1.8 upgrade

.gitlab-ci.yml

@@ -3,5 +3,5 @@ include:
     ref: master
     file: '/templates/package-tests.yml'
 variables:
-  ISTIO_GATEWAY_NS: istio-system
-  PROJECT_NAME: istio-system
+  PACKAGE_NAMESPACE: istio-system
+  PACKAGE_HELM_NAME: istio

chart/Chart.yaml

 apiVersion: v2
 name: istio
-version: 1.7.3-bb.15
+version: 1.8.4-bb.0
\ No newline at end of file

chart/templates/controlplane.yaml

@@ -9,10 +9,49 @@ spec:
   tag: {{ .Values.tag }}
 
   components:
+    pilot:
+      k8s:
+{{- if and .Values.istiod.hpaSpec.maxReplicas .Values.istiod.hpaSpec.minReplicas }}
+        hpaSpec:
+          maxReplicas: {{ .Values.istiod.hpaSpec.maxReplicas }}
+          minReplicas: {{ .Values.istiod.hpaSpec.minReplicas }}
+          scaleTargetRef:
+            apiVersion: apps/v1
+            kind: Deployment
+            name: istiod
+          metrics:
+            {{- toYaml .Values.istiod.hpaSpec.metrics | nindent 12 }}
+{{- end }}
+        replicaCount: {{ .Values.istiod.replicaCount }}
+        resources:
+          {{- toYaml .Values.istiod.resources | nindent 10 }}
+        strategy:
+          {{- toYaml .Values.istiod.strategy | nindent 10 }}
+        serviceAnnotations:
+          {{- .Values.istiod.serviceAnnotations | default (dict) | toYaml | nindent 10 }}
+        podAnnotations:
+          {{- .Values.istiod.podAnnotations | default (dict) | toYaml | nindent 10 }}
+        nodeSelector:
+          {{- .Values.istiod.nodeSelector | default (dict) | toYaml | nindent 10 }}
+        affinity:
+          {{- .Values.istiod.affinity | default (dict) | toYaml | nindent 10 }}
+        tolerations:
+          {{- .Values.istiod.tolerations | default (list) | toYaml | nindent 10 }}
     {{- if .Values.openshift }}
+    {{- with .Values.cni }}
     cni:
       enabled: true
       namespace: kube-system
+      k8s:
+        podAnnotations:
+          {{- .podAnnotations | default (dict) | toYaml | nindent 10 }}
+        nodeSelector:
+          {{- .nodeSelector | default (dict) | toYaml | nindent 10 }}
+        tolerations:
+          {{- .tolerations | default (list) | toYaml | nindent 10 }}
+        affinity:
+          {{- .affinity | default (dict) | toYaml | nindent 10 }}
+    {{- end }}
     {{- end }}
     ingressGateways:
       - name: istio-ingressgateway
@@ -47,10 +86,7 @@ spec:
             minReplicas: {{ .Values.ingressGateway.minReplicas }}
             maxReplicas: {{ .Values.ingressGateway.maxReplicas }}
             metrics:
-              - type: Resource
-                resource:
-                  name: cpu
-                  targetAverageUtilization: 60
+              {{- toYaml .Values.ingressGateway.scaleMetrics | nindent 12 }}
             scaleTargetRef:
               apiVersion: apps/v1
               kind: Deployment
@@ -60,13 +96,15 @@ spec:
               maxSurge: 100%
               maxUnavailable: 25%
           resources:
-{{ toYaml .Values.ingressGateway.resources | indent 12 }}
+            {{- toYaml .Values.ingressGateway.resources | indent 12 }}
           serviceAnnotations:
             {{- .Values.ingressGateway.serviceAnnotations | default (dict) | toYaml | nindent 12 }}
           podAnnotations:
             {{- .Values.ingressGateway.podAnnotations | default (dict) | toYaml | nindent 12 }}
           nodeSelector:
             {{- .Values.ingressGateway.nodeSelector | default (dict) | toYaml | nindent 12 }}
+          affinity:
+            {{- .Values.ingressGateway.affinity | default (dict) | toYaml | nindent 12 }}
           tolerations:
             {{- .Values.ingressGateway.tolerations | default (list) | toYaml | nindent 12 }}
       {{- range $i := .Values.extraIngressGateways }}
@@ -98,40 +136,43 @@ spec:
                 {{ $pk }}: {{ $pv }}
                 {{- end }}
               {{- end }}
+          {{- if $i.k8s.hpaSpec }}
           hpaSpec:
             minReplicas: {{ $i.k8s.hpaSpec.minReplicas }}
             maxReplicas: {{ $i.k8s.hpaSpec.maxReplicas }}
             metrics:
+              {{ if $i.k8s.hpaSpec.metrics }}
+              {{- toYaml $i.k8s.hpaSpec.metrics | indent 12 }}
+              {{ else }}
+              {{- /* default metrics, backwards compatible */}}
               - type: Resource
                 resource:
                   name: cpu
                   targetAverageUtilization: 60
+            {{- end }}
             scaleTargetRef:
               apiVersion: apps/v1
               kind: Deployment
               name: {{ $i.name }}
+          {{- end }}
           strategy:
             rollingUpdate:
               maxSurge: 100%
               maxUnavailable: 25%
           resources:
-            {{ toYaml .k8s.resources | nindent 12 }}
+            {{- toYaml .k8s.resources | nindent 12 }}
           serviceAnnotations:
             {{- .k8s.serviceAnnotations | default (dict) | toYaml | nindent 12 }}
           podAnnotations:
             {{- .k8s.podAnnotations | default (dict) | toYaml | nindent 12 }}
           nodeSelector:
             {{- .k8s.nodeSelector | default (dict) | toYaml | nindent 12 }}
+          affinity:
+            {{- .k8s.affinity | default (dict) | toYaml | nindent 12 }}
           tolerations:
             {{- .k8s.tolerations | default (list) | toYaml | nindent 12 }}
   {{- end }}
 
