Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
istio-playbook
apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
hub: docker.io/istio
tag: 1.4.3
defaultNamespace: istio-system
# Traffic management feature
trafficManagement:
enabled: true
components:
pilot:
enabled: true
k8s:
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
hpaSpec:
maxReplicas: 5
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istio-pilot
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 30
timeoutSeconds: 5
resources:
requests:
cpu: 500m
memory: 2048Mi
strategy:
rollingUpdate:
maxSurge: "100%"
maxUnavailable: "25%"
# Policy feature
policy:
enabled: true
components:
policy:
enabled: true
k8s:
hpaSpec:
maxReplicas: 5
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istio-policy
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
strategy:
rollingUpdate:
maxSurge: "100%"
maxUnavailable: "25%"
# Telemetry feature
telemetry:
enabled: true
components:
telemetry:
enabled: true
k8s:
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: GOMAXPROCS
value: "6"
hpaSpec:
maxReplicas: 5
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istio-telemetry
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
replicaCount: 1
resources:
requests:
cpu: 1000m
memory: 1G
limits:
cpu: 4800m
memory: 4G
strategy:
rollingUpdate:
maxSurge: "100%"
maxUnavailable: "25%"
# Security feature
security:
enabled: true
components:
citadel:
enabled: true
k8s:
strategy:
rollingUpdate:
maxSurge: "100%"
maxUnavailable: "25%"
certManager:
enabled: false
nodeAgent:
enabled: false
# Config management feature
configManagement:
enabled: true
components:
galley:
enabled: true
k8s:
replicaCount: 1
resources:
requests:
cpu: 100m
strategy:
rollingUpdate:
maxSurge: "100%"
maxUnavailable: "25%"
# Auto injection feature
autoInjection:
enabled: true
components:
injector:
enabled: true
k8s:
replicaCount: 1
strategy:
rollingUpdate:
maxSurge: "100%"
maxUnavailable: "25%"
# Istio Gateway feature
gateways:
enabled: true
components:
ingressGateway:
enabled: true
k8s:
hpaSpec:
maxReplicas: 5
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istio-ingressgateway
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
strategy:
rollingUpdate:
maxSurge: "100%"
maxUnavailable: "25%"
egressGateway:
enabled: true
k8s:
hpaSpec:
maxReplicas: 5
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istio-egressgateway
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
strategy:
rollingUpdate:
maxSurge: "100%"
maxUnavailable: "25%"
# Istio CNI feature
cni:
enabled: false
# Global values passed through to helm global.yaml.
values:
global:
logging:
level: "default:info"
logAsJson: false
k8sIngress:
enabled: false
gatewayName: ingressgateway
enableHttps: false
proxy:
image: proxyv2
clusterDomain: "cluster.local"
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
concurrency: 2
accessLogFile: ""
accessLogFormat: ""
accessLogEncoding: TEXT
envoyAccessLogService:
enabled: false
host: # example: accesslog-service.istio-system
port: # example: 15000
logLevel: warning
componentLogLevel: "misc:error"
dnsRefreshRate: 300s
protocolDetectionTimeout: 100ms
privileged: false
enableCoreDump: false
statusPort: 15020
readinessInitialDelaySeconds: 1
readinessPeriodSeconds: 2
readinessFailureThreshold: 30
includeIPRanges: "*"
excludeIPRanges: ""
excludeOutboundPorts: ""
kubevirtInterfaces: ""
includeInboundPorts: "*"
excludeInboundPorts: ""
autoInject: enabled
envoyStatsd:
enabled: false
host: # example: statsd-svc.istio-system
port: # example: 9125
envoyMetricsService:
enabled: false
host: # example: metrics-service.istio-system
port: # example: 15000
tlsSettings:
mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
clientCertificate: # example: /etc/istio/ms/cert-chain.pem
privateKey: # example: /etc/istio/ms/key.pem
caCertificates: # example: /etc/istio/ms/root-cert.pem
sni: # example: ms.somedomain
subjectAltNames: []
tcpKeepalive:
probes: 3
time: 10s
interval: 10s
tracer: "zipkin"
proxy_init:
image: proxyv2
resources:
limits:
cpu: 100m
memory: 50Mi
requests:
cpu: 10m
memory: 10Mi
imagePullPolicy: IfNotPresent
certificates: []
operatorManageWebhooks: false
controlPlaneSecurityEnabled: true
disablePolicyChecks: true
policyCheckFailOpen: false
enableTracing: true
tracer:
