diff --git a/charts/gateway/config b/charts/gateway/config index 915e40161..93e103e0a 100644 --- a/charts/gateway/config +++ b/charts/gateway/config @@ -4,7 +4,7 @@ export USE_OPENSOURCE_CHART=false export REPO_URL=https://istio-release.storage.googleapis.com/charts export REPO_NAME=istio export CHART_NAME=gateway -export VERSION=1.17.1 +export VERSION=1.24.2 # pr, issue, none export UPGRADE_METHOD=pr diff --git a/charts/gateway/gateway/Chart.yaml b/charts/gateway/gateway/Chart.yaml index bc865e11d..7c560b868 100644 --- a/charts/gateway/gateway/Chart.yaml +++ b/charts/gateway/gateway/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.17.1 +appVersion: 1.24.2 description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,10 +7,10 @@ keywords: - gateways name: gateway sources: - - http://github.com/istio/istio + - https://github.com/istio/istio type: application -version: 1.17.1 +version: 1.24.2 dependencies: - name: gateway - version: "1.17.1" + version: "1.24.2" repository: "https://istio-release.storage.googleapis.com/charts" diff --git a/charts/gateway/gateway/README.md b/charts/gateway/gateway/README.md index 0e58c00f2..5c064d165 100644 --- a/charts/gateway/gateway/README.md +++ b/charts/gateway/gateway/README.md 
@@ -35,6 +35,28 @@ To view support configuration options and documentation, run: helm show values istio/gateway ``` +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### OpenShift + +When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: + +```console +helm install istio-ingressgateway istio/gateway --set profile=openshift +``` + ### `image: auto` Information The image used by the chart, `auto`, may be unintuitive. diff --git a/charts/gateway/gateway/charts/gateway/Chart.yaml b/charts/gateway/gateway/charts/gateway/Chart.yaml index ab40b4fd4..33743efd2 100644 --- a/charts/gateway/gateway/charts/gateway/Chart.yaml +++ b/charts/gateway/gateway/charts/gateway/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.17.1 +appVersion: 1.24.2 description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,6 +7,6 @@ keywords: - gateways name: gateway sources: -- http://github.com/istio/istio +- https://github.com/istio/istio type: application -version: 1.17.1 +version: 1.24.2 diff --git a/charts/gateway/gateway/charts/gateway/README.md b/charts/gateway/gateway/charts/gateway/README.md index 0e58c00f2..5c064d165 100644 
--- a/charts/gateway/gateway/charts/gateway/README.md +++ b/charts/gateway/gateway/charts/gateway/README.md @@ -35,6 +35,28 @@ To view support configuration options and documentation, run: helm show values istio/gateway ``` +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### OpenShift + +When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: + +```console +helm install istio-ingressgateway istio/gateway --set profile=openshift +``` + ### `image: auto` Information The image used by the chart, `auto`, may be unintuitive. diff --git a/charts/gateway/gateway/charts/gateway/files/profile-ambient.yaml b/charts/gateway/gateway/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 000000000..2805fe46b --- /dev/null +++ b/charts/gateway/gateway/charts/gateway/files/profile-ambient.yaml 
@@ -0,0 +1,17 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_META_ENABLE_HBONE: "true"
+global:
+ variant: distroless
+pilot:
+ env:
+ PILOT_ENABLE_AMBIENT: "true"
+cni:
+ ambient:
+ enabled: true
diff --git a/charts/gateway/gateway/charts/gateway/files/profile-compatibility-version-1.21.yaml b/charts/gateway/gateway/charts/gateway/files/profile-compatibility-version-1.21.yaml
new file mode 100644
index 000000000..c8da4d2e1
--- /dev/null
+++ b/charts/gateway/gateway/charts/gateway/files/profile-compatibility-version-1.21.yaml
@@ -0,0 +1,33 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.22 behavioral changes
+ ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+ # 1.24 behavioral changes
+ ENABLE_INBOUND_RETRY_POLICY: "false"
+ EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
+ PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+ # 1.22 behavioral changes
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_DELTA_XDS: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
diff --git a/charts/gateway/gateway/charts/gateway/files/profile-compatibility-version-1.22.yaml b/charts/gateway/gateway/charts/gateway/files/profile-compatibility-version-1.22.yaml
new file mode 100644
index 000000000..70d8eb40c
--- /dev/null
+++ b/charts/gateway/gateway/charts/gateway/files/profile-compatibility-version-1.22.yaml
@@ -0,0 +1,26 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+ # 1.24 behavioral changes
+ ENABLE_INBOUND_RETRY_POLICY: "false"
+ EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
+ PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.22 behavioral changes
+ ENABLE_DEFERRED_CLUSTER_CREATION: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
diff --git a/charts/gateway/gateway/charts/gateway/files/profile-compatibility-version-1.23.yaml b/charts/gateway/gateway/charts/gateway/files/profile-compatibility-version-1.23.yaml
new file mode 100644
index 000000000..636bb6f15
--- /dev/null
+++ b/charts/gateway/gateway/charts/gateway/files/profile-compatibility-version-1.23.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.24 behavioral changes
+ ENABLE_INBOUND_RETRY_POLICY: "false"
+ EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
+ PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
diff --git a/charts/gateway/gateway/charts/gateway/files/profile-demo.yaml b/charts/gateway/gateway/charts/gateway/files/profile-demo.yaml
new file mode 100644
index 000000000..eadbde17c
--- /dev/null
+++ b/charts/gateway/gateway/charts/gateway/files/profile-demo.yaml
@@ -0,0 +1,90 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+ accessLogFile: /dev/stdout
+ extensionProviders:
+ - name: otel
+ envoyOtelAls:
+ service: opentelemetry-collector.observability.svc.cluster.local
+ port: 4317
+ - name: skywalking
+ skywalking:
+ service: tracing.istio-system.svc.cluster.local
+ port: 11800
+ - name: otel-tracing
+ opentelemetry:
+ port: 4317
+ service: opentelemetry-collector.observability.svc.cluster.local
+
+cni:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+ztunnel:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+global:
+ proxy:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ waypoint:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+pilot:
+ autoscaleEnabled: false
+ traceSampling: 100
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+
+gateways:
+ istio-egressgateway:
+ autoscaleEnabled: false
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ istio-ingressgateway:
+ autoscaleEnabled: false
+ ports:
+ ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+ # Note that AWS ELB will by default perform health checks on the first port
+ # on this list. Setting this to the health check port will ensure that health
+ # checks always work. https://github.com/istio/istio/issues/12503
+ - port: 15021
+ targetPort: 15021
+ name: status-port
+ - port: 80
+ targetPort: 8080
+ name: http2
+ - port: 443
+ targetPort: 8443
+ name: https
+ - port: 31400
+ targetPort: 31400
+ name: tcp
+ # This is the port where sni routing happens
+ - port: 15443
+ targetPort: 15443
+ name: tls
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
\ No newline at end of file
diff --git a/charts/gateway/gateway/charts/gateway/files/profile-platform-k3d.yaml b/charts/gateway/gateway/charts/gateway/files/profile-platform-k3d.yaml
new file mode 100644
index 000000000..cd86d9ec5
--- /dev/null
+++ b/charts/gateway/gateway/charts/gateway/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /bin
diff --git a/charts/gateway/gateway/charts/gateway/files/profile-platform-k3s.yaml b/charts/gateway/gateway/charts/gateway/files/profile-platform-k3s.yaml
new file mode 100644
index 000000000..f3f2884aa
--- /dev/null
+++ b/charts/gateway/gateway/charts/gateway/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /var/lib/rancher/k3s/data/current/bin/
diff --git a/charts/gateway/gateway/charts/gateway/files/profile-platform-microk8s.yaml b/charts/gateway/gateway/charts/gateway/files/profile-platform-microk8s.yaml
new file mode 100644
index 000000000..57d7f5e3c
--- /dev/null
+++ b/charts/gateway/gateway/charts/gateway/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/snap/microk8s/current/args/cni-network
+ cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/charts/gateway/gateway/charts/gateway/files/profile-platform-minikube.yaml b/charts/gateway/gateway/charts/gateway/files/profile-platform-minikube.yaml
new file mode 100644
index 000000000..fa9992e20
--- /dev/null
+++ b/charts/gateway/gateway/charts/gateway/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniNetnsDir: /var/run/docker/netns
diff --git a/charts/gateway/gateway/charts/gateway/files/profile-platform-openshift.yaml b/charts/gateway/gateway/charts/gateway/files/profile-platform-openshift.yaml
new file mode 100644
index 000000000..8ddc5e165
--- /dev/null
+++ b/charts/gateway/gateway/charts/gateway/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+ cniBinDir: /var/lib/cni/bin
+ cniConfDir: /etc/cni/multus/net.d
+ chained: false
+ cniConfFileName: "istio-cni.conf"
+ provider: "multus"
+pilot:
+ cni:
+ enabled: true
+ provider: "multus"
+seLinuxOptions:
+ type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/charts/gateway/gateway/charts/gateway/files/profile-preview.yaml b/charts/gateway/gateway/charts/gateway/files/profile-preview.yaml
new file mode 100644
index 000000000..181d7bda2
--- /dev/null
+++ b/charts/gateway/gateway/charts/gateway/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # Enable Istio agent to handle DNS requests for known hosts
+ # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+ ISTIO_META_DNS_CAPTURE: "true"
diff --git a/charts/gateway/gateway/charts/gateway/files/profile-remote.yaml b/charts/gateway/gateway/charts/gateway/files/profile-remote.yaml
new file mode 100644
index 000000000..d17b9a801
--- /dev/null
+++ b/charts/gateway/gateway/charts/gateway/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+ enabled: true
+configMap: false
+telemetry:
+ enabled: false
+global:
+ # TODO BML maybe a different profile for a configcluster/revisit this
+ omitSidecarInjectorConfigMap: true
diff --git a/charts/gateway/gateway/charts/gateway/files/profile-stable.yaml b/charts/gateway/gateway/charts/gateway/files/profile-stable.yaml new file mode 100644 index 000000000..358282e69 --- /dev/null +++ b/charts/gateway/gateway/charts/gateway/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/charts/gateway/gateway/charts/gateway/templates/NOTES.txt b/charts/gateway/gateway/charts/gateway/templates/NOTES.txt index 78451d33e..fd0142911 100644 --- a/charts/gateway/gateway/charts/gateway/templates/NOTES.txt +++ b/charts/gateway/gateway/charts/gateway/templates/NOTES.txt @@ -1,8 +1,8 @@ "{{ include "gateway.name" . }}" successfully installed! To learn more about the release, try: - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} Next steps: * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ diff --git a/charts/gateway/gateway/charts/gateway/templates/_helpers.tpl b/charts/gateway/gateway/charts/gateway/templates/_helpers.tpl index e75d27345..e5a0a9b3c 100644 --- a/charts/gateway/gateway/charts/gateway/templates/_helpers.tpl +++ b/charts/gateway/gateway/charts/gateway/templates/_helpers.tpl 
@@ -6,40 +6,28 @@ {{- end -}} {{- end }} -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "gateway.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - {{- define "gateway.labels" -}} -helm.sh/chart: {{ include "gateway.chart" . }} {{ include "gateway.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/name: {{ include "gateway.name" . }} {{- range $key, $val := .Values.labels }} -{{- if not (or (eq $key "app") (eq $key "istio")) }} +{{- if and (ne $key "app") (ne $key "istio") }} {{ $key | quote }}: {{ $val | quote }} {{- end }} {{- end }} {{- end }} {{- define "gateway.selectorLabels" -}} -{{- if hasKey .Values.labels "app" }} -{{- with .Values.labels.app }}app: {{.|quote}} -{{- end}} -{{- else }}app: {{ include "gateway.name" . }} -{{- end }} -{{- if hasKey .Values.labels "istio" }} -{{- with .Values.labels.istio }} -istio: {{.|quote}} -{{- end}} -{{- else }} -istio: {{ include "gateway.name" . | trimPrefix "istio-" }} +app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} +istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} +{{- end }} + +{{/* +Keep sidecar injection labels together +https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy +*/}} +{{- define "gateway.sidecarInjectionLabels" -}} +sidecar.istio.io/inject: "true" +{{- with .Values.revision }} +istio.io/rev: {{ . | quote }} {{- end }} {{- end }} diff --git a/charts/gateway/gateway/charts/gateway/templates/deployment.yaml b/charts/gateway/gateway/charts/gateway/templates/deployment.yaml index b3b76cd24..e9bfbbd36 100644 --- a/charts/gateway/gateway/charts/gateway/templates/deployment.yaml 
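Review bot: In `gateway.selectorLabels` the `quote` is applied before `default`, so an explicitly empty `labels.app: ""` (or `labels.istio: ""`) survives as the two-character string `""` instead of falling back to the gateway name, and every consumer of the helper — including the Deployment's `matchLabels` — then selects on an empty label value. If the fallback is meant to cover the empty case as well as the unset one, apply the default first: `app: {{ .Values.labels.app | default (include "gateway.name" .) | quote }}` and `istio: {{ .Values.labels.istio | default (include "gateway.name" . | trimPrefix "istio-") | quote }}`. That also quotes the fallback value, which is equivalent YAML but changes the rendered text, so any golden-file tests would need refreshing.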
+++ b/charts/gateway/gateway/charts/gateway/templates/deployment.yaml @@ -4,12 +4,23 @@ metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4}} annotations: {{- .Values.annotations | toYaml | nindent 4 }} spec: {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + {{- with .Values.replicaCount }} + replicas: {{ . }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} {{- end }} selector: matchLabels: @@ -21,11 +32,15 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} labels: - sidecar.istio.io/inject: "true" - {{- with .Values.revision }} - istio.io/rev: {{ . }} - {{- end }} + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: 
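Review bot: `{{- with .Values.replicaCount }}` treats `0` as false, so `replicaCount: 0`, which the old line rendered as `replicas: 0`, now emits no `replicas` field at all and the Deployment silently comes up with the API default of one replica. The schema hunk at the end of this diff widens `replicaCount` to `["integer", "null"]`, which suggests the goal is only to omit the field when it is unset (for example when an HPA or a GitOps controller owns it); that intent is better expressed as `{{- if not (kindIs "invalid" .Values.replicaCount) }}` / `replicas: {{ .Values.replicaCount }}` / `{{- end }}`, which still drops the field for `null` but keeps an explicit zero. A one-line comment above the guard saying that `null` means "not managed by the chart" would make the behaviour discoverable from values.yaml.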
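Review bot: The pod-template labels render the user-supplied `.Values.labels` after `gateway.sidecarInjectionLabels`, and the inline filter only skips `app` and `istio`, so a `labels` entry keyed `sidecar.istio.io/inject` or `istio.io/rev` produces a duplicate mapping key in the rendered manifest; which value wins is left to the YAML parser, so the injection label (and with it the `image: auto` resolution) could be overridden with no render-time error. Rejecting the reserved keys is cheap: `{{- if has $key (list "sidecar.istio.io/inject" "istio.io/rev") }}{{ fail (printf "labels.%s is managed by the chart; use .Values.revision instead" $key) }}{{- end }}` inside the range. Separately, `istio.labels` now places `helm.sh/chart` and `app.kubernetes.io/version` on the pod template, so every chart version bump changes the template hash and rolls the gateway pods; that is probably acceptable for a gateway, but it deserves a comment so nobody treats the restart as a regression.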
@@ -35,12 +50,16 @@ spec: securityContext: {{- if .Values.securityContext }} {{- toYaml .Values.securityContext | nindent 8 }} - {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }} + {{- else }} # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} containers: - name: istio-proxy # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection @@ -51,28 +70,18 @@ spec: securityContext: {{- if .Values.containerSecurityContext }} {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + {{- else }} capabilities: drop: - ALL allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true + {{- if not (eq .Values.platform "openshift") }} runAsUser: 1337 runAsGroup: 1337 + {{- end }} runAsNonRoot: true - {{- else }} - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 0 - runAsGroup: 1337 - runAsNonRoot: false - allowPrivilegeEscalation: true - readOnlyRootFilesystem: true {{- end }} env: {{- with .Values.networkGateway }} @@ -89,6 +98,14 @@ spec: name: http-envoy-prom resources: {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} 
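Review bot: A user-supplied `.Values.securityContext` replaces the whole default block rather than merging with it, so an override that only adds `fsGroup` or `seccompProfile` silently drops the `net.ipv4.ip_unprivileged_port_start=0` sysctl, and because the container runs as UID 1337 with all capabilities dropped, Envoy can then no longer bind any container port below 1024. That only bites when a `targetPort` is a privileged port, but it should be stated next to the `{{- if .Values.securityContext }}` branch, e.g. `# NOTE: a user-supplied securityContext replaces this block; re-add the ip_unprivileged_port_start sysctl if any container port is < 1024`. Removing the `semverCompare ">=1.22-0"` guard also makes Kubernetes 1.22 the hard floor for this chart; if Chart.yaml does not already carry a matching `kubeVersion`, it should, so older clusters fail at render time with a clear message. Minor: `volumes:` uses `{{ toYaml . | nindent 8 }}` without the leading dash, unlike `volumeMounts:` further down, which leaves a whitespace-only line in the output.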
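Review bot: `.Values.containerSecurityContext`, when set, replaces the entire hardened default (`capabilities.drop: [ALL]`, `allowPrivilegeEscalation: false`, `privileged: false`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`) instead of being merged onto it, so a one-key override such as `readOnlyRootFilesystem: false` silently removes every other restriction. Merging would keep the hardening unless it is explicitly relaxed — build the default block as a dict and render `{{- toYaml (mustMergeOverwrite $defaultCsc .Values.containerSecurityContext) | nindent 12 }}` — and at minimum the values.yaml entry should state that the override is a full replacement. The `platform == "openshift"` branch drops `runAsUser`/`runAsGroup` so the SCC can assign the UID range, which is correct, but a comment saying so would stop the next reader from re-adding them. The schema hunk at the end of this diff also declares `runAsRoot` and `unprivilegedPort`, yet nothing in the visible part of this template reads them, so as far as this file goes those values appear to be accepted by validation and then ignored.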
@@ -105,3 +122,7 @@ spec: topologySpreadConstraints: {{- toYaml . | nindent 8 }} {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/charts/gateway/gateway/charts/gateway/templates/hpa.yaml b/charts/gateway/gateway/charts/gateway/templates/hpa.yaml index e287406c4..64ecb6a4c 100644 --- a/charts/gateway/gateway/charts/gateway/templates/hpa.yaml +++ b/charts/gateway/gateway/charts/gateway/templates/hpa.yaml @@ -1,14 +1,12 @@ {{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} -{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}} apiVersion: autoscaling/v2 -{{- else }} -apiVersion: autoscaling/v2beta2 -{{- end }} kind: HorizontalPodAutoscaler metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4 }} annotations: {{- .Values.annotations | toYaml | nindent 4 }} @@ -28,4 +26,15 @@ spec: averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} type: Utilization {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/gateway/gateway/charts/gateway/templates/poddisruptionbudget.yaml b/charts/gateway/gateway/charts/gateway/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..b0155cdf0 --- /dev/null +++ b/charts/gateway/gateway/charts/gateway/templates/poddisruptionbudget.yaml 
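Review bot: `terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}` is emitted unconditionally, so a null value renders as a bare key, while `priorityClassName` directly below is `with`-guarded; the two new fields should follow one convention. Since `0` is a meaningful value here (immediate SIGKILL), a `with` guard would be wrong; wrap the line in `{{- if not (kindIs "invalid" .Values.terminationGracePeriodSeconds) }}` … `{{- end }}` instead, or document that values.yaml always supplies a non-null default. `$.Values` is also used here where the rest of this file writes `.Values`; the enclosing `spec:` block begins outside the hunk.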
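Review bot: Dropping the `autoscaling/v2beta2` fallback makes the template emit `autoscaling/v2` unconditionally, which only exists on Kubernetes 1.23 and later, so on an older cluster the error now surfaces at apply time as an unknown API version rather than at render time. If Chart.yaml does not already declare `kubeVersion: ">=1.23.0-0"` it should, so the floor is enforced by Helm before anything is sent to the API server; the unchanged `{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}` guard is the natural place for a comment stating that requirement.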
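Review bot: `targetMemoryUtilizationPercentage` and `autoscaleBehavior` are read here, but the `autoscaling` object in the schema hunk at the end of this diff declares only `enabled`, `maxReplicas`, `minReplicas` and `targetCPUUtilizationPercentage` and does not set `additionalProperties: false`, so a misspelled key passes validation and silently disables the memory metric or the behavior block. Add both to `autoscaling.properties`, e.g. `"targetMemoryUtilizationPercentage": { "type": "integer" }` and `"autoscaleBehavior": { "type": "object" }`, so typos fail at render time. `behavior:` is then passed through `toYaml` verbatim, which is fine for the API, but a comment pointing at the HPA `behavior` spec would tell users what shape is expected.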
@@ -0,0 +1,18 @@ +{{- if .Values.podDisruptionBudget }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} +spec: + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + {{- with .Values.podDisruptionBudget }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} diff --git a/charts/gateway/gateway/charts/gateway/templates/role.yaml b/charts/gateway/gateway/charts/gateway/templates/role.yaml index 3febf79bc..3d1607963 100644 --- a/charts/gateway/gateway/charts/gateway/templates/role.yaml +++ b/charts/gateway/gateway/charts/gateway/templates/role.yaml @@ -5,6 +5,12 @@ kind: Role metadata: name: {{ include "gateway.serviceAccountName" . }} namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} rules: - apiGroups: [""] resources: ["secrets"] @@ -15,6 +21,12 @@ kind: RoleBinding metadata: name: {{ include "gateway.serviceAccountName" . }} namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/charts/gateway/gateway/charts/gateway/templates/service.yaml b/charts/gateway/gateway/charts/gateway/templates/service.yaml index b96a52b90..25ce3bcb0 100644 --- a/charts/gateway/gateway/charts/gateway/templates/service.yaml +++ b/charts/gateway/gateway/charts/gateway/templates/service.yaml 
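Review bot: `.Values.podDisruptionBudget` is dumped verbatim after `selector`, so a value that sets both `minAvailable` and `maxUnavailable`, or that carries its own `selector` key, renders cleanly and is either rejected only by the API server or, for the duplicated `selector`, silently resolved by the YAML parser. A render-time guard is cheap: `{{- if and (hasKey .Values.podDisruptionBudget "minAvailable") (hasKey .Values.podDisruptionBudget "maxUnavailable") }}{{ fail "podDisruptionBudget: set only one of minAvailable/maxUnavailable" }}{{- end }}` before the `toYaml`. Unlike hpa.yaml, this template is not gated on `kind == "Deployment"`, so a DaemonSet gateway gets a PDB too; that is valid but should be a deliberate choice and noted in a comment.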
@@ -5,6 +5,8 @@ metadata: name: {{ include "gateway.name" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4 }} {{- with .Values.networkGateway }} topology.istio.io/network: "{{.}}" @@ -15,6 +17,20 @@ spec: {{- with .Values.service.loadBalancerIP }} loadBalancerIP: "{{ . }}" {{- end }} +{{- if eq .Values.service.type "LoadBalancer" }} + {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} +{{- end }} +{{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.ipFamilies }} + ipFamilies: +{{- range .Values.service.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} {{- with .Values.service.loadBalancerSourceRanges }} loadBalancerSourceRanges: {{ toYaml . | indent 4 }} diff --git a/charts/gateway/gateway/charts/gateway/templates/serviceaccount.yaml b/charts/gateway/gateway/charts/gateway/templates/serviceaccount.yaml index e5b2304d6..c88afeadd 100644 --- a/charts/gateway/gateway/charts/gateway/templates/serviceaccount.yaml +++ b/charts/gateway/gateway/charts/gateway/templates/serviceaccount.yaml @@ -5,6 +5,8 @@ metadata: name: {{ include "gateway.serviceAccountName" . }} namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} {{- include "gateway.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} annotations: diff --git a/charts/gateway/gateway/charts/gateway/templates/zzz_profile.yaml b/charts/gateway/gateway/charts/gateway/templates/zzz_profile.yaml new file mode 100644 index 000000000..35623047c --- /dev/null +++ b/charts/gateway/gateway/charts/gateway/templates/zzz_profile.yaml 
@@ -0,0 +1,74 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+ "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+ ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if ($.Values.global).platform }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" ($.Values.global).platform) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+# Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/charts/gateway/gateway/charts/gateway/values.schema.json b/charts/gateway/gateway/charts/gateway/values.schema.json
index f651d4063..3108259a9 100644
--- a/charts/gateway/gateway/charts/gateway/values.schema.json
+++ b/charts/gateway/gateway/charts/gateway/values.schema.json
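Review bot: The `{{- if false }}` block under `# Flatten globals` is dead code that still references `$profile.global`, so it will rot silently; delete it or turn it into a `{{/* TODO: … */}}` comment that says what flattening is still planned. The `fail` message in the `defaults` guard says `.default prefix` while the key it checks (and its own example `defaults.hub`) is `defaults`; the text should read `Setting with .defaults prefix found`. The user-controlled `profile`, `compatibilityVersion` and `global.platform` names only ever reach `$.Files.Get`, which is a lookup in the chart's packaged files, so there is no path-traversal exposure here — worth a one-line comment so the next reviewer does not have to re-derive it. It would also help to state in the header comment that `mustMergeOverwrite` replaces lists instead of appending to them, since a profile that sets a list-valued key overwrites the default list wholesale.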
@@ -2,203 +2,309 @@ "$schema": "http://json-schema.org/schema#", "type": "object", "additionalProperties": false, - "properties": { - "global": { - "type": "object" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": ["object", "null"] - }, - "containerSecurityContext": { - "type": ["object", "null"] - }, - "kind":{ - "type": "string", - "enum": ["Deployment", "DaemonSet"] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { + "$defs": { + "values": { "type": "object", "properties": { - "enabled": { - "type": "boolean" + "global": { + "type": "object" }, - "maxReplicas": { - "type": "integer" + "affinity": { + "type": "object" }, - "minReplicas": { - "type": "integer" + "securityContext": { + "type": [ + "object", + "null" + ] }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" }, - "prometheus.io/path": { + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ "null", "integer" ] + }, + "readinessProbe": { + "type": [ "null", "object" ] + }, + "labels": { + "type": "object" + }, + "name": { "type": 
"string" }, - "prometheus.io/port": { + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + } + } + }, + "revision": { "type": "string" }, - "prometheus.io/scrape": { + "compatibilityVersion": { "type": "string" - } - } - }, - "replicaCount": { - "type": "integer" - }, - "resources": { - "type": "object", - "properties": { - "limits": { + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { "type": "object", "properties": { - "cpu": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { "type": "string" }, - "memory": { + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { "type": "string" } } }, - "requests": { + 
"serviceAccount": { "type": "object", "properties": { - "cpu": { - "type": "string" + "annotations": { + "type": "object" }, - "memory": { + "name": { "type": "string" + }, + "create": { + "type": "boolean" } } - } - } - }, - "revision": { - "type": "string" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": ["string", "boolean"], - "enum": [true, false, "auto"] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" }, - "externalTrafficPolicy": { - "type": "string" + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } }, - "loadBalancerIP": { - "type": "string" + "tolerations": { + "type": "array" }, - "loadBalancerSourceRanges": { + "topologySpreadConstraints": { "type": "array" }, - "ports": { + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { "type": "array", "items": { "type": "object", "properties": { "name": { "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" } } } }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } }, - "name": { - "type": "string" + "terminationGracePeriodSeconds": { + "type": "number" }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": 
"array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": ["", "Always", "IfNotPresent", "Never"] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" + "volumes": { + "type": "array", + "items": { + "type": "object" } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type": "string" } } } - } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" } diff --git a/charts/gateway/gateway/charts/gateway/values.yaml b/charts/gateway/gateway/charts/gateway/values.yaml index b62c3eaeb..b02240df1 100644 --- a/charts/gateway/gateway/charts/gateway/values.yaml +++ b/charts/gateway/gateway/charts/gateway/values.yaml 
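Review bot: The top-level `additionalProperties: false` now sits beside a top-level `$ref` with no sibling `properties`, and its effect depends on which JSON Schema draft the validator applies: under draft-07 semantics the siblings of `$ref` are ignored, so unknown keys (a misspelled `securityContext`, say) are no longer rejected, while under 2019-09+ semantics `additionalProperties` does not see the referenced `properties`, so every key would be rejected. The `$schema` value `http://json-schema.org/schema#` does not pin a draft, so this is worth confirming with a test that an unknown top-level key is rejected while the documented values still validate. Separately, `service.ipFamilies` declares `items` but no `"type": "array"`, unlike the neighbouring list fields, and the top-level `defaults` entry is not under `properties`, so a validator treats it as an unknown keyword rather than a property definition.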
@@ -1,97 +1,166 @@ -# Name allows overriding the release name. Generally this should not be set -name: "" -# revision declares which revision this gateway is a part of -revision: "" - -replicaCount: 1 - -kind: Deployment - -rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - -serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set name: "" - -podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - -# Define the security context for the pod. -# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. -# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. -securityContext: ~ -containerSecurityContext: ~ - -service: - # Type of service. 
Set to "None" to disable the service entirely - type: LoadBalancer - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). 
+ # allocateLoadBalancerNodePorts: false + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: {} + + # Annotations to apply to all resources annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - -resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - -autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - -# Pod environment variables -env: {} - -# Labels to apply to all resources -labels: {} - -# Annotations to apply to all resources -annotations: {} - -nodeSelector: {} - -tolerations: [] - -topologySpreadConstraints: [] - -affinity: {} - -# If specified, the gateway will act as a network gateway for the given network. -networkGateway: "" - -# Specify image pull policy if default behavior isn't desired. -# Default behavior: latest images will be Always else IfNotPresent -imagePullPolicy: "" -imagePullSecrets: [] + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. 
+ # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" 
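Review bot: `securityContext` and `containerSecurityContext` change from `~` (null) to `{}`, yet the comment above them still promises that, if unset, the minimum privileges needed to bind ports 80 and 443 are applied automatically; whether the templates treat an empty map as unset is not visible here, so either confirm that or reword the comment to say which form triggers the automatic context, since a user who sets `{}` to "clear" it would otherwise get no hardening at all. The hint `# allocateLoadBalancerNodePorts: false` under `service` offers an option that does not appear in the accompanying `values.schema.json`, so it should be described there or the hint dropped. Both points apply equally to the copy of this file under `charts/gateway/gateway/values.yaml` at the end of the diff.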
diff --git a/charts/gateway/gateway/values.schema.json b/charts/gateway/gateway/values.schema.json index 00a8ac1f2..6094ffb5d 100644 --- a/charts/gateway/gateway/values.schema.json +++ b/charts/gateway/gateway/values.schema.json 
@@ -5,182 +5,223 @@ "gateway": { "type": "object", "properties": { - "affinity": { - "type": "object" - }, - "annotations": { - "type": "object" - }, - "autoscaling": { + "_internal_defaults_do_not_set": { "type": "object", "properties": { - "enabled": { - "type": "boolean" + "affinity": { + "type": "object" }, - "maxReplicas": { - "type": "integer" + "annotations": { + "type": "object" }, - "minReplicas": { - "type": "integer" + "autoscaling": { + "type": "object", + "properties": { + "autoscaleBehavior": { + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + }, + "targetMemoryUtilizationPercentage": { + "type": "object" + } + } }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "containerSecurityContext": { - "type": "null" - }, - "env": { - "type": "object" - }, - "imagePullPolicy": { - "type": "string" - }, - "imagePullSecrets": { - "type": "array" - }, - "kind": { - "type": "string" - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "networkGateway": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" + "containerSecurityContext": { + "type": "object" }, - "prometheus.io/path": { + "env": { + "type": "object" + }, + "imagePullPolicy": { "type": "string" }, - "prometheus.io/port": { + "imagePullSecrets": { + "type": "array" + }, + "kind": { "type": "string" }, - "prometheus.io/scrape": { + "labels": { + "type": "object" + }, + "minReadySeconds": { + "type": "null" + }, + "name": { "type": "string" }, - "sidecar.istio.io/inject": { + "networkGateway": { "type": "string" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "replicaCount": { - "type": "integer" - }, - 
"resources": { - "type": "object", - "properties": { - "limits": { + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { "type": "object", "properties": { - "cpu": { + "inject.istio.io/templates": { "type": "string" }, - "memory": { + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + }, + "sidecar.istio.io/inject": { "type": "string" } } }, - "requests": { + "podDisruptionBudget": { + "type": "object" + }, + "priorityClassName": { + "type": "string" + }, + "rbac": { "type": "object", "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" + "enabled": { + "type": "boolean" } } - } - } - }, - "revision": { - "type": "string" - }, - "securityContext": { - "type": "null" - }, - "service": { - "type": "object", - "properties": { - "annotations": { + }, + "readinessProbe": { "type": "object" }, - "externalIPs": { - "type": "array" + "replicaCount": { + "type": "null" }, - "externalTrafficPolicy": { - "type": "string" + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } }, - "loadBalancerIP": { + "revision": { "type": "string" }, - "loadBalancerSourceRanges": { - "type": "array" + "securityContext": { + "type": "object" }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalIPs": { + "type": "array" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "ipFamilies": { + 
"type": "array" + }, + "ipFamilyPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } } + }, + "type": { + "type": "string" } } }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + } + }, + "strategy": { "type": "object" }, - "create": { - "type": "boolean" + "terminationGracePeriodSeconds": { + "type": "integer" }, - "name": { - "type": "string" + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "volumeMounts": { + "type": "array" + }, + "volumes": { + "type": "array" } } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" } } } diff --git a/charts/gateway/gateway/values.yaml b/charts/gateway/gateway/values.yaml index e18787698..09ec85f97 100644 --- a/charts/gateway/gateway/values.yaml +++ b/charts/gateway/gateway/values.yaml 
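Review bot: This schema now describes only `gateway._internal_defaults_do_not_set`, so the keys users actually set (`gateway.kind`, `gateway.service.*`, `gateway.securityContext`, …) are no longer listed anywhere; whether the enclosing `gateway` object carries `additionalProperties: false` is outside the hunk, but if it does every user override is rejected, and if it does not user input is simply unvalidated. Several types also look derived from the placeholder values rather than from what the field accepts: `replicaCount` and `minReadySeconds` are `"type": "null"`, `targetMemoryUtilizationPercentage` is `"object"`, and `securityContext`/`containerSecurityContext` lost the null alternative the old schema had. The subchart schema in the same commit (`["integer", "null"]`, `["object", "null"]`, enums for `kind` and `imagePullPolicy`) is the better model; consider generating this file from it or dropping it in favour of that one.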
@@ -1,99 +1,168 @@ # child values gateway: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - replicaCount: 1 - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used + # "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. + # For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. + _internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: ~ - containerSecurityContext: ~ - - service: - # Type of service. 
Set to "None" to disable the service entirely - type: LoadBalancer - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). 
+ # allocateLoadBalancerNodePorts: false + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: {} + + # Annotations to apply to all resources annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - - # Pod environment variables - env: {} - - # Labels to apply to all resources - labels: {} - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - imagePullSecrets: [] + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. 
+ # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: ""