Cleanup Istio CNI and Istiod chart installations (#13265)

* remove injected annotation for istio-cni * add injector webhook config back, add tip about it overwriting existing configs * update docs with istio_cni.chained installation config * update helm install instructions * fix linting * pass linter * clarify tip for previous Openshift users to be aware that the injection webhook is not required * update per PR suggestion * generate new snips * update cni docs by removing tip and adding openshift install command per PR * lint fix --------- Co-authored-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info>
2023-06-23 12:19:39 -06:00 · 2023-06-23 12:19:39 -06:00 · 40274a60df
parent c007262bdd
commit 40274a60df
3 changed files with 68 additions and 50 deletions
--- a/content/en/docs/setup/additional-setup/cni/index.md
+++ b/content/en/docs/setup/additional-setup/cni/index.md
@ -60,6 +60,10 @@ See [compatibility with other CNI plugins](#compatibility-with-other-cni-plugins

 In most environments, a basic Istio cluster with CNI enabled can be installed using the following commands:

+{{< tabset category-name="gateway-install-type" >}}
+
+{{< tab name="IstioOperator" category-value="iop" >}}
+
 {{< text bash >}}
 $ cat <<EOF > istio-cni.yaml
 apiVersion: install.istio.io/v1alpha1
@ -72,6 +76,18 @@ EOF
 $ istioctl install -f istio-cni.yaml -y
 {{< /text >}}

+{{< /tab >}}
+
+{{< tab name="Helm" category-value="helm" >}}
+
+{{< text bash >}}
+$ helm install istio-cni istio/cni -n kube-system --wait
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}
+
 This will deploy an `istio-cni-node` DaemonSet into the cluster, which installs the Istio CNI plugin binary to each node and sets up the necessary configuration for the plugin.
 The CNI DaemonSet runs with [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) `PriorityClass`.

@ -91,47 +107,52 @@ This race condition is mitigated by a "detect and repair" method.
 Please take a look at [race condition & mitigation](#race-condition--mitigation) section to understand the implication of this mitigation.
 {{< /tip >}}

+### Installing with Helm
+
+The Istio CNI and Istio discovery chart use different values that require you set the following, either in an overrides values file or at your command prompt when installing the `istiod` chart, to manage network annotations when chaining CNI plugins:
+
+* `values.istio_cni.enabled` should be set to the same value as `values.cni.enabled`.
+
+* `values.istio_cni.chained` should be set to the same value as `values.cni.chained`.
+
+{{< text bash >}}
+$  helm install istiod istio/istiod -n istio-system --set values.istio_cni.enabled=true --wait
+{{< /text >}}
+
 ### Hosted Kubernetes settings

 The `istio-cni` plugin is expected to work with any hosted Kubernetes version using CNI plugins.
 The default installation configuration works with most platforms.
 Some platforms required special installation settings.

-* Google Kubernetes Engine
+{{< tabset category-name="cni-platform" >}}

-    {{< text yaml >}}
-    apiVersion: install.istio.io/v1alpha1
-    kind: IstioOperator
-    spec:
-      components:
-        cni:
-          enabled: true
-          namespace: kube-system
-      values:
-        cni:
-          cniBinDir: /home/kubernetes/bin
-    {{< /text >}}
+{{< tab name="Google Kubernetes Engine" category-value="gke" >}}

-* Red Hat OpenShift 4.2+
+{{< text yaml >}}
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  components:
+    cni:
+      enabled: true
+      namespace: kube-system
+  values:
+    cni:
+      cniBinDir: /home/kubernetes/bin
+{{< /text >}}

-    {{< text yaml >}}
-    apiVersion: install.istio.io/v1alpha1
-    kind: IstioOperator
-    spec:
-      components:
-        cni:
-          enabled: true
-          namespace: kube-system
-      values:
-        sidecarInjectorWebhook:
-          injectedAnnotations:
-            k8s.v1.cni.cncf.io/networks: istio-cni
-        cni:
-          cniBinDir: /var/lib/cni/bin
-          cniConfDir: /etc/cni/multus/net.d
-          cniConfFileName: istio-cni.conf
-          chained: false
-    {{< /text >}}
+{{< /tab >}}
+
+{{< tab name="Red Hat OpenShift 4.2+" category-value="ocp" >}}
+
+{{< text bash >}}
+$ istioctl install --set profile=openshift
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}

 ## Operation details

@ -144,6 +165,8 @@ When upgrading Istio with [canary upgrade](/docs/setup/upgrade/canary/), because
 it is recommended to operate and upgrade the CNI component separately from the revisioned control plane.
 The following `IstioOperator` can be used to operate the CNI component independently.

+This is not a problem for Helm as the istio-cni is installed separately.
+
 {{< text yaml >}}
 apiVersion: install.istio.io/v1alpha1
 kind: IstioOperator
--- a/content/en/docs/setup/additional-setup/cni/snips.sh
+++ b/content/en/docs/setup/additional-setup/cni/snips.sh
@ -32,6 +32,14 @@ EOF
 istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true -f istio-cni.yaml -y
 }

+snip_install_istio_with_cni_plugin_2() {
+helm install istio-cni istio/cni -n kube-system --wait
+}
+
+snip_installing_with_helm_1() {
+ helm install istiod istio/istiod -n istio-system --set values.istio_cni.enabled=true --wait
+}
+
 ! read -r -d '' snip_hosted_kubernetes_settings_1 <<\ENDSNIP
 apiVersion: install.istio.io/v1alpha1
 kind: IstioOperator
@ -45,24 +53,9 @@ spec:
      cniBinDir: /home/kubernetes/bin
 ENDSNIP

-! read -r -d '' snip_hosted_kubernetes_settings_2 <<\ENDSNIP
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
-  components:
-    cni:
-      enabled: true
-      namespace: kube-system
-  values:
-    sidecarInjectorWebhook:
-      injectedAnnotations:
-        k8s.v1.cni.cncf.io/networks: istio-cni
-    cni:
-      cniBinDir: /var/lib/cni/bin
-      cniConfDir: /etc/cni/multus/net.d
-      cniConfFileName: istio-cni.conf
-      chained: false
-ENDSNIP
+snip_hosted_kubernetes_settings_2() {
+istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true --set profile=openshift
+}

 ! read -r -d '' snip_upgrade_1 <<\ENDSNIP
 apiVersion: install.istio.io/v1alpha1
--- a/content/en/docs/setup/install/helm/index.md
+++ b/content/en/docs/setup/install/helm/index.md
@ -64,6 +64,8 @@ You can display the default values of configuration parameters using the `helm s

    In the output locate the entry for `istio-base` and make sure the status is set to `deployed`.

+1. If you intend to use Istio CNI chart you must do so now. See [Install Istio with the CNI plugin](/docs/setup/additional-setup/cni/#installing-with-helm) for more info.
+
 1. Install the Istio discovery chart which deploys the `istiod` service:

    {{< text syntax=bash snip_id=install_discovery >}}