Update istio-demo install instructions (#3520)

* Update istio-demo install instructions * improve verify step * fix circleci errors * typo * Change title * Update content/docs/setup/kubernetes/install/kubernetes/index.md Co-Authored-By: frankbu <frankb@ca.ibm.com> * Update content/docs/setup/kubernetes/install/kubernetes/index.md Co-Authored-By: frankbu <frankb@ca.ibm.com> * Update content/docs/setup/kubernetes/install/kubernetes/index.md Co-Authored-By: frankbu <frankb@ca.ibm.com> * Update content/docs/setup/kubernetes/install/kubernetes/index.md Co-Authored-By: frankbu <frankb@ca.ibm.com> * Update content/docs/setup/kubernetes/install/kubernetes/index.md Co-Authored-By: frankbu <frankb@ca.ibm.com> * Update content/docs/tasks/security/authn-policy/index.md Co-Authored-By: frankbu <frankb@ca.ibm.com> * Update content/docs/tasks/security/plugin-ca-cert/index.md Co-Authored-By: frankbu <frankb@ca.ibm.com> * Update content/docs/setup/kubernetes/install/kubernetes/index.md Co-Authored-By: frankbu <frankb@ca.ibm.com> * Update content/docs/setup/kubernetes/install/kubernetes/index.md Co-Authored-By: frankbu <frankb@ca.ibm.com> * Update content/docs/setup/kubernetes/install/kubernetes/index.md Co-Authored-By: frankbu <frankb@ca.ibm.com> * spelling
2019-03-05 17:47:20 -05:00 · 2019-03-05 17:47:20 -05:00 · 76fc94137e
parent d69c54ca6d
commit 76fc94137e
6 changed files with 101 additions and 83 deletions
--- a/.spelling
+++ b/.spelling
@ -300,6 +300,7 @@ Multicluster
 multicluster
 mutatingwebhookconfiguration
 mutual-tls
+mTLS
 myapp
 MySQL
 mysql
--- a/content/docs/setup/kubernetes/install/kubernetes/index.md
+++ b/content/docs/setup/kubernetes/install/kubernetes/index.md
@ -1,59 +1,67 @@
 ---
-title: Install Istio on a Kubernetes Cluster
-description: Instructions to install the Istio service mesh in a Kubernetes cluster.
+title: Quick Start Evaluation Install
+description: Instructions to install and configure an Istio mesh in a Kubernetes cluster for evaluation.
 weight: 55
 keywords: [kubernetes]
 aliases:
    - /docs/setup/kubernetes/quick-start/
 ---

+Follow this path to quickly evaluate Istio in a Kubernetes cluster on any platform.
+This path installs a preconfigured Istio **demo profile** using basic Kubernetes commands
+without needing to download or install [Helm](https://github.com/helm/helm).
+
 {{< tip >}}
-Istio {{< istio_version >}} has been tested with these Kubernetes releases: {{< supported_kubernetes_versions >}}.
+To install Istio for production use, we recommend using the
+[Helm Installation guide](/docs/setup/kubernetes/install/helm/) instead,
+which provides many more options for selecting and managing the Istio configuration.
+This permits customization of Istio to operator specific requirements.
 {{< /tip >}}

-Follow this path to install and configure an Istio mesh in a Kubernetes cluster
-for evaluation.
-
-To install Istio for production follow the [Helm Installation guide](/docs/setup/kubernetes/install/helm/).
-
 ## Prerequisites

 1. [Download the Istio release](/docs/setup/kubernetes/download-release/).

