knative
/
docs
mirror of https://github.com/knative/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use istioctl instead of helm to install istio (#2458) 

* Use istioctl instead of helm to install istio

* Simplify istio operator manifest
This commit is contained in:
Kenjiro Nakayama 2020-05-24 23:13:46 +09:00 committed by GitHub
parent 3484cdb97d
commit cc7bcdd410
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 79 additions and 204 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

283
docs/install/installing-istio.md
View File

@ -18,7 +18,7 @@ instructions.
You need:
- A Kubernetes cluster created.
- [`helm`](https://helm.sh/) installed.
- [`istioctl`](https://istio.io/docs/setup/install/istioctl/) (v1.5.4 or later) installed.
## Installing Istio
@ -29,235 +29,116 @@ instructions. If you're familiar with Istio and know what kind of installation
you want, read through the options and choose the installation that suits your
needs.
You can easily customize your Istio installation with `helm`. The below sections
You can easily customize your Istio installation with `istioctl`. The below sections
cover a few useful Istio configurations and their benefits.
### Choosing an Istio installation
You can install Istio with or without a service mesh:
- _automatic sidecar injection_: Enables the Istio service mesh by
[automatically injecting the Istio sidecars][1]. The sidecars are injected
into each pod of your cluster as they are created.
- _manual sidecar injection_: Provides your Knative installation with traffic
routing and ingress, without the Istio service mesh. You do have the option of
later enabling the service mesh if you [manually inject the Istio
sidecars][2].
If you are just getting started with Knative, we recommend installing Istio
without automatic sidecar injection.
### Downloading Istio and installing CRDs
1. Enter the following commands to download Istio:
```shell
# Download and unpack Istio
export ISTIO_VERSION=1.4.6
curl -L https://git.io/getLatestIstio | sh -
cd istio-${ISTIO_VERSION}
```
1. Enter the following command to install the Istio CRDs first:
```shell
for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done
```
Wait a few seconds for the CRDs to be committed in the Kubernetes API-server,
then continue with these instructions.
1. Create `istio-system` namespace
```shell
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
metadata:
name: istio-system
labels:
istio-injection: disabled
EOF
```
1. Finish the install by applying your desired Istio configuration:
- [Installing Istio without sidecar injection](#installing-istio-without-sidecar-injection)(Recommended
- [Installing Istio without sidecar injection](#installing-istio-without-sidecar-injection)(Recommended
default installation)
- [Installing Istio with sidecar injection](#installing-istio-with-sidecar-injection)
- [Installing Istio with SDS to secure the ingress gateway](#installing-istio-with-sds-to-secure-the-ingress-gateway)
#### Installing Istio without sidecar injection
- [Installing Istio with sidecar injection](#installing-istio-with-sidecar-injection)
If you want to get up and running with Knative quickly, we recommend installing
Istio without automatic sidecar injection. This install is also recommended for
users who don't need the Istio service mesh, or who want to enable the service
mesh by [manually injecting the Istio sidecars][2].
mesh by [manually injecting the Istio sidecars][1].
Enter the following command to install Istio:
```shell
# A lighter template, with just pilot/gateway.
# Based on install/kubernetes/helm/istio/values-istio-minimal.yaml
helm template --namespace=istio-system \
--set prometheus.enabled=false \
--set mixer.enabled=false \
--set mixer.policy.enabled=false \
--set mixer.telemetry.enabled=false \
`# Pilot doesn't need a sidecar.` \
--set pilot.sidecar=false \
--set pilot.resources.requests.memory=128Mi \
`# Disable galley (and things requiring galley).` \
--set galley.enabled=false \
--set global.useMCP=false \
`# Disable security / policy.` \
--set security.enabled=false \
--set global.disablePolicyChecks=true \
`# Disable sidecar injection.` \
--set sidecarInjectorWebhook.enabled=false \
--set global.proxy.autoInject=disabled \
--set global.omitSidecarInjectorConfigMap=true \
--set gateways.istio-ingressgateway.autoscaleMin=1 \
--set gateways.istio-ingressgateway.autoscaleMax=2 \
`# Set pilot trace sampling to 100%` \
--set pilot.traceSampling=100 \
--set global.mtls.auto=false \
install/kubernetes/helm/istio \
> ./istio-lean.yaml
cat << EOF > ./istio-minimal-operator.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
values:
global:
proxy:
