Last active
June 2, 2023 09:01
-
-
Save hongmengwang/501d3a686f9086bc2a44875f13c0531e to your computer and use it in GitHub Desktop.
istio-playbook
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: install.istio.io/v1alpha2 | |
kind: IstioControlPlane | |
spec: | |
hub: docker.io/istio | |
tag: 1.4.3 | |
defaultNamespace: istio-system | |
# Traffic management feature | |
trafficManagement: | |
enabled: true | |
components: | |
pilot: | |
enabled: true | |
k8s: | |
env: | |
- name: POD_NAME | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.name | |
- name: POD_NAMESPACE | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.namespace | |
hpaSpec: | |
maxReplicas: 5 | |
minReplicas: 1 | |
scaleTargetRef: | |
apiVersion: apps/v1 | |
kind: Deployment | |
name: istio-pilot | |
metrics: | |
- type: Resource | |
resource: | |
name: cpu | |
targetAverageUtilization: 80 | |
readinessProbe: | |
httpGet: | |
path: /ready | |
port: 8080 | |
initialDelaySeconds: 5 | |
periodSeconds: 30 | |
timeoutSeconds: 5 | |
resources: | |
requests: | |
cpu: 500m | |
memory: 2048Mi | |
strategy: | |
rollingUpdate: | |
maxSurge: "100%" | |
maxUnavailable: "25%" | |
# Policy feature | |
policy: | |
enabled: true | |
components: | |
policy: | |
enabled: true | |
k8s: | |
hpaSpec: | |
maxReplicas: 5 | |
minReplicas: 1 | |
scaleTargetRef: | |
apiVersion: apps/v1 | |
kind: Deployment | |
name: istio-policy | |
metrics: | |
- type: Resource | |
resource: | |
name: cpu | |
targetAverageUtilization: 80 | |
env: | |
- name: POD_NAMESPACE | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.namespace | |
strategy: | |
rollingUpdate: | |
maxSurge: "100%" | |
maxUnavailable: "25%" | |
# Telemetry feature | |
telemetry: | |
enabled: true | |
components: | |
telemetry: | |
enabled: true | |
k8s: | |
env: | |
- name: POD_NAMESPACE | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.namespace | |
- name: GOMAXPROCS | |
value: "6" | |
hpaSpec: | |
maxReplicas: 5 | |
minReplicas: 1 | |
scaleTargetRef: | |
apiVersion: apps/v1 | |
kind: Deployment | |
name: istio-telemetry | |
metrics: | |
- type: Resource | |
resource: | |
name: cpu | |
targetAverageUtilization: 80 | |
replicaCount: 1 | |
resources: | |
requests: | |
cpu: 1000m | |
memory: 1G | |
limits: | |
cpu: 4800m | |
memory: 4G | |
strategy: | |
rollingUpdate: | |
maxSurge: "100%" | |
maxUnavailable: "25%" | |
# Security feature | |
security: | |
enabled: true | |
components: | |
citadel: | |
enabled: true | |
k8s: | |
strategy: | |
rollingUpdate: | |
maxSurge: "100%" | |
maxUnavailable: "25%" | |
certManager: | |
enabled: false | |
nodeAgent: | |
enabled: false | |
# Config management feature | |
configManagement: | |
enabled: true | |
components: | |
galley: | |
enabled: true | |
k8s: | |
replicaCount: 1 | |
resources: | |
requests: | |
cpu: 100m | |
strategy: | |
rollingUpdate: | |
maxSurge: "100%" | |
maxUnavailable: "25%" | |
# Auto injection feature | |
autoInjection: | |
enabled: true | |
components: | |
injector: | |
enabled: true | |
k8s: | |
replicaCount: 1 | |
strategy: | |
rollingUpdate: | |
maxSurge: "100%" | |
maxUnavailable: "25%" | |
# Istio Gateway feature | |
gateways: | |
enabled: true | |
components: | |
ingressGateway: | |
enabled: true | |
k8s: | |
hpaSpec: | |
maxReplicas: 5 | |
minReplicas: 1 | |
scaleTargetRef: | |
apiVersion: apps/v1 | |
kind: Deployment | |
