Additional Istio resources into the reconciliation (#346)

* Initial

* Second

* Third

* WIP

* Unit tests

* More unit tests

* Integration test

* Fix integration tests

* Update docs/contributor/04-40-istio-resources.md

Co-authored-by: Natalia Sitko <[email protected]>

* Update internal/reconciliations/istio_resources/gateway_kyma.yaml

Co-authored-by: Bartosz Chwila <[email protected]>

* Update docs/contributor/04-40-istio-resources.md

Co-authored-by: Natalia Sitko <[email protected]>

* Update docs/contributor/04-40-istio-resources.md

Co-authored-by: Natalia Sitko <[email protected]>

* Update docs/contributor/04-40-istio-resources.md

Co-authored-by: Natalia Sitko <[email protected]>

* Update docs/contributor/04-40-istio-resources.md

Co-authored-by: Natalia Sitko <[email protected]>

* Update docs/release-notes/1.0.1.md

Co-authored-by: Natalia Sitko <[email protected]>

* Update docs/contributor/04-40-istio-resources.md

Co-authored-by: Natalia Sitko <[email protected]>

* scheme packages

* Owner to configmaps

* Obsolete

* Warning

* VS in different versions

* Error description

* Lint fix

* fix istio-resources feature

* Update internal/reconciliations/istio_resources/configmap_control_plane.go

Co-authored-by: Bartosz Chwila <[email protected]>

* Update internal/reconciliations/istio_resources/configmap_mesh.go

Co-authored-by: Bartosz Chwila <[email protected]>

* Update internal/reconciliations/istio_resources/configmap_performance.go

Co-authored-by: Bartosz Chwila <[email protected]>

* Update internal/reconciliations/istio_resources/configmap_service.go

Co-authored-by: Bartosz Chwila <[email protected]>

* Update internal/reconciliations/istio_resources/configmap_workload.go

Co-authored-by: Bartosz Chwila <[email protected]>

* Update internal/reconciliations/istio_resources/peer_authentication_mtls.go

Co-authored-by: Bartosz Chwila <[email protected]>

* Update internal/reconciliations/istio_resources/gateway_kyma.go

Co-authored-by: Bartosz Chwila <[email protected]>

* Update internal/reconciliations/istio_resources/virtual_service_healthz.go

Co-authored-by: Bartosz Chwila <[email protected]>

* Update tests/integration/scenario.go

Co-authored-by: Bartosz Chwila <[email protected]>

* Rename

* Update internal/reconciliations/istio_resources/configmap_control_plane.go

Co-authored-by: Bartosz Chwila <[email protected]>

* Update internal/reconciliations/istio_resources/configmap_mesh.go

Co-authored-by: Bartosz Chwila <[email protected]>

* Update internal/reconciliations/istio_resources/configmap_service.go

Co-authored-by: Bartosz Chwila <[email protected]>

* Update internal/reconciliations/istio_resources/configmap_workload.go

Co-authored-by: Bartosz Chwila <[email protected]>

* Update internal/reconciliations/istio_resources/envoy_filter_allow_partial_referer.go

Co-authored-by: Bartosz Chwila <[email protected]>

* Update internal/reconciliations/istio_resources/peer_authentication_mtls.go

Co-authored-by: Bartosz Chwila <[email protected]>

* dummy

* Refactor applies

* Update istio_resources.feature

* Log istio CR description

* Wait for istio system do be deleted

* Update 04-40-istio-resources.md

---------

Co-authored-by: Natalia Sitko <[email protected]>
Co-authored-by: Bartosz Chwila <[email protected]>
Co-authored-by: Chwila <[email protected]>

controllers/istio_controller.go

@@ -19,9 +19,10 @@ package controllers
 import (
 	"context"
 	"fmt"
-	"github.com/kyma-project/istio/operator/internal/filter"
 	"time"
 
+	"github.com/kyma-project/istio/operator/internal/filter"
+
 	"github.com/kyma-project/istio/operator/internal/described_errors"
 	"github.com/kyma-project/istio/operator/internal/reconciliations/ingress_gateway"
 	"github.com/kyma-project/istio/operator/internal/reconciliations/istio_resources"
@@ -56,16 +57,25 @@ var IstioTag = fmt.Sprintf("%s-%s", IstioVersion, IstioImageBase)
 func NewReconciler(mgr manager.Manager, reconciliationInterval time.Duration) *IstioReconciler {
 	merger := manifest.NewDefaultIstioMerger()
 
