Installation and configuration of Istio using Helm charts and Terraform

Installation and configuration of Istio using Terraform

Pull the Helm charts to a local directory

# add the Istio Helm chart repository
helm repo add istio https://istio-release.storage.googleapis.com/charts
# download the chart packages, pinned so the archive names below match
helm pull istio/base --version 1.17.1
helm pull istio/istiod --version 1.17.1
helm pull istio/gateway --version 1.17.1

# extract them into the current directory
tar -xzvf base-1.17.1.tgz
tar -xzvf istiod-1.17.1.tgz
tar -xzvf gateway-1.17.1.tgz

# move the chart directories to the path the Terraform below references
mv base ~/code/charts/istio-base
mv istiod ~/code/charts/istiod
mv gateway ~/code/charts/istio-gateway

Create the istio-system namespace and initialize the base resources

resource "kubernetes_namespace" "istio_system" {
  metadata {
    annotations = {
      name = "istio-system"
    }
    labels = {
      "kubesphere.io/namespace" = "istio-system"
      "kiali.io/member-of"      = "istio-system"
    }
    name = "istio-system"
  }
}

# base chart: CRDs and cluster-wide resources the control plane needs
resource "helm_release" "istio_base" {
  name      = "istio-base"
  chart     = "~/code/charts/istio-base"
  namespace = kubernetes_namespace.istio_system.metadata.0.name

  values = [
    <<-EOF
    global:
      istiod:
        enableAnalysis: true
    EOF
  ]
}

Initialize the istiod control plane

Pull the Istio images from a private Docker registry and send telemetry (logs, metrics and traces) to SigNoz, an open-source OpenTelemetry backend.

resource "helm_release" "istiod" {
  name      = "istiod"
  chart     = "~/code/charts/istiod"
  namespace = kubernetes_namespace.istio_system.metadata.0.name

  values = [
    <<-EOF
    # pull control-plane and sidecar images from the private registry
    pilot:
      hub: "docker.myregistry.me/istio"
      tag: "1.17.1"
    global:
      hub: "docker.myregistry.me/istio"
      tag: "1.17.1"
    telemetry:
      enabled: true
      v2:
        prometheus:
          enabled: true
    meshConfig:
      enableTracing: true
      enablePrometheusMerge: true
      accessLogEncoding: JSON
      defaultConfig:
        tracing:
          # 100% sampling is for evaluation; lower it in production
          sampling: 100.00
          zipkin:
            address: "signoz-otel-collector.signoz.svc.cluster.local:9411"
          customTags:
            service.name:
              environment:
                name: ISTIO_META_WORKLOAD_NAME
      # access logs go to the OTEL collector over gRPC, traces over zipkin
      extensionProviders:
      - name: otel
        envoyOtelAls:
          service: signoz-otel-collector.signoz.svc.cluster.local
          port: 4317
      - name: zipkin
        zipkin:
          service: "signoz-otel-collector.signoz.svc.cluster.local"
          port: 9411
      defaultProviders:
        accessLogging:
        - envoy
        - otel
    EOF
  ]
}

Use annotations to configure Istio for an individual pod

annotations:
  ...
  proxy.istio.io/config: |
    tracing:
      sampling: 10
      custom_tags:
        my_tag_header:
          header:
            name: host

You can also use istioctl to view and operate on the Envoy proxy details

istioctl proxy-status
istioctl proxy-status details-v1-6dcc6fbb9d-wsjz4.default
# Deep dive into Envoy configuration
istioctl proxy-config cluster -n istio-system istio-ingressgateway-7d6874b48f-qxhn5
istioctl proxy-config bootstrap -n istio-system istio-ingressgateway-7d6874b48f-qxhn5
istioctl proxy-config listeners productpage-v1-6c886ff494-7vxhs

Istio config

  • The defaults come from the ConfigMap istio-sidecar-injector
  • Set explicit proxy resource requests and limits per pod
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/proxyCPU: "200m"
        sidecar.istio.io/proxyMemoryLimit: "5Gi"

Create a ServiceEntry for external traffic

This adds the ext-svc.example.com external dependency to Istio's service registry.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: svc-entry
spec:
  hosts:
  - ext-svc.example.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
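A ServiceEntry only acts as an egress allow-list when the mesh blocks everything else, so the istiod values also need meshConfig.outboundTrafficPolicy.mode set to REGISTRY_ONLY (the default, ALLOW_ANY, lets sidecars reach any external host). The Terraform below is an added example, not the page's own code: it assumes the helm_release.istio_base resource from above, expresses the same ServiceEntry as a kubernetes_manifest resource, and the namespace and exportTo scoping are assumptions.

```hcl
# Added example (not the page's own code): egress allow-listing.
# The ServiceEntry alone does not restrict anything; with the default
# outboundTrafficPolicy ALLOW_ANY, sidecars pass traffic to any external
# host. REGISTRY_ONLY makes unregistered destinations fail, so only hosts
# with a ServiceEntry are reachable.
locals {
  # Append this element to the istiod helm_release "values" list above.
  istiod_egress_values = <<-EOF
    meshConfig:
      outboundTrafficPolicy:
        mode: REGISTRY_ONLY
  EOF
}

resource "kubernetes_manifest" "ext_svc_entry" {
  # The Istio CRDs must exist at plan time, so wait for the base chart.
  depends_on = [helm_release.istio_base]

  manifest = {
    apiVersion = "networking.istio.io/v1alpha3"
    kind       = "ServiceEntry"
    metadata = {
      name      = "svc-entry"
      namespace = "default" # assumption: the calling workloads live here
    }
    spec = {
      hosts      = ["ext-svc.example.com"]
      location   = "MESH_EXTERNAL"
      resolution = "DNS"
      # "." limits visibility to this namespace, so other namespaces do
      # not inherit the exception (assumed scoping, not on the page).
      exportTo = ["."]
      ports = [{
        number   = 443
        name     = "https"
        protocol = "HTTPS"
      }]
    }
  }
}
```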

Create a DestinationRule resource

The main things a DestinationRule specifies:

  • trafficPolicy
  • mTLS
  • subsets (versions) of an app
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: my-destination-rule
spec:
  host: my-svc
  trafficPolicy:
    loadBalancer:
      simple: RANDOM
  subsets:
  # Subsets only work if the deployment pods carry a version label
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
    # a subset-level policy overrides the top-level trafficPolicy
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
  - name: v3
    labels:
      version: v3
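The list above names mTLS, but the rule shown does not set it. The added example below (not the page's own code) enforces mutual TLS mesh-wide with a PeerAuthentication in the root namespace and pins the DestinationRule's client side to ISTIO_MUTUAL, written as kubernetes_manifest resources in the same Terraform module; the workload namespace is an assumption.

```hcl
# Added example (not the page's own code): enforce mutual TLS and make
# the DestinationRule's client side explicit. A PeerAuthentication in the
# root namespace (istio-system) applies mesh-wide; STRICT rejects
# plaintext, so roll out as PERMISSIVE first if any client still lacks a
# sidecar. Assumes the resources defined above in this module.
resource "kubernetes_manifest" "mesh_mtls_strict" {
  depends_on = [helm_release.istiod]

  manifest = {
    apiVersion = "security.istio.io/v1beta1"
    kind       = "PeerAuthentication"
    metadata = {
      name      = "default"
      namespace = kubernetes_namespace.istio_system.metadata.0.name
    }
    spec = {
      mtls = { mode = "STRICT" }
    }
  }
}

resource "kubernetes_manifest" "my_svc_destination_rule" {
  depends_on = [helm_release.istiod]

  manifest = {
    apiVersion = "networking.istio.io/v1alpha3"
    kind       = "DestinationRule"
    metadata = {
      name      = "my-destination-rule"
      namespace = "default" # assumption: where my-svc is deployed
    }
    spec = {
      host = "my-svc"
      trafficPolicy = {
        # Pin the client side to Istio-issued certificates instead of
        # relying on auto-mTLS detection.
        tls          = { mode = "ISTIO_MUTUAL" }
        loadBalancer = { simple = "RANDOM" }
      }
      # Subsets still require the version label on the deployment pods.
      subsets = [
        { name = "v1", labels = { version = "v1" } },
        { name = "v2", labels = { version = "v2" } },
      ]
    }
  }
}
```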

Create a VirtualService resource

A VirtualService supports features such as:

  • timeout
  • URI prefix match
  • redirect
  • directResponse
  • delegate
  • HTTP URL rewrite
  • retries
  • fault injection
  • traffic mirroring
  • corsPolicy
  • setting request and response headers
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: gateway-proxy
  namespace: kong
spec:
  hosts:
  - gateway-v2.homepartners.dev
  gateways:
  - istio-system/istio-external-gateway
  http:
  - name: gateway-proxy
    # match:
    # - uri:
    #     prefix: "/*"
    timeout: 5s
    route:
      - destination:
          host: gateway-proxy.kong.svc.cluster.local
          port:
            number: 80

More examples can be found in the GitHub samples.