add istio with kiali [ci skip]

2024-01-07 17:45:58 +00:00 · 2024-01-07 17:45:58 +00:00 · 757e598c4d
commit 757e598c4d
parent a1382cf46a
4 changed files with 797 additions and 0 deletions
--- a/modules/kubernetes/istio/base.yaml
+++ b/modules/kubernetes/istio/base.yaml
@ -0,0 +1,40 @@
 global:
  # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
  # to use for pulling any images in pods that reference this ServiceAccount.
  # Must be set for any cluster configured with private docker registry.
  imagePullSecrets: []
  # Used to locate istiod.
  istioNamespace: istio-system
  istiod:
    enableAnalysis: false
  configValidation: true
  externalIstiod: false
  remotePilotAddress: ""
  # Platform where Istio is deployed. Possible values are: "openshift", "gcp".
  # An empty value means it is a vanilla Kubernetes distribution, therefore no special
  # treatment will be considered.
  platform: ""
  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
  # This is intended only for use with external istiod.
  ipFamilyPolicy: ""
  ipFamilies: []
 base:
  # Used for helm2 to add the CRDs to templates.
  enableCRDTemplates: false
  # Validation webhook configuration url
  # For example: https://$remotePilotAddress:15017/validate
  validationURL: ""
  # For istioctl usage to disable istio config crds in base
  enableIstioConfigCRDs: true
 defaultRevision: "default"
--- a/modules/kubernetes/istio/istiod.yaml
+++ b/modules/kubernetes/istio/istiod.yaml
@ -0,0 +1,520 @@
 #.Values.pilot for discovery and mesh wide config
 ## Discovery Settings
 pilot:
  autoscaleEnabled: true
  autoscaleMin: 1
  autoscaleMax: 5
  autoscaleBehavior: {}
  replicaCount: 1
  rollingMaxSurge: 100%
  rollingMaxUnavailable: 25%
  hub: ""
  tag: ""
  variant: ""
  # Can be a full hub/image:tag
  image: pilot
  traceSampling: 1.0
  # Resources for a small pilot install
  resources:
    requests:
      cpu: 500m
      memory: 2048Mi
  # Set to `type: RuntimeDefault` to use the default profile if available.
  seccompProfile: {}
  # Additional container arguments
  extraContainerArgs: []
  env: {}
  cpu:
    targetAverageUtilization: 80
  # Additional volumeMounts to the istiod container
  volumeMounts: []
  # Additional volumes to the istiod pod
  volumes: []
  nodeSelector: {}
  podAnnotations: {}
  serviceAnnotations: {}
  topologySpreadConstraints: []
  # You can use jwksResolverExtraRootCA to provide a root certificate
  # in PEM format. This will then be trusted by pilot when resolving
  # JWKS URIs.
  jwksResolverExtraRootCA: ""
  # This is used to set the source of configuration for
  # the associated address in configSource, if nothing is specified
  # the default MCP is assumed.
  configSource:
    subscribedResources: []
  plugins: []
  # The following is used to limit how long a sidecar can be connected
  # to a pilot. It balances out load across pilot instances at the cost of
  # increasing system churn.
  keepaliveMaxServerConnectionAge: 30m
  # Additional labels to apply to the deployment.
  deploymentLabels: {}
  ## Mesh config settings
  # Install the mesh config map, generated from values.yaml.
  # If false, pilot wil use default values (by default) or user-supplied values.
  configMap: true
  # Additional labels to apply on the pod level for monitoring and logging configuration.
  podLabels: {}
  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
  ipFamilyPolicy: ""
  ipFamilies: []
 sidecarInjectorWebhook:
  # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
  # always skip the injection on pods that match that label selector, regardless of the global policy.
  # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
  neverInjectSelector: []
  alwaysInjectSelector: []