 1. [Kubernetes platform setup](/docs/setup/kubernetes/platform-setup/):
-  * [Alibaba Cloud](/docs/setup/kubernetes/platform-setup/alicloud/)
-  * [Amazon Web Services (AWS) with Kops](/docs/setup/kubernetes/platform-setup/aws/)
-  * [Azure](/docs/setup/kubernetes/platform-setup/azure/)
-  * [Docker For Desktop](/docs/setup/kubernetes/platform-setup/docker/)
-  * [Google Container Engine (GKE)](/docs/setup/kubernetes/platform-setup/gke/)
-  * [IBM Cloud](/docs/setup/kubernetes/platform-setup/ibm/)
-  * [Minikube](/docs/setup/kubernetes/platform-setup/minikube/)
-  * [OpenShift Origin](/docs/setup/kubernetes/platform-setup/openshift/)
-  * [Oracle Cloud Infrastructure (OKE)](/docs/setup/kubernetes/platform-setup/oci/)
+
+    * [Alibaba Cloud](/docs/setup/kubernetes/platform-setup/alicloud/)
+    * [Amazon Web Services (AWS) with Kops](/docs/setup/kubernetes/platform-setup/aws/)
+    * [Azure](/docs/setup/kubernetes/platform-setup/azure/)
+    * [Docker For Desktop](/docs/setup/kubernetes/platform-setup/docker/)
+    * [Google Container Engine (GKE)](/docs/setup/kubernetes/platform-setup/gke/)
+    * [IBM Cloud](/docs/setup/kubernetes/platform-setup/ibm/)
+    * [Minikube](/docs/setup/kubernetes/platform-setup/minikube/)
+    * [OpenShift Origin](/docs/setup/kubernetes/platform-setup/openshift/)
+    * [Oracle Cloud Infrastructure (OKE)](/docs/setup/kubernetes/platform-setup/oci/)
+
+    {{< tip >}}
+    Istio {{< istio_version >}} has been tested with these Kubernetes releases: {{< supported_kubernetes_versions >}}.
+    {{< /tip >}}

 1. Check the [Requirements for Pods and Services](/docs/setup/kubernetes/additional-setup/requirements//).

 ## Installation steps

-1. Install all the Istio [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) (CRDs) via `kubectl apply`, and wait a few seconds for the CRDs to be committed in the Kubernetes API-server:
+1. Install all the Istio
+    [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions)
+    (CRDs) using `kubectl apply`, and wait a few seconds for the CRDs to be committed in the Kubernetes API-server:

    {{< text bash >}}
    $ for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done
    {{< /text >}}

-1. To install Istio's core components you can choose any of the following four
-**mutually exclusive** options described below. However, for a production setup of Istio,
-we recommend installing with the
-[Helm Chart](/docs/setup/kubernetes/install/helm/), to use all the
-configuration options. This permits customization of Istio to operator specific requirements.
+1. Install one of the following variants of the **demo profile**:

-### Option 1: Install Istio with mutual TLS enabled and set to use permissive mode between sidecars
+{{< tabset cookie-name="profile" >}}

-Visit our
-[mutual TLS permissive mode page](/docs/concepts/security/#permissive-mode)
+{{% tab name="permissive mTLS" cookie-value="permissive" %}}
+When using the mTLS permissive mode, all services accept both plain text and
+mutual TLS traffic. Clients send plain text traffic unless configured for
+[mutual migration](/docs/tasks/security/mtls-migration/#configure-clients-to-send-mutual-tls-traffic).
+Visit our [mutual TLS permissive mode page](/docs/concepts/security/#permissive-mode)
 for more information.

-Choose this option for:
+Choose this variant for:

 * Clusters with existing applications,
 * Applications where services with an Istio sidecar need to be able to
@ -63,68 +71,72 @@ Choose this option for:
 * Headless services, or
 * `StatefulSets`

-To install Istio with mutual TLS enabled and set to use permissive mode
-between sidecars:
+Run the following command to install this variant:

 {{< text bash >}}
 $ kubectl apply -f install/kubernetes/istio-demo.yaml
 {{< /text >}}

-In this option, all services, as servers, can accept both plain text and
-mutual TLS traffic. However, all services, as clients, will send plain
-text traffic.
-Visit [mutual migration](/docs/tasks/security/mtls-migration/#configure-clients-to-send-mutual-tls-traffic)
-for how to configure client behavior. To enforce mutual TLS authentication for both clients and servers, choose [Option 2](#option-2-install-istio-with-default-mutual-tls-authentication) instead.
+{{% /tab %}}

-### Option 2: Install Istio with default mutual TLS authentication
+{{% tab name="strict mTLS" cookie-value="strict" %}}
+This variant will enforce
+[mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) between all clients and servers.

-Use this option only on a fresh Kubernetes cluster where newly deployed
-workloads are guaranteed to have Istio sidecars installed.
+Use this variant only on a fresh Kubernetes cluster where all workloads will be Istio-enabled.
+All newly deployed workloads will have Istio sidecars installed.

-To Install Istio and enforce [mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication)
-between sidecars by default:
+Run the following command to install this variant:

 {{< text bash >}}
 $ kubectl apply -f install/kubernetes/istio-demo-auth.yaml
 {{< /text >}}

-### Option 3: Render Kubernetes manifest with Helm and deploy with `kubectl`
+{{% /tab %}}

-Follow our setup instructions to
-[render the Kubernetes manifest with Helm and deploy with `kubectl`](/docs/setup/kubernetes/install/helm/#option-1-install-with-helm-via-helm-template).
-
-### Option 4: Use Helm and Tiller to manage the Istio deployment
-
-Follow our instructions on how to
-[use Helm and Tiller to manage the Istio deployment](/docs/setup/kubernetes/install/helm/#option-2-install-with-helm-and-tiller-via-helm-install).
+{{< /tabset >}}

 ## Verifying the installation

-1.  To ensure the following Kubernetes services are deployed: `istio-citadel`,
-    `istio-engressgateway`, `istio-galley`, `istio-ingress`, `istio-ingressgateway`,
-    `istio-pilot`, `istio-policy`, `istio-statsd-prom-bridge`, `istio-telemetry`,
-    `prometheus`, and optionally, `istio-sidecar-injector`, verify they all have
-    an appropriate `CLUSTER-IP`:
+1.  Ensure the following Kubernetes services are deployed and verify they all have an appropriate `CLUSTER-IP`:

    {{< text bash >}}
    $ kubectl get svc -n istio-system
+    NAME                     TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                                                                      AGE
+    istio-citadel            ClusterIP      172.21.113.238   <none>          8060/TCP,15014/TCP                                                                                                           8d
+    istio-egressgateway      ClusterIP      172.21.32.42     <none>          80/TCP,443/TCP,15443/TCP                                                                                                     8d
+    istio-galley             ClusterIP      172.21.137.255   <none>          443/TCP,15014/TCP,9901/TCP                                                                                                   8d
+    istio-ingressgateway     LoadBalancer   172.21.229.108   158.85.108.37   80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:31324/TCP,15030:31752/TCP,15031:30314/TCP,15032:30953/TCP,15443:30550/TCP   8d
+    istio-pilot              ClusterIP      172.21.100.28    <none>          15010/TCP,15011/TCP,8080/TCP,15014/TCP                                                                                       8d
+    istio-policy             ClusterIP      172.21.83.199    <none>          9091/TCP,15004/TCP,15014/TCP                                                                                                 8d
+    istio-sidecar-injector   ClusterIP      172.21.198.98    <none>          443/TCP                                                                                                                      8d
+    istio-telemetry          ClusterIP      172.21.84.130    <none>          9091/TCP,15004/TCP,15014/TCP,42422/TCP                                                                                       8d
+    prometheus               ClusterIP      172.21.140.237   <none>          9090/TCP                                                                                                                     8d
    {{< /text >}}

    {{< tip >}}
    If your cluster is running in an environment that does not
    support an external load balancer (e.g., minikube), the
-    `EXTERNAL-IP` of `istio-ingress` and `istio-ingressgateway` will
-    say `<pending>`. You will need to access it using the service's
+    `EXTERNAL-IP` of `istio-ingressgateway` will
+    `<pending>`. To access the gateway, use the service's
    `NodePort`, or use port-forwarding instead.
    {{< /tip >}}

-1.  Ensure the corresponding Kubernetes pods are deployed and all containers: `istio-citadel-*`,
-    `istio-egressgateway-*`, `istio-galley-*`, `istio-ingressgateway-*`, `istio-pilot-*`,
-    `istio-policy-*`, `istio-telemetry-*`, `prometheus-*`, and, optionally, `istio-ingress-*`,
-    `istio-sidecar-injector-*`, have a `STATUS` of `Running`:
+1.  Ensure corresponding Kubernetes pods are deployed and have a `STATUS` of `Running`:

    {{< text bash >}}
    $ kubectl get pods -n istio-system
+    NAME                                      READY     STATUS      RESTARTS   AGE
+    istio-citadel-5c4f467b9c-m8lhb            1/1       Running     0          8d
+    istio-cleanup-secrets-1.1.0-rc.0-msbk7    0/1       Completed   0          8d
+    istio-egressgateway-fbfb4865d-rv2f4       1/1       Running     0          8d
+    istio-galley-7799878d-hnphl               1/1       Running     0          8d
+    istio-ingressgateway-7cf9598b9c-s797z     1/1       Running     0          8d
+    istio-pilot-698687d96d-76j5m              2/2       Running     0          8d
+    istio-policy-55758d8898-sd7b8             2/2       Running     3          8d
+    istio-sidecar-injector-5948ffdfc8-wz69v   1/1       Running     0          8d
+    istio-telemetry-67d8545b68-wgkmg          2/2       Running     3          8d
+    prometheus-c8d8657bf-gwsc7                1/1       Running     0          8d
    {{< /text >}}

 ## Deploy your application
@ -137,20 +149,17 @@ The application must use either the HTTP/1.1 or HTTP/2.0 protocols for all its H
 traffic; HTTP/1.0 is not supported.
 {{< /warning >}}

-If you started the
-[Istio-sidecar-injector](/docs/setup/kubernetes/additional-setup/sidecar-injection/#automatic-sidecar-injection),
-you can deploy the application directly using `kubectl apply`.
-
-The Istio-Sidecar-injector will automatically inject Envoy containers into your
-application pods. The injector assumes the application pods are running in
-namespaces labeled with `istio-injection=enabled`
+When you deploy your application using `kubectl apply`,
+the [Istio sidecar injector](/docs/setup/kubernetes/additional-setup/sidecar-injection/#automatic-sidecar-injection)
+will automatically inject Envoy containers into your
+application pods if they are started in namespaces labeled with `istio-injection=enabled`:

 {{< text bash >}}
 $ kubectl label namespace <namespace> istio-injection=enabled
 $ kubectl create -n <namespace> -f <your-app-spec>.yaml
 {{< /text >}}

-If you don't have the Istio-sidecar-injector installed, you must use
+In namespaces without the `istio-injection` label, you can use
 [`istioctl kube-inject`](/docs/reference/commands/istioctl/#istioctl-kube-inject)
 to manually inject Envoy containers in your application pods before deploying
 them:
@ -159,27 +168,35 @@ them:
 $ istioctl kube-inject -f <your-app-spec>.yaml | kubectl apply -f -
 {{< /text >}}

-## Uninstall Istio core components
+## Uninstall

 The uninstall deletes the RBAC permissions, the `istio-system` namespace, and
 all resources hierarchically under it. It is safe to ignore errors for
 non-existent resources because they may have been deleted hierarchically.

