feat: meowhq istio charts (#248)

.github/workflows/test.yaml

@@ -91,7 +91,9 @@ jobs:
         if: steps.list-changed.outputs.changed == 'true'
         id: unittest
         run: |
-          helm dependency update ${{ steps.list-changed.outputs.charts }}
+          for chart in ${{ steps.list-changed.outputs.charts }}; do
+            helm dependency update $chart
+          done
           helm unittest ${{ steps.list-changed.outputs.charts }}
 
       - name: Create kind cluster

.gitignore

@@ -3,3 +3,4 @@
 **/*.tgz
 .target
 ct_previous_revision*
+Chart.lock

.release-please-manifest.json

@@ -4,5 +4,7 @@
   "charts/meowhq-vault": "0.5.0",
   "charts/meowhq-nginx": "1.8.0",
   "charts/meowhq-haproxy": "1.4.0",
-  "charts/meowhq-redis": "1.19.0"
+  "charts/meowhq-redis": "1.19.0",
+  "charts/meowhq-istio": "0.0.0",
+  "charts/meowhq-istio-gateway": "0.0.0"
 }

charts/meowhq-istio-gateway/.gitignore

@@ -0,0 +1 @@
+charts/**

charts/meowhq-istio-gateway/Chart.yaml

@@ -0,0 +1,10 @@
+apiVersion: v2
+name: meowhq-istio-gateway
+description: A Parent Helm chart that configures Istio Ingress Gateway
+type: application
+version: 0.0.0
+appVersion: 1.24.3
+dependencies:
+  - name: gateway
+    repository: https://istio-release.storage.googleapis.com/charts
+    version: 1.24.3