  # injectedAnnotations are additional annotations that will be added to the pod spec after injection
  # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
  #
  # annotations:
  #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
  #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
  #
  # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
  # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
  # injectedAnnotations:
  #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
  #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
  injectedAnnotations: {}
  # This enables injection of sidecar in all namespaces,
  # with the exception of namespaces with "istio-injection:disabled" annotation
  # Only one environment should have this enabled.
  enableNamespacesByDefault: false
  # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
  # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
  # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
  reinvocationPolicy: Never
  rewriteAppHTTPProbe: true
  # Templates defines a set of custom injection templates that can be used. For example, defining:
  #
  # templates:
  #   hello: |
  #     metadata:
  #       labels:
  #         hello: world
  #
  # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
  # being injected with the hello=world labels.
  # This is intended for advanced configuration only; most users should use the built in template
  templates: {}
  # Default templates specifies a set of default templates that are used in sidecar injection.
  # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
  # To inject other additional templates, define it using the `templates` option, and add it to
  # the default templates list.
  # For example:
  #
  # templates:
  #   hello: |
  #     metadata:
  #       labels:
  #         hello: world
  #
  # defaultTemplates: ["sidecar", "hello"]
  defaultTemplates: []
 istiodRemote:
  # Sidecar injector mutating webhook configuration clientConfig.url value.
  # For example: https://$remotePilotAddress:15017/inject
  # The host should not refer to a service running in the cluster; use a service reference by specifying
  # the clientConfig.service field instead.
  injectionURL: ""
  # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
  # Override to pass env variables, for example: /inject/cluster/remote/net/network2
  injectionPath: "/inject"
 telemetry:
  enabled: true
  v2:
    # For Null VM case now.
    # This also enables metadata exchange.
    enabled: true
    metadataExchange:
      # Indicates whether to enable WebAssembly runtime for metadata exchange filter.
      wasmEnabled: false
    # Indicate if prometheus stats filter is enabled or not
    prometheus:
      enabled: true
      # Indicates whether to enable WebAssembly runtime for stats filter.
      wasmEnabled: false
      # overrides stats EnvoyFilter configuration.
      configOverride:
        gateway: {}
        inboundSidecar: {}
        outboundSidecar: {}
    # stackdriver filter settings.
    stackdriver:
      enabled: false
      logging: false
      monitoring: false
      topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported.
      disableOutbound: false
      #  configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
      configOverride: {}
      #  e.g.
      #  disable_server_access_logging: false
      #  disable_host_header_fallback: true
    # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
    accessLogPolicy:
      enabled: false
      # To reduce the number of successful logs, default log window duration is
      # set to 12 hours.
      logWindowDuration: "43200s"
 # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
 revision: ""
 # Revision tags are aliases to Istio control plane revisions
 revisionTags: []
 # For Helm compatibility.
 ownerName: ""
 # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
 # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
 meshConfig:
  enablePrometheusMerge: true
 global:
  # Used to locate istiod.
  istioNamespace: istio-system
  # List of cert-signers to allow "approve" action in the istio cluster role
  #
  # certSigners:
  #   - clusterissuers.cert-manager.io/istio-ca
  certSigners: []
  # enable pod disruption budget for the control plane, which is used to
  # ensure Istio control plane components are gradually upgraded or recovered.
  defaultPodDisruptionBudget:
    enabled: true
    # The values aren't mutable due to a current PodDisruptionBudget limitation
    # minAvailable: 1
  # A minimal set of requested resources to applied to all deployments so that
  # Horizontal Pod Autoscaler will be able to function (if set).
  # Each component can overwrite these default values by adding its own resources
  # block in the relevant section below and setting the desired resources values.
  defaultResources:
    requests:
      cpu: 10m
    #   memory: 128Mi
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
  # Default hub for Istio images.
  # Releases are published to docker hub under 'istio' project.
  # Dev builds from prow are on gcr.io
  hub: docker.io/istio
  # Default tag for Istio images.
  tag: 1.20.1
  # Variant of the image to use.
  # Currently supported are: [debug, distroless]
  variant: ""
  # Specify image pull policy if default behavior isn't desired.
  # Default behavior: latest images will be Always else IfNotPresent.
  imagePullPolicy: ""
  # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
  # to use for pulling any images in pods that reference this ServiceAccount.
  # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
  # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
  # Must be set for any cluster configured with private docker registry.
  imagePullSecrets: []
  # - private-registry-key
  # Enabled by default in master for maximising testing.
  istiod:
    enableAnalysis: false
  # To output all istio components logs in json format by adding --log_as_json argument to each container argument
  logAsJson: false
  # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
  # The control plane has different scopes depending on component, but can configure default log level across all components
  # If empty, default scope and level will be used as configured in code
  logging:
    level: "default:info"
  omitSidecarInjectorConfigMap: false
  # Whether to restrict the applications namespace the controller manages;
  # If not set, controller watches all namespaces
  oneNamespace: false
  # Configure whether Operator manages webhook configurations. The current behavior
  # of Istiod is to manage its own webhook configurations.
  # When this option is set as true, Istio Operator, instead of webhooks, manages the
  # webhook configurations. When this option is set as false, webhooks manage their
  # own webhook configurations.
  operatorManageWebhooks: false
  # Custom DNS config for the pod to resolve names of services in other
  # clusters. Use this to add additional search domains, and other settings.
  # see
  # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
  # This does not apply to gateway pods as they typically need a different
  # set of DNS settings than the normal application pods (e.g., in
  # multicluster scenarios).
  # NOTE: If using templates, follow the pattern in the commented example below.
  #podDNSSearchNamespaces:
  #- global
  #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
  # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
  # system-node-critical, it is better to configure this in order to make sure your Istio pods
  # will not be killed because of low priority class.
  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  # for more detail.
  priorityClassName: ""
  proxy:
    image: proxyv2
    # This controls the 'policy' in the sidecar injector.
    autoInject: enabled
    # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
    # cluster domain. Default value is "cluster.local".
    clusterDomain: "cluster.local"
    # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
    # not set, then the global "logLevel" will be used.
    componentLogLevel: "misc:error"
    # If set, newly injected sidecars will have core dumps enabled.
    enableCoreDump: false
    # istio ingress capture allowlist
    # examples:
    #     Redirect only selected ports:            --includeInboundPorts="80,8080"
    excludeInboundPorts: ""
    includeInboundPorts: "*"
    # istio egress capture allowlist
    # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
    # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
    # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
    # be allowed by the sidecar
    includeIPRanges: "*"
    excludeIPRanges: ""
    includeOutboundPorts: ""
    excludeOutboundPorts: ""
    # Log level for proxy, applies to gateways and sidecars.
    # Expected values are: trace|debug|info|warning|error|critical|off
    logLevel: warning
    #If set to true, istio-proxy container will have privileged securityContext
    privileged: false
    # The number of successive failed probes before indicating readiness failure.
    readinessFailureThreshold: 4
    # The initial delay for readiness probes in seconds.
    readinessInitialDelaySeconds: 0
    # The period between readiness probes.
    readinessPeriodSeconds: 15
    # Enables or disables a startup probe.
    # For optimal startup times, changing this should be tied to the readiness probe values.
    #
    # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
    # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
    # and doesn't spam the readiness endpoint too much
    #
    # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
    # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
    startupProbe:
      enabled: true
      failureThreshold: 600 # 10 minutes
    # Resources for the sidecar.
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi
    # Default port for Pilot agent health checks. A value of 0 will disable health checking.
    statusPort: 15020
    # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
    # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
    tracer: "zipkin"
  proxy_init:
    # Base name for the proxy_init container, used to configure iptables.
    image: proxyv2
  # configure remote pilot and istiod service and endpoint
  remotePilotAddress: ""
  ##############################################################################################
  # The following values are found in other charts. To effectively modify these values, make   #
  # make sure they are consistent across your Istio helm charts                                #
  ##############################################################################################
  # The customized CA address to retrieve certificates for the pods in the cluster.
  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
  # If not set explicitly, default to the Istio discovery address.
  caAddress: ""
  # Configure a remote cluster data plane controlled by an external istiod.
  # When set to true, istiod is not deployed locally and only a subset of the other
  # discovery charts are enabled.
  externalIstiod: false
  # Configure a remote cluster as the config cluster for an external istiod.
  configCluster: false
  # Configure the policy for validating JWT.
  # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
  jwtPolicy: "third-party-jwt"
