diff --git a/CHANGELOG.md b/CHANGELOG.md index 30e07a6cef42b2b2e62fee078b910cb0d9df6c0f..c8f44eec11d9b723764bec836459a1c606c852e3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [1.25.0-bb.0] - 2024-03-18 +Changed +- Updated to v1.25.0 + ## [1.23.3-bb.3] - 2024-02-13 ### Added diff --git a/README.md b/README.md index 0e8d731e90678db9de7ef1e12ff9ecd315d45715..09e4c4bdf69c59567807363d925cc232497c3f44 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. --> # gateway -    +    Helm chart for deploying Istio gateways @@ -11,7 +11,7 @@ Helm chart for deploying Istio gateways ## Upstream Release Notes -- [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.23.2/announcing-1.23.2) +- [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.25.x/announcing-1.25) ## Learn More 
@@ -41,71 +41,74 @@ helm install gateway chart/ | Key | Type | Default | Description | |-----|------|---------|-------------| -| defaults.name | string | `""` | | -| defaults.revision | string | `""` | | -| defaults.replicaCount | string | `nil` | | -| defaults.kind | string | `"Deployment"` | | -| defaults.rbac.enabled | bool | `true` | | -| defaults.serviceAccount.create | bool | `true` | | -| defaults.serviceAccount.annotations | object | `{}` | | -| defaults.serviceAccount.name | string | `""` | | -| defaults.podAnnotations."prometheus.io/port" | string | `"15020"` | | -| defaults.podAnnotations."prometheus.io/scrape" | string | `"true"` | | -| defaults.podAnnotations."prometheus.io/path" | string | `"/stats/prometheus"` | | -| defaults.podAnnotations."inject.istio.io/templates" | string | `"gateway"` | | -| defaults.podAnnotations."sidecar.istio.io/inject" | string | `"true"` | | -| defaults.securityContext | object | `{}` | | -| defaults.containerSecurityContext | object | `{}` | | -| defaults.service.type | string | `"LoadBalancer"` | | -| defaults.service.ports[0].name | string | `"tcp-status-port"` | | -| defaults.service.ports[0].port | int | `15021` | | -| defaults.service.ports[0].protocol | string | `"TCP"` | | -| defaults.service.ports[0].targetPort | int | `15021` | | -| defaults.service.ports[1].name | string | `"http2"` | | -| defaults.service.ports[1].port | int | `80` | | -| defaults.service.ports[1].protocol | string | `"TCP"` | | -| defaults.service.ports[1].targetPort | int | `8080` | | -| defaults.service.ports[2].name | string | `"https"` | | -| defaults.service.ports[2].port | int | `443` | | -| defaults.service.ports[2].protocol | string | `"TCP"` | | -| defaults.service.ports[2].targetPort | int | `8443` | | -| defaults.service.annotations | object | `{}` | | -| defaults.service.loadBalancerIP | string | `""` | | -| defaults.service.loadBalancerSourceRanges | list | `[]` | | -| defaults.service.externalTrafficPolicy | string | `""` | | -| 
defaults.service.externalIPs | list | `[]` | | -| defaults.service.ipFamilyPolicy | string | `""` | | -| defaults.service.ipFamilies | list | `[]` | | -| defaults.resources.requests.cpu | string | `"100m"` | | -| defaults.resources.requests.memory | string | `"128Mi"` | | -| defaults.resources.limits.cpu | string | `"2000m"` | | -| defaults.resources.limits.memory | string | `"1024Mi"` | | -| defaults.autoscaling.enabled | bool | `true` | | -| defaults.autoscaling.minReplicas | int | `1` | | -| defaults.autoscaling.maxReplicas | int | `5` | | -| defaults.autoscaling.targetCPUUtilizationPercentage | int | `80` | | -| defaults.autoscaling.targetMemoryUtilizationPercentage | object | `{}` | | -| defaults.autoscaling.autoscaleBehavior | object | `{}` | | -| defaults.env | object | `{}` | | -| defaults.labels | object | `{}` | | -| defaults.annotations | object | `{}` | | -| defaults.nodeSelector | object | `{}` | | -| defaults.tolerations | list | `[]` | | -| defaults.topologySpreadConstraints | list | `[]` | | -| defaults.affinity | object | `{}` | | -| defaults.networkGateway | string | `""` | | -| defaults.image.repo | string | `"registry1.dso.mil/ironbank/opensource/istio/proxyv2"` | | -| defaults.image.tag | string | `"1.23.3"` | | -| defaults.imagePullPolicy | string | `""` | | -| defaults.imagePullSecrets[0].name | string | `"private-registry"` | | -| defaults.podDisruptionBudget | object | `{}` | | -| defaults.terminationGracePeriodSeconds | int | `30` | | -| defaults.volumes | list | `[]` | | -| defaults.volumeMounts | list | `[]` | | -| defaults.priorityClassName | string | `""` | | -| defaults.enterprise | bool | `false` | | -| defaults.tidHub | string | `"registry1.dso.mil/ironbank/tetrate/istio"` | | -| defaults.tidTag | string | `"1.23.3-tetratefips-v0"` | | +| _internal_defaults_do_not_set.name | string | `""` | | +| _internal_defaults_do_not_set.revision | string | `""` | | +| _internal_defaults_do_not_set.replicaCount | string | `nil` | | +| 
_internal_defaults_do_not_set.kind | string | `"Deployment"` | | +| _internal_defaults_do_not_set.rbac.enabled | bool | `true` | | +| _internal_defaults_do_not_set.serviceAccount.create | bool | `true` | | +| _internal_defaults_do_not_set.serviceAccount.annotations | object | `{}` | | +| _internal_defaults_do_not_set.serviceAccount.name | string | `""` | | +| _internal_defaults_do_not_set.podAnnotations."prometheus.io/port" | string | `"15020"` | | +| _internal_defaults_do_not_set.podAnnotations."prometheus.io/scrape" | string | `"true"` | | +| _internal_defaults_do_not_set.podAnnotations."prometheus.io/path" | string | `"/stats/prometheus"` | | +| _internal_defaults_do_not_set.podAnnotations."inject.istio.io/templates" | string | `"gateway"` | | +| _internal_defaults_do_not_set.podAnnotations."sidecar.istio.io/inject" | string | `"true"` | | +| _internal_defaults_do_not_set.securityContext | object | `{}` | | +| _internal_defaults_do_not_set.containerSecurityContext | object | `{}` | | +| _internal_defaults_do_not_set.service.type | string | `"LoadBalancer"` | | +| _internal_defaults_do_not_set.service.ports[0].name | string | `"tcp-status-port"` | | +| _internal_defaults_do_not_set.service.ports[0].port | int | `15021` | | +| _internal_defaults_do_not_set.service.ports[0].protocol | string | `"TCP"` | | +| _internal_defaults_do_not_set.service.ports[0].targetPort | int | `15021` | | +| _internal_defaults_do_not_set.service.ports[1].name | string | `"http2"` | | +| _internal_defaults_do_not_set.service.ports[1].port | int | `80` | | +| _internal_defaults_do_not_set.service.ports[1].protocol | string | `"TCP"` | | +| _internal_defaults_do_not_set.service.ports[1].targetPort | int | `8080` | | +| _internal_defaults_do_not_set.service.ports[2].name | string | `"https"` | | +| _internal_defaults_do_not_set.service.ports[2].port | int | `443` | | +| _internal_defaults_do_not_set.service.ports[2].protocol | string | `"TCP"` | | +| 
_internal_defaults_do_not_set.service.ports[2].targetPort | int | `8443` | | +| _internal_defaults_do_not_set.service.annotations | object | `{}` | | +| _internal_defaults_do_not_set.service.loadBalancerIP | string | `""` | | +| _internal_defaults_do_not_set.service.loadBalancerSourceRanges | list | `[]` | | +| _internal_defaults_do_not_set.service.externalTrafficPolicy | string | `""` | | +| _internal_defaults_do_not_set.service.externalIPs | list | `[]` | | +| _internal_defaults_do_not_set.service.ipFamilyPolicy | string | `""` | | +| _internal_defaults_do_not_set.service.ipFamilies | list | `[]` | | +| _internal_defaults_do_not_set.resources.requests.cpu | string | `"100m"` | | +| _internal_defaults_do_not_set.resources.requests.memory | string | `"128Mi"` | | +| _internal_defaults_do_not_set.resources.limits.cpu | string | `"2000m"` | | +| _internal_defaults_do_not_set.resources.limits.memory | string | `"1024Mi"` | | +| _internal_defaults_do_not_set.autoscaling.enabled | bool | `true` | | +| _internal_defaults_do_not_set.autoscaling.minReplicas | int | `1` | | +| _internal_defaults_do_not_set.autoscaling.maxReplicas | int | `5` | | +| _internal_defaults_do_not_set.autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| _internal_defaults_do_not_set.autoscaling.targetMemoryUtilizationPercentage | object | `{}` | | +| _internal_defaults_do_not_set.autoscaling.autoscaleBehavior | object | `{}` | | +| _internal_defaults_do_not_set.env | object | `{}` | | +| _internal_defaults_do_not_set.strategy | object | `{}` | | +| _internal_defaults_do_not_set.minReadySeconds | string | `nil` | | +| _internal_defaults_do_not_set.readinessProbe | object | `{}` | | +| _internal_defaults_do_not_set.labels."istio.io/dataplane-mode" | string | `"none"` | | +| _internal_defaults_do_not_set.annotations | object | `{}` | | +| _internal_defaults_do_not_set.nodeSelector | object | `{}` | | +| _internal_defaults_do_not_set.tolerations | list | `[]` | | +| 
_internal_defaults_do_not_set.topologySpreadConstraints | list | `[]` | | +| _internal_defaults_do_not_set.affinity | object | `{}` | | +| _internal_defaults_do_not_set.networkGateway | string | `""` | | +| _internal_defaults_do_not_set.image.repo | string | `"registry1.dso.mil/ironbank/opensource/istio/proxyv2"` | | +| _internal_defaults_do_not_set.image.tag | string | `"1.25.0"` | | +| _internal_defaults_do_not_set.imagePullPolicy | string | `""` | | +| _internal_defaults_do_not_set.imagePullSecrets[0].name | string | `"private-registry"` | | +| _internal_defaults_do_not_set.podDisruptionBudget | object | `{}` | | +| _internal_defaults_do_not_set.terminationGracePeriodSeconds | int | `30` | | +| _internal_defaults_do_not_set.volumes | list | `[]` | | +| _internal_defaults_do_not_set.volumeMounts | list | `[]` | | +| _internal_defaults_do_not_set.priorityClassName | string | `""` | | +| _internal_defaults_do_not_set.enterprise | bool | `false` | | +| _internal_defaults_do_not_set.tidHub | string | `"registry1.dso.mil/ironbank/tetrate/istio"` | | +| _internal_defaults_do_not_set.tidTag | string | `"1.25.0-tetratefips0"` | | | mtls.mode | string | `"STRICT"` | STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic | | networkPolicies.enabled | bool | `true` | | | networkPolicies.additionalPolicies | list | `[]` | | diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 0b62eb7c872f66aa6ea5d34e09155bebfe8e7ca6..a232c6a75706002069b047a828c0116b77701daf 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: gateway description: Helm chart for deploying Istio gateways type: application -version: 1.23.3-bb.3 -appVersion: 1.23.3 +version: 1.25.0-bb.0 +appVersion: 1.25.0 sources: - https://github.com/istio/istio icon: https://istio.io/latest/favicons/android-192x192.png 
@@ -13,4 +13,4 @@ keywords: annotations: bigbang.dev/maintenanceTrack: bb_integrated bigbang.dev/upstreamReleaseNotesMarkdown: | - - [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.23.2/announcing-1.23.2) + - [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.25.x/announcing-1.25) diff --git a/chart/Kptfile b/chart/Kptfile index 150e5f79a1454a5132d18762d3e970bbd13602f0..d11d943515c1dd69c4be4751af2e5c3a3752fa51 100644 --- a/chart/Kptfile +++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: 33af1b65afe2780bc2bc7c94ccd8a6f6281215e4 + commit: 57e59c2e5d6b757a68d867491d9c9c09694e1522 repo: https://github.com/istio/istio directory: /manifests/charts/gateway - ref: 1.23.3 + ref: 1.25.0 diff --git a/chart/files/profile-ambient.yaml b/chart/files/profile-ambient.yaml index 22db033094c520e7d5191e87c00553526bcf14d1..2805fe46bf78e797a6cf7a17f3d8528b1ad6ba59 100644 --- a/chart/files/profile-ambient.yaml +++ b/chart/files/profile-ambient.yaml @@ -15,6 +15,3 @@ pilot: cni: ambient: enabled: true - -# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel -variant: distroless diff --git a/chart/files/profile-compatibility-version-1.22.yaml b/chart/files/profile-compatibility-version-1.22.yaml index b091e2b94284b60411572a8c7b187eb14c006263..62420fe5f5d887b93cc2204c00e3da3272830df5 100644 --- a/chart/files/profile-compatibility-version-1.22.yaml +++ b/chart/files/profile-compatibility-version-1.22.yaml @@ -6,7 +6,14 @@ pilot: env: # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - + + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + meshConfig: defaultConfig: proxyMetadata: 
@@ -14,3 +21,10 @@ meshConfig: ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +# Not present in <1.24, defaults to `true` in 1.25+ +ambient: + reconcileIptablesOnStartup: false diff --git a/chart/files/profile-compatibility-version-1.23.yaml b/chart/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000000000000000000000000000000000..6b636e607810a7d685ff62d47a64955a510549cf --- /dev/null +++ b/chart/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,23 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +# Not present in <1.24, defaults to `true` in 1.25+ +ambient: + reconcileIptablesOnStartup: false diff --git a/chart/files/profile-compatibility-version-1.24.yaml b/chart/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000000000000000000000000000000000..a2dc354894f54d1f766b924f28bb4c28346627b8 --- /dev/null +++ b/chart/files/profile-compatibility-version-1.24.yaml 
@@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false diff --git a/chart/files/profile-demo.yaml b/chart/files/profile-demo.yaml index 83b9d6b6638b95faa87f09e8b42647e1cd89aafe..d6dc36dd0f7434d1768352e0364a075ae4af65e5 100644 --- a/chart/files/profile-demo.yaml +++ b/chart/files/profile-demo.yaml @@ -21,6 +21,22 @@ meshConfig: opentelemetry: port: 4317 service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi global: proxy: @@ -28,6 +44,11 @@ global: requests: cpu: 10m memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi pilot: autoscaleEnabled: false diff --git a/chart/files/profile-platform-gke.yaml b/chart/files/profile-platform-gke.yaml new file mode 100644 index 0000000000000000000000000000000000000000..521bf1b1e26bf4461e9858e32861bd2ad0748922 --- /dev/null +++ b/chart/files/profile-platform-gke.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work diff --git a/chart/files/profile-platform-k3d.yaml b/chart/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000000000000000000000000000000000..cd86d9ec587e204a3e12cda575458d54f76cec39 --- /dev/null 
+++ b/chart/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/chart/files/profile-platform-k3s.yaml b/chart/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000000000000000000000000000000000..07820106d9be43c0e97860c02b3409a31907e172 --- /dev/null +++ b/chart/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/chart/files/profile-platform-microk8s.yaml b/chart/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000000000000000000000000000000000..57d7f5e3cd0ac4bcac00a9cc1241482702649e86 --- /dev/null +++ b/chart/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/chart/files/profile-platform-minikube.yaml b/chart/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000000000000000000000000000000000..fa9992e2043f48a771ec296ec00b48c7bf2adde0 --- /dev/null +++ b/chart/files/profile-platform-minikube.yaml 
@@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/chart/files/profile-platform-openshift.yaml b/chart/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000000000000000000000000000000000..8ddc5e1654318e7b523e805c35c997bc27a50315 --- /dev/null +++ b/chart/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/chart/files/profile-remote.yaml b/chart/files/profile-remote.yaml new file mode 100644 index 0000000000000000000000000000000000000000..d17b9a801ac074d384c1512d2bd0b24e5d960c4b --- /dev/null +++ b/chart/files/profile-remote.yaml 
@@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl index 6ef392dc794e733be371b94a21f09c830f6fa9a9..56a6f17f9a02dadc97e035b02815f664560a98ba 100644 --- a/chart/templates/_helpers.tpl +++ b/chart/templates/_helpers.tpl @@ -6,19 +6,8 @@ {{- end -}} {{- end }} -{{/* -Create chart name and version as used by the helm.sh/chart label. -*/}} -{{- define "gateway.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - {{- define "gateway.labels" -}} -helm.sh/chart: {{ include "gateway.chart" . }} {{ include "gateway.selectorLabels" . }} -app.kubernetes.io/name: {{ include "gateway.name" . }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -app.kubernetes.io/managed-by: {{ .Release.Service }} {{- range $key, $val := .Values.labels }} {{- if and (ne $key "app") (ne $key "istio") }} {{ $key | quote }}: {{ $val | quote }} diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml index 330dca03631063885c422164c15cbbd90b7e0e00..bee05f3243f0011ffaa8b377604100b50ffbec56 100644 --- a/chart/templates/deployment.yaml +++ b/chart/templates/deployment.yaml 
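Review bot: After this hunk `gateway.labels` emits only the selector labels plus user-supplied `.Values.labels`, so any template that includes it without also including `istio.labels` silently loses `helm.sh/chart`, `app.kubernetes.io/name`, `app.kubernetes.io/version` and `app.kubernetes.io/managed-by`. The diff updates deployment, hpa, poddisruptionbudget, role, service and serviceaccount, but the Big Bang-specific templates this chart evidently carries (the README hunk lists `networkPolicies` and `mtls` values) are not in the diff; confirm they either do not use `gateway.labels` or get the same `istio.labels` include. A one-line comment on the define would make the split explicit: `{{/* Selector labels plus user-supplied .Values.labels; include "istio.labels" alongside this for the common app.kubernetes.io/* and helm.sh/chart labels. */}}`.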
@@ -4,6 +4,8 @@ metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4}} annotations: {{- .Values.annotations | toYaml | nindent 4 }} @@ -13,6 +15,13 @@ spec: replicas: {{ . }} {{- end }} {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} selector: matchLabels: {{- include "gateway.selectorLabels" . | nindent 6 }} @@ -26,7 +35,7 @@ spec: {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} {{- include "gateway.selectorLabels" . | nindent 8 }} app.kubernetes.io/name: {{ include "gateway.name" . }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} + {{- include "istio.labels" . | nindent 8}} {{- range $key, $val := .Values.labels }} {{- if and (ne $key "app") (ne $key "istio") }} {{ $key | quote }}: {{ $val | quote }} @@ -72,7 +81,7 @@ spec: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true - {{- if not (eq .Values.platform "openshift") }} + {{- if not (eq (.Values.platform | default "") "openshift") }} runAsUser: 1337 runAsGroup: 1337 {{- end }} @@ -100,7 +109,11 @@ spec: {{- toYaml .Values.resources | nindent 12 }} {{- with .Values.volumeMounts }} volumeMounts: - {{ toYaml . | nindent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} {{- end }} {{- with .Values.nodeSelector }} nodeSelector: diff --git a/chart/templates/hpa.yaml b/chart/templates/hpa.yaml index 1b0f9366bbc99e1d3e30aaa610a49fb4f02f8b68..64ecb6a4cd73375ffd52dfba4750d1bc115b1436 100644 --- a/chart/templates/hpa.yaml +++ b/chart/templates/hpa.yaml 
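Review bot: In the pod-template labels hunk (`@@ -26,7 +35,7 @@`), replacing the `app.kubernetes.io/version` line with `{{- include "istio.labels" . | nindent 8}}` appears to put `helm.sh/chart` — which carries `.Chart.Version` per the `istio.labels` define added to zzz_profile.yaml in this diff — into `spec.template.metadata.labels`. If so, every chart version bump, including `-bb.N` re-packagings with no image change, alters the pod template and triggers a rolling restart of the gateway, which the previous label (app version only) did not. If that is not intended, keep the full label set on the Deployment's own metadata and leave the template at `app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}` plus the selector labels. The `(.Values.platform | default "")` guard in the securityContext hunk is a good fix for an unset platform. The Deployment spec continues outside these hunks.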
@@ -5,6 +5,8 @@ metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4 }} annotations: {{- .Values.annotations | toYaml | nindent 4 }} diff --git a/chart/templates/poddisruptionbudget.yaml b/chart/templates/poddisruptionbudget.yaml index 77f71e7fa5fbb4b24daea4025c979d54aeae18b3..b0155cdf059151bb74dc2f0b923f21a1fa2f4f71 100644 --- a/chart/templates/poddisruptionbudget.yaml +++ b/chart/templates/poddisruptionbudget.yaml @@ -5,6 +5,8 @@ metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4}} spec: selector: diff --git a/chart/templates/role.yaml b/chart/templates/role.yaml index c8a25cb7207cb179f3d0420aa9168a6185709820..3d16079632dd323eb398e8e51d881c4b6f192ae6 100644 --- a/chart/templates/role.yaml +++ b/chart/templates/role.yaml @@ -6,6 +6,8 @@ metadata: name: {{ include "gateway.serviceAccountName" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4}} annotations: {{- .Values.annotations | toYaml | nindent 4 }} @@ -20,6 +22,8 @@ metadata: name: {{ include "gateway.serviceAccountName" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4}} annotations: {{- .Values.annotations | toYaml | nindent 4 }} diff --git a/chart/templates/service.yaml b/chart/templates/service.yaml index 9177d2a119ede5e95b12cc99067f566aafa98ba9..25ce3bcb0f381bc2476aa3adfba3ee0db1c8d837 100644 --- a/chart/templates/service.yaml +++ b/chart/templates/service.yaml 
@@ -5,6 +5,8 @@ metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4 }} {{- with .Values.networkGateway }} topology.istio.io/network: "{{.}}" diff --git a/chart/templates/serviceaccount.yaml b/chart/templates/serviceaccount.yaml index e5b2304d620f6faf71a39d3cfc8cd85c1c9eec6e..c88afeadd376081f776dfb12245740b1b2eed194 100644 --- a/chart/templates/serviceaccount.yaml +++ b/chart/templates/serviceaccount.yaml @@ -5,6 +5,8 @@ metadata: name: {{ include "gateway.serviceAccountName" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} annotations: diff --git a/chart/templates/zzz_profile.yaml b/chart/templates/zzz_profile.yaml index 2d0bd4af7a355b33aae6bd815a9e49f31849aa0b..ded66c5fdf7b3a27101bef55109fab2096021593 100644 --- a/chart/templates/zzz_profile.yaml +++ b/chart/templates/zzz_profile.yaml 
@@ -15,15 +15,20 @@ However, we can workaround this by placing all of (1) under a specific key (.Val
 We can then merge the profile onto the defaults, then the user settings onto that.
 Finally, we can set all of that under .Values so the chart behaves without awareness.
 */}}
-{{- $globals := $.Values.global | default dict | deepCopy }}
-{{- $defaults := $.Values.defaults }}
-{{- $_ := unset $.Values "defaults" }}
+{{- if $.Values.defaults}}
+{{ fail (cat
+ "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+ ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
 {{- $profile := dict }}
-{{- with .Values.profile }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
 {{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
 {{- $profile = (. | fromYaml) }}
 {{- else }}
-{{ fail (cat "unknown profile" $.Values.profile) }}
+{{ fail (cat "unknown profile" .) }}
 {{- end }}
 {{- end }}
 {{- with .Values.compatibilityVersion }}
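Review bot: The new `fail` message in this hunk says `.default prefix` while the key actually rejected is `.defaults` (`{{- if $.Values.defaults}}`), which sends a user looking for the wrong key; change `.default prefix` to `.defaults prefix` in the message string. The message also echoes the entire rejected `defaults` tree through `toYaml`, so whatever a user put under it (pull-secret names, annotations) lands verbatim in Helm's error output; that is reasonable for a misconfiguration error, but worth a short comment above the `fail` so the next maintainer does not treat it as a leak.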
@@ -33,11 +38,37 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
 {{- end }}
 {{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
 {{- if $profile }}
 {{- $a := mustMergeOverwrite $defaults $profile }}
 {{- end }}
 # Flatten globals, if defined on a per-chart basis
-{{- if false }}
-{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }}
 {{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/chart/values.schema.json b/chart/values.schema.json
index 4c4f0836d7e0eef77a79493b0aebd4740ad2ec73..c43b8ef4c98bc1e726278dc3fe98ae66dd0e465b 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -60,6 +60,15 @@
 "env": {
 "type": "object"
 },
+ "strategy": {
+ "type": "object"
+ },
+ "minReadySeconds": {
+ "type": [ "null", "integer" ]
+ },
+ "readinessProbe": {
+ "type": [ "null", "object" ]
+ },
 "labels": {
 "type": "object"
 },
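Review bot: `{{- if true }}` … `{{- end }}` around the globals merge is a leftover toggle (the old side had `{{- if false }}`); the condition cannot vary at render time, so drop the wrapper and keep only the merge line under its comment: `{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }}`. The new platform block above it is consistent with the profile block, but note that an unknown platform now aborts rendering with `fail`, which is a behaviour change for anyone who had a stray `platform` value set; a line in the changelog would help.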
@@ -237,17 +246,6 @@ "Never" ] }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, "podDisruptionBudget": { "type": "object", "properties": { diff --git a/chart/values.yaml b/chart/values.yaml index df2907560c46dae65448f795865beebb6924db76..b39a675ff19d7e188d0f5c735bb36f7c28b88327 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -1,6 +1,6 @@ -# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. -defaults: +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: # Name allows overriding the release name. Generally this should not be set name: "" # revision declares which revision this gateway is a part of @@ -84,8 +84,21 @@ defaults: # Pod environment variables env: {} + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + # Labels to apply to all resources - labels: {} + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none # Annotations to apply to all resources annotations: {} 
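Review bot: Removing the `imagePullSecrets` entry from `properties` in this hunk means the `imagePullSecrets[0].name: private-registry` default this chart still ships (see the README table in this diff) is no longer validated, and the diff gives no reason for the removal. If the enclosing object — its definition is outside the hunk — sets `additionalProperties: false`, the shipped default would now fail schema validation at install; otherwise only the validation is lost. Either keep the entry or record in the changelog why it was dropped.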
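Review bot: The header comment in the first values.yaml hunk ends `foo=bar``,` with a doubled backtick after `bar`; drop one so the example renders as a single inline code span. In the second hunk `minReadySeconds:` is left without a value, which is a null default and matches the schema's `[ "null", "integer" ]`, but the comment should say so: `# Sets the Deployment minReadySeconds value; leave unset to use the Kubernetes default`. The `"istio.io/dataplane-mode": none` default is a good explicit choice and its comment already explains it.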
@@ -104,7 +117,7 @@ defaults: # Setting ironbank image image: repo: registry1.dso.mil/ironbank/opensource/istio/proxyv2 - tag: 1.23.3 + tag: 1.25.0 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent @@ -143,6 +156,7 @@ defaults: # podDisruptionBudget: {} + # Sets the per-pod terminationGracePeriodSeconds setting. terminationGracePeriodSeconds: 30 # A list of `Volumes` added into the Gateway Pods. See @@ -162,7 +176,7 @@ defaults: # If enterprise is set to true FIPs Tetrate Image Distro images are used enterprise: false tidHub: registry1.dso.mil/ironbank/tetrate/istio - tidTag: 1.23.3-tetratefips-v0 + tidTag: 1.25.0-tetratefips0 mtls: # -- STRICT = Allow only mutual TLS traffic, diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index c346b7beedcc8e95be95d4301359e0ab5ae2b606..ec7710bf9ddd7181c764d89e2a4d5010acf59e04 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md 
@@ -4,14 +4,14 @@
 1. Update via `kpt`:
 ```bash
 # update to VERSION of the upstream chart auto-merging in changes
- kpt pkg update chart@1.23.2 --strategy alpha-git-patch
+ kpt pkg update chart@1.25.0 --strategy alpha-git-patch
 ```
 Or if you'd like to pull down upstream to a fresh `DIR` and manually merge in the changes yourself:
 ```bash
 # get a fresh VERSION of the upstream chart to DIR
- kpt pkg get "https://github.com/istio/istio.git/manifests/charts/gateway@1.23.2" ./fresh
+ kpt pkg get "https://github.com/istio/istio.git/manifests/charts/gateway@1.25.0" ./fresh
 ```
-1. Update version references for the Chart. `version` should be `<version>-bb.0` (ex: `1.22.2-bb.0`) and `appVersion` should be `<version>` (ex: `1.22.2`). Also validate that the BB annotation for the main Istio version is updated (leave the Tetrate version as-is unless you are updating those images).
+1. Update version references for the Chart. `version` should be `<version>-bb.0` (ex: `1.25.0-bb.0`) and `appVersion` should be `<version>` (ex: `1.25.0`). Also validate that the BB annotation for the main Istio version is updated (leave the Tetrate version as-is unless you are updating those images).
 1. Add a changelog entry for the update. At minimum mention updating the image versions.
 1. Update the readme following the [steps in Gluon](https://repo1.dso.mil/platform-one/big-bang/apps/library-charts/gluon/-/blob/master/docs/bb-package-readme.md).
 1. Open MR (or check the one that Renovate created for you) and validate that the pipeline is successful. Also follow the testing steps below for some manual confirmations. 
@@ -40,7 +40,12 @@ This is a high-level list of modifications that Big Bang has made to the upstrea
 ```
 ## chart/templates/deployment.yaml
-- Added templating for Tetrate FIPs image integration lines 56-60.
+- Added templating for Tetrate FIPs image integration lines 65-67.
+```
+ {{- if .Values.enterprise }}
+ image: "{{ .Values.tidHub }}/{{ "proxyv2" }}:{{ .Values.tidTag }}"
+ {{- else }}
+```
 - Modified the following section under `spec.template.spec.containers.ports` to suppress warnings from Kiali as the gateway deployment was not listening on the same ports as its associated service:
 ``` 
@@ -50,17 +55,87 @@ This is a high-level list of modifications that Big Bang has made to the upstrea
 name: {{ $ports.name }}
 {{- end }}
 ```
+- Modified `spec.containers.image` away from using `auto` to speed up deployment
+```
+ image: "{{ .Values.image.repo }}:{{ .Values.image.tag }}"
+```
 ## chart/values.yaml
-- Added enterprise boolean, tidHub and tidTag for Tetrate FIPs image integraton lines 157-160.
-- Prepended default `status-port` to `tcp-status-port` under `service.ports` section to appease Kiali warning.
-- Added gateway which is used to pass down required values into `chart/templates/bigbang/gateway.yaml`.
+- Specified the `image` to use instead of using `auto`
+```
+ # Setting ironbank image
+ image:
+ repo: registry1.dso.mil/ironbank/opensource/istio/proxyv2
+ tag: 1.25.0
+```
+- Changed `imagePullSecrets` to `private-registry`
+```
+ imagePullSecrets:
+ - name: private-registry
+```
+
+- Added `defaults.enterprise` boolean, tidHub and tidTag for Tetrate FIPs image integraton around line 176.
+```
+ # If enterprise is set to true FIPs Tetrate Image Distro images are used
+ enterprise: false
+ tidHub: registry1.dso.mil/ironbank/tetrate/istio
+ tidTag: 1.25.0-tetratefips0
+```
+
+- Changed `status-port` to `tcp-status-port` under `service.ports` section to appease Kiali warning.
+- Changed the `targetPort`s under `service.ports` from 80 and 443 to 8080 and 8443.
+
+
+- Added default gateway which is used to pass down required values into `chart/templates/bigbang/gateway.yaml`.
+```
+# Settings for istio gateway
+gateway:
+ servers:
+ - hosts:
+ - '*.dev.bigbang.mil'
+ port:
+ name: http
+ number: 8080
+ protocol: HTTP
+ tls:
+ httpsRedirect: true
+ - hosts:
+ - '*.dev.bigbang.mil'
+ port:
+ name: https
+ number: 8443
+ protocol: HTTPS
+ tls:
+ credentialName: public-cert
+ mode: SIMPLE
+```
+
 - Added `networkPolicies` section to enable default network policies and allow custom additional network policies to be added. 
-- Added the following `mtls` section to enable mutual TLS used in `chart/templates/bigbang/peerAuthentication.yaml`:
+```
+networkPolicies:
+  enabled: true
+ additionalPolicies: []
+```
+- Added the following `mtls` section to enable mutual TLS used in `chart/templates/bigbang/peerAuthentication.yaml`:
 ```
 mtls:
 # -- STRICT = Allow only mutual TLS traffic,
 # PERMISSIVE = Allow both plain text and mutual TLS traffic
 mode: STRICT
-```
\ No newline at end of file
+```
+
+## chart/templates/_helpers.tpl
+Replaced:
+```
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .) }}
+{{- else }}
+```
+...with...
+```
+{{- if .Values.serviceAccount.create }}
+{{- $defaultSericeAccount := printf "%s-%s" (include "gateway.name" .) "ingressgateway-service-account" -}}
+{{- .Values.serviceAccount.name | default $defaultSericeAccount }}
+{{- else }}
+```