charts/meowhq-istio-gateway/README.md

@@ -0,0 +1,137 @@
+# meowhq-istio-gateway Helm Chart
+
+Helm Chart for installing and configuring Istio Ingress Gateway with Istio official Helm Charts as a dependency. It also includes configuring the `gateways.networking.istio.io` Istio Gateway.
+
+refs:
+
+- <https://istio.io/latest/docs/setup/install/helm/>
+- <https://github.com/istio/istio/tree/master/manifests/charts/gateway>
+- [Install Multi-Primary on different networks](https://istio.io/latest/docs/setup/install/multicluster/multi-primary_multi-network/)
+- [Install Primary-Remote on different networks](https://istio.io/latest/docs/setup/install/multicluster/primary-remote_multi-network/)
+
+___
+Table of Contents:
+
+- [Configuration Values](#configuration-values)
+- [Istio Gateway Configuration](#istio-gateway-configuration)
+  - [Global Settings](#global-settings)
+  - [Default Gateway Settings](#default-gateway-settings)
+  - [Multicluster Settings](#multicluster-settings)
+- [Istio Ingress Gateway Deployment Configuration](#istio-ingress-gateway-deployment-configuration)
+  - [Basic Settings](#basic-settings)
+  - [Service Configuration](#service-configuration)
+  - [Resource Management](#resource-management)
+- [Examples](#examples)
+  - [Adding additional ports in the Istio Gateway](#adding-additional-ports-in-the-istio-gateway)
+  - [Multicluster](#multicluster)
+
+## Configuration Values
+
+please see [examples](examples/README.md) for more about usage and examples of values.
+
+## Istio Gateway Configuration
+
+### Global Settings
+
+Global settings shares common variables across the ingress gateway configuration
+
+- `global.istioGateway.apiVersion` - API version for Gateway resource (default: v1)
+- `global.istioGateway.namespace` - Target namespace for Gateway deployment (default: default)
+
+### Default Gateway Settings
+
+The default Istio Gateway is configured with the default HTTPS listener server port. It is enabled by default and will be disabled if `multicluster` is enabled.
+
+- `istioGateway.enabled` - creates Istio Gateway resource (default: true)
+- `istioGateway.name` - Name of the Istio Gateway (default: ingress-gateway)
+- `istioGateway.https.tlsMode` - TLS mode for the HTTPS listener (default: SIMPLE)
+- `istioGateway.https.credentialName` - TLS credential name for default HTTPS listener (default: gkegatewaysecret)
+- `istioGateway.https.hosts` - List of allowed hosts in default HTTPS listener (default: ["*"])
+- `istioGateway.additionalServers` - Additional server listener port configurations for Istio Gateway
+
+### Multicluster Settings
+
+Enabling `multicluster` allows the creation and configuration of a general pattern for Multicluster Gateway Resources. It also disables the default Istio Gateway to create a dedicated Istio Ingress Gateway Deployment and Service.
+
+- `multicluster.enabled` - Enable multicluster configuration (default: false)
+- `multicluster.crossNetworkGateway.name` - Name of cross-network gateway
+- `multicluster.crossNetworkGateway.hosts` - List of allowed hosts for cross-network gateway (default: ["*.local"])
+- `multicluster.crossNetworkGateway.additionalServers` - Additional server configurations for cross-network gateway
+- `multicluster.istiodGateway.enabled` - Enable istiod gateway for Primary-Remote setup (default: false)
+- `multicluster.istiodGateway.name` - Name of istiod gateway
+- `multicluster.istiodGateway.additionalServers` - Additional server configurations for istiod gateway
+
+## Istio Ingress Gateway Deployment Configuration
+
+This section provides configuration details for the official Istio Ingress Gateway Helm chart `gateway` used as a subchart. It sets default values for deploying the Istio Ingress Gateway following a general pattern.
+
+<https://github.com/istio/istio/tree/master/manifests/charts/gateway>
+
+> ⚠️ **INFO:**
+>
+> This configuration follows the official Istio Gateway Helm values. Please refer to the official documentation for more details and customization.
+>
+> <https://github.com/istio/istio/blob/1.24.0/manifests/charts/gateway/values.yaml>
+
+### Basic Settings
+
+- `gateway.name`: Name of the gateway deployment
+- `gateway.imagePullSecrets`: Image pull secrets configuration (default: empty array)
+- `gateway.revision`: Istio revision
+- `gateway.labels.app`: App label value (default: null). it will be automatically generated and set from gateway.name unless you set the custom value
+- `gateway.labels.istio`: Istio label value (default: null). it will be automatically generated and set from gateway.name unless you set the custom value
+
+### Service Configuration
+
+- `gateway.service.type`: Service type (default: LoadBalancer)
+- `gateway.service.loadBalancerIP`: Load balancer IP address
+
+### Resource Management
+
+- `gateway.resources.requests.cpu`: CPU request (default: 200m)
+- `gateway.resources.requests.memory`: Memory request (default: 256Mi)
+- `gateway.autoscaling.enabled`: Enable autoscaling
+- `gateway.autoscaling.minReplicas`: Minimum replicas (default: 2)
+- `gateway.autoscaling.maxReplicas`: Maximum replicas (default: 8)
+
+## Examples
+
+### Adding additional ports in the Istio Gateway
+
+```yaml
+istioGateway:
+  https:
+    credentialName: my-cred
+  additionalServers:
+  - port:
+      name: http
+      number: 80
+      protocol: HTTP
+    tls:
+      httpsRedirect: false
+    hosts:
+      - "*"
+gateway:
+  service:
+    loadBalancerIP: "192.168.10.10"
+```
+
+### Multicluster
+
+It follows the installation instruction:
+
+- [Install Multi-Primary on different networks](https://istio.io/latest/docs/setup/install/multicluster/multi-primary_multi-network/)
+- [Install Primary-Remote on different networks](https://istio.io/latest/docs/setup/install/multicluster/primary-remote_multi-network/)
+
+```yaml
+multicluster:
+  enabled: true
+gateway:
+  name: istio-cross-network-gateway
+  labels:
+    app: cross-network-gateway
+    istio: istio-cross-network-gateway
+  networkGateway: meowhq-lab
+  service:
+    loadBalancerIP: "192.168.10.12"
+```

