Ingress cleanups (#7222)

* Ingress and gateway updates

* Add gateways

* Remove the old ingress chart

* Don't configure https port automatically

* Remove for now the istio services ingress, roll back the old ingress.

* Really add back the ingress chart

* Add preinstall annotations and move CRDs (CRDs are not specific to pilot, but istio general)

* Add missing files (autoscaler for pilot as well, seems I missed it)

* Attempt to fix failing auth server

* use http2

* Move back crds to pilot, helm doesn't like them in templates

* use crd-install hook, up helm, more logs to debug failing test

* helm version is in 2 places

* Bump helm to 2.9.1

* Use pre-install

* Let's try CRDs without dry-run

* Helm crd creation fixes

* Autoscale doesn't work well with the default 0.1 alloc - causing test failures

* Fix failing test

* Broken build with attempt to support testing multiple helm versions

* More attempts to get CRDs working in all cases

- revert using pre-init for security - it doesn't help and it's not
cleaned on delete. System eventually recovers.

- switch test to helm 2.9 - we should test with released version
Do the crd install ahead of time.

- added explicit control for CRD inclusion, so helm template with
pre-2.10 works as before. When using kubectl apply it is safe to have
the crds included (but still better to apply them before install)

- update dep to avoid lint failure

* Prow uses different base dir

* Bad conflict resolution

bin/init.sh

@@ -35,8 +35,6 @@ GO_TOP=$(cd $(dirname $0)/../../../..; pwd)
 
 export OUT_DIR=${OUT_DIR:-${GO_TOP}/out}
 
-HELM_VER=v2.7.2
-
 export GOPATH=${GOPATH:-$GO_TOP}
 # Normally set by Makefile
 export ISTIO_BIN=${ISTIO_BIN:-${GOPATH}/bin}

bin/init_helm.sh

@@ -35,7 +35,12 @@ GO_TOP=$(cd $(dirname $0)/../../../..; pwd)
 
 export OUT_DIR=${OUT_DIR:-${GO_TOP}/out}
 
-HELM_VER=v2.7.2
+# Current version is 2.9.1, with 2.10RC available
+# 2.7.2 was released in Nov 2017.
+# 2.10 adds proper support for CRD - we will test with it
+# For pre-2.10,
+HELM_VER=${HELM_VER:-v2.9.1}
+#HELM_VER=${HELM_VER:-v2.10.0-rc.1}
 
 export GOPATH=${GOPATH:-$GO_TOP}
 # Normally set by Makefile
@@ -64,12 +69,14 @@ export GOOS=${GOOS:-${LOCAL_OS}}
 export ISTIO_OUT=${ISTIO_OUT:-${ISTIO_BIN}}
 
 # install helm if not present, it must be the local version.
-if [ ! -f ${ISTIO_OUT}/helm ] ; then
+if [ ! -f ${ISTIO_OUT}/version.helm.${HELM_VER} ] ; then
     TD=$(mktemp -d)
     # Install helm. Please keep it in sync with .circleci
     cd ${TD} && \
         curl -Lo ${TD}/helm.tgz https://storage.googleapis.com/kubernetes-helm/helm-${HELM_VER}-${LOCAL_OS}-amd64.tar.gz && \
         tar xfz helm.tgz && \
-        mv ${LOCAL_OS}-amd64/helm ${ISTIO_OUT}/helm && \
-        rm -rf ${TD}
+        mv ${LOCAL_OS}-amd64/helm ${ISTIO_OUT}/helm-${HELM_VER} && \
+        cp ${ISTIO_OUT}/helm-${HELM_VER} ${ISTIO_OUT}/helm && \
+        rm -rf ${TD} && \
+        touch ${ISTIO_OUT}/version.helm.${HELM_VER}
 fi

install/kubernetes/helm/istio/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 name: istio
 version: 1.0.0
 appVersion: 1.0.0
-tillerVersion: ">=2.7.2"
+tillerVersion: ">=2.7.2-0"
 description: Helm chart for all istio components
 keywords:
   - istio

install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml

@@ -2,6 +2,8 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: clusterissuers.certmanager.k8s.io
+  annotations:
+    "helm.sh/hook": crd-install
   labels:
     app: certmanager
 spec:
@@ -16,6 +18,8 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: issuers.certmanager.k8s.io
+  annotations:
+    "helm.sh/hook": crd-install
   labels:
     app: certmanager
 spec:
@@ -30,6 +34,8 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: certificates.certmanager.k8s.io
+  annotations:
+    "helm.sh/hook": crd-install
   labels:
     app: certmanager
 spec:

install/kubernetes/helm/istio/charts/gateways/templates/autoscale.yaml

@@ -17,7 +17,7 @@ spec:
       - type: Resource
         resource:
           name: cpu
-          targetAverageUtilization: 55
+          targetAverageUtilization: 60
 ---
 {{- end }}
 {{- end }}

install/kubernetes/helm/istio/charts/pilot/templates/autoscale.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.autoscaleMin }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+    name: istio-pilot
+spec:
+    maxReplicas: {{ .Values.autoscaleMax }}
+    minReplicas: {{ .Values.autoscaleMin }}
+    scaleTargetRef:
+      apiVersion: apps/v1beta1
+      kind: Deployment
+      name: istio-pilot
+    metrics:
+      - type: Resource
+        resource:
+          name: cpu
+          targetAverageUtilization: 55
+---
+{{- end }}

install/kubernetes/helm/istio/charts/pilot/templates/gateway.yaml

@@ -1,3 +1,31 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: istio-autogenerated-k8s-ingress
+  namespace: istio-system
+spec:
+  selector:
+    istio: {{ .Values.global.ingressSelector }}
+  servers:
+  - port:
+      number: 80
+      protocol: HTTP2
+      name: http
+    hosts:
+    - "*"
+{{ if .Values.global.ingressHttps }}
+  - port:
+      number: 443
+      protocol: HTTPS
+      name: https-default
+    tls:
+      mode: SIMPLE
+      serverCertificate: /etc/istio/ingress-certs/tls.crt
+      privateKey: /etc/istio/ingress-certs/tls.key
+    hosts:
+    - "*"
+{{ end }}
+---
 {{- if .Values.global.meshExpansion }}
 apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
@@ -43,7 +71,4 @@ spec:
       name: tcp-citadel
     hosts:
     - "*"
-
-
-
 {{- end }}

install/kubernetes/helm/istio/templates/configmap.yaml

@@ -33,7 +33,7 @@ data:
 
     {{- if .Values.ingress.enabled }}
     # This is the ingress service name, update if you used a different name
-    ingressService: istio-ingress
+    ingressService: istio-{{ .Values.global.ingressSelector }}
     {{- end }}
 
     # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get