istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

modify watch namespace to only Istio-operator (#5183) 

* modify watch namespace to only Istio-operator

also start the eval with demo profile first.

* use demo as the first starting point

* update grab script

* add watch ns

* fix lint
This commit is contained in:
Lin Sun 2019-10-20 18:00:36 -04:00 committed by Istio Automation
parent 0c464a3bdc
commit 402e41d772
3 changed files with 89 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
content/en/docs/setup/install/standalone-operator/index.md
View File

@ -30,14 +30,14 @@ instead, which is a stable feature.
$ kubectl apply -f https://preliminary.istio.io/operator.yaml $ kubectl apply -f https://preliminary.istio.io/operator.yaml
{{< /text >}} {{< /text >}}
1. (Optionally) change profiles from the default profile to one of the following profiles: 1. (Optionally) change profiles from the demo profile to one of the following profiles:
{{< tabset cookie-name="profile" >}} {{< tabset cookie-name="profile" >}}
{{< tab name="permissive mutual TLS" cookie-value="permissive" >}} {{< tab name="demo" cookie-value="permissive" >}}
When using the [permissive mutual TLS mode](/docs/concepts/security/#permissive-mode), all services accept both plaintext and When using the [permissive mutual TLS mode](/docs/concepts/security/#permissive-mode), all services accept both plaintext and
mutual TLS traffic. Clients send plaintext traffic unless configured for mutual TLS traffic. Clients send plaintext traffic unless configured for
[mutual TLS migration](/docs/tasks/security/mtls-migration/). [mutual TLS migration](/docs/tasks/security/mtls-migration/). This profile is installed during the first step.
Choose this profile for: Choose this profile for:
@ -53,7 +53,7 @@ $ kubectl apply -f https://preliminary.istio.io/operator-profile-demo.yaml
{{< /tab >}} {{< /tab >}}
{{< tab name="strict mutual TLS" cookie-value="strict" >}} {{< tab name="demo-auth" cookie-value="strict" >}}
This profile will enforce This profile will enforce
[mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) between all clients and servers. [mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) between all clients and servers.
@ -85,9 +85,7 @@ $ kubectl apply -f https://preliminary.istio.io/operator-profile-sds.yaml
{{< /tab >}} {{< /tab >}}
{{< tab name="default" cookie-value="default" >}} {{< tab name="default" cookie-value="default" >}}
This profile enables Istio's default settings. This profile is installed during the first step. This profile enables Istio's default settings. Run the following command to switch to this profile:
Run the following command to switch to this profile:
{{< text bash >}} {{< text bash >}}
$ kubectl apply -f https://preliminary.istio.io/operator-profile-default.yaml $ kubectl apply -f https://preliminary.istio.io/operator-profile-default.yaml

28
scripts/grab_operator_yamls.sh
View File

@ -29,12 +29,7 @@ tempdir_operator="$(mktemp -d)"
# Upstream GIT tags or branches used for the operator repo. The operator is # Upstream GIT tags or branches used for the operator repo. The operator is
# currently only available as a master version. This will change when # currently only available as a master version. This will change when
# 1.4 is tagged. # 1.4 is tagged.
operator_tag="master" operator_tag="release-1.4"
# Great care should be taken when modifying the ordering of this list. This
# script cats these files together in order with a yaml separator.
operator_manifest_files=( "deploy/namespace.yaml" "deploy/crds/istio_v1alpha2_istiocontrolplane_crd.yaml" "deploy/crds/istio_v1alpha2_istiocontrolplane_cr.yaml" "deploy/service_account.yaml" "deploy/clusterrole.yaml" "deploy/clusterrole_binding.yaml" "deploy/service.yaml" "deploy/operator.yaml" )
# Add profiles here to have them automatically added to the website. # Add profiles here to have them automatically added to the website.
# It is important to also document these files, which is not done automatically. # It is important to also document these files, which is not done automatically.
@ -49,13 +44,6 @@ git clone -q --single-branch --branch "${operator_tag}" https://github.com/istio
pushd operator >/dev/null || exit pushd operator >/dev/null || exit
git checkout -q "${operator_tag}" git checkout -q "${operator_tag}"
# Generate the main manifest
for manifest_file in "${operator_manifest_files[@]}"
do
cat "${manifest_file}" >> "${output_dir}"/operator.yaml
echo "---" >> "${output_dir}"/operator.yaml
done
# Generate the profiles # Generate the profiles
for profile in "${operator_profiles[@]}" for profile in "${operator_profiles[@]}"
do do
@ -64,5 +52,19 @@ do
sed -i "s/profile: default/profile: ${profile}/g" "${output_dir}"/operator-profile-"${profile}".yaml sed -i "s/profile: default/profile: ${profile}/g" "${output_dir}"/operator-profile-"${profile}".yaml
done done
# Great care should be taken when modifying the ordering of this list. This
# script cats these files together in order with a yaml separator.
operator_manifest_files=( "deploy/namespace.yaml" "deploy/crds/istio_v1alpha2_istiocontrolplane_crd.yaml" "${output_dir}/operator-profile-demo.yaml" "deploy/service_account.yaml" "deploy/clusterrole.yaml" "deploy/clusterrole_binding.yaml" "deploy/service.yaml" "deploy/operator.yaml" )
# Generate the main manifest
for manifest_file in "${operator_manifest_files[@]}"
do
echo "manifest_file is $manifest_file"
cat "${manifest_file}" >> "${output_dir}"/operator.yaml
echo "---" >> "${output_dir}"/operator.yaml
done
popd >/dev/null || exit popd >/dev/null || exit
rm -rf "${tempdir_operator}" > /dev/null 2>&1 rm -rf "${tempdir_operator}" > /dev/null 2>&1

124
static/operator.yaml
View File

@ -14,6 +14,8 @@ spec:
listKind: IstioControlPlaneList listKind: IstioControlPlaneList
plural: istiocontrolplanes plural: istiocontrolplanes
singular: istiocontrolplane singular: istiocontrolplane
shortNames:
- icp
scope: Namespaced scope: Namespaced
subresources: subresources:
status: {} status: {}
@ -47,7 +49,8 @@ metadata:
namespace: istio-operator namespace: istio-operator
name: example-istiocontrolplane name: example-istiocontrolplane
spec: spec:
profile: default profile: demo
---
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@ -61,6 +64,25 @@ metadata:
creationTimestamp: null creationTimestamp: null
name: istio-operator name: istio-operator
rules: rules:
# istio groups
- apiGroups:
- authentication.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- config.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- install.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups: - apiGroups:
- networking.istio.io - networking.istio.io
resources: resources:
@ -74,57 +96,17 @@ rules:
verbs: verbs:
- '*' - '*'
- apiGroups: - apiGroups:
- config.istio.io - security.istio.io
resources: resources:
- '*' - '*'
verbs: verbs:
- '*' - '*'
- apiGroups: # k8s groups
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
verbs:
- '*'
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- '*'
- apiGroups: - apiGroups:
- admissionregistration.k8s.io - admissionregistration.k8s.io
resources: resources:
- mutatingwebhookconfigurations - mutatingwebhookconfigurations
verbs: - validatingwebhookconfigurations
- '*'
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- '*'
- apiGroups:
- ""
resources:
- serviceaccounts
- pods
- services
- endpoints
- persistentvolumeclaims
- events
- configmaps
- secrets
- namespaces
verbs:
- '*'
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
verbs: verbs:
- '*' - '*'
- apiGroups: - apiGroups:
@ -134,6 +116,24 @@ rules:
- customresourcedefinitions - customresourcedefinitions
verbs: verbs:
- '*' - '*'
- apiGroups:
- apps
- extensions
resources:
- daemonsets
- deployments
- deployments/finalizers
- ingresses
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- '*'
- apiGroups: - apiGroups:
- monitoring.coreos.com - monitoring.coreos.com
resources: resources:
@ -142,18 +142,32 @@ rules:
- get - get
- create - create
- apiGroups: - apiGroups:
- apps - policy
resourceNames:
- istio-operator
resources: resources:
- deployments/finalizers - poddisruptionbudgets
verbs: verbs:
- update
- apiGroups:
- install.istio.io
resources:
- '*' - '*'
- istiocontrolplanes - apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
- roles
- rolebindings
verbs:
- '*'
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- events
- namespaces
- pods
- persistentvolumeclaims
- secrets
- services
- serviceaccounts
verbs: verbs:
- '*' - '*'
--- ---
@ -203,14 +217,14 @@ spec:
serviceAccountName: istio-operator serviceAccountName: istio-operator
containers: containers:
- name: istio-operator - name: istio-operator
image: gcr.io/istio-testing/operator:master-latest-daily image: gcr.io/istio-testing/operator:1.4-dev
command: command:
- istio-operator - istio-operator
- server - server
imagePullPolicy: Always imagePullPolicy: Always
env: env:
- name: WATCH_NAMESPACE - name: WATCH_NAMESPACE
value: "" value: "istio-operator"
- name: LEADER_ELECTION_NAMESPACE - name: LEADER_ELECTION_NAMESPACE
valueFrom: valueFrom:
fieldRef: fieldRef: