Last active
September 17, 2019 07:59
-
-
Save ams0/b420dbe87a32bf70431a5c3e400b96f9 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kubectl create ns istio-system | |
| kubectl config set-context $(kubectl config current-context) --namespace=istio-system | |
| alias h3='helm3' | |
| h3 repo add istio https://storage.googleapis.com/istio-release/releases/1.1.7/charts/ | |
| h3 repo update | |
| #install istio-cni | |
| h3 upgrade --install istio-cni istio/istio-cni --set istio_cni.enabled=true | |
| #install CRDs | |
| h3 upgrade --install istio-init istio/istio-init | |
| #create kiali/kiali and grafana/grafana | |
| curl https://gist.githubusercontent.com/ams0/51db61c7c11957b1d0695710d658a0ca/raw/b69dade68de20fffc1dc1b2aecee080a006bf1cc/create_kiali_grafana_secret.sh | bash | |
| #install Cert-manager CRDS if missing | |
| kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.8/deploy/manifests/00-crds.yaml | |
| #Wait a few minutes if you get Error: apiVersion "config.istio.io/v1alpha2" in istio/charts/mixer/templates/config.yaml is not available | |
| #install istio | |
| h3 upgrade istio --install istio/istio \ | |
| --set global.controlPlaneSecurityEnabled=true \ | |
| --set mixer.adapters.useAdapterCRDs=false \ | |
| --set grafana.enabled=true --set grafana.security.enabled=true \ | |
| --set tracing.enabled=true \ | |
| --set kiali.enabled=true \ | |
| --set gateways.istio-ingressgateway.externalTrafficPolicy=Local \ | |
| --set k8singress.enabled=true \ | |
| --set istio_cni.enabled=true \ | |
| --set certmanager.enabled=true \ | |
| --set certmanager.tag=v0.8.0 \ | |
| --set mixer.policy.enabled=true \ | |
| --set gateways.istio-ingressgateway.sds.enabled=true \ | |
| --set certmanager.email='[email protected]' \ | |
| --set nodeagent.env.CA_PROVIDER="Citadel" \ | |
| --set nodeagent.env.CA_ADDR="istio-citadel:8060" \ | |
| --set mixer.telemetry.resources.requests.memory=512m \ | |
| --set pilot.resources.requests.memory=1G | |
| #Validation | |
| az network dns record-set a delete -g dns -z cookingwithazure.com -n *.ingress -y | |
| az network dns record-set a add-record -g dns -z cookingwithazure.com -n *.ingress -a `kubectl get -n istio-system svc istio-ingressgateway -o json|jq -r .status.loadBalancer.ingress[0].ip` | |
| az network dns record-set a update -n *.ingress -g dns -z cookingwithazure.com --set ttl=10 | |
| dig @8.8.8.8 +noall +answer nginx.ingress.cookingwithazure.com | |
| #https://medium.com/@gregoire.waymel/istio-cert-manager-lets-encrypt-demystified-c1cbed011d67 | |
| #create the magic gateway | |
| cat <<EOF | kubectl apply -f - | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: Gateway | |
| metadata: | |
| name: istio-autogenerated-k8s-ingress | |
| namespace: istio-system | |
| labels: | |
| app: ingressgateway | |
| spec: | |
| selector: | |
| istio: ingressgateway | |
| servers: | |
| - port: | |
| number: 80 | |
| protocol: HTTP2 | |
| name: http | |
| hosts: | |
| - "*" | |
| --- | |
| EOF | |
| #create a certificate, should turn to Ready | |
| cat <<EOF | kubectl apply -f - | |
| apiVersion: certmanager.k8s.io/v1alpha1 | |
| kind: Certificate | |
| metadata: | |
| name: ngnix-certificate | |
| spec: | |
| secretName: nginx-certificate | |
| issuerRef: | |
| name: letsencrypt | |
| kind: ClusterIssuer | |
| commonName: nginx.ingress.cookingwithazure.com | |
| dnsNames: | |
| - nginx.ingress.cookingwithazure.com | |
| acme: | |
| config: | |
| - http01: | |
| ingressClass: istio | |
| domains: | |
| - nginx.ingress.cookingwithazure.com | |
| --- | |
| EOF | |
| #delete the magic gw | |
| k delete gw istio-autogenerated-k8s-ingress | |
| kubectl create ns nginx | |
| kubectl config set-context $(kubectl config current-context) --namespace=nginx | |