autoInject: disabled
useMCP: false
# The third-party-jwt is not enabled on all k8s.
# See: https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens
jwtPolicy: first-party-jwt
kubectl apply -f istio-lean.yaml
addonComponents:
pilot:
enabled: true
prometheus:
enabled: false
components:
ingressGateways:
- name: istio-ingressgateway
enabled: true
- name: cluster-local-gateway
enabled: true
label:
istio: cluster-local-gateway
app: cluster-local-gateway
k8s:
service:
type: ClusterIP
ports:
- port: 15020
name: status-port
- port: 80
name: http2
- port: 443
name: https
EOF
istioctl manifest apply -f istio-minimal-operator.yaml
```
#### Installing Istio with sidecar injection
If you want to enable the Istio service mesh, you must enable [automatic sidecar
injection][1]. The Istio service mesh provides a few benefits:
injection][2]. The Istio service mesh provides a few benefits:
- Allows you to turn on [mutual TLS][4], which secures service-to-service
- Allows you to turn on [mutual TLS][3], which secures service-to-service
traffic within the cluster.
- Allows you to use the [Istio authorization policy][5], controlling the access
- Allows you to use the [Istio authorization policy][4], controlling the access
to each Knative service based on Istio service roles.
Enter the following command to install Istio:
```shell
# A template with sidecar injection enabled.
helm template --namespace=istio-system \
--set sidecarInjectorWebhook.enabled=true \
--set sidecarInjectorWebhook.enableNamespacesByDefault=true \
--set global.proxy.autoInject=disabled \
--set global.disablePolicyChecks=true \
--set prometheus.enabled=false \
`# Disable mixer prometheus adapter to remove istio default metrics.` \
--set mixer.adapters.prometheus.enabled=false \
`# Disable mixer policy check, since in our template we set no policy.` \
--set global.disablePolicyChecks=true \
--set gateways.istio-ingressgateway.autoscaleMin=1 \
--set gateways.istio-ingressgateway.autoscaleMax=2 \
--set gateways.istio-ingressgateway.resources.requests.cpu=500m \
--set gateways.istio-ingressgateway.resources.requests.memory=256Mi \
`# More pilot replicas for better scale` \
--set pilot.autoscaleMin=2 \
`# Set pilot trace sampling to 100%` \
--set pilot.traceSampling=100 \
install/kubernetes/helm/istio \
> ./istio.yaml
kubectl apply -f istio.yaml
```
#### Installing Istio with SDS to secure the ingress gateway
Install Istio with [Secret Discovery Service (SDS)][3] to enable a few
additional configurations for the gateway TLS. This will allow you to:
- Dynamically update the gateway TLS with multiple TLS certificates to terminate
TLS connections.
- Use [Auto TLS](../serving/using-auto-tls.md).
The below `helm` flag is needed in your `helm` command to enable `SDS`:
To automatic sidecar injection, set `autoInject: enabled` in addition to above
operator configuration.
```
--set gateways.istio-ingressgateway.sds.enabled=true
global:
proxy:
autoInject: enabled
```
Enter the following command to install Istio with ingress `SDS` and automatic
sidecar injection:
#### Using Istio mTLS feature
```shell
helm template --namespace=istio-system \
--set sidecarInjectorWebhook.enabled=true \
--set sidecarInjectorWebhook.enableNamespacesByDefault=true \
--set global.proxy.autoInject=disabled \
--set global.disablePolicyChecks=true \
--set prometheus.enabled=false \
`# Disable mixer prometheus adapter to remove istio default metrics.` \
--set mixer.adapters.prometheus.enabled=false \
`# Disable mixer policy check, since in our template we set no policy.` \
--set global.disablePolicyChecks=true \
--set gateways.istio-ingressgateway.autoscaleMin=1 \
--set gateways.istio-ingressgateway.autoscaleMax=2 \
--set gateways.istio-ingressgateway.resources.requests.cpu=500m \
--set gateways.istio-ingressgateway.resources.requests.memory=256Mi \
`# Enable SDS in the gateway to allow dynamically configuring TLS of gateway.` \
--set gateways.istio-ingressgateway.sds.enabled=true \
`# More pilot replicas for better scale` \
--set pilot.autoscaleMin=2 \
`# Set pilot trace sampling to 100%` \
--set pilot.traceSampling=100 \
install/kubernetes/helm/istio \
> ./istio.yaml
Since there are some networking communications between knative-serving namespace
and the namespace where your services running on, you need additional
preparations for mTLS enabled environment.
kubectl apply -f istio.yaml
- Enable sidecar container on `knative-serving` system namespace.
