Jennifer Kays · Brendon Lloyd · Micah Nagel · Micah Nagel · Micah Nagel · Micah Nagel
13 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,11 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.8.4-bb.6]
+### Changed
+- **BREAKING** `ingressGateway` deprecated in favor of creating `ingressGateways` in a uniform manner
+- **BREAKING** `gateway` deprecated in favor of creating `gateways` in a uniform manner
 ## [1.8.4-bb.5]
 ### Fixed
 - Kube API egress allowed for all pods, not just istiod

--- a/CODEOWNERS
+++ b/CODEOWNERS
-* @barrywoodtetrate @joshwolf @kavitha @kenna81 @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia
+* @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
--- a/README.md
+++ b/README.md
@@ -4,32 +4,33 @@ A simple chart wrapper around `IstioOperator` custom resource.
 #### _This is a mirror of a government repo hosted on [Repo1](https://repo1.dso.mil/) by [DoD Platform One](http://p1.dso.mil/).  Please direct all code changes, issues and comments to https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane_
-# Table of Contents
+## Table of Contents
 - [Prerequisites](#pre-requisites)
 - [Iron Bank](#iron-bank-istio-controlplane)
 - [Deployment](#deploy-istio-controlplane)
- [Istio configuration](docs/README.md)
+- [Ingress](./docs/ingress.md)
- [Keycloak configuration](docs/KEYCLOAK.md)
 ## Pre-Requisites
-* Kubernetes Cluster deployed
+- Kubernetes Cluster deployed
-* Kubernetes config installed in `~/.kube/config`
+- Kubernetes config installed in `~/.kube/config`
-* Helm installed
+- Helm installed
 Install Helm
 https://helm.sh/docs/intro/install/
-This chart requires the Istio Operator to be deployed beforehand.  You can use [BigBang]() or the standalone [istio-operator](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator) chart.
+This chart requires the Istio Operator to be deployed beforehand.  You can use [BigBang]() or the standalone [istio-operator](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator) chart. Place the chart into the "istio-system" namespace as described below.
 ## Iron Bank
-You can `pull` the registry1 image(s) [here](https://registry1.dso.mil/harbor/projects/3/repositories/opensource%2Fistio-1.7%2Fpilot-1.7) and view the container approval [here](https://ironbank.dso.mil/ironbank/repomap/opensource/istio-1.7).
+You can `pull` the registry1 image(s) [here](https://registry1.dso.mil/harbor/projects/3/repositories/opensource%2Fistio-1.8%2Fpilot-1.8) and view the container approval [here](https://ironbank.dso.mil/ironbank/repomap/opensource/istio-1.8).
 ## Deployment
-```
+```shell
 git clone https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
 cd istio-controlplane
-helm install istio-controlplane chart
+helm install istio-controlplane chart -n istio-system
 ```
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: istio
-version: 1.8.4-bb.5
+version: 1.8.4-bb.6
--- a/chart/templates/controlplane.yaml
+++ b/chart/templates/controlplane.yaml
@@ -54,124 +54,22 @@ spec:
    {{- end }}
    {{- end }}
    ingressGateways:
-      - name: istio-ingressgateway
+    {{- if .Values.ingressgateway }}
-        namespace: {{ .Release.Namespace }}
+    {{- required "`ingressgateway` value has been deprecated.  Please use the new format in the `ingressGateways` value." "" }}
-        enabled: true
+    {{- end }}
-        label:
+    {{- range $name, $values := .Values.ingressGateways }}
-          {{- toYaml .Values.ingressGateway.labels | default (dict) | nindent 10 }}
+    - name: {{ $name }}
-        k8s:
+      namespace: {{ $.Release.Namespace }}
-          service:
+      enabled: {{ if eq (toString $values.enabled) "<nil>" }}true{{ else }}{{ $values.enabled }}{{ end }}
-            type: {{ .Values.ingressGateway.type }}
+      label:
-            ports:
+        app: {{ $name }}
-              {{- range $k, $v := .Values.ingressGateway.ports }}
+        istio: ingressgateway
-              {{- /* Input validation */}}
+        {{- if $values.extraLabels }}
-              {{- if not $v.name }}
