istio app of apps

apps/templates/helm-guestbook.yaml → apps/templates/istio-crds.yaml

@@ -1,16 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: helm-guestbook
+  name: istio-system
   namespace: argocd
   finalizers:
   - resources-finalizer.argocd.argoproj.io
 spec:
   destination:
-    namespace: helm-guestbook
+    namespace: istio-system
     server: {{ .Values.spec.destination.server }}
   project: default
   source:
-    path: helm-guestbook
+    path: istio-crds
     repoURL: {{ .Values.spec.source.repoURL }}
     targetRevision: {{ .Values.spec.source.targetRevision }}
+

apps/templates/kustomize-guestbook.yaml → apps/templates/istio-install.yaml

@@ -1,16 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: kustomize-guestbook
+  name: istio-system
   namespace: argocd
   finalizers:
   - resources-finalizer.argocd.argoproj.io
 spec:
   destination:
-    namespace: kustomize-guestbook
+    namespace: istio-system
     server: {{ .Values.spec.destination.server }}
   project: default
   source:
-    path: kustomize-guestbook
+    path: istio-install
     repoURL: {{ .Values.spec.source.repoURL }}
     targetRevision: {{ .Values.spec.source.targetRevision }}
+

apps/templates/helm-hooks.yaml → apps/templates/istio.yaml

@@ -1,17 +1,16 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: helm-hooks
+  name: istio-system
   namespace: argocd
   finalizers:
   - resources-finalizer.argocd.argoproj.io
 spec:
   destination:
-    namespace: helm-hooks
+    namespace: istio-system
     server: {{ .Values.spec.destination.server }}
   project: default
   source:
-    path: helm-hooks
+    path: istio
     repoURL: {{ .Values.spec.source.repoURL }}
     targetRevision: {{ .Values.spec.source.targetRevision }}
-

apps/templates/namespaces.yaml

@@ -1,21 +1,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: helm-guestbook
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: helm-hooks
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: kustomize-guestbook
+  name: istio-system
   annotations:
     argocd.argoproj.io/sync-wave: "-1"
 ---

apps/values.yaml

@@ -2,5 +2,5 @@ spec:
   destination:
     server: https://kubernetes.default.svc
   source:
-    repoURL: https://github.com/argoproj/argocd-example-apps
-    targetRevision: HEAD
+    repoURL: https://github.com/arun-vc/argocd-example-apps
+    targetRevision: HEAD

istio-crds/base/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- crds.yaml
+namespace: kubeflow

istio-crds/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- base
+kind: Kustomization
+namespace: istio-system

istio-install/base/kustomization.yaml

@@ -0,0 +1,39 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- istio-noauth.yaml
+namespace: kubeflow
+images:
+- name: docker.io/istio/kubectl
+  newName: docker.io/istio/kubectl
+  newTag: 1.1.6
+- name: docker.io/istio/galley
+  newName: docker.io/istio/galley
+  newTag: 1.1.6
+- name: docker.io/istio/proxyv2
+  newName: docker.io/istio/proxyv2
+  newTag: 1.1.6
+- name: grafana/grafana
+  newName: grafana/grafana
+  newTag: 6.0.2
+- name: docker.io/kiali/kiali
+  newName: docker.io/kiali/kiali
+  newTag: v0.16
+- name: docker.io/istio/mixer
+  newName: docker.io/istio/mixer
+  newTag: 1.1.6
+- name: docker.io/istio/pilot
+  newName: docker.io/istio/pilot
+  newTag: 1.1.6
+- name: docker.io/prom/prometheus
+  newName: docker.io/prom/prometheus
+  newTag: v2.3.1
+- name: docker.io/istio/citadel
+  newName: docker.io/istio/citadel
+  newTag: 1.1.6
+- name: docker.io/istio/sidecar_injector
+  newName: docker.io/istio/sidecar_injector
+  newTag: 1.1.6
+- name: docker.io/jaegertracing/all-in-one
+  newName: docker.io/jaegertracing/all-in-one
+  newTag: '1.9'

istio-install/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- base
+kind: Kustomization
+namespace: istio-system

istio/base/README.md

@@ -0,0 +1,7 @@
+# Manifest for Istio in Kubeflow
+
+- `install` dir contains the manifest to install Istio
+- kf-istio-resources.yaml has
+  - Gateway for routing
+  - VirtualService for Grafana
+  - ServiceEntry and VirtualService for egress traffic

