1.8 upgrade

a29d2ead · Nick Nellis · runyontr · 569760ee · a29d2ead · a29d2ead
Commit a29d2ead authored Apr 19, 2021 by Nick Nellis Committed by runyontr Apr 19, 2021
9 changed files
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -3,5 +3,5 @@ include:
    ref: master
    file: '/templates/package-tests.yml'
 variables:
-  ISTIO_GATEWAY_NS: istio-system
+  PACKAGE_NAMESPACE: istio-system
-  PROJECT_NAME: istio-system
+  PACKAGE_HELM_NAME: istio
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: istio
-version: 1.7.3-bb.15
+version: 1.8.4-bb.0
\ No newline at end of file
--- a/chart/templates/controlplane.yaml
+++ b/chart/templates/controlplane.yaml
@@ -9,10 +9,49 @@ spec:
  tag: {{ .Values.tag }}
  components:
+    pilot:
+      k8s:
+{{- if and .Values.istiod.hpaSpec.maxReplicas .Values.istiod.hpaSpec.minReplicas }}
+        hpaSpec:
+          maxReplicas: {{ .Values.istiod.hpaSpec.maxReplicas }}
+          minReplicas: {{ .Values.istiod.hpaSpec.minReplicas }}
+          scaleTargetRef:
+            apiVersion: apps/v1
+            kind: Deployment
+            name: istiod
+          metrics:
+            {{- toYaml .Values.istiod.hpaSpec.metrics | nindent 12 }}
+{{- end }}
+        replicaCount: {{ .Values.istiod.replicaCount }}
+        resources:
+          {{- toYaml .Values.istiod.resources | nindent 10 }}
+        strategy:
+          {{- toYaml .Values.istiod.strategy | nindent 10 }}
+        serviceAnnotations:
+          {{- .Values.istiod.serviceAnnotations | default (dict) | toYaml | nindent 10 }}
+        podAnnotations:
+          {{- .Values.istiod.podAnnotations | default (dict) | toYaml | nindent 10 }}
+        nodeSelector:
+          {{- .Values.istiod.nodeSelector | default (dict) | toYaml | nindent 10 }}
+        affinity:
+          {{- .Values.istiod.affinity | default (dict) | toYaml | nindent 10 }}
+        tolerations:
+          {{- .Values.istiod.tolerations | default (list) | toYaml | nindent 10 }}
    {{- if .Values.openshift }}
+    {{- with .Values.cni }}
    cni:
      enabled: true
      namespace: kube-system
+      k8s:
+        podAnnotations:
+          {{- .podAnnotations | default (dict) | toYaml | nindent 10 }}
+        nodeSelector:
+          {{- .nodeSelector | default (dict) | toYaml | nindent 10 }}
+        tolerations:
+          {{- .tolerations | default (list) | toYaml | nindent 10 }}
+        affinity:
+          {{- .affinity | default (dict) | toYaml | nindent 10 }}
+    {{- end }}
    {{- end }}
    ingressGateways:
      - name: istio-ingressgateway
@@ -47,10 +86,7 @@ spec:
            minReplicas: {{ .Values.ingressGateway.minReplicas }}
            maxReplicas: {{ .Values.ingressGateway.maxReplicas }}
            metrics:
-              - type: Resource
+              {{- toYaml .Values.ingressGateway.scaleMetrics | nindent 12 }}
-                resource:
-                  name: cpu
-                  targetAverageUtilization: 60
            scaleTargetRef:
              apiVersion: apps/v1
              kind: Deployment
@@ -60,13 +96,15 @@ spec:
              maxSurge: 100%
              maxUnavailable: 25%
          resources:
-{{ toYaml .Values.ingressGateway.resources | indent 12 }}
+            {{- toYaml .Values.ingressGateway.resources | indent 12 }}
          serviceAnnotations:
            {{- .Values.ingressGateway.serviceAnnotations | default (dict) | toYaml | nindent 12 }}
          podAnnotations:
            {{- .Values.ingressGateway.podAnnotations | default (dict) | toYaml | nindent 12 }}
          nodeSelector:
            {{- .Values.ingressGateway.nodeSelector | default (dict) | toYaml | nindent 12 }}
+          affinity:
+            {{- .Values.ingressGateway.affinity | default (dict) | toYaml | nindent 12 }}
          tolerations:
            {{- .Values.ingressGateway.tolerations | default (list) | toYaml | nindent 12 }}
      {{- range $i := .Values.extraIngressGateways }}
@@ -98,40 +136,43 @@ spec:
                {{ $pk }}: {{ $pv }}
                {{- end }}
              {{- end }}
+          {{- if $i.k8s.hpaSpec }}
          hpaSpec:
            minReplicas: {{ $i.k8s.hpaSpec.minReplicas }}
            maxReplicas: {{ $i.k8s.hpaSpec.maxReplicas }}
            metrics:
+              {{ if $i.k8s.hpaSpec.metrics }}
+              {{- toYaml $i.k8s.hpaSpec.metrics | indent 12 }}