name: istio-ingressgateway | |
metrics: | |
- type: Resource | |
resource: | |
name: cpu | |
targetAverageUtilization: 80 | |
resources: | |
requests: | |
cpu: 100m | |
memory: 128Mi | |
limits: | |
cpu: 2000m | |
memory: 1024Mi | |
strategy: | |
rollingUpdate: | |
maxSurge: "100%" | |
maxUnavailable: "25%" | |
egressGateway: | |
enabled: true | |
k8s: | |
hpaSpec: | |
maxReplicas: 5 | |
minReplicas: 1 | |
scaleTargetRef: | |
apiVersion: apps/v1 | |
kind: Deployment | |
name: istio-egressgateway | |
metrics: | |
- type: Resource | |
resource: | |
name: cpu | |
targetAverageUtilization: 80 | |
resources: | |
requests: | |
cpu: 100m | |
memory: 128Mi | |
limits: | |
cpu: 2000m | |
memory: 1024Mi | |
strategy: | |
rollingUpdate: | |
maxSurge: "100%" | |
maxUnavailable: "25%" | |
# Istio CNI feature | |
cni: | |
enabled: false | |
# Global values passed through to helm global.yaml. | |
values: | |
global: | |
logging: | |
level: "default:info" | |
logAsJson: false | |
k8sIngress: | |
enabled: false | |
gatewayName: ingressgateway | |
enableHttps: false | |
proxy: | |
image: proxyv2 | |
clusterDomain: "cluster.local" | |
resources: | |
requests: | |
cpu: 100m | |
memory: 128Mi | |
limits: | |
cpu: 2000m | |
memory: 1024Mi | |
concurrency: 2 | |
accessLogFile: "" | |
accessLogFormat: "" | |
accessLogEncoding: TEXT | |
envoyAccessLogService: | |
enabled: false | |
host: # example: accesslog-service.istio-system | |
port: # example: 15000 | |
logLevel: warning | |
componentLogLevel: "misc:error" | |
dnsRefreshRate: 300s | |
protocolDetectionTimeout: 100ms | |
privileged: false | |
enableCoreDump: false | |
statusPort: 15020 | |
readinessInitialDelaySeconds: 1 | |
readinessPeriodSeconds: 2 | |
readinessFailureThreshold: 30 | |
includeIPRanges: "*" | |
excludeIPRanges: "" | |
excludeOutboundPorts: "" | |
kubevirtInterfaces: "" | |
includeInboundPorts: "*" | |
excludeInboundPorts: "" | |
autoInject: enabled | |
envoyStatsd: | |
enabled: false | |
host: # example: statsd-svc.istio-system | |
port: # example: 9125 | |
envoyMetricsService: | |
enabled: false | |
host: # example: metrics-service.istio-system | |
port: # example: 15000 | |
tlsSettings: | |
mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL | |
clientCertificate: # example: /etc/istio/ms/cert-chain.pem | |
privateKey: # example: /etc/istio/ms/key.pem | |
caCertificates: # example: /etc/istio/ms/root-cert.pem | |
sni: # example: ms.somedomain | |
subjectAltNames: [] | |
tcpKeepalive: | |
probes: 3 | |
time: 10s | |
interval: 10s | |
tracer: "zipkin" | |
proxy_init: | |
image: proxyv2 | |
resources: | |
limits: | |
cpu: 100m | |
memory: 50Mi | |
requests: | |
cpu: 10m | |
memory: 10Mi | |
imagePullPolicy: IfNotPresent | |
certificates: [] | |
operatorManageWebhooks: false | |
controlPlaneSecurityEnabled: true | |
disablePolicyChecks: true | |
policyCheckFailOpen: false | |
enableTracing: true | |
tracer: | |
lightstep: | |
address: "" # example: lightstep-satellite:443 | |
accessToken: "" # example: abcdefg1234567 | |
secure: true # example: true|false | |
cacertPath: "" # example: /etc/lightstep/cacert.pem | |
zipkin: | |
address: "" | |
datadog: | |
address: "$(HOST_IP):8126" | |
mtls: | |
enabled: false | |
auto: false | |
imagePullSecrets: [] | |
arch: | |
amd64: 2 | |
s390x: 2 | |
ppc64le: 2 | |
oneNamespace: false | |
defaultNodeSelector: {} | |
