Installation and configuration of Istio using Helm charts and Terraform
Installation and configuration of Istio using Terraform
Pull the Helm charts to the local machine
# add the istio helm chart repo url
helm repo add istio https://istio-release.storage.googleapis.com/charts
# download the latest helm chart packages
helm pull istio/base
helm pull istio/istiod
helm pull istio/gateway

# uncompress into the current directory
tar -xzvf base-1.17.1.tgz
tar -xzvf istiod-1.17.1.tgz
tar -xzvf gateway-1.17.1.tgz

# move the istio components to the preferred directory
# (the same paths the helm_release resources below point at)
mv base ~/code/charts/istio-base
mv istiod ~/code/charts/istiod
mv gateway ~/code/charts/istio-gateway
Create the istio-system namespace and initialize the base resources
resource "kubernetes_namespace" "istio_system" {
  metadata {
    annotations = {
      name = "istio-system"
    }
    labels = {
      "kubesphere.io/namespace" = "istio-system"
      "kiali.io/member-of"      = "istio-system"
    }
    name = "istio-system"
  }
}

resource "helm_release" "istio_base" {
  name      = "istio-base"
  chart     = "~/code/charts/istio-base"
  namespace = kubernetes_namespace.istio_system.metadata[0].name

  values = [
    <<-EOF
    global:
      istiod:
        enableAnalysis: true
    EOF
  ]
}
Initialize the istiod control plane
Pull the Istio images from a local custom Docker registry and send telemetry (logs, metrics and traces) to SigNoz, an open-source OpenTelemetry backend
resource "helm_release" "istiod" {
  name      = "istiod"
  chart     = "~/code/charts/istiod"
  namespace = kubernetes_namespace.istio_system.metadata[0].name

  values = [
    <<-EOF
    pilot:
      hub: "docker.myregistry.me/istio"
      tag: "1.17.1"
    global:
      hub: "docker.myregistry.me/istio"
      tag: "1.17.1"
    telemetry:
      enabled: true
      v2:
        prometheus:
          enabled: true
    meshConfig:
      enableTracing: true
      enablePrometheusMerge: true
      accessLogEncoding: JSON
      defaultConfig:
        tracing:
          sampling: 100.00
          zipkin:
            address: "signoz-otel-collector.signoz.svc.cluster.local:9411"
          customTags:
            service.name:
              environment:
                name: ISTIO_META_WORKLOAD_NAME

      extensionProviders:
        - name: otel
          envoyOtelAls:
            service: signoz-otel-collector.signoz.svc.cluster.local
            port: 4317
        - name: zipkin
          zipkin:
            service: "signoz-otel-collector.signoz.svc.cluster.local"
            port: 9411
      defaultProviders:
        accessLogging:
          - envoy
          - otel

    EOF
  ]
}
Use annotations to configure Istio for an individual pod
annotations:
  ...
  proxy.istio.io/config: |
    tracing:
      sampling: 10
      custom_tags:
        my_tag_header:
          header:
            name: host
The istioctl command can also be used to view and inspect Envoy proxy details
istioctl proxy-status
istioctl proxy-status details-v1-6dcc6fbb9d-wsjz4.default
# Deep dive into Envoy configuration
istioctl proxy-config cluster -n istio-system istio-ingressgateway-7d6874b48f-qxhn5
istioctl proxy-config bootstrap -n istio-system istio-ingressgateway-7d6874b48f-qxhn5
istioctl proxy-config listeners productpage-v1-6c886ff494-7vxhs
Istio config
- by default the sidecar injection settings come from the ConfigMap istio-sidecar-injector
- set exact proxy resource requests and limits per pod
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/proxyCPU: "200m"
        sidecar.istio.io/proxyMemoryLimit: "5Gi"
Create ServiceEntry for external traffic
This adds the ext-svc.example.com external dependency to Istio's service registry
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: svc-entry
spec:
  hosts:
  - ext-svc.example.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
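The istiod values above switch Envoy access logs to JSON encoding and ship them to the collector, and a ServiceEntry like the one just shown is what keeps an external host out of Envoy's PassthroughCluster. The following Python checker is an added example, not part of the original notes: it parses constructed lines in the shape of Istio's default JSON access log and flags the entries worth alerting on (egress via PassthroughCluster or BlackHoleCluster, non-empty Envoy response flags, 5xx responses).

```python
import json

# Constructed sample lines in the shape of Istio's default JSON access log
# (field names as Envoy emits them; values are made up for this demo).
SAMPLE_LOG = """
{"start_time":"2023-03-01T10:00:00Z","method":"GET","path":"/productpage","response_code":200,"response_flags":"-","upstream_cluster":"outbound|9080||productpage.default.svc.cluster.local","authority":"productpage:9080","request_id":"a1"}
{"start_time":"2023-03-01T10:00:01Z","method":"GET","path":"/details/0","response_code":503,"response_flags":"UF,URX","upstream_cluster":"outbound|9080||details.default.svc.cluster.local","authority":"details:9080","request_id":"a2"}
{"start_time":"2023-03-01T10:00:02Z","method":"POST","path":"/upload","response_code":200,"response_flags":"-","upstream_cluster":"PassthroughCluster","authority":"unknown-host.example.net","request_id":"a3"}
{"start_time":"2023-03-01T10:00:03Z","method":"GET","path":"/","response_code":502,"response_flags":"UH","upstream_cluster":"BlackHoleCluster","authority":"blocked.example.org","request_id":"a4"}
this line is not json and must be skipped
"""

def parse_access_log(text):
    """Return one dict per well-formed JSON line; skip blank or broken lines."""
    entries = []
    for raw in text.splitlines():
        try:
            entry = json.loads(raw.strip())
        except json.JSONDecodeError:
            continue  # partial write, non-JSON line, etc.
        if isinstance(entry, dict):
            entries.append(entry)
    return entries

def classify(entry):
    """Return the list of findings for one access-log entry (empty if clean)."""
    findings = []
    cluster = entry.get("upstream_cluster") or ""
    flags = entry.get("response_flags") or "-"
    code = int(entry.get("response_code") or 0)
    # PassthroughCluster: outbound traffic to a host Istio does not know about
    # (no Service/ServiceEntry) under the default ALLOW_ANY outbound policy.
    if cluster == "PassthroughCluster":
        findings.append("egress to unregistered host (no ServiceEntry)")
    # BlackHoleCluster: the same situation under a REGISTRY_ONLY policy.
    if cluster == "BlackHoleCluster":
        findings.append("egress blocked by REGISTRY_ONLY policy")
    if flags != "-":
        findings.append(f"envoy response flags {flags}")
    if code >= 500:
        findings.append(f"upstream failure {code}")
    return findings

def audit(text):
    """Map request_id -> findings for every entry that has at least one."""
    report = {}
    for entry in parse_access_log(text):
        findings = classify(entry)
        if findings:
            report[entry.get("request_id", "?")] = findings
    return report
```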
Create DestinationRule resource
A DestinationRule mainly specifies
- trafficPolicy
- mTLS
- subsets mapping to versions of the app
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: my-destination-rule
spec:
  host: my-svc
  trafficPolicy:
    loadBalancer:
      simple: RANDOM
  subsets:
  # This will work only if the version label is defined in the deployment
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
  - name: v3
    labels:
      version: v3
Create VirtualService resource
A VirtualService supports features such as
- timeout
- url prefix match
- redirect
- directResponse
- delegate
- rewrite http url
- retries
- fault
- traffic mirror
- corsPolicy
- set request header and response header
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: gateway-proxy
  namespace: kong
spec:
  hosts:
  - gateway-v2.homepartners.dev
  gateways:
  - istio-system/istio-external-gateway
  http:
  - name: gateway-proxy
    # match:
    # - uri:
    #     prefix: "/*"
    timeout: 5s
    route:
    - destination:
        host: gateway-proxy.kong.svc.cluster.local
        port:
          number: 80