Update istio-init to manage istio CRDs

charts/rancher-istio/0.0.2/Chart.yaml

 apiVersion: v1
 name: rancher-istio
-version: 0.0.1
+version: 0.0.2
 appVersion: 1.2.0
 tillerVersion: ">=2.7.2-0"
 description: Helm chart for all istio components

charts/rancher-istio/0.0.2/charts/istio-init/templates/clusterrole.yaml

@@ -8,4 +8,4 @@ metadata:
 rules:
 - apiGroups: ["apiextensions.k8s.io"]
   resources: ["customresourcedefinitions"]
-  verbs: ["create", "get", "list", "watch", "patch"]
+  verbs: ["create", "get", "list", "watch", "patch", "delete"]

charts/rancher-istio/0.0.2/charts/istio-init/templates/job-crd-10.yaml

@@ -12,7 +12,7 @@ spec:
       serviceAccountName: istio-init-service-account
       containers:
       - name: istio-init-crd-10
-        image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
         imagePullPolicy: {{ .Values.global.imagePullPolicy }}
         volumeMounts:
         - name: crd-10
@@ -24,3 +24,37 @@ spec:
         configMap:
           name: istio-crd-10
       restartPolicy: OnFailure
+
+{{- if .Values.deleteCRDs }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: istio-init-delete-crd-10
+  annotations:
+    "helm.sh/hook": "pre-delete"
+    "helm.sh/hook-delete-policy": "hook-succeeded, before-hook-creation"
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+    spec:
+      serviceAccountName: istio-init-service-account
+      containers:
+      - name: istio-init-crd-10
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        volumeMounts:
+        - name: crd-10
+          mountPath: /etc/istio/crd-10
+          readOnly: true
+        command: ["kubectl",  "delete", "-f", "/etc/istio/crd-10/crd-10.yaml"]
+      volumes:
+      - name: crd-10
+        configMap:
+          name: istio-crd-10
+      restartPolicy: Never
+  backoffLimit: 4
+{{- end }}
\ No newline at end of file

charts/rancher-istio/0.0.2/charts/istio-init/templates/job-crd-11.yaml

@@ -12,7 +12,7 @@ spec:
       serviceAccountName: istio-init-service-account
       containers:
       - name: istio-init-crd-11
-        image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
         imagePullPolicy: {{ .Values.global.imagePullPolicy }}
         volumeMounts:
         - name: crd-11

charts/rancher-istio/0.0.2/charts/istio-init/templates/job-crd-12.yaml

@@ -12,7 +12,7 @@ spec:
       serviceAccountName: istio-init-service-account
       containers:
         - name: istio-init-crd-12
-          image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+          image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
           imagePullPolicy: {{ .Values.global.imagePullPolicy }}
           volumeMounts:
             - name: crd-12
@@ -24,3 +24,37 @@ spec:
           configMap:
             name: istio-crd-12
       restartPolicy: OnFailure
+
+{{- if .Values.deleteCRDs }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: istio-init-delete-crd-12
+  annotations:
+    "helm.sh/hook": "pre-delete"
+    "helm.sh/hook-delete-policy": "hook-succeeded, before-hook-creation"
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+    spec:
+      serviceAccountName: istio-init-service-account
+      containers:
+      - name: istio-init-crd-12
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        volumeMounts:
+        - name: crd-12
+          mountPath: /etc/istio/crd-12
+          readOnly: true
+        command: ["kubectl",  "delete", "-f", "/etc/istio/crd-12/crd-12.yaml"]
+      volumes:
+      - name: crd-12
+        configMap:
+          name: istio-crd-12
+      restartPolicy: Never
+  backoffLimit: 4
+{{- end }}

charts/rancher-istio/0.0.2/charts/istio-init/templates/job-crd-certmanager-10.yaml