  # Mesh ID means Mesh Identifier. It should be unique within the scope where
  # meshes will interact with each other, but it is not required to be
  # globally/universally unique. For example, if any of the following are true,
  # then two meshes must have different Mesh IDs:
  # - Meshes will have their telemetry aggregated in one place
  # - Meshes will be federated together
  # - Policy will be written referencing one mesh from the other
  #
  # If an administrator expects that any of these conditions may become true in
  # the future, they should ensure their meshes have different Mesh IDs
  # assigned.
  #
  # Within a multicluster mesh, each cluster must be (manually or auto)
  # configured to have the same Mesh ID value. If an existing cluster 'joins' a
  # multicluster mesh, it will need to be migrated to the new mesh ID. Details
  # of migration TBD, and it may be a disruptive operation to change the Mesh
  # ID post-install.
  #
  # If the mesh admin does not specify a value, Istio will use the value of the
  # mesh's Trust Domain. The best practice is to select a proper Trust Domain
  # value.
  meshID: ""
  # Configure the mesh networks to be used by the Split Horizon EDS.
  #
  # The following example defines two networks with different endpoints association methods.
  # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
  # mapped to network1. The gateway for this network example is specified by its public IP
  # address and port.
  # The second network, `network2`, in this example is defined differently with all endpoints
  # retrieved through the specified Multi-Cluster registry being mapped to network2. The
  # gateway is also defined differently with the name of the gateway service on the remote
  # cluster. The public IP for the gateway will be determined from that remote service (only
  # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
  # it still need to be configured manually).
  #
  # meshNetworks:
  #   network1:
  #     endpoints:
  #     - fromCidr: "192.168.0.1/24"
  #     gateways:
  #     - address: 1.1.1.1
  #       port: 80
  #   network2:
  #     endpoints:
  #     - fromRegistry: reg1
  #     gateways:
  #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
  #       port: 443
  #
  meshNetworks: {}
  # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
  mountMtlsCerts: false
  multiCluster:
    # Set to true to connect two kubernetes clusters via their respective
    # ingressgateway services when pods in each cluster cannot directly
    # talk to one another. All clusters should be using Istio mTLS and must
    # have a shared root CA for this model to work.
    enabled: false
    # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
    # to properly label proxies
    clusterName: ""
  # Network defines the network this cluster belong to. This name
  # corresponds to the networks in the map of mesh networks.
  network: ""
  # Configure the certificate provider for control plane communication.
  # Currently, two providers are supported: "kubernetes" and "istiod".
  # As some platforms may not have kubernetes signing APIs,
  # Istiod is the default
  pilotCertProvider: istiod
  sds:
    # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
    # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
    # JWT is intended for the CA.
    token:
      aud: istio-ca
  sts:
    # The service port used by Security Token Service (STS) server to handle token exchange requests.
    # Setting this port to a non-zero value enables STS server.
    servicePort: 0
  # The name of the CA for workload certificates.
  # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
  # will be used as the certificates for workloads.
  # The default value is "" and when caName="", the CA will be configured by other
  # mechanisms (e.g., environmental variable CA_PROVIDER).
  caName: ""
  # whether to use autoscaling/v2 template for HPA settings
  # for internal usage only, not to be configured by users.
  autoscalingv2API: true
 base:
  # For istioctl usage to disable istio config crds in base
  enableIstioConfigCRDs: true
  # If enabled, gateway-api types will be validated using the standard upstream validation logic.
  # This is an alternative to deploying the standalone validation server the project provides.
  # This is disabled by default, as the cluster may already have a validation server; while technically
  # it works to have multiple redundant validations, this adds complexity and operational risks.
  # Users should consider enabling this if they want full gateway-api validation but don't have other validation servers.
  validateGateway: false
 # keep in sync with settings used when installing the Istio CNI chart
 istio_cni:
  enabled: false
  chained: true
--- a/modules/kubernetes/istio/kiali.yaml
+++ b/modules/kubernetes/istio/kiali.yaml
@ -0,0 +1,122 @@
 nameOverride: ""
 fullnameOverride: ""
 image: # see: https://quay.io/repository/kiali/kiali-operator?tab=tags
  repo: quay.io/kiali/kiali-operator # quay.io/kiali/kiali-operator
  tag: v1.78.0 # version string like v1.39.0 or a digest hash
  digest: "" # use "sha256" if tag is a sha256 hash (do NOT prefix this value with a "@")
  pullPolicy: Always
  pullSecrets: []