istio/base/cluster-roles.yaml

@@ -0,0 +1,51 @@
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubeflow-istio-admin
+  labels:
+    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
+aggregationRule:
+  clusterRoleSelectors:
+  - matchLabels:
+      rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubeflow-istio-edit
+  labels:
+    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
+rules:
+- apiGroups: ["istio.io"]
+  resources: ["*"]
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubeflow-istio-view
+  labels:
+    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+rules:
+- apiGroups: ["istio.io"]
+  resources: ["*"]
+  verbs:
+  - get
+  - list
+  - watch

istio/base/kf-istio-resources.yaml

@@ -0,0 +1,110 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: kubeflow-gateway
+spec:
+  selector:
+    istio: $(gatewaySelector)
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+    - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: grafana-vs
+spec:
+  hosts:
+  - "*"
+  gateways:
+  - "kubeflow-gateway"
+  http:
+  - match:
+    - uri:
+        prefix: "/istio/grafana/"
+      method:
+        exact: "GET"
+    rewrite:
+      uri: "/"
+    route:
+    - destination:
+        host: "grafana.istio-system.svc.cluster.local"
+        port:
+          number: 3000
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: google-api-entry
+spec:
+  hosts:
+  - www.googleapis.com
+  ports:
+  - number: 443
+    name: https
+    protocol: HTTPS
+  resolution: DNS
+  location: MESH_EXTERNAL
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: google-api-vs
+spec:
+  hosts:
+  - www.googleapis.com
+  tls:
+  - match:
+    - port: 443
+      sni_hosts:
+      - www.googleapis.com
+    route:
+    - destination:
+        host: www.googleapis.com
+        port:
+          number: 443
+      weight: 100
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: google-storage-api-entry
+spec:
+  hosts:
+  - storage.googleapis.com
+  ports:
+  - number: 443
+    name: https
+    protocol: HTTPS
+  resolution: DNS
+  location: MESH_EXTERNAL
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: google-storage-api-vs
+spec:
+  hosts:
+  - storage.googleapis.com
+  tls:
+  - match:
+    - port: 443
+      sni_hosts:
+      - storage.googleapis.com
+    route:
+    - destination:
+        host: storage.googleapis.com
+        port:
+          number: 443
+      weight: 100
+---
+apiVersion: rbac.istio.io/v1alpha1
+kind: ClusterRbacConfig
+metadata:
+  name: default
+spec:
+  mode: $(clusterRbacConfig)

istio/base/kustomization.yaml

@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- kf-istio-resources.yaml
+- cluster-roles.yaml
+namespace: kubeflow
+configMapGenerator:
+- name: istio-parameters
+  env: params.env
+vars:
+- name: clusterRbacConfig
+  objref:
+    kind: ConfigMap
+    name: istio-parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.clusterRbacConfig
+- name: gatewaySelector
+  objref:
+    kind: ConfigMap
+    name: istio-parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.gatewaySelector
+configurations:
+- params.yaml

istio/base/params.env

@@ -0,0 +1,2 @@
+clusterRbacConfig=ON
+gatewaySelector=ingressgateway

istio/base/params.yaml

@@ -0,0 +1,5 @@
+varReference:
+- path: spec/mode
+  kind: ClusterRbacConfig
+- path: spec/selector
+  kind: Gateway

istio/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- base
+kind: Kustomization
+namespace: kubeflow

istio/overlays/https-gateway/kf-istio-resources.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: kubeflow-gateway
+spec:
+  selector:
+    istio: $(gatewaySelector)
+  servers:
+  - hosts:
+    - '*'
+    port:
+      name: https
+      number: 443
+      protocol: HTTPS
+    tls:
+      mode: SIMPLE
+      privateKey: /etc/istio/ingressgateway-certs/tls.key
+      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

istio/overlays/https-gateway/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+patchesStrategicMerge:
+- kf-istio-resources.yaml
+
+configMapGenerator:
+- name: istio-parameters
+  behavior: merge
+  env: params.env
+configurations:
+- params.yaml

istio/overlays/https-gateway/params.env

@@ -0,0 +1 @@
+gatewaySelector=ingressgateway

istio/overlays/https-gateway/params.yaml

@@ -0,0 +1,3 @@
+varReference:
+- path: spec/selector
+  kind: Gateway