From d4aaa69b72d4545d81aac34fb264da09625a6b21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=8C=85=E6=89=AC?=
Date: Thu, 14 Oct 2021 09:51:55 +0800
Subject: [PATCH 1/2] add proxyStatsMatcher to gateway-proxy for more detailed proxy stats
---
 .../charts/operator-crd/templates/operator-crd.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/helm/hango-gateway/charts/operator-crd/templates/operator-crd.yaml b/install/helm/hango-gateway/charts/operator-crd/templates/operator-crd.yaml
index a0f2d35..6e28296 100644
--- a/install/helm/hango-gateway/charts/operator-crd/templates/operator-crd.yaml
+++ b/install/helm/hango-gateway/charts/operator-crd/templates/operator-crd.yaml
@@ -61,7 +61,7 @@ spec:
 name: hango-rider-plugin
 mountPath: /usr/local/lib/rider/plugins
 podAnnotations:
- proxy.istio.io/config: '{"discoveryAddress" : "istiod.hango-system.svc.cluster.local:15010","controlPlaneAuthPolicy":"NONE"}'
+ proxy.istio.io/config: '{"discoveryAddress" : "istiod.hango-system.svc.cluster.local:15010","controlPlaneAuthPolicy":"NONE","proxyStatsMatcher": {"inclusionPrefixes":["cluster", "listener","http"]}}'
 service:
 selector:
 app: gateway-proxy
From 218542f97fb206615c03350a7bfb0a990e6045c5 Mon Sep 17 00:00:00 2001
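Review bot: The rewritten `proxy.istio.io/config` annotation still carries `"controlPlaneAuthPolicy":"NONE"` with `discoveryAddress` on port 15010, which is istiod's plaintext xDS port, so the gateway proxy keeps fetching its configuration from the control plane without TLS or mutual authentication. Since this line is being edited anyway, consider `"discoveryAddress":"istiod.hango-system.svc.cluster.local:15012","controlPlaneAuthPolicy":"MUTUAL_TLS"`, provided istiod in this install serves its TLS port (not visible from this diff). The new `proxyStatsMatcher` prefixes `cluster`, `listener` and `http` are broad: they publish per-upstream and per-listener names on the proxy's stats endpoint and can raise metric cardinality considerably, so narrower prefixes or a comment above `podAnnotations` naming the dashboards that need them would help. The enclosing `spec` block starts and ends outside the hunk.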
From: =?UTF-8?q?=E5=8C=85=E6=89=AC?=
Date: Tue, 16 Nov 2021 15:09:01 +0800
Subject: [PATCH 2/2] install istio with helm
---
 install/istio-install-helm/.gitignore | 3 +
 install/istio-install-helm/.gitlab-ci.yml | 42 ++++
 install/istio-install-helm/.helmignore | 26 +++
 install/istio-install-helm/Chart.yaml | 19 ++
 .../templates/allinone.yaml | 220 ++++++++++++++++++
 install/istio-install-helm/values.yaml | 0
 6 files changed, 310 insertions(+)
 create mode 100644 install/istio-install-helm/.gitignore
 create mode 100644 install/istio-install-helm/.gitlab-ci.yml
 create mode 100644 install/istio-install-helm/.helmignore
 create mode 100644 install/istio-install-helm/Chart.yaml
 create mode 100644 install/istio-install-helm/templates/allinone.yaml
 create mode 100644 install/istio-install-helm/values.yaml
diff --git a/install/istio-install-helm/.gitignore b/install/istio-install-helm/.gitignore
new file mode 100644
index 0000000..5d46735
--- /dev/null
+++ b/install/istio-install-helm/.gitignore
@@ -0,0 +1,3 @@
+# Chart dependencies
+.idea
+
diff --git a/install/istio-install-helm/.gitlab-ci.yml b/install/istio-install-helm/.gitlab-ci.yml
new file mode 100644
index 0000000..dc2b530
--- /dev/null
+++ b/install/istio-install-helm/.gitlab-ci.yml
@@ -0,0 +1,42 @@
+stages:
+ - package
+
+before_script:
+ - CHART_VERSION="${CI_COMMIT_TAG:-v0.0.0-r$CI_PIPELINE_ID}"
+
+variables:
+ NAMESPACE: istio
+ RELEASE_NAME: istio
+
+helm_package:
+ stage: package
+ variables:
+ REPO_NAME: cloudnative
+ KUBECONFIG_YAML: $KUBECONFIG_DEV
+ script:
+ - mkdir -p target
+ - helm package --version="$CHART_VERSION" -d target . || exit 1
+ - echo "$CHART_VERSION"
+ - |
+ # helm upgrade -n $NAMESPACE $RELEASE_NAME . --install --create-namespace --dry-run
+
+ REPO_ADDR="$(jq -r '.repo//empty'<<<"$ONLINE_CHART_REPO")"
+ USERNAME="$(jq -r '.username//empty'<<<"$ONLINE_CHART_REPO")"
+ PASSWORD="$(jq -r '.password//empty'<<<"$ONLINE_CHART_REPO")"
+
+ helm repo add --insecure-skip-tls-verify --username="$USERNAME" \
+ --password="$PASSWORD" "$REPO_NAME" "$REPO_ADDR/chartrepo/$REPO_NAME" --force-update
+ helm push --insecure target/$(cd target; ls | grep tgz) "$REPO_NAME" || exit 1
+ - |
+ REPO_ADDR="$(jq -r '.repo//empty'<<<"$ONLINE_CHART_REPO")"
+ USERNAME="$(jq -r '.username//empty'<<<"$ONLINE_CHART_REPO")"
+ PASSWORD="$(jq -r '.password//empty'<<<"$ONLINE_CHART_REPO")"
+
+ helm repo add --insecure-skip-tls-verify --username="$USERNAME" \
+ --password="$PASSWORD" "$REPO_NAME" "$REPO_ADDR/chartrepo/$REPO_NAME" --force-update
+ helm push --insecure target/$(cd target; ls | grep tgz) "$REPO_NAME" || exit 1
+
+ only:
+ - develop
+ - tags
+
diff --git a/install/istio-install-helm/.helmignore b/install/istio-install-helm/.helmignore
new file mode 100644
index 0000000..93bf1ec
--- /dev/null
+++ b/install/istio-install-helm/.helmignore
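Review bot: Both `helm repo add --insecure-skip-tls-verify` and `helm push --insecure` in the `helm_package` script switch off certificate verification on the very connection that carries the chart-repository username and password, so neither the credentials nor the pushed chart are protected against interception or substitution in transit. `--password="$PASSWORD"` also places the secret in the process arguments, where it can show up in process listings and debug traces; reading it from stdin avoids that. The second `- |` step repeats the repo-add and push of the first one verbatim and looks like a copy-paste leftover, and `KUBECONFIG_YAML: $KUBECONFIG_DEV` hands a cluster credential to a job whose only `helm upgrade` line is commented out, so both can be dropped. The fence sketches a single push step with verification left on; `CHART_REPO_CA_FILE` is a placeholder for a CI variable holding the repository's CA bundle and is only needed if the repository uses a private CA.

```yaml
    - |
      # … unchanged: REPO_ADDR and USERNAME read from $ONLINE_CHART_REPO …

      # Password is piped on stdin so it never appears in argv; TLS verification stays on.
      # CHART_REPO_CA_FILE is a placeholder, not a variable defined by this pipeline.
      jq -r '.password//empty' <<<"$ONLINE_CHART_REPO" \
        | helm repo add --username="$USERNAME" --password-stdin \
            --ca-file "$CHART_REPO_CA_FILE" \
            "$REPO_NAME" "$REPO_ADDR/chartrepo/$REPO_NAME" --force-update
      helm push --ca-file "$CHART_REPO_CA_FILE" \
        "target/$(cd target; ls | grep tgz)" "$REPO_NAME" || exit 1
    # … second, duplicated push step removed …
```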
@@ -0,0 +1,26 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# helm/charts
+OWNERS
+hack/
+ci/
+kube-prometheus-*.tgz
diff --git a/install/istio-install-helm/Chart.yaml b/install/istio-install-helm/Chart.yaml
new file mode 100644
index 0000000..8f7d21a
--- /dev/null
+++ b/install/istio-install-helm/Chart.yaml
@@ -0,0 +1,19 @@
+apiVersion: v2
+name: istio
+
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+#
+# this version will be overwritten during helm package stage by gitlab-ci
+version: 0.0.0
+
diff --git a/install/istio-install-helm/templates/allinone.yaml b/install/istio-install-helm/templates/allinone.yaml
new file mode 100644
index 0000000..211ae4c
--- /dev/null
+++ b/install/istio-install-helm/templates/allinone.yaml
@@ -0,0 +1,220 @@
+---
+# Source: istio-operator/templates/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-operator
+ labels:
+ istio-operator-managed: Reconcile
+ istio-injection: disabled
+---
+# Source: istio-operator/templates/service_account.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: istio-operator
+ name: istio-operator
+---
+# Source: istio-operator/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: istio-operator
+rules:
+# istio groups
+- apiGroups:
+ - authentication.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - config.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - install.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - security.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+# k8s groups
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - '*'
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions.apiextensions.k8s.io
+ - customresourcedefinitions
+ verbs:
+ - '*'
+- apiGroups:
+ - apps
+ - extensions
+ resources:
+ - daemonsets
+ - deployments
+ - deployments/finalizers
+ - replicasets
+ verbs:
+ - '*'
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - '*'
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - create
+ - update
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - roles
+ - rolebindings
+ verbs:
+ - '*'
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - create
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - events
+ - namespaces
+ - pods
+ - pods/proxy
+ - persistentvolumeclaims
+ - secrets
+ - services
+ - serviceaccounts
+ verbs:
+ - '*'
+---
+# Source: istio-operator/templates/clusterrole_binding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: istio-operator
+subjects:
+- kind: ServiceAccount
+ name: istio-operator
+ namespace: istio-operator
+roleRef:
+ kind: ClusterRole
+ name: istio-operator
+ apiGroup: rbac.authorization.k8s.io
+---
+# Source: istio-operator/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: istio-operator
+ labels:
+ name: istio-operator
+ name: istio-operator
+spec:
+ ports:
+ - name: http-metrics
+ port: 8383
+ targetPort: 8383
+ protocol: TCP
+ selector:
+ name: istio-operator
+---
+# Source: istio-operator/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: istio-operator
+ name: istio-operator
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: istio-operator
+ template:
+ metadata:
+ labels:
+ name: istio-operator
+ spec:
+ serviceAccountName: istio-operator
+ containers:
+ - name: istio-operator
+ image: docker.io/istio/operator:1.10.2
+ command:
+ - operator
+ - server
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsUser: 1337
+ runAsNonRoot: true
+ imagePullPolicy: IfNotPresent
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 50m
+ memory: 128Mi
+ env:
+ - name: WATCH_NAMESPACE
+ value: "hango-system"
+ - name: LEADER_ELECTION_NAMESPACE
+ value: "istio-operator"
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: OPERATOR_NAME
+ value: "istio-operator"
+ - name: WAIT_FOR_RESOURCES_TIMEOUT
+ value: "120s"
+ - name: REVISION
+ value: ""
\ No newline at end of file
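Review bot: The `istio-operator` ClusterRole gives the operator's service account `'*'` verbs cluster-wide on `secrets`, `pods/proxy`, `clusterroles` and `clusterrolebindings`, although the Deployment sets `WATCH_NAMESPACE` to `hango-system` only; wildcard verbs on the RBAC resources let that account grant itself any further permission, so a compromise of this one pod amounts to control of the whole cluster. Where the operator tolerates it, the core-group and `apps` rules are better placed in a namespaced Role/RoleBinding for `hango-system` and `istio-operator`, and the `'*'` on `clusterroles`/`clusterrolebindings` replaced by the explicit verbs it needs; which verbs those are cannot be told from this diff, so at minimum a comment above `rules:` should record why the wildcards are kept. The container is referenced by mutable tag in `image: docker.io/istio/operator:1.10.2`; pinning it as `docker.io/istio/operator:1.10.2@sha256:<digest-placeholder>` ensures the highly privileged pod always runs the image that was reviewed. With `values.yaml` empty, the namespaces and the image are hard-coded in the template, so none of this can be tightened per environment without editing the chart.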
diff --git a/install/istio-install-helm/values.yaml b/install/istio-install-helm/values.yaml
new file mode 100644
index 0000000..e69de29