sunggun-yu
diff --git a/‎charts/meowhq-istio/README.md‎
Lines changed: 61 additions & 46 deletions b/‎charts/meowhq-istio/README.md‎
Lines changed: 61 additions & 46 deletions
diff --git a/‎charts/meowhq-istio/examples/README.md‎
Lines changed: 119 additions & 0 deletions b/‎charts/meowhq-istio/examples/README.md‎
Lines changed: 119 additions & 0 deletions
diff --git a/‎charts/meowhq-istio/templates/multicluster/istio-reader-sa-remote-token.yaml‎
Lines changed: 1 addition & 1 deletion b/‎charts/meowhq-istio/templates/multicluster/istio-reader-sa-remote-token.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎charts/meowhq-istio/tests/default-vaules-istiod_test.yaml‎
Lines changed: 20 additions & 0 deletions b/‎charts/meowhq-istio/tests/default-vaules-istiod_test.yaml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎charts/meowhq-istio/tests/istio-reader-sa-remote-token_test.yaml‎
Lines changed: 35 additions & 14 deletions b/‎charts/meowhq-istio/tests/istio-reader-sa-remote-token_test.yaml‎
Lines changed: 35 additions & 14 deletions
@@ -7,49 +7,64 @@ Helm Chart for installing and configuring Istio Base and Istiod with Istio offic
 - `istio/base`: Istio base chart which contains cluster-wide Custom Resource Definitions (CRDs) which must be installed prior to the deployment of the Istio control plane
 - `istio/istiod`: Istio discovery chart which deploys the istiod service
 
-## Multicluster Config Example
-
-### Multi-Primary
-
-It follows the installation instruction:
-
-- [Install Multi-Primary](https://istio.io/latest/docs/setup/install/multicluster/multi-primary/)
-- [Install Multi-Primary on different networks](https://istio.io/latest/docs/setup/install/multicluster/multi-primary_multi-network/)
-
-Helm values example:
-
-```yaml
-# =============================================================================
-# istiod Helm Chart configuration
-# =============================================================================
-istiod:
-  global:
-    meshID: "meowhq-lab-mesh"
-    network: "meowhq-lab"
-    multiCluster:
-      enabled: true
-      clusterName: "meowhq"
-```
-
-### Primary-Remote
-
-It follows the installation instruction:
-
-- [Install Primary-Remote](https://istio.io/latest/docs/setup/install/multicluster/primary-remote/)
-- [Install Primary-Remote on different networks](https://istio.io/latest/docs/setup/install/multicluster/primary-remote_multi-network/)
-
-Helm values example:
-
-```yaml
-# =============================================================================
-# istiod Helm Chart configuration
-# =============================================================================
-istiod:
-  global:
-    meshID: "meowhq-lab-mesh"
-    network: "meowhq-lab"
-    externalIstiod: true # when expose istiod to external - primary-remote setup
-    multiCluster:
-      enabled: true
-      clusterName: "meowhq"
-```
+## Configuration Values
+
+please see [examples](examples/README.md) for more about usage and examples of values.
+
+### Global Settings
+
+Shared global settings for both istio base and istiod subchart.
+
+- `global.istioNamespace` - Namespace where Istio components will be installed (default: istio-system). it is shared global value for both istio base and istiod subchart
+- `global.imagePullSecrets` - Image pull secrets for accessing container registry (default: artifactory-registry). it is shared global value for both istio base and istiod subchart
+
+### Istio Base Settings
+
+For more detail: <https://github.com/istio/istio/blob/master/manifests/charts/base/values.yaml>
+
+- `base.enabled` - Enable installation of Istio base chart (default: true)
+- `base.profile` - istio profile to be applied (default: not defined). set `remote` for Remote cluster for Primary-Remote multicluster setup
+- `base.defaultRevision` - Default revision for Istio installation (default: default)
+
+### Istiod Settings
+
+For more details: <https://github.com/istio/istio/blob/master/manifests/charts/istio-control/istio-discovery/values.yaml>
+
+#### Global Istiod Configuration
+
+- `istiod.enabled` - Enable installation of Istiod component (default: true)
+- `istiod.profile` - istio profile to be applied (default: not defined). set `remote` for Remote cluster for Primary-Remote multicluster setup
+- `istiod.global.configValidation` - Enable config validation (default: true)
+- `istiod.global.priorityClass` - Priority class for Istiod pods (default: infra-critical)
+- `istiod.global.caAddress` - CA address for istio-csr integration (default: "") this is for cert-manager-istio-csr integration.
