helm_istio_ingress_gateway_additional.tf
# Deploys Additional Ingress Gateways used by AAW in the cluster.
# This deployment configures:
# - the Ingress Gateway
# - an Istio Gateway for HTTPS traffic
# - an EnvoyFilter which adds HSTS to any response without it
# - a cert-manager Certificate which references a ClusterIssuer to request a certificate for TLS from Let's Encrypt
#
# One Helm release is created per entry of var.additional_istio_ingress_gateways.
# The map key becomes the release name; each value supplies `hosts`, `dns_names`
# and `certificate_secret_name`, which are rendered into the chart values below.
#
# Security-relevant settings in this block:
# - The Service is a LoadBalancer with `azureLoadBalancer: internal`, placed on
#   var.load_balancer_subnet.
# - HTTPS is enabled with `httpsRedirect: true` and an HSTS header value of
#   `max-age=31536000` only; `includeSubDomains` is not part of the value.
#   NOTE(review): confirm that leaving subdomains outside the HSTS policy is intended.
# - The Certificate references a ClusterIssuer named `issuer-letsencrypt`, which is
#   not created in this block and must already exist in the cluster.
# - Access logging is enabled on the gateway.
#   NOTE(review): confirm these logs are collected somewhere they can be used for
#   detection and incident response.
resource "helm_release" "istio_ingress_gateway_additional" {
# One release per additional gateway; each.key / each.value come from this map.
for_each = var.additional_istio_ingress_gateways
name = each.key
namespace = module.namespace_istio_system.name
# Uses the "istio-ingress-gateway" entry of var.platform_helm_repositories when present,
# otherwise falls back to the public StatCan chart repository.
repository = lookup(var.platform_helm_repositories, "istio-ingress-gateway", "https://statcan.github.io/charts")
# Repository credentials are passed straight through from variables. Terraform
# persists resource arguments in state, so the password ends up in the state file.
# NOTE(review): the variable declarations are not visible here; confirm both are
# declared `sensitive = true` and that the state backend is encrypted and access-controlled.
repository_username = var.platform_helm_repository_username
repository_password = var.platform_helm_repository_password
chart = "istio-ingress-gateway"
# Chart version is pinned, so upgrades only happen through an explicit change here.
# NOTE(review): chart provenance is not checked (`verify` is left at its default);
# consider enabling it if the repository publishes signed charts.
version = "2.6.0"
# The values document is built by interpolating Terraform expressions into YAML text.
# `hosts` and `dns_names` go through jsonencode(), which yields valid YAML flow syntax.
# `module.istio_operator.tag`, `var.load_balancer_subnet` and
# `each.value.certificate_secret_name` are inserted as raw text, so a value containing
# YAML metacharacters (quotes, `#`, `: `, newlines) would change the rendered structure.
# NOTE(review): these inputs look operator-controlled; wrapping them in jsonencode()
# would make the rendering robust regardless of their content.
values = [<<EOF
# Sets the tag of the images to use
tag: ${module.istio_operator.tag}
# Configurations relating to the Istio Ingress Gateway to deploy.
ingressGateway:
# The name of the ingress-gateway instance.
# If left blank, will use the Release name.
name:
# Toggles if the ingress gateway is enabled or not.
# If disabled, the Istio Operator will remove the deployment and service.
enabled: true
maxReplicas: 5
minReplicas: 3
service:
# Defines the type of Service to deploy:
type: LoadBalancer
# Defines if an "internal" or "external" Azure load-balancer is deployed for the service.
azureLoadBalancer: internal
azureLoadBalancerSubnet: ${var.load_balancer_subnet}
# Lets autogenerate the Node Ports.
nodePorts: {}
# Configures HTTPS on the ingress gateway.
https:
# Toggles HTTPS configurations on the ingress gateway.
enabled: true
# The hosts to which the ingress gateway should route traffic to.
hosts: ${jsonencode(each.value.hosts)}
httpsRedirect: true
# Configures if HSTS headers should be added to all responses which do not have it.
hsts:
enabled: true
# Sets the values of the header.
# Defaults to only setting the max-age to one year.
value: max-age=31536000
# Configures a cert-manager Certificate for automated certificate generation.
certificate:
# Defines the name of the secret that will contain the certificates.
secretName: "${each.value.certificate_secret_name}"
# Defines list of DNS names for the certificate.
# Note: The first entry is set as the common name.
dnsNames: ${jsonencode(each.value.dns_names)}
# Toggles if the Azure DNS solver should be used.
useAzureDNSSolver: true
# Defines the type of Issuer to use.
issuerRef:
# Can be ClusterIssuer or Issuer.
kind: ClusterIssuer
# The name of the Issuer to use.
name: issuer-letsencrypt
# Configures Telemetry on the ingress gateway.
telemetry:
# Enable access logging
accessLogging:
enabled: true
EOF
]
}