From 616555abe1ffa8956374a0163394c92477fac692 Mon Sep 17 00:00:00 2001 From: Kochetkov S Date: Wed, 3 Jun 2026 15:27:05 +0300 Subject: [PATCH] add isito resources to brusnika-stage --- .../infrastructure/kustomization.yaml | 18 + .../infrastructure/patches/istio-config.yaml | 515 ++++++++++++++++++ .../infrastructure/patches/istio-gateway.yaml | 33 ++ 3 files changed, 566 insertions(+) create mode 100644 clusters/brusnika-stage/infrastructure/patches/istio-config.yaml create mode 100644 clusters/brusnika-stage/infrastructure/patches/istio-gateway.yaml diff --git a/clusters/brusnika-stage/infrastructure/kustomization.yaml b/clusters/brusnika-stage/infrastructure/kustomization.yaml index 4871d99..4c62b0d 100644 --- a/clusters/brusnika-stage/infrastructure/kustomization.yaml +++ b/clusters/brusnika-stage/infrastructure/kustomization.yaml @@ -1,9 +1,27 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - ../../../infrastructure/istio-base + - ../../../infrastructure/istio-pilot + - ../../../infrastructure/istio-gateway + - ../../../infrastructure/istio-config - ../../../infrastructure/vault - ./vault-ingress.yaml patches: + - path: ./patches/istio-gateway.yaml + target: + group: helm.toolkit.fluxcd.io + version: v2 + kind: HelmRelease + name: ingressgateway + namespace: istio-system + - path: ./patches/istio-config.yaml + target: + group: helm.toolkit.fluxcd.io + version: v2 + kind: HelmRelease + name: istio-config + namespace: default - path: ./patches/vault.yaml target: group: helm.toolkit.fluxcd.io diff --git a/clusters/brusnika-stage/infrastructure/patches/istio-config.yaml b/clusters/brusnika-stage/infrastructure/patches/istio-config.yaml new file mode 100644 index 0000000..e0787a2 --- /dev/null +++ b/clusters/brusnika-stage/infrastructure/patches/istio-config.yaml 
@@ -0,0 +1,515 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: istio-config + namespace: default +spec: + values: + global: + env: brusnika-stage + environments: + brusnika-stage: + namespaces: [] + certManager: + clusterIssuers: {} + certificates: + keycloak.camunda.test.sarex.brusnika.tech-tls: + namespace: ingress-nginx + dnsNames: + - keycloak.camunda.test.sarex.brusnika.tech + issuerRef: + name: letsencrypt + kind: ClusterIssuer + camunda-platform-operate-tls: + namespace: ingress-nginx + dnsNames: + - operate.camunda.test.sarex.brusnika.tech + issuerRef: + name: letsencrypt + kind: ClusterIssuer + camunda-platform-tasklist-tls: + namespace: ingress-nginx + dnsNames: + - tasklist.camunda.test.sarex.brusnika.tech + issuerRef: + name: letsencrypt + kind: ClusterIssuer + tls-public-link: + namespace: ingress-nginx + dnsNames: + - document-link.test.sarex.brusnika.tech + issuerRef: + name: letsencrypt + kind: ClusterIssuer + tls-stamp-verification: + namespace: ingress-nginx + dnsNames: + - stamp-verification.test.sarex.brusnika.tech + issuerRef: + name: letsencrypt + kind: ClusterIssuer + gitea-stage-tls: + namespace: ingress-nginx + dnsNames: + - gitea.stage.brusnika.sarex.lonsdaleites.ru + issuerRef: + name: letsencrypt + kind: ClusterIssuer + another-nginx-secret: + namespace: ingress-nginx + dnsNames: + - test.sarex.brusnika.tech + issuerRef: + name: letsencrypt + kind: ClusterIssuer + nginx-secret: + namespace: ingress-nginx + dnsNames: + - cde.brusnika.lonsdaleites.ru + issuerRef: + name: letsencrypt + kind: ClusterIssuer + jupyter-cert-secret: + namespace: ingress-nginx + dnsNames: + - jupyter.brusnika.lonsdaleites.ru + issuerRef: + name: letsencrypt + kind: ClusterIssuer + dashboard-cert-secret: + namespace: ingress-nginx + dnsNames: + - dashboard.brusnika.lonsdaleites.ru + issuerRef: + name: letsencrypt + kind: ClusterIssuer + minio-console-cert-secret: + namespace: ingress-nginx + dnsNames: + - 
minio.brusnika.lonsdaleites.ru + issuerRef: + name: letsencrypt + kind: ClusterIssuer + superset-tls-secret: + namespace: ingress-nginx + dnsNames: + - superset.test.sarex.brusnika.tech + issuerRef: + name: letsencrypt + kind: ClusterIssuer + vault-stage-tls: + namespace: ingress-nginx + dnsNames: + - vault.stage.brusnika.sarex.lonsdaleites.ru + issuerRef: + name: letsencrypt + kind: ClusterIssuer + istio: + envoyFilters: {} + authorizationPolicies: {} + requestAuthentications: {} + gateways: + camunda-identity: + name: camunda-identity-gw + namespace: ingress-nginx + selector: + istio: ingressgateway + servers: + - hosts: + - identity.camunda.test.sarex.brusnika.tech + camunda-keycloak: + name: camunda-keycloak-gw + namespace: ingress-nginx + selector: + istio: ingressgateway + servers: + - hosts: + - keycloak.camunda.test.sarex.brusnika.tech + tls: + credentialName: keycloak.camunda.test.sarex.brusnika.tech-tls + camunda-operate: + name: camunda-operate-gw + namespace: ingress-nginx + selector: + istio: ingressgateway + servers: + - hosts: + - operate.camunda.test.sarex.brusnika.tech + tls: + credentialName: camunda-platform-operate-tls + camunda-optimize: + name: camunda-optimize-gw + namespace: ingress-nginx + selector: + istio: ingressgateway + servers: + - hosts: + - optimize.camunda.test.sarex.brusnika.tech + camunda-tasklist: + name: camunda-tasklist-gw + namespace: ingress-nginx + selector: + istio: ingressgateway + servers: + - hosts: + - tasklist.camunda.test.sarex.brusnika.tech + tls: + credentialName: camunda-platform-tasklist-tls + document-link: + name: document-link-gw + namespace: ingress-nginx + selector: + istio: ingressgateway + servers: + - hosts: + - document-link.test.sarex.brusnika.tech + tls: + credentialName: tls-public-link + stamp-verification: + name: stamp-verification-gw + namespace: ingress-nginx + selector: + istio: ingressgateway + servers: + - hosts: + - stamp-verification.test.sarex.brusnika.tech + tls: + credentialName: 
tls-stamp-verification + gitea: + name: gitea-gw + namespace: ingress-nginx + selector: + istio: ingressgateway + servers: + - hosts: + - gitea.stage.brusnika.sarex.lonsdaleites.ru + tls: + credentialName: gitea-stage-tls + global-test: + name: global-test-gw + namespace: ingress-nginx + selector: + istio: ingressgateway + servers: + - hosts: + - test.sarex.brusnika.tech + tls: + credentialName: another-nginx-secret + global-cde: + name: global-cde-gw + namespace: ingress-nginx + selector: + istio: ingressgateway + servers: + - hosts: + - cde.brusnika.lonsdaleites.ru + tls: + credentialName: nginx-secret + jupyter: + name: jupyter-gw + namespace: ingress-nginx + selector: + istio: ingressgateway + servers: + - hosts: + - jupyter.brusnika.lonsdaleites.ru + tls: + credentialName: jupyter-cert-secret + dashboard: + name: dashboard-gw + namespace: ingress-nginx + selector: + istio: ingressgateway + servers: + - hosts: + - dashboard.brusnika.lonsdaleites.ru + tls: + credentialName: dashboard-cert-secret + minio: + name: minio-gw + namespace: ingress-nginx + selector: + istio: ingressgateway + servers: + - hosts: + - minio.brusnika.lonsdaleites.ru + tls: + credentialName: minio-console-cert-secret + superset: + name: superset-gw + namespace: ingress-nginx + selector: + istio: ingressgateway + servers: + - hosts: + - superset.test.sarex.brusnika.tech + tls: + credentialName: superset-tls-secret + vault: + name: vault-gw + namespace: ingress-nginx + selector: + istio: ingressgateway + servers: + - hosts: + - vault.stage.brusnika.sarex.lonsdaleites.ru + tls: + credentialName: vault-stage-tls + virtualServices: + camunda-identity-vs: + namespace: camunda + hosts: + - identity.camunda.test.sarex.brusnika.tech + gateways: + - ingress-nginx/camunda-identity-gw + routes: + - path: + prefix: / + service: camunda-identity.camunda.svc.cluster.local + port: 80 + camunda-keycloak-vs: + namespace: camunda + hosts: + - keycloak.camunda.test.sarex.brusnika.tech + gateways: + - 
ingress-nginx/camunda-keycloak-gw + routes: + - match: + - port: 80 + uri: + prefix: /auth/ + redirect: + scheme: https + redirectCode: 308 + - path: + prefix: /auth/ + service: camunda-keycloak.camunda.svc.cluster.local + port: 80 + camunda-operate-vs: + namespace: camunda + hosts: + - operate.camunda.test.sarex.brusnika.tech + gateways: + - ingress-nginx/camunda-operate-gw + routes: + - path: + prefix: / + service: camunda-operate.camunda.svc.cluster.local + port: 80 + camunda-optimize-vs: + namespace: camunda + hosts: + - optimize.camunda.test.sarex.brusnika.tech + gateways: + - ingress-nginx/camunda-optimize-gw + routes: + - path: + prefix: / + service: camunda-optimize.camunda.svc.cluster.local + port: 80 + camunda-tasklist-vs: + namespace: camunda + hosts: + - tasklist.camunda.test.sarex.brusnika.tech + gateways: + - ingress-nginx/camunda-tasklist-gw + routes: + - path: + prefix: / + service: camunda-tasklist.camunda.svc.cluster.local + port: 80 + document-link-vs: + namespace: documentations + hosts: + - document-link.test.sarex.brusnika.tech + gateways: + - ingress-nginx/document-link-gw + cors: + allowOrigins: + - regex: ".*" + routes: + - match: + - port: 80 + uri: + prefix: / + redirect: + scheme: https + redirectCode: 308 + - path: + prefix: / + service: frontend-service-public-link.documentations.svc.cluster.local + port: 80 + stamp-verification-vs: + namespace: documentations + hosts: + - stamp-verification.test.sarex.brusnika.tech + gateways: + - ingress-nginx/stamp-verification-gw + cors: + allowOrigins: + - regex: ".*" + routes: + - match: + - port: 80 + uri: + prefix: / + redirect: + scheme: https + redirectCode: 308 + - path: + prefix: / + service: stamp-verification-frontend-service.documentations.svc.cluster.local + port: 8080 + gitea-vs: + namespace: gitea + hosts: + - gitea.stage.brusnika.sarex.lonsdaleites.ru + gateways: + - ingress-nginx/gitea-gw + routes: + - match: + - port: 80 + uri: + prefix: / + redirect: + scheme: https + 
redirectCode: 308 + - path: + prefix: / + service: gitea.gitea.svc.cluster.local + port: 3000 + global-test-vs: + namespace: global-ingress + hosts: + - test.sarex.brusnika.tech + gateways: + - ingress-nginx/global-test-gw + cors: + allowOrigins: + - exact: https://test.sarex.brusnika.tech + - exact: https://stamp-verification.test.sarex.brusnika.tech + - exact: https://document-link.test.sarex.brusnika.tech + - exact: https://login.brusnika.ru + routes: + - match: + - port: 80 + uri: + prefix: / + redirect: + scheme: https + redirectCode: 308 + - path: + prefix: / + service: nginx-service.global-ingress.svc.cluster.local + port: 80 + global-cde-vs: + namespace: global-ingress + hosts: + - cde.brusnika.lonsdaleites.ru + gateways: + - ingress-nginx/global-cde-gw + cors: + allowOrigins: + - regex: ".*" + routes: + - match: + - port: 80 + uri: + prefix: / + redirect: + scheme: https + redirectCode: 308 + - path: + prefix: / + service: nginx-service.global-ingress.svc.cluster.local + port: 80 + jupyter-vs: + namespace: jupyter + hosts: + - jupyter.brusnika.lonsdaleites.ru + gateways: + - ingress-nginx/jupyter-gw + routes: + - match: + - port: 80 + uri: + prefix: / + redirect: + scheme: https + redirectCode: 308 + - path: + prefix: / + service: jupyter.jupyter.svc.cluster.local + port: 8888 + dashboard-vs: + namespace: kubernetes-dashboard + hosts: + - dashboard.brusnika.lonsdaleites.ru + gateways: + - ingress-nginx/dashboard-gw + routes: + - match: + - port: 80 + uri: + prefix: / + redirect: + scheme: https + redirectCode: 308 + - path: + prefix: / + service: kubernetes-dashboard-brusnika.kubernetes-dashboard.svc.cluster.local + port: 9090 + minio-vs: + namespace: minio + hosts: + - minio.brusnika.lonsdaleites.ru + gateways: + - ingress-nginx/minio-gw + routes: + - match: + - port: 80 + uri: + prefix: / + redirect: + scheme: https + redirectCode: 308 + - path: + prefix: / + service: minio-svc.minio.svc.cluster.local + port: 9000 + superset-vs: + namespace: superset + 
hosts: + - superset.test.sarex.brusnika.tech + gateways: + - ingress-nginx/superset-gw + routes: + - match: + - port: 80 + uri: + prefix: / + redirect: + scheme: https + redirectCode: 308 + - path: + prefix: / + service: superset.superset.svc.cluster.local + port: 8088 + vault-vs: + namespace: vault + hosts: + - vault.stage.brusnika.sarex.lonsdaleites.ru + gateways: + - ingress-nginx/vault-gw + routes: + - match: + - port: 80 + uri: + prefix: / + redirect: + scheme: https + redirectCode: 308 + - path: + prefix: / + service: vault-vault-contour.vault.svc.cluster.local + port: 8200 diff --git a/clusters/brusnika-stage/infrastructure/patches/istio-gateway.yaml b/clusters/brusnika-stage/infrastructure/patches/istio-gateway.yaml new file mode 100644 index 0000000..1114a38 --- /dev/null +++ b/clusters/brusnika-stage/infrastructure/patches/istio-gateway.yaml @@ -0,0 +1,33 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: ingressgateway + namespace: istio-system +spec: + targetNamespace: ingress-nginx + dependsOn: + - name: istio-base + namespace: istio-system + - name: istiod + namespace: istio-system + values: + name: istio-ingressgateway + labels: + app: istio-ingressgateway + istio: ingressgateway + service: + type: ClusterIP + externalTrafficPolicy: "" + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443
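Review bot: The `camunda-identity` and `camunda-optimize` gateways are the only two whose `servers` entry carries no `tls.credentialName`, no certificate for their hosts exists under `certManager.certificates`, and their VirtualServices (like the other Camunda ones, except the `/auth/` redirect on `camunda-keycloak-vs`) have no port-80 → https redirect, so `identity.camunda.test.sarex.brusnika.tech` and `optimize.camunda.test.sarex.brusnika.tech` would be served over plain HTTP unless the chart adds a TLS default of its own — the chart templates are not in this diff, so please confirm. Since the identity host carries login traffic, I would declare a certificate and a TLS server for both, as sketched below for identity (the secret name is constructed; match the project's naming), and give their VirtualServices the same `redirectCode: 308` route that `gitea-vs` and the others use. Separately, `document-link-vs`, `stamp-verification-vs` and `global-cde-vs` set `cors.allowOrigins` to `regex: ".*"`, which makes the CORS policy effectively unrestricted; `global-test-vs` already shows the explicit-origin form, which is the safer pattern to reuse.
```yaml
certificates:
  # … unchanged: existing certificate entries …
  camunda-identity-tls:  # constructed name — align with the project's naming
    namespace: ingress-nginx
    dnsNames:
      - identity.camunda.test.sarex.brusnika.tech
    issuerRef:
      name: letsencrypt
      kind: ClusterIssuer
# … unchanged: istio.gateways entries before camunda-identity …
camunda-identity:
  # … unchanged: name, namespace, selector …
  servers:
    - hosts:
        - identity.camunda.test.sarex.brusnika.tech
      tls:
        credentialName: camunda-identity-tls
# … same treatment for camunda-optimize …
```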
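Review bot: `externalTrafficPolicy: ""` under `service` deserves a comment, because the field has no effect on a `ClusterIP` service and a reader will otherwise take it for a leftover; something like `# cleared: externalTrafficPolicy applies only to NodePort/LoadBalancer services (ClusterIP here)`, plus a note that it overrides the chart default if that is the intent — the chart is not visible in this diff. A `ClusterIP` gateway deployed into `ingress-nginx` also implies that some other component fronts ports 80/443; naming that component in a comment on `type: ClusterIP` would save the next operator a hunt through the cluster.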