components: Add istio-operator

assets/charts/components/istio-operator/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: istio-operator
+version: 1.6.0
+description: Helm chart for deploying Istio operator
+keywords:
+- istio
+- operator
+sources:
+- http://github.com/istio/istio/operator
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png

assets/charts/components/istio-operator/crds/crd-operator.yaml

@@ -0,0 +1,46 @@
+# SYNC WITH manifests/charts/base/files
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: istiooperators.install.istio.io
+spec:
+  group: install.istio.io
+  names:
+    kind: IstioOperator
+    plural: istiooperators
+    singular: istiooperator
+    shortNames:
+    - iop
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values.
+            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase.
+            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        spec:
+          description: 'Specification of the desired state of the istio control plane resource.
+            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+          type: object
+        status:
+          description: 'Status describes each of istio control plane component status at the current time.
+            0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
+            More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
+            https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+          type: object
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+---

assets/charts/components/istio-operator/templates/clusterrole.yaml

@@ -0,0 +1,113 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: istio-operator
+rules:
+# istio groups
+- apiGroups:
+  - authentication.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - config.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - install.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - rbac.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - security.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+# k8s groups
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - '*'
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions.apiextensions.k8s.io
+  - customresourcedefinitions
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  - extensions
+  resources:
+  - daemonsets
+  - deployments
+  - deployments/finalizers
+  - ingresses
+  - replicasets
+  - statefulsets
+  verbs:
+  - '*'
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - '*'
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
+  - get
+  - create
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - '*'
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  - clusterroles
+  - roles
+  - rolebindings
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - events
+  - namespaces
+  - pods
+  - persistentvolumeclaims
+  - secrets
+  - services
+  - serviceaccounts
+  verbs:
+  - '*'
+---

assets/charts/components/istio-operator/templates/clusterrole_binding.yaml

@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: istio-operator
+subjects:
+- kind: ServiceAccount
+  name: istio-operator
+  namespace: {{.Values.operatorNamespace}}
+roleRef:
+  kind: ClusterRole
+  name: istio-operator
+  apiGroup: rbac.authorization.k8s.io
+---

assets/charts/components/istio-operator/templates/deployment.yaml

@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: {{.Values.operatorNamespace}}
+  name: istio-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: istio-operator
+  template:
+    metadata:
+      labels:
+        name: istio-operator
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+      serviceAccountName: istio-operator
+      containers:
+        - name: istio-operator
+          image: {{.Values.hub}}/operator:{{.Values.tag}}
+          command:
+          - operator
+          - server
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 50m
+              memory: 128Mi
+          env:
+            - name: WATCH_NAMESPACE
+              value: {{.Values.istioNamespace}}
+            - name: LEADER_ELECTION_NAMESPACE
+              value: {{.Values.operatorNamespace}}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: {{.Values.operatorNamespace}}
+---

assets/charts/components/istio-operator/templates/istio-operator-cr.yaml

@@ -0,0 +1,17 @@
+---
+# XXX: Lokomotive specific config
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{.Values.istioNamespace}}
+  labels:
+    lokomotive.kinvolk.io/name: {{.Values.istioNamespace}}
+---
+# XXX: Lokomotive specific config
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+  namespace: {{.Values.istioNamespace}}
+  name: istiocontrolplane
+spec:
+  profile: {{ .Values.istioOperator.profile }}

assets/charts/components/istio-operator/templates/service-monitor.yaml

@@ -0,0 +1,47 @@
+{{ if .Values.enableMonitoring }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    name: istio-operator
+    release: prometheus-operator
+  name: istio-control-plane-proxies
+  namespace: {{.Values.istioNamespace}}
+spec:
+  selector:
+    matchLabels:
+      install.operator.istio.io/owning-resource: istiocontrolplane
+  endpoints:
+  - targetPort: 15090
+    path: /stats/prometheus
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    name: istio-operator
+    release: prometheus-operator
+  name: istiod
+  namespace: {{.Values.istioNamespace}}
+spec:
+  selector:
+    matchLabels:
+      app: istiod
+  endpoints:
+  - port: http-monitoring
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    name: istio-operator
+    release: prometheus-operator
+  name: istio-operator
+  namespace: {{.Values.operatorNamespace}}
+spec:
+  selector:
+    matchLabels:
+      name: istio-operator
+  endpoints:
+  - port: http-metrics
+{{ end }}

assets/charts/components/istio-operator/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: {{.Values.operatorNamespace}}
+  labels:
+    name: istio-operator
+  name: istio-operator
+spec:
+  ports:
+  - name: http-metrics
+    port: 8383
+    targetPort: 8383
+  selector:
+    name: istio-operator
+---

assets/charts/components/istio-operator/templates/service_account.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{.Values.operatorNamespace}}
+  name: istio-operator
+---

assets/charts/components/istio-operator/values.yaml

@@ -0,0 +1,8 @@
+hub: docker.io/istio
+tag: 1.6.3
+operatorNamespace: istio-operator
+istioNamespace: istio-system
+
+# XXX: Lokomotive specific changes
+istioOperator:
+  profile: minimal

ci/aks/aks-cluster.lokocfg.envsubst

@@ -114,3 +114,7 @@ component "httpbin" {
 
   certmanager_cluster_issuer = "letsencrypt-staging"
 }
+
+component "experimental-istio-operator" {
+  enable_monitoring = true
+}

ci/aws/aws-cluster.lokocfg.envsubst

@@ -223,3 +223,7 @@ component "httpbin" {
 }
 
 component "aws-ebs-csi-driver" {}
+
+component "experimental-istio-operator" {
+  enable_monitoring = true
+}

ci/packet/packet-cluster.lokocfg.envsubst

@@ -201,3 +201,7 @@ component "httpbin" {
 
   certmanager_cluster_issuer = "letsencrypt-staging"
 }
+
+component "experimental-istio-operator" {
+  enable_monitoring = true
+}

cli/cmd/component.go

@@ -27,6 +27,7 @@ import (
 	_ "github.com/kinvolk/lokomotive/pkg/components/flatcar-linux-update-operator"
 	_ "github.com/kinvolk/lokomotive/pkg/components/gangway"
 	_ "github.com/kinvolk/lokomotive/pkg/components/httpbin"
+	_ "github.com/kinvolk/lokomotive/pkg/components/istio-operator"
 	_ "github.com/kinvolk/lokomotive/pkg/components/linkerd"
 	_ "github.com/kinvolk/lokomotive/pkg/components/metallb"
 	_ "github.com/kinvolk/lokomotive/pkg/components/metrics-server"