-  addonComponents:
-    kiali:
-      enabled: {{ .Values.kiali.enabled }}
-    tracing:
-      enabled: false
-
   meshConfig:
     accessLogFile: /dev/stdout
     enableTracing: {{ .Values.tracing.enabled }}
@@ -139,6 +180,9 @@ spec:
       tracing:
         sampling: {{ .Values.tracing.sampling }}
       zipkinAddress: {{ .Values.tracing.address }}:{{.Values.tracing.port}}
+    {{- if .Values.meshConfig }}
+    {{- toYaml .Values.meshConfig | nindent 4 }}
+    {{- end }}
 
   values:
     {{- if .Values.openshift }}
@@ -148,14 +192,14 @@ spec:
       image: {{ .Values.cni.image.name }}
       hub: {{ .Values.cni.image.hub }}
       tag: {{ .Values.cni.image.tag }}
-      cniBinDir: /var/lib/cni/bin
-      cniConfDir: /etc/cni/multus/net.d
+      cniBinDir: {{ .Values.cni.binDir | default "/var/lib/cni/bin" }}
+      cniConfDir: {{ .Values.cni.confDir | default "/etc/cni/multus/net.d" }}
       chained: false
-      cniConfFileName: "istio-cni.conf"
+      cniConfFileName: {{ .Values.cni.confFileName | default "istio-cni.conf" }}
       excludeNamespaces:
        - istio-system
        - kube-system
-      logLevel: info
+      logLevel: {{ .Values.cni.logLevel | default "info" }}
     {{- end }}
     global:
       {{- if .Values.imagePullPolicy }}
@@ -165,32 +209,14 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .Values.proxy }}
-      {{- if .Values.proxy.image }}
-      proxy:
-        image: {{ .Values.proxy.image }}
-
-      proxy_init:
-        image: {{ .Values.proxy.image }}
-      {{- end }}
-      {{- end }}
+      {{- if .Values.tracing.enabled }}
       tracer:
         zipkin:
           address: {{ .Values.tracing.address }}:{{.Values.tracing.port}}
-    # https://istio.io/v1.5/docs/reference/config/installation-options/#kiali-options
-    kiali:
-      image: {{ .Values.kiali.image.name }}
-      hub: {{ .Values.kiali.image.hub }}
-      tag: {{ .Values.kiali.image.tag }}
-      {{- if .Values.monitoring.enabled }}
-      prometheusAddr: http://monitoring-monitoring-kube-prometheus.monitoring.svc:9090
-      {{- end }}
-      dashboard:
-        jaegerURL: {{tpl .Values.tracing.externalAddress $ }}
-        grafanaInClusterURL: http://monitoring-monitoring-grafana.monitoring.svc
-        auth:
-          strategy: {{ .Values.kiali.dashboard.auth.strategy }}
-
+      {{ end }}
+      {{- if .Values.values.global }}
+      {{- toYaml .Values.values.global | nindent 6 }}
+      {{- end }}
     sidecarInjectorWebhook:
       rewriteAppHTTPProbe: true
       {{- if .Values.openshift }}