-	envoyFilterReferer := istio_resources.NewEnvoyFilterAllowPartialReferer(mgr.GetClient())
-	istioResources := []istio_resources.Resource{envoyFilterReferer}
+	efReferer := istio_resources.NewEnvoyFilterAllowPartialReferer(mgr.GetClient())
+
+	istioResources := []istio_resources.Resource{efReferer}
+	istioResources = append(istioResources, istio_resources.NewGatewayKyma(mgr.GetClient()))
+	istioResources = append(istioResources, istio_resources.NewVirtualServiceHealthz(mgr.GetClient()))
+	istioResources = append(istioResources, istio_resources.NewPeerAuthenticationMtls(mgr.GetClient()))
+	istioResources = append(istioResources, istio_resources.NewConfigMapControlPlane(mgr.GetClient()))
+	istioResources = append(istioResources, istio_resources.NewConfigMapMesh(mgr.GetClient()))
+	istioResources = append(istioResources, istio_resources.NewConfigMapPerformance(mgr.GetClient()))
+	istioResources = append(istioResources, istio_resources.NewConfigMapService(mgr.GetClient()))
+	istioResources = append(istioResources, istio_resources.NewConfigMapWorkload(mgr.GetClient()))
 
 	return &IstioReconciler{
 		Client:                 mgr.GetClient(),
 		Scheme:                 mgr.GetScheme(),
 		istioInstallation:      &istio.Installation{Client: mgr.GetClient(), IstioClient: istio.NewIstioClient(), IstioVersion: IstioVersion, IstioImageBase: IstioImageBase, Merger: &merger},
-		proxySidecars:          &proxy.Sidecars{IstioVersion: IstioVersion, IstioImageBase: IstioImageBase, Log: mgr.GetLogger(), Client: mgr.GetClient(), Merger: &merger, Predicates: []filter.SidecarProxyPredicate{envoyFilterReferer}},
+		proxySidecars:          &proxy.Sidecars{IstioVersion: IstioVersion, IstioImageBase: IstioImageBase, Log: mgr.GetLogger(), Client: mgr.GetClient(), Merger: &merger, Predicates: []filter.SidecarProxyPredicate{efReferer}},
 		istioResources:         istio_resources.NewReconciler(mgr.GetClient(), istioResources),
-		ingressGateway:         ingress_gateway.Reconciler{Client: mgr.GetClient(), Predicates: []filter.IngressGatewayPredicate{envoyFilterReferer}},
+		ingressGateway:         ingress_gateway.NewReconciler(mgr.GetClient(), []filter.IngressGatewayPredicate{efReferer}),
 		log:                    mgr.GetLogger(),
 		statusHandler:          newStatusHandler(mgr.GetClient()),
 		reconciliationInterval: reconciliationInterval,
@@ -129,7 +139,7 @@ func (r *IstioReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl
 		return ctrl.Result{}, nil
 	}
 
-	resourcesErr := r.istioResources.Reconcile(ctx)
+	resourcesErr := r.istioResources.Reconcile(ctx, istioCR)
 	if resourcesErr != nil {
 		return r.requeueReconciliation(ctx, istioCR, resourcesErr)
 	}

controllers/istio_controller_test.go

@@ -3,10 +3,10 @@ package controllers
 import (
 	"context"
 	"fmt"
+	"time"
+
 	"github.com/kyma-project/istio/operator/internal/filter"
-	"github.com/kyma-project/istio/operator/internal/reconciliations/ingress_gateway"
 	"github.com/kyma-project/istio/operator/internal/reconciliations/istio_resources"
-	"time"
 
 	"github.com/go-logr/logr"
 	operatorv1alpha1 "github.com/kyma-project/istio/operator/api/v1alpha1"
@@ -579,7 +579,7 @@ var _ = Describe("Istio Controller", func() {
 type ingressGatewayReconciliationMock struct {
 }
 
-func (i *ingressGatewayReconciliationMock) AddReconcilePredicate(_ filter.IngressGatewayPredicate) ingress_gateway.Reconciliation {
+func (i *ingressGatewayReconciliationMock) AddReconcilePredicate(_ filter.IngressGatewayPredicate) Reconciliation {
 	return i
 }
 
