istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Tweak line wrappings in integrations (#13525)

This commit is contained in:
Michael 2023-07-09 08:25:35 +08:00 committed by GitHub
parent 45099342bd
commit db22487bf3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 100 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
content/en/docs/ops/integrations/certmanager/index.md
View File

@ -10,17 +10,23 @@ owner: istio/wg-environments-maintainers
test: no
---
[cert-manager](https://cert-manager.io/) is a tool that automates certificate management. This can be integrated with Istio gateways to manage TLS certificates.
[cert-manager](https://cert-manager.io/) is a tool that automates certificate management.
This can be integrated with Istio gateways to manage TLS certificates.
## Configuration
Consult the [cert-manager installation documentation](https://cert-manager.io/docs/installation/kubernetes/) to get started. No special changes are needed to work with Istio.
Consult the [cert-manager installation documentation](https://cert-manager.io/docs/installation/kubernetes/)
to get started. No special changes are needed to work with Istio.
## Usage
### Istio Gateway
cert-manager can be used to write a secret to Kubernetes, which can then be referenced by a Gateway. To get started, configure a `Certificate` resource, following the [cert-manager documentation](https://cert-manager.io/docs/usage/certificate/). The `Certificate` should be created in the same namespace as the `istio-ingressgateway` deployment. For example, a `Certificate` may look like:
cert-manager can be used to write a secret to Kubernetes, which can then be referenced by a Gateway.
To get started, configure a `Certificate` resource, following the
[cert-manager documentation](https://cert-manager.io/docs/usage/certificate/).
The `Certificate` should be created in the same namespace as the `istio-ingressgateway` deployment.
For example, a `Certificate` may look like:
{{< text yaml >}}
apiVersion: cert-manager.io/v1
@ -36,7 +42,8 @@ spec:
...
{{< /text >}}
Once we have the certificate created, we should see the secret created in the `istio-system` namespace. This can then be referenced in the `tls` config for a Gateway under `credentialName`:
Once we have the certificate created, we should see the secret created in the `istio-system` namespace.
This can then be referenced in the `tls` config for a Gateway under `credentialName`:
{{< text yaml >}}
apiVersion: networking.istio.io/v1alpha3
@ -60,9 +67,13 @@ spec:
### Kubernetes Ingress
cert-manager provides direct integration with Kubernetes Ingress by configuring an [annotation on the Ingress object](https://cert-manager.io/docs/usage/ingress/). If this method is used, the Ingress must reside in the same namespace as the `istio-ingressgateway` deployment, as secrets will only be read within the same namespace.
cert-manager provides direct integration with Kubernetes Ingress by configuring an
[annotation on the Ingress object](https://cert-manager.io/docs/usage/ingress/).
If this method is used, the Ingress must reside in the same namespace as the
`istio-ingressgateway` deployment, as secrets will only be read within the same namespace.
Alternatively, a `Certificate` can be created as described in [Istio Gateway](#istio-gateway), then referenced in the `Ingress` object:
Alternatively, a `Certificate` can be created as described in [Istio Gateway](#istio-gateway),
then referenced in the `Ingress` object:
{{< text yaml >}}
apiVersion: networking.k8s.io/v1beta1