chart/templates/kiali-vs.yaml

-{{- if and .Values.kiali.enabled .Values.istio.kiali.enabled -}}
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: kiali
-  namespace: {{ .Release.Namespace }}
-  {{- if .Values.istio.kiali.labels }}
-  labels:
-{{ toYaml .Values.istio.kiali.labels | indent 4 }}
-  {{- end }}
-  {{- if .Values.istio.kiali.annotations }}
-  annotations:
-{{ toYaml .Values.istio.kiali.annotations | indent 4 }}
-  {{- end }}
-spec:
-  gateways:
-  {{- range .Values.istio.kiali.gateways }}
-    - {{ . }}
-  {{- end }}
-  hosts: 
-  {{- range .Values.istio.kiali.hosts }}
-    - {{ tpl . $}}
-  {{- end }}
-  http:
-  - route:
-    - destination:
-        port:
-          number: {{ .Values.istio.kiali.port | default "20001" }}
-        host: {{ .Values.istio.kiali.service }}.{{ .Values.istio.kiali.namespace | default .Release.Namespace }}.svc.cluster.local
-{{- end }}

chart/values.yaml

@@ -2,13 +2,15 @@
 profile: default
 
 # The hub to use for the image (note: the image is built as ".Values.hub/<component>:.Values.tag"
-hub: registry1.dso.mil/ironbank/opensource/istio
-
+hub: registry1.dso.mil/ironbank/opensource/istio-1.8
 # The tag to use for the image
-tag: 1.7.3
+tag: 1.8.4
 
-proxy:
-  image: registry1.dso.mil/ironbank/opensource/istio-1.7/proxyv2-1.7:1.7.7
+tracing:
+  enabled: true
+  address: jaeger-collector.jaeger.svc
+  port:  9411
+  sampling: 10
 
 # The domain to use for the default gateway
 domain: bigbang.dev
@@ -16,23 +18,6 @@ domain: bigbang.dev
 # Openshift feature switch toggle
 openshift: false
 
-## A little odd to have `.Values.istio` inside the `isito` chart, 
-##bbut keeping it this way for consistency with other bigbang package charts.
-istio:
-  kiali:
-    # Toggle vs creation
-    enabled: true
-    annotations: {}
-    labels: {}
-    gateways:
-      - istio-system/main
-    hosts:
-      - kiali.{{ .Values.hostname | default .Values.domain }}
-    service: kiali
-    namespace: ""
-    port: ""
-
-
 monitoring:
   enabled: true
 
@@ -64,9 +49,48 @@ extraServers:
 #      credentialName: "another-credential"       # required
 #      mode: SIMPLE
 
+# istiod / pilot configuration
+istiod:
+  replicaCount: 1
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2Gi
+    limits:
+      cpu: 500m
+      memory: 2Gi
+  hpaSpec:
+    maxReplicas: 3
+    minReplicas: 1
+    metrics:
+      - type: Resource
+        resource:
+          name: cpu
+          targetAverageUtilization: 60
+  strategy: {}
+  #  k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  podAnnotations: {}
+
+  #  k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  serviceAnnotations: {}
+
+  #  k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+  nodeSelector: {}
+
+  #  k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+  affinity: {}
+
+  #  k8s toleration https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  tolerations: []
+
 ingressGateway:
   minReplicas: 1
   maxReplicas: 5
+  scaleMetrics:
+    - type: Resource
+      resource:
+        name: cpu
+        targetAverageUtilization: 60
   resources: {}
 #    limits:
 #      cpu: 1.5
@@ -119,6 +143,9 @@ ingressGateway:
   #  k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
   nodeSelector: {}
 
+  #  k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+  affinity: {}
+
   #  k8s toleration https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
   tolerations: []
 
