From d86e1b5216fd371f10d377b7fcb802af1297129a Mon Sep 17 00:00:00 2001 From: Sam O'Dell Date: Mon, 13 May 2019 17:03:01 -0700 Subject: [PATCH 01/14] Updating istio install guide --- docs/serving/installing-istio.md | 178 ------------------------------- 1 file changed, 178 deletions(-) delete mode 100644 docs/serving/installing-istio.md diff --git a/docs/serving/installing-istio.md b/docs/serving/installing-istio.md deleted file mode 100644 index 0292f4efa16..00000000000 --- a/docs/serving/installing-istio.md +++ /dev/null 
@@ -1,178 +0,0 @@ ---- -title: "Performing a Custom Istio Installation" -weight: 15 -type: "docs" ---- - -Use this guide to perform a custom installation of Istio for use with Knative. - -## Before you begin - -You need: -- A Kubernetes cluster created -- [`helm`](https://helm.sh/) installed - -## Download Istio - -Run below command to download Istio. -```shell -# Download and unpack Istio -export ISTIO_VERSION=1.1.3 -curl -L https://git.io/getLatestIstio | sh - -cd istio-${ISTIO_VERSION} -``` - -## Install Istio CRDs -Default Istio Installation -Run below command to install Istio CRDs first. -```shell -for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done -``` -wait a few seconds for the CRDs to be committed in the Kubernetes API-server - -## Custom Installation - -### Istio with Sidecar Injector - -If you need Istio service mesh, and want to enable it by [automatically -injecting the Istio sidecars](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#automatic-sidecar-injection), then Istio sidecar injector and related configurations are needed in your Istio. Run -below command to install the custom Istio. -```shell -# A template with sidecar injection enabled. 
-helm template --namespace=istio-system \ - --set sidecarInjectorWebhook.enabled=true \ - --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ - --set global.proxy.autoInject=disabled \ - --set global.disablePolicyChecks=true \ - --set prometheus.enabled=false \ - `# Disable mixer prometheus adapter to remove istio default metrics.` \ - --set mixer.adapters.prometheus.enabled=false \ - `# Disable mixer policy check, since in our template we set no policy.` \ - --set global.disablePolicyChecks=true \ - `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ - --set gateways.istio-ingressgateway.autoscaleMin=1 \ - --set gateways.istio-ingressgateway.autoscaleMax=1 \ - --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ - --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ - `# More pilot replicas for better scale` \ - --set pilot.autoscaleMin=2 \ - `# Set pilot trace sampling to 100%` \ - --set pilot.traceSampling=100 \ - install/kubernetes/helm/istio \ - `# Removing trailing whitespaces to make automation happy` \ - | sed 's/[ \t]*$//' \ - > ./istio.yaml - -kubectl apply -f istio.yaml -``` - -### Istio with no Sidecar Injector - -If you don't need Istio service mesh, or want to enable the service by -[manually injecting the Istio sidecars](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#manual-sidecar-injection), you can install an Istio without sidecar injector. Run below command to install the custom -Istio. -```shell -# A lighter template, with no sidecar injection. 
-helm template --namespace=istio-system \ - --set sidecarInjectorWebhook.enabled=false \ - --set global.proxy.autoInject=disabled \ - --set global.omitSidecarInjectorConfigMap=true \ - --set global.disablePolicyChecks=true \ - --set prometheus.enabled=false \ - `# Disable mixer prometheus adapter to remove istio default metrics.` \ - --set mixer.adapters.prometheus.enabled=false \ - `# Disable mixer policy check, since in our template we set no policy.` \ - --set global.disablePolicyChecks=true \ - `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ - --set gateways.istio-ingressgateway.autoscaleMin=1 \ - --set gateways.istio-ingressgateway.autoscaleMax=1 \ - `# Set pilot trace sampling to 100%` \ - --set pilot.traceSampling=100 \ - install/kubernetes/helm/istio \ - `# Removing trailing whitespaces to make automation happy` \ - | sed 's/[ \t]*$//' \ - > ./istio-lean.yaml - -kubectl apply -f istio-lean.yaml -``` - -### Install Cluster Local Gateway - -If you want your Routes to be only visible inside the cluster, you may -want to use the feature of [cluster local route](../docs/serving/cluster-local-route.md). In order to use this feature, an extra Istio -cluster local gateway needs to be added into your cluster. Run below command -to add the cluster local gateway. -```shell -# Generate the extra gateway. 
-helm template --namespace=istio-system \ - --set gateways.custom-gateway.autoscaleMin=1 \ - --set gateways.custom-gateway.autoscaleMax=1 \ - --set gateways.custom-gateway.cpu.targetAverageUtilization=60 \ - --set gateways.custom-gateway.labels.app='cluster-local-gateway' \ - --set gateways.custom-gateway.labels.istio='cluster-local-gateway' \ - --set gateways.custom-gateway.type='ClusterIP' \ - --set gateways.istio-ingressgateway.enabled=false \ - --set gateways.istio-egressgateway.enabled=false \ - --set gateways.istio-ilbgateway.enabled=false \ - install/kubernetes/helm/istio \ - -f install/kubernetes/helm/istio/example-values/values-istio-gateways.yaml \ - | sed -e "s/custom-gateway/cluster-local-gateway/g" -e "s/customgateway/clusterlocalgateway/g" \ - `# Removing trailing whitespaces to make automation happy` \ - | sed "s/[[:space:]]*$//" \ - > ./istio-local-gateway.yaml - -kubectl apply -f istio-local-gateway.yaml -``` - -### Istio with Secret Discovery Service - -[Secret Discovery Service](https://istio.io/docs/tasks/traffic-management/secure-ingress/sds/) is needed if you want to dyanmically update your Gateway -with multiple TLS certificates to terminate TLS connection. The below`helm` flag is needed in your `helm` command to enable `SDS`. 
-``` ---set gateways.istio-ingressgateway.sds.enabled=true -``` -For example, the `helm` command for installing Istio with Ingress `SDS` and -Istio sidecar injector is -```shell -helm template --namespace=istio-system \ - --set sidecarInjectorWebhook.enabled=true \ - --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ - --set global.proxy.autoInject=disabled \ - --set global.disablePolicyChecks=true \ - --set prometheus.enabled=false \ - `# Disable mixer prometheus adapter to remove istio default metrics.` \ - --set mixer.adapters.prometheus.enabled=false \ - `# Disable mixer policy check, since in our template we set no policy.` \ - --set global.disablePolicyChecks=true \ - `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ - --set gateways.istio-ingressgateway.autoscaleMin=1 \ - --set gateways.istio-ingressgateway.autoscaleMax=1 \ - --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ - --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ - `# Enable SDS in the gateway to allow dynamically configuring TLS of gateway.` \ - --set gateways.istio-ingressgateway.sds.enabled=true \ - `# More pilot replicas for better scale` \ - --set pilot.autoscaleMin=2 \ - `# Set pilot trace sampling to 100%` \ - --set pilot.traceSampling=100 \ - install/kubernetes/helm/istio \ - `# Removing trailing whitespaces to make automation happy` \ - | sed 's/[ \t]*$//' \ - > ./istio.yaml - - kubectl apply -f istio.yaml - -``` - -## Full Istio Installation Guide. - -1. For the full Istio Installation Guide, check [doc](https://istio.io/docs/setup/kubernetes/). - -1. For the full Istio Installation Option, check [doc](https://istio.io/docs/reference/config/installation-options/). - -## Clean up -Run below command to clean up all of the Istio files. -```shell -cd ../ -rm -rf istio-${ISTIO_VERSION} -``` From d297824bbb0be084c73108d7a39ae1383b4aea47 Mon Sep 17 00:00:00 2001 
From: Sam O'Dell Date: Mon, 13 May 2019 17:03:45 -0700 Subject: [PATCH 02/14] Updating istio install guide --- docs/install/installing-istio.md | 281 +++++++++++++++++++++++++++++++ 1 file changed, 281 insertions(+) create mode 100644 docs/install/installing-istio.md diff --git a/docs/install/installing-istio.md b/docs/install/installing-istio.md new file mode 100644 index 00000000000..4c481cbbe13 --- /dev/null +++ b/docs/install/installing-istio.md 
@@ -0,0 +1,281 @@ +--- +title: "Installing Istio for Knative" +weight: 15 +type: "docs" +--- + +This guide walks you through manually installing and customizing Istio for use +with Knative. + +If your cloud platform offers a managed Istio installation, we recommend +installing Istio that way, unless you need the ability to customize your +installation. If your cloud platform offers a managed Istio installation, +the [install guide](./) for your specific platform will have those instructions. +For example, the [GKE Install Guide](./knative-with-gke) includes the +instructions for installing Istio on your cluster using `gcloud`. + +## Before you begin + +You need: +- A Kubernetes cluster created +- [`helm`](https://helm.sh/) installed + +## Installing Istio + +When you install Istio, there are a couple of different steps, and a few options +depending on your goals. For a basic Istio installation suitable for most use +cases, see the [Default Istio installation](#default-istio-instllation) +instructions. Those steps will get you up and running quickly without having to +make decisions about Istio. To customize Istio your Istion installion for use +with Knative, see the [Custom Istio installation](#customizing-your-installation) instructions. + +### Default Istio installation +The following steps install a default version of Istio that is appropriate for +most Knative use cases. + +1. Enter the following commands to download Istio: + ```shell + # Download and unpack Istio + export ISTIO_VERSION=1.1.3 + curl -L https://git.io/getLatestIstio | sh - + cd istio-${ISTIO_VERSION} + ``` + +1. Enter the following command to install the Istio CRDs first: + ```shell + for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done + ``` + Wait a few seconds for the CRDs to be committed in the Kubernetes API-server, + then continue with these instructions. + +1. 
Enter the following command to install Istio: + ```shell + # A template with sidecar injection enabled. + helm template --namespace=istio-system \ + --set sidecarInjectorWebhook.enabled=true \ + --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ + --set global.proxy.autoInject=disabled \ + --set global.disablePolicyChecks=true \ + --set prometheus.enabled=false \ + `# Disable mixer prometheus adapter to remove istio default metrics.` \ + --set mixer.adapters.prometheus.enabled=false \ + `# Disable mixer policy check, since in our template we set no policy.` \ + --set global.disablePolicyChecks=true \ + `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ + --set gateways.istio-ingressgateway.autoscaleMin=1 \ + --set gateways.istio-ingressgateway.autoscaleMax=1 \ + --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ + --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ + `# More pilot replicas for better scale` \ + --set pilot.autoscaleMin=2 \ + `# Set pilot trace sampling to 100%` \ + --set pilot.traceSampling=100 \ + install/kubernetes/helm/istio \ + `# Removing trailing whitespaces to make automation happy` \ + | sed 's/[ \t]*$//' \ + > ./istio.yaml + + kubectl apply -f istio.yaml + ``` + +This default installation enables [automatic sidecar injection][1]. + +## Customizing your installation + +You can easily customize your Istio installation with `helm`. The below sections +cover a few useful customizations and their purpose. + +### Installing Istio with sidecar injection + +If you need Istio service mesh, and want to enable it by +[automatically injecting the Istio sidecars][1], then you must enable Istio +sidecar injection and add a few related configurations your Istio installation. + +1. 
Enter the following commands to download Istio: + ```shell + # Download and unpack Istio + export ISTIO_VERSION=1.1.3 + curl -L https://git.io/getLatestIstio | sh - + cd istio-${ISTIO_VERSION} + ``` + +1. Enter the following command to install the Istio CRDs first: + ```shell + for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done + ``` + Wait a few seconds for the CRDs to be committed in the Kubernetes API-server, + then continue with these instructions. + +1. Enter the following command to install Istio: + ```shell + # A template with sidecar injection enabled. + helm template --namespace=istio-system \ + --set sidecarInjectorWebhook.enabled=true \ + --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ + --set global.proxy.autoInject=disabled \ + --set global.disablePolicyChecks=true \ + --set prometheus.enabled=false \ + `# Disable mixer prometheus adapter to remove istio default metrics.` \ + --set mixer.adapters.prometheus.enabled=false \ + `# Disable mixer policy check, since in our template we set no policy.` \ + --set global.disablePolicyChecks=true \ + `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ + --set gateways.istio-ingressgateway.autoscaleMin=1 \ + --set gateways.istio-ingressgateway.autoscaleMax=1 \ + --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ + --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ + `# More pilot replicas for better scale` \ + --set pilot.autoscaleMin=2 \ + `# Set pilot trace sampling to 100%` \ + --set pilot.traceSampling=100 \ + install/kubernetes/helm/istio \ + `# Removing trailing whitespaces to make automation happy` \ + | sed 's/[ \t]*$//' \ + > ./istio.yaml + + kubectl apply -f istio.yaml + ``` + +### Installing Istio with no sidecar injection + +If you don't need Istio service mesh, or want to enable the service by +[manually injecting the Istio 
sidecars](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#manual-sidecar-injection), you can install an Istio without sidecar injector. + +1. Enter the following commands to download Istio: + ```shell + # Download and unpack Istio + export ISTIO_VERSION=1.1.3 + curl -L https://git.io/getLatestIstio | sh - + cd istio-${ISTIO_VERSION} + ``` + +1. Enter the following command to install the Istio CRDs first: + ```shell + for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done + ``` + Wait a few seconds for the CRDs to be committed in the Kubernetes API-server, + then continue with these instructions. + +1. Enter the following command to install Istio: + ```shell + # A lighter template, with no sidecar injection. + helm template --namespace=istio-system \ + --set sidecarInjectorWebhook.enabled=false \ + --set global.proxy.autoInject=disabled \ + --set global.omitSidecarInjectorConfigMap=true \ + --set global.disablePolicyChecks=true \ + --set prometheus.enabled=false \ + `# Disable mixer prometheus adapter to remove istio default metrics.` \ + --set mixer.adapters.prometheus.enabled=false \ + `# Disable mixer policy check, since in our template we set no policy.` \ + --set global.disablePolicyChecks=true \ + `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ + --set gateways.istio-ingressgateway.autoscaleMin=1 \ + --set gateways.istio-ingressgateway.autoscaleMax=1 \ + `# Set pilot trace sampling to 100%` \ + --set pilot.traceSampling=100 \ + install/kubernetes/helm/istio \ + `# Removing trailing whitespaces to make automation happy` \ + | sed 's/[ \t]*$//' \ + > ./istio-lean.yaml + + kubectl apply -f istio-lean.yaml + ``` + +### Installing Istio with Secret Discovery Service + +[Secret Discovery Service](https://istio.io/docs/tasks/traffic-management/secure-ingress/sds/) +is needed if you want to dynamically update your Gateway with multiple TLS +certificates to terminate TLS 
connection. The below `helm` flag is needed in +your `helm` command to enable `SDS`: + +``` +--set gateways.istio-ingressgateway.sds.enabled=true +``` + +For example, the `helm` command for installing Istio with Ingress `SDS` and +Istio sidecar injection is: + +```shell +helm template --namespace=istio-system \ + --set sidecarInjectorWebhook.enabled=true \ + --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ + --set global.proxy.autoInject=disabled \ + --set global.disablePolicyChecks=true \ + --set prometheus.enabled=false \ + `# Disable mixer prometheus adapter to remove istio default metrics.` \ + --set mixer.adapters.prometheus.enabled=false \ + `# Disable mixer policy check, since in our template we set no policy.` \ + --set global.disablePolicyChecks=true \ + `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ + --set gateways.istio-ingressgateway.autoscaleMin=1 \ + --set gateways.istio-ingressgateway.autoscaleMax=1 \ + --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ + --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ + `# Enable SDS in the gateway to allow dynamically configuring TLS of gateway.` \ + --set gateways.istio-ingressgateway.sds.enabled=true \ + `# More pilot replicas for better scale` \ + --set pilot.autoscaleMin=2 \ + `# Set pilot trace sampling to 100%` \ + --set pilot.traceSampling=100 \ + install/kubernetes/helm/istio \ + `# Removing trailing whitespaces to make automation happy` \ + | sed 's/[ \t]*$//' \ + > ./istio.yaml + + kubectl apply -f istio.yaml + +``` + +### Updating your install to use cluster local gateway + +If you want your Routes to be visible only inside the cluster, you may +want to enable [cluster local routes](../docs/serving/cluster-local-route.md). +To use this feature, add an extra Istio cluster local gateway to your cluster. 
+Enter the following command to add the cluster local gateway to an existing +Istio installation: + +```shell +# Add the extra gateway. +helm template --namespace=istio-system \ + --set gateways.custom-gateway.autoscaleMin=1 \ + --set gateways.custom-gateway.autoscaleMax=1 \ + --set gateways.custom-gateway.cpu.targetAverageUtilization=60 \ + --set gateways.custom-gateway.labels.app='cluster-local-gateway' \ + --set gateways.custom-gateway.labels.istio='cluster-local-gateway' \ + --set gateways.custom-gateway.type='ClusterIP' \ + --set gateways.istio-ingressgateway.enabled=false \ + --set gateways.istio-egressgateway.enabled=false \ + --set gateways.istio-ilbgateway.enabled=false \ + install/kubernetes/helm/istio \ + -f install/kubernetes/helm/istio/example-values/values-istio-gateways.yaml \ + | sed -e "s/custom-gateway/cluster-local-gateway/g" -e "s/customgateway/clusterlocalgateway/g" \ + `# Removing trailing whitespaces to make automation happy` \ + | sed "s/[[:space:]]*$//" \ + > ./istio-local-gateway.yaml + +kubectl apply -f istio-local-gateway.yaml +``` + +## Istio resources + +- For the official Istio installation guide, see the + [Istio Kubernetes Getting Started Guide](https://istio.io/docs/setup/kubernetes/). + +- For the full list of available configs when installing Istio with `helm`, see + the [Istio Installation Options reference](https://istio.io/docs/reference/config/installation-options/). + +## Clean up Istio +Run below command to clean up all of the Istio files. +```shell +cd ../ +rm -rf istio-${ISTIO_VERSION} +``` + +## What's next + +- [Install Knative](./README.md). +- Try the [Getting Started with App Deployment guide](./getting-started-knative-app/) + for Knative serving. + +[1]: https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#automatic-sidecar-injection From 2dfef641ffb1a11c8b7cfd95f06d5ce3bf9f0fe5 Mon Sep 17 00:00:00 2001 
From: Sam O'Dell Date: Tue, 14 May 2019 10:28:02 -0700 Subject: [PATCH 03/14] Updating formatting, default install, and adds background info --- docs/install/installing-istio.md | 233 +++++++++++++------------------ 1 file changed, 95 insertions(+), 138 deletions(-) diff --git a/docs/install/installing-istio.md b/docs/install/installing-istio.md index 4c481cbbe13..cd54cb031ac 100644 --- a/docs/install/installing-istio.md +++ b/docs/install/installing-istio.md @@ -10,8 +10,8 @@ with Knative. If your cloud platform offers a managed Istio installation, we recommend installing Istio that way, unless you need the ability to customize your installation. If your cloud platform offers a managed Istio installation, -the [install guide](./) for your specific platform will have those instructions. -For example, the [GKE Install Guide](./knative-with-gke) includes the +the [install guide](./README.md) for your specific platform will have those instructions. +For example, the [GKE Install Guide](./knative-with-gke.md) includes the instructions for installing Istio on your cluster using `gcloud`. ## Before you begin 
@@ -22,18 +22,20 @@ You need: ## Installing Istio -When you install Istio, there are a couple of different steps, and a few options -depending on your goals. For a basic Istio installation suitable for most use -cases, see the [Default Istio installation](#default-istio-instllation) -instructions. Those steps will get you up and running quickly without having to -make decisions about Istio. To customize Istio your Istion installion for use -with Knative, see the [Custom Istio installation](#customizing-your-installation) instructions. +When you install Istio, there are a few options depending on your goals. For a +basic Istio installation suitable for most Knative use cases, follow the +[Installing Istio without sidecar injection](#installing-istio-without-sidecar-injection) +instructions. If you're familiar with Istio and know what kind of +installation you want, read through the options and choose the installation that +suits your needs. -### Default Istio installation -The following steps install a default version of Istio that is appropriate for -most Knative use cases. +You can easily customize your Istio installation with `helm`. The below sections +cover a few useful Istio configurations and their benefits. + +### Downloading Istio and installing CRDs 1. Enter the following commands to download Istio: + ```shell # Download and unpack Istio export ISTIO_VERSION=1.1.3 
@@ -42,151 +44,100 @@ most Knative use cases. ``` 1. Enter the following command to install the Istio CRDs first: + ```shell for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done ``` + Wait a few seconds for the CRDs to be committed in the Kubernetes API-server, then continue with these instructions. -1. Enter the following command to install Istio: - ```shell - # A template with sidecar injection enabled. - helm template --namespace=istio-system \ - --set sidecarInjectorWebhook.enabled=true \ - --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ - --set global.proxy.autoInject=disabled \ - --set global.disablePolicyChecks=true \ - --set prometheus.enabled=false \ - `# Disable mixer prometheus adapter to remove istio default metrics.` \ - --set mixer.adapters.prometheus.enabled=false \ - `# Disable mixer policy check, since in our template we set no policy.` \ - --set global.disablePolicyChecks=true \ - `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ - --set gateways.istio-ingressgateway.autoscaleMin=1 \ - --set gateways.istio-ingressgateway.autoscaleMax=1 \ - --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ - --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ - `# More pilot replicas for better scale` \ - --set pilot.autoscaleMin=2 \ - `# Set pilot trace sampling to 100%` \ - --set pilot.traceSampling=100 \ - install/kubernetes/helm/istio \ - `# Removing trailing whitespaces to make automation happy` \ - | sed 's/[ \t]*$//' \ - > ./istio.yaml - - kubectl apply -f istio.yaml - ``` +1. 
Finish the install by applying your desired Istio configuration: + - [Installing Istio without sidecar injection](#installing-istio-without-sidecar-injection) (Recommended default installation) + - [Installing Istio with sidecar injection](#installing-istio-with-sidecar-injection) + - [Installing Istio with SDS to secure the ingress gateway](#installing-istio-with-SDS-to-secure-the-ingress-gateway) -This default installation enables [automatic sidecar injection][1]. -## Customizing your installation +### Installing Istio without sidecar injection -You can easily customize your Istio installation with `helm`. The below sections -cover a few useful customizations and their purpose. +If you want to get up and running with Knative quickly, installing Istio without +sidecar injection is the recommended install. It's also recommended for users +who don't need Istio service mesh, or who want to enable the service by +[manually injecting the Istio sidecars][2]. + +Enter the following command to install Istio: + +```shell +# A lighter template, with no sidecar injection. 
+helm template --namespace=istio-system \ + --set global.proxy.autoInject=disabled \ + --set global.omitSidecarInjectorConfigMap=true \ + --set global.disablePolicyChecks=true \ + --set prometheus.enabled=false \ + `# Disable mixer prometheus adapter to remove istio default metrics.` \ + --set mixer.adapters.prometheus.enabled=false \ + `# Disable mixer policy check, since in our template we set no policy.` \ + --set global.disablePolicyChecks=true \ + `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ + --set gateways.istio-ingressgateway.autoscaleMin=1 \ + --set gateways.istio-ingressgateway.autoscaleMax=1 \ + `# Set pilot trace sampling to 100%` \ + --set pilot.traceSampling=100 \ + install/kubernetes/helm/istio \ + `# Removing trailing whitespaces to make automation happy` \ + | sed 's/[ \t]*$//' \ + > ./istio-lean.yaml + +kubectl apply -f istio-lean.yaml +``` ### Installing Istio with sidecar injection -If you need Istio service mesh, and want to enable it by -[automatically injecting the Istio sidecars][1], then you must enable Istio -sidecar injection and add a few related configurations your Istio installation. +If you want to enable the Istio service mesh, you must enable [automatic sidecar injection][1]. The Istio service mesh provides a few benefits: -1. Enter the following commands to download Istio: - ```shell - # Download and unpack Istio - export ISTIO_VERSION=1.1.3 - curl -L https://git.io/getLatestIstio | sh - - cd istio-${ISTIO_VERSION} - ``` +- Allows you to turn on [mutual TLS][4], which secures service-to-service + traffic within the cluster. -1. Enter the following command to install the Istio CRDs first: - ```shell - for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done - ``` - Wait a few seconds for the CRDs to be committed in the Kubernetes API-server, - then continue with these instructions. 
+- Allows you to use the [Istio authorization policy][5], controlling the access + to each Knative service based on Istio service roles. -1. Enter the following command to install Istio: - ```shell - # A template with sidecar injection enabled. - helm template --namespace=istio-system \ - --set sidecarInjectorWebhook.enabled=true \ - --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ - --set global.proxy.autoInject=disabled \ - --set global.disablePolicyChecks=true \ - --set prometheus.enabled=false \ - `# Disable mixer prometheus adapter to remove istio default metrics.` \ - --set mixer.adapters.prometheus.enabled=false \ - `# Disable mixer policy check, since in our template we set no policy.` \ - --set global.disablePolicyChecks=true \ - `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ - --set gateways.istio-ingressgateway.autoscaleMin=1 \ - --set gateways.istio-ingressgateway.autoscaleMax=1 \ - --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ - --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ - `# More pilot replicas for better scale` \ - --set pilot.autoscaleMin=2 \ - `# Set pilot trace sampling to 100%` \ - --set pilot.traceSampling=100 \ - install/kubernetes/helm/istio \ - `# Removing trailing whitespaces to make automation happy` \ - | sed 's/[ \t]*$//' \ - > ./istio.yaml - - kubectl apply -f istio.yaml - ``` +Enter the following command to install Istio: -### Installing Istio with no sidecar injection +```shell +# A template with sidecar injection enabled. 
+helm template --namespace=istio-system \ + --set sidecarInjectorWebhook.enabled=true \ + --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ + --set global.proxy.autoInject=disabled \ + --set global.disablePolicyChecks=true \ + --set prometheus.enabled=false \ + `# Disable mixer prometheus adapter to remove istio default metrics.` \ + --set mixer.adapters.prometheus.enabled=false \ + `# Disable mixer policy check, since in our template we set no policy.` \ + --set global.disablePolicyChecks=true \ + `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ + --set gateways.istio-ingressgateway.autoscaleMin=1 \ + --set gateways.istio-ingressgateway.autoscaleMax=1 \ + --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ + --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ + `# More pilot replicas for better scale` \ + --set pilot.autoscaleMin=2 \ + `# Set pilot trace sampling to 100%` \ + --set pilot.traceSampling=100 \ + install/kubernetes/helm/istio \ + `# Removing trailing whitespaces to make automation happy` \ + | sed 's/[ \t]*$//' \ + > ./istio.yaml -If you don't need Istio service mesh, or want to enable the service by -[manually injecting the Istio sidecars](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#manual-sidecar-injection), you can install an Istio without sidecar injector. +kubectl apply -f istio.yaml +``` -1. Enter the following commands to download Istio: - ```shell - # Download and unpack Istio - export ISTIO_VERSION=1.1.3 - curl -L https://git.io/getLatestIstio | sh - - cd istio-${ISTIO_VERSION} - ``` +### Installing Istio with SDS to secure the ingress gateway -1. Enter the following command to install the Istio CRDs first: - ```shell - for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done - ``` - Wait a few seconds for the CRDs to be committed in the Kubernetes API-server, - then continue with these instructions. 
+Install Istio with [Secret Discovery Service (SDS)][3] to secure your ingress gateway -1. Enter the following command to install Istio: - ```shell - # A lighter template, with no sidecar injection. - helm template --namespace=istio-system \ - --set sidecarInjectorWebhook.enabled=false \ - --set global.proxy.autoInject=disabled \ - --set global.omitSidecarInjectorConfigMap=true \ - --set global.disablePolicyChecks=true \ - --set prometheus.enabled=false \ - `# Disable mixer prometheus adapter to remove istio default metrics.` \ - --set mixer.adapters.prometheus.enabled=false \ - `# Disable mixer policy check, since in our template we set no policy.` \ - --set global.disablePolicyChecks=true \ - `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ - --set gateways.istio-ingressgateway.autoscaleMin=1 \ - --set gateways.istio-ingressgateway.autoscaleMax=1 \ - `# Set pilot trace sampling to 100%` \ - --set pilot.traceSampling=100 \ - install/kubernetes/helm/istio \ - `# Removing trailing whitespaces to make automation happy` \ - | sed 's/[ \t]*$//' \ - > ./istio-lean.yaml - - kubectl apply -f istio-lean.yaml - ``` - -### Installing Istio with Secret Discovery Service - -[Secret Discovery Service](https://istio.io/docs/tasks/traffic-management/secure-ingress/sds/) -is needed if you want to dynamically update your Gateway with multiple TLS -certificates to terminate TLS connection. The below `helm` flag is needed in +if you want to dynamically update your gateway with multiple TLS +certificates to terminate TLS connections. The below `helm` flag is needed in your `helm` command to enable `SDS`: ``` @@ -227,7 +178,7 @@ helm template --namespace=istio-system \ ``` -### Updating your install to use cluster local gateway +## Updating your install to use cluster local gateway If you want your Routes to be visible only inside the cluster, you may want to enable [cluster local routes](../docs/serving/cluster-local-route.md). 
@@ -266,7 +217,9 @@ kubectl apply -f istio-local-gateway.yaml the [Istio Installation Options reference](https://istio.io/docs/reference/config/installation-options/). ## Clean up Istio -Run below command to clean up all of the Istio files. + +Enter the following command to remove all of the Istio files: + ```shell cd ../ rm -rf istio-${ISTIO_VERSION} @@ -279,3 +232,7 @@ rm -rf istio-${ISTIO_VERSION} for Knative serving. [1]: https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#automatic-sidecar-injection +[2]: https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#manual-sidecar-injection +[3]: https://istio.io/docs/tasks/traffic-management/secure-ingress/sds/ +[4]: https://istio.io/docs/tasks/security/mutual-tls/ +[5]: https://istio.io/docs/tasks/security/authz-http/ From 555a6ddc328336d39698de081bc11817d6cd0c6f Mon Sep 17 00:00:00 2001 From: Sam O'Dell Date: Tue, 14 May 2019 10:36:06 -0700 Subject: [PATCH 04/14] Updating SDS section --- docs/install/installing-istio.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/docs/install/installing-istio.md b/docs/install/installing-istio.md index cd54cb031ac..bb7368f866f 100644 --- a/docs/install/installing-istio.md +++ b/docs/install/installing-istio.md @@ -11,6 +11,7 @@ If your cloud platform offers a managed Istio installation, we recommend installing Istio that way, unless you need the ability to customize your installation. If your cloud platform offers a managed Istio installation, the [install guide](./README.md) for your specific platform will have those instructions. + For example, the [GKE Install Guide](./knative-with-gke.md) includes the instructions for installing Istio on your cluster using `gcloud`. 
@@ -48,7 +49,7 @@ cover a few useful Istio configurations and their benefits. ```shell for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done ``` - + Wait a few seconds for the CRDs to be committed in the Kubernetes API-server, then continue with these instructions. @@ -134,18 +135,22 @@ kubectl apply -f istio.yaml ### Installing Istio with SDS to secure the ingress gateway -Install Istio with [Secret Discovery Service (SDS)][3] to secure your ingress gateway +Install Istio with [Secret Discovery Service (SDS)][3] to enable a few additional +configurations for the gateway TLS. This will allow you to: + +- Dynamically update the gateway TLS with multiple TLS certificates to terminate + TLS connections. + +- Use [Auto TLS](../serving/using-auto-tls.md). -if you want to dynamically update your gateway with multiple TLS -certificates to terminate TLS connections. The below `helm` flag is needed in -your `helm` command to enable `SDS`: +The below `helm` flag is needed in your `helm` command to enable `SDS`: ``` --set gateways.istio-ingressgateway.sds.enabled=true ``` -For example, the `helm` command for installing Istio with Ingress `SDS` and -Istio sidecar injection is: +Enter the following command to install Istio with ingress `SDS` and +automatic sidecar injection: ```shell helm template --namespace=istio-system \ From cfae6ae7a9280de67a24f9dca3f1d2c094173a66 Mon Sep 17 00:00:00 2001 From: Sam O'Dell Date: Tue, 14 May 2019 10:37:24 -0700 Subject: [PATCH 05/14] Adding periods to lists --- docs/install/installing-istio.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/install/installing-istio.md b/docs/install/installing-istio.md index bb7368f866f..97736eb69a4 100644 --- a/docs/install/installing-istio.md +++ b/docs/install/installing-istio.md 
@@ -18,8 +18,8 @@ instructions for installing Istio on your cluster using `gcloud`. ## Before you begin You need: -- A Kubernetes cluster created -- [`helm`](https://helm.sh/) installed +- A Kubernetes cluster created. +- [`helm`](https://helm.sh/) installed. ## Installing Istio From 29836887bfdc9a88c1110432833cd30611cb86c2 Mon Sep 17 00:00:00 2001 From: Sam O'Dell Date: Tue, 14 May 2019 10:50:54 -0700 Subject: [PATCH 06/14] Moving istio info from custom install to Istio page --- docs/install/Knative-custom-install.md | 112 ++----------------------- docs/install/installing-istio.md | 93 +++++++++++++------- 2 files changed, 71 insertions(+), 134 deletions(-) diff --git a/docs/install/Knative-custom-install.md b/docs/install/Knative-custom-install.md index 6e100cf2067..6ccc6342d92 100644 --- a/docs/install/Knative-custom-install.md +++ b/docs/install/Knative-custom-install.md 
@@ -44,113 +44,13 @@ traffic routing and ingress. You have the option of injecting Istio sidecars and enabling the Istio service mesh, but it's not required for all Knative components. -You should first install the `istio-crds.yaml` file to ensure that the Istio -[Custom Resource Definitions (CRD)](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) -are created before installing Istio. +If your cloud platform offers a managed Istio installation, we recommend +installing Istio that way, unless you need the ability to customize your +installation. -### Choosing an Istio installation - -You can Istio with or without a service mesh: - -- _automatic sidecar injection_: Enables the Istio service mesh by - [automatically injecting the Istio sidecars](https://istio.io/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection). - The sidecars are injected into each pod of your cluster as each pod is - created. - -- _manual sidecar injection_: Provides your Knative installation with traffic - routing and ingress, without the Istio service mesh. You do have the option of - later enabling the service mesh if you - [manually inject the Istio sidecars](https://istio.io/docs/setup/kubernetes/sidecar-injection/#manual-sidecar-injection). - -If you are just getting started with Knative, you should choose automatic -sidecar injection and enable the Istio service mesh. - -Due to current dependencies, some installable Knative options require the Istio -service mesh. 
If you install any of the following options, you must install -`istio.yaml` so that automatic sidecar injection is enabled: - -- [Knative Eventing](https://github.com/knative/eventing) -- [Knative Eventing Sources](https://github.com/knative/eventing-sources) -- [Observability plugins](../serving/installing-logging-metrics-traces.md) - -#### Istio installation options - -| Istio Install Filename | Description | -| ----------------------- | ---------------------------------------------------------------------- | -| [`istio-crds.yaml`][a]† | Creates CRDs before installing Istio. | -| [`istio.yaml`][b]† | Install Istio with service mesh enabled (automatic sidecar injection). | -| [`istio-lean.yaml`][c] | Install Istio and disable the service mesh by default. | - -† These are the recommended standard install files suitable for most use cases. - -[a]: - https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml -[b]: - https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml -[c]: https://github.com/knative/serving/releases/download/v0.5.2/istio-lean.yaml - -### Installing Istio - -1. If you choose to install the Istio service mesh with automatic sidecar - injection, you must ensure that the - [`MutatingAdmissionWebhook` admission controller](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#mutatingwebhookconfiguration-v1beta1-admissionregistration-k8s-io) - is enabled on your cluster by running the following command: - - ```bash - kubectl api-versions | grep admissionregistration - ``` - - Result: - - ```bash - admissionregistration.k8s.io/v1beta1 - ``` - - If `admissionregistration.k8s.io/v1beta1` is not listed, follow the - [Kubernetes instructions about enabling the `MutatingAdmissionWebhook` admission controller](https://kubernetes.io/docs/admin/admission-controllers/#how-do-i-turn-on-an-admission-controller). 
- - For example, you add `--enable-admission-plugins=MutatingAdmissionWebhook` to - the `/etc/kubernetes/manifests/kube-apiserver.yaml` file. - -1. Create the Istio CRDs on your cluster: - - ```bash - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml - ``` - -1. Install Istio by specifying the filename in the `kubectl apply` command: - - ```bash - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/[FILENAME].yaml - ``` - - where `[FILENAME]` is the name of the Istio file that you want to install. - Examples: - - - `istio.yaml` - - `istio-lean.yaml` - -1. If you chose to install the Istio service mesh with automatic sidecar - injection, you must label the default namespace with - `istio-injection=enabled`: - - ```bash - kubectl label namespace default istio-injection=enabled - ``` - - Important: You should set the `istio-injection` namespace, if you intend on - later enabling the Istio service mesh through manual sidecar injection. - -1. View the status of your Istio installation. It might take a few seconds, so - rerun the following command until all of the pods show a `STATUS` of - `Running` or `Completed`: - - ```bash - kubectl get pods --namespace istio-system - ``` - - > Tip: You can append the `--watch` flag to the `kubectl get` commands to - > view the pod status in realtime. You use `CTRL + C` to exit watch mode. +If you prefer to install Istio manually, your cloud provider doesn't offer +a managed Istio installation, or you're installing Knative locally using Minkube +or similar, see the [Installing Istio for Knative guide](./installing-istio.md). ## Installing Knative components diff --git a/docs/install/installing-istio.md b/docs/install/installing-istio.md index 97736eb69a4..e85eab48ca5 100644 --- a/docs/install/installing-istio.md +++ b/docs/install/installing-istio.md 
@@ -33,6 +33,29 @@ suits your needs. You can easily customize your Istio installation with `helm`. The below sections cover a few useful Istio configurations and their benefits. +### Choosing an Istio installation + +You can install Istio with or without a service mesh: + +- _automatic sidecar injection_: Enables the Istio service mesh by + [automatically injecting the Istio sidecars][1]. The sidecars are injected + into each pod of your cluster as they are created. + +- _manual sidecar injection_: Provides your Knative installation with traffic + routing and ingress, without the Istio service mesh. You do have the option of + later enabling the service mesh if you [manually inject the Istio sidecars][2]. + +If you are just getting started with Knative, you should choose automatic +sidecar injection and enable the Istio service mesh. + +Due to current dependencies, some installable Knative options require the Istio +service mesh. If you install any of the following options, you must install +Istio with automatic sidecar injection enabled: + +- [Knative Eventing](https://github.com/knative/eventing) +- [Knative Eventing Sources](https://github.com/knative/eventing-sources) +- [Observability plugins](../serving/installing-logging-metrics-traces.md) + ### Downloading Istio and installing CRDs 1. Enter the following commands to download Istio: 
@@ -58,21 +81,27 @@ cover a few useful Istio configurations and their benefits. - [Installing Istio with sidecar injection](#installing-istio-with-sidecar-injection) - [Installing Istio with SDS to secure the ingress gateway](#installing-istio-with-SDS-to-secure-the-ingress-gateway) +#### Installing Istio with sidecar injection -### Installing Istio without sidecar injection +If you want to get up and running with Knative quickly, installing Istio with +sidecar injection is the recommended install. If you want to enable the Istio +service mesh, you must enable [automatic sidecar injection][1]. The Istio +service mesh provides a few benefits: -If you want to get up and running with Knative quickly, installing Istio without -sidecar injection is the recommended install. It's also recommended for users -who don't need Istio service mesh, or who want to enable the service by -[manually injecting the Istio sidecars][2]. +- Allows you to turn on [mutual TLS][4], which secures service-to-service + traffic within the cluster. + +- Allows you to use the [Istio authorization policy][5], controlling the access + to each Knative service based on Istio service roles. Enter the following command to install Istio: ```shell -# A lighter template, with no sidecar injection. +# A template with sidecar injection enabled. helm template --namespace=istio-system \ + --set sidecarInjectorWebhook.enabled=true \ + --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ --set global.proxy.autoInject=disabled \ - --set global.omitSidecarInjectorConfigMap=true \ --set global.disablePolicyChecks=true \ --set prometheus.enabled=false \ `# Disable mixer prometheus adapter to remove istio default metrics.` \ 
@@ -82,34 +111,33 @@ helm template --namespace=istio-system \ `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ --set gateways.istio-ingressgateway.autoscaleMin=1 \ --set gateways.istio-ingressgateway.autoscaleMax=1 \ + --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ + --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ + `# More pilot replicas for better scale` \ + --set pilot.autoscaleMin=2 \ `# Set pilot trace sampling to 100%` \ --set pilot.traceSampling=100 \ install/kubernetes/helm/istio \ `# Removing trailing whitespaces to make automation happy` \ | sed 's/[ \t]*$//' \ - > ./istio-lean.yaml + > ./istio.yaml -kubectl apply -f istio-lean.yaml +kubectl apply -f istio.yaml ``` -### Installing Istio with sidecar injection +#### Installing Istio without sidecar injection -If you want to enable the Istio service mesh, you must enable [automatic sidecar injection][1]. The Istio service mesh provides a few benefits: - -- Allows you to turn on [mutual TLS][4], which secures service-to-service - traffic within the cluster. - -- Allows you to use the [Istio authorization policy][5], controlling the access - to each Knative service based on Istio service roles. +Installing istio without automatic sidecar injection is recommended for users +who don't need the Istio service mesh, or who want to enable the service mesh by +[manually injecting the Istio sidecars][2]. Enter the following command to install Istio: ```shell -# A template with sidecar injection enabled. +# A lighter template, with no sidecar injection. helm template --namespace=istio-system \ - --set sidecarInjectorWebhook.enabled=true \ - --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ --set global.proxy.autoInject=disabled \ + --set global.omitSidecarInjectorConfigMap=true \ --set global.disablePolicyChecks=true \ --set prometheus.enabled=false \ `# Disable mixer prometheus adapter to remove istio default metrics.` \ 
@@ -119,21 +147,17 @@ helm template --namespace=istio-system \ `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ --set gateways.istio-ingressgateway.autoscaleMin=1 \ --set gateways.istio-ingressgateway.autoscaleMax=1 \ - --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ - --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ - `# More pilot replicas for better scale` \ - --set pilot.autoscaleMin=2 \ `# Set pilot trace sampling to 100%` \ --set pilot.traceSampling=100 \ install/kubernetes/helm/istio \ `# Removing trailing whitespaces to make automation happy` \ | sed 's/[ \t]*$//' \ - > ./istio.yaml + > ./istio-lean.yaml -kubectl apply -f istio.yaml +kubectl apply -f istio-lean.yaml ``` -### Installing Istio with SDS to secure the ingress gateway +#### Installing Istio with SDS to secure the ingress gateway Install Istio with [Secret Discovery Service (SDS)][3] to enable a few additional configurations for the gateway TLS. This will allow you to: @@ -183,7 +207,7 @@ helm template --namespace=istio-system \ ``` -## Updating your install to use cluster local gateway +### Updating your install to use cluster local gateway If you want your Routes to be visible only inside the cluster, you may want to enable [cluster local routes](../docs/serving/cluster-local-route.md). @@ -213,6 +237,19 @@ helm template --namespace=istio-system \ kubectl apply -f istio-local-gateway.yaml ``` +### Verifying your Istio install + +View the status of your Istio installation to make sure the install was +successful. It might take a few seconds, so rerun the following command until +all of the pods show a `STATUS` of `Running` or `Completed`: + +```bash +kubectl get pods --namespace istio-system +``` + +> Tip: You can append the `--watch` flag to the `kubectl get` commands to +> view the pod status in realtime. You use `CTRL + C` to exit watch mode. + ## Istio resources - For the official Istio installation guide, see the 
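Review bot: The removal in docs/install/Knative-custom-install.md drops two steps that the new guide does not pick up: the `kubectl api-versions | grep admissionregistration` check that the `MutatingAdmissionWebhook` admission controller is enabled, and `kubectl label namespace default istio-injection=enabled`. Only the pod status check is carried over, as "Verifying your Istio install". Automatic sidecar injection depends on that admission controller, so the check belongs in "Installing Istio with sidecar injection" as a prerequisite; for the label, either carry it over or say why it is no longer needed with `sidecarInjectorWebhook.enableNamespacesByDefault=true`.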
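Review bot: In the "Installing Istio with sidecar injection" section, the added text lists mutual TLS and the Istio authorization policy as benefits, but the command under it sets `sidecarInjectorWebhook.enableNamespacesByDefault=true` together with `global.proxy.autoInject=disabled`, and nothing says which pods end up with a sidecar. Both benefits only apply to workloads that have one, so add a sentence on how those two settings combine and how a reader can confirm that a Knative pod was injected. In the same hunk, the list link `#installing-istio-with-SDS-to-secure-the-ingress-gateway` has an upper-case `SDS`; heading anchors are usually generated in lower case, so check that the link resolves.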
From 3842c9fd84d7be72c9ebf5514ea236cc1538f50b Mon Sep 17 00:00:00 2001 From: Sam O'Dell Date: Tue, 14 May 2019 10:52:48 -0700 Subject: [PATCH 07/14] Makes automatic sidecar injection the default --- docs/install/installing-istio.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/install/installing-istio.md b/docs/install/installing-istio.md index e85eab48ca5..5d1b7ab98ef 100644 --- a/docs/install/installing-istio.md +++ b/docs/install/installing-istio.md @@ -77,8 +77,8 @@ Istio with automatic sidecar injection enabled: then continue with these instructions. 1. Finish the install by applying your desired Istio configuration: - - [Installing Istio without sidecar injection](#installing-istio-without-sidecar-injection) (Recommended default installation) - - [Installing Istio with sidecar injection](#installing-istio-with-sidecar-injection) + - [Installing Istio with sidecar injection](#installing-istio-with-sidecar-injection) (Recommended default installation) + - [Installing Istio without sidecar injection](#installing-istio-without-sidecar-injection) - [Installing Istio with SDS to secure the ingress gateway](#installing-istio-with-SDS-to-secure-the-ingress-gateway) #### Installing Istio with sidecar injection From 3a0957c83fff899e4199665f0e20f5ffc183b8c0 Mon Sep 17 00:00:00 2001 From: Sam O'Dell Date: Tue, 14 May 2019 10:55:59 -0700 Subject: [PATCH 08/14] Adding pointer to new Istio guide from any-k8s install --- docs/install/Knative-with-any-k8s.md | 46 ++++++++-------------------- 1 file changed, 12 insertions(+), 34 deletions(-) diff --git a/docs/install/Knative-with-any-k8s.md b/docs/install/Knative-with-any-k8s.md index 8db8efb62b8..f48fad93b4f 100644 --- a/docs/install/Knative-with-any-k8s.md +++ b/docs/install/Knative-with-any-k8s.md 
@@ -21,40 +21,18 @@ commands will need to be adjusted for use in a Windows environment. ## Installing Istio -Knative depends on Istio. Istio workloads require privileged mode for Init -Containers. - -1. Install Istio: - - ```bash - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml && \ - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml - ``` - - Note: the resources (CRDs) defined in the `istio-crds.yaml`file are also - included in the `istio.yaml` file, but they are pulled out so that the CRD - definitions are created first. If you see an error when creating resources - about an unknown type, run the second `kubectl apply` command again. - -1. Label the default namespace with `istio-injection=enabled`: - - ```bash - kubectl label namespace default istio-injection=enabled - ``` - -1. Monitor the Istio components until all of the components show a `STATUS` of - `Running` or `Completed`: - - ```bash - kubectl get pods --namespace istio-system - ``` - -It will take a few minutes for all the components to be up and running; you can -rerun the command to see the current status. - -> Note: Instead of rerunning the command, you can add `--watch` to the above -> command to view the component's status updates in real time. Use CTRL + C to -> exit watch mode. +Knative depends on Istio. If your cloud platform offers a managed Istio +installation, we recommend installing Istio that way, unless you need the +ability to customize your installation. For example, the +[GKE Install Guide](./knative-with-gke.md) includes the instructions for +installing Istio on your cluster using `gcloud`. + +If you prefer to install Istio manually, your cloud provider doesn't offer +a managed Istio installation, or you're installing Knative locally using Minkube +or similar, see the [Installing Istio for Knative guide](./installing-istio.md). 
+ +You must install Istio on your Kubernetes cluster before continuing with these +instructions to install Knative. ## Installing Knative From 2d7e84263876bdff352f897510cff2e4b8f0912c Mon Sep 17 00:00:00 2001 From: Sam O'Dell Date: Tue, 14 May 2019 11:18:07 -0700 Subject: [PATCH 09/14] Adding pointer to new Istio guide to other installs --- docs/install/Knative-custom-install.md | 4 +-- docs/install/Knative-with-AKS.md | 36 ++++++---------------- docs/install/Knative-with-Gardener.md | 39 ++++++------------------ docs/install/Knative-with-ICP.md | 6 ++++ docs/install/Knative-with-IKS.md | 37 ++++++----------------- docs/install/Knative-with-Minikube.md | 29 +++--------------- docs/install/Knative-with-Minishift.md | 34 +++------------------ docs/install/Knative-with-PKS.md | 41 ++++++++------------------ docs/install/Knative-with-any-k8s.md | 7 +++-- 9 files changed, 60 insertions(+), 173 deletions(-) diff --git a/docs/install/Knative-custom-install.md b/docs/install/Knative-custom-install.md index 6ccc6342d92..9b962476836 100644 --- a/docs/install/Knative-custom-install.md +++ b/docs/install/Knative-custom-install.md @@ -48,8 +48,8 @@ If your cloud platform offers a managed Istio installation, we recommend installing Istio that way, unless you need the ability to customize your installation. -If you prefer to install Istio manually, your cloud provider doesn't offer -a managed Istio installation, or you're installing Knative locally using Minkube +If you prefer to install Istio manually, if your cloud provider doesn't offer +a managed Istio installation, or if you're installing Knative locally using Minkube or similar, see the [Installing Istio for Knative guide](./installing-istio.md). ## Installing Knative components diff --git a/docs/install/Knative-with-AKS.md b/docs/install/Knative-with-AKS.md index 1f99beb9b9d..aec183cd234 100644 --- a/docs/install/Knative-with-AKS.md +++ b/docs/install/Knative-with-AKS.md 
@@ -137,35 +137,17 @@ recommended configuration for a cluster is: > Gloo is not currently compatible with the Knative Eventing component. > [Click here](./Knative-with-Gloo.md) to install Knative with Gloo. -Knative depends on Istio. +Knative depends on Istio. If your cloud platform offers a managed Istio +installation, we recommend installing Istio that way, unless you need the +ability to customize your installation. -1. Install Istio: +If you prefer to install Istio manually, if your cloud provider doesn't offer +a managed Istio installation, or if you're installing Knative locally using +Minkube or similar, see the +[Installing Istio for Knative guide](./installing-istio.md). - ```bash - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml && \ - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml - ``` - - Note: the resources (CRDs) defined in the `istio-crds.yaml`file are also - included in the `istio.yaml` file, but they are pulled out so that the CRD - definitions are created first. If you see an error when creating resources - about an unknown type, run the second `kubectl apply` command again. - -1. Label the default namespace with `istio-injection=enabled`: - - ```bash - kubectl label namespace default istio-injection=enabled - ``` - -1. Monitor the Istio components until all of the components show a `STATUS` of - `Running` or `Completed`: `bash kubectl get pods --namespace istio-system` - -It will take a few minutes for all the components to be up and running; you can -rerun the command to see the current status. - -> Note: Instead of rerunning the command, you can add `--watch` to the above -> command to view the component's status updates in real time. Use CTRL + C to -> exit watch mode. +You must install Istio on your Kubernetes cluster before continuing with these +instructions to install Knative. 
## Installing Knative diff --git a/docs/install/Knative-with-Gardener.md b/docs/install/Knative-with-Gardener.md index eef0deca9c1..caf8bb05c5d 100644 --- a/docs/install/Knative-with-Gardener.md +++ b/docs/install/Knative-with-Gardener.md 
@@ -72,36 +72,15 @@ of this guide be sure you have `export KUBECONFIG=my-cluster.yaml` set. ## Installing Istio -Knative depends on Istio. - -1. Install Istio: - - ```bash - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml && \ - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml - ``` - - Note: the resources (CRDs) defined in the `istio-crds.yaml`file are also - included in the `istio.yaml` file, but they are pulled out so that the CRD - definitions are created first. If you see an error when creating resources - about an unknown type, run the second `kubectl apply` command again. - -2. Label the default namespace with `istio-injection=enabled`: - ```bash - kubectl label namespace default istio-injection=enabled - ``` -3. Monitor the Istio components until all of the components show a `STATUS` of - `Running` or `Completed`: - ```bash - kubectl get pods --namespace istio-system - ``` - -It will take a few minutes for all the components to be up and running; you can -rerun the command to see the current status. - -> Note: Instead of rerunning the command, you can add `--watch` to the above -> command to view the component's status updates in real time. Use CTRL + C to -> exit watch mode. +Knative depends on Istio. If your cloud platform offers a managed Istio +installation, we recommend installing Istio that way, unless you need the +ability to customize your installation. + +Otherwise, see the +[Installing Istio for Knative guide](./installing-istio.md) to install Istio. + +You must install Istio on your Kubernetes cluster before continuing with these +instructions to install Knative. ## Installing Knative diff --git a/docs/install/Knative-with-ICP.md b/docs/install/Knative-with-ICP.md index 6545e6af77d..dd154e80780 100644 --- a/docs/install/Knative-with-ICP.md +++ b/docs/install/Knative-with-ICP.md 
@@ -125,6 +125,12 @@ the`knative-build` and `knative-monitoring` namespaces. [Follow the instructions to install and run Istio in IBM Cloud Private](https://istio.io/docs/setup/kubernetes/quick-start-ibm/#ibm-cloud-private). +If you prefer to install Istio manually, see the +[Installing Istio for Knative guide](./installing-istio.md). + +You must install Istio on your Kubernetes cluster before continuing with these +instructions to install Knative. + ## Installing Knative The following commands install all available Knative components as well as the diff --git a/docs/install/Knative-with-IKS.md b/docs/install/Knative-with-IKS.md index ecad2506ee0..a7dfe4c05b6 100644 --- a/docs/install/Knative-with-IKS.md +++ b/docs/install/Knative-with-IKS.md 
@@ -154,36 +154,17 @@ forward. ### Installing Istio -Knative depends on Istio. +Knative depends on Istio. If your cloud platform offers a managed Istio +installation, we recommend installing Istio that way, unless you need the +ability to customize your installation. -1. Install Istio: +If you prefer to install Istio manually, if your cloud provider doesn't offer +a managed Istio installation, or if you're installing Knative locally using +Minkube or similar, see the +[Installing Istio for Knative guide](./installing-istio.md). - ```bash - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml && \ - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml - ``` - - Note: the resources (CRDs) defined in the `istio-crds.yaml`file are also - included in the `istio.yaml` file, but they are pulled out so that the CRD - definitions are created first. If you see an error when creating resources - about an unknown type, run the second `kubectl apply` command again. - -1. Label the default namespace with `istio-injection=enabled`: - ```bash - kubectl label namespace default istio-injection=enabled - ``` -1. Monitor the Istio components until all of the components show a `STATUS` of - `Running` or `Completed`: - ```bash - kubectl get pods --namespace istio-system - ``` - -It will take a few minutes for all the components to be up and running; you can -rerun the command to see the current status. - -> Note: Instead of rerunning the command, you can add `--watch` to the above -> command to view the component's status updates in real time. Use CTRL+C to -> exit watch mode. +You must install Istio on your Kubernetes cluster before continuing with these +instructions to install Knative. ### Installing Knative diff --git a/docs/install/Knative-with-Minikube.md b/docs/install/Knative-with-Minikube.md index a723cdd14d9..7d784cf23fa 100644 
--- a/docs/install/Knative-with-Minikube.md +++ b/docs/install/Knative-with-Minikube.md @@ -62,32 +62,11 @@ minikube start --memory=8192 --cpus=4 \ > Gloo is not currently compatible with the Knative Eventing component. > [Click here](./Knative-with-Gloo.md) to install Knative with Gloo. -Knative depends on Istio. Run the following to install Istio. (We are changing -`LoadBalancer` to `NodePort` for the `istio-ingress` service). +Knative depends on Istio. See the +[Installing Istio for Knative guide](./installing-istio.md) to install Istio. -```shell -kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml && -curl -L https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml \ - | sed 's/LoadBalancer/NodePort/' \ - | kubectl apply --filename - - -# Label the default namespace with istio-injection=enabled. -kubectl label namespace default istio-injection=enabled -``` - -Monitor the Istio components until all of the components show a `STATUS` of -`Running` or `Completed`: - -```shell -kubectl get pods --namespace istio-system -``` - -It will take a few minutes for all the components to be up and running; you can -rerun the command to see the current status. - -> Note: Instead of rerunning the command, you can add `--watch` to the above -> command to view the component's status updates in real time. Use CTRL+C to -> exit watch mode. +You must install Istio on your Kubernetes cluster before continuing with these +instructions to install Knative. ## Installing Knative diff --git a/docs/install/Knative-with-Minishift.md b/docs/install/Knative-with-Minishift.md index 6d0058761b8..1644ac01f19 100644 --- a/docs/install/Knative-with-Minishift.md +++ b/docs/install/Knative-with-Minishift.md 
@@ -140,37 +140,11 @@ minishift oc-env #### Installing Istio -Knative depends on Istio. The -[istio-openshift-policies.sh](./scripts/istio-openshift-policies.sh) does run -the required commands to configure necessary -[privileges](https://istio.io/docs/setup/kubernetes/platform-setup/openshift/) -to the service accounts used by Istio. +Knative depends on Istio. See the +[Installing Istio for Knative guide](./installing-istio.md) to install Istio. -```shell -curl -s https://raw.githubusercontent.com/knative/docs/master/docs/install/scripts/istio-openshift-policies.sh | bash -``` - -1. Run the following to install Istio: - - ```shell - oc apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml && \ - oc apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml - ``` - - Note: the resources (CRDs) defined in the `istio-crds.yaml`file are also - included in the `istio.yaml` file, but they are pulled out so that the CRD - definitions are created first. If you see an error when creating resources - about an unknown type, run the second `oc apply` command again. - -2. Ensure the istio-sidecar-injector pods runs as privileged: - ```shell - oc get cm istio-sidecar-injector -n istio-system -oyaml | sed -e 's/securityContext:/securityContext:\\n privileged: true/' | oc replace -f - - ``` -3. Monitor the Istio components until all of the components show a `STATUS` of - `Running` or `Completed`: - `shell while oc get pods -n istio-system | grep -v -E "(Running|Completed|STATUS)"; do sleep 5; done` - > **NOTE:** It will take a few minutes for all the components to be up and - > running. +You must install Istio on your Kubernetes cluster before continuing with these +instructions to install Knative. ### Install Knative diff --git a/docs/install/Knative-with-PKS.md b/docs/install/Knative-with-PKS.md index 503028c6dba..f986a2cc7f8 100644 
--- a/docs/install/Knative-with-PKS.md +++ b/docs/install/Knative-with-PKS.md 
@@ -48,34 +48,19 @@ https://docs.pivotal.io/runtimes/pks/1-1/cluster-credentials.html. ## Installing Istio -Knative depends on Istio. Istio workloads require privileged mode for Init -Containers - -1. Install Istio: - - ```bash - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml && \ - kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml - ``` - - Note: the resources (CRDs) defined in the `istio-crds.yaml`file are also - included in the `istio.yaml` file, but they are pulled out so that the CRD - definitions are created first. If you see an error when creating resources - about an unknown type, run the second `kubectl apply` command again. - -1. Label the default namespace with `istio-injection=enabled`: - ```bash - kubectl label namespace default istio-injection=enabled - ``` -1. Monitor the Istio components until all of the components show a `STATUS` of - `Running` or `Completed`: `bash kubectl get pods --namespace istio-system` - -It will take a few minutes for all the components to be up and running; you can -rerun the command to see the current status. - -> Note: Instead of rerunning the command, you can add `--watch` to the above -> command to view the component's status updates in real time. Use CTRL + C to -> exit watch mode. +Knative depends on Istio. If your cloud platform offers a managed Istio +installation, we recommend installing Istio that way, unless you need the +ability to customize your installation. For example, the +[GKE Install Guide](./knative-with-gke.md) includes the instructions for +installing Istio on your cluster using `gcloud`. + +If you prefer to install Istio manually, if your cloud provider doesn't offer +a managed Istio installation, or if you're installing Knative locally using +Minkube or similar, see the +[Installing Istio for Knative guide](./installing-istio.md). 
+ +You must install Istio on your Kubernetes cluster before continuing with these +instructions to install Knative. ## Installing Knative diff --git a/docs/install/Knative-with-any-k8s.md b/docs/install/Knative-with-any-k8s.md index f48fad93b4f..b6b0a57ec82 100644 --- a/docs/install/Knative-with-any-k8s.md +++ b/docs/install/Knative-with-any-k8s.md @@ -27,9 +27,10 @@ ability to customize your installation. For example, the [GKE Install Guide](./knative-with-gke.md) includes the instructions for installing Istio on your cluster using `gcloud`. -If you prefer to install Istio manually, your cloud provider doesn't offer -a managed Istio installation, or you're installing Knative locally using Minkube -or similar, see the [Installing Istio for Knative guide](./installing-istio.md). +If you prefer to install Istio manually, if your cloud provider doesn't offer +a managed Istio installation, or if you're installing Knative locally using +Minkube or similar, see the +[Installing Istio for Knative guide](./installing-istio.md). You must install Istio on your Kubernetes cluster before continuing with these instructions to install Knative. From ccfd3df848cca3b0c287cde22eb655896daf9d1f Mon Sep 17 00:00:00 2001 From: Sam O'Dell Date: Tue, 14 May 2019 11:20:09 -0700 Subject: [PATCH 10/14] Reverting minikube changes --- docs/install/Knative-with-Minikube.md | 29 +++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/docs/install/Knative-with-Minikube.md b/docs/install/Knative-with-Minikube.md index 7d784cf23fa..a723cdd14d9 100644 --- a/docs/install/Knative-with-Minikube.md +++ b/docs/install/Knative-with-Minikube.md 
@@ -62,11 +62,32 @@ minikube start --memory=8192 --cpus=4 \ > Gloo is not currently compatible with the Knative Eventing component. > [Click here](./Knative-with-Gloo.md) to install Knative with Gloo. -Knative depends on Istio. See the -[Installing Istio for Knative guide](./installing-istio.md) to install Istio. +Knative depends on Istio. Run the following to install Istio. (We are changing +`LoadBalancer` to `NodePort` for the `istio-ingress` service). -You must install Istio on your Kubernetes cluster before continuing with these -instructions to install Knative. +```shell +kubectl apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml && +curl -L https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml \ + | sed 's/LoadBalancer/NodePort/' \ + | kubectl apply --filename - + +# Label the default namespace with istio-injection=enabled. +kubectl label namespace default istio-injection=enabled +``` + +Monitor the Istio components until all of the components show a `STATUS` of +`Running` or `Completed`: + +```shell +kubectl get pods --namespace istio-system +``` + +It will take a few minutes for all the components to be up and running; you can +rerun the command to see the current status. + +> Note: Instead of rerunning the command, you can add `--watch` to the above +> command to view the component's status updates in real time. Use CTRL+C to +> exit watch mode. ## Installing Knative From f994f9c7ea3fafe4be6d7ae2e1a8b58aa12c1056 Mon Sep 17 00:00:00 2001 From: Sam O'Dell Date: Tue, 14 May 2019 11:31:57 -0700 Subject: [PATCH 11/14] Makes automatic sidecar injection the default --- docs/install/installing-istio.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/install/installing-istio.md b/docs/install/installing-istio.md index 5d1b7ab98ef..6a1010059c6 100644 --- a/docs/install/installing-istio.md +++ b/docs/install/installing-istio.md 
@@ -25,7 +25,7 @@ You need: When you install Istio, there are a few options depending on your goals. For a basic Istio installation suitable for most Knative use cases, follow the -[Installing Istio without sidecar injection](#installing-istio-without-sidecar-injection) +[Installing Istio with sidecar injection](#installing-istio-with-sidecar-injection) instructions. If you're familiar with Istio and know what kind of installation you want, read through the options and choose the installation that suits your needs. From 8b4a8f9373b076615d336866bcd848f4aa4264c5 Mon Sep 17 00:00:00 2001 From: Sam O'Dell Date: Tue, 14 May 2019 11:34:13 -0700 Subject: [PATCH 12/14] Reverting minishift changes too --- docs/install/Knative-with-Minishift.md | 34 +++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/docs/install/Knative-with-Minishift.md b/docs/install/Knative-with-Minishift.md index 1644ac01f19..6d0058761b8 100644 --- a/docs/install/Knative-with-Minishift.md +++ b/docs/install/Knative-with-Minishift.md 
@@ -140,11 +140,37 @@ minishift oc-env #### Installing Istio -Knative depends on Istio. See the -[Installing Istio for Knative guide](./installing-istio.md) to install Istio. +Knative depends on Istio. The +[istio-openshift-policies.sh](./scripts/istio-openshift-policies.sh) does run +the required commands to configure necessary +[privileges](https://istio.io/docs/setup/kubernetes/platform-setup/openshift/) +to the service accounts used by Istio. -You must install Istio on your Kubernetes cluster before continuing with these -instructions to install Knative. +```shell +curl -s https://raw.githubusercontent.com/knative/docs/master/docs/install/scripts/istio-openshift-policies.sh | bash +``` + +1. Run the following to install Istio: + + ```shell + oc apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio-crds.yaml && \ + oc apply --filename https://raw.githubusercontent.com/knative/serving/v0.5.2/third_party/istio-1.0.7/istio.yaml + ``` + + Note: the resources (CRDs) defined in the `istio-crds.yaml`file are also + included in the `istio.yaml` file, but they are pulled out so that the CRD + definitions are created first. If you see an error when creating resources + about an unknown type, run the second `oc apply` command again. + +2. Ensure the istio-sidecar-injector pods runs as privileged: + ```shell + oc get cm istio-sidecar-injector -n istio-system -oyaml | sed -e 's/securityContext:/securityContext:\\n privileged: true/' | oc replace -f - + ``` +3. Monitor the Istio components until all of the components show a `STATUS` of + `Running` or `Completed`: + `shell while oc get pods -n istio-system | grep -v -E "(Running|Completed|STATUS)"; do sleep 5; done` + > **NOTE:** It will take a few minutes for all the components to be up and + > running. ### Install Knative From 290e9e9b9cd6efab3302b78c8cf28f6c9374dfb2 Mon Sep 17 00:00:00 2001 
From: Sam O'Dell Date: Wed, 15 May 2019 09:49:05 -0700 Subject: [PATCH 13/14] Changing default to without sidecar injection --- docs/install/installing-istio.md | 74 ++++++++++++++------------------ 1 file changed, 33 insertions(+), 41 deletions(-) diff --git a/docs/install/installing-istio.md b/docs/install/installing-istio.md index 6a1010059c6..f4a1c1d6e31 100644 --- a/docs/install/installing-istio.md +++ b/docs/install/installing-istio.md @@ -10,7 +10,8 @@ with Knative. If your cloud platform offers a managed Istio installation, we recommend installing Istio that way, unless you need the ability to customize your installation. If your cloud platform offers a managed Istio installation, -the [install guide](./README.md) for your specific platform will have those instructions. +the [install guide](./README.md) for your specific platform will have those +instructions. For example, the [GKE Install Guide](./knative-with-gke.md) includes the instructions for installing Istio on your cluster using `gcloud`. @@ -45,16 +46,8 @@ You can install Istio with or without a service mesh: routing and ingress, without the Istio service mesh. You do have the option of later enabling the service mesh if you [manually inject the Istio sidecars][2]. -If you are just getting started with Knative, you should choose automatic -sidecar injection and enable the Istio service mesh. - -Due to current dependencies, some installable Knative options require the Istio -service mesh. If you install any of the following options, you must install -Istio with automatic sidecar injection enabled: - -- [Knative Eventing](https://github.com/knative/eventing) -- [Knative Eventing Sources](https://github.com/knative/eventing-sources) -- [Observability plugins](../serving/installing-logging-metrics-traces.md) +If you are just getting started with Knative, we recommend installing Istio +without automatic sidecar injection. ### Downloading Istio and installing CRDs 
@@ -77,31 +70,24 @@ Istio with automatic sidecar injection enabled: then continue with these instructions. 1. Finish the install by applying your desired Istio configuration: - - [Installing Istio with sidecar injection](#installing-istio-with-sidecar-injection) (Recommended default installation) - - [Installing Istio without sidecar injection](#installing-istio-without-sidecar-injection) + - [Installing Istio without sidecar injection](#installing-istio-without-sidecar-injection)(Recommended default installation) + - [Installing Istio with sidecar injection](#installing-istio-with-sidecar-injection) - [Installing Istio with SDS to secure the ingress gateway](#installing-istio-with-SDS-to-secure-the-ingress-gateway) -#### Installing Istio with sidecar injection - -If you want to get up and running with Knative quickly, installing Istio with -sidecar injection is the recommended install. If you want to enable the Istio -service mesh, you must enable [automatic sidecar injection][1]. The Istio -service mesh provides a few benefits: - -- Allows you to turn on [mutual TLS][4], which secures service-to-service - traffic within the cluster. +#### Installing Istio without sidecar injection -- Allows you to use the [Istio authorization policy][5], controlling the access - to each Knative service based on Istio service roles. +If you want to get up and running with Knative quickly, we recommend installing +Istio without automatic sidecar injection. This install is also recommended for +users who don't need the Istio service mesh, or who want to enable the service +mesh by [manually injecting the Istio sidecars][2]. Enter the following command to install Istio: ```shell -# A template with sidecar injection enabled. +# A lighter template, with no sidecar injection. 
helm template --namespace=istio-system \ - --set sidecarInjectorWebhook.enabled=true \ - --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ --set global.proxy.autoInject=disabled \ + --set global.omitSidecarInjectorConfigMap=true \ --set global.disablePolicyChecks=true \ --set prometheus.enabled=false \ `# Disable mixer prometheus adapter to remove istio default metrics.` \ 
@@ -111,33 +97,35 @@ helm template --namespace=istio-system \ `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ --set gateways.istio-ingressgateway.autoscaleMin=1 \ --set gateways.istio-ingressgateway.autoscaleMax=1 \ - --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ - --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ - `# More pilot replicas for better scale` \ - --set pilot.autoscaleMin=2 \ `# Set pilot trace sampling to 100%` \ --set pilot.traceSampling=100 \ install/kubernetes/helm/istio \ `# Removing trailing whitespaces to make automation happy` \ | sed 's/[ \t]*$//' \ - > ./istio.yaml + > ./istio-lean.yaml -kubectl apply -f istio.yaml +kubectl apply -f istio-lean.yaml ``` -#### Installing Istio without sidecar injection +#### Installing Istio with sidecar injection -Installing istio without automatic sidecar injection is recommended for users -who don't need the Istio service mesh, or who want to enable the service mesh by -[manually injecting the Istio sidecars][2]. +If you want to enable the Istio service mesh, you must enable +[automatic sidecar injection][1]. The Istio service mesh provides a few benefits: + +- Allows you to turn on [mutual TLS][4], which secures service-to-service + traffic within the cluster. + +- Allows you to use the [Istio authorization policy][5], controlling the access + to each Knative service based on Istio service roles. Enter the following command to install Istio: ```shell -# A lighter template, with no sidecar injection. +# A template with sidecar injection enabled. helm template --namespace=istio-system \ + --set sidecarInjectorWebhook.enabled=true \ + --set sidecarInjectorWebhook.enableNamespacesByDefault=true \ --set global.proxy.autoInject=disabled \ - --set global.omitSidecarInjectorConfigMap=true \ --set global.disablePolicyChecks=true \ --set prometheus.enabled=false \ `# Disable mixer prometheus adapter to remove istio default metrics.` \ 
@@ -147,14 +135,18 @@ helm template --namespace=istio-system \ `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \ --set gateways.istio-ingressgateway.autoscaleMin=1 \ --set gateways.istio-ingressgateway.autoscaleMax=1 \ + --set gateways.istio-ingressgateway.resources.requests.cpu=500m \ + --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \ + `# More pilot replicas for better scale` \ + --set pilot.autoscaleMin=2 \ `# Set pilot trace sampling to 100%` \ --set pilot.traceSampling=100 \ install/kubernetes/helm/istio \ `# Removing trailing whitespaces to make automation happy` \ | sed 's/[ \t]*$//' \ - > ./istio-lean.yaml + > ./istio.yaml -kubectl apply -f istio-lean.yaml +kubectl apply -f istio.yaml ``` #### Installing Istio with SDS to secure the ingress gateway From c08ce928a75a1c6c77893641c7b878cae9c42047 Mon Sep 17 00:00:00 2001 From: Sam O'Dell Date: Wed, 15 May 2019 12:09:54 -0700 Subject: [PATCH 14/14] Changing default to without sidecar injection --- docs/install/installing-istio.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/install/installing-istio.md b/docs/install/installing-istio.md index f4a1c1d6e31..b85ad41bd5d 100644 --- a/docs/install/installing-istio.md +++ b/docs/install/installing-istio.md @@ -26,7 +26,7 @@ You need: When you install Istio, there are a few options depending on your goals. For a basic Istio installation suitable for most Knative use cases, follow the -[Installing Istio with sidecar injection](#installing-istio-with-sidecar-injection) +[Installing Istio without sidecar injection](#installing-istio-without-sidecar-injection) instructions. If you're familiar with Istio and know what kind of installation you want, read through the options and choose the installation that suits your needs.
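Review bot: In the docs/install/Knative-with-PKS.md hunk (@@ -48,34 +48,19 @@), the removed sentence "Istio workloads require privileged mode for Init Containers" is a platform prerequisite, and nothing in the added text replaces it. If PKS clusters still need privileged containers enabled for Istio, keep that sentence above the link to the shared guide so readers do not find out from failing init containers. In the same added paragraph "Minkube" should read "Minikube"; the re-wrapped paragraph in docs/install/Knative-with-any-k8s.md carries the same typo. The link `./knative-with-gke.md` is lower case while the sibling files in this series are named `Knative-with-PKS.md` and `Knative-with-Minikube.md`, so confirm the target's case resolves on a case-sensitive host.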
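Review bot: In PATCH 10/14 (docs/install/Knative-with-Minikube.md, @@ -62,11 +62,32 @@), the restored block leaves Minikube on a different Istio setup from the one the rest of the series recommends, and the page does not say why. It applies the `istio-1.0.7` manifests from `knative/serving/v0.5.2` and runs `kubectl label namespace default istio-injection=enabled`, while PATCH 13/14 tells new users to install Istio without automatic sidecar injection. Add a sentence explaining that Minikube keeps its own steps because of the `LoadBalancer` to `NodePort` change, and link to the shared guide for everything else. Also note that `sed 's/LoadBalancer/NodePort/'` rewrites every line of istio.yaml that contains `LoadBalancer`, not only the `istio-ingress` service named in the prose; either narrow the substitution or say that all services are affected.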
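Review bot: In PATCH 12/14 (docs/install/Knative-with-Minishift.md, @@ -140,11 +140,37 @@), the restored `curl -s https://raw.githubusercontent.com/knative/docs/master/docs/install/scripts/istio-openshift-policies.sh | bash` runs a script fetched from the mutable `master` branch without any review step, and that script changes service account privileges. Pin the URL to a tag or commit, as the `v0.5.2` manifest URLs in the same hunk already do, and have the reader download the file and inspect it before running it. Step 2 adds `privileged: true` after each line containing `securityContext:` in the `istio-sidecar-injector` ConfigMap; state why privileged mode is required and which containers end up with it. Step 3 has its fence collapsed into inline code, so the word `shell` is rendered as part of the `while oc get pods ...` command; restore the fenced block.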
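Review bot: In PATCH 13/14, first hunk of docs/install/installing-istio.md (@@ -45,16 +46,8 @@), the list of components that require automatic sidecar injection (Knative Eventing, Knative Eventing Sources, Observability plugins) is deleted in the same change that makes the no-injection install the recommended default. If those dependencies still hold, readers who follow the new default and then add Eventing or the observability plugins will have an Istio install that cannot support them, so keep the list as a caveat under the new recommendation. If the dependencies no longer apply, say so in the commit message. The new default section should also state that it does not provide the mutual TLS and Istio authorization policy benefits that the "with sidecar injection" section lists, so the trade-off is visible where the choice is made.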
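Review bot: In PATCH 13/14, second hunk (@@ -77,31 +70,24 @@), the added list item `(#installing-istio-without-sidecar-injection)(Recommended default installation)` is missing the space between the link and the parenthetical, which the removed line had. The unchanged third item links to `#installing-istio-with-SDS-to-secure-the-ingress-gateway` with an upper-case "SDS" while the other two anchors are all lower case; verify that anchor against the rendered heading while touching this list.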
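Review bot: In PATCH 13/14, the helm template hunks (@@ -111,33 +97,35 @@ and @@ -147,14 +135,18 @@), the "with sidecar injection" template sets `sidecarInjectorWebhook.enabled=true` and `sidecarInjectorWebhook.enableNamespacesByDefault=true` together with `global.proxy.autoInject=disabled`, with no comment on how the three interact. The other non-obvious flags in this command carry a backtick comment; add one here stating which pods actually receive a sidecar with this combination, since a section titled "with sidecar injection" that also passes `autoInject=disabled` reads as a contradiction. `pilot.traceSampling=100` is kept in both templates, including the one now recommended as the default; say whether 100% sampling is intended outside of a trial install.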
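Review bot: PATCH 11/14 and PATCH 14/14 cancel each other out on the same line of docs/install/installing-istio.md (@@ -25,7 +25,7 @@ and @@ -26,7 +26,7 @@): the first points the intro link at `#installing-istio-with-sidecar-injection` and the second points it back at `#installing-istio-without-sidecar-injection`. PATCH 14/14 also reuses the subject of PATCH 13/14, "Changing default to without sidecar injection". Squash 11 and 14 away, or fold 14 into 13, so the history shows one decision about the default and the intro link never disagrees with the section marked "Recommended default installation".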