23
content/en/docs/ops/integrations/grafana/index.md
View File

@ -7,11 +7,14 @@ owner: istio/wg-environments-maintainers
test: no
---
[Grafana](https://grafana.com/) is an open source monitoring solution that can be used to configure dashboards for Istio. You can use Grafana to monitor the health of Istio and of applications within the service mesh.
[Grafana](https://grafana.com/) is an open source monitoring solution that can be
used to configure dashboards for Istio. You can use Grafana to monitor the health
of Istio and of applications within the service mesh.
## Configuration
While you can build your own dashboards, Istio offers a set of preconfigured dashboards for all of the most important metrics for the mesh and for the control plane.
While you can build your own dashboards, Istio offers a set of preconfigured dashboards
for all of the most important metrics for the mesh and for the control plane.
* [Mesh Dashboard](https://grafana.com/grafana/dashboards/7639) provides an overview of all services in the mesh.
* [Service Dashboard](https://grafana.com/grafana/dashboards/7636) provides a detailed breakdown of metrics for a service.
@ -23,17 +26,21 @@ There are a few ways to configure Grafana to use these dashboards:
### Option 1: Quick start
Istio provides a basic sample installation to quickly get Grafana up and running, bundled with all of the Istio dashboards already installed:
Istio provides a basic sample installation to quickly get Grafana up and running,
bundled with all of the Istio dashboards already installed:
{{< text bash >}}
$ kubectl apply -f {{< github_file >}}/samples/addons/grafana.yaml
{{< /text >}}
This will deploy Grafana into your cluster. This is intended for demonstration only, and is not tuned for performance or security.
This will deploy Grafana into your cluster. This is intended for demonstration only,
and is not tuned for performance or security.
### Option 2: Import from `grafana.com` into an existing deployment
To quickly import the Istio dashboards to an existing Grafana instance, you can use the [**Import** button in the Grafana UI](https://grafana.com/docs/grafana/latest/reference/export_import/#importing-a-dashboard) to add the dashboard links above. When you import the dashboards, note that you must select a Prometheus data source.
To quickly import the Istio dashboards to an existing Grafana instance, you can use the
[**Import** button in the Grafana UI](https://grafana.com/docs/grafana/latest/reference/export_import/#importing-a-dashboard)
to add the dashboard links above. When you import the dashboards, note that you must select a Prometheus data source.
You can also use a script to import all dashboards at once. For example:
@ -63,12 +70,14 @@ $ done
{{< /text >}}
{{< tip >}}
A new revision of the dashboards is created for each version of Istio. To ensure compatibility, it is recommended that you select the appropriate revision for the Istio version you are deploying.
A new revision of the dashboards is created for each version of Istio. To ensure compatibility,
it is recommended that you select the appropriate revision for the Istio version you are deploying.
{{< /tip >}}
### Option 3: Implementation-specific methods
Grafana can be installed and configured through other methods. To import Istio dashboards, refer to the documentation for the installation method. For example:
Grafana can be installed and configured through other methods. To import Istio dashboards,
refer to the documentation for the installation method. For example:
* [Grafana provisioning](https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards) official documentation.
* [Importing dashboards](https://github.com/helm/charts/tree/master/stable/grafana#import-dashboards) for the `stable/grafana` Helm chart.

17
content/en/docs/ops/integrations/jaeger/index.md
View File

@ -9,7 +9,8 @@ test: n/a
{{< boilerplate telemetry-tracing-tips >}}
[Jaeger](https://www.jaegertracing.io/) is an open source end to end distributed tracing system, allowing users to monitor and troubleshoot transactions in complex distributed systems.
[Jaeger](https://www.jaegertracing.io/) is an open source end to end distributed tracing system,
allowing users to monitor and troubleshoot transactions in complex distributed systems.
## Installation
@ -21,14 +22,20 @@ Istio provides a basic sample installation to quickly get Jaeger up and running:
$ kubectl apply -f {{< github_file >}}/samples/addons/jaeger.yaml
{{< /text >}}
This will deploy Jaeger into your cluster. This is intended for demonstration only, and is not tuned for performance or security.
This will deploy Jaeger into your cluster. This is intended for demonstration only,
and is not tuned for performance or security.
### Option 2: Customizable install
Consult the [Jaeger documentation](https://www.jaegertracing.io/) to get started. No special changes are needed for Jaeger to work with Istio.
Consult the [Jaeger documentation](https://www.jaegertracing.io/) to get started.
No special changes are needed for Jaeger to work with Istio.
Once Jaeger is installed, you will need to point Istio proxies to send traces to the deployment. This can be configured with `--set meshConfig.defaultConfig.tracing.zipkin.address=<jaeger-collector-address>:9411` at installation time. See the [`ProxyConfig.Tracing`](/docs/reference/config/istio.mesh.v1alpha1/#Tracing) for advanced configuration such as TLS settings.
Once Jaeger is installed, you will need to point Istio proxies to send traces to the deployment.
This can be configured with `--set meshConfig.defaultConfig.tracing.zipkin.address=<jaeger-collector-address>:9411`
at installation time. See the [`ProxyConfig.Tracing`](/docs/reference/config/istio.mesh.v1alpha1/#Tracing)
for advanced configuration such as TLS settings.
## Usage
For more information on using Jaeger, please refer to the [Jaeger task](/docs/tasks/observability/distributed-tracing/jaeger/).
For more information on using Jaeger, please refer to the
[Jaeger task](/docs/tasks/observability/distributed-tracing/jaeger/).

4
content/en/docs/ops/integrations/kiali/index.md
View File

@ -32,7 +32,9 @@ authentication strategy other than `anonymous`.
### Option 2: Customizable install
The Kiali project offers its own [quick start guide](https://kiali.io/docs/installation/quick-start) and [customizable installation methods](https://kiali.io/docs/installation/installation-guide). We recommend production users follow those instructions to ensure they stay up to date with the latest versions and best practices.
The Kiali project offers its own [quick start guide](https://kiali.io/docs/installation/quick-start)
and [customizable installation methods](https://kiali.io/docs/installation/installation-guide).
We recommend production users follow those instructions to ensure they stay up to date with the latest versions and best practices.
## Usage

