From 372c2ce3588f035b5f5e1f460abfb393ab66c24a Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Mon, 17 Mar 2025 08:49:11 -0500
Subject: [PATCH 01/22] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
touch | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 touch
diff --git a/touch b/touch
new file mode 100644
index 0000000..e69de29
-- GitLab
From dfb07346aac9d213838450b0fb841e58f2973707 Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com> Date: Mon, 17 Mar 2025 14:40:45 -0500 Subject: [PATCH 02/22] update "gateway" (https://github.com/istio/istio) from "1.23.3" (33af1b65afe2780bc2bc7c94ccd8a6f6281215e4) to "1.25.0" (57e59c2e5d6b757a68d867491d9c9c09694e1522) --- chart/Kptfile | 4 +- chart/files/profile-ambient.yaml | 3 -- .../profile-compatibility-version-1.22.yaml | 16 ++++++- .../profile-compatibility-version-1.23.yaml | 23 ++++++++++ .../profile-compatibility-version-1.24.yaml | 11 +++++ chart/files/profile-demo.yaml | 21 +++++++++ chart/files/profile-platform-gke.yaml | 6 +++ chart/files/profile-platform-k3d.yaml | 7 +++ chart/files/profile-platform-k3s.yaml | 7 +++ chart/files/profile-platform-microk8s.yaml | 7 +++ chart/files/profile-platform-minikube.yaml | 6 +++ chart/files/profile-platform-openshift.yaml | 19 ++++++++ chart/files/profile-remote.yaml | 13 ++++++ chart/templates/_helpers.tpl | 11 ----- chart/templates/deployment.yaml | 19 ++++++-- chart/templates/hpa.yaml | 2 + chart/templates/poddisruptionbudget.yaml | 2 + chart/templates/role.yaml | 4 ++ chart/templates/service.yaml | 2 + chart/templates/serviceaccount.yaml | 2 + chart/templates/zzz_profile.yaml | 45 ++++++++++++++++--- chart/values.schema.json | 9 ++++ chart/values.yaml | 22 +++++++-- 23 files changed, 230 insertions(+), 31 deletions(-) create mode 100644 chart/files/profile-compatibility-version-1.23.yaml create mode 100644 chart/files/profile-compatibility-version-1.24.yaml create mode 100644 chart/files/profile-platform-gke.yaml create mode 100644 chart/files/profile-platform-k3d.yaml create mode 100644 chart/files/profile-platform-k3s.yaml create mode 100644 chart/files/profile-platform-microk8s.yaml create mode 100644 chart/files/profile-platform-minikube.yaml create mode 100644 chart/files/profile-platform-openshift.yaml create mode 100644 chart/files/profile-remote.yaml diff --git a/chart/Kptfile b/chart/Kptfile index 150e5f7..d11d943 100644 --- a/chart/Kptfile 
+++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: 33af1b65afe2780bc2bc7c94ccd8a6f6281215e4 + commit: 57e59c2e5d6b757a68d867491d9c9c09694e1522 repo: https://github.com/istio/istio directory: /manifests/charts/gateway - ref: 1.23.3 + ref: 1.25.0 diff --git a/chart/files/profile-ambient.yaml b/chart/files/profile-ambient.yaml index 22db033..2805fe4 100644 --- a/chart/files/profile-ambient.yaml +++ b/chart/files/profile-ambient.yaml @@ -15,6 +15,3 @@ pilot: cni: ambient: enabled: true - -# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel -variant: distroless diff --git a/chart/files/profile-compatibility-version-1.22.yaml b/chart/files/profile-compatibility-version-1.22.yaml index b091e2b..62420fe 100644 --- a/chart/files/profile-compatibility-version-1.22.yaml +++ b/chart/files/profile-compatibility-version-1.22.yaml @@ -6,7 +6,14 @@ pilot: env: # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - + + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + meshConfig: defaultConfig: proxyMetadata: @@ -14,3 +21,10 @@ meshConfig: ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +# Not present in <1.24, defaults to `true` in 1.25+ +ambient: + reconcileIptablesOnStartup: false diff --git a/chart/files/profile-compatibility-version-1.23.yaml b/chart/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000..6b636e6 --- /dev/null +++ b/chart/files/profile-compatibility-version-1.23.yaml 
@@ -0,0 +1,23 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +# Not present in <1.24, defaults to `true` in 1.25+ +ambient: + reconcileIptablesOnStartup: false diff --git a/chart/files/profile-compatibility-version-1.24.yaml b/chart/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000..a2dc354 --- /dev/null +++ b/chart/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false diff --git a/chart/files/profile-demo.yaml b/chart/files/profile-demo.yaml index 83b9d6b..d6dc36d 100644 --- a/chart/files/profile-demo.yaml +++ b/chart/files/profile-demo.yaml @@ -21,6 +21,22 @@ meshConfig: opentelemetry: port: 4317 service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi global: proxy: 
@@ -28,6 +44,11 @@ global: requests: cpu: 10m memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi pilot: autoscaleEnabled: false diff --git a/chart/files/profile-platform-gke.yaml b/chart/files/profile-platform-gke.yaml new file mode 100644 index 0000000..521bf1b --- /dev/null +++ b/chart/files/profile-platform-gke.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work diff --git a/chart/files/profile-platform-k3d.yaml b/chart/files/profile-platform-k3d.yaml new file mode 100644 index 0000000..cd86d9e --- /dev/null +++ b/chart/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/chart/files/profile-platform-k3s.yaml b/chart/files/profile-platform-k3s.yaml new file mode 100644 index 0000000..0782010 --- /dev/null +++ b/chart/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/chart/files/profile-platform-microk8s.yaml b/chart/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000..57d7f5e --- /dev/null +++ b/chart/files/profile-platform-microk8s.yaml 
@@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/chart/files/profile-platform-minikube.yaml b/chart/files/profile-platform-minikube.yaml new file mode 100644 index 0000000..fa9992e --- /dev/null +++ b/chart/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/chart/files/profile-platform-openshift.yaml b/chart/files/profile-platform-openshift.yaml new file mode 100644 index 0000000..8ddc5e1 --- /dev/null +++ b/chart/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/chart/files/profile-remote.yaml b/chart/files/profile-remote.yaml new file mode 100644 index 0000000..d17b9a8 --- /dev/null +++ b/chart/files/profile-remote.yaml 
@@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl index 6ef392d..56a6f17 100644 --- a/chart/templates/_helpers.tpl +++ b/chart/templates/_helpers.tpl @@ -6,19 +6,8 @@ {{- end -}} {{- end }} -{{/* -Create chart name and version as used by the helm.sh/chart label. -*/}} -{{- define "gateway.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - {{- define "gateway.labels" -}} -helm.sh/chart: {{ include "gateway.chart" . }} {{ include "gateway.selectorLabels" . }} -app.kubernetes.io/name: {{ include "gateway.name" . }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -app.kubernetes.io/managed-by: {{ .Release.Service }} {{- range $key, $val := .Values.labels }} {{- if and (ne $key "app") (ne $key "istio") }} {{ $key | quote }}: {{ $val | quote }} diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml index 330dca0..bee05f3 100644 --- a/chart/templates/deployment.yaml +++ b/chart/templates/deployment.yaml @@ -4,6 +4,8 @@ metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4}} annotations: {{- .Values.annotations | toYaml | nindent 4 }} 
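Review bot: `app.kubernetes.io/name: {{ include "gateway.name" . }}` is emitted as a plain scalar, whereas every value in the new `istio.labels` helper is piped through `quote`; if the resolved name is something YAML types as a non-string (an all-digit release or `name` value), the label renders as an integer and the manifest is rejected. Suggest `app.kubernetes.io/name: {{ include "gateway.name" . | quote }}`. The identical line is added in hpa.yaml, poddisruptionbudget.yaml, role.yaml (both metadata blocks), service.yaml and serviceaccount.yaml and would take the same change. This mirrors the upstream 1.25 chart, so it may be a deliberate carry-over rather than a local edit.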
@@ -13,6 +15,13 @@ spec: replicas: {{ . }} {{- end }} {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} selector: matchLabels: {{- include "gateway.selectorLabels" . | nindent 6 }} @@ -26,7 +35,7 @@ spec: {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} {{- include "gateway.selectorLabels" . | nindent 8 }} app.kubernetes.io/name: {{ include "gateway.name" . }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} + {{- include "istio.labels" . | nindent 8}} {{- range $key, $val := .Values.labels }} {{- if and (ne $key "app") (ne $key "istio") }} {{ $key | quote }}: {{ $val | quote }} @@ -72,7 +81,7 @@ spec: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true - {{- if not (eq .Values.platform "openshift") }} + {{- if not (eq (.Values.platform | default "") "openshift") }} runAsUser: 1337 runAsGroup: 1337 {{- end }} @@ -100,7 +109,11 @@ spec: {{- toYaml .Values.resources | nindent 12 }} {{- with .Values.volumeMounts }} volumeMounts: - {{ toYaml . | nindent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} {{- end }} {{- with .Values.nodeSelector }} nodeSelector: diff --git a/chart/templates/hpa.yaml b/chart/templates/hpa.yaml index 1b0f936..64ecb6a 100644 --- a/chart/templates/hpa.yaml +++ b/chart/templates/hpa.yaml @@ -5,6 +5,8 @@ metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4 }} annotations: {{- .Values.annotations | toYaml | nindent 4 }} diff --git a/chart/templates/poddisruptionbudget.yaml b/chart/templates/poddisruptionbudget.yaml index 77f71e7..b0155cd 100644 --- a/chart/templates/poddisruptionbudget.yaml 
+++ b/chart/templates/poddisruptionbudget.yaml @@ -5,6 +5,8 @@ metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4}} spec: selector: diff --git a/chart/templates/role.yaml b/chart/templates/role.yaml index c8a25cb..3d16079 100644 --- a/chart/templates/role.yaml +++ b/chart/templates/role.yaml @@ -6,6 +6,8 @@ metadata: name: {{ include "gateway.serviceAccountName" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4}} annotations: {{- .Values.annotations | toYaml | nindent 4 }} @@ -20,6 +22,8 @@ metadata: name: {{ include "gateway.serviceAccountName" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4}} annotations: {{- .Values.annotations | toYaml | nindent 4 }} diff --git a/chart/templates/service.yaml b/chart/templates/service.yaml index 9177d2a..25ce3bc 100644 --- a/chart/templates/service.yaml +++ b/chart/templates/service.yaml @@ -5,6 +5,8 @@ metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4 }} {{- with .Values.networkGateway }} topology.istio.io/network: "{{.}}" diff --git a/chart/templates/serviceaccount.yaml b/chart/templates/serviceaccount.yaml index e5b2304..c88afea 100644 --- a/chart/templates/serviceaccount.yaml +++ b/chart/templates/serviceaccount.yaml 
@@ -5,6 +5,8 @@ metadata: name: {{ include "gateway.serviceAccountName" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} annotations: diff --git a/chart/templates/zzz_profile.yaml b/chart/templates/zzz_profile.yaml index 2d0bd4a..ded66c5 100644 --- a/chart/templates/zzz_profile.yaml +++ b/chart/templates/zzz_profile.yaml @@ -15,15 +15,20 @@ However, we can workaround this by placing all of (1) under a specific key (.Val We can then merge the profile onto the defaults, then the user settings onto that. Finally, we can set all of that under .Values so the chart behaves without awareness. */}} -{{- $globals := $.Values.global | default dict | deepCopy }} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} {{- $profile := dict }} -{{- with .Values.profile }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} {{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} {{- $profile = (. | fromYaml) }} {{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} +{{ fail (cat "unknown profile" .) }} {{- end }} {{- end }} {{- with .Values.compatibilityVersion }} 
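Review bot: The new `fail` message names the wrong key and uses an example that does not exist in this chart: it says `.default prefix` while the key being rejected is `defaults`, and `--set defaults.hub=foo` refers to a value the gateway chart does not have (its image is configured through `image.repo` and `image.tag`). Suggest `.defaults prefix` and an example such as replacing `--set defaults.name=foo` with `--set name=foo`. The profile lookup `coalesce ($.Values).profile ($.Values.global).profile` now also honours `global.profile`, which deserves a one-line comment above it since the old side only read `.Values.profile`.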
@@ -33,11 +38,37 @@ Finally, we can set all of that under .Values so the chart behaves without aware {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} {{- end }} {{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} {{- if $profile }} {{- $a := mustMergeOverwrite $defaults $profile }} {{- end }} # Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults $globals }} +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} {{- end }} {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/chart/values.schema.json b/chart/values.schema.json index 4c4f083..3108259 100644 --- a/chart/values.schema.json +++ b/chart/values.schema.json @@ -60,6 +60,15 @@ "env": { "type": "object" }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ "null", "integer" ] + }, + "readinessProbe": { + "type": [ "null", "object" ] + }, "labels": { "type": "object" }, diff --git a/chart/values.yaml b/chart/values.yaml index df29075..721bd2e 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
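Review bot: `{{- if true }}` around the globals merge is a guard that can never be false; it reads as a toggle left over from the old side's `{{- if false }}` and hides the real behaviour change of this hunk, which is that `global.*` values now override chart defaults for the gateway (explicit top-level values still win, because `$.Values` is merged last in `set $ "Values" (mustMergeOverwrite $defaults $.Values)`). Suggest dropping the conditional and stating the intent in a comment such as `{{/* Flatten globals: profile globals, then user-supplied .Values.global, are merged over chart defaults */}}`. Since the old side had this merge disabled, it is worth checking the umbrella values for anything passed under `global` that was previously ignored by this chart.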
@@ -1,6 +1,6 @@ -# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. -defaults: +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: # Name allows overriding the release name. Generally this should not be set name: "" # revision declares which revision this gateway is a part of @@ -84,8 +84,21 @@ defaults: # Pod environment variables env: {} + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + # Labels to apply to all resources - labels: {} + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none # Annotations to apply to all resources annotations: {} @@ -143,6 +156,7 @@ defaults: # podDisruptionBudget: {} + # Sets the per-pod terminationGracePeriodSeconds setting. terminationGracePeriodSeconds: 30 # A list of `Volumes` added into the Gateway Pods. See -- GitLab From c019a8312a874d1504f9eb0394e348d2f2c91aa4 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Mon, 17 Mar 2025 14:43:41 -0500 Subject: [PATCH 03/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- touch | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 touch 
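Review bot: The rewritten comment has a doubled backtick after `bar` in the `--set _internal_defaults_do_not_set.foo=bar` example, which breaks the inline-code rendering when helm-docs copies the comment. Drop the extra backtick so the example closes with a single one, matching the `--set foo=bar` example on the same line.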
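Review bot: The new default label `"istio.io/dataplane-mode": none` changes behaviour (gateway pods are no longer enrolled in the ambient dataplane, since `.Values.labels` is also ranged over in the pod template), but its comment is not in helm-docs `# --` form, so the README regenerated in PATCH 04 lists `_internal_defaults_do_not_set.labels."istio.io/dataplane-mode"` with an empty description. Suggest `# -- Opts gateway pods out of the ambient dataplane; remove or override this label to enroll them`, in the style of the `# --` comment on `mtls.mode`. `minReadySeconds:` is left as a bare empty value, which YAML reads as null; the schema allows null and deployment.yaml guards it with `with`, so it works, but an explicit `minReadySeconds: null` says so.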
diff --git a/touch b/touch
deleted file mode 100644
index e69de29..0000000
-- GitLab
From eaf33b5b6aac326e68c57a50dd45a44e9523b87c Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Mon, 17 Mar 2025 15:03:54 -0500
Subject: [PATCH 04/22] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
README.md | 133 ++++++++++++++++++++++++++++--------------------------
1 file changed, 68 insertions(+), 65 deletions(-)
diff --git a/README.md b/README.md
index 0e8d731..c848192 100644
--- a/README.md
+++ b/README.md
@@ -41,71 +41,74 @@ helm install gateway chart/ | Key | Type | Default | Description | |-----|------|---------|-------------| -| defaults.name | string | `""` | | -| defaults.revision | string | `""` | | -| defaults.replicaCount | string | `nil` | | -| defaults.kind | string | `"Deployment"` | | -| defaults.rbac.enabled | bool | `true` | | -| defaults.serviceAccount.create | bool | `true` | | -| defaults.serviceAccount.annotations | object | `{}` | | -| defaults.serviceAccount.name | string | `""` | | -| defaults.podAnnotations."prometheus.io/port" | string | `"15020"` | | -| defaults.podAnnotations."prometheus.io/scrape" | string | `"true"` | | -| defaults.podAnnotations."prometheus.io/path" | string | `"/stats/prometheus"` | | -| defaults.podAnnotations."inject.istio.io/templates" | string | `"gateway"` | | -| defaults.podAnnotations."sidecar.istio.io/inject" | string | `"true"` | | -| defaults.securityContext | object | `{}` | | -| defaults.containerSecurityContext | object | `{}` | | -| defaults.service.type | string | `"LoadBalancer"` | | -| defaults.service.ports[0].name | string | `"tcp-status-port"` | | -| defaults.service.ports[0].port | int | `15021` | | -| defaults.service.ports[0].protocol | string | `"TCP"` | | -| defaults.service.ports[0].targetPort | int | `15021` | | -| defaults.service.ports[1].name | string | `"http2"` | | -| defaults.service.ports[1].port | int | `80` | | -| defaults.service.ports[1].protocol | string | `"TCP"` | | -| defaults.service.ports[1].targetPort | int | `8080` | | -| defaults.service.ports[2].name | string | `"https"` | | -| defaults.service.ports[2].port | int | `443` | | -| defaults.service.ports[2].protocol | string | `"TCP"` | | -| defaults.service.ports[2].targetPort | int | `8443` | | -| defaults.service.annotations | object | `{}` | | -| defaults.service.loadBalancerIP | string | `""` | | -| defaults.service.loadBalancerSourceRanges | list | `[]` | | -| defaults.service.externalTrafficPolicy | string | `""` | | -| 
defaults.service.externalIPs | list | `[]` | | -| defaults.service.ipFamilyPolicy | string | `""` | | -| defaults.service.ipFamilies | list | `[]` | | -| defaults.resources.requests.cpu | string | `"100m"` | | -| defaults.resources.requests.memory | string | `"128Mi"` | | -| defaults.resources.limits.cpu | string | `"2000m"` | | -| defaults.resources.limits.memory | string | `"1024Mi"` | | -| defaults.autoscaling.enabled | bool | `true` | | -| defaults.autoscaling.minReplicas | int | `1` | | -| defaults.autoscaling.maxReplicas | int | `5` | | -| defaults.autoscaling.targetCPUUtilizationPercentage | int | `80` | | -| defaults.autoscaling.targetMemoryUtilizationPercentage | object | `{}` | | -| defaults.autoscaling.autoscaleBehavior | object | `{}` | | -| defaults.env | object | `{}` | | -| defaults.labels | object | `{}` | | -| defaults.annotations | object | `{}` | | -| defaults.nodeSelector | object | `{}` | | -| defaults.tolerations | list | `[]` | | -| defaults.topologySpreadConstraints | list | `[]` | | -| defaults.affinity | object | `{}` | | -| defaults.networkGateway | string | `""` | | -| defaults.image.repo | string | `"registry1.dso.mil/ironbank/opensource/istio/proxyv2"` | | -| defaults.image.tag | string | `"1.23.3"` | | -| defaults.imagePullPolicy | string | `""` | | -| defaults.imagePullSecrets[0].name | string | `"private-registry"` | | -| defaults.podDisruptionBudget | object | `{}` | | -| defaults.terminationGracePeriodSeconds | int | `30` | | -| defaults.volumes | list | `[]` | | -| defaults.volumeMounts | list | `[]` | | -| defaults.priorityClassName | string | `""` | | -| defaults.enterprise | bool | `false` | | -| defaults.tidHub | string | `"registry1.dso.mil/ironbank/tetrate/istio"` | | -| defaults.tidTag | string | `"1.23.3-tetratefips-v0"` | | +| _internal_defaults_do_not_set.name | string | `""` | | +| _internal_defaults_do_not_set.revision | string | `""` | | +| _internal_defaults_do_not_set.replicaCount | string | `nil` | | +| 
_internal_defaults_do_not_set.kind | string | `"Deployment"` | | +| _internal_defaults_do_not_set.rbac.enabled | bool | `true` | | +| _internal_defaults_do_not_set.serviceAccount.create | bool | `true` | | +| _internal_defaults_do_not_set.serviceAccount.annotations | object | `{}` | | +| _internal_defaults_do_not_set.serviceAccount.name | string | `""` | | +| _internal_defaults_do_not_set.podAnnotations."prometheus.io/port" | string | `"15020"` | | +| _internal_defaults_do_not_set.podAnnotations."prometheus.io/scrape" | string | `"true"` | | +| _internal_defaults_do_not_set.podAnnotations."prometheus.io/path" | string | `"/stats/prometheus"` | | +| _internal_defaults_do_not_set.podAnnotations."inject.istio.io/templates" | string | `"gateway"` | | +| _internal_defaults_do_not_set.podAnnotations."sidecar.istio.io/inject" | string | `"true"` | | +| _internal_defaults_do_not_set.securityContext | object | `{}` | | +| _internal_defaults_do_not_set.containerSecurityContext | object | `{}` | | +| _internal_defaults_do_not_set.service.type | string | `"LoadBalancer"` | | +| _internal_defaults_do_not_set.service.ports[0].name | string | `"tcp-status-port"` | | +| _internal_defaults_do_not_set.service.ports[0].port | int | `15021` | | +| _internal_defaults_do_not_set.service.ports[0].protocol | string | `"TCP"` | | +| _internal_defaults_do_not_set.service.ports[0].targetPort | int | `15021` | | +| _internal_defaults_do_not_set.service.ports[1].name | string | `"http2"` | | +| _internal_defaults_do_not_set.service.ports[1].port | int | `80` | | +| _internal_defaults_do_not_set.service.ports[1].protocol | string | `"TCP"` | | +| _internal_defaults_do_not_set.service.ports[1].targetPort | int | `8080` | | +| _internal_defaults_do_not_set.service.ports[2].name | string | `"https"` | | +| _internal_defaults_do_not_set.service.ports[2].port | int | `443` | | +| _internal_defaults_do_not_set.service.ports[2].protocol | string | `"TCP"` | | +| 
_internal_defaults_do_not_set.service.ports[2].targetPort | int | `8443` | | +| _internal_defaults_do_not_set.service.annotations | object | `{}` | | +| _internal_defaults_do_not_set.service.loadBalancerIP | string | `""` | | +| _internal_defaults_do_not_set.service.loadBalancerSourceRanges | list | `[]` | | +| _internal_defaults_do_not_set.service.externalTrafficPolicy | string | `""` | | +| _internal_defaults_do_not_set.service.externalIPs | list | `[]` | | +| _internal_defaults_do_not_set.service.ipFamilyPolicy | string | `""` | | +| _internal_defaults_do_not_set.service.ipFamilies | list | `[]` | | +| _internal_defaults_do_not_set.resources.requests.cpu | string | `"100m"` | | +| _internal_defaults_do_not_set.resources.requests.memory | string | `"128Mi"` | | +| _internal_defaults_do_not_set.resources.limits.cpu | string | `"2000m"` | | +| _internal_defaults_do_not_set.resources.limits.memory | string | `"1024Mi"` | | +| _internal_defaults_do_not_set.autoscaling.enabled | bool | `true` | | +| _internal_defaults_do_not_set.autoscaling.minReplicas | int | `1` | | +| _internal_defaults_do_not_set.autoscaling.maxReplicas | int | `5` | | +| _internal_defaults_do_not_set.autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| _internal_defaults_do_not_set.autoscaling.targetMemoryUtilizationPercentage | object | `{}` | | +| _internal_defaults_do_not_set.autoscaling.autoscaleBehavior | object | `{}` | | +| _internal_defaults_do_not_set.env | object | `{}` | | +| _internal_defaults_do_not_set.strategy | object | `{}` | | +| _internal_defaults_do_not_set.minReadySeconds | string | `nil` | | +| _internal_defaults_do_not_set.readinessProbe | object | `{}` | | +| _internal_defaults_do_not_set.labels."istio.io/dataplane-mode" | string | `"none"` | | +| _internal_defaults_do_not_set.annotations | object | `{}` | | +| _internal_defaults_do_not_set.nodeSelector | object | `{}` | | +| _internal_defaults_do_not_set.tolerations | list | `[]` | | +| 
_internal_defaults_do_not_set.topologySpreadConstraints | list | `[]` | | +| _internal_defaults_do_not_set.affinity | object | `{}` | | +| _internal_defaults_do_not_set.networkGateway | string | `""` | | +| _internal_defaults_do_not_set.image.repo | string | `"registry1.dso.mil/ironbank/opensource/istio/proxyv2"` | | +| _internal_defaults_do_not_set.image.tag | string | `"1.23.3"` | | +| _internal_defaults_do_not_set.imagePullPolicy | string | `""` | | +| _internal_defaults_do_not_set.imagePullSecrets[0].name | string | `"private-registry"` | | +| _internal_defaults_do_not_set.podDisruptionBudget | object | `{}` | | +| _internal_defaults_do_not_set.terminationGracePeriodSeconds | int | `30` | | +| _internal_defaults_do_not_set.volumes | list | `[]` | | +| _internal_defaults_do_not_set.volumeMounts | list | `[]` | | +| _internal_defaults_do_not_set.priorityClassName | string | `""` | | +| _internal_defaults_do_not_set.enterprise | bool | `false` | | +| _internal_defaults_do_not_set.tidHub | string | `"registry1.dso.mil/ironbank/tetrate/istio"` | | +| _internal_defaults_do_not_set.tidTag | string | `"1.23.3-tetratefips-v0"` | | | mtls.mode | string | `"STRICT"` | STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic | | networkPolicies.enabled | bool | `true` | | | networkPolicies.additionalPolicies | list | `[]` | | -- GitLab From 40018a822fed62cc6e7e93028999a6d24e462efc Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Mon, 17 Mar 2025 15:23:49 -0500 Subject: [PATCH 05/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 4 ++-- chart/Chart.yaml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index c848192..85db7dc 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. --> # gateway -    +    Helm chart for deploying Istio gateways @@ -11,7 +11,7 @@ Helm chart for deploying Istio gateways ## Upstream Release Notes -- [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.23.2/announcing-1.23.2) +- [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.25.x/announcing-1.25) ## Learn More diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 0b62eb7..a232c6a 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: gateway description: Helm chart for deploying Istio gateways type: application -version: 1.23.3-bb.3 -appVersion: 1.23.3 +version: 1.25.0-bb.0 +appVersion: 1.25.0 sources: - https://github.com/istio/istio icon: https://istio.io/latest/favicons/android-192x192.png @@ -13,4 +13,4 @@ keywords: annotations: bigbang.dev/maintenanceTrack: bb_integrated bigbang.dev/upstreamReleaseNotesMarkdown: | - - [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.23.2/announcing-1.23.2) + - [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.25.x/announcing-1.25) -- GitLab From 5fd5e59ac2ffa846b99c8870b313601a6a5e2438 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Mon, 17 Mar 2025 15:52:44 -0500 Subject: [PATCH 06/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- chart/values.schema.json | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/chart/values.schema.json b/chart/values.schema.json index 3108259..c43b8ef 100644 --- a/chart/values.schema.json +++ b/chart/values.schema.json 
@@ -246,17 +246,6 @@ "Never" ] }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, "podDisruptionBudget": { "type": "object", "properties": { -- GitLab From 88dfa295497e508dec0b1784739187bffe957154 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Mon, 17 Mar 2025 16:08:12 -0500 Subject: [PATCH 07/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/DEVELOPMENT_MAINTENANCE.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index c346b7b..ddbecf8 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md @@ -40,7 +40,12 @@ This is a high-level list of modifications that Big Bang has made to the upstrea ``` ## chart/templates/deployment.yaml -- Added templating for Tetrate FIPs image integration lines 56-60. +- Added templating for Tetrate FIPs image integration lines 65-67. +``` + {{- if .Values.enterprise }} + image: "{{ .Values.tidHub }}/{{ "proxyv2" }}:{{ .Values.tidTag }}" + {{- else }} +``` - Modified the following section under `spec.template.spec.containers.ports` to suppress warnings from Kiali as the gateway deployment was not listening on the same ports as its associated service: ``` -- GitLab From 8017678358ab1889ac38a4fe2cc9ef7564c6c54d Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Mon, 17 Mar 2025 16:14:16 -0500 Subject: [PATCH 08/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- chart/values.yaml | 2 +- docs/DEVELOPMENT_MAINTENANCE.md | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 721bd2e..112e98d 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
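Review bot: Removing the `imagePullSecrets` definition from values.schema.json drops the only type check on a value the chart still sets and documents (`imagePullSecrets: - name: private-registry` in values.yaml and the README table elsewhere in this series), so a mistyped override — a bare string, or a list of strings instead of `{name: ...}` objects — now passes `helm lint` and surfaces only as an image-pull failure, or an unintended anonymous pull, at deploy time. The patch subject is just an emoji, so the reason for the deletion is not recorded; if upstream 1.25 validates this field another way, please say so in DEVELOPMENT_MAINTENANCE.md next to the other values.yaml deviations. Otherwise restore the entry and tighten it to require the key that the pod spec needs: `"imagePullSecrets": { "type": "array", "items": { "type": "object", "properties": { "name": { "type": "string" } }, "required": ["name"] } }`. Whether the enclosing `properties` object is `additionalProperties: false` (which would make the field rejected outright) is not visible in this hunk.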
@@ -176,7 +176,7 @@ _internal_defaults_do_not_set: # If enterprise is set to true FIPs Tetrate Image Distro images are used enterprise: false tidHub: registry1.dso.mil/ironbank/tetrate/istio - tidTag: 1.23.3-tetratefips-v0 + tidTag: 1.25.0-tetratefips0 mtls: # -- STRICT = Allow only mutual TLS traffic, diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index ddbecf8..5715e3e 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md @@ -57,7 +57,13 @@ This is a high-level list of modifications that Big Bang has made to the upstrea ``` ## chart/values.yaml -- Added enterprise boolean, tidHub and tidTag for Tetrate FIPs image integraton lines 157-160. +- Added enterprise boolean, tidHub and tidTag for Tetrate FIPs image integraton around line 176. +``` + # If enterprise is set to true FIPs Tetrate Image Distro images are used + enterprise: false + tidHub: registry1.dso.mil/ironbank/tetrate/istio + tidTag: 1.25.0-tetratefips0 +``` - Prepended default `status-port` to `tcp-status-port` under `service.ports` section to appease Kiali warning. - Added gateway which is used to pass down required values into `chart/templates/bigbang/gateway.yaml`. - Added `networkPolicies` section to enable default network policies and allow custom additional network policies to be added. -- GitLab From eb73445709bd40d14797a148fc94653b7d789d0c Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Mon, 17 Mar 2025 16:42:42 -0500 Subject: [PATCH 09/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/DEVELOPMENT_MAINTENANCE.md | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index 5715e3e..aacdd3c 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md 
@@ -64,9 +64,36 @@ This is a high-level list of modifications that Big Bang has made to the upstrea tidHub: registry1.dso.mil/ironbank/tetrate/istio tidTag: 1.25.0-tetratefips0 ``` -- Prepended default `status-port` to `tcp-status-port` under `service.ports` section to appease Kiali warning. -- Added gateway which is used to pass down required values into `chart/templates/bigbang/gateway.yaml`. +- Changed `status-port` to `tcp-status-port` under `_internal_defaults_do_not_set.service.ports` section to appease Kiali warning. +- Added default gateway which is used to pass down required values into `chart/templates/bigbang/gateway.yaml`. +``` +# Settings for istio gateway +gateway: + servers: + - hosts: + - '*.dev.bigbang.mil' + port: + name: http + number: 8080 + protocol: HTTP + tls: + httpsRedirect: true + - hosts: + - '*.dev.bigbang.mil' + port: + name: https + number: 8443 + protocol: HTTPS + tls: + credentialName: public-cert + mode: SIMPLE +``` - Added `networkPolicies` section to enable default network policies and allow custom additional network policies to be added. +``` +networkPolicies: + enabled: true + additionalPolicies: [] +``` - Added the following `mtls` section to enable mutual TLS used in `chart/templates/bigbang/peerAuthentication.yaml`: ``` -- GitLab From 1c7b2518fd35fd59017049f6e7a07935669de512 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Mon, 17 Mar 2025 17:20:08 -0500 Subject: [PATCH 10/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/DEVELOPMENT_MAINTENANCE.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index aacdd3c..a70db07 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md 
@@ -55,6 +55,10 @@ This is a high-level list of modifications that Big Bang has made to the upstrea name: {{ $ports.name }} {{- end }} ``` +- Modified the image away from using `auto` to speed up deployment +``` + image: "{{ .Values.image.repo }}:{{ .Values.image.tag }}" +``` ## chart/values.yaml - Added enterprise boolean, tidHub and tidTag for Tetrate FIPs image integraton around line 176. -- GitLab From f3144aaabbcaff554abb2f9cf6bf37a6a039a32f Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Mon, 17 Mar 2025 17:22:23 -0500 Subject: [PATCH 11/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/DEVELOPMENT_MAINTENANCE.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index a70db07..f3b08da 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md @@ -55,7 +55,7 @@ This is a high-level list of modifications that Big Bang has made to the upstrea name: {{ $ports.name }} {{- end }} ``` -- Modified the image away from using `auto` to speed up deployment +- Modified `spec.containers.image` away from using `auto` to speed up deployment ``` image: "{{ .Values.image.repo }}:{{ .Values.image.tag }}" ``` @@ -68,7 +68,7 @@ This is a high-level list of modifications that Big Bang has made to the upstrea tidHub: registry1.dso.mil/ironbank/tetrate/istio tidTag: 1.25.0-tetratefips0 ``` -- Changed `status-port` to `tcp-status-port` under `_internal_defaults_do_not_set.service.ports` section to appease Kiali warning. +- Changed `status-port` to `tcp-status-port` under `service.ports` section to appease Kiali warning. - Added default gateway which is used to pass down required values into `chart/templates/bigbang/gateway.yaml`. ``` # Settings for istio gateway -- GitLab From 7b65cc00b3555d96dff67f001eb1429a5500e63b Mon Sep 17 00:00:00 2001 
From: Greg <miernicki_gregory@bah.com> Date: Tue, 18 Mar 2025 05:20:46 -0500 Subject: [PATCH 12/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/DEVELOPMENT_MAINTENANCE.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index f3b08da..8a42064 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md 
@@ -4,14 +4,14 @@ 1. Update via `kpt`: ```bash # update to VERSION of the upstream chart auto-merging in changes - kpt pkg update chart@1.23.2 --strategy alpha-git-patch + kpt pkg update chart@1.25.0 --strategy alpha-git-patch ``` Or if you'd like to pull down upstream to a fresh `DIR` and manually merge in the changes yourself: ```bash # get a fresh VERSION of the upstream chart to DIR - kpt pkg get "https://github.com/istio/istio.git/manifests/charts/gateway@1.23.2" ./fresh + kpt pkg get "https://github.com/istio/istio.git/manifests/charts/gateway@1.25.0" ./fresh ``` -1. Update version references for the Chart. `version` should be `<version>-bb.0` (ex: `1.22.2-bb.0`) and `appVersion` should be `<version>` (ex: `1.22.2`). Also validate that the BB annotation for the main Istio version is updated (leave the Tetrate version as-is unless you are updating those images). +1. Update version references for the Chart. `version` should be `<version>-bb.0` (ex: `1.25.0-bb.0`) and `appVersion` should be `<version>` (ex: `1.25.0`). Also validate that the BB annotation for the main Istio version is updated (leave the Tetrate version as-is unless you are updating those images). 1. Add a changelog entry for the update. At minimum mention updating the image versions. 1. Update the readme following the [steps in Gluon](https://repo1.dso.mil/platform-one/big-bang/apps/library-charts/gluon/-/blob/master/docs/bb-package-readme.md). 1. Open MR (or check the one that Renovate created for you) and validate that the pipeline is successful. Also follow the testing steps below for some manual confirmations. -- GitLab From dd7f213650c2f10b2140f9613c0ce9af4ef1cb32 Mon Sep 17 00:00:00 2001 
From: Greg <miernicki_gregory@bah.com> Date: Tue, 18 Mar 2025 05:26:58 -0500 Subject: [PATCH 13/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/DEVELOPMENT_MAINTENANCE.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index 8a42064..7056836 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md @@ -105,4 +105,20 @@ mtls: # -- STRICT = Allow only mutual TLS traffic, # PERMISSIVE = Allow both plain text and mutual TLS traffic mode: STRICT -``` \ No newline at end of file +``` + +## chart/templates/_helpers.tpl +Replaced: +``` +{{- if .Values.serviceAccount.create }} +{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} +{{- else }} +``` +...with... +``` +{{- if .Values.serviceAccount.create }} +{{- $defaultSericeAccount := printf "%s-%s" (include "gateway.name" .) "ingressgateway-service-account" -}} +{{- .Values.serviceAccount.name | default $defaultSericeAccount }} +{{- else }} +``` +...to remain consistent with previously existing authorization policies. \ No newline at end of file -- GitLab From 1fd4e33fa71b262e827fc138fb759a95f1159938 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Tue, 18 Mar 2025 05:29:08 -0500 Subject: [PATCH 14/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/DEVELOPMENT_MAINTENANCE.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index 7056836..d566cdc 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md 
@@ -121,4 +121,3 @@ Replaced: {{- .Values.serviceAccount.name | default $defaultSericeAccount }} {{- else }} ``` -...to remain consistent with previously existing authorization policies. \ No newline at end of file -- GitLab From 227c6a8461831b7f68fe9c37622b5fe4bbe5afa6 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Tue, 18 Mar 2025 05:35:10 -0500 Subject: [PATCH 15/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/DEVELOPMENT_MAINTENANCE.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index d566cdc..c8f40aa 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md @@ -61,6 +61,19 @@ This is a high-level list of modifications that Big Bang has made to the upstrea ``` ## chart/values.yaml +- Specified the `image` to use instead of using `auto` +``` + # Setting ironbank image + image: + repo: registry1.dso.mil/ironbank/opensource/istio/proxyv2 + tag: 1.25.0 +``` +- Changed to ``private-registry` +``` + imagePullSecrets: + - name: private-registry +``` + - Added enterprise boolean, tidHub and tidTag for Tetrate FIPs image integraton around line 176. ``` # If enterprise is set to true FIPs Tetrate Image Distro images are used -- GitLab From 779556b7dbfd055b0dbd986807629c009030adcd Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Tue, 18 Mar 2025 05:35:48 -0500 Subject: [PATCH 16/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/DEVELOPMENT_MAINTENANCE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index c8f40aa..017739d 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md 
@@ -68,7 +68,7 @@ This is a high-level list of modifications that Big Bang has made to the upstrea repo: registry1.dso.mil/ironbank/opensource/istio/proxyv2 tag: 1.25.0 ``` -- Changed to ``private-registry` +- Changed `imagePullSecrets` to `private-registry` ``` imagePullSecrets: - name: private-registry -- GitLab From d771a37f4edaa46dfd1e0cdd3b6e89212234280e Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Tue, 18 Mar 2025 05:41:06 -0500 Subject: [PATCH 17/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/DEVELOPMENT_MAINTENANCE.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index 017739d..ec7710b 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md @@ -74,14 +74,18 @@ This is a high-level list of modifications that Big Bang has made to the upstrea - name: private-registry ``` -- Added enterprise boolean, tidHub and tidTag for Tetrate FIPs image integraton around line 176. +- Added `defaults.enterprise` boolean, tidHub and tidTag for Tetrate FIPs image integraton around line 176. ``` # If enterprise is set to true FIPs Tetrate Image Distro images are used enterprise: false tidHub: registry1.dso.mil/ironbank/tetrate/istio tidTag: 1.25.0-tetratefips0 ``` + - Changed `status-port` to `tcp-status-port` under `service.ports` section to appease Kiali warning. +- Changed the `targetPort`s under `service.ports` from 80 and 443 to 8080 and 8443. + + - Added default gateway which is used to pass down required values into `chart/templates/bigbang/gateway.yaml`. ``` # Settings for istio gateway 
@@ -105,14 +109,15 @@ gateway: credentialName: public-cert mode: SIMPLE ``` + - Added `networkPolicies` section to enable default network policies and allow custom additional network policies to be added. ``` networkPolicies: enabled: true additionalPolicies: [] ``` -- Added the following `mtls` section to enable mutual TLS used in `chart/templates/bigbang/peerAuthentication.yaml`: +- Added the following `mtls` section to enable mutual TLS used in `chart/templates/bigbang/peerAuthentication.yaml`: ``` mtls: # -- STRICT = Allow only mutual TLS traffic, -- GitLab From fa9a3376560c4917ec687ea39cde2f292be4ed6e Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Tue, 18 Mar 2025 05:48:19 -0500 Subject: [PATCH 18/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 85db7dc..1a9675d 100644 --- a/README.md +++ b/README.md @@ -108,7 +108,7 @@ helm install gateway chart/ | _internal_defaults_do_not_set.priorityClassName | string | `""` | | | _internal_defaults_do_not_set.enterprise | bool | `false` | | | _internal_defaults_do_not_set.tidHub | string | `"registry1.dso.mil/ironbank/tetrate/istio"` | | -| _internal_defaults_do_not_set.tidTag | string | `"1.23.3-tetratefips-v0"` | | +| _internal_defaults_do_not_set.tidTag | string | `"1.25.0-tetratefips0"` | | | mtls.mode | string | `"STRICT"` | STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic | | networkPolicies.enabled | bool | `true` | | | networkPolicies.additionalPolicies | list | `[]` | | -- GitLab From 623b2ac555e7da99a4ea232656ab5b550921a406 Mon Sep 17 00:00:00 2001 
From: Greg <miernicki_gregory@bah.com> Date: Tue, 18 Mar 2025 05:49:49 -0500 Subject: [PATCH 19/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- chart/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/values.yaml b/chart/values.yaml index 112e98d..b39a675 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -117,7 +117,7 @@ _internal_defaults_do_not_set: # Setting ironbank image image: repo: registry1.dso.mil/ironbank/opensource/istio/proxyv2 - tag: 1.23.3 + tag: 1.25.0 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent -- GitLab From d9498fc8196e17f12beea141cb7fe397986dd2c0 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Tue, 18 Mar 2025 05:49:56 -0500 Subject: [PATCH 20/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1a9675d..09e4c4b 100644 --- a/README.md +++ b/README.md @@ -98,7 +98,7 @@ helm install gateway chart/ | _internal_defaults_do_not_set.affinity | object | `{}` | | | _internal_defaults_do_not_set.networkGateway | string | `""` | | | _internal_defaults_do_not_set.image.repo | string | `"registry1.dso.mil/ironbank/opensource/istio/proxyv2"` | | -| _internal_defaults_do_not_set.image.tag | string | `"1.23.3"` | | +| _internal_defaults_do_not_set.image.tag | string | `"1.25.0"` | | | _internal_defaults_do_not_set.imagePullPolicy | string | `""` | | | _internal_defaults_do_not_set.imagePullSecrets[0].name | string | `"private-registry"` | | | _internal_defaults_do_not_set.podDisruptionBudget | object | `{}` | | -- GitLab From 69664707b7fc5aeeaf167a23c487fda768015b6d Mon Sep 17 00:00:00 2001 
From: Greg <miernicki_gregory@bah.com> Date: Tue, 18 Mar 2025 05:55:19 -0500 Subject: [PATCH 21/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 30e07a6..00ab2ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [1.25.0-bb.0] - 2024-03-18 +Changed +- Updated istio-gateway to 1.25.0 + ## [1.23.3-bb.3] - 2024-02-13 ### Added -- GitLab From 35dc346e8ebafc99a47ae424646f4cf0e2ba4da1 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Tue, 18 Mar 2025 05:56:38 -0500 Subject: [PATCH 22/22] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 00ab2ed..c8f44ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), ## [1.25.0-bb.0] - 2024-03-18 Changed -- Updated istio-gateway to 1.25.0 +- Updated to v1.25.0 ## [1.23.3-bb.3] - 2024-02-13 -- GitLab