+
+#### Multicluster Configuration
+
+- `istiod.global.meshID` - Mesh ID for multicluster setup (default: ""). no meshID required for Remote cluster. the `remote` profile will ignore in anyways.
+- `istiod.global.network` - Network name for multicluster setup (default: "")
+- `istiod.global.multiCluster.enabled` - Enable multicluster setup (default: false)
+- `istiod.global.multiCluster.clusterName` - Name of the cluster in multicluster setup (default: "")
+- `istiod.global.externalIstiod` - Enable control of remote clusters (default: false)
+- `istiod.global.configCluster` - Configure as remote cluster for external istiod (default: false)
+
+#### Proxy Configuration
+
+- `istiod.global.proxy.logLevel` - Log level for sidecars (default: info)
+- `istiod.global.proxy.resources.requests.cpu` - CPU requests for sidecar (default: 100m)
+- `istiod.global.proxy.resources.requests.memory` - Memory requests for sidecar (default: 64Mi)
+- `istiod.global.proxy.resources.limits.cpu` - CPU limits for sidecar (default: 200m)
+- `istiod.global.proxy.resources.limits.memory` - Memory limits for sidecar (default: 128Mi)
+
+#### Mesh Configuration
+
+- `istiod.meshConfig.accessLogFile` - Access log file path (default: /dev/stdout)
+- `istiod.meshConfig.enableTracing` - Enable distributed tracing (default: true)
+- `istiod.meshConfig.defaultConfig.holdApplicationUntilProxyStarts` - Hold app start until proxy ready (default: true)
+
+#### Pilot Configuration
+
+- `istiod.pilot.autoscaleEnabled` - Enable autoscaling for istiod (default: true)
+- `istiod.pilot.autoscaleMin` - Minimum replicas for istiod (default: 2)
+- `istiod.pilot.cni.enabled` - Enable CNI plugin (default: true)
+- `istiod.pilot.resources.requests.cpu` - CPU requests for istiod (default: 10m)
+- `istiod.pilot.resources.requests.memory` - Memory requests for istiod (default: 100Mi)
@@ -0,0 +1,119 @@
+# Examples
+
+## normal installation
+
+just install with default values for normal and non-multicluster configuration.
+
+## use another priority class
+
+values.yaml:
+
+```yaml
+istiod:
+  global:
+    priorityClass: something-else
+```
+
+following also works:
+
+```yaml
+global:
+  priorityClass: something-else
+```
+
+## Multicluster example
+
+prerequisites of following example:
+
+- `cert-manager-istio-csr` chart installed
+- Vault PKI engine is integrated
+
+### Multi-Primary on different networks example
+
+> ref: <https://istio.io/latest/docs/setup/install/multicluster/multi-primary_multi-network/>
+
+values.yaml: in all clusters in the mesh cluster
+
+```yaml
+istiod:
+  global:
+    caAddress: "cert-manager-istio-csr.istio-system.svc:443"
+    meshID: "mesh1"
+    network: "network1"
+    multiCluster:
+      enabled: true
+      clusterName: "cluster1"
+  pilot:
+    env:
+      ENABLE_CA_SERVER: false
+```
+
+### Primary-Remote on different networks example
+
+Primary-Remote consists of Primary and Remote clusters, and the configuration is slightly different between them.