13
content/en/docs/ops/integrations/loadbalancers/index.md
View File

@ -7,7 +7,10 @@ owner: istio/wg-networking-maintainers
test: n/a
---
Istio provides both an ingress and service mesh implementation, which can be used together or separately. While these are designed to work together seamlessly, there are times when integrating with a third party ingress is required. This could be for migration purposes, feature requirements, or personal preferences.
Istio provides both an ingress and service mesh implementation, which can be used
together or separately. While these are designed to work together seamlessly, there
are times when integrating with a third party ingress is required. This could be
for migration purposes, feature requirements, or personal preferences.
## Integration Modes
@ -49,10 +52,12 @@ Vendor specific configuration is required to support chained mode or standalone
### Google HTTP(S) Load Balancer
Integration with Google HTTP(S) Load Balancers only works out of the box with standalone mode if mTLS is not required as
mTLS is not supported.
Integration with Google HTTP(S) Load Balancers only works out of the box with standalone mode
if mTLS is not required as mTLS is not supported.
Chained mode is possible. See [Google documentation](https://cloud.google.com/architecture/exposing-service-mesh-apps-through-gke-ingress) for setup instructions.
Chained mode is possible. See
[Google documentation](https://cloud.google.com/architecture/exposing-service-mesh-apps-through-gke-ingress)
for setup instructions.
## In-Cluster Load Balancers