configValidation: true | |
meshExpansion: | |
enabled: false | |
useILB: false | |
multiCluster: | |
enabled: false | |
clusterName: "" | |
omitSidecarInjectorConfigMap: false | |
network: "" | |
defaultResources: | |
requests: | |
cpu: 10m | |
defaultPodDisruptionBudget: | |
enabled: true | |
priorityClassName: "" | |
useMCP: true | |
trustDomain: "cluster.local" | |
outboundTrafficPolicy: | |
mode: ALLOW_ANY | |
sds: | |
enabled: false | |
udsPath: "" | |
token: | |
aud: istio-ca | |
meshNetworks: {} | |
localityLbSetting: | |
enabled: true | |
enableHelmTest: false | |
pilot: | |
autoscaleEnabled: true | |
autoscaleMin: 1 | |
autoscaleMax: 5 | |
replicaCount: 1 | |
image: pilot | |
traceSampling: 1.0 | |
configNamespace: istio-config | |
appNamespaces: [] | |
env: {} | |
cpu: | |
targetAverageUtilization: 80 | |
nodeSelector: {} | |
tolerations: [] | |
podAntiAffinityLabelSelector: [] | |
podAntiAffinityTermLabelSelector: [] | |
keepaliveMaxServerConnectionAge: 30m | |
enableProtocolSniffingForOutbound: true | |
enableProtocolSniffingForInbound: false | |
deploymentLabels: | |
meshNetworks: | |
networks: {} | |
configMap: true | |
ingress: | |
ingressService: istio-ingressgateway | |
ingressControllerMode: "OFF" | |
ingressClass: istio | |
policy: | |
enabled: false | |
useMCP: true | |
telemetry: | |
enabled: true | |
v1: | |
enabled: true | |
v2: | |
# For Null VM case now. If enabled, will set disableMixerHttpReports to true and not define mixerReportServer | |
# also enable metadata exchange and stats filter. | |
enabled: false | |
# prometheus stats filter settings. | |
prometheus: | |
# stats filter would be enabled when telemetry and v2 is enabled. | |
enabled: true | |
# stackdriver filter settings. | |
stackdriver: | |
enabled: false | |
logging: false | |
monitoring: false | |
topology: false | |
# configOverride parts give you the ability to override the low level configuration params passed to envoy filter. | |
configOverride: {} | |
mixer: | |
adapters: | |
stdio: | |
enabled: false | |
outputAsJson: false | |
prometheus: | |
enabled: true | |
metricsExpiryDuration: 10m | |
kubernetesenv: | |
enabled: true | |
stackdriver: | |
enabled: false | |
auth: | |
appCredentials: false | |
apiKey: "" | |
serviceAccountPath: "" | |
tracer: | |
enabled: false | |
sampleProbability: 1 | |
useAdapterCRDs: false | |
telemetry: | |
image: mixer | |
replicaCount: 1 | |
autoscaleEnabled: true | |
sessionAffinityEnabled: false | |
loadshedding: | |
mode: enforce | |
latencyThreshold: 100ms | |
reportBatchMaxEntries: 100 | |
reportBatchMaxTime: 1s | |
useMCP: true | |
env: | |
GOMAXPROCS: "6" | |
nodeSelector: {} | |
tolerations: [] | |
podAntiAffinityLabelSelector: [] | |
podAntiAffinityTermLabelSelector: [] | |
policy: | |
autoscaleEnabled: true | |
image: mixer | |
sessionAffinityEnabled: false | |
adapters: | |
kubernetesenv: | |
enabled: true | |
useAdapterCRDs: false | |
galley: | |
image: galley | |
enableAnalysis: false | |
security: | |
image: citadel | |
selfSigned: true # indicate if self-signed CA is used. | |
trustDomain: cluster.local # indicate the domain used in SPIFFE identity URL | |
enableNamespacesByDefault: true | |
dnsCerts: | |
istio-pilot-service-account.istio-control: istio-pilot.istio-control | |
certmanager: | |
hub: quay.io/jetstack | |
tag: v0.6.2 | |