+              {{ else }}
+              {{- /* default metrics, backwards compatible */}}
              - type: Resource
                resource:
                  name: cpu
                  targetAverageUtilization: 60
+            {{- end }}
            scaleTargetRef:
              apiVersion: apps/v1
              kind: Deployment
              name: {{ $i.name }}
+          {{- end }}
          strategy:
            rollingUpdate:
              maxSurge: 100%
              maxUnavailable: 25%
          resources:
-            {{ toYaml .k8s.resources | nindent 12 }}
+            {{- toYaml .k8s.resources | nindent 12 }}
          serviceAnnotations:
            {{- .k8s.serviceAnnotations | default (dict) | toYaml | nindent 12 }}
          podAnnotations:
            {{- .k8s.podAnnotations | default (dict) | toYaml | nindent 12 }}
          nodeSelector:
            {{- .k8s.nodeSelector | default (dict) | toYaml | nindent 12 }}
+          affinity:
+            {{- .k8s.affinity | default (dict) | toYaml | nindent 12 }}
          tolerations:
            {{- .k8s.tolerations | default (list) | toYaml | nindent 12 }}
  {{- end }}
-  addonComponents:
-    kiali:
-      enabled: {{ .Values.kiali.enabled }}
-    tracing:
-      enabled: false
  meshConfig:
    accessLogFile: /dev/stdout
    enableTracing: {{ .Values.tracing.enabled }}
@@ -139,6 +180,9 @@ spec:
      tracing:
        sampling: {{ .Values.tracing.sampling }}
      zipkinAddress: {{ .Values.tracing.address }}:{{.Values.tracing.port}}
+    {{- if .Values.meshConfig }}
+    {{- toYaml .Values.meshConfig | nindent 4 }}
+    {{- end }}
  values:
    {{- if .Values.openshift }}
@@ -148,14 +192,14 @@ spec:
      image: {{ .Values.cni.image.name }}
      hub: {{ .Values.cni.image.hub }}
      tag: {{ .Values.cni.image.tag }}
-      cniBinDir: /var/lib/cni/bin
+      cniBinDir: {{ .Values.cni.binDir | default "/var/lib/cni/bin" }}
-      cniConfDir: /etc/cni/multus/net.d
+      cniConfDir: {{ .Values.cni.confDir | default "/etc/cni/multus/net.d" }}
      chained: false
-      cniConfFileName: "istio-cni.conf"
+      cniConfFileName: {{ .Values.cni.confFileName | default "istio-cni.conf" }}
      excludeNamespaces:
       - istio-system
       - kube-system
-      logLevel: info
+      logLevel: {{ .Values.cni.logLevel | default "info" }}
    {{- end }}
    global:
      {{- if .Values.imagePullPolicy }}
@@ -165,32 +209,14 @@ spec:
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
-      {{- if .Values.proxy }}
+      {{- if .Values.tracing.enabled }}
-      {{- if .Values.proxy.image }}
-      proxy:
-        image: {{ .Values.proxy.image }}
-      proxy_init:
-        image: {{ .Values.proxy.image }}
-      {{- end }}
-      {{- end }}
      tracer:
        zipkin:
          address: {{ .Values.tracing.address }}:{{.Values.tracing.port}}
-    # https://istio.io/v1.5/docs/reference/config/installation-options/#kiali-options
+      {{ end }}
-    kiali:
+      {{- if .Values.values.global }}
-      image: {{ .Values.kiali.image.name }}
+      {{- toYaml .Values.values.global | nindent 6 }}
-      hub: {{ .Values.kiali.image.hub }}
+      {{- end }}
-      tag: {{ .Values.kiali.image.tag }}
-      {{- if .Values.monitoring.enabled }}
-      prometheusAddr: http://monitoring-monitoring-kube-prometheus.monitoring.svc:9090
-      {{- end }}
-      dashboard:
-        jaegerURL: {{tpl .Values.tracing.externalAddress $ }}
-        grafanaInClusterURL: http://monitoring-monitoring-grafana.monitoring.svc
-        auth:
-          strategy: {{ .Values.kiali.dashboard.auth.strategy }}
    sidecarInjectorWebhook:
      rewriteAppHTTPProbe: true
      {{- if .Values.openshift }}

--- a/chart/templates/kiali-vs.yaml
+++ b/chart/templates/kiali-vs.yaml
-{{- if and .Values.kiali.enabled .Values.istio.kiali.enabled -}}
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: kiali
-  namespace: {{ .Release.Namespace }}
-  {{- if .Values.istio.kiali.labels }}
-  labels:
-{{ toYaml .Values.istio.kiali.labels | indent 4 }}
-  {{- end }}
-  {{- if .Values.istio.kiali.annotations }}
-  annotations:
-{{ toYaml .Values.istio.kiali.annotations | indent 4 }}
-  {{- end }}
-spec:
-  gateways:
-  {{- range .Values.istio.kiali.gateways }}
-    - {{ . }}
-  {{- end }}
-  hosts: 
-  {{- range .Values.istio.kiali.hosts }}