57
content/en/docs/ops/integrations/prometheus/index.md
View File

@ -7,7 +7,10 @@ owner: istio/wg-environments-maintainers
test: n/a
---
[Prometheus](https://prometheus.io/) is an open source monitoring system and time series database. You can use Prometheus with Istio to record metrics that track the health of Istio and of applications within the service mesh. You can visualize metrics using tools like [Grafana](/docs/ops/integrations/grafana/) and [Kiali](/docs/tasks/observability/kiali/).
[Prometheus](https://prometheus.io/) is an open source monitoring system and time series database.
You can use Prometheus with Istio to record metrics that track the health of Istio and of
applications within the service mesh. You can visualize metrics using tools like
[Grafana](/docs/ops/integrations/grafana/) and [Kiali](/docs/tasks/observability/kiali/).
## Installation
@ -30,11 +33,16 @@ to identify trends and differences in traffic over time, access to historical da
### Option 2: Customizable install
Consult the [Prometheus documentation](https://www.prometheus.io/) to get started deploying Prometheus into your environment. See [Configuration](#configuration) for more information on configuring Prometheus to scrape Istio deployments.
Consult the [Prometheus documentation](https://www.prometheus.io/) to get started
deploying Prometheus into your environment. See [Configuration](#configuration)
for more information on configuring Prometheus to scrape Istio deployments.
## Configuration
In an Istio mesh, each component exposes an endpoint that emits metrics. Prometheus works by scraping these endpoints and collecting the results. This is configured through the [Prometheus configuration file](https://prometheus.io/docs/prometheus/latest/configuration/configuration/) which controls settings for which endpoints to query, the port and path to query, TLS settings, and more.
In an Istio mesh, each component exposes an endpoint that emits metrics. Prometheus works
by scraping these endpoints and collecting the results. This is configured through the
[Prometheus configuration file](https://prometheus.io/docs/prometheus/latest/configuration/configuration/)
which controls settings for which endpoints to query, the port and path to query, TLS settings, and more.
To gather metrics for the entire mesh, configure Prometheus to scrape:
@ -47,20 +55,30 @@ To simplify the configuration of metrics, Istio offers two modes of operation.
### Option 1: Metrics merging
To simplify configuration, Istio has the ability to control scraping entirely by `prometheus.io` annotations. This allows Istio scraping to work out of the box with standard configurations such as the ones provided by the [Helm `stable/prometheus`](https://github.com/helm/charts/tree/master/stable/prometheus) charts.
To simplify configuration, Istio has the ability to control scraping entirely by
`prometheus.io` annotations. This allows Istio scraping to work out of the box with
standard configurations such as the ones provided by the
[Helm `stable/prometheus`](https://github.com/helm/charts/tree/master/stable/prometheus) charts.
{{< tip >}}
While `prometheus.io` annotations are not a core part of Prometheus, they have become the de facto standard to configure scraping.
While `prometheus.io` annotations are not a core part of Prometheus,
they have become the de facto standard to configure scraping.
{{< /tip >}}
This option is enabled by default but can be disabled by passing `--set meshConfig.enablePrometheusMerge=false` during [installation](/docs/setup/install/istioctl/). When enabled, appropriate `prometheus.io` annotations will be added to all data plane pods to set up scraping. If these annotations already exist, they will be overwritten. With this option, the Envoy sidecar will merge Istio's metrics with the application metrics. The merged metrics will be scraped from `:15020/stats/prometheus`.
This option is enabled by default but can be disabled by passing
`--set meshConfig.enablePrometheusMerge=false` during [installation](/docs/setup/install/istioctl/).
When enabled, appropriate `prometheus.io` annotations will be added to all data plane pods to set up scraping.
If these annotations already exist, they will be overwritten. With this option, the Envoy sidecar will
merge Istio's metrics with the application metrics. The merged metrics will be scraped from `:15020/stats/prometheus`.
This option exposes all the metrics in plain text.
This feature may not suit your needs in the following situations:
* You need to scrape metrics using TLS.
* Your application exposes metrics with the same names as Istio metrics. For example, your application metrics expose an `istio_requests_total` metric. This might happen if the application is itself running Envoy.
* Your application exposes metrics with the same names as Istio metrics. For example,
your application metrics expose an `istio_requests_total` metric.
This might happen if the application is itself running Envoy.
* Your Prometheus deployment is not configured to scrape based on standard `prometheus.io` annotations.
If required, this feature can be disabled per workload by adding a `prometheus.istio.io/merge-metrics: "false"` annotation on a pod.
@ -84,7 +102,8 @@ To configure an existing Prometheus instance to scrape stats generated by Istio,
regex: istiod;http-monitoring
{{< /text >}}
* To scrape Envoy stats, including sidecar proxies and gateway proxies, the following job can be added to scrape ports that end with `-envoy-prom`:
* To scrape Envoy stats, including sidecar proxies and gateway proxies,
the following job can be added to scrape ports that end with `-envoy-prom`:
{{< text yaml >}}
- job_name: 'envoy-stats'
@ -98,14 +117,21 @@ To configure an existing Prometheus instance to scrape stats generated by Istio,
regex: '.*-envoy-prom'
{{< /text >}}
* For application stats, if [Strict mTLS](/docs/tasks/security/authentication/authn-policy/#globally-enabling-istio-mutual-tls-in-strict-mode) is not enabled, your existing scraping configuration should still work. Otherwise, Prometheus needs to be configured to [scrape with Istio certs](#tls-settings).
* For application stats, if [Strict mTLS](/docs/tasks/security/authentication/authn-policy/#globally-enabling-istio-mutual-tls-in-strict-mode)
is not enabled, your existing scraping configuration should still work. Otherwise,
Prometheus needs to be configured to [scrape with Istio certs](#tls-settings).
#### TLS settings
The control plane, gateway, and Envoy sidecar metrics will all be scraped over cleartext. However, the application metrics will follow whatever Istio configuration has been configured for the workload. In particular, if [Strict mTLS](/docs/tasks/security/authentication/authn-policy/#globally-enabling-istio-mutual-tls-in-strict-mode) is enabled, then Prometheus will need to be configured to scrape using Istio certificates.
The control plane, gateway, and Envoy sidecar metrics will all be scraped over cleartext.
However, the application metrics will follow whatever Istio configuration has been configured
for the workload. In particular, if [Strict mTLS](/docs/tasks/security/authentication/authn-policy/#globally-enabling-istio-mutual-tls-in-strict-mode)
is enabled, then Prometheus will need to be configured to scrape using Istio certificates.
One way to provision Istio certificates for Prometheus is by injecting a sidecar which will rotate SDS certificates and output them to a volume that can be shared with Prometheus.
However, the sidecar should not intercept requests for Prometheus because Prometheus's model of direct endpoint access is incompatible with Istio's sidecar proxy model.
One way to provision Istio certificates for Prometheus is by injecting a sidecar
which will rotate SDS certificates and output them to a volume that can be shared with Prometheus.
However, the sidecar should not intercept requests for Prometheus because Prometheus's
model of direct endpoint access is incompatible with Istio's sidecar proxy model.
To achieve this, configure a cert volume mount on the Prometheus server container:
@ -122,7 +148,8 @@ volumes:
name: istio-certs
{{< /text >}}
Then add the following annotations to the Prometheus deployment pod template, and deploy it with [sidecar injection](/docs/setup/additional-setup/sidecar-injection/).
Then add the following annotations to the Prometheus deployment pod template,
and deploy it with [sidecar injection](/docs/setup/additional-setup/sidecar-injection/).
This configures the sidecar to write a certificate to the shared volume, but without configuring traffic redirection:
{{< text yaml >}}
@ -151,4 +178,6 @@ tls_config:
## Best practices
For larger meshes, advanced configuration might help Prometheus scale. See [Using Prometheus for production-scale monitoring](/docs/ops/best-practices/observability/#using-prometheus-for-production-scale-monitoring) for more information.
For larger meshes, advanced configuration might help Prometheus scale.
See [Using Prometheus for production-scale monitoring](/docs/ops/best-practices/observability/#using-prometheus-for-production-scale-monitoring)
for more information.