Skip to content

Commit

Permalink
Fixing the helm templates to support Control Plane SDS (#16466)
Browse files Browse the repository at this point in the history 
* support control plane SDS

* test control plane SDS

* revise

* revise

* revise

* set env

* revise

* revise

* revise

* revise

* revise

* revise

* template change for SDS control plane

* revise

* update

* fix unit tests

* fix tests

* enable control plane SDS
  • Loading branch information
@JimmyCYJ @istio-testing
JimmyCYJ authored and istio-testing committed Aug 24, 2019
1 parent 3c79be7 commit 90ebc30
Show file tree
Hide file tree
Showing 83 changed files with 1,274 additions and 13 deletions.
2 changes: 2 additions & 0 deletions install/kubernetes/helm/istio/charts/gateways/templates/deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -236,6 +236,8 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: SDS_ENABLED
value: "{{ $.Values.global.sds.enabled }}"
- name: ISTIO_META_WORKLOAD_NAME
value: {{ $key }}
- name: ISTIO_META_OWNER
Expand Down
4 changes: 4 additions & 0 deletions install/kubernetes/helm/istio/charts/mixer/templates/deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,8 @@
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: SDS_ENABLED
value: "{{ $.Values.global.sds.enabled }}"
resources:
{{- if $.Values.global.proxy.resources }}
{{ toYaml $.Values.global.proxy.resources | indent 10 }}
Expand Down Expand Up @@ -336,6 +338,8 @@
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: SDS_ENABLED
value: "{{ $.Values.global.sds.enabled }}"
resources:
{{- if $.Values.global.proxy.resources }}
{{ toYaml $.Values.global.proxy.resources | indent 10 }}
Expand Down
2 changes: 2 additions & 0 deletions install/kubernetes/helm/istio/charts/pilot/templates/deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,8 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: SDS_ENABLED
value: "{{ $.Values.global.sds.enabled }}"
resources:
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 12 }}
Expand Down
2 changes: 1 addition & 1 deletion install/kubernetes/helm/istio/example-values/values-istio-googleca.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
global:
controlPlaneSecurityEnabled: false
controlPlaneSecurityEnabled: true

mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
Expand Down
2 changes: 2 additions & 0 deletions install/kubernetes/helm/istio/files/injection-template.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -186,6 +186,8 @@ containers:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: SDS_ENABLED
value: {{ $.Values.global.sds.enabled }}
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
- name: ISTIO_META_INCLUDE_INBOUND_PORTS
Expand Down
2 changes: 1 addition & 1 deletion install/kubernetes/helm/istio/test-values/values-istio-auth-sds.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
global:
controlPlaneSecurityEnabled: false
controlPlaneSecurityEnabled: true

mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
Expand Down
2 changes: 1 addition & 1 deletion install/kubernetes/helm/istio/values-istio-sds-auth.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
global:
controlPlaneSecurityEnabled: false
controlPlaneSecurityEnabled: true

mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
Expand Down
198 changes: 196 additions & 2 deletions pilot/docker/envoy_pilot.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,52 @@ static_resources:
http2_protocol_options: {}
name: mixer_report_server
{{- if .ControlPlaneAuth }}
{{- if .sds_uds_path }}
tls_context:
common_tls_context:
tls_certificate_sds_secret_configs:
- name: default
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
combined_validation_context:
default_validation_context:
verify_subject_alt_name:
- {{ .MixerSubjectAltName }}
validation_context_sds_secret_config:
name: ROOTCA
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
{{- else }}
tls_context:
common_tls_context:
tls_certificates:
Expand All @@ -57,12 +103,13 @@ static_resources:
filename: /etc/certs/root-cert.pem
verify_subject_alt_name:
- {{ .MixerSubjectAltName }}
{{- end }}
{{- end }}
type: STRICT_DNS
dns_lookup_family: "{{ .dns_lookup_family }}"
listeners:
- address:
socket_address:
socket_address:
address: "{{ .wildcard }}"
port_value: 15003
filter_chains:
Expand Down Expand Up @@ -123,6 +170,54 @@ static_resources:
stat_prefix: "15003"
name: envoy.http_connection_manager
{{- if .ControlPlaneAuth }}
{{- if .sds_uds_path }}
tls_context:
common_tls_context:
alpn_protocols:
- http/1.1
tls_certificate_sds_secret_configs:
- name: default
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
combined_validation_context:
default_validation_context:
verify_subject_alt_name: []
validation_context_sds_secret_config:
name: ROOTCA
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
require_client_certificate: true
{{- else }}
tls_context:
common_tls_context:
alpn_protocols:
Expand All @@ -136,6 +231,7 @@ static_resources:
trusted_ca:
filename: /etc/certs/root-cert.pem
require_client_certificate: true
{{- end }}
{{- end }}
name: "15003"
- address:
Expand Down Expand Up @@ -202,6 +298,54 @@ static_resources:
timeout: 0.000s
stat_prefix: "15011"
name: envoy.http_connection_manager
{{- if .sds_uds_path }}
tls_context:
common_tls_context:
alpn_protocols:
- h2
tls_certificate_sds_secret_configs:
- name: default
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
combined_validation_context:
default_validation_context:
verify_subject_alt_name: []
validation_context_sds_secret_config:
name: ROOTCA
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
require_client_certificate: true
{{- else }}
tls_context:
common_tls_context:
alpn_protocols:
Expand All @@ -215,6 +359,7 @@ static_resources:
trusted_ca:
filename: /etc/certs/root-cert.pem
require_client_certificate: true
{{- end }}
name: "15011"
- address:
socket_address:
Expand Down Expand Up @@ -277,6 +422,54 @@ static_resources:
timeout: 0.000s
stat_prefix: "15005"
name: envoy.http_connection_manager
{{- if .sds_uds_path }}
tls_context:
common_tls_context:
alpn_protocols:
- http/1.1
tls_certificate_sds_secret_configs:
- name: default
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
combined_validation_context:
default_validation_context:
verify_subject_alt_name: []
validation_context_sds_secret_config:
name: ROOTCA
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
require_client_certificate: true
{{- else }}
tls_context:
common_tls_context:
alpn_protocols:
Expand All @@ -290,6 +483,7 @@ static_resources:
trusted_ca:
filename: /etc/certs/root-cert.pem
require_client_certificate: true
{{- end }}
name: "15005"
- address:
socket_address:
Expand Down Expand Up @@ -352,4 +546,4 @@ static_resources:
timeout: 0.000s
stat_prefix: "15007"
name: envoy.http_connection_manager
name: "15007"
name: "15007"
Loading

0 comments on commit 90ebc30

Please sign in to comment.