Enable istio-cni helm chart integration from istio.io repo (istio#9461)

- requirements.yaml to point to official istio helm repo - Make istio-cni enable and initContainer template flag a single option - Makefile: add helm extra settings to generate_yaml. Signed-off-by: Tim Swanson <tiswanso@cisco.com>
249043822 · Oct 26, 2018 · cc53c3a · cc53c3a
1 parent a78d9c5
commit cc53c3a
Show file tree

Hide file tree

Showing 7 changed files with 60 additions and 5 deletions.
diff --git a/Makefile b/Makefile
@@ -75,6 +75,15 @@ endif
 export GOOS ?= $(GOOS_LOCAL)
 
 export ENABLE_COREDUMP ?= false
+
+# Enable Istio CNI in helm template commands
+export ENABLE_ISTIO_CNI ?= false
+
+# NOTE: env var EXTRA_HELM_SETTINGS can contain helm chart override settings, example:
+# EXTRA_HELM_SETTINGS="--set istio-cni.excludeNamespaces={} --set istio-cni.tag=v0.1-dev-foo"
+
+
+ISTIO_HELM_REPO := https://raw.githubusercontent.com/istio/istio.io/master/static/charts
 #-----------------------------------------------------------------------------
 # Output control
 #-----------------------------------------------------------------------------
@@ -612,27 +621,36 @@ $(HELM):
 $(HOME)/.helm:
 	$(HELM) init --client-only
 
+.PHONY: helm-repo-add
+
+helm-repo-add:
+	$(HELM) repo add istio.io ${ISTIO_HELM_REPO}
+
 # create istio-remote.yaml
-istio-remote.yaml: $(HELM) $(HOME)/.helm
+istio-remote.yaml: $(HELM) $(HOME)/.helm helm-repo-add
 	cat install/kubernetes/namespace.yaml > install/kubernetes/$@
 	$(HELM) dep update --skip-refresh install/kubernetes/helm/istio-remote
 	$(HELM) template --name=istio --namespace=istio-system \
+		--set istio_cni.enabled=${ENABLE_ISTIO_CNI} \
+		${EXTRA_HELM_SETTINGS} \
 		install/kubernetes/helm/istio-remote >> install/kubernetes/$@
 
 # creates istio.yaml istio-auth.yaml istio-one-namespace.yaml istio-one-namespace-auth.yaml
 # Ensure that values-$filename is present in install/kubernetes/helm/istio
-isti%.yaml: $(HELM) $(HOME)/.helm
+isti%.yaml: $(HELM) $(HOME)/.helm helm-repo-add
 	$(HELM) dep update --skip-refresh install/kubernetes/helm/istio
 	cat install/kubernetes/namespace.yaml > install/kubernetes/$@
 	$(HELM) template --set global.tag=${TAG} \
 		--name=istio \
 		--namespace=istio-system \
 		--set global.hub=${HUB} \
 		--set global.proxy.enableCoreDump=${ENABLE_COREDUMP} \
+		--set istio_cni.enabled=${ENABLE_ISTIO_CNI} \
+		${EXTRA_HELM_SETTINGS} \
 		--values install/kubernetes/helm/istio/values-$@ \
 		install/kubernetes/helm/istio >> install/kubernetes/$@
 
-generate_yaml: $(HELM) $(HOME)/.helm
+generate_yaml: $(HELM) $(HOME)/.helm helm-repo-add
 	$(HELM) dep update --skip-refresh install/kubernetes/helm/istio
 	./install/updateVersion.sh -a ${HUB},${TAG} >/dev/null 2>&1
 	cat install/kubernetes/namespace.yaml > install/kubernetes/istio.yaml
@@ -641,6 +659,8 @@ generate_yaml: $(HELM) $(HOME)/.helm
 		--namespace=istio-system \
 		--set global.hub=${HUB} \
 		--set global.proxy.enableCoreDump=${ENABLE_COREDUMP} \
+		--set istio_cni.enabled=${ENABLE_ISTIO_CNI} \
+		${EXTRA_HELM_SETTINGS} \
 		--values install/kubernetes/helm/istio/values.yaml \
 		install/kubernetes/helm/istio >> install/kubernetes/istio.yaml
 
@@ -652,6 +672,8 @@ generate_yaml: $(HELM) $(HOME)/.helm
 		--set global.mtls.enabled=true \
 		--set global.controlPlaneSecurityEnabled=true \
 		--set global.proxy.enableCoreDump=${ENABLE_COREDUMP} \
+		--set istio_cni.enabled=${ENABLE_ISTIO_CNI} \
+		${EXTRA_HELM_SETTINGS} \
 		--values install/kubernetes/helm/istio/values.yaml \
 		install/kubernetes/helm/istio >> install/kubernetes/istio-auth.yaml
 
