

Fixing the helm templates to support Control Plane SDS (#16466)
* support control plane SDS

* test control plane SDS

* revise

* revise

* revise

* set env

* revise

* revise

* revise

* revise

* revise

* revise

* template change for SDS control plane

* revise

* update

* fix unit tests

* fix tests

* enable control plane SDS
JimmyCYJ authored and istio-testing committed Aug 24, 2019
1 parent 3c79be7 commit 90ebc30
Showing 83 changed files with 1,274 additions and 13 deletions.
Expand Up @@ -236,6 +236,8 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: SDS_ENABLED
value: "{{ $.Values.global.sds.enabled }}"
- name: ISTIO_META_WORKLOAD_NAME
value: {{ $key }}
- name: ISTIO_META_OWNER
Expand Up @@ -152,6 +152,8 @@
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: SDS_ENABLED
value: "{{ $.Values.global.sds.enabled }}"
resources:
{{- if $.Values.global.proxy.resources }}
{{ toYaml $.Values.global.proxy.resources | indent 10 }}
Expand Down Expand Up @@ -336,6 +338,8 @@
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: SDS_ENABLED
value: "{{ $.Values.global.sds.enabled }}"
resources:
{{- if $.Values.global.proxy.resources }}
{{ toYaml $.Values.global.proxy.resources | indent 10 }}
Expand Up @@ -173,6 +173,8 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: SDS_ENABLED
value: "{{ $.Values.global.sds.enabled }}"
resources:
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 12 }}
@@ -1,5 +1,5 @@
global:
controlPlaneSecurityEnabled: false
controlPlaneSecurityEnabled: true

mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
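Review bot: The flip to `controlPlaneSecurityEnabled: true` carries no comment, while the neighbouring keys in this values file are each explained; a reader cannot tell why an SDS values profile now mandates TLS toward the control plane. Suggest a comment above the key such as `# Required for control plane SDS: the pilot/mixer bootstrap in this release fetches the proxy's control-plane TLS certificates over SDS, which only applies when control plane security is on` — wording to be confirmed against the pilot bootstrap template. The same one-line change is made in the two other values files on this page (the last of them named as values-istio-sds-auth.yaml), so the comment should be added in each.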
2 changes: 2 additions & 0 deletions install/kubernetes/helm/istio/files/injection-template.yaml
Expand Up @@ -186,6 +186,8 @@ containers:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: SDS_ENABLED
value: {{ $.Values.global.sds.enabled }}
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
- name: ISTIO_META_INCLUDE_INBOUND_PORTS
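Review bot: `value: {{ $.Values.global.sds.enabled }}` on the new SDS_ENABLED line is unquoted, whereas the other three templates in this commit render the same value as `"{{ $.Values.global.sds.enabled }}"`. A Go-template boolean renders as bare `true`/`false`, which a YAML loader types as a boolean, and a container env `value` is a string — the rendered pod spec would presumably fail to unmarshal, or the variable be rejected, depending on the loader that consumes this injection template. Change it to `value: "{{ $.Values.global.sds.enabled }}"` to match the sibling templates and the existing quoted `ISTIO_META_INTERCEPTION_MODE` line directly below it.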
@@ -1,5 +1,5 @@
global:
controlPlaneSecurityEnabled: false
controlPlaneSecurityEnabled: true

mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
2 changes: 1 addition & 1 deletion install/kubernetes/helm/istio/values-istio-sds-auth.yaml
@@ -1,5 +1,5 @@
global:
controlPlaneSecurityEnabled: false
controlPlaneSecurityEnabled: true

mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
198 changes: 196 additions & 2 deletions pilot/docker/envoy_pilot.yaml.tmpl
Expand Up @@ -45,6 +45,52 @@ static_resources:
http2_protocol_options: {}
name: mixer_report_server
{{- if .ControlPlaneAuth }}
{{- if .sds_uds_path }}
tls_context:
common_tls_context:
tls_certificate_sds_secret_configs:
- name: default
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
combined_validation_context:
default_validation_context:
verify_subject_alt_name:
- {{ .MixerSubjectAltName }}
validation_context_sds_secret_config:
name: ROOTCA
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
{{- else }}
tls_context:
common_tls_context:
tls_certificates:
Expand All @@ -57,12 +103,13 @@ static_resources:
filename: /etc/certs/root-cert.pem
verify_subject_alt_name:
- {{ .MixerSubjectAltName }}
{{- end }}
{{- end }}
type: STRICT_DNS
dns_lookup_family: "{{ .dns_lookup_family }}"
listeners:
- address:
socket_address:
socket_address:
address: "{{ .wildcard }}"
port_value: 15003
filter_chains:
Expand Down Expand Up @@ -123,6 +170,54 @@ static_resources:
stat_prefix: "15003"
name: envoy.http_connection_manager
{{- if .ControlPlaneAuth }}
{{- if .sds_uds_path }}
tls_context:
common_tls_context:
alpn_protocols:
- http/1.1
tls_certificate_sds_secret_configs:
- name: default
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
combined_validation_context:
default_validation_context:
verify_subject_alt_name: []
validation_context_sds_secret_config:
name: ROOTCA
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
require_client_certificate: true
{{- else }}
tls_context:
common_tls_context:
alpn_protocols:
Expand All @@ -136,6 +231,7 @@ static_resources:
trusted_ca:
filename: /etc/certs/root-cert.pem
require_client_certificate: true
{{- end }}
{{- end }}
name: "15003"
- address:
Expand Down Expand Up @@ -202,6 +298,54 @@ static_resources:
timeout: 0.000s
stat_prefix: "15011"
name: envoy.http_connection_manager
{{- if .sds_uds_path }}
tls_context:
common_tls_context:
alpn_protocols:
- h2
tls_certificate_sds_secret_configs:
- name: default
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
combined_validation_context:
default_validation_context:
verify_subject_alt_name: []
validation_context_sds_secret_config:
name: ROOTCA
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
require_client_certificate: true
{{- else }}
tls_context:
common_tls_context:
alpn_protocols:
Expand All @@ -215,6 +359,7 @@ static_resources:
trusted_ca:
filename: /etc/certs/root-cert.pem
require_client_certificate: true
{{- end }}
name: "15011"
- address:
socket_address:
Expand Down Expand Up @@ -277,6 +422,54 @@ static_resources:
timeout: 0.000s
stat_prefix: "15005"
name: envoy.http_connection_manager
{{- if .sds_uds_path }}
tls_context:
common_tls_context:
alpn_protocols:
- http/1.1
tls_certificate_sds_secret_configs:
- name: default
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
combined_validation_context:
default_validation_context:
verify_subject_alt_name: []
validation_context_sds_secret_config:
name: ROOTCA
sds_config:
api_config_source:
api_type: GRPC
grpc_services:
- google_grpc:
target_uri: {{ .sds_uds_path }}
channel_credentials:
local_credentials: {}
call_credentials:
- from_plugin:
name: envoy.grpc_credentials.file_based_metadata
config:
header_key: istio_sds_credentials_header-bin
secret_data:
filename: {{ .sds_token_path }}
credentials_factory_name: envoy.grpc_credentials.file_based_metadata
stat_prefix: sdsstat
require_client_certificate: true
{{- else }}
tls_context:
common_tls_context:
alpn_protocols:
Expand All @@ -290,6 +483,7 @@ static_resources:
trusted_ca:
filename: /etc/certs/root-cert.pem
require_client_certificate: true
{{- end }}
name: "15005"
- address:
socket_address:
Expand Down Expand Up @@ -352,4 +546,4 @@ static_resources:
timeout: 0.000s
stat_prefix: "15007"
name: envoy.http_connection_manager
name: "15007"
name: "15007"
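Review bot: `target_uri: {{ .sds_uds_path }}` and `filename: {{ .sds_token_path }}` are emitted as unquoted plain scalars in all eight new `sds_config` blocks, while the rest of this template quotes its substitutions (`dns_lookup_family: "{{ .dns_lookup_family }}"`, `address: "{{ .wildcard }}"`); the outer `{{- if .sds_uds_path }}` guards only the socket path, so an unset token path renders `filename:` as YAML null and the bootstrap fails validation with an unhelpful message, and any value beginning with a YAML indicator would mis-parse. Quote both, `target_uri: "{{ .sds_uds_path }}"` and `filename: "{{ .sds_token_path }}"`, and consider guarding on `.sds_token_path` as well. The ~45-line SDS stanza is repeated nearly verbatim for the mixer_report_server cluster and the 15003, 15011 and 15005 listeners, differing only in `alpn_protocols` and the SAN list; if the bootstrap renderer supports it, a `{{ define }}`/`{{ template }}` block (indentation permitting) would keep the four copies from drifting. Separately, the three listener-side `default_validation_context` entries set `verify_subject_alt_name: []`, so a client certificate is accepted on chain validity alone — if the file-based `else` branches for these listeners (cut off on this page) pin SANs, the SDS branch should match them; if they do not, a short comment stating that authorization is enforced elsewhere would save the next reader the same question.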
