This repository has been archived by the owner on Oct 24, 2023. It is now read-only.
docs: update stale Istio page and example (#3639)
Showing 2 changed files with 56 additions and 90 deletions.
@@ -1,67 +1,31 @@ | ||
# Kubernetes - Service Mesh | ||
|
||
There are numerous implementations of a service mesh which integrate with kubernetes such as Istio, [Linkerd](http://linkerd.io), and [Conduit](https://conduit.io/). [This is one blog post](https://medium.com/microservices-in-practice/service-mesh-for-microservices-2953109a3c9a) which explains some fundamentals behind what it is and why to use it. | ||
There are numerous implementations of a service mesh which integrate with Kubernetes such as Istio, [Linkerd](http://linkerd.io), and [Conduit](https://conduit.io/). This blog [post](https://medium.com/microservices-in-practice/service-mesh-for-microservices-2953109a3c9a) explains what a service mesh is and why to use one. | ||
|
||
Some service mesh implementations **may** benefit from or require additional [customizations to the kubernetes cluster itself](https://github.com/Azure/aks-engine/blob/master/docs/clusterdefinition.md). | ||
This page details the customizations required to successfully deploy some of these service mesh implementations. | ||
|
||
## Istio | ||
|
||
The `istio.json` file in this directory enables the kubernetes API server options to support automatic sidecar injection using [Isitio](https://istio.io/). If automatic sidecar injection isn't enabled, then all services must then manually inject the sidecar configuration into every deployment, every time. | ||
_The steps below were validated using AKS Engine v0.53.0 and Kubernetes v1.17_ | ||
|
||
The main changes this configuration makes is adding these flags to the apiserver `MutatingAdmissionWebhook,ValidatingAdmissionWebhook`. | ||
### Secret Discovery Service | ||
|
||
### Installation | ||
To accomodate to the changes in [Secret Discovery Service](https://istio.io/latest/blog/2019/trustworthy-jwt-sds/) since Istio 1.3, | ||
please refer to sample apimodel [istio.json](./istio.json) | ||
|
||
#### Create Azure Resources | ||
This sample shows the extra Kubernetes API server flags that are required to enable `Service Account Token Volume Projection`as indicated | ||
[here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection). | ||
|
||
1. Create Resource Group | ||
You may have to adjust `--service-account-api-audiences` and `--service-account-issuer` to your specific use case. | ||
|
||
``` | ||
az group create --name "<resourceGroupName>" --location "eastus" | ||
``` | ||
|
||
2. Create Service Principal | ||
|
||
``` | ||
az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>" | ||
``` | ||
|
||
#### Update istio.json | ||
|
||
3. Ensure `orchestratorRelease` is 1.9+. | ||
4. Update `--admission-control` to include `MutatingAdmissionWebhook,ValidatingAdmissionWebhook` | ||
|
||
**Note**: admission-controls need to be entered in the order defined on the kubernetes [docs](https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use). | ||
|
||
Your updates should look like this. | ||
``` | ||
"orchestratorProfile": { | ||
"orchestratorType": "Kubernetes", | ||
"orchestratorRelease": "1.9", | ||
"kubernetesConfig": { | ||
"apiServerConfig": { | ||
"--admission-control": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,DenyEscalatingExec,AlwaysPullImages,ValidatingAdmissionWebhook,ResourceQuota", | ||
} | ||
```json | ||
{ | ||
"kubernetesConfig": { | ||
"apiServerConfig": { | ||
"--service-account-api-audiences": "api,istio-ca", | ||
"--service-account-issuer": "kubernetes.default.svc", | ||
"--service-account-signing-key-file": "/etc/kubernetes/certs/apiserver.key" | ||
} | ||
} | ||
``` | ||
|
||
4. Add Service Principal ID and Secret | ||
``` | ||
"servicePrincipalProfile": { | ||
"clientId": "<Insert Service Principal Client ID>", | ||
"secret": "<Insert Service Principal Client Secret>" | ||
} | ||
``` | ||
|
||
|
||
### Post installation | ||
|
||
Once the template has been successfully deployed, then Istio can be installed via either: | ||
|
||
1. Manual - follow the website [Installation steps](https://istio.io/docs/setup/kubernetes/quick-start.html#installation-steps). | ||
1. Helm Chart - is maintained in the Istio repository itself (no longer hub.kubeapps.com). [See these instructions on the Istio website](https://istio.io/docs/setup/kubernetes/helm.html). | ||
|
||
> Note: So far it seems the manual steps are more well maintained and up-to-date than the helm chart. | ||
After Istio has been installed, consider [walking through the various Tasks](https://istio.io/docs/tasks/) which use the Book info example application. | ||
} | ||
``` |
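Review bot: the new README adds the three projected-token flags (`--service-account-api-audiences`, `--service-account-issuer`, `--service-account-signing-key-file`) and says only that the first two "may have to be adjusted", without saying what they control. One sentence would save readers a debugging session: the signing key given in `--service-account-signing-key-file` must be the private half of the key the API server verifies service account tokens against, or every projected token is rejected, and the `api,istio-ca` audience list is what the tokens handed to Istio's SDS are bound to, so it should be kept to the audiences actually needed. Two small text fixes in the same hunk: "To accomodate to the changes" should read "To accommodate the changes", and there is a missing space in "`Service Account Token Volume Projection`as indicated". Finally, dropping the whole "Post installation" section leaves the page ending at the apimodel with no pointer to how Istio itself is installed once the cluster exists; keeping a single link to the current Istio setup docs would close that gap.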
@@ -1,41 +1,43 @@ | ||
{ | ||
"apiVersion": "vlabs", | ||
"properties": { | ||
"orchestratorProfile": { | ||
"orchestratorType": "Kubernetes", | ||
"orchestratorRelease": "1.15", | ||
"kubernetesConfig": { | ||
"apiServerConfig": { | ||
"--admission-control": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,DenyEscalatingExec,AlwaysPullImages" | ||
} | ||
} | ||
}, | ||
"masterProfile": { | ||
"count": 1, | ||
"dnsPrefix": "", | ||
"vmSize": "Standard_DS2_v2" | ||
}, | ||
"agentPoolProfiles": [ | ||
{ | ||
"name": "agentpool1", | ||
"count": 2, | ||
"vmSize": "Standard_DS2_v2", | ||
"availabilityProfile": "AvailabilitySet" | ||
} | ||
], | ||
"linuxProfile": { | ||
"adminUsername": "azureuser", | ||
"ssh": { | ||
"publicKeys": [ | ||
{ | ||
"keyData": "" | ||
} | ||
] | ||
"apiVersion": "vlabs", | ||
"properties": { | ||
"orchestratorProfile": { | ||
"orchestratorType": "Kubernetes", | ||
"orchestratorRelease": "1.17", | ||
"kubernetesConfig": { | ||
"apiServerConfig": { | ||
"--service-account-api-audiences": "api,istio-ca", | ||
"--service-account-issuer": "kubernetes.default.svc", | ||
"--service-account-signing-key-file": "/etc/kubernetes/certs/apiserver.key" | ||
} | ||
}, | ||
"servicePrincipalProfile": { | ||
"clientId": "", | ||
"secret": "" | ||
} | ||
}, | ||
"masterProfile": { | ||
"count": 1, | ||
"dnsPrefix": "", | ||
"vmSize": "Standard_DS2_v2" | ||
}, | ||
"agentPoolProfiles": [ | ||
{ | ||
"name": "agentpool1", | ||
"count": 2, | ||
"vmSize": "Standard_DS2_v2", | ||
"availabilityProfile": "AvailabilitySet" | ||
} | ||
], | ||
"linuxProfile": { | ||
"adminUsername": "azureuser", | ||
"ssh": { | ||
"publicKeys": [ | ||
{ | ||
"keyData": "" | ||
} | ||
] | ||
} | ||
}, | ||
"servicePrincipalProfile": { | ||
"clientId": "", | ||
"secret": "" | ||
} | ||
} | ||
} |
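Review bot: on the new side of this hunk `"servicePrincipalProfile"` appears twice, once nested inside `orchestratorProfile` right after the `kubernetesConfig` block closes (the `"clientId": ""` / `"secret": ""` pair before the `},` that closes `orchestratorProfile`) and again at the `properties` level just before the final two closing braces. Please confirm the committed file carries it exactly once, at the `properties` level, which is where the README's own snippet places it; if the trailing copy was the one removed, the `},` that closes `linuxProfile` now leaves a trailing comma before the closing brace of `properties`, which strict JSON parsers reject. The empty `"clientId"` and `"secret"` placeholders are the right thing to check in; it is worth one line in the README telling readers to fill them in a local copy rather than in the tracked example.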