Updated istio values umbrella template
Package Merge Request
Package Changes
N/A
Umbrella Template Changes
This MR contains changes to the Istio Umbrella template to address some bugs in the creation of gateways and ingress gateways:
- IngressGateways would only ever work if kubernetesResourceSpec was specified. However, our documentation says it should be k8s. In our defaults we are using kubernetesResourceSpec, so it appears the goal was to allow both to work, but that was not the case. Added $values.k8s to the merge so it would work as expected in all cases.
- TLS was being specified even when the protocol was not HTTPS, preventing new gateways from being created (See issue here). This occurred on upgrades only, and while it worked on fresh installs, it still put the TLS section in, which is not valid. This also made it impossible to create standard HTTP endpoints.
- Added logic to allow users to manually specify if they want an HTTP endpoint to redirect to HTTPS in the event they want a more customized gateway. This will allow users to set our autoHttpRedirect to false when they need more granular control while still being able to use the functionality when and where they need it.
The following can be added to the istio.ingressGateways section under the test-values.yaml file to validate:
    twistlock-ingressgateway:
      type: "LoadBalancer"
      kubernetesResourceSpec:
        service:
          ports:
            - name: tcp-health-status
              port: 15021
              targetPort: 15021
              nodePort: 30200
            - name: tcp-twistlock-wss
              port: 8084
              targetPort: 8084
              nodePort: 30201
    additional-ingressgateway:
      type: "LoadBalancer"
      k8s:
        service:
          ports:
            - name: tcp-health-status
              port: 15021
              targetPort: 15021
              nodePort: 30300
            - name: http-redirect
              port: 80
              targetPort: 8080
              nodePort: 30301
            - name: https
              port: 443
              targetPort: 8443
              nodePort: 30302
            - name: http-custom
              port: 8000
              targetPort: 8000
              nodePort: 30303
The following can be added under istio.gateways:
    twistlock:
      autoHttpRedirect:
        enabled: false
      selector:
        app: "twistlock-ingressgateway"
      servers:
        - hosts:
            - "*"
          port:
            name: tcp-twistlock-wss
            number: 8084
            protocol: TCP
    additional:
      autoHttpRedirect:
        enabled: false
      selector:
        app: "additional-ingressgateway"
      servers:
        - hosts:
            - "*.someotherrandomurl.com"
          port:
            name: http-custom
            number: 8000
            protocol: HTTP
        - hosts:
            - "*.someotherrandomurl.com"
          port:
            name: http-redirect
            number: 8080
            protocol: HTTP
          tls:
            httpsRedirect: true
        - hosts:
            - "*.someotherrandomurl.com"
          port:
            name: https
            number: 8443
            protocol: HTTPS
          tls:
            mode: PASSTHROUGH
The following commands can be used to verify that the service and ingress pods are listening on the correct ports:
    kubectl get svc -n istio-system -o wide
    kubectl get pods -n istio-system -o yaml | grep containerPort -B 20
The following can be executed to verify the gateways are configured as expected:
    kubectl get gateways -n istio-system -o yaml
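The same checks can be scripted offline against the values before deploying. The following is an added example, not part of this MR or the chart: `check_gateway`, `target_ports` and `server` are hypothetical helpers, the sample data is constructed from the values above, and the rule that an HTTP server may carry only `tls.httpsRedirect` is this example's reading of the TLS bug described in the MR.

```python
TLS_PROTOCOLS = {"HTTPS", "TLS"}  # assumption: protocols that require tls.mode

def target_ports(ingress_gateway):
    """Collect targetPorts, accepting either k8s or kubernetesResourceSpec."""
    spec = ingress_gateway.get("k8s") or ingress_gateway.get("kubernetesResourceSpec") or {}
    return {p["targetPort"] for p in spec.get("service", {}).get("ports", [])}

def check_gateway(name, gateway, ingress_gateways):
    """Return findings for one istio.gateways entry (hypothetical helper)."""
    ports = target_ports(ingress_gateways.get(gateway["selector"]["app"], {}))
    findings = []
    for srv in gateway["servers"]:
        port, tls = srv["port"], srv.get("tls") or {}
        proto, where = port["protocol"].upper(), f"{name}/{port['name']}"
        if port["number"] not in ports:
            findings.append(f"{where}: {port['number']} is not a targetPort of the selected ingress gateway")
        if proto in TLS_PROTOCOLS and "mode" not in tls:
            findings.append(f"{where}: {proto} server has no tls.mode")
        elif proto == "HTTP" and set(tls) - {"httpsRedirect"}:
            findings.append(f"{where}: HTTP server carries TLS settings other than httpsRedirect")
        elif proto not in TLS_PROTOCOLS | {"HTTP"} and tls:
            findings.append(f"{where}: tls block on a {proto} server")
        if proto == "HTTP" and not tls.get("httpsRedirect"):
            findings.append(f"{where}: plaintext HTTP without redirect, confirm it is intended")
    return findings

def server(name, number, protocol, tls=None):  # builds one constructed servers[] entry
    return {"hosts": ["*"], "port": {"name": name, "number": number, "protocol": protocol}, "tls": tls}

# Constructed sample mirroring this page's values (nodePorts and health port omitted).
INGRESS_GATEWAYS = {
    "twistlock-ingressgateway": {"kubernetesResourceSpec": {"service": {"ports": [
        {"name": "tcp-twistlock-wss", "port": 8084, "targetPort": 8084}]}}},
    "additional-ingressgateway": {"k8s": {"service": {"ports": [
        {"name": "http-redirect", "port": 80, "targetPort": 8080},
        {"name": "https", "port": 443, "targetPort": 8443},
        {"name": "http-custom", "port": 8000, "targetPort": 8000}]}}},
}
GATEWAYS = {
    "twistlock": {"selector": {"app": "twistlock-ingressgateway"},
                  "servers": [server("tcp-twistlock-wss", 8084, "TCP")]},
    "additional": {"selector": {"app": "additional-ingressgateway"}, "servers": [
        server("http-custom", 8000, "HTTP"),
        server("http-redirect", 8080, "HTTP", {"httpsRedirect": True}),
        server("https", 8443, "HTTPS", {"mode": "PASSTHROUGH"})]},
    "broken": {"selector": {"app": "additional-ingressgateway"}, "servers": [  # constructed pre-fix rendering
        server("http-custom", 8000, "HTTP", {"mode": "SIMPLE"})]},
}
print({n: check_gateway(n, g, INGRESS_GATEWAYS) for n, g in GATEWAYS.items()})
```

The `http-custom` server is reported as plaintext even in the valid configuration, which is the point of the last check: with autoHttpRedirect disabled, every unencrypted listener should be a deliberate choice.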
Package MR
N/A
For Issue
Closes (link to issue here)
Upgrade Notices
N/A