```bash
kubectl label namespace knative-serving istio-injection=enabled
```
### Updating your install to use cluster local gateway
- Set `PeerAuthentication` to `PERMISSIVE` on knative-serving system namespace.
If you want your Routes to be visible only inside the cluster, you may want to
enable [cluster local routes](../serving/cluster-local-route.md). To use this
feature, add an extra Istio cluster local gateway to your cluster. Enter the
following command to add the cluster local gateway to an existing Istio
installation:
```shell
# Add the extra gateway.
helm template --namespace=istio-system \
--set gateways.custom-gateway.autoscaleMin=1 \
--set gateways.custom-gateway.autoscaleMax=2 \
--set gateways.custom-gateway.cpu.targetAverageUtilization=60 \
--set gateways.custom-gateway.labels.app='cluster-local-gateway' \
--set gateways.custom-gateway.labels.istio='cluster-local-gateway' \
--set gateways.custom-gateway.type='ClusterIP' \
--set gateways.istio-ingressgateway.enabled=false \
--set gateways.istio-egressgateway.enabled=false \
--set gateways.istio-ilbgateway.enabled=false \
--set global.mtls.auto=false \
install/kubernetes/helm/istio \
-f install/kubernetes/helm/istio/example-values/values-istio-gateways.yaml \
| sed -e "s/custom-gateway/cluster-local-gateway/g" -e "s/customgateway/clusterlocalgateway/g" \
> ./istio-local-gateway.yaml
kubectl apply -f istio-local-gateway.yaml
```bash
cat <<EOF | kubectl apply -f -
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
name: "default"
namespace: "knative-serving"
spec:
mtls:
mode: PERMISSIVE
EOF
```
Alternatively, if you want to install the cluster local gateway for **development purposes**, enter the following command
without `helm` for an easy installation:
```shell
# Istio minor version should be 1.4 or 1.5
export ISTIO_MINOR_VERSION=1.4
export VERSION=$(curl https://raw.githubusercontent.com/knative/serving/master/third_party/istio-${ISTIO_MINOR_VERSION}-latest)
kubectl apply -f https://raw.githubusercontent.com/knative/serving/master/third_party/${VERSION}/istio-knative-extras.yaml
```
**Note:** This method is only for development purposes. The production readiness of the above
installation method is not ensured. For a production-ready installation, see the `helm` installation method above.
### Verifying your Istio install
View the status of your Istio installation to make sure the install was
@ -314,18 +195,13 @@ data:
- For the official Istio installation guide, see the
[Istio Kubernetes Getting Started Guide](https://istio.io/docs/setup/kubernetes/).
- For the full list of available configs when installing Istio with `helm`, see
- For the full list of available configs when installing Istio with `istioctl`, see
the
[Istio Installation Options reference](https://istio.io/docs/reference/config/installation-options/).
[Istio Installation Options reference](https://istio.io/docs/setup/install/istioctl/).
## Clean up Istio
Enter the following command to remove all of the Istio files:
```shell
cd ../
rm -rf istio-${ISTIO_VERSION}
```
See the [Uninstall Istio](https://istio.io/docs/setup/install/istioctl/#uninstall-istio).
## What's next
@ -335,9 +211,8 @@ rm -rf istio-${ISTIO_VERSION}
for Knative serving.
[1]:
https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#automatic-sidecar-injection
[2]:
https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#manual-sidecar-injection
[3]: https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-sds/
[4]: https://istio.io/docs/concepts/security/#mutual-tls-authentication
[5]: https://istio.io/docs/tasks/security/authz-http/
[2]:
https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#automatic-sidecar-injection
[3]: https://istio.io/docs/concepts/security/#mutual-tls-authentication
[4]: https://istio.io/docs/tasks/security/authz-http/