@@ -13,7 +13,7 @@ spec:
       serviceAccountName: istio-init-service-account
       containers:
       - name: istio-init-crd-certmanager-10
-        image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
         imagePullPolicy: {{ .Values.global.imagePullPolicy }}
         volumeMounts:
         - name: crd-certmanager-10
@@ -25,4 +25,39 @@ spec:
         configMap:
           name: istio-crd-certmanager-10
       restartPolicy: OnFailure
+
+{{- if .Values.deleteCRDs }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: istio-init-delete-crd-certmanager-10
+  annotations:
+    "helm.sh/hook": "pre-delete"
+    "helm.sh/hook-delete-policy": "hook-succeeded, before-hook-creation"
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+    spec:
+      serviceAccountName: istio-init-service-account
+      containers:
+      - name: istio-init-crd-certmanager-10
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        volumeMounts:
+        - name: crd-certmanager-10
+          mountPath: /etc/istio/crd-certmanager-10
+          readOnly: true
+        command: ["kubectl",  "delete", "-f", "/etc/istio/crd-certmanager-10/crd-certmanager-10.yaml"]
+      volumes:
+      - name: crd-certmanager-10
+        configMap:
+          name: istio-crd-certmanager-10
+      restartPolicy: Never
+  backoffLimit: 4
+{{- end }}
 {{- end }}
+

charts/rancher-istio/0.0.2/charts/istio-init/templates/job-crd-certmanager-11.yaml

@@ -13,7 +13,7 @@ spec:
       serviceAccountName: istio-init-service-account
       containers:
       - name: istio-init-crd-certmanager-11
-        image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
         imagePullPolicy: {{ .Values.global.imagePullPolicy }}
         volumeMounts:
         - name: crd-certmanager-11
@@ -25,4 +25,41 @@ spec:
         configMap:
           name: istio-crd-certmanager-11
       restartPolicy: OnFailure
+
+{{- if .Values.deleteCRDs }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: istio-init-delete-crd-certmanager-11
+  annotations:
+    "helm.sh/hook": "pre-delete"
+    "helm.sh/hook-delete-policy": "hook-succeeded, before-hook-creation"
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        "helm.sh/hook": "post-delete"
+        "helm.sh/hook-weight": "-5"
+        "helm.sh/hook-delete-policy": hook-succeeded
+    spec:
+      serviceAccountName: istio-init-service-account
+      containers:
+      - name: istio-init-crd-certmanager-11
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        volumeMounts:
+        - name: crd-certmanager-11
+          mountPath: /etc/istio/crd-certmanager-11
+          readOnly: true
+        command: ["kubectl",  "delete", "-f", "/etc/istio/crd-certmanager-11/crd-certmanager-11.yaml"]
+      volumes:
+      - name: crd-certmanager-11
+        configMap:
+          name: istio-crd-certmanager-11
+      restartPolicy: Never
+  backoffLimit: 4
+{{- end }}
 {{- end }}

charts/rancher-istio/0.0.2/charts/istio-init/values.yaml

-global:
-  # Default hub for Istio images.
-  # Releases are published to docker hub under 'istio' project.
-  # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly
-  hub: gcr.io/istio-release
-
-  # Default tag for Istio images.
-  tag: release-1.2-latest-daily
-
-  # imagePullPolicy is applied to istio control plane components.
-  # local tests require IfNotPresent, to avoid uploading to dockerhub.
-  # TODO: Switch to Always as default, and override in the local tests.
-  imagePullPolicy: IfNotPresent
-
 certmanager:
   enabled: false
+deleteCRDs: true

charts/rancher-istio/0.0.2/requirements.yaml

@@ -38,3 +38,6 @@ dependencies:
   - name: certmanager
     version: 1.1.0
     condition: certmanager.enabled
+  - name: istio-init
+    version: 1.1.0
+    condition: istio-init.enabled

charts/rancher-istio/0.0.2/templates/crd-certmanager.yaml

 {{- if and .Values.enableCRDs .Values.certmanager.enabled }}
+{{- if not (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") }}
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
@@ -160,3 +161,4 @@ spec:
     plural: challenges
   scope: Namespaced
 {{- end }}
+{{- end }}

charts/rancher-istio/0.0.2/values.yaml

@@ -10,6 +10,9 @@
 #
 enableCRDs: true
 
+istio-init:
+  enable: true
+
 #
 # Gateways Configuration, refer to the charts/gateways/values.yaml
 # for detailed configuration