feat: updated nodeport support for istio gateways

db8f3d31 · Michael McLeroy · dabc7544 · db8f3d31 · db8f3d31
Commit db8f3d31 authored 3 years ago by Michael McLeroy
--- a/chart/templates/istio/controlplane/values.yaml
+++ b/chart/templates/istio/controlplane/values.yaml
@@ -18,6 +18,7 @@ ingressGateways:
  istio-ingressgateway:
    enabled: false
 {{- end }}
+
 {{- range $name, $values := .Values.istio.ingressGateways }}
  {{ $name | nindent 2 }}:
    extraLabels:
@@ -27,6 +28,26 @@ ingressGateways:
    k8s:
      service:
        type: {{ $values.type }}
+        {{- if $values.nodePortBase }}
+        ports: # Pulled from Istio gateway defaults (https://github.com/istio/istio/blob/master/manifests/charts/gateways/istio-ingress/values.yaml)
+        # Ports default to "protocol: TCP" and "targetPort = port"
+        # AWS ELB will by default perform health checks on the first port on this list. https://github.com/istio/istio/issues/12503
+        - port: 15021
+          name: status-port
+          nodePort: {{ add $values.nodePortBase 0 }}
+        - port: 80
+          targetPort: 8080
+          name: http2
+          nodePort: {{ add $values.nodePortBase 1 }}
+        - port: 443
+          targetPort: 8443
+          name: https
+          nodePort: {{ add $values.nodePortBase 2 }}
+        # SNI Routing port
+        - port: 15443
+          name: tls
+          nodePort: {{ add $values.nodePortBase 3 }}
+        {{- end }}
      serviceAnnotations:
        {{ $values.serviceAnnotations | default (dict) | toYaml | nindent 8 }}
 {{- end }}

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -115,18 +115,25 @@ istio:
  # Ingress gateways are created based on the key name.  Adding more keys will add ingress gateways.
  # Ingress gateways are setup in a Horizontal Pod Autoscaler with 1 to 5 replicas
  # Besides some ports needed by Istio, only ports 80 and 443 are opened
+  # Ingress gateways that require more configuration can be completed using `istio.values`
  ingressGateways:
    public-ingressgateway:
      type: "LoadBalancer" # or "NodePort"
      serviceAnnotations: {}
-        # service.beta.kubernetes.io/aws-load-balancer-type: nlb
-        # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+
    # private-ingressgateway:
    #   type: "LoadBalancer" # or "NodePort"
-    #   serviceAnnotations: {}
+    #   serviceAnnotations:
+    #     service.beta.kubernetes.io/aws-load-balancer-type: nlb
+    #     service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+
    # keycloak-ingressgateway:
-    #   type: "LoadBalancer" # or "NodePort"
+    #   type: "NodePort" # or "LoadBalancer"
    #   serviceAnnotations: {}
+    #   # Node ports are assigned starting from nodePortBase.  The nodePortBase specifies the start of a range of 4 unused node ports.
+    #   # Node port will be assigned as follows: Port 15021 (Status) = nodePortBase, Port 80 = nodePortBase+1, Port 443 = nodePortBase+2, Port 15443 (SNI) = nodePortBase+3
+    #   # Node port base should be in the range from 30000 to 32764
+    #   nodePortBase: 32000

  gateways:
    public:
@@ -139,22 +146,14 @@ istio:
    # private:
    #   ingressGateway: "private-ingressgateway"
    #   hosts:
-    #   - alertmanager.{{ .Values.hostname }}
-    #   - anchore.{{ .Values.hostname }}
-    #   - argocd.{{ .Values.hostname }}
-    #   - grafana.{{ .Values.hostname }}
-    #   - kiali.{{ .Values.hostname }}
-    #   - kibana.{{ .Values.hostname }}
-    #   - prometheus.{{ .Values.hostname }}
-    #   - tracing.{{ .Values.hostname }}
-    #   - twistlock.{{ .Values.hostname }}
+    #   - "*.{{ .Values.hostname }}"
    #   tls:
    #     key: ""
    #     cert: ""
    # keycloak:
    #   ingressGateway: "keycloak-ingressgateway"
    #   hosts:
-    #   - "keycloak.{{ .Values.hostname }}"
+    #   - "*.{{ .Values.hostname }}"
    #   tls:
    #     mode: "PASSTHROUGH"