 # Deployment options for the operator pod.
 nodeSelector: {}
 podAnnotations: {}
 podLabels: {}
 env: []
 tolerations: []
 resources:
  requests:
    cpu: "10m"
    memory: "64Mi"
 affinity: {}
 replicaCount: 1
 priorityClassName: ""
 securityContext: {}
 # metrics.enabled: set to true if you want Prometheus to collect metrics from the operator
 metrics:
  enabled: true
 # debug.enabled: when true the full ansible logs are dumped after each reconciliation run
 # debug.verbosity: defines the amount of details the operator will log (higher numbers are more noisy)
 # debug.enableProfiler: when true (regardless of debug.enabled), timings for the most expensive tasks will be logged after each reconciliation loop
 debug:
  enabled: true
  verbosity: "1"
  enableProfiler: false
 # Defines where the operator will look for Kial CR resources. "" means "all namespaces".
 watchNamespace: ""
 # Set to true if you want the operator to be able to create cluster roles. This is necessary
 # if you want to support Kiali CRs with spec.deployment.accessible_namespaces of '**'.
 # Setting this to "true" requires allowAllAccessibleNamespaces to be "true" also.
 # Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**'].
 clusterRoleCreator: true
 # Set to a list of secrets in the cluster that the operator will be allowed to read. This is necessary if you want to
 # support Kiali CRs with spec.kiali_feature_flags.certificates_information_indicators.enabled=true.
 # The secrets in this list will be the only ones allowed to be specified in any Kiali CR (in the setting
 # spec.kiali_feature_flags.certificates_information_indicators.secrets).
 # If you set this to an empty list, the operator will not be given permission to read any additional secrets
 # found in the cluster, and thus will only support a value of "false" in the Kiali CR setting
 # spec.kiali_feature_flags.certificates_information_indicators.enabled.
 secretReader: ["cacerts", "istio-ca-secret"]
 # Set to true if you want to allow the operator to only be able to install Kiali in view-only-mode.
 # The purpose for this setting is to allow you to restrict the permissions given to the operator itself.
 onlyViewOnlyMode: false
 # allowAdHocKialiNamespace tells the operator to allow a user to be able to install a Kiali CR in one namespace but
 # be able to install Kiali in another namespace. In other words, it will allow the Kiali CR spec.deployment.namespace
 # to be something other than the namespace where the CR is installed. You may want to disable this if you are
 # running in a multi-tenant scenario in which you only want a user to be able to install Kiali in the same namespace
 # where the user has permissions to install a Kiali CR.
 allowAdHocKialiNamespace: true
 # allowAdHocKialiImage tells the operator to allow a user to be able to install a custom Kiali image as opposed
 # to the image the operator will install by default. In other words, it will allow the
 # Kiali CR spec.deployment.image_name and spec.deployment.image_version to be configured by the user.
 # You may want to disable this if you do not want users to install their own Kiali images.
 allowAdHocKialiImage: false
 # allowAdHocOSSMConsoleImage tells the operator to allow a user to be able to install a custom OSSMC image as opposed
 # to the image the operator will install by default. In other words, it will allow the
 # OSSMConsole CR spec.deployment.imageName and spec.deployment.imageVersion to be configured by the user.
 # You may want to disable this if you do not want users to install their own OSSMC images.
 # This is only applicable when running on OpenShift.
 allowAdHocOSSMConsoleImage: false
 # allowSecurityContextOverride tells the operator to allow a user to be able to fully override the Kiali
 # container securityContext. If this is false, certain securityContext settings must exist on the Kiali
 # container and any attempt to override them will be ignored.
 allowSecurityContextOverride: false
 # allowAllAccessibleNamespaces tells the operator to allow a user to be able to configure Kiali
 # to access all namespaces in the cluster via spec.deployment.accessible_namespaces=['**'].
 # If this is false, the user must specify an explicit list of namespaces in the Kiali CR.
 # Setting this to "true" requires clusterRoleCreator to be "true" also.
 # Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**'].
 allowAllAccessibleNamespaces: true
 # accessibleNamespacesLabel restricts the namespaces that a user can add to the Kiali CR spec.deployment.accessible_namespaces.