charts/meowhq-istio-gateway/templates/_helpers.tpl

@@ -0,0 +1,22 @@
+{{/*
+  read gateway.selectorLabels from the istio gateway(subchart) chart helper
+  the default value in values.yaml for gateway chart should be initialized with null to avoid nil pointer
+  ```yaml
+  gateway:
+    labels:
+      app: null
+      istio: null
+  ```
+*/}}
+{{- define "gatewaySelectorLabel" -}}
+{{ template "gateway.selectorLabels" .Subcharts.gateway }}
+{{- end }}
+
+{{/*
+  convert gateway.selectorLabels from the istio gateway(subchart) chart helper to dict and pick istio label value
+  and use it in the gateway selector
+*/}}
+{{- define "gatewaySelectorLabelIstio" -}}
+{{- $dict := include "gatewaySelectorLabel" . | fromYaml -}}
+{{ $dict.istio }}
+{{- end -}}

charts/meowhq-istio-gateway/templates/ingress-gateway.yaml

@@ -0,0 +1,23 @@
+{{- if and .Values.istioGateway.enabled (not .Values.multicluster.enabled) }}
+apiVersion: networking.istio.io/{{ .Values.global.istioGateway.apiVersion }}
+kind: Gateway
+metadata:
+  name: {{ .Values.istioGateway.name }}
+  namespace: {{ .Values.global.istioGateway.namespace }}
+spec:
+  selector:
+    istio: {{ include "gatewaySelectorLabelIstio" . }}
+  servers:
+  - port:
+      name: https
+      number: 443
+      protocol: HTTPS
+    tls:
+      mode: {{ .Values.istioGateway.https.tlsMode }}
+      credentialName: {{ .Values.istioGateway.https.credentialName }}
+    hosts:
+    {{- .Values.istioGateway.https.hosts | toYaml | nindent 4 }}
+  {{- with .Values.istioGateway.additionalServers }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}

charts/meowhq-istio-gateway/templates/multicluster/cross-network-gateway.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.multicluster.enabled  }}
+apiVersion: networking.istio.io/{{ .Values.global.istioGateway.apiVersion }}
+kind: Gateway
+metadata:
+  name: {{ .Values.multicluster.crossNetworkGateway.name }}
+  namespace: {{ .Values.global.istioGateway.namespace }}
+spec:
+  selector:
+    istio: {{ include "gatewaySelectorLabelIstio" . }}
+  servers:
+  - port:
+      name: tls
+      number: 15443
+      protocol: TLS
+    tls:
+      mode: AUTO_PASSTHROUGH
+    hosts:
+      - '*.local'
+  {{- with .Values.multicluster.crossNetworkGateway.additionalServers }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}

charts/meowhq-istio-gateway/templates/multicluster/istiod-gateway.yaml

@@ -0,0 +1,30 @@
+{{- if and .Values.multicluster.enabled .Values.multicluster.istiodGateway.enabled }}
+apiVersion: networking.istio.io/{{ .Values.global.istioGateway.apiVersion }}
+kind: Gateway
+metadata:
+  name: {{ .Values.multicluster.istiodGateway.name }}
+  namespace: {{ .Values.global.istioGateway.namespace }}
+spec:
+  selector:
+    istio: {{ include "gatewaySelectorLabelIstio" . }}
+  servers:
+  - port:
+      name: tls-istiod
+      number: 15012
+      protocol: tls
+    tls:
+      mode: PASSTHROUGH
+    hosts:
+      - "*"
+  - port:
+      name: tls-istiodwebhook
+      number: 15017
+      protocol: tls
+    tls:
+      mode: PASSTHROUGH
+    hosts:
+      - "*"
+  {{- with .Values.multicluster.istiodGateway.additionalServers }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}