+          {{- toYaml $values.extraLabels | nindent 8 }}
-                {{- fail "missing field 'name' in ports object" }}
+        {{- end }}
-              {{- else if not $v.port }}
+      k8s:
-                {{- fail "missing field 'port' in ports object" }}
+        {{- toYaml $values.k8s | nindent 8 }}
-              {{- else if eq $.Values.ingressGateway.type "NodePort" }}
+    {{- end }}
-                {{- if not $v.nodePort }}
-                  {{- fail "'nodePort' must be defined when type is NodePort" }}
-                {{- else if or (lt (int $v.nodePort) 30000) (gt (int $v.nodePort) 32767) }}
-                  {{- fail "nodePort value outside of acceptable range (30000-32767)" }}
-                {{- end }}
-              {{- end }}
-              {{- /* Actual port object rendering */}}
-              -
-                {{- range $pk, $pv := $v }}
-                {{ $pk }}: {{ $pv }}
-                {{- end }}
-              {{- end }}
-          hpaSpec:
-            minReplicas: {{ .Values.ingressGateway.minReplicas }}
-            maxReplicas: {{ .Values.ingressGateway.maxReplicas }}
-            metrics:
-              {{- toYaml .Values.ingressGateway.scaleMetrics | nindent 12 }}
-            scaleTargetRef:
-              apiVersion: apps/v1
-              kind: Deployment
-              name: istio-ingressgateway
-          strategy:
-            rollingUpdate:
-              maxSurge: 100%
-              maxUnavailable: 25%
-          resources:
-            {{- toYaml .Values.ingressGateway.resources | nindent 12 }}
-          serviceAnnotations:
-            {{- .Values.ingressGateway.serviceAnnotations | default (dict) | toYaml | nindent 12 }}
-          podAnnotations:
-            {{- .Values.ingressGateway.podAnnotations | default (dict) | toYaml | nindent 12 }}
-          nodeSelector:
-            {{- .Values.ingressGateway.nodeSelector | default (dict) | toYaml | nindent 12 }}
-          affinity:
-            {{- .Values.ingressGateway.affinity | default (dict) | toYaml | nindent 12 }}
-          tolerations:
-            {{- .Values.ingressGateway.tolerations | default (list) | toYaml | nindent 12 }}
-      {{- range $i := .Values.extraIngressGateways }}
-      - name: {{ $i.name }}
-        namespace: {{ $.Release.Namespace }}
-        enabled: true
-        label:
-          {{- toYaml $i.labels | default (dict) | nindent 10 }}
-        k8s:
-          service:
-            type: {{ $i.type }}
-            ports:
-              {{- range $k, $v := $i.ports }}
-              {{- /* Input validation */}}
-              {{- if not $v.name }}
-                {{- fail "missing field 'name' in ports object" }}
-              {{- else if not $v.port }}
-                {{- fail "missing field 'port' in ports object" }}
-              {{- else if eq $i.type "NodePort" }}
-                {{- if not $v.nodePort }}
-                  {{- fail "'nodePort' must be defined when type is NodePort" }}
-                {{- else if or (lt (int $v.nodePort) 30000) (gt (int $v.nodePort) 32767) }}
-                  {{- fail "nodePort value outside of acceptable range (30000-32767)" }}
-                {{- end }}
-              {{- end }}
-              {{- /* Actual port object rendering */}}
-              -
-                {{- range $pk, $pv := $v }}
-                {{ $pk }}: {{ $pv }}
-                {{- end }}
-              {{- end }}
-          {{- if $i.k8s.hpaSpec }}
-          hpaSpec:
-            minReplicas: {{ $i.k8s.hpaSpec.minReplicas }}
-            maxReplicas: {{ $i.k8s.hpaSpec.maxReplicas }}
-            metrics:
-              {{ if $i.k8s.hpaSpec.metrics }}
-              {{- toYaml $i.k8s.hpaSpec.metrics | indent 12 }}
-              {{ else }}
-              {{- /* default metrics, backwards compatible */}}
-              - type: Resource
-                resource:
-                  name: cpu
-                  targetAverageUtilization: 60
-            {{- end }}
-            scaleTargetRef:
