istio网格扩展在虚拟机上的初始化动作
#!/bin/bash
# local-vm-ip e.g. 192.168.2.200
# istio-control-plane-vm-ip e.g. 192.168.2.100
# k8s-service-cidr e.g. 10.68.0.0/16
# k8s-pod-cidr e.g. 172.20.0.0/24
# k8s-dns-svc-ip e.g. 10.68.0.10
# app-namespace e.g. bookinfo
# app-namespace-certs e.g. /tmp/certs.tar
# app-inbound-ports e.g. 8081,8082,8083
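# Print the invocation synopsis with an example value for every option.
# Output goes to stdout (so `-h` can be paged); callers decide the exit code.
# The original printed only "Usage:" and then tried to *execute* each example
# line as a command, because the strings were on separate lines without a
# continuation — a heredoc avoids that class of mistake entirely.
function usage {
  cat <<'EOF'
Usage:
e.g. bash ./istio-sidecar-post-setup.sh \
  --local-vm-ip=192.168.2.200 \
  --istio-control-plane-vm-ip=192.168.2.100 \
  --k8s-service-cidr=10.68.0.0/16 \
  --k8s-pod-cidr=172.20.0.0/24 \
  --k8s-dns-svc-ip=10.68.0.10 \
  --app-namespace=bookinfo \
  --app-namespace-certs=/tmp/certs.tar \
  --app-inbound-ports=8081,8082,8083
EOF
}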
# Choose the getopt binary. The -a/--long forms used for option parsing need
# the GNU (util-linux) implementation; on macOS the BSD getopt in PATH lacks
# them, so the Homebrew /usr/local prefix path is used instead (adjust it for
# other installation prefixes).
case "${OSTYPE}" in
  darwin*) GETOPT_CMD=/usr/local/opt/gnu-getopt/bin/getopt ;;
  *)       GETOPT_CMD=getopt ;;
esac
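# Confirm the selected getopt is the enhanced GNU one: it answers `-T` with
# exit status 4, while the traditional/BSD variant does not. Without this the
# long options below would be silently mis-parsed.
"${GETOPT_CMD}" -T >/dev/null 2>&1
if [[ $? -ne 4 ]]; then
  echo "GNU getopt (util-linux) is required; found: ${GETOPT_CMD}" >&2
  exit 1
fi
LONG_OPTS=local-vm-ip:,istio-control-plane-vm-ip:,k8s-service-cidr:
LONG_OPTS=${LONG_OPTS},k8s-pod-cidr:,k8s-dns-svc-ip:,app-namespace:
LONG_OPTS=${LONG_OPTS},app-namespace-certs:,app-inbound-ports:,help
# Normalise the command line. The original chained `[[ $? -ne 0 ]] && … &&
# usage && exit 1`, so a non-zero status from usage skipped the exit and the
# script carried on with unparsed options; an explicit if/exit cannot.
if ! ARGS=$("${GETOPT_CMD}" -a -o L:I:S:P:D:n:c:p:h --long "${LONG_OPTS}" -- "$@"); then
  echo "Arguments error!" >&2
  usage
  exit 1
fi
# getopt emits a shell-quoted word list, so re-splitting it with eval is the
# documented idiom; nothing else on the command line is ever eval'd.
eval set -- "${ARGS}"
# Each option stores its value in a global that the setup steps read later.
while true; do
  case "$1" in
    -L|--local-vm-ip)                local_vm_ip="$2";               shift 2 ;;
    -I|--istio-control-plane-vm-ip)  istio_control_plane_vm_ip="$2"; shift 2 ;;
    -S|--k8s-service-cidr)           k8s_service_cidr="$2";          shift 2 ;;
    -P|--k8s-pod-cidr)               k8s_pod_cidr="$2";              shift 2 ;;
    -D|--k8s-dns-svc-ip)             k8s_dns_svc_ip="$2";            shift 2 ;;
    -n|--app-namespace)              app_namespace="$2";             shift 2 ;;
    -c|--app-namespace-certs)        app_namespace_certs="$2";       shift 2 ;;
    -p|--app-inbound-ports)          app_inbound_ports="$2";         shift 2 ;;
    -h|--help)                       usage; exit 0 ;;
    --)                              shift; break ;;
    # getopt already rejected unknown options; this guards against a
    # mismatch between the option spec above and the cases here.
    *)                               echo "Unexpected option: $1" >&2; usage; exit 1 ;;
  esac
done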
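# Echo the effective configuration so a run is auditable from its console log.
# printf with a fixed format is used instead of `echo … ${var}`: the values are
# operator-supplied and an unquoted expansion would be word-split and
# glob-expanded before printing.
function print_args {
  local name
  for name in local_vm_ip istio_control_plane_vm_ip k8s_service_cidr \
      k8s_pod_cidr k8s_dns_svc_ip app_namespace app_namespace_certs \
      app_inbound_ports; do
    printf '%s: %s\n' "${name}" "${!name:-}"
  done
}
print_args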
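# Usage: _check_arg_format NAME VALUE REGEX EXPECTED
# Succeeds when VALUE matches the extended regex REGEX; otherwise reports
# NAME on stderr (EXPECTED describes the accepted form) and returns 1.
function _check_arg_format {
  local name=$1 value=$2 regex=$3 expected=$4
  if [[ "${value}" =~ ${regex} ]]; then
    return 0
  fi
  echo "Invalid ${name}: '${value}' (expected ${expected})" >&2
  return 1
}
# Validate the parsed options before anything on the host is changed.
# All eight are mandatory, and their values are interpolated later into
# `ip route`, `dig`, sed expressions and config files, so each must have the
# plain shape the usage example shows (IPv4 address, IPv4 CIDR, DNS label,
# comma-separated port list, readable file). On any problem the usage text is
# printed and the script exits 1.
# Note: the original body held only a `# TODO` comment, which is a bash
# syntax error (an empty function body), so the script could not run at all.
function check_args {
  local name
  local errors=0
  for name in local_vm_ip istio_control_plane_vm_ip k8s_service_cidr \
      k8s_pod_cidr k8s_dns_svc_ip app_namespace app_namespace_certs \
      app_inbound_ports; do
    if [[ -z "${!name:-}" ]]; then
      echo "Missing required argument: ${name}" >&2
      errors=1
    fi
  done
  if (( errors )); then
    usage
    exit 1
  fi
  local ipv4='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  local cidr='^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'
  local ports='^[0-9]{1,5}(,[0-9]{1,5})*$'
  # Kubernetes namespace names are DNS labels; anything else would also
  # break the `search` line written into /etc/resolv.conf.
  local label='^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
  _check_arg_format local_vm_ip "${local_vm_ip}" "${ipv4}" 'IPv4 address' || errors=1
  _check_arg_format istio_control_plane_vm_ip "${istio_control_plane_vm_ip}" "${ipv4}" 'IPv4 address' || errors=1
  _check_arg_format k8s_service_cidr "${k8s_service_cidr}" "${cidr}" 'IPv4 CIDR' || errors=1
  _check_arg_format k8s_pod_cidr "${k8s_pod_cidr}" "${cidr}" 'IPv4 CIDR' || errors=1
  _check_arg_format k8s_dns_svc_ip "${k8s_dns_svc_ip}" "${ipv4}" 'IPv4 address' || errors=1
  _check_arg_format app_namespace "${app_namespace}" "${label}" 'DNS label' || errors=1
  _check_arg_format app_inbound_ports "${app_inbound_ports}" "${ports}" 'comma-separated port list' || errors=1
  if [[ ! -r "${app_namespace_certs}" ]]; then
    echo "Invalid app_namespace_certs: '${app_namespace_certs}' is not a readable file" >&2
    errors=1
  fi
  if (( errors )); then
    usage
    exit 1
  fi
}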
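# Install the sidecar and its host-side dependencies. The istio-sidecar
# package is expected to come from a repository the operator has already
# configured; dnsmasq/bind-utils serve the DNS steps, chrony the time sync.
function install_pkgs {
  local -a pkgs=(istio-sidecar dnsmasq net-tools bind-utils chrony)
  # Every later step depends on these packages, so a failed install must
  # stop the run instead of being silently ignored (there is no `set -e`).
  if ! yum install -y "${pkgs[@]}"; then
    echo "Package installation failed: ${pkgs[*]}" >&2
    exit 1
  fi
}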
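# Route the cluster's service and pod CIDRs through the control-plane VM.
# `ip route replace` is used rather than `add` so a re-run on a host that
# already has the routes updates them instead of failing with "File exists".
# These routes are not persistent across reboots; persisting them is left to
# the host's network configuration.
function config_route_rules {
  local cidr
  for cidr in "${k8s_service_cidr}" "${k8s_pod_cidr}"; do
    if ! ip route replace "${cidr}" via "${istio_control_plane_vm_ip}"; then
      echo "Failed to add route ${cidr} via ${istio_control_plane_vm_ip}" >&2
      exit 1
    fi
  done
}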
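# Make the control-plane VM the host's only NTP source and step the clock
# (certificate validity checks are time-sensitive, so the VM should agree
# with the cluster on the time).
function config_chrony_service {
  local conf=/etc/chrony.conf
  local line="server ${istio_control_plane_vm_ip} iburst"
  # Only rewrite the server list when our line is not already active:
  # re-running the original appended a duplicate each time and commented out
  # the line it had added on the previous run.
  if ! grep -qxF -- "${line}" "${conf}"; then
    sed -i -e 's/^server/#server/g' "${conf}"
    printf '%s\n' "${line}" >> "${conf}"
  fi
  sed -i -e 's/^#keyfile/keyfile/' "${conf}"
  systemctl restart chronyd
  timedatectl set-ntp 1
  chronyc -a makestep
}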
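# Usage: _resolve_svc_ip NAME
# Print the first A record of NAME.istio-system.svc.cluster.local as answered
# by the cluster DNS at k8s_dns_svc_ip; fail (with a message) when there is
# none, so an empty address never reaches the dnsmasq config.
function _resolve_svc_ip {
  local fqdn="$1.istio-system.svc.cluster.local"
  local ip
  # Answer lines look like "<name> <ttl> IN A <ip>"; comments start with ';'.
  ip=$(dig "@${k8s_dns_svc_ip}" "${fqdn}" A | awk '$3 == "IN" && $4 == "A" { print $5; exit }')
  if [[ -z "${ip}" ]]; then
    echo "Could not resolve ${fqdn} via ${k8s_dns_svc_ip}" >&2
    return 1
  fi
  printf '%s\n' "${ip}"
}
# Write the two sidecar inputs: a dnsmasq snippet that forwards
# *.svc.cluster.local to the cluster DNS and pins the istio-system service
# names to their ClusterIPs, and /etc/istio/envoy/cluster.env for the proxy.
function generate_istio_sidecar_cfg {
  local policy_ip telemetry_ip pilot_ip citadel_ip zipkin_ip
  policy_ip=$(_resolve_svc_ip istio-policy) || exit 1
  telemetry_ip=$(_resolve_svc_ip istio-telemetry) || exit 1
  pilot_ip=$(_resolve_svc_ip istio-pilot) || exit 1
  citadel_ip=$(_resolve_svc_ip istio-citadel) || exit 1
  zipkin_ip=$(_resolve_svc_ip zipkin) || exit 1
  cat <<EOF > /etc/dnsmasq.d/kubedns
server=/svc.cluster.local/${k8s_dns_svc_ip}
address=/istio-policy/${policy_ip}
address=/istio-telemetry/${telemetry_ip}
address=/istio-pilot/${pilot_ip}
address=/istio-citadel/${citadel_ip}
address=/istio-ca/${citadel_ip}
address=/zipkin/${zipkin_ip}
address=/istio-policy.istio-system/${policy_ip}
address=/istio-telemetry.istio-system/${telemetry_ip}
address=/istio-pilot.istio-system/${pilot_ip}
address=/istio-citadel.istio-system/${citadel_ip}
address=/istio-ca.istio-system/${citadel_ip}
address=/zipkin.istio-system/${zipkin_ip}
EOF
  systemctl restart dnsmasq
  systemctl enable dnsmasq
  # ISTIO_CP_AUTH=NONE means the sidecar talks to the control plane without
  # mutual TLS; it must match how the cluster's control plane was deployed
  # (the other documented value is MUTUAL_TLS).
  cat <<EOF > /etc/istio/envoy/cluster.env
ISTIO_SERVICE_CIDR=${k8s_service_cidr}
ISTIO_SYSTEM_NAMESPACE=istio-system
ISTIO_CP_AUTH=NONE
ISTIO_INBOUND_PORTS=${app_inbound_ports}
ISTIO_NAMESPACE=${app_namespace}
ISTIO_SVC_IP=${local_vm_ip}
EOF
  # user:group is the portable chown spelling; the user.group form is a
  # deprecated GNU extension.
  chown istio-proxy:istio-proxy /etc/istio/envoy/cluster.env
}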
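# Hand name resolution to the local dnsmasq: stop NetworkManager from
# rewriting /etc/resolv.conf, then put 127.0.0.1 and the namespace search
# path at the top of it.
function config_dns {
  local nm_conf=/etc/NetworkManager/NetworkManager.conf
  local resolv=/etc/resolv.conf
  # Insert the two keys under [main] only once; the original sed added them
  # again on every run.
  if ! grep -q '^dns=none' "${nm_conf}"; then
    sed -i -e '/^\[main\]$/ s/$/\nplugins=ifcfg-rh\ndns=none/' "${nm_conf}"
  fi
  systemctl restart NetworkManager
  if grep -q '^nameserver 127.0.0.1$' "${resolv}"; then
    return 0
  fi
  # Build the new file with printf rather than splicing app_namespace into a
  # sed expression, where a '/' or '&' in the value would alter the command.
  # The temp file is created next to resolv.conf so that, like `sed -i`, the
  # replacement keeps the directory's default ownership/SELinux label, and it
  # is given the world-readable mode resolvers expect.
  local tmp
  tmp=$(mktemp /etc/resolv.conf.XXXXXX) || exit 1
  {
    printf 'search %s.svc.cluster.local svc.cluster.local\n' "${app_namespace}"
    printf 'nameserver 127.0.0.1\n'
    cat "${resolv}"
  } > "${tmp}"
  chmod 0644 -- "${tmp}"
  mv -f -- "${tmp}" "${resolv}"
}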
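# Unpack the namespace's certificate bundle into /etc/certs and hand it to
# the istio-proxy user, which is what the sidecar runs as.
function extract_app_namespace_certs {
  local dest=/etc/certs
  mkdir -p -- "${dest}"
  # -xf without -z: GNU tar detects gzip on read, so both the plain
  # certs.tar of the usage example and a .tar.gz work (the original -z
  # failed on an uncompressed archive). The archive is unpacked as root
  # into a fixed directory, so only the bundle exported for this namespace
  # should be passed here.
  if ! tar -xf "${app_namespace_certs}" -C "${dest}"; then
    echo "Failed to extract ${app_namespace_certs} into ${dest}" >&2
    exit 1
  fi
  chown -R istio-proxy:istio-proxy "${dest}"
  # NOTE(review): if the bundle contains the workload's private key (Istio's
  # certs directory normally does), consider `chmod -R o-rwx "${dest}"` once
  # it is confirmed that nothing outside istio-proxy/root needs to read it.
}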
# Restart the sidecar units so they pick up cluster.env, the certificates and
# the resolver configuration written by the earlier steps (same order as
# before: the proxy unit first, then the node agent).
function restart_istio_sidecar_service {
  local unit
  for unit in istio istio-auth-node-agent; do
    systemctl restart "${unit}"
  done
}
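# Run the setup steps in dependency order. Option parsing at the top of the
# file has already populated the globals the steps read. Every step installs
# packages, edits files under /etc or restarts services, so the script must
# run as root; checking once here gives a clear message instead of a trail of
# permission errors part-way through.
function main {
  if (( EUID != 0 )); then
    echo "This script must be run as root" >&2
    exit 1
  fi
  # 1. validate the parsed arguments (exits on any problem)
  check_args
  # 2. install istio-sidecar, dnsmasq, net-tools, bind-utils, chrony
  install_pkgs
  # 3. route the service and pod CIDRs via the control-plane VM
  config_route_rules
  # 4. configure the NTP client
  config_chrony_service
  # 5. generate the dnsmasq kubedns snippet and cluster.env
  generate_istio_sidecar_cfg
  # 6. take resolv.conf away from NetworkManager and point it at dnsmasq
  config_dns
  # 7. extract the app namespace's certs to /etc/certs
  extract_app_namespace_certs
  # 8. restart the istio and istio-auth-node-agent services
  restart_istio_sidecar_service
}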
# Entry point: the options were parsed at the top of the file, so main takes
# no arguments of its own.
main