Skip to content

Commit

Permalink
tweak istio install and monitoring cert
Browse files Browse the repository at this point in the history
  • Loading branch information
upodroid committed Oct 7, 2024
1 parent ad89a41 commit a4c653b
Show file tree
Hide file tree
Showing 8 changed files with 126 additions and 143 deletions.
36 changes: 0 additions & 36 deletions kubernetes/apps/ingress-nginx.yaml

This file was deleted.

159 changes: 70 additions & 89 deletions kubernetes/apps/istio.yaml
Original file line number Diff line number Diff line change
@@ -1,98 +1,79 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
kind: ApplicationSet
metadata:
name: istio-base
annotations:
argocd.argoproj.io/sync-wave: "-3"
spec:
destination:
name: gke-utility
namespace: istio-system
project: default
sources:
- chart: base
repoURL: https://istio-release.storage.googleapis.com/charts
targetRevision: 1.23.2
- path: config/crd/experimental
repoURL: https://github.com/kubernetes-sigs/gateway-api
targetRevision: v1.1.0
ignoreDifferences:
- group: admissionregistration.k8s.io
kind: ValidatingWebhookConfiguration
jsonPointers:
- /webhooks/0/failurePolicy
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
goTemplate: true
generators:
- clusters:
selector:
matchLabels:
clusterType: 'utility'
template:
metadata:
name: 'istio-base-{{ .name }}'
annotations:
argocd.argoproj.io/sync-wave: "-3"
spec:
destination:
namespace: istio-system
server: "{{ .server }}"
project: default
sources:
- chart: base
repoURL: https://istio-release.storage.googleapis.com/charts
targetRevision: 1.23.2
- path: config/crd/experimental
repoURL: https://github.com/kubernetes-sigs/gateway-api
targetRevision: v1.1.0
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
managedNamespaceMetadata:
labels:
topology.istio.io/network: "{{ .metadata.labels.istioNetwork }}"
---
apiVersion: argoproj.io/v1alpha1
kind: Application
kind: ApplicationSet
metadata:
name: istio
spec:
destination:
name: gke-utility
namespace: istio-system
project: default
sources:
- chart: istiod
repoURL: https://istio-release.storage.googleapis.com/charts
targetRevision: 1.23.2
helm:
values: |
global:
hub: gcr.io/istio-release
istiod:
enableAnalysis: true
meshConfig:
accessLogFile: /dev/stdout
enablePrometheusMerge: true
protocolDetectionTimeout: 5s
enableTracing: true
defaultConfig:
tracing:
extensionProviders:
- name: stackdriver
stackdriver:
- name: "oauth2-proxy"
envoyExtAuthzHttp:
service: "oauth2-proxy.oauth2-proxy.svc.cluster.local"
port: "80"
headersToDownstreamOnDeny:
- content-type
- set-cookie
headersToUpstreamOnAllow:
- authorization
- cookie
- path
- x-*
includeHeadersInCheck:
- authorization
- cookie
- user-agent
includeAdditionalHeadersInCheck:
X-Auth-Request-Redirect: https://%REQ(Host)%%REQ(:PATH)%
defaultConfig:
gatewayTopology:
numTrustedProxies: 2
telemetry:
enabled: true
v2:
prometheus:
enabled: true
wasmEnabled: false
- path: kubernetes/gke-utility/istio-system
repoURL: https://github.com/kubernetes/k8s.io
targetRevision: main
ignoreDifferences:
- group: admissionregistration.k8s.io
kind: ValidatingWebhookConfiguration
jsonPointers:
- /webhooks/0/failurePolicy
syncPolicy:
automated:
prune: true
selfHeal: true
goTemplate: true
generators:
- clusters:
selector:
matchLabels:
clusterType: 'utility'
template:
metadata:
name: 'istio-{{ .name }}'
spec:
destination:
namespace: istio-system
server: "{{ .server }}"
project: default
sources:
- chart: istiod
repoURL: https://istio-release.storage.googleapis.com/charts
targetRevision: 1.23.2
helm:
valueFiles:
- $values/kubernetes/{{ .name }}/helm/istio.yaml
- repoURL: 'https://github.com/kubernetes/k8s.io.git'
targetRevision: main
ref: values
- repoURL: https://github.com/kubernetes/k8s.io
targetRevision: main
path: kubernetes/{{ .name }}/istio-system
ignoreDifferences:
- group: admissionregistration.k8s.io
kind: ValidatingWebhookConfiguration
jsonPointers:
- /webhooks/0/failurePolicy
syncPolicy:
automated:
prune: true
selfHeal: true
1 change: 0 additions & 1 deletion kubernetes/apps/kustomization.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ resources:
# - argocd.yaml This has been manually applied to fix sync issues
- external-secrets.yaml
- cert-manager.yaml
# - ingress-nginx.yaml
- prow.yaml
- istio.yaml
- oauth2-proxy.yaml
8 changes: 4 additions & 4 deletions kubernetes/gke-utility/helm/cert-manager.yaml
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
crds:
enabled: true
extraObjects:
- |
apiVersion: cert-manager.io/v1
- apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
Expand All @@ -13,5 +12,6 @@ extraObjects:
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- cloudDNS:
project: kubernetes-public
- dns01:
cloudDNS:
project: kubernetes-public
13 changes: 0 additions & 13 deletions kubernetes/gke-utility/helm/ingress-nginx.yaml

This file was deleted.

48 changes: 48 additions & 0 deletions kubernetes/gke-utility/helm/istio.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
global:
hub: gcr.io/istio-release
istiod:
enableAnalysis: true
meshID: mesh
multiCluster:
clusterName: gke-utility
network: prow-vpc
pilot:
env:
PILOT_ENABLE_ALPHA_GATEWAY_API: 'true'
ENABLE_NATIVE_SIDECARS: 'true'
meshConfig:
accessLogFile: /dev/stdout
enablePrometheusMerge: true
protocolDetectionTimeout: 5s
enableTracing: true
defaultConfig:
gatewayTopology:
numTrustedProxies: 2
tracing:
extensionProviders:
- name: stackdriver
stackdriver:
- name: "oauth2-proxy"
envoyExtAuthzHttp:
service: "oauth2-proxy.oauth2-proxy.svc.cluster.local"
port: "80"
headersToDownstreamOnDeny:
- content-type
- set-cookie
headersToUpstreamOnAllow:
- authorization
- cookie
- path
- x-*
includeHeadersInCheck:
- authorization
- cookie
- user-agent
includeAdditionalHeadersInCheck:
X-Auth-Request-Redirect: https://%REQ(Host)%%REQ(:PATH)%
telemetry:
enabled: true
v2:
prometheus:
enabled: true
wasmEnabled: false
1 change: 1 addition & 0 deletions kubernetes/gke-utility/istio-system/auth-policy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,3 +15,4 @@ spec:
- operation:
hosts:
- argo.k8s.io
- monitoring.prow.k8s.io
3 changes: 3 additions & 0 deletions kubernetes/gke-utility/istio-system/gateway.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ spec:
sectionName: http
hostnames:
- '*.k8s.io'
- '*.prow.k8s.io'
rules:
- filters:
- type: RequestRedirect
Expand All @@ -49,5 +50,7 @@ spec:
name: letsencrypt-prod
kind: ClusterIssuer
commonName: '*.k8s.io'
# *.prow.k8s.io doesn't work as GCP CERT MANAGER USES CNAME FOR ACME INSTEAD OF TXT :(((((((
dnsNames:
- '*.k8s.io'
- 'monitoring.prow.k8s.io'

0 comments on commit a4c653b

Please sign in to comment.