@@ -590,11 +590,11 @@ func (i *ingressGatewayReconciliationMock) Reconcile(_ context.Context) describe
 type istioResourcesReconciliationMock struct {
 }
 
-func (i *istioResourcesReconciliationMock) AddReconcileResource(_ istio_resources.Resource) istio_resources.Reconciliation {
+func (i *istioResourcesReconciliationMock) AddReconcileResource(_ istio_resources.Resource) istio_resources.ResourcesReconciliation {
 	return i
 }
 
-func (i *istioResourcesReconciliationMock) Reconcile(_ context.Context) described_errors.DescribedError {
+func (i *istioResourcesReconciliationMock) Reconcile(_ context.Context, istioCR operatorv1alpha1.Istio) described_errors.DescribedError {
 	return nil
 }
 

controllers/istio_types.go

@@ -1,27 +1,32 @@
 package controllers
 
 import (
-	"github.com/kyma-project/istio/operator/internal/reconciliations/ingress_gateway"
-	"github.com/kyma-project/istio/operator/internal/reconciliations/istio_resources"
+	"context"
 	"time"
 
 	"github.com/go-logr/logr"
+	"github.com/kyma-project/istio/operator/internal/described_errors"
 	"github.com/kyma-project/istio/operator/internal/reconciliations/istio"
+	"github.com/kyma-project/istio/operator/internal/reconciliations/istio_resources"
 	"github.com/kyma-project/istio/operator/internal/reconciliations/proxy"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+type Reconciliation interface {
+	Reconcile(ctx context.Context) described_errors.DescribedError
+}
+
 // IstioReconciler reconciles a Istio object
 type IstioReconciler struct {
 	*rest.Config // required to pass rest config to the declarative library
 	client.Client
 	Scheme                 *runtime.Scheme
 	istioInstallation      istio.InstallationReconciliation
 	proxySidecars          proxy.SidecarsReconciliation
-	istioResources         istio_resources.Reconciliation
-	ingressGateway         ingress_gateway.Reconciliation
+	istioResources         istio_resources.ResourcesReconciliation
+	ingressGateway         Reconciliation
 	log                    logr.Logger
 	statusHandler          status
 	reconciliationInterval time.Duration

docs/contributor/04-40-istio-resources.md

@@ -0,0 +1,11 @@
+# Kyma Istio Additional Resources
+
+## Overview
+
+The additional Istio resources include the Kyma configuration of Istio. They consist of:
+
+
+- Configuration details for Istio monitoring containing specifications for Grafana dashboards
+- Configuration for Istio Ingress Gateway, which handles incoming traffic to Kyma
+- Configuration for enabling Mutual TLS (mTLS) cluster-wide in the `STRICT` mode
+- Information about Istio [VirtualService](https://istio.io/docs/reference/config/networking/virtual-service/), which indicates whether Istio is operational.

docs/release-notes/1.0.1.md

@@ -0,0 +1,5 @@
+
+## New features
+
+- Apply additional Kyma resources and configuration like Kyma Gateway, configure service-mesh traffic to only allow mTLS using PeerAuthentication, install Istio Grafana dashboards, and expose Istio availability endpoint with a Virtual Service [#334](https://github.com/kyma-project/istio/issues/334)
+

internal/clusterconfig/clusterconfig.go

@@ -26,7 +26,7 @@ const (
 	ProductionClusterCpuThreshold      int64 = 5
 	ProductionClusterMemoryThresholdGi int64 = 10
 
-	LocalKymaDomain = "*.local.kyma.dev"
+	LocalKymaDomain = "local.kyma.dev"
 )
 
 func (s ClusterSize) String() string {
@@ -160,7 +160,7 @@ func (f ClusterFlavour) clusterConfiguration(ctx context.Context, k8sClient clie
 					"gateways": map[string]interface{}{
 						"istio-ingressgateway": map[string]interface{}{
 							"serviceAnnotations": map[string]string{
-								"dns.gardener.cloud/dnsnames": LocalKymaDomain,
+								"dns.gardener.cloud/dnsnames": fmt.Sprintf("*.%s", LocalKymaDomain),
 							},
 						},
 					},
@@ -183,7 +183,7 @@ func (f ClusterFlavour) clusterConfiguration(ctx context.Context, k8sClient clie
 		}
 		return config, nil
 	case Gardener:
-		hostDomainName, err := getHostDomainName(ctx, k8sClient)
+		domainName, err := GetDomainName(ctx, k8sClient)
 		if err != nil {
 			return ClusterConfiguration{}, err
 		}
@@ -193,7 +193,7 @@ func (f ClusterFlavour) clusterConfiguration(ctx context.Context, k8sClient clie
 					"gateways": map[string]interface{}{
 						"istio-ingressgateway": map[string]interface{}{
 							"serviceAnnotations": map[string]string{
-								"dns.gardener.cloud/dnsnames": hostDomainName,
+								"dns.gardener.cloud/dnsnames": fmt.Sprintf("*.%s", domainName),
 							},
 						},
 					},
@@ -205,13 +205,13 @@ func (f ClusterFlavour) clusterConfiguration(ctx context.Context, k8sClient clie
 	return ClusterConfiguration{}, nil
 }
 
