feat: multi-ingress gateway

dabc7544 · Michael McLeroy · b7973841 · dabc7544 · dabc7544 · dabc7544
Commit dabc7544 authored 3 years ago by Michael McLeroy
--- a/chart/templates/istio/controlplane/secret-tls.yaml
+++ b/chart/templates/istio/controlplane/secret-tls.yaml
-{{- if and .Values.istio.enabled  (and .Values.istio.ingress.key .Values.istio.ingress.cert ) }}
+{{- if and .Values.istio.enabled }}
+
+{{/*
+For backwards compatibility, get key/cert from .Values.istio.ingress
+*/}}
+{{- $default := .Values.istio.ingress | default dict -}}
+
+{{- range $name, $values := .Values.istio.gateways }}
+{{- if or (and $values.tls.cert $values.tls.key) (and $default.cert $default.key) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: wildcard-cert
+  name: {{ printf "%s-cert" $name }}
  namespace: istio-system
  labels:
    app.kubernetes.io/name: istio-controlplane
    app.kubernetes.io/component: "core"
-    {{- include "commonLabels" . | nindent 4}}
+    {{- include "commonLabels" $ | nindent 4}}
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ .Values.istio.ingress.cert | b64enc }}
-  tls.key: {{ .Values.istio.ingress.key | b64enc}}
+  tls.crt: {{ default $default.cert $values.tls.cert | b64enc }}
+  tls.key: {{ default $default.key $values.tls.key | b64enc }}
+---
+{{- end }}
+{{- end }}
+
 {{- end }}
\ No newline at end of file
--- a/chart/templates/istio/controlplane/values.yaml
+++ b/chart/templates/istio/controlplane/values.yaml
@@ -13,6 +13,44 @@ imagePullSecrets:

 openshift: {{ .Values.openshift }}

+{{- if .Values.istio.ingressGateways }}
+ingressGateways:
+  istio-ingressgateway:
+    enabled: false
+{{- end }}
+{{- range $name, $values := .Values.istio.ingressGateways }}
+  {{ $name | nindent 2 }}:
+    extraLabels:
+      app.kubernetes.io/name: istio-controlplane
+      app.kubernetes.io/component: "core"
+      {{- include "commonLabels" $ | nindent 6}}
+    k8s:
+      service:
+        type: {{ $values.type }}
+      serviceAnnotations:
+        {{ $values.serviceAnnotations | default (dict) | toYaml | nindent 8 }}
+{{- end }}
+
+{{- if .Values.istio.gateways }}
+gateways:
+  main: null
+{{- end }}
+{{- range $name, $values := .Values.istio.gateways }}
+  {{ $name | nindent 2 }}:
+    selector:
+      app: {{ $values.ingressGateway }}
+    servers:
+    - hosts:
+      {{ tpl ($values.hosts | default (list) | toYaml) $ | nindent 8 }}
+      port:
+        name: https
+        number: 8443
+        protocol: HTTPS
+      tls:
+        credentialName: {{ $name }}-cert
+        mode: {{ default "SIMPLE" $values.tls.mode }}
+{{- end }}
+
 {{- if .Values.addons.keycloak.enabled }}
 extraServers:
 - port:

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -110,17 +110,57 @@ istio:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
    path: "./chart"
-    tag: "1.8.4-bb.2"
+    tag: "1.8.4-bb.3"
+
+  # Ingress gateways are created based on the key name.  Adding more keys will add ingress gateways.
+  # Ingress gateways are setup in a Horizontal Pod Autoscaler with 1 to 5 replicas
+  # Besides some ports needed by Istio, only ports 80 and 443 are opened
+  ingressGateways:
+    public-ingressgateway:
+      type: "LoadBalancer" # or "NodePort"
+      serviceAnnotations: {}
+        # service.beta.kubernetes.io/aws-load-balancer-type: nlb
+        # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+    # private-ingressgateway:
+    #   type: "LoadBalancer" # or "NodePort"
+    #   serviceAnnotations: {}
+    # keycloak-ingressgateway:
+    #   type: "LoadBalancer" # or "NodePort"
+    #   serviceAnnotations: {}
+
+  gateways:
+    public:
+      ingressGateway: "public-ingressgateway"
+      hosts:
+      - "*.{{ .Values.hostname }}"
+      tls:
+        key: ""
+        cert: ""
+    # private:
+    #   ingressGateway: "private-ingressgateway"
+    #   hosts:
+    #   - alertmanager.{{ .Values.hostname }}
+    #   - anchore.{{ .Values.hostname }}
+    #   - argocd.{{ .Values.hostname }}
+    #   - grafana.{{ .Values.hostname }}
+    #   - kiali.{{ .Values.hostname }}
+    #   - kibana.{{ .Values.hostname }}
+    #   - prometheus.{{ .Values.hostname }}
+    #   - tracing.{{ .Values.hostname }}
+    #   - twistlock.{{ .Values.hostname }}
+    #   tls:
+    #     key: ""
+    #     cert: ""
+    # keycloak:
+    #   ingressGateway: "keycloak-ingressgateway"
+    #   hosts:
+    #   - "keycloak.{{ .Values.hostname }}"
+    #   tls:
+    #     mode: "PASSTHROUGH"

  # -- Flux reconciliation overrides specifically for the Istio Package
  flux: {}

-  # -- Certificate/Key pair to use as the default certificate for exposing BigBang created applications.
-  # If nothing is provided, applications will expect a valid tls secret to exist in the `istio-system` namespace called `wildcard-cert`.
-  ingress:
-    key: ""
-    cert: ""
-
  # -- Values to passthrough to the istio-controlplane chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
  values: {}

@@ -943,12 +983,6 @@ addons:
      path: "./chart"
      tag: "11.0.0-bb.4"

-    # -- Certificate/Key pair to use as the certificate for exposing Keycloak
-    # Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart
-    ingress:
-      key: ""
-      cert: ""
-
    database:
      # -- Hostname of a pre-existing database to use for Keycloak.
      # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.