docs: updated docs for multi-ingress gateway

README.md

@@ -4,31 +4,31 @@ A simple chart wrapper around `IstioOperator` custom resource.
 
 #### _This is a mirror of a government repo hosted on [Repo1](https://repo1.dso.mil/) by [DoD Platform One](http://p1.dso.mil/).  Please direct all code changes, issues and comments to https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane_
 
-# Table of Contents
+## Table of Contents
+
 - [Prerequisites](#pre-requisites)
 - [Iron Bank](#iron-bank-istio-controlplane)
 - [Deployment](#deploy-istio-controlplane)
-- [Istio configuration](docs/README.md)
-- [Keycloak configuration](docs/KEYCLOAK.md)
 
 ## Pre-Requisites
 
-* Kubernetes Cluster deployed
-* Kubernetes config installed in `~/.kube/config`
-* Helm installed
+- Kubernetes Cluster deployed
+- Kubernetes config installed in `~/.kube/config`
+- Helm installed
 
 Install Helm
 
 https://helm.sh/docs/intro/install/
 
-This chart requires the Istio Operator to be deployed beforehand.  You can use [BigBang]() or the standalone [istio-operator](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator) chart.
+This chart requires the Istio Operator to be deployed beforehand.  You can use BigBang or the standalone [istio-operator](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator) chart.
 
 ## Iron Bank
 
-You can `pull` the registry1 image(s) [here](https://registry1.dso.mil/harbor/projects/3/repositories/opensource%2Fistio-1.7%2Fpilot-1.7) and view the container approval [here](https://ironbank.dso.mil/ironbank/repomap/opensource/istio-1.7).
+You can `pull` the registry1 image(s) [here](https://registry1.dso.mil/harbor/projects/3/repositories/opensource%2Fistio-1.8%2Fpilot-1.8) and view the container approval [here](https://ironbank.dso.mil/ironbank/repomap/opensource/istio-1.8).
 
 ## Deployment
-```
+
+```shell
 git clone https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
 cd istio-controlplane
 helm install istio-controlplane chart

docs/KEYCLOAK.md

-# Keycloak
-
-Kiali and Jaeger are no longer deployed with Istio, see the [Jaeger](https://repo1.dso.mil/platform-one/big-bang/apps/core/jaeger) and [Kiali](https://repo1.dso.mil/platform-one/big-bang/apps/core/kiali) repos for information

docs/ingress.md

+# Istio Control Plan Ingress Configuration
+
+## Default
+
+Without changes to this template, the following ingress will be created:
+
+- One ingress gateway
+  - Name: `istio-ingressgateway`
+  - Type: load balancer
+  - Listening ports: 80 (HTTP), 443 (HTTPS), 15021 (Istio Status), and 15443 (Istio SNI)
+- One gateway
+  - Name: `main`
+  - Ingress Gateway: `istio-ingressgateway`
+  - Hosts: `*.{domain}`
+  - HTTP redirect to HTTPS
+  - TLS termination on HTTPS
+  - No TLS certificate
+
+At a minimum, a secret holding the wildcard TLS certificate for the domain needs to be provided for the default setup to function.  In addition, Virtual Services should be created for applications to create a complete ingress to an endpoint.
+
+## Additional Ingress Gateways
+
+To create additional ingress gateways (or replace the default), the following `values.yaml` configuration can be used.  Under the `k8s` section, any parameters listed in the [Istio Operator documentation](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec) can be added.
+
+> To remove the default gateway, set `istio-ingressgateway: null` in your `values.yaml`
+
+```yaml
+ingressGateways:
+  # Complete example of an additional ingressgateway defined below
+  private-ingressgateway:  # This becomes the name
+    extraLabels: {} # Automatic labels: 'app: {ingress gateway name}'
+    k8s: # Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
+      # hpaSpec:  By default, HPA is set from 1-5 instances with a target average utilization of 80%
+      resources: {}
+        # requests:
+        #   cpu: 500m
+        #   memory: 1Gi
+        # limits:
+        #   cpu: 1.5
+        #   memory: 3Gi
+      service:
+        type: "LoadBalancer" # or "NodePort"
+        # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup
+      podAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+      serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+      nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+      affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+      tolerations: [] # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+```
+
+## Additional Gateways
+
+Additional gateways can be added to Istio by using the following configuration in your `values.yaml`.  
+- `selector` should be used to select which `IngressGateway` to use
+- HTTP redirect is automatically included in every gateway
+- The TLS credentials must be created separately in a secret and referenced in the `tls.credentialName` field
+- Hosts should not overlap between Gateways unless the Ingress Gateways are completely isolated (e.g. different IPs or different Ports)
+
+```yaml
+# See https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway for spec
+gateways:
+  private:
+    selector:
+      app: "private-istio-ingressgateway"
+    servers:
+    - hosts:
+      - "mypackage.{{ .Values.domain }}"
+      port:
+        name: http2
+        number: 8443
+        protocol: HTTPS
+      tls:
+        credentialName: "some-secret"
+        mode: "SIMPLE"
+  ```