diff --git a/docs/install/Knative-custom-install.md b/docs/install/Knative-custom-install.md index 6e100cf2067..9b962476836 100644 --- a/docs/install/Knative-custom-install.md +++ b/docs/install/Knative-custom-install.md 
@@ -44,113 +44,13 @@ traffic routing and ingress. You have the option of injecting Istio sidecars and enabling the Istio service mesh, but it's not required for all Knative components. -You should first install the `istio-crds.yaml` file to ensure that the Istio -[Custom Resource Definitions (CRD)](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) -are created before installing Istio. +If your cloud platform offers a managed Istio installation, we recommend +installing Istio that way, unless you need the ability to customize your +installation. -### Choosing an Istio installation - -You can Istio with or without a service mesh: - -- _automatic sidecar injection_: Enables the Istio service mesh by - [automatically injecting the Istio sidecars](https://istio.io/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection). - The sidecars are injected into each pod of your cluster as each pod is - created. - -- _manual sidecar injection_: Provides your Knative installation with traffic - routing and ingress, without the Istio service mesh. You do have the option of - later enabling the service mesh if you - [manually inject the Istio sidecars](https://istio.io/docs/setup/kubernetes/sidecar-injection/#manual-sidecar-injection). - -If you are just getting started with Knative, you should choose automatic -sidecar injection and enable the Istio service mesh. - -Due to current dependencies, some installable Knative options require the Istio -service mesh. 
If you install any of the following options, you must install -`istio.yaml` so that automatic sidecar injection is enabled: - -- [Knative Eventing](https://github.com/knative/eventing) -- [Knative Eventing Sources](https://github.com/knative/eventing-sources) -- [Observability plugins](../serving/installing-logging-metrics-traces.md) - -#### Istio installation options - -| Istio Install Filename | Description | -| ----------------------- | ---------------------------------------------------------------------- | -| [`istio-crds.yaml`][a]† | Creates CRDs before installing Istio. | -| [`istio.yaml`][b]† | Install Istio with service mesh enabled (automatic sidecar injection). | -| [`istio-lean.yaml`][c] | Install Istio and disable the service mesh by default. | - -† These are the recommended standard install files suitable for most use cases. - -[a]: - https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml -[b]: - https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml -[c]: https://github.com/knative/serving/releases/download/v0.5.2/istio-lean.yaml - -### Installing Istio - -1. If you choose to install the Istio service mesh with automatic sidecar - injection, you must ensure that the - [`MutatingAdmissionWebhook` admission controller](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#mutatingwebhookconfiguration-v1beta1-admissionregistration-k8s-io) - is enabled on your cluster by running the following command: - - ```bash - kubectl api-versions | grep admissionregistration - ``` - - Result: - - ```bash - admissionregistration.k8s.io/v1beta1 - ``` - - If `admissionregistration.k8s.io/v1beta1` is not listed, follow the - [Kubernetes instructions about enabling the `MutatingAdmissionWebhook` admission controller](https://kubernetes.io/docs/admin/admission-controllers/#how-do-i-turn-on-an-admission-controller). 
- - For example, you add `--enable-admission-plugins=MutatingAdmissionWebhook` to - the `/etc/kubernetes/manifests/kube-apiserver.yaml` file. - -1. Create the Istio CRDs on your cluster: - - ```bash - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml - ``` - -1. Install Istio by specifying the filename in the `kubectl apply` command: - - ```bash - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/[FILENAME].yaml - ``` - - where `[FILENAME]` is the name of the Istio file that you want to install. - Examples: - - - `istio.yaml` - - `istio-lean.yaml` - -1. If you chose to install the Istio service mesh with automatic sidecar - injection, you must label the default namespace with - `istio-injection=enabled`: - - ```bash - kubectl label namespace default istio-injection=enabled - ``` - - Important: You should set the `istio-injection` namespace, if you intend on - later enabling the Istio service mesh through manual sidecar injection. - -1. View the status of your Istio installation. It might take a few seconds, so - rerun the following command until all of the pods show a `STATUS` of - `Running` or `Completed`: - - ```bash - kubectl get pods --namespace istio-system - ``` - - > Tip: You can append the `--watch` flag to the `kubectl get` commands to - > view the pod status in realtime. You use `CTRL + C` to exit watch mode. +If you prefer to install Istio manually, if your cloud provider doesn't offer +a managed Istio installation, or if you're installing Knative locally using Minkube +or similar, see the [Installing Istio for Knative guide](./installing-istio.md). ## Installing Knative components diff --git a/docs/install/Knative-with-AKS.md b/docs/install/Knative-with-AKS.md index 1f99beb9b9d..aec183cd234 100644 --- a/docs/install/Knative-with-AKS.md +++ b/docs/install/Knative-with-AKS.md 
@@ -137,35 +137,17 @@ recommended configuration for a cluster is: > Gloo is not currently compatible with the Knative Eventing component. > [Click here](./Knative-with-Gloo.md) to install Knative with Gloo. -Knative depends on Istio. +Knative depends on Istio. If your cloud platform offers a managed Istio +installation, we recommend installing Istio that way, unless you need the +ability to customize your installation. -1. Install Istio: +If you prefer to install Istio manually, if your cloud provider doesn't offer +a managed Istio installation, or if you're installing Knative locally using +Minkube or similar, see the +[Installing Istio for Knative guide](./installing-istio.md). - ```bash - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml && \ - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml - ``` - - Note: the resources (CRDs) defined in the `istio-crds.yaml`file are also - included in the `istio.yaml` file, but they are pulled out so that the CRD - definitions are created first. If you see an error when creating resources - about an unknown type, run the second `kubectl apply` command again. - -1. Label the default namespace with `istio-injection=enabled`: - - ```bash - kubectl label namespace default istio-injection=enabled - ``` - -1. Monitor the Istio components until all of the components show a `STATUS` of - `Running` or `Completed`: `bash kubectl get pods --namespace istio-system` - -It will take a few minutes for all the components to be up and running; you can -rerun the command to see the current status. - -> Note: Instead of rerunning the command, you can add `--watch` to the above -> command to view the component's status updates in real time. Use CTRL + C to -> exit watch mode. +You must install Istio on your Kubernetes cluster before continuing with these +instructions to install Knative. 
## Installing Knative diff --git a/docs/install/Knative-with-Gardener.md b/docs/install/Knative-with-Gardener.md index eef0deca9c1..caf8bb05c5d 100644 --- a/docs/install/Knative-with-Gardener.md +++ b/docs/install/Knative-with-Gardener.md 
@@ -72,36 +72,15 @@ of this guide be sure you have `export KUBECONFIG=my-cluster.yaml` set. ## Installing Istio -Knative depends on Istio. - -1. Install Istio: - - ```bash - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml && \ - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml - ``` - - Note: the resources (CRDs) defined in the `istio-crds.yaml`file are also - included in the `istio.yaml` file, but they are pulled out so that the CRD - definitions are created first. If you see an error when creating resources - about an unknown type, run the second `kubectl apply` command again. - -2. Label the default namespace with `istio-injection=enabled`: - ```bash - kubectl label namespace default istio-injection=enabled - ``` -3. Monitor the Istio components until all of the components show a `STATUS` of - `Running` or `Completed`: - ```bash - kubectl get pods --namespace istio-system - ``` - -It will take a few minutes for all the components to be up and running; you can -rerun the command to see the current status. - -> Note: Instead of rerunning the command, you can add `--watch` to the above -> command to view the component's status updates in real time. Use CTRL + C to -> exit watch mode. +Knative depends on Istio. If your cloud platform offers a managed Istio +installation, we recommend installing Istio that way, unless you need the +ability to customize your installation. + +Otherwise, see the +[Installing Istio for Knative guide](./installing-istio.md) to install Istio. + +You must install Istio on your Kubernetes cluster before continuing with these +instructions to install Knative. ## Installing Knative diff --git a/docs/install/Knative-with-ICP.md b/docs/install/Knative-with-ICP.md index 6545e6af77d..dd154e80780 100644 --- a/docs/install/Knative-with-ICP.md +++ b/docs/install/Knative-with-ICP.md 
@@ -125,6 +125,12 @@ the`knative-build` and `knative-monitoring` namespaces. [Follow the instructions to install and run Istio in IBM Cloud Private](https://istio.io/docs/setup/kubernetes/quick-start-ibm/#ibm-cloud-private). +If you prefer to install Istio manually, see the +[Installing Istio for Knative guide](./installing-istio.md). + +You must install Istio on your Kubernetes cluster before continuing with these +instructions to install Knative. + ## Installing Knative The following commands install all available Knative components as well as the diff --git a/docs/install/Knative-with-IKS.md b/docs/install/Knative-with-IKS.md index ecad2506ee0..a7dfe4c05b6 100644 --- a/docs/install/Knative-with-IKS.md +++ b/docs/install/Knative-with-IKS.md 
@@ -154,36 +154,17 @@ forward. ### Installing Istio -Knative depends on Istio. +Knative depends on Istio. If your cloud platform offers a managed Istio +installation, we recommend installing Istio that way, unless you need the +ability to customize your installation. -1. Install Istio: +If you prefer to install Istio manually, if your cloud provider doesn't offer +a managed Istio installation, or if you're installing Knative locally using +Minkube or similar, see the +[Installing Istio for Knative guide](./installing-istio.md). - ```bash - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml && \ - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml - ``` - - Note: the resources (CRDs) defined in the `istio-crds.yaml`file are also - included in the `istio.yaml` file, but they are pulled out so that the CRD - definitions are created first. If you see an error when creating resources - about an unknown type, run the second `kubectl apply` command again. - -1. Label the default namespace with `istio-injection=enabled`: - ```bash - kubectl label namespace default istio-injection=enabled - ``` -1. Monitor the Istio components until all of the components show a `STATUS` of - `Running` or `Completed`: - ```bash - kubectl get pods --namespace istio-system - ``` - -It will take a few minutes for all the components to be up and running; you can -rerun the command to see the current status. - -> Note: Instead of rerunning the command, you can add `--watch` to the above -> command to view the component's status updates in real time. Use CTRL+C to -> exit watch mode. +You must install Istio on your Kubernetes cluster before continuing with these +instructions to install Knative. ### Installing Knative diff --git a/docs/install/Knative-with-PKS.md b/docs/install/Knative-with-PKS.md index 503028c6dba..f986a2cc7f8 100644 
--- a/docs/install/Knative-with-PKS.md +++ b/docs/install/Knative-with-PKS.md 
@@ -48,34 +48,19 @@ https://docs.pivotal.io/runtimes/pks/1-1/cluster-credentials.html. ## Installing Istio -Knative depends on Istio. Istio workloads require privileged mode for Init -Containers - -1. Install Istio: - - ```bash - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml && \ - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml - ``` - - Note: the resources (CRDs) defined in the `istio-crds.yaml`file are also - included in the `istio.yaml` file, but they are pulled out so that the CRD - definitions are created first. If you see an error when creating resources - about an unknown type, run the second `kubectl apply` command again. - -1. Label the default namespace with `istio-injection=enabled`: - ```bash - kubectl label namespace default istio-injection=enabled - ``` -1. Monitor the Istio components until all of the components show a `STATUS` of - `Running` or `Completed`: `bash kubectl get pods --namespace istio-system` - -It will take a few minutes for all the components to be up and running; you can -rerun the command to see the current status. - -> Note: Instead of rerunning the command, you can add `--watch` to the above -> command to view the component's status updates in real time. Use CTRL + C to -> exit watch mode. +Knative depends on Istio. If your cloud platform offers a managed Istio +installation, we recommend installing Istio that way, unless you need the +ability to customize your installation. For example, the +[GKE Install Guide](./knative-with-gke.md) includes the instructions for +installing Istio on your cluster using `gcloud`. + +If you prefer to install Istio manually, if your cloud provider doesn't offer +a managed Istio installation, or if you're installing Knative locally using +Minkube or similar, see the +[Installing Istio for Knative guide](./installing-istio.md). 
+ +You must install Istio on your Kubernetes cluster before continuing with these +instructions to install Knative. ## Installing Knative diff --git a/docs/install/Knative-with-any-k8s.md b/docs/install/Knative-with-any-k8s.md index 8db8efb62b8..b6b0a57ec82 100644 --- a/docs/install/Knative-with-any-k8s.md +++ b/docs/install/Knative-with-any-k8s.md 
@@ -21,40 +21,19 @@ commands will need to be adjusted for use in a Windows environment. ## Installing Istio -Knative depends on Istio. Istio workloads require privileged mode for Init -Containers. - -1. Install Istio: - - ```bash - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml && \ - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml - ``` - - Note: the resources (CRDs) defined in the `istio-crds.yaml`file are also - included in the `istio.yaml` file, but they are pulled out so that the CRD - definitions are created first. If you see an error when creating resources - about an unknown type, run the second `kubectl apply` command again. - -1. Label the default namespace with `istio-injection=enabled`: - - ```bash - kubectl label namespace default istio-injection=enabled - ``` - -1. Monitor the Istio components until all of the components show a `STATUS` of - `Running` or `Completed`: - - ```bash - kubectl get pods --namespace istio-system - ``` - -It will take a few minutes for all the components to be up and running; you can -rerun the command to see the current status. - -> Note: Instead of rerunning the command, you can add `--watch` to the above -> command to view the component's status updates in real time. Use CTRL + C to -> exit watch mode. +Knative depends on Istio. If your cloud platform offers a managed Istio +installation, we recommend installing Istio that way, unless you need the +ability to customize your installation. For example, the +[GKE Install Guide](./knative-with-gke.md) includes the instructions for +installing Istio on your cluster using `gcloud`. + +If you prefer to install Istio manually, if your cloud provider doesn't offer +a managed Istio installation, or if you're installing Knative locally using +Minkube or similar, see the +[Installing Istio for Knative guide](./installing-istio.md). 
+ +You must install Istio on your Kubernetes cluster before continuing with these +instructions to install Knative. ## Installing Knative diff --git a/docs/install/installing-istio.md b/docs/install/installing-istio.md new file mode 100644 index 00000000000..b85ad41bd5d --- /dev/null +++ b/docs/install/installing-istio.md 
@@ -0,0 +1,272 @@ +--- +title: "Installing Istio for Knative" +weight: 15 +type: "docs" +--- + +This guide walks you through manually installing and customizing Istio for use +with Knative. + +If your cloud platform offers a managed Istio installation, we recommend +installing Istio that way, unless you need the ability to customize your +installation. If your cloud platform offers a managed Istio installation, +the [install guide](./README.md) for your specific platform will have those +instructions. + +For example, the [GKE Install Guide](./knative-with-gke.md) includes the +instructions for installing Istio on your cluster using `gcloud`. + +## Before you begin + +You need: +- A Kubernetes cluster created. +- [`helm`](https://helm.sh/) installed. + +## Installing Istio + +When you install Istio, there are a few options depending on your goals. For a +basic Istio installation suitable for most Knative use cases, follow the +[Installing Istio without sidecar injection](#installing-istio-without-sidecar-injection) +instructions. If you're familiar with Istio and know what kind of +installation you want, read through the options and choose the installation that +suits your needs. + +You can easily customize your Istio installation with `helm`. The below sections +cover a few useful Istio configurations and their benefits. + +### Choosing an Istio installation + +You can install Istio with or without a service mesh: + +- _automatic sidecar injection_: Enables the Istio service mesh by + [automatically injecting the Istio sidecars][1]. The sidecars are injected + into each pod of your cluster as they are created. + +- _manual sidecar injection_: Provides your Knative installation with traffic + routing and ingress, without the Istio service mesh. You do have the option of + later enabling the service mesh if you [manually inject the Istio sidecars][2]. + +If you are just getting started with Knative, we recommend installing Istio +without automatic sidecar injection. 
+ +### Downloading Istio and installing CRDs + +1. Enter the following commands to download Istio: + + ```shell + # Download and unpack Istio + export ISTIO_VERSION=1.1.3 + curl -L https://git.io/getLatestIstio | sh - + cd istio-${ISTIO_VERSION} + ``` + +1. Enter the following command to install the Istio CRDs first: + + ```shell + for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done + ``` + + Wait a few seconds for the CRDs to be committed in the Kubernetes API-server, + then continue with these instructions. + +1. Finish the install by applying your desired Istio configuration: + - [Installing Istio without sidecar injection](#installing-istio-without-sidecar-injection)(Recommended default installation) + - [Installing Istio with sidecar injection](#installing-istio-with-sidecar-injection) + - [Installing Istio with SDS to secure the ingress gateway](#installing-istio-with-SDS-to-secure-the-ingress-gateway) + +#### Installing Istio without sidecar injection + +If you want to get up and running with Knative quickly, we recommend installing +Istio without automatic sidecar injection. This install is also recommended for +users who don't need the Istio service mesh, or who want to enable the service +mesh by [manually injecting the Istio sidecars][2]. + +Enter the following command to install Istio: + +```shell +# A lighter template, with no sidecar injection. 
+helm template --namespace=istio-system \ + --set global.proxy.autoInject=disabled \ + --set global.omitSidecarInjectorConfigMap=true \ + --set global.disablePolicyChecks=true \ + --set prometheus.enabled=false \ + `# Disable mixer prometheus adapter to remove istio default metrics.` \ + --set mixer.adapters.prometheus.enabled=false \ + `# Disable mixer policy check, since in our template we set no policy.` \ + --set global.disablePolicyChecks=true \ + `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ + --set gateways.istio-ingressgateway.autoscaleMin=1 \ + --set gateways.istio-ingressgateway.autoscaleMax=1 \ + `# Set pilot trace sampling to 100%` \ + --set pilot.traceSampling=100 \ + install/kubernetes/helm/istio \ + `# Removing trailing whitespaces to make automation happy` \ + | sed 's/[ \t]*$//' \ + > ./istio-lean.yaml + +kubectl apply -f istio-lean.yaml +``` + +#### Installing Istio with sidecar injection + +If you want to enable the Istio service mesh, you must enable +[automatic sidecar injection][1]. The Istio service mesh provides a few benefits: + +- Allows you to turn on [mutual TLS][4], which secures service-to-service + traffic within the cluster. + +- Allows you to use the [Istio authorization policy][5], controlling the access + to each Knative service based on Istio service roles. + +Enter the following command to install Istio: + +```shell +# A template with sidecar injection enabled. 
+helm template --namespace=istio-system \ + --set sidecarInjectorWebhook.enabled=true \ + --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ + --set global.proxy.autoInject=disabled \ + --set global.disablePolicyChecks=true \ + --set prometheus.enabled=false \ + `# Disable mixer prometheus adapter to remove istio default metrics.` \ + --set mixer.adapters.prometheus.enabled=false \ + `# Disable mixer policy check, since in our template we set no policy.` \ + --set global.disablePolicyChecks=true \ + `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ + --set gateways.istio-ingressgateway.autoscaleMin=1 \ + --set gateways.istio-ingressgateway.autoscaleMax=1 \ + --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ + --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ + `# More pilot replicas for better scale` \ + --set pilot.autoscaleMin=2 \ + `# Set pilot trace sampling to 100%` \ + --set pilot.traceSampling=100 \ + install/kubernetes/helm/istio \ + `# Removing trailing whitespaces to make automation happy` \ + | sed 's/[ \t]*$//' \ + > ./istio.yaml + +kubectl apply -f istio.yaml +``` + +#### Installing Istio with SDS to secure the ingress gateway + +Install Istio with [Secret Discovery Service (SDS)][3] to enable a few additional +configurations for the gateway TLS. This will allow you to: + +- Dynamically update the gateway TLS with multiple TLS certificates to terminate + TLS connections. + +- Use [Auto TLS](../serving/using-auto-tls.md). 
+ +The below `helm` flag is needed in your `helm` command to enable `SDS`: + +``` +--set gateways.istio-ingressgateway.sds.enabled=true +``` + +Enter the following command to install Istio with ingress `SDS` and +automatic sidecar injection: + +```shell +helm template --namespace=istio-system \ + --set sidecarInjectorWebhook.enabled=true \ + --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ + --set global.proxy.autoInject=disabled \ + --set global.disablePolicyChecks=true \ + --set prometheus.enabled=false \ + `# Disable mixer prometheus adapter to remove istio default metrics.` \ + --set mixer.adapters.prometheus.enabled=false \ + `# Disable mixer policy check, since in our template we set no policy.` \ + --set global.disablePolicyChecks=true \ + `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ + --set gateways.istio-ingressgateway.autoscaleMin=1 \ + --set gateways.istio-ingressgateway.autoscaleMax=1 \ + --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ + --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ + `# Enable SDS in the gateway to allow dynamically configuring TLS of gateway.` \ + --set gateways.istio-ingressgateway.sds.enabled=true \ + `# More pilot replicas for better scale` \ + --set pilot.autoscaleMin=2 \ + `# Set pilot trace sampling to 100%` \ + --set pilot.traceSampling=100 \ + install/kubernetes/helm/istio \ + `# Removing trailing whitespaces to make automation happy` \ + | sed 's/[ \t]*$//' \ + > ./istio.yaml + + kubectl apply -f istio.yaml + +``` + +### Updating your install to use cluster local gateway + +If you want your Routes to be visible only inside the cluster, you may +want to enable [cluster local routes](../docs/serving/cluster-local-route.md). +To use this feature, add an extra Istio cluster local gateway to your cluster. +Enter the following command to add the cluster local gateway to an existing +Istio installation: + +```shell +# Add the extra gateway. 
+helm template --namespace=istio-system \ + --set gateways.custom-gateway.autoscaleMin=1 \ + --set gateways.custom-gateway.autoscaleMax=1 \ + --set gateways.custom-gateway.cpu.targetAverageUtilization=60 \ + --set gateways.custom-gateway.labels.app='cluster-local-gateway' \ + --set gateways.custom-gateway.labels.istio='cluster-local-gateway' \ + --set gateways.custom-gateway.type='ClusterIP' \ + --set gateways.istio-ingressgateway.enabled=false \ + --set gateways.istio-egressgateway.enabled=false \ + --set gateways.istio-ilbgateway.enabled=false \ + install/kubernetes/helm/istio \ + -f install/kubernetes/helm/istio/example-values/values-istio-gateways.yaml \ + | sed -e "s/custom-gateway/cluster-local-gateway/g" -e "s/customgateway/clusterlocalgateway/g" \ + `# Removing trailing whitespaces to make automation happy` \ + | sed "s/[[:space:]]*$//" \ + > ./istio-local-gateway.yaml + +kubectl apply -f istio-local-gateway.yaml +``` + +### Verifying your Istio install + +View the status of your Istio installation to make sure the install was +successful. It might take a few seconds, so rerun the following command until +all of the pods show a `STATUS` of `Running` or `Completed`: + +```bash +kubectl get pods --namespace istio-system +``` + +> Tip: You can append the `--watch` flag to the `kubectl get` commands to +> view the pod status in realtime. You use `CTRL + C` to exit watch mode. + +## Istio resources + +- For the official Istio installation guide, see the + [Istio Kubernetes Getting Started Guide](https://istio.io/docs/setup/kubernetes/). + +- For the full list of available configs when installing Istio with `helm`, see + the [Istio Installation Options reference](https://istio.io/docs/reference/config/installation-options/). + +## Clean up Istio + +Enter the following command to remove all of the Istio files: + +```shell +cd ../ +rm -rf istio-${ISTIO_VERSION} +``` + +## What's next + +- [Install Knative](./README.md). 
+- Try the [Getting Started with App Deployment guide](./getting-started-knative-app/) + for Knative serving. + +[1]: https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#automatic-sidecar-injection +[2]: https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#manual-sidecar-injection +[3]: https://istio.io/docs/tasks/traffic-management/secure-ingress/sds/ +[4]: https://istio.io/docs/tasks/security/mutual-tls/ +[5]: https://istio.io/docs/tasks/security/authz-http/ diff --git a/docs/serving/installing-istio.md b/docs/serving/installing-istio.md deleted file mode 100644 index 0292f4efa16..00000000000 --- a/docs/serving/installing-istio.md +++ /dev/null 
@@ -1,178 +0,0 @@ ---- -title: "Performing a Custom Istio Installation" -weight: 15 -type: "docs" ---- - -Use this guide to perform a custom installation of Istio for use with Knative. - -## Before you begin - -You need: -- A Kubernetes cluster created -- [`helm`](https://helm.sh/) installed - -## Download Istio - -Run below command to download Istio. -```shell -# Download and unpack Istio -export ISTIO_VERSION=1.1.3 -curl -L https://git.io/getLatestIstio | sh - -cd istio-${ISTIO_VERSION} -``` - -## Install Istio CRDs -Default Istio Installation -Run below command to install Istio CRDs first. -```shell -for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done -``` -wait a few seconds for the CRDs to be committed in the Kubernetes API-server - -## Custom Installation - -### Istio with Sidecar Injector - -If you need Istio service mesh, and want to enable it by [automatically -injecting the Istio sidecars](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#automatic-sidecar-injection), then Istio sidecar injector and related configurations are needed in your Istio. Run -below command to install the custom Istio. -```shell -# A template with sidecar injection enabled. 
-helm template --namespace=istio-system \ - --set sidecarInjectorWebhook.enabled=true \ - --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ - --set global.proxy.autoInject=disabled \ - --set global.disablePolicyChecks=true \ - --set prometheus.enabled=false \ - `# Disable mixer prometheus adapter to remove istio default metrics.` \ - --set mixer.adapters.prometheus.enabled=false \ - `# Disable mixer policy check, since in our template we set no policy.` \ - --set global.disablePolicyChecks=true \ - `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ - --set gateways.istio-ingressgateway.autoscaleMin=1 \ - --set gateways.istio-ingressgateway.autoscaleMax=1 \ - --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ - --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ - `# More pilot replicas for better scale` \ - --set pilot.autoscaleMin=2 \ - `# Set pilot trace sampling to 100%` \ - --set pilot.traceSampling=100 \ - install/kubernetes/helm/istio \ - `# Removing trailing whitespaces to make automation happy` \ - | sed 's/[ \t]*$//' \ - > ./istio.yaml - -kubectl apply -f istio.yaml -``` - -### Istio with no Sidecar Injector - -If you don't need Istio service mesh, or want to enable the service by -[manually injecting the Istio sidecars](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#manual-sidecar-injection), you can install an Istio without sidecar injector. Run below command to install the custom -Istio. -```shell -# A lighter template, with no sidecar injection. 
-helm template --namespace=istio-system \ - --set sidecarInjectorWebhook.enabled=false \ - --set global.proxy.autoInject=disabled \ - --set global.omitSidecarInjectorConfigMap=true \ - --set global.disablePolicyChecks=true \ - --set prometheus.enabled=false \ - `# Disable mixer prometheus adapter to remove istio default metrics.` \ - --set mixer.adapters.prometheus.enabled=false \ - `# Disable mixer policy check, since in our template we set no policy.` \ - --set global.disablePolicyChecks=true \ - `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ - --set gateways.istio-ingressgateway.autoscaleMin=1 \ - --set gateways.istio-ingressgateway.autoscaleMax=1 \ - `# Set pilot trace sampling to 100%` \ - --set pilot.traceSampling=100 \ - install/kubernetes/helm/istio \ - `# Removing trailing whitespaces to make automation happy` \ - | sed 's/[ \t]*$//' \ - > ./istio-lean.yaml - -kubectl apply -f istio-lean.yaml -``` - -### Install Cluster Local Gateway - -If you want your Routes to be only visible inside the cluster, you may -want to use the feature of [cluster local route](../docs/serving/cluster-local-route.md). In order to use this feature, an extra Istio -cluster local gateway needs to be added into your cluster. Run below command -to add the cluster local gateway. -```shell -# Generate the extra gateway. 
-helm template --namespace=istio-system \ - --set gateways.custom-gateway.autoscaleMin=1 \ - --set gateways.custom-gateway.autoscaleMax=1 \ - --set gateways.custom-gateway.cpu.targetAverageUtilization=60 \ - --set gateways.custom-gateway.labels.app='cluster-local-gateway' \ - --set gateways.custom-gateway.labels.istio='cluster-local-gateway' \ - --set gateways.custom-gateway.type='ClusterIP' \ - --set gateways.istio-ingressgateway.enabled=false \ - --set gateways.istio-egressgateway.enabled=false \ - --set gateways.istio-ilbgateway.enabled=false \ - install/kubernetes/helm/istio \ - -f install/kubernetes/helm/istio/example-values/values-istio-gateways.yaml \ - | sed -e "s/custom-gateway/cluster-local-gateway/g" -e "s/customgateway/clusterlocalgateway/g" \ - `# Removing trailing whitespaces to make automation happy` \ - | sed "s/[[:space:]]*$//" \ - > ./istio-local-gateway.yaml - -kubectl apply -f istio-local-gateway.yaml -``` - -### Istio with Secret Discovery Service - -[Secret Discovery Service](https://istio.io/docs/tasks/traffic-management/secure-ingress/sds/) is needed if you want to dyanmically update your Gateway -with multiple TLS certificates to terminate TLS connection. The below`helm` flag is needed in your `helm` command to enable `SDS`. 
-``` ---set gateways.istio-ingressgateway.sds.enabled=true -``` -For example, the `helm` command for installing Istio with Ingress `SDS` and -Istio sidecar injector is -```shell -helm template --namespace=istio-system \ - --set sidecarInjectorWebhook.enabled=true \ - --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ - --set global.proxy.autoInject=disabled \ - --set global.disablePolicyChecks=true \ - --set prometheus.enabled=false \ - `# Disable mixer prometheus adapter to remove istio default metrics.` \ - --set mixer.adapters.prometheus.enabled=false \ - `# Disable mixer policy check, since in our template we set no policy.` \ - --set global.disablePolicyChecks=true \ - `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ - --set gateways.istio-ingressgateway.autoscaleMin=1 \ - --set gateways.istio-ingressgateway.autoscaleMax=1 \ - --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ - --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ - `# Enable SDS in the gateway to allow dynamically configuring TLS of gateway.` \ - --set gateways.istio-ingressgateway.sds.enabled=true \ - `# More pilot replicas for better scale` \ - --set pilot.autoscaleMin=2 \ - `# Set pilot trace sampling to 100%` \ - --set pilot.traceSampling=100 \ - install/kubernetes/helm/istio \ - `# Removing trailing whitespaces to make automation happy` \ - | sed 's/[ \t]*$//' \ - > ./istio.yaml - - kubectl apply -f istio.yaml - -``` - -## Full Istio Installation Guide. - -1. For the full Istio Installation Guide, check [doc](https://istio.io/docs/setup/kubernetes/). - -1. For the full Istio Installation Option, check [doc](https://istio.io/docs/reference/config/installation-options/). - -## Clean up -Run below command to clean up all of the Istio files. -```shell -cd ../ -rm -rf istio-${ISTIO_VERSION} -```
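Review bot: In the docs/install/Knative-custom-install.md hunk, the removed paragraph stating that Knative Eventing, Knative Eventing Sources and the observability plugins require the Istio service mesh has no replacement, while the new installing-istio.md recommends the install without sidecar injection as the default. A reader following that default and then installing Eventing gets no warning. Keep that dependency sentence here, or move it into the "Choosing an Istio installation" section of the new guide. Separately, "Minkube" in the added text should read "Minikube"; the same spelling appears in the AKS, IKS, PKS and any-k8s hunks.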
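Review bot: In the docs/install/Knative-with-AKS.md hunk (and likewise the Gardener, IKS, PKS and any-k8s hunks), the removed step `kubectl label namespace default istio-injection=enabled` has no counterpart in the guide these pages now link to. The sidecar-injection command in installing-istio.md sets `sidecarInjectorWebhook.enableNamespacesByDefault=true` together with `global.proxy.autoInject=disabled`, and the text around it never says what a user has to do for a workload to actually receive a sidecar. Add a sentence after that command stating whether a namespace label or a per-pod opt-in is still required, so that anyone relying on mutual TLS or the authorization policy can confirm their pods are in the mesh.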
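Review bot: In the docs/install/Knative-with-PKS.md hunk (and the any-k8s hunk), the sentence "Istio workloads require privileged mode for Init Containers" is deleted and does not reappear in the "Before you begin" list of installing-istio.md. That is a security-relevant cluster prerequisite: operators with a restrictive pod security policy need to know about it before they apply the manifests, not after the pods fail to start. Suggest carrying the sentence over into the new guide's prerequisites. Also check the case of the added link target `./knative-with-gke.md`, since the other install pages touched by this patch are named `Knative-with-*.md`.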
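Review bot: In the new docs/install/installing-istio.md, the download step `curl -L https://git.io/getLatestIstio | sh -` pipes a script fetched through a shortener redirect straight into a shell with no integrity check, in a guide whose output is applied cluster-wide. Since `ISTIO_VERSION=1.1.3` is already pinned, suggest downloading that release archive directly and checking its checksum before unpacking, or at minimum saving the script to a file so it can be read before it runs. Two links in the same file also look wrong: `../docs/serving/cluster-local-route.md` resolves to docs/docs/serving/ from docs/install/ (the Auto TLS link next to it uses `../serving/`), and the anchor `#installing-istio-with-SDS-to-secure-the-ingress-gateway` keeps an uppercase "SDS" although heading anchors are normally generated in lowercase. The commands also mix `sed 's/[ \t]*$//'` and `sed "s/[[:space:]]*$//"`; the `[[:space:]]` form is the portable one and could be used throughout.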
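Review bot: In the deleted docs/serving/installing-istio.md, the "no Sidecar Injector" command passed `--set sidecarInjectorWebhook.enabled=false`, but the copy of that command added under "Installing Istio without sidecar injection" in docs/install/installing-istio.md no longer has the flag. If the drop is intentional, say so in the commit message; if not, restore the flag so the lean install does not depend on the chart's default for the injector webhook. While the command is being touched, `--set global.disablePolicyChecks=true` is passed twice in every `helm template` invocation in both the old and new file, and one of the two can go.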