-              apiVersion: apps/v1
-              kind: Deployment
-              name: {{ $i.name }}
-          {{- end }}
-          strategy:
-            rollingUpdate:
-              maxSurge: 100%
-              maxUnavailable: 25%
-          resources:
-            {{- toYaml .k8s.resources | nindent 12 }}
-          serviceAnnotations:
-            {{- .k8s.serviceAnnotations | default (dict) | toYaml | nindent 12 }}
-          podAnnotations:
-            {{- .k8s.podAnnotations | default (dict) | toYaml | nindent 12 }}
-          nodeSelector:
-            {{- .k8s.nodeSelector | default (dict) | toYaml | nindent 12 }}
-          affinity:
-            {{- .k8s.affinity | default (dict) | toYaml | nindent 12 }}
-          tolerations:
-            {{- .k8s.tolerations | default (list) | toYaml | nindent 12 }}
-  {{- end }}
  meshConfig:
    accessLogFile: /dev/stdout

--- a/chart/templates/envoyfilter.yaml
+++ b/chart/templates/envoyfilter.yaml
+{{/*
+This filter is used as a workaround for https://istio.io/latest/docs/ops/common-problems/network-issues/#404-errors-occur-when-multiple-gateways-configured-with-same-tls-certificate.
+This occurs because of this bug: https://github.com/envoyproxy/envoy/issues/6767.
+By adding the LUA below pre-gateway, we can return a 421 error code instead of a 404 error code when the SNI host is not what we expect.
+For **most** browsers, the 421 error will force it to retry the request without reusing a previous connection.
+NOTE: This workaround relies on Envoy v1.18.x and above, which is included in istio/proxyv2 1.10.x and above
+*/}}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: misdirected-request
+  namespace: istio-system
+spec:
+  configPatches:
+    - applyTo: HTTP_FILTER
+      match:
+        context: GATEWAY
+        listener:
+          filterChain:
+            filter:
+              name: envoy.filters.network.http_connection_manager
+              subFilter:
+                name: envoy.filters.http.router
+      patch:
+        operation: INSERT_BEFORE
+        value:
+          name: envoy.lua
+          typed_config:
+              "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
+              inlineCode: |
+                function envoy_on_request(request_handle)
+                  local streamInfo = request_handle:streamInfo()
+                  if request_handle:streamInfo():requestedServerName() ~= "" then
+                    if (string.sub(request_handle:streamInfo():requestedServerName(), 0, 2) == "*." and not string.find(request_handle:headers():get(":authority"), string.sub(request_handle:streamInfo():requestedServerName(), 1))) then
+                      request_handle:respond({[":status"] = "421"}, "Misdirected Request")
+                    end
+                    if (string.sub(request_handle:streamInfo():requestedServerName(), 0, 2) ~= "*." and request_handle:streamInfo():requestedServerName() ~= request_handle:headers():get(":authority")) then
+                      request_handle:respond({[":status"] = "421"}, "Misdirected Request")
+                    end
+                  end
+                end
\ No newline at end of file
--- a/chart/templates/gateway.yaml
+++ b/chart/templates/gateway.yaml
+{{- if .Values.gateway }}
+{{- required "`gateway` value has been deprecated.  Please use the new format in the `gateways` value." "" }}
+{{- end }}
+{{- range $name, $values := .Values.gateways }}
+---
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
-  name: main
+  name: {{ $name }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $.Release.Namespace }}
 spec:
  selector:
-    istio: ingressgateway
+    {{- $values.selector | default (dict) | toYaml | nindent 4 }}
  servers:
-  - port:
+  - hosts:
+    - "*"
+    port:
      name: http
-      protocol: HTTP
      number: 8080
-    hosts:
+      protocol: HTTP
-    - "*"
    tls:
      httpsRedirect: true
-  - port:
+    {{- tpl (toYaml $values.servers) $ | nindent 2 }}
-      name: https
+{{- end }}
-      protocol: HTTPS
