Tweak istio install

kubernetes/apps/istio.yaml

@@ -1,98 +1,79 @@
 apiVersion: argoproj.io/v1alpha1
-kind: Application
+kind: ApplicationSet
 metadata:
   name: istio-base
-  annotations:
-    argocd.argoproj.io/sync-wave: "-3"
 spec:
-  destination:
-    name: gke-utility
-    namespace: istio-system
-  project: default
-  sources:
-    - chart: base
-      repoURL: https://istio-release.storage.googleapis.com/charts
-      targetRevision: 1.23.2
-    - path: config/crd/experimental
-      repoURL: https://github.com/kubernetes-sigs/gateway-api
-      targetRevision: v1.1.0
-  ignoreDifferences:
-    - group: admissionregistration.k8s.io
-      kind: ValidatingWebhookConfiguration
-      jsonPointers:
-      - /webhooks/0/failurePolicy
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-    - CreateNamespace=true
+  goTemplate: true
+  generators:
+    - clusters:
+        selector:
+          matchLabels:
+            clusterType: 'utility'
+  template:
+    metadata:
+      name: 'istio-base-{{ .name }}'
+      annotations:
+        argocd.argoproj.io/sync-wave: "-3"
+    spec:
+      destination:
+        namespace: istio-system
+        server: "{{ .server }}"
+      project: default
+      sources:
+        - chart: base
+          repoURL: https://istio-release.storage.googleapis.com/charts
+          targetRevision: 1.23.2
+        - path: config/crd/experimental
+          repoURL: https://github.com/kubernetes-sigs/gateway-api
+          targetRevision: v1.1.0
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+          - CreateNamespace=true
+        managedNamespaceMetadata:
+          labels:
+            topology.istio.io/network: "{{ .metadata.labels.istioNetwork }}"
 ---
 apiVersion: argoproj.io/v1alpha1
-kind: Application
+kind: ApplicationSet
 metadata:
   name: istio
 spec:
-  destination:
-    name: gke-utility
-    namespace: istio-system
-  project: default
-  sources:
-    - chart: istiod
-      repoURL: https://istio-release.storage.googleapis.com/charts
-      targetRevision: 1.23.2
-      helm:
-        values: |
-          global:
-            hub: gcr.io/istio-release
-            istiod:
-              enableAnalysis: true
-          meshConfig:
-            accessLogFile: /dev/stdout
-            enablePrometheusMerge: true
-            protocolDetectionTimeout: 5s
-            enableTracing: true
-            defaultConfig:
-              tracing:
-            extensionProviders:
-            - name: stackdriver
-              stackdriver:
-            - name: "oauth2-proxy"
-              envoyExtAuthzHttp:
-                service: "oauth2-proxy.oauth2-proxy.svc.cluster.local"
-                port: "80"
-                headersToDownstreamOnDeny:
-                  - content-type
-                  - set-cookie
-                headersToUpstreamOnAllow:
-                  - authorization
-                  - cookie
-                  - path
-                  - x-*
-                includeHeadersInCheck:
-                  - authorization
-                  - cookie
-                  - user-agent
-                includeAdditionalHeadersInCheck:
-                  X-Auth-Request-Redirect: https://%REQ(Host)%%REQ(:PATH)%
-            defaultConfig:
-              gatewayTopology:
-                numTrustedProxies: 2
-          telemetry:
-            enabled: true
-            v2:
-              prometheus:
-                enabled: true
-                wasmEnabled: false
-    - path: kubernetes/gke-utility/istio-system
-      repoURL: https://github.com/kubernetes/k8s.io
-      targetRevision: main
-  ignoreDifferences:
-    - group: admissionregistration.k8s.io
-      kind: ValidatingWebhookConfiguration
-      jsonPointers:
-      - /webhooks/0/failurePolicy
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
+  goTemplate: true
+  generators:
+    - clusters:
+        selector:
+          matchLabels:
+            clusterType: 'utility'
+  template:
+    metadata:
+      name: 'istio-{{ .name }}'
+    spec:
+      destination:
+        namespace: istio-system
+        server: "{{ .server }}"
+      project: default
+      sources:
+        - chart: istiod
+          repoURL: https://istio-release.storage.googleapis.com/charts
+          targetRevision: 1.23.2
+          helm:
+            valueFiles:
+            - $values/kubernetes/{{ .name }}/helm/istio.yaml
+        - repoURL: 'https://github.com/kubernetes/k8s.io.git'
+          targetRevision: main
+          ref: values
+        - repoURL: https://github.com/kubernetes/k8s.io
+          targetRevision: main
+          path: kubernetes/{{ .name }}/istio-system
+      ignoreDifferences:
+        - group: admissionregistration.k8s.io
+          kind: ValidatingWebhookConfiguration
+          jsonPointers:
+          - /webhooks/0/failurePolicy
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true

kubernetes/apps/kustomization.yaml

@@ -4,7 +4,6 @@ resources:
   # - argocd.yaml This has been manually applied to fix sync issues
   - external-secrets.yaml
   - cert-manager.yaml
-  # - ingress-nginx.yaml
   - prow.yaml
   - istio.yaml
   - oauth2-proxy.yaml

kubernetes/gke-utility/helm/cert-manager.yaml

@@ -1,8 +1,7 @@
 crds:
   enabled: true
 extraObjects:
-  - |
-    apiVersion: cert-manager.io/v1
+  - apiVersion: cert-manager.io/v1
     kind: ClusterIssuer
     metadata:
       name: letsencrypt-prod
@@ -13,5 +12,6 @@ extraObjects:
         privateKeySecretRef:
           name: letsencrypt-prod
         solvers:
-          - cloudDNS:
-              project: kubernetes-public
+          - dns01:
+              cloudDNS:
+                project: kubernetes-public

kubernetes/gke-utility/helm/istio.yaml

@@ -0,0 +1,48 @@
+global:
+  hub: gcr.io/istio-release
+  istiod:
+    enableAnalysis: true
+  meshID: mesh
+  multiCluster:
+    clusterName: gke-utility
+  network: prow-vpc
+pilot:
+  env:
+    PILOT_ENABLE_ALPHA_GATEWAY_API: 'true'
+    ENABLE_NATIVE_SIDECARS: 'true'
+meshConfig:
+  accessLogFile: /dev/stdout
+  enablePrometheusMerge: true
+  protocolDetectionTimeout: 5s
+  enableTracing: true
+  defaultConfig:
+    gatewayTopology:
+      numTrustedProxies: 2
+    tracing:
+  extensionProviders:
+  - name: stackdriver
+    stackdriver:
+  - name: "oauth2-proxy"
+    envoyExtAuthzHttp:
+      service: "oauth2-proxy.oauth2-proxy.svc.cluster.local"
+      port: "80"
+      headersToDownstreamOnDeny:
+        - content-type
+        - set-cookie
+      headersToUpstreamOnAllow:
+        - authorization
+        - cookie
+        - path
+        - x-*
+      includeHeadersInCheck:
+        - authorization
+        - cookie
+        - user-agent
+      includeAdditionalHeadersInCheck:
+        X-Auth-Request-Redirect: https://%REQ(Host)%%REQ(:PATH)%
+telemetry:
+  enabled: true
+  v2:
+    prometheus:
+      enabled: true
+      wasmEnabled: false

kubernetes/gke-utility/istio-system/auth-policy.yaml

@@ -15,3 +15,4 @@ spec:
     - operation:
         hosts:
         - argo.k8s.io
+        - monitoring.prow.k8s.io

kubernetes/gke-utility/istio-system/gateway.yaml

@@ -32,6 +32,7 @@ spec:
     sectionName: http
   hostnames:
   - '*.k8s.io'
+  - '*.prow.k8s.io'
   rules:
   - filters:
     - type: RequestRedirect
@@ -49,5 +50,7 @@ spec:
     name: letsencrypt-prod
     kind: ClusterIssuer
   commonName: '*.k8s.io'
+  # *.prow.k8s.io doesn't work as GCP CERT MANAGER USES CNAME FOR ACME INSTEAD OF TXT :(((((((
   dnsNames:
   - '*.k8s.io'
+  - 'monitoring.prow.k8s.io'