#!/bin/bash
set -euo pipefail
trap 's=$?; echo >&2 "$0: Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR
for cmd in "istioctl" "kubectl"; do
type $cmd >/dev/null 2>&1 || { echo >&2 "$cmd required but it's not installed; aborting."; exit 1; }
done
CONTEXT=${CONTEXT-}
CERT_ISSUER_ID=${CERT_ISSUER_ID-}
SERVICE_MESH_HA=${SERVICE_MESH_HA-no}
SERVICE_MESH_TRACES_ENABLED=${SERVICE_MESH_TRACES_ENABLED-no}
PILOT_REPLICAS="1"
if [[ "${SERVICE_MESH_HA}" == "yes" ]]; then
PILOT_REPLICAS="3"
fi
TRACES_ENABLED="false"
if [[ "${SERVICE_MESH_TRACES_ENABLED}" == "yes" ]]; then
TRACES_ENABLED="true"
fi
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
metadata:
name: istio-system
labels:
topology.istio.io/network: ${CONTEXT}
EOF
# https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/
kubectl create secret generic cacerts -n istio-system \
--from-file=root-cert.pem=istio-root-ca.crt \
--from-file=ca-cert.pem=istio-${CERT_ISSUER_ID}.crt \
--from-file=ca-key.pem=istio-${CERT_ISSUER_ID}.key \
--from-file=cert-chain.pem=istio-${CERT_ISSUER_ID}-chain.crt
# https://istio.io/latest/docs/setup/install/multicluster/multi-primary_multi-network/
# https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/
cat <<EOF | istioctl install -y -f -
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
values:
global:
meshID: mesh1
multiCluster:
clusterName: ${CONTEXT}
network: ${CONTEXT}
proxy:
resources:
limits:
cpu: '0'
memory: '0'
requests:
cpu: '0'
memory: '0'
proxy_init:
resources:
limits:
cpu: '0'
memory: '0'
requests:
cpu: '0'
memory: '0'
meshConfig:
defaultConfig:
holdApplicationUntilProxyStarts: true
proxyMetadata:
ISTIO_META_DNS_CAPTURE: "true"
ISTIO_META_DNS_AUTO_ALLOCATE: "true"
enableTracing: ${TRACES_ENABLED}
extensionProviders:
- name: otel-tracing
opentelemetry:
port: 4317
service: grafana-alloy.observability.svc.cluster.local
resource_detectors:
environment: {}
components:
pilot:
k8s:
replicaCount: ${PILOT_REPLICAS}
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app: istiod
topologyKey: kubernetes.io/hostname
ingressGateways:
- name: lgtm-gateway
label:
istio: lgtm-gateway
app: lgtm-gateway
topology.istio.io/network: ${CONTEXT}
enabled: true
k8s:
env:
# traffic through this gateway should be routed inside the network
- name: ISTIO_META_REQUESTED_NETWORK_VIEW
value: ${CONTEXT}
resources:
limits:
cpu: '0'
memory: '0'
requests:
cpu: '0'
memory: '0'
service:
ports:
- name: status-port
port: 15021
targetPort: 15021
- name: tls
port: 15443
targetPort: 15443
- name: tls-istiod
port: 15012
targetPort: 15012
- name: tls-webhook
port: 15017
targetPort: 15017
EOF
# Multi-Cluster communication
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
name: cross-network-gateway
namespace: istio-system
spec:
selector:
# Must match label from Ingress Gateway
istio: lgtm-gateway
servers:
- port:
number: 15443
name: tls
protocol: TLS
tls:
mode: AUTO_PASSTHROUGH
hosts:
- "*.local"
EOF
# Istio Monitoring
curl https://raw.githubusercontent.com/istio/istio/refs/heads/master/samples/addons/extras/prometheus-operator.yaml 2>/dev/null \
| sed '/release/s/istio/monitor/' | kubectl apply -f -