image: cert-manager-controller | |
nodeagent: | |
image: node-agent-k8s | |
gateways: | |
istio-egressgateway: | |
autoscaleEnabled: true | |
zvpn: | |
suffix: global | |
enabled: true | |
type: ClusterIP | |
env: | |
ISTIO_META_ROUTER_MODE: "sni-dnat" | |
ports: | |
- port: 80 | |
name: http2 | |
- port: 443 | |
name: https | |
- port: 15443 | |
targetPort: 15443 | |
name: tls | |
secretVolumes: | |
- name: egressgateway-certs | |
secretName: istio-egressgateway-certs | |
mountPath: /etc/istio/egressgateway-certs | |
- name: egressgateway-ca-certs | |
secretName: istio-egressgateway-ca-certs | |
mountPath: /etc/istio/egressgateway-ca-certs | |
istio-ingressgateway: | |
autoscaleEnabled: true | |
applicationPorts: "" | |
debug: info | |
domain: "" | |
type: LoadBalancer | |
zvpn: | |
enabled: true | |
suffix: global | |
sds: | |
enabled: false | |
image: node-agent-k8s | |
resources: | |
requests: | |
cpu: 100m | |
memory: 128Mi | |
limits: | |
cpu: 2000m | |
memory: 1024Mi | |
env: | |
ISTIO_META_ROUTER_MODE: "sni-dnat" | |
ports: | |
- port: 15020 | |
targetPort: 15020 | |
name: status-port | |
- port: 80 | |
targetPort: 80 | |
name: http2 | |
- port: 443 | |
name: https | |
- port: 15029 | |
targetPort: 15029 | |
name: kiali | |
- port: 15030 | |
targetPort: 15030 | |
name: prometheus | |
- port: 15031 | |
targetPort: 15031 | |
name: grafana | |
- port: 15032 | |
targetPort: 15032 | |
name: tracing | |
- port: 15443 | |
targetPort: 15443 | |
name: tls | |
meshExpansionPorts: | |
- port: 15011 | |
targetPort: 15011 | |
name: tcp-pilot-grpc-tls | |
- port: 8060 | |
targetPort: 8060 | |
name: tcp-citadel-grpc-tls | |
- port: 853 | |
targetPort: 853 | |
name: tcp-dns-tls | |
secretVolumes: | |
- name: ingressgateway-certs | |
secretName: istio-ingressgateway-certs | |
mountPath: /etc/istio/ingressgateway-certs | |
- name: ingressgateway-ca-certs | |
secretName: istio-ingressgateway-ca-certs | |
mountPath: /etc/istio/ingressgateway-ca-certs | |
sidecarInjectorWebhook: | |
image: sidecar_injector | |
enableNamespacesByDefault: false | |
rewriteAppHTTPProbe: false | |
selfSigned: false | |
injectLabel: istio-injection | |
objectSelector: | |
enabled: false | |
autoInject: true | |
prometheus: | |
enabled: true | |
replicaCount: 1 | |
hub: docker.io/prom | |
tag: v2.12.0 | |
retention: 6h | |
scrapeInterval: 15s | |
contextPath: /prometheus | |
ingress: | |
enabled: false | |
hosts: | |
- prometheus.local | |
annotations: | |
tls: | |
security: | |
enabled: true | |
nodeSelector: {} | |
tolerations: [] | |
podAntiAffinityLabelSelector: [] | |
podAntiAffinityTermLabelSelector: [] | |
grafana: | |
enabled: true | |
replicaCount: 1 | |
image: | |
repository: grafana/grafana | |
tag: 6.4.3 | |
persist: false | |
storageClassName: "" | |
accessMode: ReadWriteMany | |
security: | |
enabled: false | |
secretName: grafana | |
usernameKey: username | |
passphraseKey: passphrase | |
contextPath: /grafana | |
service: | |
annotations: {} | |
name: http | |
type: ClusterIP | |
externalPort: 3000 | |
loadBalancerIP: | |
loadBalancerSourceRanges: | |
ingress: | |
enabled: false | |
hosts: | |
- grafana.local | |
annotations: | |
tls: | |
datasources: | |
datasources.yaml: | |
apiVersion: 1 | |
datasources: | |
dashboardProviders: | |
dashboardproviders.yaml: | |
apiVersion: 1 | |
providers: | |
- name: 'istio' | |
orgId: 1 | |
folder: 'istio' | |
