From af5521ee16946c2a8853af0dd5120cab277d8067 Mon Sep 17 00:00:00 2001
From: Lalith Kota
Date: Wed, 22 May 2024 06:51:36 +0530
Subject: [PATCH] Fixed Rancher & Keycloak Istio issues
Signed-off-by: Lalith Kota
---
 kubernetes/istio/istio-gateway-tls.yaml | 10 ++++----
 kubernetes/istio/istio-gateway.yaml | 24 +++++++++----------
 .../istio/istio-operator-no-external-lb.yaml | 21 +++++++---------
 .../istio-operator-no-ingress.yaml} | 4 +++-
 kubernetes/istio/istio-operator.yaml | 17 ++++---------
 kubernetes/keycloak/install.sh | 5 ++--
 kubernetes/keycloak/istio-operator.yaml | 5 ++--
 .../istio-virtualservice-tls.template.yaml | 8 +++---
 .../istio-virtualservice.template.yaml | 12 +++++-----
 kubernetes/rancher/base-istio-operator.yaml | 18 --------------
 kubernetes/rancher/install.sh | 5 ++--
 kubernetes/rancher/istio-operator.yaml | 5 ++--
 .../istio-virtualservice-tls.template.yaml | 8 +++---
 .../istio-virtualservice.template.yaml | 12 +++++-----
 14 files changed, 64 insertions(+), 90 deletions(-)
 rename kubernetes/{keycloak/base-istio-operator.yaml => istio/istio-operator-no-ingress.yaml} (84%)
 delete mode 100644 kubernetes/rancher/base-istio-operator.yaml
diff --git a/kubernetes/istio/istio-gateway-tls.yaml b/kubernetes/istio/istio-gateway-tls.yaml
index 57b6ca5..b34e495 100644
--- a/kubernetes/istio/istio-gateway-tls.yaml
+++ b/kubernetes/istio/istio-gateway-tls.yaml
@@ -10,17 +10,17 @@ spec:
 - hosts:
 - ${WILDCARD_HOSTNAME}
 port:
- name: http
- number: 80
- protocol: HTTP
+ name: http2
+ number: 8080
+ protocol: HTTP2
 tls:
 httpsRedirect: true
 - hosts:
 - ${WILDCARD_HOSTNAME}
 port:
 name: https
- number: 443
- protocol: HTTPS
+ number: 8443
+ protocol: HTTP2
 tls:
 credentialName: tls-openg2p-ingress
 mode: SIMPLE
diff --git a/kubernetes/istio/istio-gateway.yaml b/kubernetes/istio/istio-gateway.yaml
index 5afcae7..8eda343 100644
--- a/kubernetes/istio/istio-gateway.yaml
+++ b/kubernetes/istio/istio-gateway.yaml
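Review bot: The TLS-terminating server on port 8443 in istio-gateway-tls.yaml now declares `protocol: HTTP2` together with `tls.mode: SIMPLE`, while the keycloak and rancher istio-virtualservice-tls templates changed in this same commit keep `protocol: HTTPS` for their 8443 server, so the two shapes diverge for no stated reason. Istio's Gateway spec documents HTTPS (or TLS) as the protocol for a server that carries TLS termination settings; unless an HTTP2 server with `mode: SIMPLE` has been confirmed to terminate TLS in the deployed Istio version, keep `protocol: HTTPS` on the 8443 server here to match the other templates. The redirect server on 8080 (`httpsRedirect: true`) is unaffected by this point.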
@@ -10,17 +10,17 @@ spec:
 - hosts:
 - ${WILDCARD_HOSTNAME}
 port:
- name: http-redirect-https
- number: 81
- protocol: HTTP
+ name: http2-redirect-https
+ number: 8081
+ protocol: HTTP2
 tls:
 httpsRedirect: true
 - hosts:
 - ${WILDCARD_HOSTNAME}
 port:
- name: http
- number: 80
- protocol: HTTP
+ name: http2
+ number: 8080
+ protocol: HTTP2
 ---
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
@@ -34,14 +34,14 @@ spec:
 - hosts:
 - ${WILDCARD_HOSTNAME}
 port:
- name: http-redirect-https
- number: 81
- protocol: HTTP
+ name: http2-redirect-https
+ number: 8081
+ protocol: HTTP2
 tls:
 httpsRedirect: true
 - hosts:
 - ${WILDCARD_HOSTNAME}
 port:
- name: http
- number: 80
- protocol: HTTP
+ name: http2
+ number: 8080
+ protocol: HTTP2
diff --git a/kubernetes/istio/istio-operator-no-external-lb.yaml b/kubernetes/istio/istio-operator-no-external-lb.yaml
index f956d8a..3deab92 100644
--- a/kubernetes/istio/istio-operator-no-external-lb.yaml
+++ b/kubernetes/istio/istio-operator-no-external-lb.yaml
@@ -47,16 +47,13 @@ spec:
 service:
 type: ClusterIP
 ports:
- - port: 15021
- name: status-port
- targetPort: 15021
- protocol: TCP
- - port: 443
- targetPort: 8443
- name: https
- - port: 80
+ - name: tcp-status-port
+ port: 15021
+ - name: http2
+ port: 80
 targetPort: 8080
- name: http2
- - port: 5432
- targetPort: 5432
- name: tcp-postgres
+ - name: https
+ port: 443
+ targetPort: 8443
+ - name: tcp-postgres
+ port: 5432
diff --git a/kubernetes/keycloak/base-istio-operator.yaml b/kubernetes/istio/istio-operator-no-ingress.yaml
similarity index 84%
rename from kubernetes/keycloak/base-istio-operator.yaml
rename to kubernetes/istio/istio-operator-no-ingress.yaml
index 8b7c49c..fd1be4e 100644
--- a/kubernetes/keycloak/base-istio-operator.yaml
+++ b/kubernetes/istio/istio-operator-no-ingress.yaml
@@ -15,4 +15,6 @@ spec:
 ISTIO_META_IDLE_TIMEOUT: 0s
 holdApplicationUntilProxyStarts: true
 components:
- ingressGateways: []
+ ingressGateways:
+ - name: istio-ingressgateway
+ enabled: false
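Review bot: The new port numbers in both Gateway documents of istio-gateway.yaml (8081 for the redirect server, 8080 for plain HTTP2) carry no explanation, and a reader comparing them with the `port: 80` / `port: 81` entries elsewhere will assume one side is a typo. The istio-operator.yaml hunk in this commit shows the ingressgateway Service mapping `port: 80 → targetPort: 8080` and `port: 81 → targetPort: 8081`, which is what these numbers presumably track; a comment above each `port:` block would pin that down, e.g. `# number is the ingressgateway pod's listening port (Service targetPort), not the Service/NodePort number`. The same comment applies to the second hunk (lines 34-47) and to the keycloak/rancher virtualservice templates.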
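Review bot: Replacing `ingressGateways: []` with an explicit `istio-ingressgateway` entry set to `enabled: false` in istio-operator-no-ingress.yaml is the kind of change a later cleanup will revert to the shorter form unless the reason is recorded. Presumably the empty list did not override the profile's built-in ingress gateway when the operator merged the spec, whereas the named entry does, which is the Istio issue the commit title refers to; a comment such as `# Disable the profile's default ingress gateway explicitly; an empty list does not override it` would preserve that. The file's metadata and `profile` setting are outside the hunk.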
diff --git a/kubernetes/istio/istio-operator.yaml b/kubernetes/istio/istio-operator.yaml
index 6f5f309..1d5e175 100644
--- a/kubernetes/istio/istio-operator.yaml
+++ b/kubernetes/istio/istio-operator.yaml
@@ -30,20 +30,18 @@ spec:
 ports:
 - name: tcp-status-port
 port: 15021
- targetPort: 15021
 nodePort: 30521
 - name: http2
 port: 80
 targetPort: 8080
 nodePort: 30080
- - name: tcp-postgres
- port: 5432
- targetPort: 5432
- nodePort: 30432
- - name: http-redirect-https
+ - name: http2-redirect-https
 port: 81
 targetPort: 8081
 nodePort: 30081
+ - name: tcp-postgres
+ port: 5432
+ nodePort: 30432
 - name: istio-ingressgateway-public
 enabled: false
 label:
@@ -58,17 +56,12 @@ spec:
 ports:
 - name: tcp-status-port
 port: 15021
- targetPort: 15021
 nodePort: 31521
 - name: http2
 port: 80
 targetPort: 8080
 nodePort: 31080
- - name: tcp-postgres
- port: 5432
- targetPort: 5432
- nodePort: 31432
- - name: http-redirect-https
+ - name: http2-redirect-https
 port: 81
 targetPort: 8081
 nodePort: 31081
diff --git a/kubernetes/keycloak/install.sh b/kubernetes/keycloak/install.sh
index a18c0a7..978809c 100755
--- a/kubernetes/keycloak/install.sh
+++ b/kubernetes/keycloak/install.sh
@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 export KEYCLOAK_HOSTNAME=${KEYCLOAK_HOSTNAME:-keycloak.openg2p.net}
+export KEYCLOAK_ISTIO_OPERATOR=${KEYCLOAK_ISTIO_OPERATOR:-true}
 export TLS=${TLS:-false}
-export ISTIO_OPERATOR=${ISTIO_OPERATOR:-true}
 export NS=${NS:-keycloak-system}
 kubectl create ns $NS
@@ -10,8 +10,7 @@ kubectl create ns $NS
 helm -n $NS upgrade --install keycloak oci://registry-1.docker.io/bitnamicharts/keycloak \
 -f values-keycloak.yaml
-if [[ "$ISTIO_OPERATOR" == "true" ]]; then
- kubectl apply -f base-istio-operator.yaml
+if [[ "$KEYCLOAK_ISTIO_OPERATOR" == "true" ]]; then
 kubectl apply -f istio-operator.yaml
 fi
diff --git a/kubernetes/keycloak/istio-operator.yaml b/kubernetes/keycloak/istio-operator.yaml
index f30401b..a0c37ba 100644
--- a/kubernetes/keycloak/istio-operator.yaml
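Review bot: The re-added `tcp-postgres` entry in the first hunk of istio-operator.yaml keeps `nodePort: 30432`, so a database port stays published on every node through the primary ingress gateway, while the second hunk removes the same entry from `istio-ingressgateway-public` without saying why the two gateways should differ. If the primary gateway is only reachable from the internal network that is worth stating next to the entry, together with whatever AuthorizationPolicy or NetworkPolicy limits who can reach 5432; if not, dropping it as the public gateway does is the safer default. A comment of the form `# 5432 on NodePort 30432 is intentional: <consumer>; reachability is restricted by <policy>` would make the decision reviewable. The Service type that gives `nodePort` its meaning is outside the hunk.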
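Review bot: The second hunk of keycloak/install.sh drops `kubectl apply -f base-istio-operator.yaml` and applies only istio-operator.yaml, whose own hunk in this commit shows `base: enabled: false`, so the base IstioOperator (now at kubernetes/istio/istio-operator-no-ingress.yaml) has become an unstated prerequisite that nothing in this script installs or checks for; rancher/install.sh has the same gap. Presumably the intent is that kubernetes/istio is applied first, so say so and fail early rather than leaving the operator with a gateway-only spec, e.g. `# Requires the base control plane from kubernetes/istio/ to be installed first` followed by `kubectl -n istio-system get istiooperator primary >/dev/null 2>&1 || { echo "install kubernetes/istio first" >&2; exit 1; }` (the name `primary` is the one the old base file used; confirm it survived the rename). The visible lines also show no `set -e`, so a failed helm upgrade still proceeds to the apply; that is pre-existing and could be handled in the same pass.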
+++ b/kubernetes/keycloak/istio-operator.yaml
@@ -18,6 +18,8 @@ spec:
 base:
 enabled: false
 ingressGateways:
+ - name: istio-ingressgateway
+ enabled: false
 - name: istio-ingressgateway-keycloak
 enabled: true
 label:
@@ -33,13 +35,12 @@ spec:
 ports:
 - name: tcp-status-port
 port: 15021
- targetPort: 15021
 nodePort: 31521
 - name: http2
 port: 80
 targetPort: 8080
 nodePort: 31080
- - name: http-redirect-https
+ - name: http2-redirect-https
 port: 81
 targetPort: 8081
 nodePort: 31081
diff --git a/kubernetes/keycloak/istio-virtualservice-tls.template.yaml b/kubernetes/keycloak/istio-virtualservice-tls.template.yaml
index c407c65..10fe9bb 100644
--- a/kubernetes/keycloak/istio-virtualservice-tls.template.yaml
+++ b/kubernetes/keycloak/istio-virtualservice-tls.template.yaml
@@ -9,16 +9,16 @@ spec:
 - hosts:
 - ${KEYCLOAK_HOSTNAME}
 port:
- name: http
- number: 80
- protocol: HTTP
+ name: http2
+ number: 8080
+ protocol: HTTP2
 tls:
 httpsRedirect: true
 - hosts:
 - ${KEYCLOAK_HOSTNAME}
 port:
 name: https
- number: 443
+ number: 8443
 protocol: HTTPS
 tls:
 credentialName: tls-keycloak-ingress
diff --git a/kubernetes/keycloak/istio-virtualservice.template.yaml b/kubernetes/keycloak/istio-virtualservice.template.yaml
index 2a0f3e7..be39e6a 100644
--- a/kubernetes/keycloak/istio-virtualservice.template.yaml
+++ b/kubernetes/keycloak/istio-virtualservice.template.yaml
@@ -9,17 +9,17 @@ spec:
 - hosts:
 - ${KEYCLOAK_HOSTNAME}
 port:
- name: http-redirect-https
- number: 81
- protocol: HTTP
+ name: http2-redirect-https
+ number: 8081
+ protocol: HTTP2
 tls:
 httpsRedirect: true
 - hosts:
 - ${KEYCLOAK_HOSTNAME}
 port:
- name: http
- number: 80
- protocol: HTTP
+ name: http2
+ number: 8080
+ protocol: HTTP2
 ---
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
diff --git a/kubernetes/rancher/base-istio-operator.yaml b/kubernetes/rancher/base-istio-operator.yaml
deleted file mode 100644
index 8b7c49c..0000000
--- a/kubernetes/rancher/base-istio-operator.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-metadata:
- namespace: istio-system
- name: primary
-spec:
- profile: default
- meshConfig:
- accessLogFile: /dev/stdout
- enableTracing: true
- pathNormalization:
- normalization: MERGE_SLASHES
- defaultConfig:
- proxyMetadata:
- ISTIO_META_IDLE_TIMEOUT: 0s
- holdApplicationUntilProxyStarts: true
- components:
- ingressGateways: []
diff --git a/kubernetes/rancher/install.sh b/kubernetes/rancher/install.sh
index 69f586f..bafd179 100755
--- a/kubernetes/rancher/install.sh
+++ b/kubernetes/rancher/install.sh
@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 export RANCHER_HOSTNAME=${RANCHER_HOSTNAME:-rancher.openg2p.net}
+export RANCHER_ISTIO_OPERATOR=${RANCHER_ISTIO_OPERATOR:-true}
 export TLS=${TLS:-false}
-export ISTIO_OPERATOR=${ISTIO_OPERATOR:-true}
 export NS=${NS:-cattle-system}
 kubectl create ns $NS
@@ -14,8 +14,7 @@ helm -n $NS upgrade --install rancher rancher-latest/rancher \
 --set ingress.enabled=false \
 --set tls=external
-if [[ "$ISTIO_OPERATOR" == "true" ]]; then
- kubectl apply -f base-istio-operator.yaml
+if [[ "$RANCHER_ISTIO_OPERATOR" == "true" ]]; then
 kubectl apply -f istio-operator.yaml
 fi
diff --git a/kubernetes/rancher/istio-operator.yaml b/kubernetes/rancher/istio-operator.yaml
index 77348e4..6cb2f6c 100644
--- a/kubernetes/rancher/istio-operator.yaml
+++ b/kubernetes/rancher/istio-operator.yaml
@@ -18,6 +18,8 @@ spec:
 base:
 enabled: false
 ingressGateways:
+ - name: istio-ingressgateway
+ enabled: false
 - name: istio-ingressgateway-rancher
 enabled: true
 label:
@@ -33,13 +35,12 @@ spec:
 ports:
 - name: tcp-status-port
 port: 15021
- targetPort: 15021
 nodePort: 30521
 - name: http2
 port: 80
 targetPort: 8080
 nodePort: 30080
- - name: http-redirect-https
+ - name: http2-redirect-https
 port: 81
 targetPort: 8081
 nodePort: 30081
diff --git a/kubernetes/rancher/istio-virtualservice-tls.template.yaml b/kubernetes/rancher/istio-virtualservice-tls.template.yaml
index 7d170db..6a182d4 100644
--- a/kubernetes/rancher/istio-virtualservice-tls.template.yaml
+++ b/kubernetes/rancher/istio-virtualservice-tls.template.yaml
@@ -9,16 +9,16 @@ spec:
 - hosts:
 - ${RANCHER_HOSTNAME}
 port:
- name: http
- number: 80
- protocol: HTTP
+ name: http2
+ number: 8080
+ protocol: HTTP2
 tls:
 httpsRedirect: true
 - hosts:
 - ${RANCHER_HOSTNAME}
 port:
 name: https
- number: 443
+ number: 8443
 protocol: HTTPS
 tls:
 credentialName: tls-rancher-ingress
diff --git a/kubernetes/rancher/istio-virtualservice.template.yaml b/kubernetes/rancher/istio-virtualservice.template.yaml
index b9b97a1..0785af4 100644
--- a/kubernetes/rancher/istio-virtualservice.template.yaml
+++ b/kubernetes/rancher/istio-virtualservice.template.yaml
@@ -9,17 +9,17 @@ spec:
 - hosts:
 - ${RANCHER_HOSTNAME}
 port:
- name: http-redirect-https
- number: 81
- protocol: HTTP
+ name: http2-redirect-https
+ number: 8081
+ protocol: HTTP2
 tls:
 httpsRedirect: true
 - hosts:
 - ${RANCHER_HOSTNAME}
 port:
- name: http
- number: 80
- protocol: HTTP
+ name: http2
+ number: 8080
+ protocol: HTTP2
 ---
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService