so1s · NEM-NE · Jul 20, 2022 · Jul 20, 2022 · Jul 20, 2022 · Jul 20, 2022
diff --git a/charts/gateway/Chart.yaml b/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.14.2
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- http://github.com/istio/istio
+type: application
+version: 1.14.2
diff --git a/charts/gateway/README.md b/charts/gateway/README.md
@@ -0,0 +1,148 @@
+# Istio Gateway Helm Chart
+
+This chart installs an Istio gateway deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-ingressgateway`:
+
+```console
+helm install istio-ingressgateway istio/gateway
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio-ingressgateway` deployment:
+
+```console
+helm delete istio-ingressgateway
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/gateway
+```
+
+### `image: auto` Information
+
+The image used by the chart, `auto`, may be unintuitive.
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
+This allows the same configurations and lifecycle to apply to gateways as sidecars.
+
+Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
+See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
+
+### Examples
+
+#### Egress Gateway
+
+Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
+
+```yaml
+service:
+  # Egress gateways do not need an external LoadBalancer IP
+  type: ClusterIP
+```
+
+#### Multi-network/VM Gateway
+
+Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
+
+```yaml
+networkGateway: network-1
+```
+
+### Migrating from other installation methods
+
+Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
+following the guidance below.
+If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
+
+WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
+
+#### Legacy Gateway Helm charts
+
+Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
+These are replaced by this chart.
+While not required, it is recommended all new users use this chart, and existing users migrate when possible.
+
+This chart has the following benefits and differences:
+* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
+* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
+* Published to official Istio Helm repository.
+* Single chart for all gateways (Ingress, Egress, East West).
+
+#### General concerns
+
+For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
+
+If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
+
+```yaml
+app: istio-gateway
+istio: gateway # the release name with leading istio- prefix stripped
+```
+
+If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
+`foo=bar,istio=ingressgateway`:
+
+```yaml
+name: my-custom-gateway # Override the name to match existing resources
+labels:
+  app: "" # Unset default app selector label
+  istio: ingressgateway # override default istio selector label
+  foo: bar # Add the existing custom selector label
+```
+
+#### Migrating an existing Helm release
+
+An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
+installation was done like:
+
+```console
+helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
+```
+
+It could be upgraded with
+
+```console
+helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
+```
+
+Note the name and labels are overridden to match the names of the existing installation.
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+    kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
diff --git a/charts/gateway/templates/NOTES.txt b/charts/gateway/templates/NOTES.txt
@@ -0,0 +1,9 @@
+"{{ include "gateway.name" . }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }}
+  $ helm get all {{ .Release.Name }}
+
+Next steps:
+  * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
+  * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/charts/gateway/templates/_helpers.tpl b/charts/gateway/templates/_helpers.tpl
@@ -0,0 +1,52 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+  {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+  {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gateway.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+helm.sh/chart: {{ include "gateway.chart" . }}
+{{ include "gateway.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/name: {{ include "gateway.name" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if not (or (eq $key "app") (eq $key "istio")) }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+{{- if hasKey .Values.labels "app" }}
+{{- with .Values.labels.app }}app: {{.|quote}}
+{{- end}}
+{{- else }}app: {{ include "gateway.name" . }}
+{{- end }}
+{{- if hasKey .Values.labels "istio" }}
+{{- with .Values.labels.istio }}
+istio: {{.|quote}}
+{{- end}}
+{{- else }}
+istio: {{ include "gateway.name" . | trimPrefix "istio-" }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .)    }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/charts/gateway/templates/deployment.yaml b/charts/gateway/templates/deployment.yaml
@@ -0,0 +1,100 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        sidecar.istio.io/inject: "true"
+        {{- with .Values.revision }}
+        istio.io/rev: {{ . }}
+        {{- end }}
+        {{- include "gateway.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+      securityContext:
+      {{- if .Values.securityContext }}
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
+        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- end }}
+      containers:
+        - name: istio-proxy
+          # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+          image: auto
+          securityContext:
+          {{- if .Values.containerSecurityContext }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
+            # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsUser: 1337
+            runAsGroup: 1337
+            runAsNonRoot: true
+          {{- else }}
+            capabilities:
+              drop:
+              - ALL
+              add:
+              - NET_BIND_SERVICE
+            runAsUser: 0
+            runAsGroup: 1337
+            runAsNonRoot: false
+            allowPrivilegeEscalation: true
+            readOnlyRootFilesystem: true
+          {{- end }}
+          env:
+          {{- with .Values.networkGateway }}
+          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+            value: "{{.}}"
+          {{- end }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          ports:
+          - containerPort: 15090
+            protocol: TCP
+            name: http-envoy-prom
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/charts/gateway/templates/hpa.yaml b/charts/gateway/templates/hpa.yaml
@@ -0,0 +1,31 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
+apiVersion: autoscaling/v2
+{{- else }}
+apiVersion: autoscaling/v2beta2
+{{- end }}
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4 }}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: {{ .Values.kind | default "Deployment" }}
+    name: {{ include "gateway.name" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+{{- end }}
diff --git a/charts/gateway/templates/role.yaml b/charts/gateway/templates/role.yaml
@@ -0,0 +1,25 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}