diff --git a/kubernetes/apps/ingress-nginx.yaml b/kubernetes/apps/ingress-nginx.yaml
deleted file mode 100644
index 82da793268a..00000000000
--- a/kubernetes/apps/ingress-nginx.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: argoproj.io/v1alpha1 -kind: ApplicationSet -metadata: - name: ingress-nginx -spec: - goTemplate: true - generators: - - clusters: - selector: - matchLabels: - clusterType: 'utility' - template: - metadata: - name: 'ingress-nginx-{{ .name }}' - spec: - destination: - namespace: ingress-nginx - server: "{{ .server }}" - project: default - sources: - - chart: ingress-nginx - repoURL: 'https://kubernetes.github.io/ingress-nginx' - targetRevision: 4.11.2 - helm: - releaseName: ingress-nginx - valueFiles: - - $values/kubernetes/{{ .name }}/helm/ingress-nginx.yaml - - repoURL: 'https://github.com/kubernetes/k8s.io.git' - targetRevision: main - ref: values - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true
diff --git a/kubernetes/apps/istio.yaml b/kubernetes/apps/istio.yaml
index 632079e2372..1a4fe4868d3 100644
--- a/kubernetes/apps/istio.yaml
+++ b/kubernetes/apps/istio.yaml
@@ -1,98 +1,79 @@
 apiVersion: argoproj.io/v1alpha1 -kind: Application +kind: ApplicationSet metadata: name: istio-base - annotations: - argocd.argoproj.io/sync-wave: "-3" spec: - destination: - name: gke-utility - namespace: istio-system - project: default - sources: - - chart: base - repoURL: https://istio-release.storage.googleapis.com/charts - targetRevision: 1.23.2 - - path: config/crd/experimental - repoURL: https://github.com/kubernetes-sigs/gateway-api - targetRevision: v1.1.0 - ignoreDifferences: - - group: admissionregistration.k8s.io - kind: ValidatingWebhookConfiguration - jsonPointers: - - /webhooks/0/failurePolicy - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true + goTemplate: true + generators: + - clusters: + selector: + matchLabels: + clusterType: 'utility' + template: + metadata: + name: 'istio-base-{{ .name }}' + annotations: + argocd.argoproj.io/sync-wave: "-3" + spec: + destination: + namespace: istio-system + server: "{{ .server }}" + project: default + sources: + - chart: base + repoURL: https://istio-release.storage.googleapis.com/charts + targetRevision: 1.23.2 + - path: config/crd/experimental + repoURL: https://github.com/kubernetes-sigs/gateway-api + targetRevision: v1.1.0 + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + managedNamespaceMetadata: + labels: + topology.istio.io/network: "{{ .metadata.labels.istioNetwork }}" --- apiVersion: argoproj.io/v1alpha1 -kind: Application +kind: ApplicationSet metadata: name: istio spec: - destination: - name: gke-utility - namespace: istio-system - project: default - sources: - - chart: istiod - repoURL: https://istio-release.storage.googleapis.com/charts - targetRevision: 1.23.2 - helm: - values: | - global: - hub: gcr.io/istio-release - istiod: - enableAnalysis: true - meshConfig: - accessLogFile: /dev/stdout - enablePrometheusMerge: true - protocolDetectionTimeout: 5s - enableTracing: true -
defaultConfig: - tracing: - extensionProviders: - - name: stackdriver - stackdriver: - - name: "oauth2-proxy" - envoyExtAuthzHttp: - service: "oauth2-proxy.oauth2-proxy.svc.cluster.local" - port: "80" - headersToDownstreamOnDeny: - - content-type - - set-cookie - headersToUpstreamOnAllow: - - authorization - - cookie - - path - - x-* - includeHeadersInCheck: - - authorization - - cookie - - user-agent - includeAdditionalHeadersInCheck: - X-Auth-Request-Redirect: https://%REQ(Host)%%REQ(:PATH)% - defaultConfig: - gatewayTopology: - numTrustedProxies: 2 - telemetry: - enabled: true - v2: - prometheus: - enabled: true - wasmEnabled: false - - path: kubernetes/gke-utility/istio-system - repoURL: https://github.com/kubernetes/k8s.io - targetRevision: main - ignoreDifferences: - - group: admissionregistration.k8s.io - kind: ValidatingWebhookConfiguration - jsonPointers: - - /webhooks/0/failurePolicy - syncPolicy: - automated: - prune: true - selfHeal: true + goTemplate: true + generators: + - clusters: + selector: + matchLabels: + clusterType: 'utility' + template: + metadata: + name: 'istio-{{ .name }}' + spec: + destination: + namespace: istio-system + server: "{{ .server }}" + project: default + sources: + - chart: istiod + repoURL: https://istio-release.storage.googleapis.com/charts + targetRevision: 1.23.2 + helm: + valueFiles: + - $values/kubernetes/{{ .name }}/helm/istio.yaml + - repoURL: 'https://github.com/kubernetes/k8s.io.git' + targetRevision: main + ref: values + - repoURL: https://github.com/kubernetes/k8s.io + targetRevision: main + path: kubernetes/{{ .name }}/istio-system + ignoreDifferences: + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + jsonPointers: + - /webhooks/0/failurePolicy + syncPolicy: + automated: + prune: true + selfHeal: true
diff --git a/kubernetes/apps/kustomization.yaml b/kubernetes/apps/kustomization.yaml
index 0b7529d2541..104266f64d5 100644
--- a/kubernetes/apps/kustomization.yaml
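Review bot: The new istio-base ApplicationSet drops the `ignoreDifferences` entry for the ValidatingWebhookConfiguration pointer `/webhooks/0/failurePolicy` that the removed Application carried, while the istio ApplicationSet in the same hunk keeps it; with `selfHeal: true`, any runtime change to that field will be reverted on every sync, so unless the drop is deliberate the same `ignoreDifferences` block belongs under `template.spec` of istio-base as well. Separately, `managedNamespaceMetadata.labels` renders `{{ .metadata.labels.istioNetwork }}` from the cluster secret with `goTemplate: true` and no `goTemplateOptions`, so a cluster secret that lacks that label renders an empty or `<no value>` network label instead of failing generation; `goTemplateOptions: ["missingkey=error"]` next to `goTemplate: true` makes the missing label a hard error. That label should also agree with `global.multiCluster.network` in the per-cluster values file, which this hunk cannot show. A comment above `managedNamespaceMetadata:` such as `# requires the istioNetwork label on every utility cluster secret` would record the contract.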
+++ b/kubernetes/apps/kustomization.yaml
@@ -4,7 +4,6 @@ resources: # - argocd.yaml This has been manually applied to fix sync issues - external-secrets.yaml - cert-manager.yaml - # - ingress-nginx.yaml - prow.yaml - istio.yaml - oauth2-proxy.yaml
diff --git a/kubernetes/gke-utility/helm/cert-manager.yaml b/kubernetes/gke-utility/helm/cert-manager.yaml
index 259909be8f5..353eb9107df 100644
--- a/kubernetes/gke-utility/helm/cert-manager.yaml
+++ b/kubernetes/gke-utility/helm/cert-manager.yaml
@@ -1,8 +1,7 @@
 crds: enabled: true extraObjects: - - | - apiVersion: cert-manager.io/v1 + - apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-prod
@@ -13,5 +12,6 @@ extraObjects: privateKeySecretRef: name: letsencrypt-prod solvers: - - cloudDNS: - project: kubernetes-public + - dns01: + cloudDNS: + project: kubernetes-public
diff --git a/kubernetes/gke-utility/helm/ingress-nginx.yaml b/kubernetes/gke-utility/helm/ingress-nginx.yaml
deleted file mode 100644
index 2463432f0ad..00000000000
--- a/kubernetes/gke-utility/helm/ingress-nginx.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-controller: - allowSnippetAnnotations: true # Required for OAuth2 Proxy - publishService: - enabled: true - service: - annotations: - networking.gke.io/load-balancer-ip-addresses: utility-ingress-v4,utility-ingress-v6 - cloud.google.com/l4-rbs: "enabled" - externalTrafficPolicy: Local - ipFamilyPolicy: RequireDualStack - ipFamilies: - - IPv6 - - IPv4
diff --git a/kubernetes/gke-utility/helm/istio.yaml b/kubernetes/gke-utility/helm/istio.yaml
new file mode 100644
index 00000000000..23a74541fd0
--- /dev/null
+++ b/kubernetes/gke-utility/helm/istio.yaml
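Review bot: The `dns01.cloudDNS` solver in the second cert-manager hunk names only `project: kubernetes-public`, so it carries no `serviceAccountSecretRef` and depends on the cert-manager pod's ambient GCP identity (Workload Identity or node credentials) holding DNS-admin-level rights on that project; that binding lives outside this file and is worth confirming, since a DNS-01 solver with write access to the zone is a sensitive credential. A comment such as `# credentials: ambient GCP identity of the cert-manager service account (no secretRef)` above `cloudDNS:` would record the assumption for the next reader. The ClusterIssuer's enclosing `extraObjects` entry starts in the first hunk and its `acme` fields lie between the two hunks, outside this view.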
@@ -0,0 +1,48 @@
+global: + hub: gcr.io/istio-release + istiod: + enableAnalysis: true + meshID: mesh + multiCluster: + clusterName: gke-utility + network: prow-vpc +pilot: + env: + PILOT_ENABLE_ALPHA_GATEWAY_API: 'true' + ENABLE_NATIVE_SIDECARS: 'true' +meshConfig: + accessLogFile: /dev/stdout + enablePrometheusMerge: true + protocolDetectionTimeout: 5s + enableTracing: true + defaultConfig: + gatewayTopology: + numTrustedProxies: 2 + tracing: + extensionProviders: + - name: stackdriver + stackdriver: + - name: "oauth2-proxy" + envoyExtAuthzHttp: + service: "oauth2-proxy.oauth2-proxy.svc.cluster.local" + port: "80" + headersToDownstreamOnDeny: + - content-type + - set-cookie + headersToUpstreamOnAllow: + - authorization + - cookie + - path + - x-* + includeHeadersInCheck: + - authorization + - cookie + - user-agent + includeAdditionalHeadersInCheck: + X-Auth-Request-Redirect: https://%REQ(Host)%%REQ(:PATH)% +telemetry: + enabled: true + v2: + prometheus: + enabled: true + wasmEnabled: false
diff --git a/kubernetes/gke-utility/istio-system/auth-policy.yaml b/kubernetes/gke-utility/istio-system/auth-policy.yaml
index 64097a9d84c..c67875bd5bb 100644
--- a/kubernetes/gke-utility/istio-system/auth-policy.yaml
+++ b/kubernetes/gke-utility/istio-system/auth-policy.yaml
@@ -15,3 +15,4 @@ spec: - operation: hosts: - argo.k8s.io + - monitoring.prow.k8s.io
diff --git a/kubernetes/gke-utility/istio-system/gateway.yaml b/kubernetes/gke-utility/istio-system/gateway.yaml
index 8a4635e9822..9af3fb31ee6 100644
--- a/kubernetes/gke-utility/istio-system/gateway.yaml
+++ b/kubernetes/gke-utility/istio-system/gateway.yaml
@@ -32,6 +32,7 @@ spec: sectionName: http hostnames: - '*.k8s.io' + - '*.prow.k8s.io' rules: - filters: - type: RequestRedirect
@@ -49,5 +50,7 @@ spec: name: letsencrypt-prod kind: ClusterIssuer commonName: '*.k8s.io' + # *.prow.k8s.io doesn't work as GCP CERT MANAGER USES CNAME FOR ACME INSTEAD OF TXT :((((((( dnsNames: - '*.k8s.io' + - 'monitoring.prow.k8s.io'
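Review bot: `includeAdditionalHeadersInCheck.X-Auth-Request-Redirect` builds the post-login return URL from `%REQ(Host)%`, a header the client controls, so the redirect target handed to oauth2-proxy is attacker-influenced; that is only safe if oauth2-proxy's allowed redirect domains are restricted to the expected hosts, which is configured outside this file and worth confirming. The ext-authz hop itself goes to `port: "80"` on the oauth2-proxy service, so the authorization decision and the session cookie in `includeHeadersInCheck` travel in plaintext unless mesh mTLS covers that service — also not visible here. A comment above `X-Auth-Request-Redirect:` such as `# Host is client-supplied; oauth2-proxy's redirect allow-list must bound where it can send users` would record the dependency.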
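Review bot: The redirect route in the first gateway.yaml hunk now matches `'*.prow.k8s.io'`, while the Certificate in the second hunk adds only `'monitoring.prow.k8s.io'` to `dnsNames`, so any other `*.prow.k8s.io` name that reaches the http listener is redirected to an https endpoint whose certificate does not cover it (the https listener's own hostnames are outside this diff). If monitoring is the only prow host intended, `- 'monitoring.prow.k8s.io'` in the route's `hostnames` keeps the route, the Certificate and the AuthorizationPolicy in auth-policy.yaml (which also lists only that host) in step. The new comment's reason is worth keeping in a calmer form, e.g. `# *.prow.k8s.io is deliberately not requested: the wildcard's DNS-01 challenge cannot currently be completed for this zone, so only the single host is listed`. Both enclosing resources start above their hunks.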