feat(catalog): Add istio-stack

README.md

@@ -35,3 +35,4 @@ You're ready to browse the [catalog](#catalog).
 - [keda](./catalog/keda) - Keda is a Kubernetes based Event Driven Autoscaler. With KEDA, you can drive the scaling of any container in Kubernetes based on the number of events needing to be processed
 - [kyverno](./catalog/kyverno) - Kyverno is a policy engine designed for Kubernetes.
 - [ingress-nginx](./catalog/ingress-nginx) - Ingress-Nginx is an Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer.
+- [istio-stack](./catalog/istio-stack) - Istio is a service mesh for Kubernetes. It provides secure service-to-service communication, automatic load balancing, fine-grained control of traffic behavior and more.

catalog/istio-stack/README.md

@@ -0,0 +1,129 @@
+# istio-stack
+
+This stack made it easier to setup a service mesh with [istio](https://istio.io/latest/). 
+It provides the setup for [istio-operator](https://github.com/stevehipwell/helm-charts/tree/master/charts/istio-operator) with sensible defaults
+and also provides optional configurations for destination rules and service entries. 
+Furthermore [Kiali](https://kiali.io/) with a preconfigured [Kiali-operator](https://github.com/kiali/helm-charts/tree/master/kiali-operator)
+can be setup as well for configuring, visualizing, validating and troubleshooting your service mesh.
+
+## Usage
+
+### Setup
+
+To use this stack you have to apply 2 configurations (and the GitRepository source):
+
+```yaml
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: istio-stack-namespace
+ namespace: flux-system
+spec:
+ interval: 10m
+ retryInterval: 1m0s
+ sourceRef:
+ kind: GitRepository
+ name: flux-k8s-stack
+ path: "./catalog/istio-stack/namespace"
+ prune: true
+ wait: true
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: istio-system
+ namespace: flux-system
+spec:
+ interval: 10m
+ retryInterval: 1m0s
+ dependsOn:
+ - name: istio-stack-namespace
+ sourceRef:
+ kind: GitRepository
+ name: flux-k8s-stack
+ path: "./catalog/istio-stack/base"
+ prune: true
+ wait: true
+```
+
+### Configuration
+
+The catalog also provides default configuration. This configuration is optional, and can be omitted but is recommended. 
+To use the configuration, apply this Kustomization via GitOps
+
+```yaml
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: istio-config
+ namespace: flux-system
+spec:
+ interval: 10m
+ retryInterval: 1m0s
+ sourceRef:
+ kind: GitRepository
+ name: flux-k8s-stack
+ path: "./catalog/istio-stack/config"
+ dependsOn:
+ # Please make sure the apps namespace is created
+ - name: apps
+ namespace: flux-system
+ # This dependency is required to make sure the operator is deployed before the config is applied
+ - name: istio-system
+ namespace: flux-system
+ prune: true
+ wait: true
+```
+
+The configuration targets the `apps` namespace, so make sure that it's created before using the provided configuration.
+Or alternatively you can copy and customize the rules in your own GitOps repository's config folder as needed.
+
+### Sidecar injection
+
+Istio sidecar can be injected [automatically](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection)
+or [manually](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#manual-sidecar-injection)
+or [via a custom injection template](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection).
+
+### Kiali
+
+To use Kiali, you have to apply the following configuration (and the GitRepository source):
+
+```yaml
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: kiali
+ namespace: flux-system
+spec:
+ interval: 10m
+ retryInterval: 1m0s
+ sourceRef:
+ kind: GitRepository
+ name: flux-k8s-stack
+ path: "./catalog/istio-stack/kiali"
+ dependsOn:
+ # istio system is a hard dependency
+ - name: istio-system
+ namespace: flux-system
+ # The prometheus-operator is required for visualization
+ - name: kube-prometheus-stack
+ namespace: flux-system
+ prune: true
+ wait: true
+ healthChecks:
+ - kind: Deployment
+ name: kiali
+ namespace: istio-system
+```
+
+Make sure to set up `grafana` and `prometheus` via [kube-prometheus-stack](./../kube-prometheus-stack/README.md)
+before hand in your cluster for Kiali's visualization to work correctly.
+
+The Kiali UI can be accessed via a port-forward on port 20001:
+
+```sh
+kubectl port-forward services/kiali --namespace istio-system 20001
+```