@@ -131,7 +158,12 @@ extraIngressGateways:
 #        minReplicas: 1
 #        maxReplicas: 3
 #      serviceAnnotations:
-#        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+#        service.beta.kubernetes.io/aws-load-balancer-internal: "true
+#       metrics:
+#         - type: Resource
+#           resource:
+#             name: cpu
+#            targetAverageUtilization: 80
 #      resources:
 #        limits:
 #          cpu: 1.5
@@ -177,6 +209,21 @@ sso:
 
 cni:
   image:
-    name: install-cni-1.7
-    hub: registry1.dso.mil/ironbank/opensource/istio-1.7
-    tag: 1.7.3
\ No newline at end of file
+    name: install-cni-1.8
+    hub: registry1.dsop.io/ironbank/opensource/istio-1.8
+    tag: 1.8.4
+  #  k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  podAnnotations: {}
+  #  k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+  nodeSelector: {}
+  #  k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+  affinity: {}
+  #  k8s toleration https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  tolerations: []
+
+# global istiooperator values:
+meshConfig: {}
+
+values:
+  global: {}
+

docs/AFFINITY.md

+# Node Affinity & Anti-Affinity with Istio ControlPlane
+
+Affinity is exposed through values options for this package. If you want to schedule your pods to deploy on specific nodes you can do that through the `nodeSelector` value and as needed the `affinity` value. Additional info is provided below as well to help in configuring this.
+
+It is good to have a basic knowledge of node affinity and available options to you before customizing in this way - the upstream kubernetes documentation [has a good walkthrough of this](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity).
+
+## Values for NodeSelector
+
+The `nodeSelector` value can be set at the `istiod` and `ingressGateway` levels to do basic node selection for deployments. See the below example for an example to schedule pods to only nodes with the label `node-type` equal to `istio`:
+
+```yaml
+istiod:
+  nodeSelector:
+    node-type: istio
+ingressGateway:
+  nodeSelector:
+    node-type: istio
+# If using CNI / on Openshift you can also customize those values
+cni:
+  nodeSelector:
+    node-type: istio
+```
+
+## Values for Affinity
+
+The `affinity` value at the same levels should be used to specify affinity. The format to include follows what you'd specify at a pod/deployment level. See the example below for scheduling the operator pods only to nodes with the label `node-type` equal to `istio`:
+
+```yaml
+istiod:
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: node-type
+            operator: In
+            values:
+            - istio
+ingressGateway:
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: node-type
+            operator: In
+            values:
+            - istio
+# If using CNI / on Openshift you can also customize those values
+cni:
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: node-type
+            operator: In
+            values:
+            - istio
+```
+
+## Values for Anti-Affinity
+
+The `affinity` value at the same levels can be set in the same way to schedule pods based on anti-affinity. See the below example to schedule pods to not be present on the nodes that already have pods with the `dont-schedule-with: istio` label:
+
+```yaml
+istiod:
+  affinity:
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        - topologyKey: "kubernetes.io/hostname"
+          labelSelector:
+            matchLabels:
+              dont-schedule-with: istio
+ingressGateway:
+  affinity:
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        - topologyKey: "kubernetes.io/hostname"
+          labelSelector:
+            matchLabels:
+              dont-schedule-with: istio
+# If using CNI / on Openshift you can also customize those values
+cni:
+  affinity:
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        - topologyKey: "kubernetes.io/hostname"
+          labelSelector:
+            matchLabels:
+              dont-schedule-with: istio
+```

tests/cy-run.sh

-
-#!/usr/bin/env bash
-echo "Running Cypress e2e tests headlessly without copying files"
-
-# explanation of the "docker run" command line arguments
-#
-#  -it          = interactive terminal
-#  -v $PWD:/e2e = map current folder to /e2e inside the container
-#  -w /e2e      = set working directy to /e2e
-#  $@           = pass any arguments to this script to the Cypress command
-#                 like "./cy-run.sh --record"
-#
-# Docker image "cypress/included:3.2.0" has its entrypoint
-# set to "cypress run" by default
-
-docker run  -it -v $PWD:/e2e -w /e2e cypress/included:5.0.0 $@

tests/cypress.json

-{
- 
-  "pluginsFile": false,
-  "supportFile": false,
-  "fixturesFolder": false,
-  "env": {
-    "kiali_url": "kiali.bigbang.dev",
-    "jaeger_url": "tracing.bigbang.dev"
-  }
-}

tests/cypress/integration/kiali-healthspec.js

-describe('Basic Kiali', function() {
-    it('Check kiali page is accessible', function() {
-      cy.visit(Cypress.env('kiali_url'))
-      cy.title().should('eq', 'Kiali Console')
-     
-    })
-     
-}) 
\ No newline at end of file