UNCLASSIFIED

......@@ -2,6 +2,11 @@
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [1.8.4-bb.6]
### Changed
- **BREAKING** `ingressGateway` deprecated in favor of creating `ingressGateways` in a uniform manner
- **BREAKING** `gateway` deprecated in favor of creating `gateways` in a uniform manner
## [1.8.4-bb.5]
### Fixed
- Kube API egress allowed for all pods, not just istiod
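Review bot: the `[1.8.4-bb.6]` entry records only the two deprecations, but this commit also adds the `misdirected-request` EnvoyFilter (a Lua filter that answers 421 on an SNI/authority mismatch on every gateway) and flips a value default elsewhere in the diff; add an `### Added` entry for the EnvoyFilter, including the Envoy 1.18 / proxyv2 1.10 requirement its own header comment states, so operators can see that gateway response behaviour changes on upgrade. Keep a Changelog also expects a release date on each version heading.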
......
* @barrywoodtetrate @joshwolf @kavitha @kenna81 @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia
* @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
......@@ -4,32 +4,33 @@ A simple chart wrapper around `IstioOperator` custom resource.
#### _This is a mirror of a government repo hosted on [Repo1](https://repo1.dso.mil/) by [DoD Platform One](http://p1.dso.mil/). Please direct all code changes, issues and comments to https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane_
# Table of Contents
## Table of Contents
- [Prerequisites](#pre-requisites)
- [Iron Bank](#iron-bank-istio-controlplane)
- [Deployment](#deploy-istio-controlplane)
- [Istio configuration](docs/README.md)
- [Keycloak configuration](docs/KEYCLOAK.md)
- [Ingress](./docs/ingress.md)
## Pre-Requisites
* Kubernetes Cluster deployed
* Kubernetes config installed in `~/.kube/config`
* Helm installed
- Kubernetes Cluster deployed
- Kubernetes config installed in `~/.kube/config`
- Helm installed
Install Helm
https://helm.sh/docs/intro/install/
This chart requires the Istio Operator to be deployed beforehand. You can use [BigBang]() or the standalone [istio-operator](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator) chart.
This chart requires the Istio Operator to be deployed beforehand. You can use [BigBang]() or the standalone [istio-operator](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator) chart. Place the chart into the "istio-system" namespace as described below.
## Iron Bank
You can `pull` the registry1 image(s) [here](https://registry1.dso.mil/harbor/projects/3/repositories/opensource%2Fistio-1.7%2Fpilot-1.7) and view the container approval [here](https://ironbank.dso.mil/ironbank/repomap/opensource/istio-1.7).
You can `pull` the registry1 image(s) [here](https://registry1.dso.mil/harbor/projects/3/repositories/opensource%2Fistio-1.8%2Fpilot-1.8) and view the container approval [here](https://ironbank.dso.mil/ironbank/repomap/opensource/istio-1.8).
## Deployment
```
```shell
git clone https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
cd istio-controlplane
helm install istio-controlplane chart
helm install istio-controlplane chart -n istio-system
```
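Review bot: the table-of-contents anchors `#iron-bank-istio-controlplane` and `#deploy-istio-controlplane` do not match the headings in this file (`## Iron Bank` and `## Deployment` render as `#iron-bank` and `#deployment`), and `[BigBang]()` is an empty link; fix the anchors and add the Big Bang URL. The new install line `helm install istio-controlplane chart -n istio-system` assumes the namespace already exists; either state that the istio-operator prerequisite creates it or add `--create-namespace`.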
apiVersion: v2
name: istio
version: 1.8.4-bb.5
version: 1.8.4-bb.6
......@@ -54,123 +54,21 @@ spec:
{{- end }}
{{- end }}
ingressGateways:
- name: istio-ingressgateway
namespace: {{ .Release.Namespace }}
enabled: true
label:
{{- toYaml .Values.ingressGateway.labels | default (dict) | nindent 10 }}
k8s:
service:
type: {{ .Values.ingressGateway.type }}
ports:
{{- range $k, $v := .Values.ingressGateway.ports }}
{{- /* Input validation */}}
{{- if not $v.name }}
{{- fail "missing field 'name' in ports object" }}
{{- else if not $v.port }}
{{- fail "missing field 'port' in ports object" }}
{{- else if eq $.Values.ingressGateway.type "NodePort" }}
{{- if not $v.nodePort }}
{{- fail "'nodePort' must be defined when type is NodePort" }}
{{- else if or (lt (int $v.nodePort) 30000) (gt (int $v.nodePort) 32767) }}
{{- fail "nodePort value outside of acceptable range (30000-32767)" }}
{{- end }}
{{- if .Values.ingressgateway }}
{{- required "`ingressgateway` value has been deprecated. Please use the new format in the `ingressGateways` value." "" }}
{{- end }}
{{- /* Actual port object rendering */}}
-
{{- range $pk, $pv := $v }}
{{ $pk }}: {{ $pv }}
{{- end }}
{{- end }}
hpaSpec:
minReplicas: {{ .Values.ingressGateway.minReplicas }}
maxReplicas: {{ .Values.ingressGateway.maxReplicas }}
metrics:
{{- toYaml .Values.ingressGateway.scaleMetrics | nindent 12 }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istio-ingressgateway
strategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 25%
resources:
{{- toYaml .Values.ingressGateway.resources | nindent 12 }}
serviceAnnotations:
{{- .Values.ingressGateway.serviceAnnotations | default (dict) | toYaml | nindent 12 }}
podAnnotations:
{{- .Values.ingressGateway.podAnnotations | default (dict) | toYaml | nindent 12 }}
nodeSelector:
{{- .Values.ingressGateway.nodeSelector | default (dict) | toYaml | nindent 12 }}
affinity:
{{- .Values.ingressGateway.affinity | default (dict) | toYaml | nindent 12 }}
tolerations:
{{- .Values.ingressGateway.tolerations | default (list) | toYaml | nindent 12 }}
{{- range $i := .Values.extraIngressGateways }}
- name: {{ $i.name }}
{{- range $name, $values := .Values.ingressGateways }}
- name: {{ $name }}
namespace: {{ $.Release.Namespace }}
enabled: true
enabled: {{ if eq (toString $values.enabled) "<nil>" }}true{{ else }}{{ $values.enabled }}{{ end }}
label:
{{- toYaml $i.labels | default (dict) | nindent 10 }}
k8s:
service:
type: {{ $i.type }}
ports:
{{- range $k, $v := $i.ports }}
{{- /* Input validation */}}
{{- if not $v.name }}
{{- fail "missing field 'name' in ports object" }}
{{- else if not $v.port }}
{{- fail "missing field 'port' in ports object" }}
{{- else if eq $i.type "NodePort" }}
{{- if not $v.nodePort }}
{{- fail "'nodePort' must be defined when type is NodePort" }}
{{- else if or (lt (int $v.nodePort) 30000) (gt (int $v.nodePort) 32767) }}
{{- fail "nodePort value outside of acceptable range (30000-32767)" }}
{{- end }}
{{- end }}
{{- /* Actual port object rendering */}}
-
{{- range $pk, $pv := $v }}
{{ $pk }}: {{ $pv }}
{{- end }}
{{- end }}
{{- if $i.k8s.hpaSpec }}
hpaSpec:
minReplicas: {{ $i.k8s.hpaSpec.minReplicas }}
maxReplicas: {{ $i.k8s.hpaSpec.maxReplicas }}
metrics:
{{ if $i.k8s.hpaSpec.metrics }}
{{- toYaml $i.k8s.hpaSpec.metrics | indent 12 }}
{{ else }}
{{- /* default metrics, backwards compatible */}}
- type: Resource
resource:
name: cpu
targetAverageUtilization: 60
app: {{ $name }}
istio: ingressgateway
{{- if $values.extraLabels }}
{{- toYaml $values.extraLabels | nindent 8 }}
{{- end }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ $i.name }}
{{- end }}
strategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 25%
resources:
{{- toYaml .k8s.resources | nindent 12 }}
serviceAnnotations:
{{- .k8s.serviceAnnotations | default (dict) | toYaml | nindent 12 }}
podAnnotations:
{{- .k8s.podAnnotations | default (dict) | toYaml | nindent 12 }}
nodeSelector:
{{- .k8s.nodeSelector | default (dict) | toYaml | nindent 12 }}
affinity:
{{- .k8s.affinity | default (dict) | toYaml | nindent 12 }}
tolerations:
{{- .k8s.tolerations | default (list) | toYaml | nindent 12 }}
k8s:
{{- toYaml $values.k8s | nindent 8 }}
{{- end }}
meshConfig:
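Review bot: the deprecation guard `{{- if .Values.ingressgateway }}` tests a lowercase key, but the value being deprecated (and named in the changelog) is `ingressGateway`; Helm values are case-sensitive, so an existing override that still sets `ingressGateway:` (service type, NodePort numbers, internal-load-balancer annotations) passes the guard silently, is ignored, and the gateway renders with the new defaults, including a `LoadBalancer` service. Change the check and the message text to `ingressGateway`. Two further points: the old port validation (`fail "missing field 'name' in ports object"`, the 30000-32767 nodePort range check, the `NodePort`/`LoadBalancer` restriction on `type`) is not carried over, because `k8s:` is now rendered with `toYaml $values.k8s` unvalidated; consider at least a `required` check on `service.type`. And every ingress gateway now gets the label `istio: ingressgateway`, so any Gateway whose selector is the common `istio: ingressgateway` binds to all of them, private ones included; document that selectors must use `app: <name>`.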
......
{{/*
This filter is used as a workaround for https://istio.io/latest/docs/ops/common-problems/network-issues/#404-errors-occur-when-multiple-gateways-configured-with-same-tls-certificate.
This occurs because of this bug: https://github.com/envoyproxy/envoy/issues/6767.
By adding the LUA below pre-gateway, we can return a 421 error code instead of a 404 error code when the SNI host is not what we expect.
For **most** browsers, the 421 error will force it to retry the request without reusing a previous connection.
NOTE: This workaround relies on Envoy v1.18.x and above, which is included in istio/proxyv2 1.10.x and above
*/}}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: misdirected-request
namespace: istio-system
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: envoy.filters.network.http_connection_manager
subFilter:
name: envoy.filters.http.router
patch:
operation: INSERT_BEFORE
value:
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
local streamInfo = request_handle:streamInfo()
if request_handle:streamInfo():requestedServerName() ~= "" then
if (string.sub(request_handle:streamInfo():requestedServerName(), 0, 2) == "*." and not string.find(request_handle:headers():get(":authority"), string.sub(request_handle:streamInfo():requestedServerName(), 1))) then
request_handle:respond({[":status"] = "421"}, "Misdirected Request")
end
if (string.sub(request_handle:streamInfo():requestedServerName(), 0, 2) ~= "*." and request_handle:streamInfo():requestedServerName() ~= request_handle:headers():get(":authority")) then
request_handle:respond({[":status"] = "421"}, "Misdirected Request")
end
end
end
\ No newline at end of file
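Review bot: the header comment says this workaround relies on Envoy v1.18.x and istio/proxyv2 1.10.x and above, yet the chart is `1.8.4-bb.6` and the README points at the Istio 1.8 Iron Bank images, so the filter is installed unconditionally on proxies the comment says do not support `requestedServerName()`; gate it behind a value in values.yaml or a version check and record the requirement in the changelog. In the script, `:authority` may carry a port (`host:8443`) and may differ in case from the SNI value, so the plain `~=` comparison in the second branch answers 421 to legitimate requests; strip the port and lower-case both sides before comparing. The first branch is dead and unsafe as written: clients send the literal hostname as SNI, not a wildcard, and `string.find(..., string.sub(name, 1))` uses the whole SNI string (including `*.`) as a Lua pattern rather than a literal; if the branch is kept, use `string.sub(name, 2)` and pass `1, true` to `string.find` for a plain match. `local streamInfo` is assigned but never used, and `namespace: istio-system` should be `{{ .Release.Namespace }}` for consistency with the other templates.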
{{- if .Values.gateway }}
{{- required "`gateway` value has been deprecated. Please use the new format in the `gateways` value." "" }}
{{- end }}
{{- range $name, $values := .Values.gateways }}
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: main
namespace: {{ .Release.Namespace }}
name: {{ $name }}
namespace: {{ $.Release.Namespace }}
spec:
selector:
istio: ingressgateway
{{- $values.selector | default (dict) | toYaml | nindent 4 }}
servers:
- port:
- hosts:
- "*"
port:
name: http
protocol: HTTP
number: 8080
hosts:
- "*"
protocol: HTTP
tls:
httpsRedirect: true
- port:
name: https
protocol: HTTPS
number: 8443
hosts:
{{- if .Values.gateway.hosts }}
{{- .Values.gateway.hosts | toYaml | nindent 6 }}
{{- else }}
- "*.{{ .Values.hostname | default .Values.domain }}"
{{- end }}
tls:
credentialName: {{ .Values.tls.credentialName }}
mode: {{ .Values.tls.mode }}
{{- range .Values.extraServers }}
- port:
{{- if eq .port.name "https" }}
{{- fail "The port name must be unique" }}
{{- end }}
name: {{ required "A valid port name is required!" .port.name }}
protocol: {{ .port.protocol | default "HTTPS" }}
number: {{ .port.number | default 443 }}
{{- range .hosts }}
hosts:
- {{ tpl . $ | quote }}
{{- end }}
tls:
{{- if .tls.credentialName }}
credentialName: {{ .tls.credentialName | quote }}
{{- end }}
mode: {{ .tls.mode | default "SIMPLE" }}
{{- end }}
\ No newline at end of file
{{- tpl (toYaml $values.servers) $ | nindent 2 }}
{{- end }}
\ No newline at end of file
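Review bot: the rewritten template drops every check the old one applied to user-supplied servers (`fail "The port name must be unique"`, `required "A valid port name is required!"`, the `HTTPS`/`443`/`SIMPLE` defaults) and renders `$values.servers` verbatim, so a server named `http` now collides with the redirect server the template always adds, and a `protocol: HTTPS` server with no `tls` block is emitted rather than rejected; add `required`/`fail` checks on `port.name`, `hosts` and `tls`. The redirect server always declares `hosts: ["*"]` on port 8080, so two Gateways that select the same ingress gateway overlap on that port whatever their TLS hosts are; either derive the redirect hosts from the servers' hosts or state this limitation in docs/ingress.md. `$values.selector | default (dict)` passes an empty selector through; `fail` on an empty selector rather than leaving it to Istio to decide what it binds to. Note also that `tpl (toYaml $values.servers) $` evaluates every string in `servers` as a Go template with the full chart context, so values are no longer inert data; that is intended for `{{ .Values.domain }}` but deserves a comment.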
......@@ -12,35 +12,88 @@ domain: bigbang.dev
# Openshift feature switch toggle
openshift: false
monitoring:
enabled: true
imagePullSecrets: []
gateway:
# Sets the default hosts to match for HTTPS using the tls mode below
hosts: [] # Defaults to "*.{{ .Values.domain }}"
# Examples:
# - *.admin.bigbang.dev
# - myapp.bigbang.dev
# Sets the default gateway TLS mode for HTTPS
tls:
credentialName: wildcard-cert
mode: SIMPLE
extraServers: []
# Example below of complete values capable of being set
# NOTE: hosts[] is capable of dynamic templating from the .Values context
# - port:
# name: https-other # required: must not be equal to "http"
# protocol: HTTPS
# number: 443
# hosts:
# - "*.sub.{{ .Values.hostname | default .Values.domain }}"
# tls:
# credentialName: "another-credential" # required
# mode: SIMPLE
monitoring:
enabled: false
# Ingress gateways
# The following items are automatically set for every ingress gateway:
# - label: "app: {name of ingress gateway}"
ingressGateways:
istio-ingressgateway: # This becomes the name
enabled: true
# Labels to use for selecting the ingress gateway from the service
extraLabels: {} # Automatic labels: 'app: {ingress gateway name}' and `istio: ingressgateway`
k8s: # Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
# hpaSpec: By default, HPA is set from 1-5 instances with a target average utilization of 80%
resources: {}
# requests:
# cpu: 500m
# memory: 1Gi
# limits:
# cpu: 1.5
# memory: 3Gi
service:
type: "LoadBalancer" # or "NodePort"
# ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup
podAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
tolerations: [] # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
# # Complete example of an additional ingressgateway defined below
# private-ingressgateway: # This becomes the name
# # Labels to use for selecting the ingress gateway from the service
# extraLabels: {} # Automatic labels: 'app: {ingress gateway name}'
# k8s: # Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
# # hpaSpec: By default, HPA is set from 1-5 instances with a target average utilization of 80%
# resources: {}
# # requests:
# # cpu: 500m
# # memory: 1Gi
# # limits:
# # cpu: 1.5
# # memory: 3Gi
# service:
# type: "LoadBalancer" # or "NodePort"
# # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup
# podAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
# serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
# nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
# affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
# tolerations: [] # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
# See https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway for spec
gateways:
main: # This becomes the name of the gateway
selector:
app: "istio-ingressgateway"
servers: # HTTP redirect to HTTPS is automatically added
- hosts:
- "*.{{ .Values.domain }}"
port:
name: https
number: 8443
protocol: HTTPS
tls:
credentialName: "wildcard-cert"
mode: "SIMPLE"
# # Example of adding additional gateways
# private:
# selector:
# app: "private-istio-ingressgateway"
# servers:
# - hosts:
# - "mypackage.{{ .Values.domain }}"
# port:
# name: http2
# number: 8443
# protocol: HTTPS
# tls:
# credentialName: "some-secret"
# mode: "SIMPLE"
# istiod / pilot configuration
istiod:
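Review bot: `monitoring.enabled` changes between `true` and `false` in this hunk (the block also moves), which the changelog does not record; if the default is meant to change, add a `### Changed` entry. The label comments disagree: `extraLabels` on the default gateway says the automatic labels are `app:` and `istio: ingressgateway`, while the header comment (`# - label: "app: {name of ingress gateway}"`) and the `private-ingressgateway` example list only `app:`; align them with the template, which adds both. The two commented examples do not fit together: the ingress gateway is named `private-ingressgateway` (label `app: private-ingressgateway`) but the `private` gateway example selects `app: "private-istio-ingressgateway"`, so uncommenting both yields a Gateway bound to no workload. `credentialName: "wildcard-cert"` references a secret the chart does not create (docs/ingress.md says it must be provided); a comment saying so here would save a failed first install.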
......@@ -76,128 +129,12 @@ istiod:
# k8s toleration https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
ingressGateway:
minReplicas: 1
maxReplicas: 5
scaleMetrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 60
resources: {}
# limits:
# cpu: 1.5
# memory: 3Gi
# requests:
# cpu: 500m
# memory: 1Gi
# Only "LoadBalancer" and "NodePort" are allowed
type: LoadBalancer
labels:
# These are the default labels tied to the default gateway
app: istio-ingressgateway
istio: ingressgateway
ports:
# NOTE: Below are ripped directly from istio gateway helm chart defaults: https://github.com/istio/istio/blob/master/manifests/charts/gateways/istio-ingress/values.yaml
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
# Note that AWS ELB will by default perform health checks on the first port
# on this list. Setting this to the health check port will ensure that health
# checks always work. https://github.com/istio/istio/issues/12503
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
- port: 15012
targetPort: 15012
name: tcp-istiod
protocol: TCP
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
protocol: TCP
# k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
serviceAnnotations: {}
# k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
nodeSelector: {}
# k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
# k8s toleration https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
extraIngressGateways: []
# Complete example of an additional ingressgateway defined below
# - name: private-ingressgateway
# k8s:
# hpaSpec:
# minReplicas: 1
# maxReplicas: 3
# serviceAnnotations:
# service.beta.kubernetes.io/aws-load-balancer-internal: "true"
# metrics:
# - type: Resource
# resource:
# name: cpu
# targetAverageUtilization: 80
# resources:
# limits:
# cpu: 1.5
# memory: 3Gi
# requests:
# cpu: 500m
# memory: 1Gi
# labels:
# app: private-ingressgateway
kiali:
enabled: true
image:
name: kiali
hub: registry1.dso.mil/ironbank/opensource/kiali
tag: v1.23.0
dashboard:
auth:
strategy: ""
tracing:
enabled: false
address: jaeger-collector.jaeger.svc
port: 9411
# how to access tracing for users. Provided as link in kiali
externalAddress: https://tracing.{{ .Values.hostname | default .Values.domain }}
# percent of traces to send to jaeger
sampling: 10
image:
name: all-in-one
hub: registry1.dso.mil/ironbank/opensource/jaegertracing
tag: 1.19.2
sso:
enabled: false
namespace: istio-addons-sso
selector:
key: protect
value: keycloak
cni:
image:
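Review bot: the hunk header `-76,128 +129,12` shows that the `kiali`, `tracing` and `sso` blocks visible here are removed together with the old `ingressGateway` and `extraIngressGateways` values, but the changelog mentions only the gateway deprecations, and the README still links a Keycloak configuration document; if these blocks move elsewhere, say where, otherwise they need a `### Removed` entry and matching README/docs updates. Unlike `gateway`, the old `ingressGateway` value has no case-correct guard in the templates (the istio-operator template checks `ingressgateway`), so deleting its defaults here means anyone still overriding `ingressGateway` loses their settings silently. The deleted port list also carried the AWS ELB health-check note (status port 15021 first, `istio/issues/12503`); confirm the operator default keeps that order, or restore the note next to the `ports:` comment.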
......@@ -221,4 +158,5 @@ values:
networkPolicies:
enabled: false
# See `kubectl cluster-info` and then resolve to IP
controlPlaneCidr: 0.0.0.0/0
\ No newline at end of file
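Review bot: the single added line in this hunk is not visible in the rendering (probably the trailing newline, given `\ No newline at end of file`), so it cannot be reviewed here. The trailing context keeps `controlPlaneCidr: 0.0.0.0/0`, which, for the Kube API egress policy named in the bb.5 changelog entry, allows any destination once `networkPolicies.enabled` is turned on; since the comment already tells users to resolve the API server address from `kubectl cluster-info`, consider a `required` check or a README note so the permissive default is not shipped unnoticed.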
# Istio Control Plan Ingress Configuration
## Default
Without changes to this template, the following ingress will be created:
- One ingress gateway
- Name: `istio-ingressgateway`
- Type: load balancer
- Listening ports: 80 (HTTP), 443 (HTTPS), 15021 (Istio Status), and 15443 (Istio SNI)
- One gateway
- Name: `main`
- Ingress Gateway: `istio-ingressgateway`
- Hosts: `*.{domain}`
- HTTP redirect to HTTPS
- TLS termination on HTTPS
- No TLS certificate
At a minimum, a secret holding the wildcard TLS certificate for the domain needs to be provided for the default setup to function. In addition, Virtual Services should be created for applications to create a complete ingress to an endpoint.
## Additional Ingress Gateways
To create additional ingress gateways (or replace the default), the following `values.yaml` configuration can be used. Under the `k8s` section, any parameters listed in the [Istio Operator documentation](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec) can be added.
> To remove the default ingress gateway, set `istio-ingressgateway: null` in your `values.yaml`
```yaml
ingressGateways:
# Complete example of an additional ingressgateway defined below
private-ingressgateway: # This becomes the name
extraLabels: {} # Automatic labels: 'app: {ingress gateway name}'
k8s: # Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
# hpaSpec: By default, HPA is set from 1-5 instances with a target average utilization of 80%
resources: {}
# requests:
# cpu: 500m
# memory: 1Gi
# limits:
# cpu: 1.5
# memory: 3Gi
service:
type: "LoadBalancer" # or "NodePort"
# ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup
podAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
tolerations: [] # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
```
## Additional Gateways
Additional gateways can be added to Istio by using the following configuration in your `values.yaml`.
- `selector` should be used to select which `IngressGateway` to use
- HTTP redirect is automatically included in every gateway
- The TLS credentials must be created separately in a secret and referenced in the `tls.credentialName` field
- Hosts should not overlap between Gateways unless the Ingress Gateways are completely isolated (e.g. different IPs or different Ports)
> To remove the default gateway, set `main: null` in your `values.yaml`
```yaml
# See https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway for spec
gateways:
private:
selector:
app: "private-istio-ingressgateway"
servers:
- hosts:
- "mypackage.{{ .Values.domain }}"
port:
name: http2
number: 8443
protocol: HTTPS
tls:
credentialName: "some-secret"
mode: "SIMPLE"
```
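Review bot: the title `Istio Control Plan Ingress Configuration` should read `Control Plane`. Under `## Default`, `No TLS certificate` is misleading next to the values default `credentialName: "wildcard-cert"`; say instead that the gateway references a `wildcard-cert` secret the chart does not create, which is what the following paragraph means. The two examples do not fit together: the ingress gateway is named `private-ingressgateway`, so its automatic label is `app: private-ingressgateway`, while the gateway example selects `app: "private-istio-ingressgateway"` and would bind to nothing; use one name in both. `HTTP redirect is automatically included in every gateway` should add that the redirect server listens on host `*`, so the hosts-overlap warning applies to any two Gateways sharing an ingress gateway, not only when their TLS hosts overlap. Since every ingress gateway also carries `istio: ingressgateway`, state that `selector` must use the `app:` label. Minor: naming an HTTPS server port `http2` reads oddly; `https` matches the default gateway.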