\ No newline at end of file
-      number: 8443
-    hosts:
-    {{- if .Values.gateway.hosts }}
-      {{- .Values.gateway.hosts | toYaml | nindent 6 }}
-    {{- else }}
-      - "*.{{ .Values.hostname | default .Values.domain }}"
-    {{- end }}
-    tls:
-      credentialName: {{ .Values.tls.credentialName }}
-      mode: {{ .Values.tls.mode }}
-  {{- range .Values.extraServers }}
-  - port:
-      {{- if eq .port.name "https" }}
-      {{- fail "The port name must be unique" }}
-      {{- end }}
-      name: {{ required "A valid port name is required!" .port.name }}
-      protocol: {{ .port.protocol | default "HTTPS" }}
-      number: {{ .port.number | default 443 }}
-    {{- range .hosts }}
-    hosts:
-      - {{ tpl . $ | quote }}
-    {{- end }}
-    tls:
-      {{- if .tls.credentialName }}
-      credentialName: {{ .tls.credentialName | quote }}
-      {{- end }}
-      mode: {{ .tls.mode | default "SIMPLE" }}
-  {{- end }}
\ No newline at end of file
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -12,35 +12,88 @@ domain: bigbang.dev
 # Openshift feature switch toggle
 openshift: false
-monitoring:
-  enabled: true
 imagePullSecrets: []
-gateway:
+monitoring:
-  # Sets the default hosts to match for HTTPS using the tls mode below
+  enabled: false
-  hosts: [] # Defaults to "*.{{ .Values.domain }}"
-  # Examples:
+# Ingress gateways
-  # - *.admin.bigbang.dev
+# The following items are automatically set for every ingress gateway:
-  # - myapp.bigbang.dev
+# - label: "app: {name of ingress gateway}"
+ingressGateways:
-# Sets the default gateway TLS mode for HTTPS
+  istio-ingressgateway:  # This becomes the name
-tls:
+    enabled: true
-  credentialName: wildcard-cert
+    # Labels to use for selecting the ingress gateway from the service
-  mode: SIMPLE
+    extraLabels: {} # Automatic labels: 'app: {ingress gateway name}' and `istio: ingressgateway`
+    k8s: # Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
-extraServers: []
+      # hpaSpec:  By default, HPA is set from 1-5 instances with a target average utilization of 80%
-# Example below of complete values capable of being set
+      resources: {}
-# NOTE: hosts[] is capable of dynamic templating from the .Values context
+        # requests:
-#  - port:
+        #   cpu: 500m
-#      name: https-other                          # required: must not be equal to "http"
+        #   memory: 1Gi
-#      protocol: HTTPS
+        # limits:
-#      number: 443
+        #   cpu: 1.5
-#    hosts:
+        #   memory: 3Gi
-#      - "*.sub.{{ .Values.hostname | default .Values.domain }}"
+      service:
-#    tls:
+        type: "LoadBalancer" # or "NodePort"
-#      credentialName: "another-credential"       # required
+        # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup
-#      mode: SIMPLE
+      podAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+      serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+      nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+      affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+      tolerations: [] # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  # # Complete example of an additional ingressgateway defined below
+  # private-ingressgateway:  # This becomes the name
+  #   # Labels to use for selecting the ingress gateway from the service
+  #   extraLabels: {} # Automatic labels: 'app: {ingress gateway name}'
+  #   k8s: # Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
+  #     # hpaSpec:  By default, HPA is set from 1-5 instances with a target average utilization of 80%
+  #     resources: {}
+  #       # requests:
+  #       #   cpu: 500m
+  #       #   memory: 1Gi
+  #       # limits:
+  #       #   cpu: 1.5
+  #       #   memory: 3Gi
+  #     service:
+  #       type: "LoadBalancer" # or "NodePort"
+  #       # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup
+  #     podAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  #     serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  #     nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+  #     affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+  #     tolerations: [] # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+# See https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway for spec
+gateways:
+  main: # This becomes the name of the gateway
+    selector:
+      app: "istio-ingressgateway"
+    servers:  # HTTP redirect to HTTPS is automatically added
+    - hosts:
+      - "*.{{ .Values.domain }}"
+      port:
+        name: https
+        number: 8443
+        protocol: HTTPS
+      tls:
+        credentialName: "wildcard-cert"
+        mode: "SIMPLE"
+  # # Example of adding additional gateways
+  # private:
+  #   selector:
+  #     app: "private-istio-ingressgateway"
+  #   servers:
+  #   - hosts:
+  #     - "mypackage.{{ .Values.domain }}"
+  #     port:
+  #       name: http2
+  #       number: 8443
+  #       protocol: HTTPS
+  #     tls:
+  #       credentialName: "some-secret"
+  #       mode: "SIMPLE"
 # istiod / pilot configuration
 istiod:
@@ -76,128 +129,12 @@ istiod:
  #  k8s toleration https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  tolerations: []
-ingressGateway:
-  minReplicas: 1
-  maxReplicas: 5
-  scaleMetrics:
-    - type: Resource
-      resource:
-        name: cpu
-        targetAverageUtilization: 60
-  resources: {}
-  #    limits:
-  #      cpu: 1.5
-  #      memory: 3Gi
-  #    requests:
-  #      cpu: 500m
-  #      memory: 1Gi
-  # Only "LoadBalancer" and "NodePort" are allowed
-  type: LoadBalancer
-  labels:
-    # These are the default labels tied to the default gateway
-    app: istio-ingressgateway
-    istio: ingressgateway
-  ports:
-    # NOTE: Below are ripped directly from istio gateway helm chart defaults: https://github.com/istio/istio/blob/master/manifests/charts/gateways/istio-ingress/values.yaml
-    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
-    # Note that AWS ELB will by default perform health checks on the first port
-    # on this list. Setting this to the health check port will ensure that health
-    # checks always work. https://github.com/istio/istio/issues/12503
-    - port: 15021
-      targetPort: 15021
-      name: status-port
-      protocol: TCP
-    - port: 80
-      targetPort: 8080
-      name: http2
-      protocol: TCP
-    - port: 443
-      targetPort: 8443
-      name: https
-      protocol: TCP
-    - port: 15012
-      targetPort: 15012
-      name: tcp-istiod
-      protocol: TCP
-    # This is the port where sni routing happens
-    - port: 15443
-      targetPort: 15443
-      name: tls
-      protocol: TCP
-  #  k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-  podAnnotations: {}
-  #  k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-  serviceAnnotations: {}
-  #  k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
-  nodeSelector: {}
-  #  k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
-  affinity: {}
-  #  k8s toleration https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-  tolerations: []
-extraIngressGateways: []
-# Complete example of an additional ingressgateway defined below
-#  - name: private-ingressgateway
-#    k8s:
-#      hpaSpec:
-#        minReplicas: 1
-#        maxReplicas: 3
-#      serviceAnnotations:
-#        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
-#       metrics:
-#         - type: Resource
-#           resource:
-#             name: cpu
-#            targetAverageUtilization: 80
-#      resources:
-#        limits:
-#          cpu: 1.5
-#          memory: 3Gi
-#        requests:
-#          cpu: 500m
-#          memory: 1Gi
-#    labels:
-#      app: private-ingressgateway
-kiali:
-  enabled: true
-  image:
-    name: kiali
-    hub: registry1.dso.mil/ironbank/opensource/kiali
-    tag: v1.23.0
-  dashboard:
-    auth:
-      strategy: ""
 tracing:
  enabled: false
  address: jaeger-collector.jaeger.svc
  port: 9411
-  # how to access tracing for users. Provided as link in kiali