-func getHostDomainName(ctx context.Context, k8sClient client.Client) (string, error) {
+func GetDomainName(ctx context.Context, k8sClient client.Client) (string, error) {
 	cmShootInfo := corev1.ConfigMap{}
 	err := k8sClient.Get(ctx, types.NamespacedName{Namespace: ConfigMapShootInfoNS, Name: ConfigMapShootInfoName}, &cmShootInfo)
 	if err != nil {
 		return "", err
 	}
-	return fmt.Sprintf("*.%s", cmShootInfo.Data["domain"]), nil
+	return cmShootInfo.Data["domain"], nil
 }
 
 func MergeOverrides(template []byte, overrides ClusterConfiguration) ([]byte, error) {

internal/clusterconfig/clusterconfig_test.go

@@ -2,6 +2,7 @@ package clusterconfig_test
 
 import (
 	"context"
+	"fmt"
 
 	"k8s.io/apimachinery/pkg/api/resource"
 
@@ -55,7 +56,7 @@ var _ = Describe("EvaluateClusterConfiguration", func() {
 						"gateways": map[string]interface{}{
 							"istio-ingressgateway": map[string]interface{}{
 								"serviceAnnotations": map[string]string{
-									"dns.gardener.cloud/dnsnames": clusterconfig.LocalKymaDomain,
+									"dns.gardener.cloud/dnsnames": fmt.Sprintf("*.%s", clusterconfig.LocalKymaDomain),
 								},
 							},
 						},

internal/reconciliations/ingress_gateway/reconciliation.go

@@ -2,6 +2,7 @@ package ingress_gateway
 
 import (
 	"context"
+
 	"github.com/kyma-project/istio/operator/internal/described_errors"
 	"github.com/kyma-project/istio/operator/internal/filter"
 	"github.com/kyma-project/istio/operator/pkg/lib/annotations"
@@ -18,26 +19,29 @@ const (
 	deploymentName string = "istio-ingressgateway"
 )
 
-type Reconciliation interface {
-	Reconcile(ctx context.Context) described_errors.DescribedError
+type IngressGatewayReconciler struct {
+	client     client.Client
+	predicates []filter.IngressGatewayPredicate
 }
 
-type Reconciler struct {
-	Client     client.Client
-	Predicates []filter.IngressGatewayPredicate
+func NewReconciler(client client.Client, predicates []filter.IngressGatewayPredicate) *IngressGatewayReconciler {
+	return &IngressGatewayReconciler{
+		client:     client,
+		predicates: predicates,
+	}
 }
 
-func (r Reconciler) Reconcile(ctx context.Context) described_errors.DescribedError {
+func (r *IngressGatewayReconciler) Reconcile(ctx context.Context) described_errors.DescribedError {
 	ctrl.Log.Info("Reconciling Istio ingress gateway")
 
-	podList, err := getIngressGatewayPods(ctx, r.Client)
+	podList, err := getIngressGatewayPods(ctx, r.client)
 	if err != nil {
 		return described_errors.NewDescribedError(err, "Failed to get ingress gateway pods")
 	}
 
 	mustRestart := false
 
-	for _, predicate := range r.Predicates {
+	for _, predicate := range r.predicates {
 		evaluator, err := predicate.NewIngressGatewayEvaluator(ctx)
 		if err != nil {
 			return described_errors.NewDescribedError(err, "Cannot create evaluator")
@@ -55,7 +59,7 @@ func (r Reconciler) Reconcile(ctx context.Context) described_errors.DescribedErr
 	}
 
