feat(istio): re-onboard + upgrade + split (#843)

* feat(istio): init re-onboard + upgrade + split

Signed-off-by: David van der Spek <[email protected]>

* fix template

Signed-off-by: David van der Spek <[email protected]>

* some fixes after pushing

Signed-off-by: David van der Spek <[email protected]>

* some initial kiali fixes

Signed-off-by: David van der Spek <[email protected]>

* add default istio gateway to ingress chart

Signed-off-by: David van der Spek <[email protected]>

* some fixes for aws nlb ingress + kiali vs

Signed-off-by: David van der Spek <[email protected]>

* fix(kiali): allow for oidc login

Signed-off-by: David van der Spek <[email protected]>

* fix(kiali): allow it to work with sidecar

Signed-off-by: David van der Spek <[email protected]>

* fix(kiali): grafana integration

Signed-off-by: David van der Spek <[email protected]>

* some more kiali templating cleanup

Signed-off-by: David van der Spek <[email protected]>

* set gateway to 2 replicas + kiali labels

Signed-off-by: David van der Spek <[email protected]>

* deps and template fixes

Signed-off-by: David van der Spek <[email protected]>

* fix(kiali): enable support for mimir

Signed-off-by: David van der Spek <[email protected]>

* enable tracing

Signed-off-by: David van der Spek <[email protected]>

* update istio dashboards

Signed-off-by: David van der Spek <[email protected]>

* bump chart versions

Signed-off-by: David van der Spek <[email protected]>

* remove breaking flag

Signed-off-by: David van der Spek <[email protected]>

* fix recipes

Signed-off-by: David van der Spek <[email protected]>

---------

Signed-off-by: David van der Spek <[email protected]>

bootstrap/helm/bootstrap/Chart.yaml

@@ -10,7 +10,7 @@ maintainers:
   email: [email protected]
 - name: David van der Spek
   email: [email protected]
-version: 0.8.73
+version: 0.8.74
 dependencies:
 - name: external-dns
   version: 6.14.1

bootstrap/helm/bootstrap/values.yaml.tpl

@@ -52,10 +52,9 @@ external-dns:
   sources:
   - service
   - ingress
-  {{ if .Configuration.istio }}
-  - istio-gateway
+  {{- if chartInstalled "istio" "istio" }}
   - istio-virtualservice
-  {{ end }}
+  {{- end }}
 
 {{ if and (not $pluraldns) (eq .Provider "azure") }}
 externalDnsIdentityId: {{ importValue "Terraform" "externaldns_msi_id" }}

grafana-agent/helm/grafana-agent/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: grafana-agent
 description: helm chart for grafana-agent
 type: application
-version: 0.1.3
+version: 0.1.4
 appVersion: v0.34.3
 dependencies:
 - name: grafana-agent

grafana-agent/helm/grafana-agent/values.yaml

@@ -200,6 +200,10 @@ traces: # TODO: split this into 2 deployment to allow for tail based sampling. F
       port: 6831
       targetPort: 6831
       protocol: "UDP"
+    - name: http-zipkin
+      port: 9411
+      targetPort: 9411
+      protocol: "TCP"
     mimirHost: http://mimir-nginx.mimir
     lokiHost: http://loki-loki-distributed-gateway.loki/loki/api/v1/push
     tempoHost: http://tempo-gateway.tempo/otlp
@@ -260,9 +264,16 @@ traces: # TODO: split this into 2 deployment to allow for tail based sampling. F
           }
 
           output {
-            metrics = [otelcol.exporter.otlphttp.local.input]
-            logs    = [otelcol.exporter.otlphttp.local.input]
-            traces  = [otelcol.exporter.otlphttp.local.input]
+            metrics = [otelcol.processor.batch.local.input]
+            logs    = [otelcol.processor.batch.local.input]
+            traces  = [otelcol.processor.batch.local.input]
+          }
+        }
+
+        otelcol.receiver.zipkin "local" {
+          endpoint = "0.0.0.0:9411"
+          output {
+            traces = [otelcol.processor.batch.local.input]
           }
         }
 

istio-cni/Pluralfile

@@ -0,0 +1,6 @@
+REPO istio-cni
+ATTRIBUTES Plural repository.yaml
+
+TF terraform/*
+HELM helm/*
+RECIPE plural/recipes/*

istio-cni/helm/istio-cni/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

istio-cni/helm/istio-cni/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: cni
+  repository: https://istio-release.storage.googleapis.com/charts
+  version: 1.19.0
+- name: ztunnel
+  repository: https://istio-release.storage.googleapis.com/charts
+  version: 1.19.0
+digest: sha256:5f9e835cde6c2cda3a01add30d38cee44a3c2595306f17914015c3ee3ed6e0d8
+generated: "2023-09-11T12:24:33.670239+02:00"

istio-cni/helm/istio-cni/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: istio-cni
+description: helm chart for istio-cni
+type: application
+version: 0.1.1
+appVersion: "1.19.0"
+dependencies:
+- name: cni
+  version: 1.19.0
+  repository: https://istio-release.storage.googleapis.com/charts
+  condition: cni.enabled
+- name: ztunnel
+  version: 1.19.0
+  repository: https://istio-release.storage.googleapis.com/charts
+  condition: ztunnel.enabled

istio-cni/helm/istio-cni/README.md

@@ -0,0 +1 @@
+A helm chart for istio-cni

istio-cni/helm/istio-cni/deps.yaml

@@ -0,0 +1,19 @@
+apiVersion: plural.sh/v1alpha1
+kind: Dependencies
+metadata:
+  application: true
+  description: Deploys istio-cni crafted for the target cloud
+spec:
+  dependencies:
+  - type: helm
+    name: bootstrap
+    repo: bootstrap
+    version: '>= 0.7.12'
+  - type: helm
+    name: istio
+    repo: istio
+    version: '>= 0.2.0'
+  - type: terraform
+    name: kube
+    repo: istio-cni
+    version: '>= 0.1.0'

istio-cni/helm/istio-cni/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "istio-cni-plural.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "istio-cni-plural.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "istio-cni-plural.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "istio-cni-plural.labels" -}}
+helm.sh/chart: {{ include "istio-cni-plural.chart" . }}
+{{ include "istio-cni-plural.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "istio-cni-plural.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "istio-cni-plural.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "istio-cni-plural.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "istio-cni-plural.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

istio-cni/helm/istio-cni/values.yaml

@@ -0,0 +1,36 @@
+global:
+  hub: gcr.io/istio-release
+
+cni:
+  enabled: true
+  cni:
+    resources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+    # privileged: true # Possibly needed for ambient mode
+    excludeNamespaces:
+    - istio
+    - istio-ingress
+    - kube-system
+    # ambient:
+    #   enabled: false
+    #   redirectMode: ebpf
+      # redirectMode: iptables # this is the default. For GKE and new AKS it would need to be ebpf
+
+ztunnel:
+  enabled: false
+  hub: gcr.io/istio-release
+  istioNamespace: istio
+  redirectMode: ebpf
+  # redirectMode: iptables # this is the default. For GKE and new AKS it would need to be ebpf
+  resources:
+    requests:
+      cpu: 100m
+      memory: 1024Mi
+  meshConfig:
+    defaultConfig:
+      proxyMetadata:
+        ISTIO_META_ENABLE_HBONE: "true" # Needed for ambient mode
+        CA_ADDRESS: istiod.istio.svc:15012 # Hack until new chart is released
+        XDS_ADDRESS: istiod.istio.svc:15012 # Hack until new chart is released

istio-cni/helm/istio-cni/values.yaml.tpl

@@ -0,0 +1 @@
+{}

istio-cni/plural/notes.tpl

@@ -0,0 +1 @@
+Use `plural watch istio-cni` to track the status of your application

istio-cni/plural/recipes/istio-cni-aws.yaml

@@ -0,0 +1,17 @@
+name: istio-cni-aws
+description: Installs istio-cni on an aws eks cluster
+provider: AWS
+primary: true
+dependencies:
+- repo: bootstrap
+  name: aws-k8s
+- repo: istio
+  name: istio-aws
+sections:
+- name: istio-cni
+  configuration: []
+  items:
+  - type: TERRAFORM
+    name: kube
+  - type: HELM
+    name: istio-cni

istio-cni/plural/recipes/istio-cni-azure.yaml

@@ -0,0 +1,17 @@
+name: istio-cni-azure
+description: Installs istio-cni on an azure aks cluster
+provider: AZURE
+primary: true
+dependencies:
+- repo: bootstrap
+  name: azure-k8s
+- repo: istio
+  name: istio-azure
+sections:
+- name: istio-cni
+  configuration: []
+  items:
+  - type: TERRAFORM
+    name: kube
+  - type: HELM
+    name: istio-cni

istio-cni/plural/recipes/istio-cni-gcp.yaml

@@ -0,0 +1,17 @@
+name: istio-cni-gcp
+description: Installs istio-cni on a gcp gke cluster
+provider: GCP
+primary: true
+dependencies:
+- repo: bootstrap
+  name: gcp-k8s
+- repo: istio
+  name: istio-gcp
+sections:
+- name: istio-cni
+  configuration: []
+  items:
+  - type: TERRAFORM
+    name: kube
+  - type: HELM
+    name: istio-cni

istio-cni/repository.yaml

@@ -0,0 +1,12 @@
+name: istio-cni
+description: istio-cni deployed on plural
+category: NETWORK
+private: true
+icon: plural/icons/istio.png
+notes: plural/notes.tpl
+homepage: https://istio.io/
+gitUrl: https://github.com/istio/istio
+tags:
+- tag: istio
+- tag: network
+- tag: security

istio-cni/terraform/kube/deps.yaml

@@ -0,0 +1,12 @@
+apiVersion: plural.sh/v1alpha1
+kind: Dependencies
+metadata:
+  description: istio-cni kubernetes setup
+  version: 0.1.0
+spec:
+  dependencies: []
+  providers:
+  - aws
+  - gcp
+  - azure
+  - kind

istio-cni/terraform/kube/main.tf

@@ -0,0 +1,11 @@
+resource "kubernetes_namespace" "istio-cni" {
+  metadata {
+    name = var.namespace
+    labels = {
+      "app.kubernetes.io/managed-by" = "plural"
+      "app.plural.sh/name" = "istio-cni"
+
+    }
+  }
+}
+

istio-cni/terraform/kube/terraform.tfvars

@@ -0,0 +1,2 @@
+namespace = {{ .Namespace | quote }}
+cluster_name = {{ .Cluster | quote }}

istio-cni/terraform/kube/variables.tf

@@ -0,0 +1,8 @@
+variable "namespace" {
+  type = string
+  default = "istio-cni"
+}
+
+variable "cluster_name" {
+  type = string
+}

istio-ingress/Pluralfile

@@ -0,0 +1,6 @@
+REPO istio-ingress
+ATTRIBUTES Plural repository.yaml
+
+TF terraform/*
+HELM helm/*
+RECIPE plural/recipes/*

istio-ingress/helm/istio-ingress/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

istio-ingress/helm/istio-ingress/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: gateway
+  repository: https://istio-release.storage.googleapis.com/charts
+  version: 1.19.0
+digest: sha256:518d9b00690f92ce7a833150409637c6ad5b96a7fe203114e53c265166f702f3
+generated: "2023-09-11T12:39:30.936515+02:00"