 # This value is either an empty string (which disables this feature) or a label name with an optional label value
 # (e.g. "mylabel" or "mylabel=myvalue"). Only namespaces that have that label will be permitted in
 # spec.deployment.accessible_namespaces. Any namespace not labeled properly but specified in accessible_namespaces will cause
 # the operator to abort the Kiali installation.
 # If just a label name (but no label value) is specified, the label value the operator will look for is the value of
 # the Kiali CR's spec.istio_namespace. In other words, the operator will look for the named label whose value must be the name
 # of the Istio control plane namespace (which is typically, but not necessarily, "istio-system").
 accessibleNamespacesLabel: ""
 # For what a Kiali CR spec can look like, see:
 # https://github.com/kiali/kiali-operator/blob/master/deploy/kiali/kiali_cr.yaml
 cr:
  create: false
  name: kiali
  # If you elect to create a Kiali CR (--set cr.create=true)
  # and the operator is watching all namespaces (--set watchNamespace="")
  # then this is the namespace where the CR will be created (the default will be the operator namespace).
  namespace: ""
  # Annotations to place in the Kiali CR metadata.
  annotations: {}
  spec:
    deployment:
      accessible_namespaces:
        - "**"
    external_services:
      prometheus:
        # Prometheus service name is "metrics" and is in the "telemetry" namespace
        url: "http://prometheus-server.monitoring:80/"
--- a/modules/kubernetes/istio/main.tf
+++ b/modules/kubernetes/istio/main.tf
@ -0,0 +1,115 @@
 variable "tls_secret_name" {}
 resource "kubernetes_namespace" "istio" {
  metadata {
    name = "istio-system"
  }
 }
 module "tls_secret" {
  source          = "../setup_tls_secret"
  namespace       = "istio-system"
  tls_secret_name = var.tls_secret_name
 }
 # to delete all CRDS: kubectl get crd -oname | grep --color=never 'istio.io' | xargs kubectl delete
 resource "helm_release" "istio-base" {
  namespace        = "istio-system"
  create_namespace = false
  name             = "istio-base"
  atomic           = true
  repository = "https://istio-release.storage.googleapis.com/charts"
  chart      = "base"
  depends_on = [kubernetes_namespace.istio]
 }
 resource "helm_release" "istiod" {
  namespace        = "istio-system"
  create_namespace = false
  name             = "istiod"
  atomic           = true
  repository = "https://istio-release.storage.googleapis.com/charts"
  chart      = "istiod"
  depends_on = [kubernetes_namespace.istio]
 }
 resource "helm_release" "istio-gateway" {
  namespace        = "istio-system"
  create_namespace = false
  name             = "istio-gateway"
  atomic           = true
  repository = "https://istio-release.storage.googleapis.com/charts"
  chart      = "gateway"
  depends_on = [kubernetes_namespace.istio]
 }
 # Kiali dashboard
 resource "helm_release" "kiali" {
  namespace        = "istio-system"
  create_namespace = false
  name             = "kiali"
  atomic           = true
  repository = "https://kiali.org/helm-charts"
  chart      = "kiali-operator"
  set {
    name  = "cr.create"
    value = "true"
  }
  set {
    name  = "cr.namespace"
    value = "istio-system"
  }
  values = [templatefile("${path.module}/kiali.yaml", {})]
  depends_on = [kubernetes_namespace.istio]
 }
 resource "kubernetes_secret" "kiali-token" {
  metadata {
    name      = "kiali-secret"
    namespace = "istio-system"
    annotations = {
      "kubernetes.io/service-account.name" : "kiali-service-account"
    }
  }
  type = "kubernetes.io/service-account-token"
 }
 resource "kubernetes_ingress_v1" "kiali" {
  metadata {
    name      = "kiali"
    namespace = "istio-system"
    annotations = {
      "kubernetes.io/ingress.class" = "nginx"
      "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
      "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
    }
  }
  spec {
    tls {
      hosts       = ["kiali.viktorbarzin.me"]
      secret_name = var.tls_secret_name
    }
    rule {
      host = "kiali.viktorbarzin.me"
      http {
        path {
          path = "/"
          backend {
            service {
              name = "kiali"
              port {
                number = 20001
              }
            }
          }
        }
      }
    }
  }
 }