| kubectl label namespace nginx istio-injection=enabled | |
| kubectl run nginx --image=nginx --port=80 --expose | |
| #HTTPS | |
| kubectl apply -f - <<EOF | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: Gateway | |
| metadata: | |
| name: nginx-gateway | |
| labels: | |
| app: ingressgateway | |
| spec: | |
| selector: | |
| istio: ingressgateway # use istio default controller | |
| servers: | |
| - port: | |
| number: 443 | |
| name: https | |
| protocol: HTTPS | |
| tls: | |
| mode: SIMPLE | |
| serverCertificate: "sds" | |
| privateKey: "sds" | |
| credentialName: "nginx-certificate" | |
| hosts: | |
| - "nginx.ingress.cookingwithazure.com" | |
| EOF | |
| kubectl apply -f - <<EOF | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: nginx-vs | |
| spec: | |
| hosts: | |
| - "nginx.ingress.cookingwithazure.com" | |
| gateways: | |
| - nginx-gateway | |
| http: | |
| - route: | |
| - destination: | |
| host: nginx | |
| port: | |
| number: 80 | |
| EOF | |
| #now, you can recreate the magic gw | |
| cat <<EOF | kubectl apply -f - | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: Gateway | |
| metadata: | |
| name: istio-autogenerated-k8s-ingress | |
| namespace: istio-system | |
| labels: | |
| app: ingressgateway | |
| spec: | |
| selector: | |
| istio: ingressgateway | |
| servers: | |
| - port: | |
| number: 80 | |
| protocol: HTTP2 | |
| name: http | |
| hosts: | |
| - "*" | |
| --- | |
| EOF | |
| #this is how you expose kiali via HTTPS: | |
| kubectl config set-context $(kubectl config current-context) --namespace=istio-system | |
| cat <<EOF | kubectl apply -f - | |
| apiVersion: certmanager.k8s.io/v1alpha1 | |
| kind: Certificate | |
| metadata: | |
| name: kiali-certificate | |
| spec: | |
| secretName: kiali-certificate | |
| issuerRef: | |
| name: letsencrypt | |
| kind: ClusterIssuer | |
| commonName: kiali.ingress.cookingwithazure.com | |
| dnsNames: | |
| - kiali.ingress.cookingwithazure.com | |
| acme: | |
| config: | |
| - http01: | |
| ingressClass: istio | |
| domains: | |
| - kiali.ingress.cookingwithazure.com | |
| --- | |
| EOF | |
| cat <<EOF | kubectl apply -f - | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: Gateway | |
| metadata: | |
| name: kiali-gw | |
| namespace: istio-system | |
| spec: | |
| selector: | |
| istio: ingressgateway | |
| servers: | |
| - port: | |
| number: 443 | |
| name: https | |
| protocol: HTTPS | |
| tls: | |
| mode: SIMPLE | |
| serverCertificate: "sds" | |
| privateKey: "sds" | |
| credentialName: "kiali-certificate" | |
| hosts: | |
| - "kiali.ingress.cookingwithazure.com" | |
| EOF | |
| cat <<EOF | kubectl apply -f - | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: kiali | |
| spec: | |
| hosts: | |
| - kiali.ingress.cookingwithazure.com | |
| gateways: | |
| - kiali-gw | |
| http: | |
| - match: | |
| - uri: | |
| prefix: / | |
| route: | |
| - destination: | |
| port: | |
| number: 20001 | |
| host: kiali | |
| EOF | |
| #appendix | |
| #normal HTTP | |
| kubectl apply -f - <<EOF | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: Gateway | |
| metadata: | |
| name: nginx-gateway | |
| spec: | |
| selector: | |
| istio: ingressgateway # use istio default controller | |
| servers: | |
| - port: | |
| number: 80 | |
| name: http | |
| protocol: HTTP | |
| hosts: | |
| - "nginx.ingress.cookingwithazure.com" | |
| EOF | |
| cat <<EOF | kubectl apply -f - | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: nginx | |
| spec: | |
| hosts: | |
| - nginx.ingress.cookingwithazure.com | |
| gateways: | |
| - nginx-gateway | |
| http: | |
| - match: | |
| - uri: | |
| prefix: / | |
| route: | |
| - destination: | |
| port: | |
| number: 80 | |
| host: nginx.nginx.svc.cluster.local | |
| EOF |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment