mirror of https://github.com/istio/istio.io.git
#!/bin/bash
# shellcheck disable=SC2034,SC2153,SC2155,SC2164

# Copyright Istio Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

####################################################################################################
# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
# docs/setup/additional-setup/gateway/index.md
####################################################################################################

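# IstioOperator manifest for a standalone ingress gateway, captured verbatim
# into snip_deploying_a_gateway_1.
#
# The quoted delimiter (<<\ENDSNIP) disables expansion, so the text is stored
# literally. `read -d ''` reads until EOF and therefore returns non-zero; the
# leading `!` inverts that status so the statement as a whole succeeds.
#
# The YAML nesting below is restored from the Kubernetes/IstioOperator schema;
# the rendered listing had lost its indentation and carried stray `|` rows.
! IFS=$'\n' read -r -d '' snip_deploying_a_gateway_1 <<\ENDSNIP
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: ingress
spec:
  profile: empty # Do not install CRDs or the control plane
  components:
    ingressGateways:
    - name: istio-ingressgateway
      namespace: istio-ingress
      enabled: true
      label:
        # Set a unique label for the gateway. This is required to ensure Gateways
        # can select this workload
        istio: ingressgateway
  values:
    gateways:
      istio-ingressgateway:
        # Enable gateway injection
        injectionTemplate: gateway
ENDSNIP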
# Create the gateway namespace, then install from the IstioOperator file with
# pilot's config-distribution tracking switched on.
#
# ingress.yaml is a relative path, so it is read from whatever directory the
# caller is in; check that it is the reviewed manifest before installing.
# `kubectl create namespace` fails if the namespace already exists.
snip_deploying_a_gateway_2() {
    local gateway_ns="istio-ingress"
    local operator_file="ingress.yaml"

    kubectl create namespace "${gateway_ns}"
    istioctl install \
        --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true \
        -f "${operator_file}"
}
# Create the gateway namespace and install the gateway chart into it with Helm.
#
# The chart is referenced as istio/gateway, which presumably relies on a Helm
# repository alias named "istio" having been added beforehand -- confirm.
# No --version is passed, so Helm picks the chart version at install time;
# pin one where the deployed version must be reviewed and reproducible.
snip_deploying_a_gateway_3() {
    local gateway_ns="istio-ingress"
    local release="istio-ingressgateway"

    kubectl create namespace "${gateway_ns}"
    helm install "${release}" istio/gateway -n "${gateway_ns}"
}
# Helm install of the gateway chart using the OpenShift values file.
#
# The values file path is relative, so it resolves against the caller's
# working directory. Unlike the other install snippets, this one does not
# create the istio-ingress namespace first.
snip_deploying_a_gateway_4() {
    local gateway_ns="istio-ingress"
    local values_file="manifests/charts/gateway/openshift-values.yaml"

    helm install istio-ingressgateway istio/gateway \
        -n "${gateway_ns}" \
        -f "${values_file}"
}
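# Plain Kubernetes manifests for the gateway (Service, Deployment, Role and
# RoleBinding), captured verbatim into snip_deploying_a_gateway_5.
#
# The quoted delimiter (<<\ENDSNIP) keeps the text literal. `read -d ''` runs
# to EOF and returns non-zero, which the leading `!` inverts.
#
# The YAML nesting below is restored from the Kubernetes schema; the rendered
# listing had lost its indentation and carried stray `|` rows.
#
# Review notes on the manifest as written:
# - The Role grants get/watch/list on every Secret in istio-ingress, and the
#   RoleBinding's subject is the ServiceAccount named "default". The Deployment
#   sets no serviceAccountName, so any other pod in that namespace running
#   under the default ServiceAccount gets the same read access to the TLS
#   material. Keep the namespace dedicated to the gateway, or bind a
#   purpose-made ServiceAccount instead.
# - The pod-level sysctl net.ipv4.ip_unprivileged_port_start=0 is what allows
#   binding 80/443 while the container runs as UID/GID 1337 with all
#   capabilities dropped.
# - `image: auto` is a placeholder; per the inline comment the image is
#   resolved each time the pod starts, so the proxy version is not fixed by
#   this manifest.
! IFS=$'\n' read -r -d '' snip_deploying_a_gateway_5 <<\ENDSNIP
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-ingress
spec:
  type: LoadBalancer
  selector:
    istio: ingressgateway
  ports:
  - port: 80
    name: http
  - port: 443
    name: https
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingressgateway
  namespace: istio-ingress
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  template:
    metadata:
      annotations:
        # Select the gateway injection template (rather than the default sidecar template)
        inject.istio.io/templates: gateway
      labels:
        # Set a unique label for the gateway. This is required to ensure Gateways can select this workload
        istio: ingressgateway
        # Enable gateway injection. If connecting to a revisioned control plane, replace with "istio.io/rev: revision-name"
        sidecar.istio.io/inject: "true"
    spec:
      # Allow binding to all ports (such as 80 and 443)
      securityContext:
        sysctls:
        - name: net.ipv4.ip_unprivileged_port_start
          value: "0"
      containers:
      - name: istio-proxy
        image: auto # The image will automatically update each time the pod starts.
        # Drop all privileges, allowing to run as non-root
        securityContext:
          capabilities:
            drop:
            - ALL
          runAsUser: 1337
          runAsGroup: 1337
---
# Set up roles to allow reading credentials for TLS
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: istio-ingressgateway-sds
  namespace: istio-ingress
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istio-ingressgateway-sds
  namespace: istio-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-ingressgateway-sds
subjects:
- kind: ServiceAccount
  name: default
ENDSNIP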
# Create the gateway namespace and apply the manifests from ingress.yaml.
#
# `kubectl apply -f ingress.yaml` applies whatever that relative path resolves
# to in the current directory; make sure it is the reviewed file, since the
# manifest in this guide includes RBAC that grants read access to Secrets.
snip_deploying_a_gateway_6() {
    local gateway_ns="istio-ingress"
    local manifest="ingress.yaml"

    kubectl create namespace "${gateway_ns}"
    kubectl apply -f "${manifest}"
}
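# Abbreviated Gateway resource showing the selector that must match the
# gateway pod label, captured verbatim into snip_gateway_selectors_1.
#
# The trailing `...` is the docs' ellipsis for "rest omitted"; this is an
# illustration, not an applicable manifest. Any workload carrying the
# `istio: ingressgateway` label is matched by this selector, so that label
# should be reserved for gateway pods.
#
# The YAML nesting below is restored from the Gateway schema; the rendered
# listing had lost its indentation and carried stray `|` rows.
! IFS=$'\n' read -r -d '' snip_gateway_selectors_1 <<\ENDSNIP
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway
spec:
  selector:
    istio: ingressgateway
...
ENDSNIP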
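# Canary gateway Deployment pinned to a control-plane revision, captured
# verbatim into snip_canary_upgrade_advanced_1.
#
# It reuses the `istio: ingressgateway` label, so a Service selecting on that
# label would route to these pods alongside the existing gateway pods.
#
# NOTE(review): unlike the Deployment in snip_deploying_a_gateway_5, this
# template sets no pod or container securityContext (no dropped capabilities,
# no runAsUser/runAsGroup, no unprivileged-port sysctl). That may just be an
# abbreviation in the docs; confirm before using it as a deployable manifest.
#
# The YAML nesting below is restored from the Kubernetes schema; the rendered
# listing had lost its indentation and carried stray `|` rows.
! IFS=$'\n' read -r -d '' snip_canary_upgrade_advanced_1 <<\ENDSNIP
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingressgateway-canary
  namespace: istio-ingress
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  template:
    metadata:
      annotations:
        inject.istio.io/templates: gateway
      labels:
        istio: ingressgateway
        istio.io/rev: canary # Set to the control plane revision you want to deploy
    spec:
      containers:
      - name: istio-proxy
        image: auto
ENDSNIP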
# List the Endpoints in istio-ingress with the pod names behind each one, so
# the operator can see which gateway pods currently back the Service.
snip_canary_upgrade_advanced_2() {
    local columns="custom-columns=NAME:.metadata.name,PODS:.subsets[*].addresses[*].targetRef.name"

    kubectl get endpoints -n istio-ingress -o "${columns}"
}
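# Sample output for snip_canary_upgrade_advanced_2, captured verbatim into
# snip_canary_upgrade_advanced_2_out. The `...` parts stand in for generated
# pod-name suffixes. Both the existing and the canary pods appear behind the
# same endpoint.
#
# Column spacing is kept as it appears in the rendered listing; only the stray
# `|` rows are removed.
! IFS=$'\n' read -r -d '' snip_canary_upgrade_advanced_2_out <<\ENDSNIP
NAME PODS
istio-ingressgateway istio-ingressgateway-...,istio-ingressgateway-canary-...
ENDSNIP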
# Tear down the gateway install and delete its namespace.
#
# -y skips the confirmation prompt. NOTE(review): --purge is not scoped to
# this gateway; as documented for istioctl it removes Istio resources for all
# revisions, so confirm nothing else in the cluster depends on them before
# running this outside a disposable environment.
# Deleting the namespace also deletes every Secret stored in it.
snip_cleanup_1() {
    local gateway_ns="istio-ingress"

    istioctl uninstall --istioNamespace "${gateway_ns}" -y --purge
    kubectl delete ns "${gateway_ns}"
}