+
+> ⚠️ INFO:
+>
+> - ensure the Istio cross-network gateway is configured for each primary / remote cluster
+> - some manual configuration may be required to set label/annotation to istio-system namespace
+>
+> ref: <https://istio.io/latest/docs/setup/install/multicluster/primary-remote_multi-network/>
+
+#### Primary
+
+> ref: <https://istio.io/latest/docs/setup/install/multicluster/primary-remote_multi-network/#configure-cluster1-as-a-primary>
+
+values.yaml:
+
+```yaml
+istiod:
+  global:
+    caAddress: "cert-manager-istio-csr.istio-system.svc:443"
+    meshID: "mesh1"
+    network: "network1"
+    multiCluster:
+      enabled: true
+      clusterName: "cluster1"
+    externalIstiod: true
+  pilot:
+    env:
+      ENABLE_CA_SERVER: false
+```
+
+#### Remote
+
+> ref: <https://istio.io/latest/docs/setup/install/multicluster/primary-remote_multi-network/#configure-cluster2-as-a-remote>
+
+values.yaml:
+
+> ⚠️ INFO:
+>
+> - no meshID for Remote cluster
+
+```yaml
+base:
+  profile: remote
+istiod:
+  profile: remote
+  global:
+    caAddress: "cert-manager-istio-csr.istio-system.svc:443"
+    network: "network2"
+    multiCluster:
+      enabled: true
+      clusterName: "cluster2"
+    configCluster: true
+    remotePilotAddress: 192.168.10.20 # loadbalancer ip of primary cluster cross-network-gateway svc
+  istiodRemote:
+    injectionPath: /inject/cluster/cluster1/net/network1
+  pilot:
+    env:
+      ENABLE_CA_SERVER: false
+```
+
+you can get loadbalancer ip of primary cluster:
+
+```bash
+# ensure you are in primary cluster context
+kubectl -n istio-system get svc istio-cross-network-gateway \
+    -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
+```
@@ -10,7 +10,7 @@ kind: Secret
 type: kubernetes.io/service-account-token
 metadata:
   name: istio-reader-service-account-istio-remote-secret-token
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.global.istioNamespace }}
   annotations:
     kubernetes.io/service-account.name: istio-reader-service-account
 {{- end }}
@@ -0,0 +1,20 @@
+suite: istiod test with default values
+templates:
+  - charts/* # this includes all the templates in the subchart
+release:
+  name: "istio"
+  namespace: "istio-system"
+tests:
+- it: should render deployment with default values
+  template: charts/istiod/templates/deployment.yaml
+  asserts:
+  - containsDocument:
+      apiVersion: apps/v1
+      kind: Deployment
+      name: istiod
+      namespace: istio-system
+  - equal:
+      path: spec.template.spec.containers[?(@.name == "discovery")].env[?(@.name == "CLUSTER_ID")].value
+      value: "Kubernetes"
+  - notExists:
+      path: spec.template.spec.containers[?(@.name == "discovery")].env[?(@.name == "ENABLE_CA_SERVER")]
@@ -1,19 +1,40 @@
 suite: test istio-reader-sa-remote-token template
 templates:
   - multicluster/istio-reader-sa-remote-token.yaml
-release:
-  namespace: istio-system
-values:
-  - values/multicluster-values.yaml
+set:
+  istiod.global.multiCluster.enabled: true
+  global.istioNamespace: istio-system
+
 tests:
-  - it: should render secret
+  - it: should render metadata.name and namespace with the correct value
     asserts:
-    - containsDocument:
-        apiVersion: v1
-        kind: Secret
-        name: istio-reader-service-account-istio-remote-secret-token
-        namespace: istio-system
-    - isSubset:
-        path: metadata.annotations
-        content:
-          kubernetes.io/service-account.name: istio-reader-service-account
+      - equal:
+          path: metadata.name
+          value: "istio-reader-service-account-istio-remote-secret-token"
+      - equal:
+          path: metadata.namespace
+          value: "istio-system"
+
+  - it: should render the apiVersion with the correct value
+    asserts:
+      - equal:
+          path: apiVersion
+          value: "v1"
+
+  - it: should render the kind with the correct value
+    asserts:
+      - equal:
+          path: kind
+          value: "Secret"
+
+  - it: should render the correct type for the Secret
+    asserts:
+      - equal:
+          path: type
+          value: "kubernetes.io/service-account-token"
+
+  - it: should render the correct service account annotation if present
+    asserts:
+      - equal:
+          path: metadata.annotations["kubernetes.io/service-account.name"]
+          value: "istio-reader-service-account"