
Commit 18fb7d4

authored
Enable multi-persona helm install (#57559)
* support omitting cluster-scope resources during install Signed-off-by: Ian Rudie <[email protected]> * update proto to use an enumeration instead of boolean Signed-off-by: Ian Rudie <[email protected]> * update istio-control charts to use enumeration instead of boolean Signed-off-by: Ian Rudie <[email protected]> * switch to capitalized values Signed-off-by: Ian Rudie <[email protected]> * update istio-cni charts to use enumeration for resourceScope Signed-off-by: Ian Rudie <[email protected]> * update base chart to use enumeration for resourceScope Signed-off-by: Ian Rudie <[email protected]> * update ztunnel chart to use enumeration for resourceScope Signed-off-by: Ian Rudie <[email protected]> * cleanup and move setting out of global, which is not preferred for ztunnel Signed-off-by: Ian Rudie <[email protected]> * rescope webhook resources to CLUSTER Signed-off-by: Ian Rudie <[email protected]> * switch to all lowercase enum for resourceScope Signed-off-by: Ian Rudie <[email protected]> * release note Signed-off-by: Ian Rudie <[email protected]> --------- Signed-off-by: Ian Rudie <[email protected]>
1 parent b982895 commit 18fb7d4


47 files changed

+528
-310
lines changed

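--- a/manifests/charts/base/templates/crds.yaml
+++ b/manifests/charts/base/templates/crds.yaml
@@ -1,3 +1,4 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
 # TODO enableCRDTemplates is now defaulted to true as we
 # want to always self-manage CRD upgrades via plain templates,
 # so we should remove this flag after a few releases
@@ -19,3 +20,4 @@
 {{- else }}
 {{ .Files.Get "files/crd-all.gen.yaml" }}
 {{- end }}
+{{- end }}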
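Review bot: The new `{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}` guard on the first line only matches three literal strings, so any other value (a typo such as `Cluster`, or an empty value from a mis-set `--set`) makes this template — and every other template gated the same way in this commit (defaultrevision-validatingadmissionpolicy.yaml, defaultrevision-validatingwebhookconfiguration.yaml, reader-serviceaccount.yaml, and the istio-cni templates) — render nothing, silently dropping CRDs and the admission-validation resources instead of failing the install. A single fail-fast check, for example in a shared helper or at the top of this template, would turn that into an install-time error: `{{- if not (has .Values.global.resourceScope (list "all" "cluster" "namespace")) }}` / `{{- fail (printf "unsupported global.resourceScope %q" .Values.global.resourceScope) }}` / `{{- end }}`. A `values.schema.json` enum for `global.resourceScope` would give the same protection at `helm install`/`helm lint` time, if the chart ships one. The body of this template between the two hunks is outside the diff, so whether it already contains any such validation is not visible here.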

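--- a/manifests/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
+++ b/manifests/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
@@ -1,3 +1,4 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
 {{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
@@ -51,3 +52,4 @@ spec:
 policyName: "stable-channel-default-policy.istio.io"
 validationActions: [Deny]
 {{- end }}
+{{- end }}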

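--- a/manifests/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
+++ b/manifests/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
@@ -1,3 +1,4 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
 {{- if not (eq .Values.defaultRevision "") }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -54,3 +55,4 @@ webhooks:
 sideEffects: None
 admissionReviewVersions: ["v1"]
 {{- end }}
+{{- end }}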

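--- a/manifests/charts/base/templates/reader-serviceaccount.yaml
+++ b/manifests/charts/base/templates/reader-serviceaccount.yaml
@@ -1,3 +1,4 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
 # This singleton service account aggregates reader permissions for the revisions in a given cluster
 # ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be,
 # as otherwise compromising the token for this SA would give you access to *every* installed revision.
@@ -18,3 +19,4 @@ metadata:
 release: {{ .Release.Name }}
 app.kubernetes.io/name: "istio-reader"
 {{- include "istio.labels" . | nindent 4 }}
+{{- end }}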

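--- a/manifests/charts/base/values.yaml
+++ b/manifests/charts/base/values.yaml
@@ -10,6 +10,14 @@ _internal_defaults_do_not_set:
 
 # Used to locate istiod.
 istioNamespace: istio-system
+
+# resourceScope controls what resources will be processed by helm.
+# This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+# It can be one of:
+# - all: all resources are processed
+# - cluster: only cluster-scoped resources are processed
+# - namespace: only namespace-scoped resources are processed
+resourceScope: all
 base:
 # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true.
 # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`.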
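Review bot: The new `resourceScope` comment block describes the three accepted values but does not say what a `namespace`-only install of this chart leaves out, and the templates in this commit show that the CRDs, the ValidatingWebhookConfiguration and the ValidatingAdmissionPolicy are rendered only for `all` or `cluster`; a mesh administrator reading only values.yaml would not know that configuration validation then depends on the cluster administrator having done a `cluster`-scoped install of the same chart version. A sentence such as `# With "namespace", CRDs and the admission validation resources are NOT installed; they must come from a separate "cluster"-scoped install.` would make that dependency explicit. The comment on the second added line is also well over 120 characters and should be wrapped to match the surrounding comment style. Whether `resourceScope` sits under `global:` here cannot be confirmed from the hunk, but the templates read `.Values.global.resourceScope`, so the comment could name the full key to avoid ambiguity.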

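--- a/manifests/charts/istio-cni/templates/clusterrole.yaml
+++ b/manifests/charts/istio-cni/templates/clusterrole.yaml
@@ -1,3 +1,5 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -78,3 +80,4 @@ rules:
 resourceNames: ["{{ template "name" . }}-node"]
 verbs: ["get"]
 {{- end }}
+{{- end }}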
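Review bot: The added comment `# Created if cluster resources are not omitted` on the first line of this file (and the identical one in clusterrolebinding.yaml) still describes the earlier boolean "omit" design that the commit message says was replaced by the `resourceScope` enumeration, so it no longer matches the condition directly below it. Rewording it to state the actual gate, `# Rendered only when global.resourceScope is "all" or "cluster"`, keeps the comment accurate, and it is the one place in the istio-cni chart where a reader would look to understand why the ClusterRole can be absent from a namespace-scoped install. The rules between the two hunks are outside the diff and are not reviewed here.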

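--- a/manifests/charts/istio-cni/templates/clusterrolebinding.yaml
+++ b/manifests/charts/istio-cni/templates/clusterrolebinding.yaml
@@ -1,3 +1,5 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -64,3 +66,4 @@ roleRef:
 kind: ClusterRole
 name: {{ template "name" . }}-ambient
 {{- end }}
+{{- end }}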

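--- a/manifests/charts/istio-cni/templates/configmap-cni.yaml
+++ b/manifests/charts/istio-cni/templates/configmap-cni.yaml
@@ -1,3 +1,4 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
 kind: ConfigMap
 apiVersion: v1
 metadata:
@@ -40,3 +41,4 @@ data:
 {{ $key }}: "{{ $val }}"
 {{- end }}
 {{- end }}
+{{- end }}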

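--- a/manifests/charts/istio-cni/templates/daemonset.yaml
+++ b/manifests/charts/istio-cni/templates/daemonset.yaml
@@ -1,3 +1,4 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
 # This manifest installs the Istio install-cni container, as well
 # as the Istio CNI plugin and config on
 # each master and worker node in a Kubernetes cluster.
@@ -249,3 +250,4 @@ spec:
 type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node,
 # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod.
 # Once the CNI does mount this, it will get populated and we're good.
+{{- end }}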

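--- a/manifests/charts/istio-cni/templates/network-attachment-definition.yaml
+++ b/manifests/charts/istio-cni/templates/network-attachment-definition.yaml
@@ -1,3 +1,4 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
 {{- if eq .Values.provider "multus" }}
 apiVersion: k8s.cni.cncf.io/v1
 kind: NetworkAttachmentDefinition
@@ -9,3 +10,4 @@ metadata:
 app.kubernetes.io/name: {{ template "name" . }}
 {{- include "istio.labels" . | nindent 4 }}
 {{- end }}
+{{- end }}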