 	if mustRestart {
-		if err := RestartIngressGateway(ctx, r.Client); err != nil {
+		if err := RestartIngressGateway(ctx, r.client); err != nil {
 			return described_errors.NewDescribedError(err, "Failed to restart ingress gateway")
 		}
 	}

internal/reconciliations/istio/installation_test.go

@@ -30,13 +30,11 @@ import (
 )
 
 const (
-	istioVersion         string = "1.16.1"
-	istioImageBase       string = "distroless"
-	resourceListPath     string = "test/test_controlled_resource_list.yaml"
-	testKey              string = "key"
-	testValue            string = "value"
-	istioDisclaimerKey   string = "istios.operator.kyma-project.io/managed-by-disclaimer"
-	istioDisclaimerValue string = "DO NOT EDIT - This resource is managed by Kyma.\nAny modifications are discarded and the resource is reverted to the original state."
+	istioVersion     string = "1.16.1"
+	istioImageBase   string = "distroless"
+	resourceListPath string = "test/test_controlled_resource_list.yaml"
+	testKey          string = "key"
+	testValue        string = "value"
 )
 
 var istioTag = fmt.Sprintf("%s-%s", istioVersion, istioImageBase)
@@ -166,7 +164,7 @@ var _ = Describe("Installation reconciliation", func() {
 		Expect(ns.Labels).To(HaveKeyWithValue(testKey, testValue))
 		Expect(ns.Annotations).To(HaveKeyWithValue(testKey, testValue))
 		Expect(ns.Labels).To(HaveKeyWithValue("namespaces.warden.kyma-project.io/validate", "enabled"))
-		Expect(ns.Annotations).To(HaveKeyWithValue(istioDisclaimerKey, istioDisclaimerValue))
+		Expect(ns.Annotations).To(HaveKeyWithValue(istio.DisclaimerKey, istio.DisclaimerValue))
 	})
 
 	It("should fail if after install and update Istio pods do not match target version", func() {

internal/reconciliations/istio/namespace.go

@@ -2,6 +2,7 @@ package istio
 
 import (
 	"context"
+
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -11,8 +12,9 @@ const (
 	istioNamespace   = "istio-system"
 	wardenLabelKey   = "namespaces.warden.kyma-project.io/validate"
 	wardenLabelValue = "enabled"
-	disclaimerKey    = "istios.operator.kyma-project.io/managed-by-disclaimer"
-	disclaimerValue  = "DO NOT EDIT - This resource is managed by Kyma.\nAny modifications are discarded and the resource is reverted to the original state."
+
+	DisclaimerKey   = "istios.operator.kyma-project.io/managed-by-disclaimer"
+	DisclaimerValue = "DO NOT EDIT - This resource is managed by Kyma.\nAny modifications are discarded and the resource is reverted to the original state."
 )
 
 // addWardenValidationAndDisclaimer updates the Istio namespace
@@ -24,7 +26,7 @@ func addWardenValidationAndDisclaimer(ctx context.Context, kubeClient client.Cli
 		return err
 	}
 	patch := client.StrategicMergeFrom(ns.DeepCopy())
-	ns.Annotations = addToMap(ns.Annotations, disclaimerKey, disclaimerValue)
+	ns.Annotations = addToMap(ns.Annotations, DisclaimerKey, DisclaimerValue)
 	ns.Labels = addToMap(ns.Labels, wardenLabelKey, wardenLabelValue)
 
 	err = kubeClient.Patch(ctx, ns, patch)

internal/reconciliations/istio_resources/configmap_control_plane.go

@@ -0,0 +1,29 @@
+package istio_resources
+
+import (
+	"context"
+	_ "embed"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+)
+
+//go:embed configmap_control_plane.yaml
+var manifest_cm_control_plane []byte
+
+type ConfigMapControlPlane struct {
+	k8sClient client.Client
+}
+
+func NewConfigMapControlPlane(k8sClient client.Client) ConfigMapControlPlane {
+	return ConfigMapControlPlane{k8sClient: k8sClient}
+}
+
+func (ConfigMapControlPlane) apply(ctx context.Context, k8sClient client.Client, owner metav1.OwnerReference, _ map[string]string) (controllerutil.OperationResult, error) {
+	return applyResource(ctx, k8sClient, manifest_cm_control_plane, &owner)
+}
+
+func (ConfigMapControlPlane) Name() string {
+	return "ConfigMap/istio-control-plane-grafana-dashboard"
+}