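# Istio 1.4.7 control plane, installed via the upstream Helm module.
#
# NOTE(review): the module `source` carries no `?ref=`, so Terraform follows
# the repository's default branch and any upstream push changes what this
# module deploys. Pin it to a tag or commit (`...istio.git?ref=<tag>`) before
# relying on it — this is a software-supply-chain exposure, not a style nit.
module "helm_istio" {
  source        = "git::https://github.com/canada-ca-terraform-modules/terraform-kubernetes-istio.git"
  chart_version = "1.4.7"

  # The istio-system namespace must exist before the release is installed.
  dependencies = [
    "${module.namespace_istio_system.depended_on}",
  ]

  # Helm 2 (Tiller) install. Tiller's RBAC binding is defined outside this
  # file; everything that account may do is reachable by anyone who can reach
  # Tiller, so keep it as narrowly scoped as the Istio install permits.
  helm_service_account = "tiller"
  helm_namespace       = "${kubernetes_namespace.istio_system.metadata.0.name}"
  helm_repository      = "istio"

  # Chart values. Key names must match the chart exactly: Helm 2 has no schema
  # for these charts and silently ignores an unknown (e.g. misspelled) key.
  values = <<EOF
global:
  # Serve Kubernetes Ingress resources through Istio. This makes Istio create the
  # "istio-autogenerated-k8s-ingress" gateway; its HTTPS server is finished off by
  # null_resource.add_https_to_ingress_gateway below (httpsRedirect + SDS cert).
  k8sIngress:
    enabled: true
    enableHttps: true
  # mTLS between the control-plane components themselves.
  # Fixed: this key used to read "controlPlanSecurityEnabled" (missing "e"),
  # which the chart ignored, so control-plane security was never actually turned on.
  controlPlaneSecurityEnabled: true
  # Mixer policy checks stay on and fail CLOSED: if the policy service is
  # unreachable the request is denied instead of being let through.
  disablePolicyChecks: false
  policyCheckFailOpen: false
  enableTracing: false
  # Workload-to-workload mTLS, mesh-wide.
  mtls:
    enabled: true
  # NOTE(review): ALLOW_ANY lets every sidecar reach any external host.
  # REGISTRY_ONLY restricts egress to declared ServiceEntries; it is not changed
  # here because it breaks workloads relying on undeclared egress — decide deliberately.
  outboundTrafficPolicy:
    mode: ALLOW_ANY
sidecarInjectorWebhook:
  enabled: true
  # Rewrite HTTP liveness/readiness probes so kubelet reaches the app through
  # the sidecar; otherwise probes fail once mTLS is enforced.
  rewriteAppHTTPProbe: true
pilot:
  # Protocol comes from the port name only; no traffic sniffing on either side.
  enableProtocolSniffingForInbound: false
  enableProtocolSniffingForOutbound: false
  autoscaleEnabled: true
  autoscaleMin: 2
  autoscaleMax: 5
galley:
  autoscaleEnabled: true
  autoscaleMin: 2
  autoscaleMax: 5
mixer:
  policy:
    autoscaleEnabled: true
    autoscaleMin: 2
    autoscaleMax: 5
  telemetry:
    autoscaleEnabled: true
    autoscaleMin: 2
    autoscaleMax: 5
gateways:
  istio-ingressgateway:
    # Gateway certificates are fetched through SDS rather than mounted from a
    # secret volume; the patch below references the "wildcard-tls" credential this way.
    sds:
      enabled: true
    autoscaleEnabled: true
    autoscaleMin: 2
    autoscaleMax: 5
# Citadel (mesh CA): two replicas for availability.
security:
  replicaCount: 2
kiali:
  enabled: true
  contextPath: /
  # NOTE(review): Kiali is published on a public hostname. Nothing in this file
  # configures its authentication, so whatever the chart default is applies — confirm
  # before exposing. TLS is terminated by the Istio ingress gateway (wildcard-tls via
  # the patch below), which is why no Ingress-level TLS is set here.
  ingress:
    enabled: true
    hosts:
      - istio-kiali.${var.ingress_domain}
    annotations:
      kubernetes.io/ingress.class: "istio"
    # Intentionally empty; if Ingress-level TLS were used, the secret would have to be
    # created manually in this namespace (e.g. secretName: kiali-tls).
    tls: []
  dashboard:
    grafanaURL: https://istio-grafana.${var.ingress_domain}
grafana:
  enabled: true
  contextPath: /
  # NOTE(review): same exposure as Kiali. The Istio Grafana chart does not enable
  # dashboard login unless `grafana.security.enabled` is set, which this file does
  # not do — confirm the dashboard is not reachable anonymously from the internet.
  ingress:
    enabled: true
    hosts:
      - istio-grafana.${var.ingress_domain}
    annotations:
      kubernetes.io/ingress.class: "istio"
    # Intentionally empty; see the Kiali note above (secretName: grafana-tls if used).
    tls: []
prometheus:
  enabled: true
EOF
}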
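# Finishes HTTPS on the gateway Istio generates for Kubernetes Ingress resources
# (created because global.k8sIngress.enableHttps is set in module.helm_istio).
#
# NOTE(review): both steps shell out to kubectl with whatever kubeconfig/context
# the Terraform runner has, and the result lives outside Terraform state: if
# Istio regenerates the gateway (e.g. after a chart upgrade) the TLS settings
# are lost and `terraform plan` will not notice. With no `triggers` this runs
# once, on creation only — add a trigger tied to the release if re-application
# is needed.
resource "null_resource" "add_https_to_ingress_gateway" {
  # Server 0 is assumed to be the plain-HTTP listener: redirect it to HTTPS.
  # The namespace is taken from the same resource the Helm release uses rather
  # than a second hard-coded "istio-system".
  provisioner "local-exec" {
    command = "kubectl -n ${kubernetes_namespace.istio_system.metadata.0.name} patch gateway istio-autogenerated-k8s-ingress --type=json --patch='[{\"op\": \"add\", \"path\": \"/spec/servers/0/tls\", \"value\": {\"httpsRedirect\": true}}]'"
  }

  # Server 1 is assumed to be the HTTPS listener: terminate TLS with the
  # "wildcard-tls" credential delivered via SDS (gateways.istio-ingressgateway.sds).
  # That secret is NOT created in this file — it must already exist in the
  # gateway's namespace, or the listener has no usable certificate.
  # `replace` requires the path to exist (RFC 6902), so a gateway without a
  # second server makes the apply fail loudly instead of silently serving HTTP only.
  provisioner "local-exec" {
    command = "kubectl -n ${kubernetes_namespace.istio_system.metadata.0.name} patch gateway istio-autogenerated-k8s-ingress --type=json --patch='[{\"op\": \"replace\", \"path\": \"/spec/servers/1/tls\", \"value\": {\"credentialName\": \"wildcard-tls\", \"mode\": \"SIMPLE\", \"privateKey\": \"sds\", \"serverCertificate\": \"sds\"}}]'"
  }

  depends_on = [
    "module.helm_istio",
  ]
}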