-    - {{ tpl . $}}
-  {{- end }}
-  http:
-  - route:
-    - destination:
-        port:
-          number: {{ .Values.istio.kiali.port | default "20001" }}
-        host: {{ .Values.istio.kiali.service }}.{{ .Values.istio.kiali.namespace | default .Release.Namespace }}.svc.cluster.local
-{{- end }}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -2,13 +2,15 @@
 profile: default
 # The hub to use for the image (note: the image is built as ".Values.hub/<component>:.Values.tag"
-hub: registry1.dso.mil/ironbank/opensource/istio
+hub: registry1.dso.mil/ironbank/opensource/istio-1.8
 # The tag to use for the image
-tag: 1.7.3
+tag: 1.8.4
-proxy:
+tracing:
-  image: registry1.dso.mil/ironbank/opensource/istio-1.7/proxyv2-1.7:1.7.7
+  enabled: true
+  address: jaeger-collector.jaeger.svc
+  port:  9411
+  sampling: 10
 # The domain to use for the default gateway
 domain: bigbang.dev
@@ -16,23 +18,6 @@ domain: bigbang.dev
 # Openshift feature switch toggle
 openshift: false
-## A little odd to have `.Values.istio` inside the `isito` chart, 
-##bbut keeping it this way for consistency with other bigbang package charts.
-istio:
-  kiali:
-    # Toggle vs creation
-    enabled: true
-    annotations: {}
-    labels: {}
-    gateways:
-      - istio-system/main
-    hosts:
-      - kiali.{{ .Values.hostname | default .Values.domain }}
-    service: kiali
-    namespace: ""
-    port: ""
 monitoring:
  enabled: true
@@ -64,9 +49,48 @@ extraServers:
 #      credentialName: "another-credential"       # required
 #      mode: SIMPLE
+# istiod / pilot configuration
+istiod:
+  replicaCount: 1
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2Gi
+    limits:
+      cpu: 500m
+      memory: 2Gi
+  hpaSpec:
+    maxReplicas: 3
+    minReplicas: 1
+    metrics:
+      - type: Resource
+        resource:
+          name: cpu
+          targetAverageUtilization: 60
+  strategy: {}
+  #  k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  podAnnotations: {}
+  #  k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  serviceAnnotations: {}
+  #  k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+  nodeSelector: {}
+  #  k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+  affinity: {}
+  #  k8s toleration https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  tolerations: []
 ingressGateway:
  minReplicas: 1
  maxReplicas: 5
+  scaleMetrics:
+    - type: Resource
+      resource:
+        name: cpu
+        targetAverageUtilization: 60
  resources: {}
 #    limits:
 #      cpu: 1.5
@@ -119,6 +143,9 @@ ingressGateway:
  #  k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  nodeSelector: {}
+  #  k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+  affinity: {}
  #  k8s toleration https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  tolerations: []
@@ -131,7 +158,12 @@ extraIngressGateways:
 #        minReplicas: 1
 #        maxReplicas: 3
 #      serviceAnnotations:
-#        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+#        service.beta.kubernetes.io/aws-load-balancer-internal: "true
+#       metrics:
+#         - type: Resource
+#           resource:
+#             name: cpu
+#            targetAverageUtilization: 80
 #      resources:
 #        limits:
 #          cpu: 1.5
@@ -177,6 +209,21 @@ sso:
 cni:
  image:
-    name: install-cni-1.7
+    name: install-cni-1.8
-    hub: registry1.dso.mil/ironbank/opensource/istio-1.7
+    hub: registry1.dsop.io/ironbank/opensource/istio-1.8
-    tag: 1.7.3
+    tag: 1.8.4
\ No newline at end of file
+  #  k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  podAnnotations: {}
+  #  k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+  nodeSelector: {}
+  #  k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+  affinity: {}
+  #  k8s toleration https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  tolerations: []
+# global istiooperator values:
+meshConfig: {}
+values:
+  global: {}
--- a/docs/AFFINITY.md
+++ b/docs/AFFINITY.md
+# Node Affinity & Anti-Affinity with Istio ControlPlane
+Affinity is exposed through values options for this package. If you want to schedule your pods to deploy on specific nodes you can do that through the `nodeSelector` value and as needed the `affinity` value. Additional info is provided below as well to help in configuring this.
