@dudash
Last active July 9, 2020 19:25

How to install

run this

  • ./openshift-install create cluster --dir=. --log-level=info

to destroy

  • ./openshift-install destroy cluster
  • mv terraform.tfstate old-terraform.tfstate-MM-DD-YY

Setup Istio

istioctl manifest generate --set profile=demo \
--set components.cni.enabled=true \
--set components.cni.namespace=kube-system \
--set values.cni.cniBinDir=/var/lib/cni/bin \
--set values.cni.cniConfDir=/etc/cni/multus/net.d \
--set values.cni.chained=false \
--set values.cni.cniConfFileName="istio-cni.conf" \
--set values.sidecarInjectorWebhook.injectedAnnotations."k8s\.v1\.cni\.cncf\.io/networks"=istio-cni \
> istio-1.5-generated-demo-cni-multus.yaml

Edit yaml as desired

  • kubectl apply -f istio-1.5-generated-demo-cni-multus.yaml

Gateway expose

cat <<EOF | kubectl -n istio-system create -f -
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: istio-ingressgateway
  namespace: istio-system
spec:
  rules:
    - host: istio.apps.donatello.nub3s.io
      http:
        paths:
          - path: /
            backend:
              serviceName: istio-ingressgateway
              servicePort: 80
EOF

Kiali

if it didn't happen automatically (it should have), create the kiali secret:

  • kubectl create secret generic kiali -n istio-system --from-literal "username=gooduser" --from-literal "passphrase=badpassword"

Setup an ingress to access Kiali:

cat <<EOF | kubectl -n istio-system create -f -
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: kiali
  namespace: istio-system
spec:
  rules:
    - host: kiali.apps.donatello.nub3s.io
      http:
        paths:
          - path: /
            backend:
              serviceName: kiali
              servicePort: 20001
EOF

Httpbin test

  • oc new-project httpbin
  • kubectl label namespace httpbin istio-injection=enabled

Individual project setup for CNI/Multus to work

  • oc adm policy add-scc-to-group privileged system:serviceaccounts:httpbin
  • oc adm policy add-scc-to-group anyuid system:serviceaccounts:httpbin

cat <<EOF | kubectl -n httpbin create -f -
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: istio-cni
EOF

create resources

  • kubectl apply -f samples/httpbin/httpbin.yaml

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - match:
    - uri:
        prefix: /headers
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
EOF

now you can test by going to your exposed ingress router and viewing the httpbin headers

kubectl get svc -n istio-system

  • find the EXTERNAL-IP for your router and open it in a web browser with /headers appended

Remove Istio

  • kubectl delete -f istio-1.5-generated-demo-cni-multus.yaml

References for Istio