-  externalAddress: https://tracing.{{ .Values.hostname | default .Values.domain }}
  # percent of traces to send to jaeger
  sampling: 10
-  image:
-    name: all-in-one
-    hub: registry1.dso.mil/ironbank/opensource/jaegertracing
-    tag: 1.19.2
-sso:
-  enabled: false
-  namespace: istio-addons-sso
-  selector:
-    key: protect
-    value: keycloak
 cni:
  image:
@@ -221,4 +158,5 @@ values:
 networkPolicies:
  enabled: false
-  controlPlaneCidr: 0.0.0.0/0
+  # See `kubectl cluster-info` and then resolve to IP
+  controlPlaneCidr: 0.0.0.0/0
\ No newline at end of file
--- a/docs/README.md
+++ b/docs/README.md
--- a/docs/AFFINITY.md
+++ b/docs/AFFINITY.md
--- a/docs/ingress.md
+++ b/docs/ingress.md
+# Istio Control Plan Ingress Configuration
+## Default
+Without changes to this template, the following ingress will be created:
+- One ingress gateway
+  - Name: `istio-ingressgateway`
+  - Type: load balancer
+  - Listening ports: 80 (HTTP), 443 (HTTPS), 15021 (Istio Status), and 15443 (Istio SNI)
+- One gateway
+  - Name: `main`
+  - Ingress Gateway: `istio-ingressgateway`
+  - Hosts: `*.{domain}`
+  - HTTP redirect to HTTPS
+  - TLS termination on HTTPS
+  - No TLS certificate
+At a minimum, a secret holding the wildcard TLS certificate for the domain needs to be provided for the default setup to function.  In addition, Virtual Services should be created for applications to create a complete ingress to an endpoint.
+## Additional Ingress Gateways
+To create additional ingress gateways (or replace the default), the following `values.yaml` configuration can be used.  Under the `k8s` section, any parameters listed in the [Istio Operator documentation](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec) can be added.
+> To remove the default ingress gateway, set `istio-ingressgateway: null` in your `values.yaml`
+```yaml
+ingressGateways:
+  # Complete example of an additional ingressgateway defined below
+  private-ingressgateway:  # This becomes the name
+    extraLabels: {} # Automatic labels: 'app: {ingress gateway name}'
+    k8s: # Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
+      # hpaSpec:  By default, HPA is set from 1-5 instances with a target average utilization of 80%
+      resources: {}
+        # requests:
+        #   cpu: 500m
+        #   memory: 1Gi
+        # limits:
+        #   cpu: 1.5
+        #   memory: 3Gi
+      service:
+        type: "LoadBalancer" # or "NodePort"
+        # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup
+      podAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+      serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+      nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+      affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+      tolerations: [] # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+```
+## Additional Gateways
+Additional gateways can be added to Istio by using the following configuration in your `values.yaml`.
+- `selector` should be used to select which `IngressGateway` to use
+- HTTP redirect is automatically included in every gateway
+- The TLS credentials must be created separately in a secret and referenced in the `tls.credentialName` field
+- Hosts should not overlap between Gateways unless the Ingress Gateways are completely isolated (e.g. different IPs or different Ports)
+> To remove the default gateway, set `main: null` in your `values.yaml`
+```yaml
+# See https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway for spec
+gateways:
+  private:
+    selector:
+      app: "private-istio-ingressgateway"
+    servers:
+    - hosts:
+      - "mypackage.{{ .Values.domain }}"
+      port:
+        name: http2
+        number: 8443
+        protocol: HTTPS
+      tls:
+        credentialName: "some-secret"
+        mode: "SIMPLE"
+  ```
--- a/docs/KEYCLOAK.md
+++ b/docs/KEYCLOAK.md
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -3,4 +3,4 @@ imagePullSecrets:
 networkPolicies:
  enabled: true
  controlPlaneCidr: 172.16.0.0/12
\ No newline at end of file