@@ -662,7 +684,7 @@ generate_yaml_coredump:
 # Generate the install files, using istioctl.
 # TODO: make sure they match, pass all tests.
 # TODO:
-generate_yaml_new: $(HELM) $(HOME)/.helm
+generate_yaml_new: $(HELM) $(HOME)/.helm helm-repo-add
 	$(HELM) init --client-only
 	$(HELM) dep update --skip-refresh install/kubernetes/helm/istio
 	./install/updateVersion.sh -a ${HUB},${TAG} >/dev/null 2>&1

diff --git a/install/kubernetes/helm/istio-remote/requirements.yaml b/install/kubernetes/helm/istio-remote/requirements.yaml
@@ -7,3 +7,7 @@ dependencies:
     version: 1.1.0
     condition: security.enabled
     repository: file://../subcharts/security
+  - name: istio-cni
+    version: ">=0.0.1"
+    repository: https://raw.githubusercontent.com/istio/istio.io/master/static/charts
+    condition: istio_cni.enabled
diff --git a/install/kubernetes/helm/istio-remote/templates/sidecar-injector-configmap.yaml b/install/kubernetes/helm/istio-remote/templates/sidecar-injector-configmap.yaml
@@ -14,7 +14,9 @@ data:
   config: |-
     policy: {{ .Values.global.proxy.autoInject }}
     template: |-
+{{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }}
       initContainers:
+{{- if not .Values.istio_cni.enabled }}
       - name: istio-init
         image: {{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}
         args:
@@ -56,6 +58,7 @@ data:
           privileged: true
           {{ end }}
         restartPolicy: Always
+{{- end }}
       {{ if eq .Values.global.proxy.enableCoreDump true }}
       - name: enable-core-dump
         args:
@@ -69,6 +72,7 @@ data:
         securityContext:
           privileged: true
       {{ end }}
+{{- end }}
       containers:
       - name: istio-proxy
         image: {{ "[[ if (isset .ObjectMeta.Annotations \"sidecar.istio.io/proxyImage\") -]]" }}

diff --git a/install/kubernetes/helm/istio-remote/values.yaml b/install/kubernetes/helm/istio-remote/values.yaml
@@ -242,3 +242,11 @@ global:
   # Use the Mesh Control Protocol (MCP) for configuring Mixer and
   # Pilot. Requires galley (`--set galley.enabled=true`).
   useMCP: false
+
+#
+# Istio CNI plugin enabled
+#   If true, the privileged initContainer istio-init is not needed to perform the traffic redirect
+#   settings for the istio-proxy.
+#
+istio_cni:
+  enabled: false
diff --git a/install/kubernetes/helm/istio/requirements.yaml b/install/kubernetes/helm/istio/requirements.yaml
@@ -54,4 +54,9 @@ dependencies:
   - name: certmanager
     version: 1.1.0
     condition: certmanager.enabled
-    repository: file://../subcharts/certmanager
+    repository: file://../subcharts/certmanager
+  - name: istio-cni
+    version: ">=0.0.1"
+    repository: https://raw.githubusercontent.com/istio/istio.io/master/static/charts
+    condition: istio_cni.enabled
+
diff --git a/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml b/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml
@@ -14,7 +14,9 @@ data:
   config: |-
     policy: {{ .Values.global.proxy.autoInject }}
     template: |-
+{{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }}
       initContainers:
+{{- if not .Values.istio_cni.enabled }}
       - name: istio-init
 {{- if contains "/" .Values.global.proxy_init.image }}
         image: "{{ .Values.global.proxy_init.image }}"
@@ -52,6 +54,7 @@ data:
           privileged: true
           {{ end -}}
         restartPolicy: Always
+{{- end }}
       {{ if eq .Values.global.proxy.enableCoreDump true }}
       - name: enable-core-dump
         args:
@@ -69,6 +72,7 @@ data:
         securityContext:
           privileged: true
       {{ end }}
+{{- end }}
       containers:
       - name: istio-proxy
 {{- if contains "/" .Values.global.proxy.image }}

diff --git a/install/kubernetes/helm/istio/values.yaml b/install/kubernetes/helm/istio/values.yaml
@@ -79,6 +79,14 @@ tracing:
 kiali:
   enabled: false
 
+#
+# Istio CNI plugin enabled
+#   If true, the privileged initContainer istio-init is not needed to perform the traffic redirect
+#   settings for the istio-proxy.
+#
+istio_cni:
+  enabled: false
+
 # Common settings used among istio subcharts.
 global:
   # Default hub for Istio images.