catalog/istio-stack/base/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+resources:
+ - repositories.yaml
+ - releases.yaml

catalog/istio-stack/base/releases.yaml

@@ -0,0 +1,116 @@
+---
+################################################################################
+# Base
+################################################################################
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: istio-base
+ namespace: istio-system
+spec:
+ interval: 10m0s
+ chart:
+ spec:
+ version: "1.17.1"
+ chart: base
+ sourceRef:
+ kind: HelmRepository
+ name: istio
+ interval: 1m
+ install:
+ crds: CreateReplace
+ upgrade:
+ crds: CreateReplace
+---
+################################################################################
+# Istiod
+################################################################################
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: istiod
+ namespace: istio-system
+spec:
+ dependsOn:
+ - name: istio-base
+ namespace: istio-system
+ interval: 10m0s
+ chart:
+ spec:
+ version: "1.17.1"
+ chart: istiod
+ sourceRef:
+ kind: HelmRepository
+ name: istio
+ interval: 1m
+ values:
+ global:
+ istioNamespace: istio-system
+ proxy:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 16Mi
+ pilot:
+ resources:
+ requests:
+ cpu: 100m
+ memory: 500Mi
+---
+################################################################################
+# Ingress Gateways
+################################################################################
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+spec:
+ dependsOn:
+ - name: istio-base
+ namespace: istio-system
+ - name: istiod
+ namespace: istio-system
+ interval: 10m0s
+ chart:
+ spec:
+ version: "1.17.1"
+ chart: gateway
+ sourceRef:
+ kind: HelmRepository
+ name: istio
+ values:
+ name: istio-ingressgateway
+ service:
+ type: LoadBalancer
+ podAnnotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+---
+################################################################################
+# Egress Gateways
+################################################################################
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: istio-egressgateway
+ namespace: istio-system
+spec:
+ dependsOn:
+ - name: istio-base
+ namespace: istio-system
+ - name: istiod
+ namespace: istio-system
+ interval: 10m0s
+ chart:
+ spec:
+ version: "1.17.1"
+ chart: gateway
+ sourceRef:
+ kind: HelmRepository
+ name: istio
+ values:
+ name: istio-egressgateway
+ service:
+ type: ClusterIP
+ podAnnotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

catalog/istio-stack/base/repositories.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: istio
+ namespace: istio-system
+spec:
+ interval: 1h0m0s
+ url: https://istio-release.storage.googleapis.com/charts

catalog/istio-stack/config/destinationrules.yaml

@@ -0,0 +1,78 @@
+---
+################################################################################
+# Istio mTLS between Apps
+################################################################################
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: istio-apps-mtls
+ namespace: apps
+spec:
+ host: "*.apps.svc.cluster.local"
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+---
+################################################################################
+# Google Destination Rules
+################################################################################
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: dr-google-storage-api
+ namespace: apps
+spec:
+ host: storage.googleapis.com
+ trafficPolicy:
+ portLevelSettings:
+ - port:
+ number: 80
+ tls:
+ mode: SIMPLE # initiates HTTPS
+---
+################################################################################
+# Prometheus
+################################################################################
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: prometheus-stack-grafana
+ namespace: apps
+spec:
+ host: kube-prometheus-stack-grafana.monitoring.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: DISABLE
+---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: prometheus-stack-prometheus
+ namespace: apps
+spec:
+ host: kube-prometheus-stack-operator.monitoring.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: DISABLE
+---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: prometheus-stack-alertmanager
+ namespace: apps
+spec:
+ host: kube-prometheus-stack-alertmanager.monitoring.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: DISABLE
+---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: prometheus-pushgateway
+ namespace: apps
+spec:
+ host: prometheus-pushgateway.monitoring.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: DISABLE

catalog/istio-stack/config/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - destinationrules.yaml
+ - serviceentries.yaml