type: file | |
disableDeletion: false | |
options: | |
path: /var/lib/grafana/dashboards/istio | |
nodeSelector: {} | |
tolerations: [] | |
podAntiAffinityLabelSelector: [] | |
podAntiAffinityTermLabelSelector: [] | |
env: {} | |
envSecrets: {} | |
tracing: | |
enabled: true | |
provider: jaeger | |
nodeSelector: {} | |
podAntiAffinityLabelSelector: [] | |
podAntiAffinityTermLabelSelector: [] | |
jaeger: | |
hub: docker.io/jaegertracing | |
tag: "1.14" | |
memory: | |
max_traces: 50000 | |
spanStorageType: badger | |
persist: false | |
storageClassName: "" | |
accessMode: ReadWriteMany | |
zipkin: | |
hub: docker.io/openzipkin | |
tag: 2.14.2 | |
probeStartupDelay: 200 | |
queryPort: 9411 | |
resources: | |
limits: | |
cpu: 300m | |
memory: 900Mi | |
requests: | |
cpu: 150m | |
memory: 900Mi | |
javaOptsHeap: 700 | |
maxSpans: 500000 | |
node: | |
cpus: 2 | |
opencensus: | |
hub: docker.io/omnition | |
tag: 0.1.9 | |
resources: | |
limits: | |
cpu: "1" | |
memory: 2Gi | |
requests: | |
cpu: 200m | |
memory: 400Mi | |
exporters: | |
stackdriver: | |
enable_tracing: true | |
service: | |
annotations: {} | |
name: http-query | |
type: ClusterIP | |
externalPort: 9411 | |
ingress: | |
enabled: false | |
hosts: | |
annotations: | |
tls: | |
istiocoredns: | |
enabled: false | |
coreDNSImage: coredns/coredns | |
coreDNSTag: 1.6.2 | |
coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1 | |
kiali: | |
enabled: true | |
replicaCount: 1 | |
hub: quay.io/kiali | |
tag: v1.9 | |
contextPath: /kiali | |
nodeSelector: {} | |
podAntiAffinityLabelSelector: [] | |
podAntiAffinityTermLabelSelector: [] | |
ingress: | |
enabled: false | |
hosts: | |
- kiali.local | |
annotations: | |
tls: | |
dashboard: | |
secretName: kiali | |
usernameKey: username | |
passphraseKey: passphrase | |
viewOnlyMode: false | |
grafanaURL: | |
jaegerURL: | |
prometheusNamespace: | |
createDemoSecret: false | |
security: | |
enabled: false | |
cert_file: /kiali-cert/cert-chain.pem | |
private_key_file: /kiali-cert/key.pem | |
# TODO: derive from operator API | |
version: "" | |
clusterResources: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# istio env | |
ISTIO_VERSION=1.4.3 | |
INSTALL_ENV=default | |
# download istio release version | |
curl -L https://istio.io/downloadIstio | sh - | |
cd istio-${ISTIO_VERSION} | |
# verify installation | |
bin/istioctl verify-install | |
# customize installation env | |
# bin/istioctl manifest apply \ | |
# --set values.global.mtls.auto=true \ | |
# --set values.security.citadelHealthCheck=true \ | |
# --set values.pilot.policy.enabled=true \ | |
# --set values.gateways.istio-egressgateway.enabled=true \ | |
# --set values.gateways.istio-ingressgateway.type=LoadBalancer \ | |
# --set values.global.disablePolicyChecks=false \ | |
# --set values.global.k8sIngress.gatewayName=ingressgateway \ | |
# --set cni.enabled=true \ | |
# --set cni.components.cni.enabled=true \ | |
# --set values.cni.logLevel=info \ | |
# --set values.kiali.enabled=true \ | |
# --set values.grafana.enabled=true \ | |
# --set values.tracing.enabled=true \ | |
# --set profile=default | |
# install istio by specify env file | |
bin/istioctl manifest apply -f default.yaml | |
# delete istio | |
# bin/istioctl manifest generate -f default.yaml | kubectl delete -f - |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment