Fixed Rancher & Keycloak Istio issues

Signed-off-by: Lalith Kota <[email protected]>
OpenG2P · May 22, 2024 · af5521e · af5521e
1 parent 5a437e7
commit af5521e
Show file tree

Hide file tree

Showing 14 changed files with 64 additions and 90 deletions.
diff --git a/kubernetes/istio/istio-gateway-tls.yaml b/kubernetes/istio/istio-gateway-tls.yaml
@@ -10,17 +10,17 @@ spec:
   - hosts:
     - ${WILDCARD_HOSTNAME}
     port:
-      name: http
-      number: 80
-      protocol: HTTP
+      name: http2
+      number: 8080
+      protocol: HTTP2
     tls:
       httpsRedirect: true
   - hosts:
     - ${WILDCARD_HOSTNAME}
     port:
       name: https
-      number: 443
-      protocol: HTTPS
+      number: 8443
+      protocol: HTTP2
     tls:
       credentialName: tls-openg2p-ingress
       mode: SIMPLE
diff --git a/kubernetes/istio/istio-gateway.yaml b/kubernetes/istio/istio-gateway.yaml
@@ -10,17 +10,17 @@ spec:
   - hosts:
     - ${WILDCARD_HOSTNAME}
     port:
-      name: http-redirect-https
-      number: 81
-      protocol: HTTP
+      name: http2-redirect-https
+      number: 8081
+      protocol: HTTP2
     tls:
       httpsRedirect: true
   - hosts:
     - ${WILDCARD_HOSTNAME}
     port:
-      name: http
-      number: 80
-      protocol: HTTP
+      name: http2
+      number: 8080
+      protocol: HTTP2
 ---
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
@@ -34,14 +34,14 @@ spec:
   - hosts:
     - ${WILDCARD_HOSTNAME}
     port:
-      name: http-redirect-https
-      number: 81
-      protocol: HTTP
+      name: http2-redirect-https
+      number: 8081
+      protocol: HTTP2
     tls:
       httpsRedirect: true
   - hosts:
     - ${WILDCARD_HOSTNAME}
     port:
-      name: http
-      number: 80
-      protocol: HTTP
+      name: http2
+      number: 8080
+      protocol: HTTP2
diff --git a/kubernetes/istio/istio-operator-no-external-lb.yaml b/kubernetes/istio/istio-operator-no-external-lb.yaml
@@ -47,16 +47,13 @@ spec:
         service:
           type: ClusterIP
           ports:
-          - port: 15021
-            name: status-port
-            targetPort: 15021
-            protocol: TCP
-          - port: 443
-            targetPort: 8443
-            name: https
-          - port: 80
+          - name: tcp-status-port
+            port: 15021
+          - name: http2
+            port: 80
             targetPort: 8080
-            name: http2
-          - port: 5432
-            targetPort: 5432
-            name: tcp-postgres
+          - name: https
+            port: 443
+            targetPort: 8443
+          - name: tcp-postgres
+            port: 5432
diff --git a/kubernetes/keycloak/base-istio-operator.yaml → ...etes/istio/istio-operator-no-ingress.yaml b/kubernetes/keycloak/base-istio-operator.yaml → ...etes/istio/istio-operator-no-ingress.yaml
@@ -15,4 +15,6 @@ spec:
         ISTIO_META_IDLE_TIMEOUT: 0s
       holdApplicationUntilProxyStarts: true
   components:
-    ingressGateways: []
+    ingressGateways:
+    - name: istio-ingressgateway
+      enabled: false
diff --git a/kubernetes/istio/istio-operator.yaml b/kubernetes/istio/istio-operator.yaml
@@ -30,20 +30,18 @@ spec:
           ports:
           - name: tcp-status-port
             port: 15021
-            targetPort: 15021
             nodePort: 30521
           - name: http2
             port: 80
             targetPort: 8080
             nodePort: 30080
-          - name: tcp-postgres
-            port: 5432
-            targetPort: 5432
-            nodePort: 30432
-          - name: http-redirect-https
+          - name: http2-redirect-https
             port: 81
             targetPort: 8081
             nodePort: 30081
+          - name: tcp-postgres
+            port: 5432
+            nodePort: 30432
     - name: istio-ingressgateway-public
       enabled: false
       label:
@@ -58,17 +56,12 @@ spec:
           ports:
           - name: tcp-status-port
             port: 15021
-            targetPort: 15021
             nodePort: 31521
           - name: http2
             port: 80
             targetPort: 8080
             nodePort: 31080
-          - name: tcp-postgres
-            port: 5432
-            targetPort: 5432
-            nodePort: 31432
-          - name: http-redirect-https
+          - name: http2-redirect-https
             port: 81
             targetPort: 8081
             nodePort: 31081
diff --git a/kubernetes/keycloak/install.sh b/kubernetes/keycloak/install.sh
@@ -1,17 +1,16 @@
 #!/usr/bin/env bash
 
 export KEYCLOAK_HOSTNAME=${KEYCLOAK_HOSTNAME:-keycloak.openg2p.net}
+export KEYCLOAK_ISTIO_OPERATOR=${KEYCLOAK_ISTIO_OPERATOR:-true}
 export TLS=${TLS:-false}
-export ISTIO_OPERATOR=${ISTIO_OPERATOR:-true}
 export NS=${NS:-keycloak-system}
 
 kubectl create ns $NS
 
 helm -n $NS upgrade --install keycloak oci://registry-1.docker.io/bitnamicharts/keycloak \
     -f values-keycloak.yaml
 
-if [[ "$ISTIO_OPERATOR" == "true" ]]; then
-    kubectl apply -f base-istio-operator.yaml
+if [[ "$KEYCLOAK_ISTIO_OPERATOR" == "true" ]]; then
     kubectl apply -f istio-operator.yaml
 fi
 

diff --git a/kubernetes/keycloak/istio-operator.yaml b/kubernetes/keycloak/istio-operator.yaml
@@ -18,6 +18,8 @@ spec:
     base:
       enabled: false
     ingressGateways:
+    - name: istio-ingressgateway
+      enabled: false
     - name: istio-ingressgateway-keycloak
       enabled: true
       label:
@@ -33,13 +35,12 @@ spec:
           ports:
           - name: tcp-status-port
             port: 15021
-            targetPort: 15021
             nodePort: 31521
           - name: http2
             port: 80
             targetPort: 8080
             nodePort: 31080
-          - name: http-redirect-https
+          - name: http2-redirect-https
             port: 81
             targetPort: 8081
             nodePort: 31081
diff --git a/kubernetes/keycloak/istio-virtualservice-tls.template.yaml b/kubernetes/keycloak/istio-virtualservice-tls.template.yaml
@@ -9,16 +9,16 @@ spec:
   - hosts:
     - ${KEYCLOAK_HOSTNAME}
     port:
-      name: http
-      number: 80
-      protocol: HTTP
+      name: http2
+      number: 8080
+      protocol: HTTP2
     tls:
       httpsRedirect: true
   - hosts:
     - ${KEYCLOAK_HOSTNAME}
     port:
       name: https
-      number: 443
+      number: 8443
       protocol: HTTPS
     tls:
       credentialName: tls-keycloak-ingress

diff --git a/kubernetes/keycloak/istio-virtualservice.template.yaml b/kubernetes/keycloak/istio-virtualservice.template.yaml
@@ -9,17 +9,17 @@ spec:
   - hosts:
     - ${KEYCLOAK_HOSTNAME}
     port:
-      name: http-redirect-https
-      number: 81
-      protocol: HTTP
+      name: http2-redirect-https
+      number: 8081
+      protocol: HTTP2
     tls:
       httpsRedirect: true
   - hosts:
     - ${KEYCLOAK_HOSTNAME}
     port:
-      name: http
-      number: 80
-      protocol: HTTP
+      name: http2
+      number: 8080
+      protocol: HTTP2
 ---
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService

diff --git a/kubernetes/rancher/base-istio-operator.yaml b/kubernetes/rancher/base-istio-operator.yaml
diff --git a/kubernetes/rancher/install.sh b/kubernetes/rancher/install.sh
@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 
 export RANCHER_HOSTNAME=${RANCHER_HOSTNAME:-rancher.openg2p.net}
+export RANCHER_ISTIO_OPERATOR=${RANCHER_ISTIO_OPERATOR:-true}
 export TLS=${TLS:-false}
-export ISTIO_OPERATOR=${ISTIO_OPERATOR:-true}
 export NS=${NS:-cattle-system}
 
 kubectl create ns $NS
@@ -14,8 +14,7 @@ helm -n $NS upgrade --install rancher rancher-latest/rancher \
     --set ingress.enabled=false \
     --set tls=external
 
-if [[ "$ISTIO_OPERATOR" == "true" ]]; then
-    kubectl apply -f base-istio-operator.yaml
+if [[ "$RANCHER_ISTIO_OPERATOR" == "true" ]]; then
     kubectl apply -f istio-operator.yaml
 fi
 

diff --git a/kubernetes/rancher/istio-operator.yaml b/kubernetes/rancher/istio-operator.yaml
@@ -18,6 +18,8 @@ spec:
     base:
       enabled: false
     ingressGateways:
+    - name: istio-ingressgateway
+      enabled: false
     - name: istio-ingressgateway-rancher
       enabled: true
       label:
@@ -33,13 +35,12 @@ spec:
           ports:
           - name: tcp-status-port
             port: 15021
-            targetPort: 15021
             nodePort: 30521
           - name: http2
             port: 80
             targetPort: 8080
             nodePort: 30080
-          - name: http-redirect-https
+          - name: http2-redirect-https
             port: 81
             targetPort: 8081
             nodePort: 30081
diff --git a/kubernetes/rancher/istio-virtualservice-tls.template.yaml b/kubernetes/rancher/istio-virtualservice-tls.template.yaml
@@ -9,16 +9,16 @@ spec:
   - hosts:
     - ${RANCHER_HOSTNAME}
     port:
-      name: http
-      number: 80
-      protocol: HTTP
+      name: http2
+      number: 8080
+      protocol: HTTP2
     tls:
       httpsRedirect: true
   - hosts:
     - ${RANCHER_HOSTNAME}
     port:
       name: https
-      number: 443
+      number: 8443
       protocol: HTTPS
     tls:
       credentialName: tls-rancher-ingress

diff --git a/kubernetes/rancher/istio-virtualservice.template.yaml b/kubernetes/rancher/istio-virtualservice.template.yaml
@@ -9,17 +9,17 @@ spec:
   - hosts:
     - ${RANCHER_HOSTNAME}
     port:
-      name: http-redirect-https
-      number: 81
-      protocol: HTTP
+      name: http2-redirect-https
+      number: 8081
+      protocol: HTTP2
     tls:
       httpsRedirect: true
   - hosts:
     - ${RANCHER_HOSTNAME}
     port:
-      name: http
-      number: 80
-      protocol: HTTP
+      name: http2
+      number: 8080
+      protocol: HTTP2
 ---
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService