mirror of https://github.com/istio/istio.io.git
modify watch namespace to only Istio-operator (#5183)
* modify watch namespace to only Istio-operator also start the eval with demo profile first. * use demo as the first starting point * update grab script * add watch ns * fix lint
parent
0c464a3bdc
commit
402e41d772
|
@ -30,14 +30,14 @@ instead, which is a stable feature.
|
||||||
$ kubectl apply -f https://preliminary.istio.io/operator.yaml
|
$ kubectl apply -f https://preliminary.istio.io/operator.yaml
|
||||||
{{< /text >}}
|
{{< /text >}}
|
||||||
|
|
||||||
1. (Optionally) change profiles from the default profile to one of the following profiles:
|
1. (Optionally) change profiles from the demo profile to one of the following profiles:
|
||||||
|
|
||||||
{{< tabset cookie-name="profile" >}}
|
{{< tabset cookie-name="profile" >}}
|
||||||
|
|
||||||
{{< tab name="permissive mutual TLS" cookie-value="permissive" >}}
|
{{< tab name="demo" cookie-value="permissive" >}}
|
||||||
When using the [permissive mutual TLS mode](/docs/concepts/security/#permissive-mode), all services accept both plaintext and
|
When using the [permissive mutual TLS mode](/docs/concepts/security/#permissive-mode), all services accept both plaintext and
|
||||||
mutual TLS traffic. Clients send plaintext traffic unless configured for
|
mutual TLS traffic. Clients send plaintext traffic unless configured for
|
||||||
[mutual TLS migration](/docs/tasks/security/mtls-migration/).
|
[mutual TLS migration](/docs/tasks/security/mtls-migration/). This profile is installed during the first step.
|
||||||
|
|
||||||
Choose this profile for:
|
Choose this profile for:
|
||||||
|
|
||||||
|
@ -53,7 +53,7 @@ $ kubectl apply -f https://preliminary.istio.io/operator-profile-demo.yaml
|
||||||
|
|
||||||
{{< /tab >}}
|
{{< /tab >}}
|
||||||
|
|
||||||
{{< tab name="strict mutual TLS" cookie-value="strict" >}}
|
{{< tab name="demo-auth" cookie-value="strict" >}}
|
||||||
This profile will enforce
|
This profile will enforce
|
||||||
[mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) between all clients and servers.
|
[mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) between all clients and servers.
|
||||||
|
|
||||||
|
@ -85,9 +85,7 @@ $ kubectl apply -f https://preliminary.istio.io/operator-profile-sds.yaml
|
||||||
{{< /tab >}}
|
{{< /tab >}}
|
||||||
|
|
||||||
{{< tab name="default" cookie-value="default" >}}
|
{{< tab name="default" cookie-value="default" >}}
|
||||||
This profile enables Istio's default settings. This profile is installed during the first step.
|
This profile enables Istio's default settings. Run the following command to switch to this profile:
|
||||||
|
|
||||||
Run the following command to switch to this profile:
|
|
||||||
|
|
||||||
{{< text bash >}}
|
{{< text bash >}}
|
||||||
$ kubectl apply -f https://preliminary.istio.io/operator-profile-default.yaml
|
$ kubectl apply -f https://preliminary.istio.io/operator-profile-default.yaml
|
||||||
|
|
|
@ -29,12 +29,7 @@ tempdir_operator="$(mktemp -d)"
|
||||||
# Upstream GIT tags or branches used for the operator repo. The operator is
|
# Upstream GIT tags or branches used for the operator repo. The operator is
|
||||||
# currently only available as a master version. This will change when
|
# currently only available as a master version. This will change when
|
||||||
# 1.4 is tagged.
|
# 1.4 is tagged.
|
||||||
operator_tag="master"
|
operator_tag="release-1.4"
|
||||||
|
|
||||||
# Great care should be taken when modifying the ordering of this list. This
|
|
||||||
# script cats these files together in order with a yaml separator.
|
|
||||||
|
|
||||||
operator_manifest_files=( "deploy/namespace.yaml" "deploy/crds/istio_v1alpha2_istiocontrolplane_crd.yaml" "deploy/crds/istio_v1alpha2_istiocontrolplane_cr.yaml" "deploy/service_account.yaml" "deploy/clusterrole.yaml" "deploy/clusterrole_binding.yaml" "deploy/service.yaml" "deploy/operator.yaml" )
|
|
||||||
|
|
||||||
# Add profiles here to have them automatically added to the website.
|
# Add profiles here to have them automatically added to the website.
|
||||||
# It is important to also document these files, which is not done automatically.
|
# It is important to also document these files, which is not done automatically.
|
||||||
|
@ -49,13 +44,6 @@ git clone -q --single-branch --branch "${operator_tag}" https://github.com/istio
|
||||||
pushd operator >/dev/null || exit
|
pushd operator >/dev/null || exit
|
||||||
git checkout -q "${operator_tag}"
|
git checkout -q "${operator_tag}"
|
||||||
|
|
||||||
# Generate the main manifest
|
|
||||||
for manifest_file in "${operator_manifest_files[@]}"
|
|
||||||
do
|
|
||||||
cat "${manifest_file}" >> "${output_dir}"/operator.yaml
|
|
||||||
echo "---" >> "${output_dir}"/operator.yaml
|
|
||||||
done
|
|
||||||
|
|
||||||
# Generate the profiles
|
# Generate the profiles
|
||||||
for profile in "${operator_profiles[@]}"
|
for profile in "${operator_profiles[@]}"
|
||||||
do
|
do
|
||||||
|
@ -64,5 +52,19 @@ do
|
||||||
sed -i "s/profile: default/profile: ${profile}/g" "${output_dir}"/operator-profile-"${profile}".yaml
|
sed -i "s/profile: default/profile: ${profile}/g" "${output_dir}"/operator-profile-"${profile}".yaml
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# Great care should be taken when modifying the ordering of this list. This
|
||||||
|
# script cats these files together in order with a yaml separator.
|
||||||
|
|
||||||
|
operator_manifest_files=( "deploy/namespace.yaml" "deploy/crds/istio_v1alpha2_istiocontrolplane_crd.yaml" "${output_dir}/operator-profile-demo.yaml" "deploy/service_account.yaml" "deploy/clusterrole.yaml" "deploy/clusterrole_binding.yaml" "deploy/service.yaml" "deploy/operator.yaml" )
|
||||||
|
|
||||||
|
# Generate the main manifest
|
||||||
|
for manifest_file in "${operator_manifest_files[@]}"
|
||||||
|
do
|
||||||
|
echo "manifest_file is $manifest_file"
|
||||||
|
cat "${manifest_file}" >> "${output_dir}"/operator.yaml
|
||||||
|
echo "---" >> "${output_dir}"/operator.yaml
|
||||||
|
done
|
||||||
|
|
||||||
|
|
||||||
popd >/dev/null || exit
|
popd >/dev/null || exit
|
||||||
rm -rf "${tempdir_operator}" > /dev/null 2>&1
|
rm -rf "${tempdir_operator}" > /dev/null 2>&1
|
||||||
|
|
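Review bot: `operator_tag="release-1.4"` appears to name a branch rather than a tag, so the generated `operator.yaml` that readers apply straight from the site changes whenever that branch moves, and the comment above it still says the operator is only available as a master version. Update the comment, e.g. `# Tracks the release-1.4 branch; pin to the 1.4 tag once it is cut.`, and pin to a tag or commit when one exists. The manifest list now includes `"${output_dir}/operator-profile-demo.yaml"`, which exists only if the profiles loop ran first and `demo` is still in `operator_profiles` (defined outside this hunk); a guard such as `[[ -f "${manifest_file}" ]] || exit 1` before the `cat` would keep a partial `operator.yaml` from being published. `echo "manifest_file is $manifest_file"` looks like leftover debug output and can be dropped.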
|
@ -14,6 +14,8 @@ spec:
|
||||||
listKind: IstioControlPlaneList
|
listKind: IstioControlPlaneList
|
||||||
plural: istiocontrolplanes
|
plural: istiocontrolplanes
|
||||||
singular: istiocontrolplane
|
singular: istiocontrolplane
|
||||||
|
shortNames:
|
||||||
|
- icp
|
||||||
scope: Namespaced
|
scope: Namespaced
|
||||||
subresources:
|
subresources:
|
||||||
status: {}
|
status: {}
|
||||||
|
@ -47,7 +49,8 @@ metadata:
|
||||||
namespace: istio-operator
|
namespace: istio-operator
|
||||||
name: example-istiocontrolplane
|
name: example-istiocontrolplane
|
||||||
spec:
|
spec:
|
||||||
profile: default
|
profile: demo
|
||||||
|
---
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ServiceAccount
|
kind: ServiceAccount
|
||||||
|
@ -61,6 +64,25 @@ metadata:
|
||||||
creationTimestamp: null
|
creationTimestamp: null
|
||||||
name: istio-operator
|
name: istio-operator
|
||||||
rules:
|
rules:
|
||||||
|
# istio groups
|
||||||
|
- apiGroups:
|
||||||
|
- authentication.istio.io
|
||||||
|
resources:
|
||||||
|
- '*'
|
||||||
|
verbs:
|
||||||
|
- '*'
|
||||||
|
- apiGroups:
|
||||||
|
- config.istio.io
|
||||||
|
resources:
|
||||||
|
- '*'
|
||||||
|
verbs:
|
||||||
|
- '*'
|
||||||
|
- apiGroups:
|
||||||
|
- install.istio.io
|
||||||
|
resources:
|
||||||
|
- '*'
|
||||||
|
verbs:
|
||||||
|
- '*'
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- networking.istio.io
|
- networking.istio.io
|
||||||
resources:
|
resources:
|
||||||
|
@ -74,57 +96,17 @@ rules:
|
||||||
verbs:
|
verbs:
|
||||||
- '*'
|
- '*'
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- config.istio.io
|
- security.istio.io
|
||||||
resources:
|
resources:
|
||||||
- '*'
|
- '*'
|
||||||
verbs:
|
verbs:
|
||||||
- '*'
|
- '*'
|
||||||
- apiGroups:
|
# k8s groups
|
||||||
- rbac.authorization.k8s.io
|
|
||||||
resources:
|
|
||||||
- clusterrolebindings
|
|
||||||
- clusterroles
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
- apiGroups:
|
|
||||||
- policy
|
|
||||||
resources:
|
|
||||||
- poddisruptionbudgets
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- admissionregistration.k8s.io
|
- admissionregistration.k8s.io
|
||||||
resources:
|
resources:
|
||||||
- mutatingwebhookconfigurations
|
- mutatingwebhookconfigurations
|
||||||
verbs:
|
- validatingwebhookconfigurations
|
||||||
- '*'
|
|
||||||
- apiGroups:
|
|
||||||
- autoscaling
|
|
||||||
resources:
|
|
||||||
- horizontalpodautoscalers
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- serviceaccounts
|
|
||||||
- pods
|
|
||||||
- services
|
|
||||||
- endpoints
|
|
||||||
- persistentvolumeclaims
|
|
||||||
- events
|
|
||||||
- configmaps
|
|
||||||
- secrets
|
|
||||||
- namespaces
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
- apiGroups:
|
|
||||||
- apps
|
|
||||||
resources:
|
|
||||||
- deployments
|
|
||||||
- daemonsets
|
|
||||||
- replicasets
|
|
||||||
- statefulsets
|
|
||||||
verbs:
|
verbs:
|
||||||
- '*'
|
- '*'
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
|
@ -134,6 +116,24 @@ rules:
|
||||||
- customresourcedefinitions
|
- customresourcedefinitions
|
||||||
verbs:
|
verbs:
|
||||||
- '*'
|
- '*'
|
||||||
|
- apiGroups:
|
||||||
|
- apps
|
||||||
|
- extensions
|
||||||
|
resources:
|
||||||
|
- daemonsets
|
||||||
|
- deployments
|
||||||
|
- deployments/finalizers
|
||||||
|
- ingresses
|
||||||
|
- replicasets
|
||||||
|
- statefulsets
|
||||||
|
verbs:
|
||||||
|
- '*'
|
||||||
|
- apiGroups:
|
||||||
|
- autoscaling
|
||||||
|
resources:
|
||||||
|
- horizontalpodautoscalers
|
||||||
|
verbs:
|
||||||
|
- '*'
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- monitoring.coreos.com
|
- monitoring.coreos.com
|
||||||
resources:
|
resources:
|
||||||
|
@ -142,18 +142,32 @@ rules:
|
||||||
- get
|
- get
|
||||||
- create
|
- create
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- apps
|
- policy
|
||||||
resourceNames:
|
|
||||||
- istio-operator
|
|
||||||
resources:
|
resources:
|
||||||
- deployments/finalizers
|
- poddisruptionbudgets
|
||||||
verbs:
|
verbs:
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- install.istio.io
|
|
||||||
resources:
|
|
||||||
- '*'
|
- '*'
|
||||||
- istiocontrolplanes
|
- apiGroups:
|
||||||
|
- rbac.authorization.k8s.io
|
||||||
|
resources:
|
||||||
|
- clusterrolebindings
|
||||||
|
- clusterroles
|
||||||
|
- roles
|
||||||
|
- rolebindings
|
||||||
|
verbs:
|
||||||
|
- '*'
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- configmaps
|
||||||
|
- endpoints
|
||||||
|
- events
|
||||||
|
- namespaces
|
||||||
|
- pods
|
||||||
|
- persistentvolumeclaims
|
||||||
|
- secrets
|
||||||
|
- services
|
||||||
|
- serviceaccounts
|
||||||
verbs:
|
verbs:
|
||||||
- '*'
|
- '*'
|
||||||
---
|
---
|
||||||
|
@ -203,14 +217,14 @@ spec:
|
||||||
serviceAccountName: istio-operator
|
serviceAccountName: istio-operator
|
||||||
containers:
|
containers:
|
||||||
- name: istio-operator
|
- name: istio-operator
|
||||||
image: gcr.io/istio-testing/operator:master-latest-daily
|
image: gcr.io/istio-testing/operator:1.4-dev
|
||||||
command:
|
command:
|
||||||
- istio-operator
|
- istio-operator
|
||||||
- server
|
- server
|
||||||
imagePullPolicy: Always
|
imagePullPolicy: Always
|
||||||
env:
|
env:
|
||||||
- name: WATCH_NAMESPACE
|
- name: WATCH_NAMESPACE
|
||||||
value: ""
|
value: "istio-operator"
|
||||||
- name: LEADER_ELECTION_NAMESPACE
|
- name: LEADER_ELECTION_NAMESPACE
|
||||||
valueFrom:
|
valueFrom:
|
||||||
fieldRef:
|
fieldRef:
|
||||||
|
|
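Review bot: Setting `WATCH_NAMESPACE` to `"istio-operator"` narrows what the operator reconciles, but the `istio-operator` role rules in this file (presumably the ClusterRole from `deploy/clusterrole.yaml`) still grant `'*'` verbs, and this change widens them: `roles` and `rolebindings` join `clusterroles`/`clusterrolebindings`, `validatingwebhookconfigurations` is added, and the `resourceNames: istio-operator` scoping on `deployments/finalizers` is gone. Wildcard verbs on the `rbac.authorization.k8s.io` resources and on `secrets` leave the service account close to cluster-admin, so the watch namespace does not contain a compromised operator pod. Where the operator allows it, list the verbs it needs (for example `get`, `list`, `watch`, `create`, `update`, `patch`, `delete`) instead of `'*'`, and keep `resourceNames` on the finalizers rule. The image `gcr.io/istio-testing/operator:1.4-dev` with `imagePullPolicy: Always` is a mutable tag, so pinning it by digest would make what runs with these permissions reproducible. This file looks generated from the upstream operator repo, so the fix likely belongs there.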