-* If you installed Istio with `istio-demo.yaml`:
+* Uninstall the `demo profile` corresponding to the mTLS mode you enabled:

-    {{< text bash >}}
-    $ kubectl delete -f install/kubernetes/istio-demo.yaml
-    {{< /text >}}
+{{< tabset cookie-name="profile" >}}

-* If you installed Istio with `istio-demo-auth.yaml`:
+{{% tab name="permissive mTLS" cookie-value="permissive" %}}

-    {{< text bash >}}
-    $ kubectl delete -f install/kubernetes/istio-demo-auth.yaml
-    {{< /text >}}
+{{< text bash >}}
+$ kubectl delete -f install/kubernetes/istio-demo.yaml
+{{< /text >}}

-* If you installed Istio with Helm, follow the uninstall steps in [Istio Installation with Helm](/docs/setup/kubernetes/install/helm).
+{{% /tab %}}

-* If desired, delete the CRDs:
+{{% tab name="strict mTLS" cookie-value="strict" %}}
+
+{{< text bash >}}
+$ kubectl delete -f install/kubernetes/istio-demo-auth.yaml
+{{< /text >}}
+
+{{% /tab %}}
+
+{{< /tabset >}}
+
+* If desired, delete the Istio CRDs:

    {{< text bash >}}
    $ for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl delete -f $i; done
--- a/content/docs/tasks/security/authn-policy/index.md
+++ b/content/docs/tasks/security/authn-policy/index.md
@ -234,8 +234,8 @@ EOF
 {{< /text >}}

 {{< tip >}}
-If you install Istio with the [default mutual TLS option](/docs/setup/kubernetes/install/kubernetes/#option-2-install-istio-with-default-mutual-tls-authentication),
-this rule, together with the global authentication policy and destination rule above will be injected to the system during installation process.
+This rule, along with the global authentication policy and destination rule, above,
+is automatically injected into the system when you install Istio with mutual TLS enabled.
 {{< /tip >}}

 Re-run the testing command above to confirm that it returns 200 after the rule is added:
--- a/content/docs/tasks/security/plugin-ca-cert/index.md
+++ b/content/docs/tasks/security/plugin-ca-cert/index.md
@ -16,7 +16,7 @@ operator-specified root certificate. This task demonstrates an example to plug c
 * Set up Istio by following the instructions in the
 [quick start](/docs/setup/kubernetes/install/kubernetes/) with global mutual TLS enabled:

-  Install from the [demo yaml file](/docs/setup/kubernetes/install/kubernetes/#option-2-install-istio-with-default-mutual-tls-authentication).
+  Follow the [installation instructions](/docs/setup/kubernetes/install/kubernetes/#installation-steps) install Istio with the **strict mTLS mode** enabled.

  _**OR**_

--- a/content/help/faq/security/accessing-non-istio-services.md
+++ b/content/help/faq/security/accessing-non-istio-services.md
@ -22,8 +22,8 @@ EOF
 {{< /text >}}

 {{< tip >}}
-This destination rule is already added to the system as part of the
-[Istio installation with default mutual TLS](/docs/setup/kubernetes/install/kubernetes/#option-2-install-istio-with-default-mutual-tls-authentication).
+This destination rule is already added to the system when
+Istio is installed with mutual TLS enabled.
 {{< /tip >}}

 Similarly, you can add destination rules for other non-Istio services. For more examples, see [task](/docs/tasks/security/authn-policy/#request-from-istio-services-to-non-istio-services).
--- a/content_zh/help/faq/security/accessing-non-istio-services.md
+++ b/content_zh/help/faq/security/accessing-non-istio-services.md
@ -20,7 +20,7 @@ EOF
 {{< /text >}}

 {{< tip >}}
-这个目标规则已作为 [Istio 安装的一部分添加到系统中，并具有默认的双向 TLS](/docs/setup/kubernetes/install/kubernetes/#option-2-install-istio-with-default-mutual-tls-authentication)
+这个目标规则已作为 Istio 安装的一部分添加到系统中，并具有默认的双向 TLS
 {{< /tip >}}

 同样，您可以为其他非 Istio 服务添加目标规则。 有关更多示例，请参阅[任务](/docs/tasks/security/authn-policy/#request-from-istio-services-to-non-istio-services)。