feat(catalog): Add istio-stack

README.md

@@ -35,3 +35,4 @@ You're ready to browse the [catalog](#catalog).
 - [keda](./catalog/keda) - Keda is a Kubernetes based Event Driven Autoscaler. With KEDA, you can drive the scaling of any container in Kubernetes based on the number of events needing to be processed
 - [kyverno](./catalog/kyverno) - Kyverno is a policy engine designed for Kubernetes.
 - [ingress-nginx](./catalog/ingress-nginx) - Ingress-Nginx is an Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer.
+- [istio-stack](./catalog/istio-stack) - Istio is a service mesh for Kubernetes. It provides secure service-to-service communication, automatic load balancing, fine-grained control of traffic behavior and more.

catalog/istio-stack/README.md

@@ -0,0 +1,154 @@
+# istio-stack
+
+This stack made it easier to setup a service mesh with [istio](https://istio.io/latest/),
+using the the [official provided charts](https://artifacthub.io/packages/search?ts_query_web=istio&official=true&sort=relevance&page=1).
+
+Furthermore [Kiali](https://kiali.io/) with a preconfigured [Kiali-operator](https://github.com/kiali/helm-charts/tree/master/kiali-operator)
+can be setup as well for configuring, visualizing, validating and troubleshooting your service mesh.
+
+## Usage
+
+### Basic setup
+
+To use this stack you have to apply 2 configurations (and the GitRepository source):
+
+```yaml
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: istio-stack-namespace
+ namespace: flux-system
+spec:
+ interval: 10m
+ retryInterval: 1m0s
+ sourceRef:
+ kind: GitRepository
+ name: flux-k8s-stack
+ path: "./catalog/istio-stack/namespace"
+ prune: true
+ wait: true
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: istio-system
+ namespace: flux-system
+spec:
+ interval: 10m
+ retryInterval: 1m0s
+ dependsOn:
+ - name: istio-stack-namespace
+ sourceRef:
+ kind: GitRepository
+ name: flux-k8s-stack
+ path: "./catalog/istio-stack/base"
+ prune: true
+ wait: true
+```
+
+### Setup with GKE
+
+This will set up the base istio and additionally add some google specific annotations to the ingress gateway.
+
+```yaml
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: istio-stack-namespace
+ namespace: flux-system
+spec:
+ interval: 10m
+ retryInterval: 1m0s
+ sourceRef:
+ kind: GitRepository
+ name: flux-k8s-stack
+ path: "./catalog/istio-stack/namespace"
+ prune: true
+ wait: true
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: istio-system
+ namespace: flux-system
+spec:
+ interval: 10m
+ retryInterval: 1m0s
+ dependsOn:
+ - name: istio-stack-namespace
+ sourceRef:
+ kind: GitRepository
+ name: flux-k8s-stack
+ path: "./catalog/istio-stack/gke"
+ prune: true
+ wait: true
+```
+
+### Sidecar injection
+
+Istio sidecar can be injected [automatically](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection)
+or [manually](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#manual-sidecar-injection)
+or [via a custom injection template](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection).
+
+### Setup mutual TLS
+
+To setup [Istio mutual TLS](https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/) in a namespace,
+a destination rule like below needs to be defined.
+
+```yaml
+---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: istio-mtls
+ namespace: apps
+spec:
+ host: "*.apps.svc.cluster.local"
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+```
+
+In this example, the `apps` namespace is targeted.
+
+### Kiali
+
+To use Kiali, you have to apply the following configuration (and the GitRepository source):
+
+```yaml
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: kiali
+ namespace: flux-system
+spec:
+ interval: 10m
+ retryInterval: 1m0s
+ sourceRef:
+ kind: GitRepository
+ name: flux-k8s-stack
+ path: "./catalog/istio-stack/kiali"
+ dependsOn:
+ # istio system is a hard dependency
+ - name: istio-system
+ # The prometheus-operator is required for visualization
+ - name: kube-prometheus-stack
+ prune: true
+ wait: true
+ healthChecks:
+ - kind: Deployment
+ name: kiali
+ namespace: istio-system
+```
+
+Make sure to set up `grafana` and `prometheus` via [kube-prometheus-stack](./../kube-prometheus-stack/README.md)
+before hand in your cluster for Kiali's visualization to work correctly.
+
+The Kiali UI can be accessed via a port-forward on port 20001:
+
+```sh
+kubectl port-forward services/kiali --namespace istio-system 20001
+```

catalog/istio-stack/base/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+resources:
+ - repositories.yaml
+ - releases.yaml

