install istio with helm

install/helm/hango-gateway/charts/operator-crd/templates/operator-crd.yaml

@@ -61,7 +61,7 @@ spec:
               name: hango-rider-plugin 
               mountPath: /usr/local/lib/rider/plugins
         podAnnotations:
-          proxy.istio.io/config: '{"discoveryAddress" : "istiod.hango-system.svc.cluster.local:15010","controlPlaneAuthPolicy":"NONE"}'
+          proxy.istio.io/config: '{"discoveryAddress" : "istiod.hango-system.svc.cluster.local:15010","controlPlaneAuthPolicy":"NONE","proxyStatsMatcher": {"inclusionPrefixes":["cluster", "listener","http"]}}'
         service:
           selector:
             app: gateway-proxy

install/istio-install-helm/.gitignore

@@ -0,0 +1,3 @@
+# Chart dependencies
+.idea
+

install/istio-install-helm/.gitlab-ci.yml

@@ -0,0 +1,42 @@
+stages:
+  - package
+
+before_script:
+  - CHART_VERSION="${CI_COMMIT_TAG:-v0.0.0-r$CI_PIPELINE_ID}"
+
+variables:
+  NAMESPACE: istio
+  RELEASE_NAME: istio
+
+helm_package:
+  stage: package
+  variables:
+    REPO_NAME: cloudnative
+    KUBECONFIG_YAML: $KUBECONFIG_DEV
+  script:
+    - mkdir -p target
+    - helm package --version="$CHART_VERSION" -d target . || exit 1
+    - echo "$CHART_VERSION"
+    - |
+      # helm upgrade -n $NAMESPACE $RELEASE_NAME . --install --create-namespace --dry-run
+
+      REPO_ADDR="$(jq -r '.repo//empty'<<<"$ONLINE_CHART_REPO")"
+      USERNAME="$(jq -r '.username//empty'<<<"$ONLINE_CHART_REPO")"
+      PASSWORD="$(jq -r '.password//empty'<<<"$ONLINE_CHART_REPO")"
+
+      helm repo add --insecure-skip-tls-verify --username="$USERNAME" \
+          --password="$PASSWORD" "$REPO_NAME" "$REPO_ADDR/chartrepo/$REPO_NAME" --force-update
+      helm push --insecure target/$(cd target; ls | grep tgz) "$REPO_NAME" || exit 1
+    - |
+      REPO_ADDR="$(jq -r '.repo//empty'<<<"$ONLINE_CHART_REPO")"
+      USERNAME="$(jq -r '.username//empty'<<<"$ONLINE_CHART_REPO")"
+      PASSWORD="$(jq -r '.password//empty'<<<"$ONLINE_CHART_REPO")"
+
+      helm repo add --insecure-skip-tls-verify --username="$USERNAME" \
+          --password="$PASSWORD" "$REPO_NAME" "$REPO_ADDR/chartrepo/$REPO_NAME" --force-update
+      helm push --insecure target/$(cd target; ls | grep tgz) "$REPO_NAME" || exit 1
+
+  only:
+    - develop
+    - tags
+

install/istio-install-helm/.helmignore

@@ -0,0 +1,26 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# helm/charts
+OWNERS
+hack/
+ci/
+kube-prometheus-*.tgz

install/istio-install-helm/Chart.yaml

@@ -0,0 +1,19 @@
+apiVersion: v2
+name: istio
+
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+#
+# this version will be overwritten during helm package stage by gitlab-ci
+version: 0.0.0
+

install/istio-install-helm/templates/allinone.yaml

@@ -0,0 +1,220 @@
+---
+# Source: istio-operator/templates/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-operator
+  labels:
+    istio-operator-managed: Reconcile
+    istio-injection: disabled
+---
+# Source: istio-operator/templates/service_account.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: istio-operator
+  name: istio-operator
+---
+# Source: istio-operator/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: istio-operator
+rules:
+# istio groups
+- apiGroups:
+  - authentication.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - config.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - install.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - security.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+# k8s groups
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - '*'
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions.apiextensions.k8s.io
+  - customresourcedefinitions
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  - extensions
+  resources:
+  - daemonsets
+  - deployments
+  - deployments/finalizers
+  - replicasets
+  verbs:
+  - '*'
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - '*'
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
+  - get
+  - create
+  - update
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - '*'
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  - clusterroles
+  - roles
+  - rolebindings
+  verbs:
+  - '*'
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - create
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - events
+  - namespaces
+  - pods
+  - pods/proxy
+  - persistentvolumeclaims
+  - secrets
+  - services
+  - serviceaccounts
+  verbs:
+  - '*'
+---
+# Source: istio-operator/templates/clusterrole_binding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: istio-operator
+subjects:
+- kind: ServiceAccount
+  name: istio-operator
+  namespace: istio-operator
+roleRef:
+  kind: ClusterRole
+  name: istio-operator
+  apiGroup: rbac.authorization.k8s.io
+---
+# Source: istio-operator/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: istio-operator
+  labels:
+    name: istio-operator
+  name: istio-operator
+spec:
+  ports:
+  - name: http-metrics
+    port: 8383
+    targetPort: 8383
+    protocol: TCP
+  selector:
+    name: istio-operator
+---
+# Source: istio-operator/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: istio-operator
+  name: istio-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: istio-operator
+  template:
+    metadata:
+      labels:
+        name: istio-operator
+    spec:
+      serviceAccountName: istio-operator
+      containers:
+        - name: istio-operator
+          image: docker.io/istio/operator:1.10.2
+          command:
+          - operator
+          - server
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1337
+            runAsUser: 1337
+            runAsNonRoot: true
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 50m
+              memory: 128Mi
+          env:
+            - name: WATCH_NAMESPACE
+              value: "hango-system"
+            - name: LEADER_ELECTION_NAMESPACE
+              value: "istio-operator"
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: "istio-operator"
+            - name: WAIT_FOR_RESOURCES_TIMEOUT
+              value: "120s"
+            - name: REVISION
+              value: ""