+It is good to have a basic knowledge of node affinity and available options to you before customizing in this way - the upstream kubernetes documentation [has a good walkthrough of this](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity).
+## Values for NodeSelector
+The `nodeSelector` value can be set at the `istiod` and `ingressGateway` levels to do basic node selection for deployments. See the below example for an example to schedule pods to only nodes with the label `node-type` equal to `istio`:
+```yaml
+istiod:
+  nodeSelector:
+    node-type: istio
+ingressGateway:
+  nodeSelector:
+    node-type: istio
+# If using CNI / on Openshift you can also customize those values
+cni:
+  nodeSelector:
+    node-type: istio
+```
+## Values for Affinity
+The `affinity` value at the same levels should be used to specify affinity. The format to include follows what you'd specify at a pod/deployment level. See the example below for scheduling the operator pods only to nodes with the label `node-type` equal to `istio`:
+```yaml
+istiod:
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: node-type
+            operator: In
+            values:
+            - istio
+ingressGateway:
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: node-type
+            operator: In
+            values:
+            - istio
+# If using CNI / on Openshift you can also customize those values
+cni:
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: node-type
+            operator: In
+            values:
+            - istio
+```
+## Values for Anti-Affinity
+The `affinity` value at the same levels can be set in the same way to schedule pods based on anti-affinity. See the below example to schedule pods to not be present on the nodes that already have pods with the `dont-schedule-with: istio` label:
+```yaml
+istiod:
+  affinity:
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        - topologyKey: "kubernetes.io/hostname"
+          labelSelector:
+            matchLabels:
+              dont-schedule-with: istio
+ingressGateway:
+  affinity:
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        - topologyKey: "kubernetes.io/hostname"
+          labelSelector:
+            matchLabels:
+              dont-schedule-with: istio
+# If using CNI / on Openshift you can also customize those values
+cni:
+  affinity:
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        - topologyKey: "kubernetes.io/hostname"
+          labelSelector:
+            matchLabels:
+              dont-schedule-with: istio
+```
--- a/tests/cy-run.sh
+++ b/tests/cy-run.sh
-#!/usr/bin/env bash
-echo "Running Cypress e2e tests headlessly without copying files"
-# explanation of the "docker run" command line arguments
-#
-#  -it          = interactive terminal
-#  -v $PWD:/e2e = map current folder to /e2e inside the container
-#  -w /e2e      = set working directy to /e2e
-#  $@           = pass any arguments to this script to the Cypress command
-#                 like "./cy-run.sh --record"
-#
-# Docker image "cypress/included:3.2.0" has its entrypoint
-# set to "cypress run" by default
-docker run  -it -v $PWD:/e2e -w /e2e cypress/included:5.0.0 $@
--- a/tests/cypress.json
+++ b/tests/cypress.json
-{
-  "pluginsFile": false,
-  "supportFile": false,
-  "fixturesFolder": false,
-  "env": {
-    "kiali_url": "kiali.bigbang.dev",
-    "jaeger_url": "tracing.bigbang.dev"
-  }
-}
--- a/tests/cypress/integration/kiali-healthspec.js
+++ b/tests/cypress/integration/kiali-healthspec.js
-describe('Basic Kiali', function() {
-    it('Check kiali page is accessible', function() {
-      cy.visit(Cypress.env('kiali_url'))
-      cy.title().should('eq', 'Kiali Console')
-    })
-}) 
\ No newline at end of file