catalog/istio-stack/base/releases.yaml

@@ -0,0 +1,116 @@
+---
+################################################################################
+# Base
+################################################################################
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: istio-base
+ namespace: istio-system
+spec:
+ interval: 10m0s
+ chart:
+ spec:
+ version: "1.17.1"
+ chart: base
+ sourceRef:
+ kind: HelmRepository
+ name: istio
+ interval: 1m
+ install:
+ crds: CreateReplace
+ upgrade:
+ crds: CreateReplace
+---
+################################################################################
+# Istiod
+################################################################################
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: istiod
+ namespace: istio-system
+spec:
+ dependsOn:
+ - name: istio-base
+ namespace: istio-system
+ interval: 10m0s
+ chart:
+ spec:
+ version: "1.17.1"
+ chart: istiod
+ sourceRef:
+ kind: HelmRepository
+ name: istio
+ interval: 1m
+ values:
+ global:
+ istioNamespace: istio-system
+ proxy:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 16Mi
+ pilot:
+ resources:
+ requests:
+ cpu: 100m
+ memory: 500Mi
+---
+################################################################################
+# Ingress Gateways
+################################################################################
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+spec:
+ dependsOn:
+ - name: istio-base
+ namespace: istio-system
+ - name: istiod
+ namespace: istio-system
+ interval: 10m0s
+ chart:
+ spec:
+ version: "1.17.1"
+ chart: gateway
+ sourceRef:
+ kind: HelmRepository
+ name: istio
+ values:
+ name: istio-ingressgateway
+ service:
+ type: LoadBalancer
+ podAnnotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+---
+################################################################################
+# Egress Gateways
+################################################################################
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: istio-egressgateway
+ namespace: istio-system
+spec:
+ dependsOn:
+ - name: istio-base
+ namespace: istio-system
+ - name: istiod
+ namespace: istio-system
+ interval: 10m0s
+ chart:
+ spec:
+ version: "1.17.1"
+ chart: gateway
+ sourceRef:
+ kind: HelmRepository
+ name: istio
+ values:
+ name: istio-egressgateway
+ service:
+ type: ClusterIP
+ podAnnotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

catalog/istio-stack/base/repositories.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: istio
+ namespace: istio-system
+spec:
+ interval: 1h0m0s
+ url: https://istio-release.storage.googleapis.com/charts

catalog/istio-stack/gke/kustomization.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+resources:
+ - ../base
+patches:
+ - target:
+ kind: HelmRelease
+ name: istio-ingressgateway
+ namespace: istio-system
+ patch: |-
+ - op: add
+ path: /spec/values/service/annotations
+ value:
+ cloud.google.com/backend-config: '{"default": "backend-config"}'
+ cloud.google.com/neg: '{"ingress": true}'

catalog/istio-stack/kiali/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+resources:
+ - repositories.yaml
+ - releases.yaml

catalog/istio-stack/kiali/releases.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: kiali-operator
+ namespace: istio-system
+spec:
+ interval: 10m0s
+ chart:
+ spec:
+ chart: kiali-operator
+ version: "1.63.1"
+ sourceRef:
+ kind: HelmRepository
+ name: kiali
+ interval: 1m
+ install:
+ crds: CreateReplace
+ upgrade:
+ crds: CreateReplace
+ values:
+ onlyViewOnlyMode: true
+ watchNamespace: ""
+
+ # For what a Kiali CR spec can look like, see:
+ # https://github.com/kiali/kiali-operator/blob/master/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml
+ cr:
+ create: true
+ name: kiali-operator
+ namespace: "istio-system"
+ spec:
+ installation_tag: "Kiali - View Only"
+ istio_namespace: "istio-system"
+ auth:
+ strategy: "anonymous"
+ deployment:
+ accessible_namespaces:
+ - '**'
+ view_only_mode: true
+ instance_name: "kiali"
+ external_services:
+ custom_dashboards:
+ enabled: true
+ is_core: false
+ grafana:
+ url: "http://kube-prometheus-stack-grafana.monitoring.svc.cluster.local"
+ prometheus:
+ url: "http://kube-prometheus-stack-operator.monitoring.svc.cluster.local:9090"
+ server:
+ web_root: "/kiali"

catalog/istio-stack/kiali/repositories.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: kiali
+ namespace: istio-system
+spec:
+ interval: 1h0m0s
+ url: https://kiali.org/helm-charts

catalog/istio-stack/namespace/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+resources:
+ - namespaces.yaml

catalog/istio-stack/namespace/namespaces.yaml

@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: istio-system
+ labels:
+ istio-operator-managed: Reconcile