lightstep:
address: "" # example: lightstep-satellite:443
accessToken: "" # example: abcdefg1234567
secure: true # example: true|false
cacertPath: "" # example: /etc/lightstep/cacert.pem
zipkin:
address: ""
datadog:
address: "$(HOST_IP):8126"
mtls:
enabled: false
auto: false
imagePullSecrets: []
arch:
amd64: 2
s390x: 2
ppc64le: 2
oneNamespace: false
defaultNodeSelector: {}
configValidation: true
meshExpansion:
enabled: false
useILB: false
multiCluster:
enabled: false
clusterName: ""
omitSidecarInjectorConfigMap: false
network: ""
defaultResources:
requests:
cpu: 10m
defaultPodDisruptionBudget:
enabled: true
priorityClassName: ""
useMCP: true
trustDomain: "cluster.local"
outboundTrafficPolicy:
mode: ALLOW_ANY
sds:
enabled: false
udsPath: ""
token:
aud: istio-ca
meshNetworks: {}
localityLbSetting:
enabled: true
enableHelmTest: false
pilot:
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
replicaCount: 1
image: pilot
traceSampling: 1.0
configNamespace: istio-config
appNamespaces: []
env: {}
cpu:
targetAverageUtilization: 80
nodeSelector: {}
tolerations: []
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
keepaliveMaxServerConnectionAge: 30m
enableProtocolSniffingForOutbound: true
enableProtocolSniffingForInbound: false
deploymentLabels:
meshNetworks:
networks: {}
configMap: true
ingress:
ingressService: istio-ingressgateway
ingressControllerMode: "OFF"
ingressClass: istio
policy:
enabled: false
useMCP: true
telemetry:
enabled: true
v1:
enabled: true
v2:
# For Null VM case now. If enabled, will set disableMixerHttpReports to true and not define mixerReportServer
# also enable metadata exchange and stats filter.
enabled: false
# prometheus stats filter settings.
prometheus:
# stats filter would be enabled when telemetry and v2 is enabled.
enabled: true
# stackdriver filter settings.
stackdriver:
enabled: false
logging: false
monitoring: false
topology: false
# configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
configOverride: {}
mixer:
adapters:
stdio:
enabled: false
outputAsJson: false
prometheus:
enabled: true
metricsExpiryDuration: 10m
kubernetesenv:
enabled: true
stackdriver:
enabled: false
auth:
appCredentials: false
apiKey: ""
serviceAccountPath: ""
tracer:
enabled: false
sampleProbability: 1
useAdapterCRDs: false
telemetry:
image: mixer
replicaCount: 1
autoscaleEnabled: true
sessionAffinityEnabled: false
loadshedding:
mode: enforce
latencyThreshold: 100ms
reportBatchMaxEntries: 100
reportBatchMaxTime: 1s
useMCP: true
env:
GOMAXPROCS: "6"
nodeSelector: {}
tolerations: []
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
policy:
autoscaleEnabled: true
image: mixer
sessionAffinityEnabled: false
adapters:
kubernetesenv:
enabled: true
useAdapterCRDs: false
galley:
image: galley
enableAnalysis: false
security:
image: citadel
selfSigned: true # indicate if self-signed CA is used.
trustDomain: cluster.local # indicate the domain used in SPIFFE identity URL
enableNamespacesByDefault: true
dnsCerts:
istio-pilot-service-account.istio-control: istio-pilot.istio-control
certmanager:
hub: quay.io/jetstack
tag: v0.6.2
image: cert-manager-controller
nodeagent:
image: node-agent-k8s
gateways:
istio-egressgateway:
autoscaleEnabled: true
zvpn:
suffix: global
enabled: true
type: ClusterIP
env:
ISTIO_META_ROUTER_MODE: "sni-dnat"
ports:
- port: 80
name: http2
- port: 443
name: https
- port: 15443
targetPort: 15443
name: tls
secretVolumes:
- name: egressgateway-certs
secretName: istio-egressgateway-certs
mountPath: /etc/istio/egressgateway-certs
- name: egressgateway-ca-certs
secretName: istio-egressgateway-ca-certs
mountPath: /etc/istio/egressgateway-ca-certs
istio-ingressgateway:
autoscaleEnabled: true
applicationPorts: ""
debug: info
domain: ""
type: LoadBalancer
zvpn:
enabled: true
suffix: global
sds:
enabled: false
image: node-agent-k8s
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
env:
ISTIO_META_ROUTER_MODE: "sni-dnat"
ports:
- port: 15020
targetPort: 15020
name: status-port
- port: 80
targetPort: 80
name: http2
- port: 443
name: https
- port: 15029
targetPort: 15029
name: kiali
- port: 15030
targetPort: 15030
name: prometheus
- port: 15031
targetPort: 15031
name: grafana
- port: 15032
targetPort: 15032
name: tracing
- port: 15443
targetPort: 15443
name: tls
meshExpansionPorts:
- port: 15011
targetPort: 15011
name: tcp-pilot-grpc-tls
- port: 8060
targetPort: 8060
name: tcp-citadel-grpc-tls
- port: 853
targetPort: 853
name: tcp-dns-tls
secretVolumes:
- name: ingressgateway-certs
secretName: istio-ingressgateway-certs
mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-ca-certs
secretName: istio-ingressgateway-ca-certs
mountPath: /etc/istio/ingressgateway-ca-certs
sidecarInjectorWebhook:
image: sidecar_injector
enableNamespacesByDefault: false
rewriteAppHTTPProbe: false
selfSigned: false
injectLabel: istio-injection
objectSelector:
enabled: false
autoInject: true
prometheus:
enabled: true
replicaCount: 1
hub: docker.io/prom
tag: v2.12.0
retention: 6h
scrapeInterval: 15s
contextPath: /prometheus
ingress:
enabled: false
hosts:
- prometheus.local
annotations:
tls:
security:
enabled: true
nodeSelector: {}
tolerations: []
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
grafana:
enabled: true
replicaCount: 1
image:
repository: grafana/grafana
tag: 6.4.3
persist: false
storageClassName: ""
accessMode: ReadWriteMany
security:
enabled: false
secretName: grafana
usernameKey: username
passphraseKey: passphrase
contextPath: /grafana
service:
annotations: {}
name: http
type: ClusterIP
externalPort: 3000
loadBalancerIP:
loadBalancerSourceRanges:
ingress:
enabled: false
hosts:
- grafana.local
annotations:
tls:
datasources:
datasources.yaml:
apiVersion: 1
datasources:
dashboardProviders:
dashboardproviders.yaml:
apiVersion: 1
providers:
- name: 'istio'
orgId: 1
folder: 'istio'
type: file
disableDeletion: false
options:
path: /var/lib/grafana/dashboards/istio
nodeSelector: {}
tolerations: []
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
env: {}
envSecrets: {}
tracing:
enabled: true
provider: jaeger
nodeSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
jaeger:
hub: docker.io/jaegertracing
tag: "1.14"
memory:
max_traces: 50000
spanStorageType: badger
persist: false
storageClassName: ""
accessMode: ReadWriteMany
zipkin:
hub: docker.io/openzipkin
tag: 2.14.2
probeStartupDelay: 200
queryPort: 9411
resources:
limits:
cpu: 300m
memory: 900Mi
requests:
cpu: 150m
memory: 900Mi
javaOptsHeap: 700
maxSpans: 500000
node:
cpus: 2
opencensus:
hub: docker.io/omnition
tag: 0.1.9
resources:
limits:
cpu: "1"
memory: 2Gi
requests:
cpu: 200m
memory: 400Mi
exporters:
stackdriver:
enable_tracing: true
service:
annotations: {}
name: http-query
type: ClusterIP
externalPort: 9411
ingress:
enabled: false
hosts:
annotations:
tls:
istiocoredns:
enabled: false
coreDNSImage: coredns/coredns
coreDNSTag: 1.6.2
coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1
kiali:
enabled: true
replicaCount: 1
hub: quay.io/kiali
tag: v1.9
contextPath: /kiali
nodeSelector: {}
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
ingress:
enabled: false
hosts:
- kiali.local
annotations:
tls:
dashboard:
secretName: kiali
usernameKey: username
passphraseKey: passphrase
viewOnlyMode: false
grafanaURL:
jaegerURL:
prometheusNamespace:
createDemoSecret: false
security:
enabled: false
cert_file: /kiali-cert/cert-chain.pem
private_key_file: /kiali-cert/key.pem
# TODO: derive from operator API
version: ""
clusterResources: true
#!/bin/bash
# istio env
ISTIO_VERSION=1.4.3
INSTALL_ENV=default
# download istio release version
curl -L https://istio.io/downloadIstio | sh -
cd istio-${ISTIO_VERSION}
# verify installation
bin/istioctl verify-install
# customize installation env
# bin/istioctl manifest apply \
# --set values.global.mtls.auto=true \
# --set values.security.citadelHealthCheck=true \
# --set values.pilot.policy.enabled=true \
# --set values.gateways.istio-egressgateway.enabled=true \
# --set values.gateways.istio-ingressgateway.type=LoadBalancer \
# --set values.global.disablePolicyChecks=false \
# --set values.global.k8sIngress.gatewayName=ingressgateway \
# --set cni.enabled=true \
# --set cni.components.cni.enabled=true \
# --set values.cni.logLevel=info \
# --set values.kiali.enabled=true \
# --set values.grafana.enabled=true \
# --set values.tracing.enabled=true \
# --set profile=default
# install istio by specify env file
bin/istioctl manifest apply -f default.yaml
# delete istio
# bin/istioctl manifest generate -f default.yaml | kubectl delete -f -
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment