From d5482da0aa11d432c645de5d1471fae528c53285 Mon Sep 17 00:00:00 2001 From: Steven Dake Date: Tue, 15 Oct 2019 09:55:20 -0700 Subject: [PATCH] A compromise PR of a long original work (#5146) * A compromise PR of a long original work See PR: https://github.com/istio/istio.io/pull/5142 Pretty much everything about this PR is compromised... * Apply reviewer comments. --- Makefile.core.mk | 3 + .../install/standalone-operator/index.md | 212 +++++++++++++++++ scripts/grab_operator_yamls.sh | 68 ++++++ static/operator-profile-default.yaml | 8 + static/operator-profile-demo-auth.yaml | 8 + static/operator-profile-demo.yaml | 8 + static/operator-profile-minimal.yaml | 8 + static/operator-profile-sds.yaml | 8 + static/operator.yaml | 224 ++++++++++++++++++ 9 files changed, 547 insertions(+) create mode 100644 content/en/docs/setup/install/standalone-operator/index.md create mode 100755 scripts/grab_operator_yamls.sh create mode 100644 static/operator-profile-default.yaml create mode 100644 static/operator-profile-demo-auth.yaml create mode 100644 static/operator-profile-demo.yaml create mode 100644 static/operator-profile-minimal.yaml create mode 100644 static/operator-profile-sds.yaml create mode 100644 static/operator.yaml diff --git a/Makefile.core.mk b/Makefile.core.mk index 7a5c3e581f..7d374680f9 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -57,4 +57,7 @@ archive: update_ref_docs: @scripts/grab_reference_docs.sh +update_operator_yamls: + @scripts/grab_operator_yamls.sh + include common/Makefile.common.mk diff --git a/content/en/docs/setup/install/standalone-operator/index.md b/content/en/docs/setup/install/standalone-operator/index.md new file mode 100644 index 0000000000..566b2119ce --- /dev/null +++ b/content/en/docs/setup/install/standalone-operator/index.md 
@@ -0,0 +1,212 @@ +--- +title: Standalone Operator Quick Start Evaluation Install [Experimental] +description: Instructions to install Istio in a Kubernetes cluster for evaluation. +weight: 11 +keywords: [kubernetes, operator] +aliases: +--- + +This guide installs Istio using the standalone Istio operator. The only dependencies +required are a supported Kubernetes cluster and the `kubectl` command. This +installation method lets you quickly evaluate Istio in a Kubernetes cluster on +any platform using a variety of profiles. + +To install Istio for production use, we recommend using the [Helm Installation guide](/docs/setup/install/helm/) +instead, which is a stable feature. + +## Prerequisites + +1. [Download the Istio release](/docs/setup/#downloading-the-release). + +1. Perform any necessary [platform-specific setup](/docs/setup/platform-setup/). + +1. Check the [Requirements for Pods and Services](/docs/setup/additional-setup/requirements/). + +## Installation steps + +1. Install Istio using the operator with the default profile: + + {{< text bash >}} + $ kubectl apply -f https://preliminary.istio.io/operator.yaml + {{< /text >}} + +1. (Optionally) change profiles from the default profile to one of the following profiles: + +{{< tabset cookie-name="profile" >}} + +{{< tab name="permissive mutual TLS" cookie-value="permissive" >}} +When using the [permissive mutual TLS mode](/docs/concepts/security/#permissive-mode), all services accept both plaintext and +mutual TLS traffic. Clients send plaintext traffic unless configured for +[mutual TLS migration](/docs/tasks/security/mtls-migration/). 
+ +Choose this profile for: + +* Clusters with existing applications, or +* Applications where services with an Istio sidecar need to be able to + communicate with other non-Istio Kubernetes services + +Run the following command to switch to this profile: + +{{< text bash >}} +$ kubectl apply -f https://preliminary.istio.io/operator-profile-demo.yaml +{{< /text >}} + +{{< /tab >}} + +{{< tab name="strict mutual TLS" cookie-value="strict" >}} +This profile will enforce +[mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) between all clients and servers. + +Use this profile only on a fresh Kubernetes cluster where all workloads will be Istio-enabled. +All newly deployed workloads will have Istio sidecars installed. + +Run the following command to switch to this profile: + +{{< text bash >}} +$ kubectl apply -f https://preliminary.istio.io/operator-profile-demo-auth.yaml +{{< /text >}} + +{{< /tab >}} + +{{< tab name="SDS" cookie-value="sds" >}} +This profile enables +[Secret Discovery Service](/docs/tasks/security/auth-sds) between all clients and servers. + +Use this profile to enhance startup performance of services in the Kubernetes cluster. Additionally +improve security as Kubernetes secrets that contain known +[risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks) are not used. + +Run the following command to switch to this profile: + +{{< text bash >}} +$ kubectl apply -f https://preliminary.istio.io/operator-profile-sds.yaml +{{< /text >}} + +{{< /tab >}} + +{{< tab name="default" cookie-value="default" >}} +This profile enables Istio's default settings. This profile is installed during the first step. + +Run the following command to switch to this profile: + +{{< text bash >}} +$ kubectl apply -f https://preliminary.istio.io/operator-profile-default.yaml +{{< /text >}} + +{{< /tab >}} + +{{< tab name="minimal" cookie-value="minimal" >}} +This profile deploys a Istio's minimum components to function. 
+ +Run the following command to switch to this profile: + +{{< text bash >}} +$ kubectl apply -f https://preliminary.istio.io/operator-profile-minimal.yaml +{{< /text >}} + +{{< /tab >}} + +{{< /tabset >}} + +## Verifying the installation + +{{< warning >}} +This document is a work in progress. Expect verification steps for each of the profiles to +vary from these verification steps. Inconsistencies will be resolved prior to the publishing of +Istio 1.4. Until that time, these verification steps only apply to the `profile-istio-demo.yaml` profile. +{{< /warning >}} + +1. Ensure the following Kubernetes services are deployed and verify they all have an appropriate `CLUSTER-IP` except the `jaeger-agent` service: + + {{< text bash >}} + $ kubectl get svc -n istio-system + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + grafana ClusterIP 172.21.211.123 3000/TCP 2m + istio-citadel ClusterIP 172.21.177.222 8060/TCP,15014/TCP 2m + istio-egressgateway ClusterIP 172.21.113.24 80/TCP,443/TCP,15443/TCP 2m + istio-galley ClusterIP 172.21.132.247 443/TCP,15014/TCP,9901/TCP 2m + istio-ingressgateway LoadBalancer 172.21.144.254 52.116.22.242 15020:31831/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:30318/TCP,15030:32645/TCP,15031:31933/TCP,15032:31188/TCP,15443:30838/TCP 2m + istio-pilot ClusterIP 172.21.105.205 15010/TCP,15011/TCP,8080/TCP,15014/TCP 2m + istio-policy ClusterIP 172.21.14.236 9091/TCP,15004/TCP,15014/TCP 2m + istio-sidecar-injector ClusterIP 172.21.155.47 443/TCP,15014/TCP 2m + istio-telemetry ClusterIP 172.21.196.79 9091/TCP,15004/TCP,15014/TCP,42422/TCP 2m + jaeger-agent ClusterIP None 5775/UDP,6831/UDP,6832/UDP 2m + jaeger-collector ClusterIP 172.21.135.51 14267/TCP,14268/TCP 2m + jaeger-query ClusterIP 172.21.26.187 16686/TCP 2m + kiali ClusterIP 172.21.155.201 20001/TCP 2m + prometheus ClusterIP 172.21.63.159 9090/TCP 2m + tracing ClusterIP 172.21.2.245 80/TCP 2m + zipkin ClusterIP 172.21.182.245 9411/TCP 2m + {{< /text >}} + + {{< tip >}} + If your 
cluster is running in an environment that does not + support an external load balancer (e.g., minikube), the + `EXTERNAL-IP` of `istio-ingressgateway` will say + ``. To access the gateway, use the service's + `NodePort`, or use port-forwarding instead. + {{< /tip >}} + +1. Ensure corresponding Kubernetes pods are deployed and have a `STATUS` of `Running`: + + {{< text bash >}} + $ kubectl get pods -n istio-system + NAME READY STATUS RESTARTS AGE + grafana-f8467cc6-rbjlg 1/1 Running 0 1m + istio-citadel-78df5b548f-g5cpw 1/1 Running 0 1m + istio-cleanup-secrets-release-1.1-20190308-09-16-8s2mp 0/1 Completed 0 2m + istio-egressgateway-78569df5c4-zwtb5 1/1 Running 0 1m + istio-galley-74d5f764fc-q7nrk 1/1 Running 0 1m + istio-grafana-post-install-release-1.1-20190308-09-16-2p7m5 0/1 Completed 0 2m + istio-ingressgateway-7ddcfd665c-dmtqz 1/1 Running 0 1m + istio-pilot-f479bbf5c-qwr28 2/2 Running 0 1m + istio-policy-6fccc5c868-xhblv 2/2 Running 2 1m + istio-security-post-install-release-1.1-20190308-09-16-bmfs4 0/1 Completed 0 2m + istio-sidecar-injector-78499d85b8-x44m6 1/1 Running 0 1m + istio-telemetry-78b96c6cb6-ldm9q 2/2 Running 2 1m + istio-tracing-69b5f778b7-s2zvw 1/1 Running 0 1m + kiali-99f7467dc-6rvwp 1/1 Running 0 1m + prometheus-67cdb66cbb-9w2hm 1/1 Running 0 1m + {{< /text >}} + +## Deploy your application + +You can now deploy your own application or one of the sample applications +provided with the installation like [Bookinfo](/docs/examples/bookinfo/). + +{{< warning >}} +The application must use either the HTTP/1.1 or HTTP/2.0 protocols for all its HTTP +traffic; HTTP/1.0 is not supported. 
+{{< /warning >}} + +When you deploy your application using `kubectl apply`, +the [Istio sidecar injector](/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) +will automatically inject Envoy containers into your +application pods if they are started in namespaces labeled with `istio-injection=enabled`: + +{{< text bash >}} +$ kubectl label namespace istio-injection=enabled +$ kubectl create -n -f .yaml +{{< /text >}} + +In namespaces without the `istio-injection` label, you can use +[`istioctl kube-inject`](/docs/reference/commands/istioctl/#istioctl-kube-inject) +to manually inject Envoy containers in your application pods before deploying +them: + +{{< text bash >}} +$ istioctl kube-inject -f .yaml | kubectl apply -f - +{{< /text >}} + +## Uninstall + +Delete the Istio Operator and Istio deployment: + +{{< text bash >}} +$ kubectl -n istio-operator get IstioControlPlane example-istiocontrolplane -o=json | jq '.metadata.finalizers = null' | kubectl apply -f - +$ kubectl delete ns istio-operator --grace-period=0 --force +$ kubectl delete ns istio-system --grace-period=0 --force +{{< /text >}} + +Please be aware that Istio's CRDs are leaked into the Kubernetes environment. This is intentional as to not +cause data loss of the user's Istio configuration. diff --git a/scripts/grab_operator_yamls.sh b/scripts/grab_operator_yamls.sh new file mode 100755 index 0000000000..76f0941a29 --- /dev/null +++ b/scripts/grab_operator_yamls.sh 
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This scripts obtains the operator's yaml files and constructs them into
+# one manifest. Additionally IstioControlPlane custom resources are generated
+# for each of the profiles for easy switching between deployment modes.
+
+# Find the output directory
+scriptpath="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+rootdir=$(dirname "${scriptpath}")
+output_dir="${rootdir}/static"
+
+# Temporary directories securely created
+tempdir_operator="$(mktemp -d)"
+
+# Upstream GIT tags or branches used for the operator repo. The operator is
+# currently only available as a master version. This will change when
+# 1.4 is tagged.
+operator_tag="master"
+
+# Great care should be taken when modifying the ordering of this list. This
+# script cats these files together in order with a yaml separator.
+
+operator_manifest_files=( "deploy/namespace.yaml" "deploy/crds/istio_v1alpha2_istiocontrolplane_crd.yaml" "deploy/crds/istio_v1alpha2_istiocontrolplane_cr.yaml" "deploy/service_account.yaml" "deploy/clusterrole.yaml" "deploy/clusterrole_binding.yaml" "deploy/service.yaml" "deploy/operator.yaml" )
+
+# Add profiles here to have them automatically added to the website.
+# It is important to also document these files, which is not done automatically.
+
+operator_profiles=( "default" "demo" "demo-auth" "sds" "minimal" )
+
+rm -f "${output_dir}"/operator.yaml
+touch "${output_dir}"/operator.yaml
+echo "operator/*"
+pushd "${tempdir_operator}" >/dev/null || exit
+git clone -q --single-branch --branch "${operator_tag}" https://github.com/istio/operator.git
+pushd operator >/dev/null || exit
+git checkout -q "${operator_tag}"
+
+# Generate the main manifest
+for manifest_file in "${operator_manifest_files[@]}"
+do
+ cat "${manifest_file}" >> "${output_dir}"/operator.yaml
+ echo "---" >> "${output_dir}"/operator.yaml
+done
+
+# Generate the profiles
+for profile in "${operator_profiles[@]}"
+do
+ cp deploy/crds/istio_v1alpha2_istiocontrolplane_cr.yaml "${output_dir}"/operator-profile-"${profile}".yaml
+ echo "---" >> "${output_dir}"/operator-profile-"${profile}".yaml
+ sed -i "s/profile: default/profile: ${profile}/g" "${output_dir}"/operator-profile-"${profile}".yaml
+done
+
+popd >/dev/null || exit
+rm -rf "${tempdir_operator}" > /dev/null 2>&1
diff --git a/static/operator-profile-default.yaml b/static/operator-profile-default.yaml
new file mode 100644
index 0000000000..1f3f06ea22
--- /dev/null
+++ b/static/operator-profile-default.yaml
@@ -0,0 +1,8 @@
+apiVersion: install.istio.io/v1alpha2
+kind: IstioControlPlane
+metadata:
+ namespace: istio-operator
+ name: example-istiocontrolplane
+spec:
+ profile: default
+---
diff --git a/static/operator-profile-demo-auth.yaml b/static/operator-profile-demo-auth.yaml
new file mode 100644
index 0000000000..f3b97eff62
--- /dev/null
+++ b/static/operator-profile-demo-auth.yaml
@@ -0,0 +1,8 @@
+apiVersion: install.istio.io/v1alpha2
+kind: IstioControlPlane
+metadata:
+ namespace: istio-operator
+ name: example-istiocontrolplane
+spec:
+ profile: demo-auth
+---
diff --git a/static/operator-profile-demo.yaml b/static/operator-profile-demo.yaml
new file mode 100644
index 0000000000..a8c70776d3
--- /dev/null
+++ b/static/operator-profile-demo.yaml
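Review bot: The script never enables `set -e`, so when `cat "${manifest_file}" >> "${output_dir}"/operator.yaml` fails on a missing or renamed upstream file the loop keeps going and a truncated `operator.yaml` is left in `static/` ready to be published; add `set -euo pipefail` directly after the shebang so a failed clone, cat or sed aborts the run instead of producing a partial manifest. The `echo "operator/*"` line looks like leftover debug output and should be removed. Because the generated files are what users `kubectl apply` straight from the website, `operator_tag="master"` means every regeneration silently tracks an unreviewed upstream HEAD; pinning `operator_tag` to a release tag or commit SHA (as the comment above it already anticipates for 1.4) and writing the checked-out commit into a header comment of the generated manifest would make the published artifact reproducible and auditable. The `git checkout -q "${operator_tag}"` after a `--single-branch --branch` clone is redundant and can be dropped.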
@@ -0,0 +1,8 @@ +apiVersion: install.istio.io/v1alpha2 +kind: IstioControlPlane +metadata: + namespace: istio-operator + name: example-istiocontrolplane +spec: + profile: demo +--- diff --git a/static/operator-profile-minimal.yaml b/static/operator-profile-minimal.yaml new file mode 100644 index 0000000000..4b5c9dae37 --- /dev/null +++ b/static/operator-profile-minimal.yaml @@ -0,0 +1,8 @@ +apiVersion: install.istio.io/v1alpha2 +kind: IstioControlPlane +metadata: + namespace: istio-operator + name: example-istiocontrolplane +spec: + profile: minimal +--- diff --git a/static/operator-profile-sds.yaml b/static/operator-profile-sds.yaml new file mode 100644 index 0000000000..d3a047ee2a --- /dev/null +++ b/static/operator-profile-sds.yaml @@ -0,0 +1,8 @@ +apiVersion: install.istio.io/v1alpha2 +kind: IstioControlPlane +metadata: + namespace: istio-operator + name: example-istiocontrolplane +spec: + profile: sds +--- diff --git a/static/operator.yaml b/static/operator.yaml new file mode 100644 index 0000000000..ddc7ad3c33 --- /dev/null +++ b/static/operator.yaml 
@@ -0,0 +1,224 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: istio-operator +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: istiocontrolplanes.install.istio.io +spec: + group: install.istio.io + names: + kind: IstioControlPlane + listKind: IstioControlPlaneList + plural: istiocontrolplanes + singular: istiocontrolplane + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + status: + type: object + versions: + - name: v1alpha2 + served: true + storage: true +--- +apiVersion: install.istio.io/v1alpha2 +kind: IstioControlPlane +metadata: + namespace: istio-operator + name: example-istiocontrolplane +spec: + profile: default +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: istio-operator + name: istio-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: istio-operator +rules: +- apiGroups: + - networking.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - rbac.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - config.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + verbs: + - '*' +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - '*' +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - '*' +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' +- apiGroups: + - "" + resources: + - serviceaccounts + - pods + - services + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + - namespaces + verbs: + - '*' +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions.apiextensions.k8s.io + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - apps + resourceNames: + - istio-operator + resources: + - deployments/finalizers + verbs: + - update +- apiGroups: + - install.istio.io + resources: + - '*' + - 
istiocontrolplanes + verbs: + - '*' +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: istio-operator +subjects: +- kind: ServiceAccount + name: istio-operator + namespace: istio-operator +roleRef: + kind: ClusterRole + name: istio-operator + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: v1 +kind: Service +metadata: + namespace: istio-operator + labels: + name: istio-operator + name: istio-operator-metrics +spec: + ports: + - name: http-metrics + port: 8383 + targetPort: 8383 + selector: + name: istio-operator +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: istio-operator + name: istio-operator +spec: + replicas: 1 + selector: + matchLabels: + name: istio-operator + template: + metadata: + labels: + name: istio-operator + spec: + serviceAccountName: istio-operator + containers: + - name: istio-operator + image: gcr.io/istio-testing/operator:master-latest-daily + command: + - istio-operator + - server + imagePullPolicy: Always + env: + - name: WATCH_NAMESPACE + value: "" + - name: LEADER_ELECTION_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: "istio-operator" +---
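Review bot: The Deployment at the end of the hunk runs `gcr.io/istio-testing/operator:master-latest-daily` with `imagePullPolicy: Always`, so every pod restart pulls whatever the testing registry currently serves under that floating tag, and it does so bound to a ClusterRole whose rules grant `'*'` verbs on `secrets`, `clusterroles`, `clusterrolebindings`, `mutatingwebhookconfigurations` and `customresourcedefinitions` — enough for the operator (or anything that compromises its image) to bind itself cluster-admin. Since the install page tells users to `kubectl apply` this file directly from the website, the image reference should be pinned to a release tag or, better, an immutable `@sha256:` digest, and the ClusterRole should be narrowed to the verbs the operator actually needs (the `servicemonitors` rule already shows the narrower form). At minimum a header comment such as `# Grants cluster-wide write access to secrets, RBAC and admission webhooks; evaluation only, do not apply to shared or production clusters.` should precede the ClusterRole so the privilege level is visible to whoever applies it. This file is assembled from upstream by scripts/grab_operator_yamls.sh, so the fix belongs upstream or in that script rather than in a hand edit of static/.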