diff --git a/clusters/brusnika-prod/infrastructure/kustomization.yaml b/clusters/brusnika-prod/infrastructure/kustomization.yaml
index 4871d99..4c62b0d 100644
--- a/clusters/brusnika-prod/infrastructure/kustomization.yaml
+++ b/clusters/brusnika-prod/infrastructure/kustomization.yaml
@@ -1,9 +1,27 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - ../../../infrastructure/istio-base
+ - ../../../infrastructure/istio-pilot
+ - ../../../infrastructure/istio-gateway
+ - ../../../infrastructure/istio-config
 - ../../../infrastructure/vault
 - ./vault-ingress.yaml
 patches:
+ - path: ./patches/istio-gateway.yaml
+ target:
+ group: helm.toolkit.fluxcd.io
+ version: v2
+ kind: HelmRelease
+ name: ingressgateway
+ namespace: istio-system
+ - path: ./patches/istio-config.yaml
+ target:
+ group: helm.toolkit.fluxcd.io
+ version: v2
+ kind: HelmRelease
+ name: istio-config
+ namespace: default
 - path: ./patches/vault.yaml
 target:
 group: helm.toolkit.fluxcd.io
diff --git a/clusters/brusnika-prod/infrastructure/patches/istio-config.yaml b/clusters/brusnika-prod/infrastructure/patches/istio-config.yaml
new file mode 100644
index 0000000..0325c2d
--- /dev/null
+++ b/clusters/brusnika-prod/infrastructure/patches/istio-config.yaml
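Review bot: The new patch target for `istio-config` addresses the HelmRelease in namespace `default`, while the companion `ingressgateway` target uses `istio-system`; Kustomize fails the build when a patch target matches nothing, so the base release presumably really is declared in `default`, but a release that owns cluster-wide Gateways, VirtualServices and Certificates is better kept in a dedicated infrastructure namespace, since `default` is where ad-hoc workloads and the broadest RoleBindings tend to accumulate. If the base is moved, the target here and the `metadata.namespace` in `patches/istio-config.yaml` must change together, e.g. `namespace: istio-system`. Note also that the order of the four new `resources` entries does not express a dependency; ordering between the Istio releases has to come from `spec.dependsOn` on each HelmRelease, which is only visible for the gateway release in this commit.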
@@ -0,0 +1,611 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: istio-config
+ namespace: default
+spec:
+ values:
+ global:
+ env: brusnika-prod
+ environments:
+ brusnika-prod:
+ namespaces: []
+ certManager:
+ clusterIssuers: {}
+ certificates:
+ argocd-secret-name:
+ namespace: ingress-nginx
+ dnsNames:
+ - argocd.brusnika.onprem.sarex.io
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ camunda-identity-tls:
+ namespace: ingress-nginx
+ dnsNames:
+ - identity.camunda.cde.brusnika.ru
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ keycloak.camunda.cde.brusnika.ru-tls:
+ namespace: ingress-nginx
+ dnsNames:
+ - keycloak.camunda.cde.brusnika.ru
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ camunda-platform-operate-tls:
+ namespace: ingress-nginx
+ dnsNames:
+ - operate.camunda.cde.brusnika.ru
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ camunda-optimize-tls:
+ namespace: ingress-nginx
+ dnsNames:
+ - optimize.camunda.cde.brusnika.ru
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ camunda-platform-tasklist-tls:
+ namespace: ingress-nginx
+ dnsNames:
+ - tasklist.camunda.cde.brusnika.ru
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ yet-another-nginx-secret-name:
+ namespace: ingress-nginx
+ dnsNames:
+ - document-link.cde.brusnika.ru
+ - cde.brusnika.ru
+ - rabbitmq.cde.brusnika.ru
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ tls-secret-for-qr:
+ namespace: ingress-nginx
+ dnsNames:
+ - stamp-verification.cde.brusnika.ru
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ gitea-prod-tls:
+ namespace: ingress-nginx
+ dnsNames:
+ - gitea.prod.brusnika.sarex.lonsdaleites.ru
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ jupyter-cert-secret:
+ namespace: ingress-nginx
+ dnsNames:
+ - jupyter.brusnika.onprem.sarex.io
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ dashboard-secret-name:
+ namespace: ingress-nginx
+ dnsNames:
+ - dashboard.brusnika.onprem.sarex.io
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ brusnika-secret-name:
+ namespace: ingress-nginx
+ dnsNames:
+ - minio.brusnika.onprem.sarex.io
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ projects-secret-name:
+ namespace: ingress-nginx
+ dnsNames:
+ - sso.brusnika.onprem.sarex.io
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ superset-tls-secret:
+ namespace: ingress-nginx
+ dnsNames:
+ - superset.cde.brusnika.ru
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ vault-prod-tls:
+ namespace: ingress-nginx
+ dnsNames:
+ - vault.prod.brusnika.sarex.lonsdaleites.ru
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ istio:
+ envoyFilters: {}
+ authorizationPolicies: {}
+ requestAuthentications: {}
+ gateways:
+ argocd:
+ name: argocd-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - argocd.brusnika.onprem.sarex.io
+ tls:
+ credentialName: argocd-secret-name
+ camunda-identity:
+ name: camunda-identity-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - identity.camunda.cde.brusnika.ru
+ tls:
+ credentialName: camunda-identity-tls
+ camunda-keycloak:
+ name: camunda-keycloak-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - keycloak.camunda.cde.brusnika.ru
+ tls:
+ credentialName: keycloak.camunda.cde.brusnika.ru-tls
+ camunda-operate:
+ name: camunda-operate-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - operate.camunda.cde.brusnika.ru
+ tls:
+ credentialName: camunda-platform-operate-tls
+ camunda-optimize:
+ name: camunda-optimize-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - optimize.camunda.cde.brusnika.ru
+ tls:
+ credentialName: camunda-optimize-tls
+ camunda-tasklist:
+ name: camunda-tasklist-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - tasklist.camunda.cde.brusnika.ru
+ tls:
+ credentialName: camunda-platform-tasklist-tls
+ document-link:
+ name: document-link-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - document-link.cde.brusnika.ru
+ tls:
+ credentialName: yet-another-nginx-secret-name
+ stamp-verification:
+ name: stamp-verification-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - stamp-verification.cde.brusnika.ru
+ tls:
+ credentialName: tls-secret-for-qr
+ gitea:
+ name: gitea-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - gitea.prod.brusnika.sarex.lonsdaleites.ru
+ tls:
+ credentialName: gitea-prod-tls
+ global-cde:
+ name: global-cde-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - cde.brusnika.ru
+ tls:
+ credentialName: yet-another-nginx-secret-name
+ jupyter:
+ name: jupyter-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - jupyter.brusnika.onprem.sarex.io
+ tls:
+ credentialName: jupyter-cert-secret
+ dashboard:
+ name: dashboard-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - dashboard.brusnika.onprem.sarex.io
+ tls:
+ credentialName: dashboard-secret-name
+ minio:
+ name: minio-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - minio.brusnika.onprem.sarex.io
+ tls:
+ credentialName: brusnika-secret-name
+ sso-check:
+ name: sso-check-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - sso.brusnika.onprem.sarex.io
+ tls:
+ credentialName: projects-secret-name
+ superset:
+ name: superset-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - superset.cde.brusnika.ru
+ tls:
+ credentialName: superset-tls-secret
+ vault:
+ name: vault-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - vault.prod.brusnika.sarex.lonsdaleites.ru
+ tls:
+ credentialName: vault-prod-tls
+ rabbitmq:
+ name: rabbitmq-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - rabbitmq.cde.brusnika.ru
+ tls:
+ credentialName: yet-another-nginx-secret-name
+ virtualServices:
+ argocd-vs:
+ namespace: argocd
+ hosts:
+ - argocd.brusnika.onprem.sarex.io
+ gateways:
+ - ingress-nginx/argocd-gw
+ cors:
+ allowOrigins:
+ - regex: ".*"
+ routes:
+ - match:
+ - port: 80
+ uri:
+ prefix: /
+ redirect:
+ scheme: https
+ redirectCode: 308
+ - path:
+ prefix: /
+ service: argocd-server.argocd.svc.cluster.local
+ port: 80
+ camunda-identity-vs:
+ namespace: camunda
+ hosts:
+ - identity.camunda.cde.brusnika.ru
+ gateways:
+ - ingress-nginx/camunda-identity-gw
+ routes:
+ - path:
+ prefix: /
+ service: camunda-identity.camunda.svc.cluster.local
+ port: 80
+ camunda-keycloak-vs:
+ namespace: camunda
+ hosts:
+ - keycloak.camunda.cde.brusnika.ru
+ gateways:
+ - ingress-nginx/camunda-keycloak-gw
+ routes:
+ - match:
+ - port: 80
+ uri:
+ prefix: /auth/
+ redirect:
+ scheme: https
+ redirectCode: 308
+ - path:
+ prefix: /auth/
+ service: camunda-keycloak.camunda.svc.cluster.local
+ port: 80
+ camunda-operate-vs:
+ namespace: camunda
+ hosts:
+ - operate.camunda.cde.brusnika.ru
+ gateways:
+ - ingress-nginx/camunda-operate-gw
+ routes:
+ - path:
+ prefix: /
+ service: camunda-operate.camunda.svc.cluster.local
+ port: 80
+ camunda-optimize-vs:
+ namespace: camunda
+ hosts:
+ - optimize.camunda.cde.brusnika.ru
+ gateways:
+ - ingress-nginx/camunda-optimize-gw
+ routes:
+ - path:
+ prefix: /
+ service: camunda-optimize.camunda.svc.cluster.local
+ port: 80
+ camunda-tasklist-vs:
+ namespace: camunda
+ hosts:
+ - tasklist.camunda.cde.brusnika.ru
+ gateways:
+ - ingress-nginx/camunda-tasklist-gw
+ routes:
+ - path:
+ prefix: /
+ service: camunda-tasklist.camunda.svc.cluster.local
+ port: 80
+ document-link-vs:
+ namespace: documentations
+ hosts:
+ - document-link.cde.brusnika.ru
+ gateways:
+ - ingress-nginx/document-link-gw
+ cors:
+ allowOrigins:
+ - regex: ".*"
+ routes:
+ - match:
+ - port: 80
+ uri:
+ prefix: /
+ redirect:
+ scheme: https
+ redirectCode: 308
+ - path:
+ prefix: /
+ service: frontend-service-public-link.documentations.svc.cluster.local
+ port: 80
+ stamp-verification-vs:
+ namespace: documentations
+ hosts:
+ - stamp-verification.cde.brusnika.ru
+ gateways:
+ - ingress-nginx/stamp-verification-gw
+ cors:
+ allowOrigins:
+ - regex: ".*"
+ routes:
+ - match:
+ - port: 80
+ uri:
+ prefix: /
+ redirect:
+ scheme: https
+ redirectCode: 308
+ - path:
+ prefix: /
+ service: stamp-verification-frontend-service.documentations.svc.cluster.local
+ port: 8080
+ gitea-vs:
+ namespace: gitea
+ hosts:
+ - gitea.prod.brusnika.sarex.lonsdaleites.ru
+ gateways:
+ - ingress-nginx/gitea-gw
+ routes:
+ - match:
+ - port: 80
+ uri:
+ prefix: /
+ redirect:
+ scheme: https
+ redirectCode: 308
+ - path:
+ prefix: /
+ service: gitea.gitea.svc.cluster.local
+ port: 3000
+ global-cde-vs:
+ namespace: global-ingress
+ hosts:
+ - cde.brusnika.ru
+ gateways:
+ - ingress-nginx/global-cde-gw
+ cors:
+ allowOrigins:
+ - exact: https://cde.brusnika.ru
+ - exact: https://stamp-verification.cde.brusnika.ru
+ - exact: https://document-link.cde.brusnika.ru
+ routes:
+ - match:
+ - port: 80
+ uri:
+ prefix: /
+ redirect:
+ scheme: https
+ redirectCode: 308
+ - path:
+ prefix: /integration/
+ service: yet-another-nginx-service.global-ingress.svc.cluster.local
+ port: 80
+ - path:
+ prefix: /
+ service: nginx-service.global-ingress.svc.cluster.local
+ port: 80
+ jupyter-vs:
+ namespace: jupyter
+ hosts:
+ - jupyter.brusnika.onprem.sarex.io
+ gateways:
+ - ingress-nginx/jupyter-gw
+ cors:
+ allowOrigins:
+ - regex: ".*"
+ routes:
+ - match:
+ - port: 80
+ uri:
+ prefix: /
+ redirect:
+ scheme: https
+ redirectCode: 308
+ - path:
+ prefix: /
+ service: jupyter.jupyter.svc.cluster.local
+ port: 8888
+ dashboard-vs:
+ namespace: kubernetes-dashboard
+ hosts:
+ - dashboard.brusnika.onprem.sarex.io
+ gateways:
+ - ingress-nginx/dashboard-gw
+ cors:
+ allowOrigins:
+ - regex: ".*"
+ routes:
+ - match:
+ - port: 80
+ uri:
+ prefix: /
+ redirect:
+ scheme: https
+ redirectCode: 308
+ - path:
+ prefix: /
+ service: kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
+ port: 80
+ minio-vs:
+ namespace: minio
+ hosts:
+ - minio.brusnika.onprem.sarex.io
+ gateways:
+ - ingress-nginx/minio-gw
+ cors:
+ allowOrigins:
+ - regex: ".*"
+ routes:
+ - match:
+ - port: 80
+ uri:
+ prefix: /
+ redirect:
+ scheme: https
+ redirectCode: 308
+ - path:
+ prefix: /
+ service: minio-console-service.minio.svc.cluster.local
+ port: 80
+ sso-check-vs:
+ namespace: sso-check
+ hosts:
+ - sso.brusnika.onprem.sarex.io
+ gateways:
+ - ingress-nginx/sso-check-gw
+ cors:
+ allowOrigins:
+ - regex: ".*"
+ routes:
+ - match:
+ - port: 80
+ uri:
+ prefix: /
+ redirect:
+ scheme: https
+ redirectCode: 308
+ - path:
+ prefix: /
+ service: gatekeeper-service.sso-check.svc.cluster.local
+ port: 80
+ superset-vs:
+ namespace: superset
+ hosts:
+ - superset.cde.brusnika.ru
+ gateways:
+ - ingress-nginx/superset-gw
+ routes:
+ - match:
+ - port: 80
+ uri:
+ prefix: /
+ redirect:
+ scheme: https
+ redirectCode: 308
+ - path:
+ prefix: /
+ service: superset.superset.svc.cluster.local
+ port: 8088
+ vault-vs:
+ namespace: vault
+ hosts:
+ - vault.prod.brusnika.sarex.lonsdaleites.ru
+ gateways:
+ - ingress-nginx/vault-gw
+ routes:
+ - match:
+ - port: 80
+ uri:
+ prefix: /
+ redirect:
+ scheme: https
+ redirectCode: 308
+ - path:
+ prefix: /
+ service: vault-vault-contour.vault.svc.cluster.local
+ port: 8200
+ rabbitmq-vs:
+ namespace: workflow
+ hosts:
+ - rabbitmq.cde.brusnika.ru
+ gateways:
+ - ingress-nginx/rabbitmq-gw
+ cors:
+ allowOrigins:
+ - exact: https://cde.brusnika.ru
+ - exact: https://stamp-verification.cde.brusnika.ru
+ - exact: https://document-link.cde.brusnika.ru
+ routes:
+ - match:
+ - port: 80
+ uri:
+ prefix: /
+ redirect:
+ scheme: https
+ redirectCode: 308
+ - path:
+ prefix: /
+ service: rabbitmq-service.workflow.svc.cluster.local
+ port: 15672
diff --git a/clusters/brusnika-prod/infrastructure/patches/istio-gateway.yaml b/clusters/brusnika-prod/infrastructure/patches/istio-gateway.yaml
new file mode 100644
index 0000000..88768b7
--- /dev/null
+++ b/clusters/brusnika-prod/infrastructure/patches/istio-gateway.yaml
@@ -0,0 +1,62 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: ingressgateway
+ namespace: istio-system
+spec:
+ targetNamespace: ingress-nginx
+ postRenderers:
+ - kustomize:
+ patches:
+ - target:
+ version: v1
+ kind: Deployment
+ name: istio-ingressgateway
+ namespace: ingress-nginx
+ patch: |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: istio-ingressgateway
+ namespace: ingress-nginx
+ spec:
+ template:
+ spec:
+ affinity: null
+ dependsOn:
+ - name: istio-base
+ namespace: istio-system
+ - name: istiod
+ namespace: istio-system
+ values:
+ _internal_defaults_do_not_set:
+ name: istio-ingressgateway
+ labels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ replicaCount: 2
+ affinity: null
+ tolerations: []
+ hostPorts: []
+ podAnnotations:
+ prometheus.io/port: "15020"
+ prometheus.io/scrape: "true"
+ prometheus.io/path: /stats/prometheus
+ inject.istio.io/templates: gateway
+ sidecar.istio.io/inject: "true"
+ service:
+ type: ClusterIP
+ externalTrafficPolicy: ""
+ ports:
+ - name: status-port
+ port: 15021
+ protocol: TCP
+ targetPort: 15021
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
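Review bot: The `cors.allowOrigins: - regex: ".*"` block on `argocd-vs`, `document-link-vs`, `stamp-verification-vs`, `jupyter-vs`, `dashboard-vs`, `minio-vs` and `sso-check-vs` reflects any browser origin, which on authenticated consoles such as Argo CD, the Kubernetes dashboard, the MinIO console and Jupyter removes the same-origin protection their APIs rely on; `global-cde-vs` and `rabbitmq-vs` in the same file already show the safer form, an explicit `exact:` list, e.g. for argocd-vs `allowOrigins:` / `- exact: https://argocd.brusnika.onprem.sarex.io`, or the `cors` block can be dropped entirely where no cross-origin browser client exists. A second gap is that `camunda-identity-vs`, `camunda-operate-vs`, `camunda-optimize-vs` and `camunda-tasklist-vs` have no `match: - port: 80` redirect route, and `camunda-keycloak-vs` only redirects `/auth/`, so if the gateway really listens on 80 (the gateway Service in the next file does expose it) those login-handling hosts would serve plaintext HTTP while every other VirtualService here forces a 308 to https; adding the same redirect route block to them keeps the file consistent. The `servers` entries carry only `hosts` and `tls.credentialName`, so whether the chart fills in `port` and `tls.mode` is presumably handled by the `istio-config` chart templates, which are outside this diff — worth confirming once against the rendered Gateway objects.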
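Review bot: The gateway overrides are written under `values._internal_defaults_do_not_set`, a key whose name in the Istio gateway chart signals that it holds the chart's own defaults rather than a user-facing interface; placing `name`, `labels`, `replicaCount`, `podAnnotations` and `service` at the top level of `values:` instead is the documented contract and will not silently break if a future chart version restructures that internal block. The override also clears scheduling twice, `affinity: null` in the values and again via the `postRenderers` Deployment patch, so with `replicaCount: 2` nothing keeps both gateway replicas off the same node; if the intent is only to drop a chart default that does not fit this cluster, a short comment above the patch saying so would help, otherwise a preferred `podAntiAffinity` on `app: istio-ingressgateway` (and a PodDisruptionBudget) would preserve the availability that the second replica is there for. Minor: `externalTrafficPolicy: ""` is a no-op for a `ClusterIP` Service and can be omitted.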