A compromise PR of a long original work (#5146)

* A compromise PR of a long original work

See PR: https://github.com/istio/istio.io/pull/5142

Pretty much everything about this PR is compromised...

* Apply reviewer comments.
Steven Dake 2019-10-15 09:55:20 -07:00 committed by Istio Automation
parent f7dd8c6613
commit d5482da0aa
9 changed files with 547 additions and 0 deletions


@ -57,4 +57,7 @@ archive:
update_ref_docs:
@scripts/grab_reference_docs.sh
update_operator_yamls:
@scripts/grab_operator_yamls.sh
include common/Makefile.common.mk
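Review bot: the new `update_operator_yamls` target runs `scripts/grab_operator_yamls.sh`, which (per that file in this commit) clones the operator repo's `master` branch, so two runs of this target from the same source tree can produce different `static/operator.yaml` files and nothing records which operator commit was captured. Consider having the recipe, or the script, write the fetched commit id into a header comment of the generated file, and pin `operator_tag` once 1.4 is tagged as the script's own comment anticipates. As with `update_ref_docs`, the recipe is silenced with `@`, so a failure inside the script surfaces only as make's exit status; echoing the target name before running it makes CI failures easier to read.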


@ -0,0 +1,212 @@
---
title: Standalone Operator Quick Start Evaluation Install [Experimental]
description: Instructions to install Istio in a Kubernetes cluster for evaluation.
weight: 11
keywords: [kubernetes, operator]
aliases:
---
This guide installs Istio using the standalone Istio operator. The only dependencies
required are a supported Kubernetes cluster and the `kubectl` command. This
installation method lets you quickly evaluate Istio in a Kubernetes cluster on
any platform using a variety of profiles.
To install Istio for production use, we recommend using the [Helm Installation guide](/docs/setup/install/helm/)
instead, which is a stable feature.
## Prerequisites
1. [Download the Istio release](/docs/setup/#downloading-the-release).
1. Perform any necessary [platform-specific setup](/docs/setup/platform-setup/).
1. Check the [Requirements for Pods and Services](/docs/setup/additional-setup/requirements/).
## Installation steps
1. Install Istio using the operator with the default profile:
{{< text bash >}}
$ kubectl apply -f https://preliminary.istio.io/operator.yaml
{{< /text >}}
1. (Optionally) change profiles from the default profile to one of the following profiles:
{{< tabset cookie-name="profile" >}}
{{< tab name="permissive mutual TLS" cookie-value="permissive" >}}
When using the [permissive mutual TLS mode](/docs/concepts/security/#permissive-mode), all services accept both plaintext and
mutual TLS traffic. Clients send plaintext traffic unless configured for
[mutual TLS migration](/docs/tasks/security/mtls-migration/).
Choose this profile for:
* Clusters with existing applications, or
* Applications where services with an Istio sidecar need to be able to
communicate with other non-Istio Kubernetes services
Run the following command to switch to this profile:
{{< text bash >}}
$ kubectl apply -f https://preliminary.istio.io/operator-profile-demo.yaml
{{< /text >}}
{{< /tab >}}
{{< tab name="strict mutual TLS" cookie-value="strict" >}}
This profile will enforce
[mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) between all clients and servers.
Use this profile only on a fresh Kubernetes cluster where all workloads will be Istio-enabled.
All newly deployed workloads will have Istio sidecars installed.
Run the following command to switch to this profile:
{{< text bash >}}
$ kubectl apply -f https://preliminary.istio.io/operator-profile-demo-auth.yaml
{{< /text >}}
{{< /tab >}}
{{< tab name="SDS" cookie-value="sds" >}}
This profile enables
[Secret Discovery Service](/docs/tasks/security/auth-sds) between all clients and servers.
Use this profile to enhance startup performance of services in the Kubernetes cluster. Additionally
improve security as Kubernetes secrets that contain known
[risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks) are not used.
Run the following command to switch to this profile:
{{< text bash >}}
$ kubectl apply -f https://preliminary.istio.io/operator-profile-sds.yaml
{{< /text >}}
{{< /tab >}}
{{< tab name="default" cookie-value="default" >}}
This profile enables Istio's default settings. This profile is installed during the first step.
Run the following command to switch to this profile:
{{< text bash >}}
$ kubectl apply -f https://preliminary.istio.io/operator-profile-default.yaml
{{< /text >}}
{{< /tab >}}
{{< tab name="minimal" cookie-value="minimal" >}}
This profile deploys a Istio's minimum components to function.
Run the following command to switch to this profile:
{{< text bash >}}
$ kubectl apply -f https://preliminary.istio.io/operator-profile-minimal.yaml
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
## Verifying the installation
{{< warning >}}
This document is a work in progress. Expect verification steps for each of the profiles to
vary from these verification steps. Inconsistencies will be resolved prior to the publishing of
Istio 1.4. Until that time, these verification steps only apply to the `profile-istio-demo.yaml` profile.
{{< /warning >}}
1. Ensure the following Kubernetes services are deployed and verify they all have an appropriate `CLUSTER-IP` except the `jaeger-agent` service:
{{< text bash >}}
$ kubectl get svc -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
grafana ClusterIP 172.21.211.123 <none> 3000/TCP 2m
istio-citadel ClusterIP 172.21.177.222 <none> 8060/TCP,15014/TCP 2m
istio-egressgateway ClusterIP 172.21.113.24 <none> 80/TCP,443/TCP,15443/TCP 2m
istio-galley ClusterIP 172.21.132.247 <none> 443/TCP,15014/TCP,9901/TCP 2m
istio-ingressgateway LoadBalancer 172.21.144.254 52.116.22.242 15020:31831/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:30318/TCP,15030:32645/TCP,15031:31933/TCP,15032:31188/TCP,15443:30838/TCP 2m
istio-pilot ClusterIP 172.21.105.205 <none> 15010/TCP,15011/TCP,8080/TCP,15014/TCP 2m
istio-policy ClusterIP 172.21.14.236 <none> 9091/TCP,15004/TCP,15014/TCP 2m
istio-sidecar-injector ClusterIP 172.21.155.47 <none> 443/TCP,15014/TCP 2m
istio-telemetry ClusterIP 172.21.196.79 <none> 9091/TCP,15004/TCP,15014/TCP,42422/TCP 2m
jaeger-agent ClusterIP None <none> 5775/UDP,6831/UDP,6832/UDP 2m
jaeger-collector ClusterIP 172.21.135.51 <none> 14267/TCP,14268/TCP 2m
jaeger-query ClusterIP 172.21.26.187 <none> 16686/TCP 2m
kiali ClusterIP 172.21.155.201 <none> 20001/TCP 2m
prometheus ClusterIP 172.21.63.159 <none> 9090/TCP 2m
tracing ClusterIP 172.21.2.245 <none> 80/TCP 2m
zipkin ClusterIP 172.21.182.245 <none> 9411/TCP 2m
{{< /text >}}
{{< tip >}}
If your cluster is running in an environment that does not
support an external load balancer (e.g., minikube), the
`EXTERNAL-IP` of `istio-ingressgateway` will say
`<pending>`. To access the gateway, use the service's
`NodePort`, or use port-forwarding instead.
{{< /tip >}}
1. Ensure corresponding Kubernetes pods are deployed and have a `STATUS` of `Running`:
{{< text bash >}}
$ kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
grafana-f8467cc6-rbjlg 1/1 Running 0 1m
istio-citadel-78df5b548f-g5cpw 1/1 Running 0 1m
istio-cleanup-secrets-release-1.1-20190308-09-16-8s2mp 0/1 Completed 0 2m
istio-egressgateway-78569df5c4-zwtb5 1/1 Running 0 1m
istio-galley-74d5f764fc-q7nrk 1/1 Running 0 1m
istio-grafana-post-install-release-1.1-20190308-09-16-2p7m5 0/1 Completed 0 2m
istio-ingressgateway-7ddcfd665c-dmtqz 1/1 Running 0 1m
istio-pilot-f479bbf5c-qwr28 2/2 Running 0 1m
istio-policy-6fccc5c868-xhblv 2/2 Running 2 1m
istio-security-post-install-release-1.1-20190308-09-16-bmfs4 0/1 Completed 0 2m
istio-sidecar-injector-78499d85b8-x44m6 1/1 Running 0 1m
istio-telemetry-78b96c6cb6-ldm9q 2/2 Running 2 1m
istio-tracing-69b5f778b7-s2zvw 1/1 Running 0 1m
kiali-99f7467dc-6rvwp 1/1 Running 0 1m
prometheus-67cdb66cbb-9w2hm 1/1 Running 0 1m
{{< /text >}}
## Deploy your application
You can now deploy your own application or one of the sample applications
provided with the installation like [Bookinfo](/docs/examples/bookinfo/).
{{< warning >}}
The application must use either the HTTP/1.1 or HTTP/2.0 protocols for all its HTTP
traffic; HTTP/1.0 is not supported.
{{< /warning >}}
When you deploy your application using `kubectl apply`,
the [Istio sidecar injector](/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection)
will automatically inject Envoy containers into your
application pods if they are started in namespaces labeled with `istio-injection=enabled`:
{{< text bash >}}
$ kubectl label namespace <namespace> istio-injection=enabled
$ kubectl create -n <namespace> -f <your-app-spec>.yaml
{{< /text >}}
In namespaces without the `istio-injection` label, you can use
[`istioctl kube-inject`](/docs/reference/commands/istioctl/#istioctl-kube-inject)
to manually inject Envoy containers in your application pods before deploying
them:
{{< text bash >}}
$ istioctl kube-inject -f <your-app-spec>.yaml | kubectl apply -f -
{{< /text >}}
## Uninstall
Delete the Istio Operator and Istio deployment:
{{< text bash >}}
$ kubectl -n istio-operator get IstioControlPlane example-istiocontrolplane -o=json | jq '.metadata.finalizers = null' | kubectl apply -f -
$ kubectl delete ns istio-operator --grace-period=0 --force
$ kubectl delete ns istio-system --grace-period=0 --force
{{< /text >}}
Please be aware that Istio's CRDs are leaked into the Kubernetes environment. This is intentional as to not
cause data loss of the user's Istio configuration.
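Review bot: the warning under "Verifying the installation" says the steps apply only to the `profile-istio-demo.yaml` profile, but no file of that name is introduced or referenced anywhere in this change; the permissive tab applies `operator-profile-demo.yaml`, so the warning should name that file, and since "demo" and "demo-auth" are presented under the titles "permissive mutual TLS" and "strict mutual TLS", the tab titles and the profile names should be cross-referenced once so readers can map one to the other. The intro states that the only dependencies are a cluster and `kubectl`, but the Uninstall step pipes through `jq`; either list `jq` under Prerequisites or drop the finalizer edit. That finalizer edit (`.metadata.finalizers = null`) also skips whatever cleanup the operator would perform on deletion, which is why `istio-system` then has to be force-deleted by hand; the text should say so, because a reader who skips the first line and deletes `istio-operator` first can be left with a namespace stuck in `Terminating` (the finalizer remains but the controller that would clear it is gone). Since `operator.yaml` creates a ClusterRole with `'*'` on secrets, namespaces and RBAC objects, the quick start should also tell evaluators to download and review the manifest before `kubectl apply` rather than apply it straight from the URL. Finally, the sample `kubectl get pods` output still shows `release-1.1-20190308` job names and an `istio-cleanup-secrets` job, which come from a 1.1 Helm install rather than this operator; refresh the listing from an actual operator install, and fix "deploys a Istio's minimum components" in the minimal tab.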

scripts/grab_operator_yamls.sh (Executable file, 68 lines)

@ -0,0 +1,68 @@
#!/bin/bash
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This scripts obtains the operator's yaml files and constructs them into
# one manifest. Additionally IstioControlPlane custom resources are generated
# for each of the profiles for easy switching between deployment modes.
# Find the output directory
scriptpath="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
rootdir=$(dirname "${scriptpath}")
output_dir="${rootdir}/static"
# Temporary directories securely created
tempdir_operator="$(mktemp -d)"
# Upstream GIT tags or branches used for the operator repo. The operator is
# currently only available as a master version. This will change when
# 1.4 is tagged.
operator_tag="master"
# Great care should be taken when modifying the ordering of this list. This
# script cats these files together in order with a yaml separator.
operator_manifest_files=( "deploy/namespace.yaml" "deploy/crds/istio_v1alpha2_istiocontrolplane_crd.yaml" "deploy/crds/istio_v1alpha2_istiocontrolplane_cr.yaml" "deploy/service_account.yaml" "deploy/clusterrole.yaml" "deploy/clusterrole_binding.yaml" "deploy/service.yaml" "deploy/operator.yaml" )
# Add profiles here to have them automatically added to the website.
# It is important to also document these files, which is not done automatically.
operator_profiles=( "default" "demo" "demo-auth" "sds" "minimal" )
rm -f "${output_dir}"/operator.yaml
touch "${output_dir}"/operator.yaml
echo "operator/*"
pushd "${tempdir_operator}" >/dev/null || exit
git clone -q --single-branch --branch "${operator_tag}" https://github.com/istio/operator.git
pushd operator >/dev/null || exit
git checkout -q "${operator_tag}"
# Generate the main manifest
for manifest_file in "${operator_manifest_files[@]}"
do
cat "${manifest_file}" >> "${output_dir}"/operator.yaml
echo "---" >> "${output_dir}"/operator.yaml
done
# Generate the profiles
for profile in "${operator_profiles[@]}"
do
cp deploy/crds/istio_v1alpha2_istiocontrolplane_cr.yaml "${output_dir}"/operator-profile-"${profile}".yaml
echo "---" >> "${output_dir}"/operator-profile-"${profile}".yaml
sed -i "s/profile: default/profile: ${profile}/g" "${output_dir}"/operator-profile-"${profile}".yaml
done
popd >/dev/null || exit
rm -rf "${tempdir_operator}" > /dev/null 2>&1
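Review bot: the script truncates `static/operator.yaml` (`rm -f`, `touch`) before the `git clone`, and runs without `set -e` or `set -o pipefail`, so a failed clone or checkout leaves an empty `operator.yaml` in the tree that the next `make` or commit would publish. Build into a file under `${tempdir_operator}` and `mv` it into `${output_dir}` only after both loops finish, and add `set -euo pipefail` at the top. Portability: `sed -i "s/.../.../g"` with no suffix argument is GNU syntax and fails on macOS/BSD sed, which requires `-i ''`; `sed "s/profile: default/profile: ${profile}/" deploy/crds/istio_v1alpha2_istiocontrolplane_cr.yaml > "${output_dir}/operator-profile-${profile}.yaml"` avoids the in-place flag and folds the `cp`-then-edit sequence into one step. Minor: `git checkout -q "${operator_tag}"` is redundant after `--branch "${operator_tag}"`; the stray `echo "operator/*"` prints a literal glob; and `operator_tag="master"` together with the `master-latest-daily` image it pulls in means the generated manifest changes under the docs on every run, so record the clone's `git rev-parse HEAD` in a comment at the top of the generated manifest until the tag is pinned.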


@ -0,0 +1,8 @@
apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
metadata:
namespace: istio-operator
name: example-istiocontrolplane
spec:
profile: default
---
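Review bot: this file and the four sibling `operator-profile-*.yaml` files are produced by `scripts/grab_operator_yamls.sh` (a copy of the upstream `istio_v1alpha2_istiocontrolplane_cr.yaml` with `profile:` rewritten), but nothing in the file says so, so a later hand edit would be silently overwritten by the next `make update_operator_yamls`; have the script prepend a `# Generated by scripts/grab_operator_yamls.sh; do not edit` line. All five files reuse `name: example-istiocontrolplane` in `istio-operator`, which is what makes `kubectl apply` of another profile an in-place switch rather than a second control plane; that deserves a comment, since the Uninstall step in the doc depends on that same name. The trailing `---` after a single document is harmless but unnecessary.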


@ -0,0 +1,8 @@
apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
metadata:
namespace: istio-operator
name: example-istiocontrolplane
spec:
profile: demo-auth
---


@ -0,0 +1,8 @@
apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
metadata:
namespace: istio-operator
name: example-istiocontrolplane
spec:
profile: demo
---


@ -0,0 +1,8 @@
apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
metadata:
namespace: istio-operator
name: example-istiocontrolplane
spec:
profile: minimal
---


@ -0,0 +1,8 @@
apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
metadata:
namespace: istio-operator
name: example-istiocontrolplane
spec:
profile: sds
---

static/operator.yaml (Normal file, 224 lines)

@ -0,0 +1,224 @@
apiVersion: v1
kind: Namespace
metadata:
name: istio-operator
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: istiocontrolplanes.install.istio.io
spec:
group: install.istio.io
names:
kind: IstioControlPlane
listKind: IstioControlPlaneList
plural: istiocontrolplanes
singular: istiocontrolplane
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
status:
type: object
versions:
- name: v1alpha2
served: true
storage: true
---
apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
metadata:
namespace: istio-operator
name: example-istiocontrolplane
spec:
profile: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: istio-operator
name: istio-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: istio-operator
rules:
- apiGroups:
- networking.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- rbac.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- config.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
verbs:
- '*'
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- '*'
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
verbs:
- '*'
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- '*'
- apiGroups:
- ""
resources:
- serviceaccounts
- pods
- services
- endpoints
- persistentvolumeclaims
- events
- configmaps
- secrets
- namespaces
verbs:
- '*'
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions.apiextensions.k8s.io
- customresourcedefinitions
verbs:
- '*'
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- create
- apiGroups:
- apps
resourceNames:
- istio-operator
resources:
- deployments/finalizers
verbs:
- update
- apiGroups:
- install.istio.io
resources:
- '*'
- istiocontrolplanes
verbs:
- '*'
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: istio-operator
subjects:
- kind: ServiceAccount
name: istio-operator
namespace: istio-operator
roleRef:
kind: ClusterRole
name: istio-operator
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Service
metadata:
namespace: istio-operator
labels:
name: istio-operator
name: istio-operator-metrics
spec:
ports:
- name: http-metrics
port: 8383
targetPort: 8383
selector:
name: istio-operator
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: istio-operator
name: istio-operator
spec:
replicas: 1
selector:
matchLabels:
name: istio-operator
template:
metadata:
labels:
name: istio-operator
spec:
serviceAccountName: istio-operator
containers:
- name: istio-operator
image: gcr.io/istio-testing/operator:master-latest-daily
command:
- istio-operator
- server
imagePullPolicy: Always
env:
- name: WATCH_NAMESPACE
value: ""
- name: LEADER_ELECTION_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: "istio-operator"
---
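Review bot: the Deployment runs `gcr.io/istio-testing/operator:master-latest-daily` with `imagePullPolicy: Always`, a floating tag from a testing registry, under a ClusterRole that grants `'*'` on `clusterroles` and `clusterrolebindings`, `secrets`, `serviceaccounts` and `namespaces` across all namespaces (`WATCH_NAMESPACE: ""`). Because `'*'` on RBAC objects includes the `bind` and `escalate` verbs, that service account can grant itself cluster-admin, so whoever can push to that image tag effectively controls any cluster that applies this quick start. For a published install manifest, pin the image to a release tag or digest, and trim the role: replace `'*'` on `clusterroles`/`clusterrolebindings` with the verbs the operator actually needs, and scope `secrets` to the namespaces it manages if the operator supports a narrower watch. Smaller cleanups in the same file: the `install.istio.io` rule lists both `'*'` and `istiocontrolplanes`, and the `apiextensions.k8s.io` rule lists `customresourcedefinitions` twice (once with the group suffix), so one entry each suffices; `creationTimestamp: null` is generator output and can go; the container has no `securityContext` or resource limits; and the `istio-operator-metrics` Service exposes port 8383 with nothing restricting who can scrape it.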