charts/meowhq-istio-gateway/templates/multicluster/istiod-virtualservice.yaml

@@ -0,0 +1,31 @@
+{{- if and .Values.multicluster.enabled .Values.multicluster.istiodGateway.enabled }}
+apiVersion: networking.istio.io/{{ .Values.global.istioGateway.apiVersion }}
+kind: VirtualService
+metadata:
+  name: istiod-vs
+  namespace: {{ .Release.Namespace }}
+spec:
+  hosts:
+  - "*"
+  gateways:
+  - "{{ .Values.global.istioGateway.namespace }}/{{ .Values.multicluster.istiodGateway.name }}"
+  tls:
+  - match:
+    - port: 15012
+      sniHosts:
+      - "*"
+    route:
+    - destination:
+        host: istiod.{{ .Release.Namespace }}.svc.cluster.local
+        port:
+          number: 15012
+  - match:
+    - port: 15017
+      sniHosts:
+      - "*"
+    route:
+    - destination:
+        host: istiod.{{ .Release.Namespace }}.svc.cluster.local
+        port:
+          number: 443
+{{- end }}

charts/meowhq-istio-gateway/tests/default-values-gateway_test.yaml

@@ -0,0 +1,60 @@
+suite: Istio Gateway ingress-gateway tests
+templates:
+  - ingress-gateway.yaml
+  - multicluster/cross-network-gateway.yaml
+  - multicluster/istiod-gateway.yaml
+  - multicluster/istiod-virtualservice.yaml
+release:
+  name: "istio-ingressgateway"
+  namespace: "istio-system"
+tests: 
+- it: render Gateway with default values
+  template: ingress-gateway.yaml
+  asserts:
+  - containsDocument:
+      apiVersion: networking.istio.io/v1
+      kind: Gateway
+      name: ingress-gateway
+      namespace: default
+  - equal:
+      path: spec
+      value:
+        selector:
+          istio: ingressgateway
+        servers:
+        - port:
+            name: https
+            number: 443
+            protocol: HTTPS
+          tls:
+            mode: SIMPLE
+            credentialName: gateway-tls
+          hosts:
+            - '*'
+
+- it: should not render the cross-network-gateway Gateway by default
+  template: multicluster/cross-network-gateway.yaml
+  asserts:
+  - not: true
+    containsDocument:
+      apiVersion: networking.istio.io/v1
+      kind: Gateway
+
+- it: should not render the istiod-gateway Gateway by default
+  template: multicluster/istiod-gateway.yaml
+  asserts:
+  - not: true
+    containsDocument:
+      apiVersion: networking.istio.io/v1
+      kind: Gateway
+
+- it: should not render the istiod-vs VirtualService by default
+  template: multicluster/istiod-virtualservice.yaml
+  asserts:
+  - not: true
+    containsDocument:
+      apiVersion: networking.istio.io/v1
+      kind: VirtualService
+      name: istiod-vs
+
+

charts/meowhq-istio-gateway/tests/default-vaules-subchart-deployment_test.yaml

@@ -0,0 +1,27 @@
+suite: Istio Gateway subchart test - Deployment for cross-network-gateway configuration
+templates:
+  - charts/* # this includes all the templates in the subchart
+release:
+  name: "istio-gateway"
+  namespace: "istio-system"
+tests:
+- it: should render deployment with default values
+  template: charts/gateway/templates/deployment.yaml
+  asserts:
+  - containsDocument:
+      apiVersion: apps/v1
+      kind: Deployment
+      name: istio-ingressgateway
+      namespace: istio-system
+  - isSubset:
+      path: metadata.labels
+      content:
+        app: istio-ingressgateway
+        istio: ingressgateway
+  - isSubset:
+      path: spec.template.metadata.labels
+      content:
+        istio.io/rev: "default"
+        app: istio-ingressgateway
+        istio: ingressgateway
+