update charts
diff --git a/charts/k8s-gerrit/istio/README.md b/charts/k8s-gerrit/istio/README.md
new file mode 100644
index 0000000..2f03490
--- /dev/null
+++ b/charts/k8s-gerrit/istio/README.md
@@ -0,0 +1,25 @@
+# Istio for Gerrit
+
+## Configuring istio
+
+It is recommended to set a static IP to be used by the LoadBalancer service
+deployed by istio. To do that set
+`spec.components.ingressGateways[0].k8s.overlays[0].patches[0].value`, which is
+commented out by default, which causes the use of an ephemeral IP.
+
+## Installing istio
+
+Create the `istio-system`-namespace:
+
+```sh
+kubectl apply -f ./istio/istio-system-namespace.yaml
+```
+
+Verify that your istioctl version (`istioctl version`) matches the version in
+`istio/gerrit.profile.yaml` under `spec.tag`.
+
+Install istio:
+
+```sh
+istioctl install -f istio/gerrit.profile.yaml
+```
diff --git a/charts/k8s-gerrit/istio/gerrit.profile.yaml b/charts/k8s-gerrit/istio/gerrit.profile.yaml
new file mode 100644
index 0000000..d81dea6
--- /dev/null
+++ b/charts/k8s-gerrit/istio/gerrit.profile.yaml
@@ -0,0 +1,312 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ base:
+ enabled: true
+ cni:
+ enabled: false
+ egressGateways:
+ - enabled: false
+ k8s:
+ env:
+ - name: ISTIO_META_ROUTER_MODE
+ value: standard
+ hpaSpec:
+ maxReplicas: 5
+ metrics:
+ - resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 80
+ type: Resource
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: istio-egressgateway
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ service:
+ ports:
+ - name: http2
+ port: 80
+ protocol: TCP
+ targetPort: 8080
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 8443
+ - name: tls
+ port: 15443
+ protocol: TCP
+ targetPort: 15443
+ strategy:
+ rollingUpdate:
+ maxSurge: 100%
+ maxUnavailable: 25%
+ name: istio-egressgateway
+ ingressGateways:
+ - enabled: true
+ k8s:
+ env:
+ - name: ISTIO_META_ROUTER_MODE
+ value: standard
+ hpaSpec:
+ maxReplicas: 5
+ metrics:
+ - resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 80
+ type: Resource
+ minReplicas: 5
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: istio-ingressgateway
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ service:
+ ports:
+ - name: status-port
+ port: 15021
+ protocol: TCP
+ targetPort: 15021
+ - name: http2
+ port: 80
+ protocol: TCP
+ targetPort: 8080
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 8443
+ - name: tcp-istiod
+ port: 15012
+ protocol: TCP
+ targetPort: 15012
+ # - name: tls
+ # port: 15443
+ # protocol: TCP
+ # targetPort: 15443
+ - name: ssh
+ port: 29418
+ protocol: TCP
+ targetPort: 29418
+ strategy:
+ rollingUpdate:
+ maxSurge: 100%
+ maxUnavailable: 25%
+ overlays:
+ - kind: Service
+ name: istio-ingressgateway
+ patches:
+ - path: spec.loadBalancerIP
+ # TO_BE_CHANGED: Change IP
+ #value: xxx.xxx.xxx.xxx
+ - path: spec.loadBalancerSourceRanges
+ # TO_BE_CHANGED: Change IP-Range to whitelist
+ # value:
+ # - 0.0.0.0/32
+ - path: metadata.annotations
+ # TO_BE_CHANGED: Annotations to be set in the service, e.g. to
+ # configure automated DNS and certificate management in Gardener
+ # value:
+ # dns.gardener.cloud/dnsnames: '*.example.com'
+ # dns.gardener.cloud/class: garden
+ # dns.gardener.cloud/ttl: "600"
+ # cert.gardener.cloud/commonName: '*.example.com'
+ # cert.gardener.cloud/purpose: managed
+ # cert.gardener.cloud/secretname: tls-secret
+ name: istio-ingressgateway
+ istiodRemote:
+ enabled: false
+ pilot:
+ enabled: true
+ k8s:
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ hpaSpec:
+ minReplicas: 2
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 8080
+ initialDelaySeconds: 1
+ periodSeconds: 3
+ timeoutSeconds: 5
+ strategy:
+ rollingUpdate:
+ maxSurge: 100%
+ maxUnavailable: 50%
+ hub: docker.io/istio
+ meshConfig:
+ accessLogFile: /dev/stdout
+ defaultConfig:
+ proxyMetadata: {}
+ enablePrometheusMerge: true
+ profile: default
+ tag: 1.16.0
+ values:
+ base:
+ enableCRDTemplates: false
+ validationURL: ""
+ gateways:
+ istio-egressgateway:
+ autoscaleEnabled: true
+ env: {}
+ name: istio-egressgateway
+ secretVolumes:
+ - mountPath: /etc/istio/egressgateway-certs
+ name: egressgateway-certs
+ secretName: istio-egressgateway-certs
+ - mountPath: /etc/istio/egressgateway-ca-certs
+ name: egressgateway-ca-certs
+ secretName: istio-egressgateway-ca-certs
+ type: ClusterIP
+ istio-ingressgateway:
+ autoscaleEnabled: true
+ env: {}
+ name: istio-ingressgateway
+ secretVolumes:
+ - mountPath: /etc/istio/ingressgateway-certs
+ name: ingressgateway-certs
+ secretName: istio-ingressgateway-certs
+ - mountPath: /etc/istio/ingressgateway-ca-certs
+ name: ingressgateway-ca-certs
+ secretName: istio-ingressgateway-ca-certs
+ type: LoadBalancer
+ global:
+ configValidation: true
+ defaultNodeSelector: {}
+ defaultPodDisruptionBudget:
+ enabled: true
+ defaultResources:
+ requests:
+ cpu: 10m
+ imagePullPolicy: ""
+ imagePullSecrets: []
+ istioNamespace: istio-system
+ istiod:
+ enableAnalysis: false
+ jwtPolicy: third-party-jwt
+ logAsJson: false
+ logging:
+ level: default:info
+ meshNetworks: {}
+ mountMtlsCerts: false
+ multiCluster:
+ clusterName: ""
+ enabled: false
+ network: ""
+ omitSidecarInjectorConfigMap: false
+ oneNamespace: false
+ operatorManageWebhooks: false
+ pilotCertProvider: istiod
+ priorityClassName: ""
+ proxy:
+ autoInject: enabled
+ clusterDomain: cluster.local
+ componentLogLevel: misc:error
+ enableCoreDump: false
+ excludeIPRanges: ""
+ excludeInboundPorts: ""
+ excludeOutboundPorts: ""
+ image: proxyv2
+ includeIPRanges: '*'
+ # Use this value, if more detailed logging output is needed, e.g. for
+ # debugging.
+ logLevel: warning
+ privileged: false
+ readinessFailureThreshold: 30
+ readinessInitialDelaySeconds: 1
+ readinessPeriodSeconds: 2
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ statusPort: 15020
+ tracer: zipkin
+ proxy_init:
+ image: proxyv2
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
+ sds:
+ token:
+ aud: istio-ca
+ sts:
+ servicePort: 0
+ tracer:
+ datadog: {}
+ lightstep: {}
+ stackdriver: {}
+ zipkin: {}
+ useMCP: false
+ istiodRemote:
+ injectionURL: ""
+ pilot:
+ autoscaleEnabled: true
+ autoscaleMax: 5
+ autoscaleMin: 2
+ configMap: true
+ cpu:
+ targetAverageUtilization: 80
+ enableProtocolSniffingForInbound: true
+ enableProtocolSniffingForOutbound: true
+ env: {}
+ image: pilot
+ keepaliveMaxServerConnectionAge: 24h
+ nodeSelector: {}
+ podLabels: {}
+ replicaCount: 1
+ traceSampling: 1
+ sidecarInjectorWebhook:
+ enableNamespacesByDefault: false
+ objectSelector:
+ autoInject: true
+ enabled: false
+ rewriteAppHTTPProbe: true
+ telemetry:
+ enabled: true
+ v2:
+ enabled: true
+ metadataExchange:
+ wasmEnabled: false
+ prometheus:
+ enabled: true
+ wasmEnabled: false
+ stackdriver:
+ configOverride: {}
+ enabled: false
+ logging: false
+ monitoring: false
+ topology: false
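Review bot: The ingress gateway is a `type: LoadBalancer` Service and the `spec.loadBalancerSourceRanges` patch under `overlays` ships with its `value` commented out, so as committed nothing in this profile limits which source addresses reach the published ports, including `ssh` 29418 and `tcp-istiod` 15012. Port 15012 forwards to istiod's control-plane endpoint and is normally only published on a gateway for multi-cluster or VM workloads, while this profile sets `multiCluster.enabled: false`; unless something outside this diff needs it, I would drop that port entry or add a comment saying why it is exposed. For the source ranges I would make the requirement explicit with a comment such as `# REQUIRED before install: without a value this patch restricts nothing and the gateway accepts traffic from any source`, and mention it in the README next to the static-IP step. The three patches that carry a `path` but no `value` are also worth checking against istioctl 1.16.0, since an empty-value patch may be treated as a delete of that path rather than being skipped.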
diff --git a/charts/k8s-gerrit/istio/istio-system-namespace.yaml b/charts/k8s-gerrit/istio/istio-system-namespace.yaml
new file mode 100644
index 0000000..f394e91
--- /dev/null
+++ b/charts/k8s-gerrit/istio/istio-system-namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-system
diff --git a/charts/k8s-gerrit/istio/namespace.yaml b/charts/k8s-gerrit/istio/namespace.yaml
new file mode 100644
index 0000000..6e9fb38
--- /dev/null
+++ b/charts/k8s-gerrit/istio/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gerrit-replica
+ labels:
+ istio-injection: enabled