diff --git a/multi_cluster/tools/README.md b/multi_cluster/tools/README.md index b9e09744d..8809191ec 100644 --- a/multi_cluster/tools/README.md +++ b/multi_cluster/tools/README.md @@ -5,15 +5,15 @@ The script is intended to install Istio in the multi E2E clusters that we have c Steps to run the script and verify it: * Install the istioctl binary: - `curl -sL https://istio.io/downloadIstioctl | ISTIO_VERSION=1.9.1 sh -` + `curl -sL https://istio.io/downloadIstioctl | ISTIO_VERSION=1.27.1 sh -` `export PATH=$PATH:$HOME/.istioctl/bin` * Export cluster variables: `export CTX_CLUSTER1=e2e.cluster1.mongokubernetes.com` - + `export CTX_CLUSTER2=e2e.cluster2.mongokubernetes.com ` * Run the script : `sh ./install_istio.sh` -* [Verify the Istio installation](https://istio.io/latest/docs/setup/install/multicluster/verify/) \ No newline at end of file +* [Verify the Istio installation](https://istio.io/latest/docs/setup/install/multicluster/verify/) diff --git a/multi_cluster/tools/download_istio.sh b/multi_cluster/tools/download_istio.sh index 0fb687682..880644f48 100755 --- a/multi_cluster/tools/download_istio.sh +++ b/multi_cluster/tools/download_istio.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash set -Eeou pipefail -export VERSION=${VERSION:-1.16.1} +export VERSION=${VERSION:-1.27.1} ISTIO_SCRIPT_CHECKSUM="254c6bd6aa5b8ac8c552561c84d8e9b3a101d9e613e2a8edd6db1f19c1871dbf" echo "Checking if we need to download Istio ${VERSION}" diff --git a/multi_cluster/tools/install_istio.sh b/multi_cluster/tools/install_istio.sh index 8e65b56fc..3574cfb6f 100755 --- a/multi_cluster/tools/install_istio.sh +++ b/multi_cluster/tools/install_istio.sh 
@@ -5,7 +5,7 @@ set -eux export CTX_CLUSTER1=${CTX_CLUSTER1:-e2e.cluster1.mongokubernetes.com} export CTX_CLUSTER2=${CTX_CLUSTER2:-e2e.cluster2.mongokubernetes.com} export CTX_CLUSTER3=${CTX_CLUSTER3:-e2e.cluster3.mongokubernetes.com} -export VERSION=${VERSION:-1.12.8} +export VERSION=${VERSION:-1.27.1} IS_KIND="false" if [[ $CTX_CLUSTER1 = kind* ]]; then @@ -38,6 +38,7 @@ make -f ../tools/certs/Makefile.selfsigned.mk "${CTX_CLUSTER3}-cacerts" || make # create cluster secret objects with the certs and keys kubectl --context="${CTX_CLUSTER1}" delete ns istio-system || true kubectl --context="${CTX_CLUSTER1}" create ns istio-system +kubectl --context="${CTX_CLUSTER1}" label --overwrite ns istio-system pod-security.kubernetes.io/enforce=privileged kubectl --context="${CTX_CLUSTER1}" create secret generic cacerts -n istio-system \ --from-file=${CTX_CLUSTER1}/ca-cert.pem \ --from-file=${CTX_CLUSTER1}/ca-key.pem \ @@ -46,6 +47,7 @@ kubectl --context="${CTX_CLUSTER1}" create secret generic cacerts -n istio-syste kubectl --context="${CTX_CLUSTER2}" delete ns istio-system || true kubectl --context="${CTX_CLUSTER2}" create ns istio-system +kubectl --context="${CTX_CLUSTER2}" label --overwrite ns istio-system pod-security.kubernetes.io/enforce=privileged kubectl --context="${CTX_CLUSTER2}" create secret generic cacerts -n istio-system \ --from-file=${CTX_CLUSTER2}/ca-cert.pem \ --from-file=${CTX_CLUSTER2}/ca-key.pem \ @@ -54,6 +56,7 @@ kubectl --context="${CTX_CLUSTER2}" create secret generic cacerts -n istio-syste kubectl --context="${CTX_CLUSTER3}" delete ns istio-system || true kubectl --context="${CTX_CLUSTER3}" create ns istio-system +kubectl --context="${CTX_CLUSTER3}" label --overwrite ns istio-system pod-security.kubernetes.io/enforce=privileged kubectl --context="${CTX_CLUSTER3}" create secret generic cacerts -n istio-system \ --from-file=${CTX_CLUSTER3}/ca-cert.pem \ --from-file=${CTX_CLUSTER3}/ca-key.pem \ 
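Review bot: The added `label --overwrite ns istio-system pod-security.kubernetes.io/enforce=privileged` lifts Pod Security admission for every workload in istio-system, not only the CNI node agent that presumably needs it. The same line is added for CTX_CLUSTER2 and CTX_CLUSTER3 in the next two hunks. Nothing in the hunk records why the namespace needs the privileged level, so I would put a comment above the label, for example `# istio-cni runs with host access; PSA must admit privileged pods in istio-system`. To keep visibility into what else is scheduled there, consider also setting `pod-security.kubernetes.io/warn=baseline` and `pod-security.kubernetes.io/audit=baseline` on the namespace.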
@@ -67,6 +70,10 @@ apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: tag: ${VERSION} + components: + cni: + namespace: istio-system + enabled: true meshConfig: defaultConfig: terminationDrainDuration: 30s @@ -81,13 +88,17 @@ spec: network: network1 EOF -bin/istioctl install --context="${CTX_CLUSTER1}" -f cluster1.yaml -y & +bin/istioctl install --context="${CTX_CLUSTER1}" --set components.cni.enabled=true -f cluster1.yaml -y & cat <cluster2.yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: tag: ${VERSION} + components: + cni: + namespace: istio-system + enabled: true meshConfig: defaultConfig: terminationDrainDuration: 30s @@ -102,13 +113,17 @@ spec: network: network1 EOF -bin/istioctl install --context="${CTX_CLUSTER2}" -f cluster2.yaml -y & +bin/istioctl install --context="${CTX_CLUSTER2}" --set components.cni.enabled=true -f cluster2.yaml -y & cat <cluster3.yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: tag: ${VERSION} + components: + cni: + namespace: istio-system + enabled: true meshConfig: defaultConfig: terminationDrainDuration: 30s @@ -123,7 +138,7 @@ spec: network: network1 EOF -bin/istioctl install --context="${CTX_CLUSTER3}" -f cluster3.yaml -y & +bin/istioctl install --context="${CTX_CLUSTER3}" --set components.cni.enabled=true -f cluster3.yaml -y & wait 
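Review bot: `--set components.cni.enabled=true` on the changed `istioctl install` line repeats the `components.cni.enabled: true` block this commit adds to cluster1.yaml, so the setting now lives in two places that can drift apart. I would keep it only in the generated IstioOperator file and leave the command as `bin/istioctl install --context="${CTX_CLUSTER1}" -f cluster1.yaml -y &`. The same duplication appears in the cluster2 and cluster3 hunks below and in the three install hunks of install_istio_separate_network.sh.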
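Review bot: The three installs are started with `&` and joined by a bare `wait`, which returns 0 whatever the jobs returned, so a failed CNI-enabled install on one cluster does not stop the script even under `set -eux`. Record each job with `pids+=("$!")` after the backgrounded command and replace `wait` with `for pid in "${pids[@]}"; do wait "$pid"; done`, so a failing install aborts the run before remote secrets are exchanged. The background pattern predates this commit, but the changed install lines are the ones it affects.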
@@ -131,46 +146,46 @@ CLUSTER_1_ADDITIONAL_OPTS="" CLUSTER_2_ADDITIONAL_OPTS="" CLUSTER_3_ADDITIONAL_OPTS="" if [[ $IS_KIND == "true" ]]; then - CLUSTER_1_ADDITIONAL_OPTS="--server https://$(kubectl --context=${CTX_CLUSTER1} get node e2e-cluster-1-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" - CLUSTER_2_ADDITIONAL_OPTS="--server https://$(kubectl --context=${CTX_CLUSTER2} get node e2e-cluster-2-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" - CLUSTER_3_ADDITIONAL_OPTS="--server https://$(kubectl --context=${CTX_CLUSTER3} get node e2e-cluster-3-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" + CLUSTER_1_ADDITIONAL_OPTS="--server https://$(kubectl --context="${CTX_CLUSTER1}" get node e2e-cluster-1-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" + CLUSTER_2_ADDITIONAL_OPTS="--server https://$(kubectl --context="${CTX_CLUSTER2}" get node e2e-cluster-2-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" + CLUSTER_3_ADDITIONAL_OPTS="--server https://$(kubectl --context="${CTX_CLUSTER3}" get node e2e-cluster-3-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" fi # enable endpoint discovery bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER1}" \ -n istio-system \ - --name=cluster1 ${CLUSTER_1_ADDITIONAL_OPTS} | + --name=cluster1 "${CLUSTER_1_ADDITIONAL_OPTS}" | kubectl apply -f - --context="${CTX_CLUSTER2}" bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER1}" \ -n istio-system \ - --name=cluster1 ${CLUSTER_1_ADDITIONAL_OPTS} | + --name=cluster1 "${CLUSTER_1_ADDITIONAL_OPTS}" | kubectl apply -f - --context="${CTX_CLUSTER3}" bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER2}" \ -n istio-system \ - --name=cluster2 ${CLUSTER_2_ADDITIONAL_OPTS} | + --name=cluster2 "${CLUSTER_2_ADDITIONAL_OPTS}" | kubectl 
apply -f - --context="${CTX_CLUSTER1}" bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER2}" \ -n istio-system \ - --name=cluster2 ${CLUSTER_2_ADDITIONAL_OPTS} | + --name=cluster2 "${CLUSTER_2_ADDITIONAL_OPTS}" | kubectl apply -f - --context="${CTX_CLUSTER3}" bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER3}" \ -n istio-system \ - --name=cluster3 ${CLUSTER_3_ADDITIONAL_OPTS} | + --name=cluster3 "${CLUSTER_3_ADDITIONAL_OPTS}" | kubectl apply -f - --context="${CTX_CLUSTER1}" bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER3}" \ -n istio-system \ - --name=cluster3 ${CLUSTER_3_ADDITIONAL_OPTS} | + --name=cluster3 "${CLUSTER_3_ADDITIONAL_OPTS}" | kubectl apply -f - --context="${CTX_CLUSTER2}" # disable namespace injection explicitly for istio-system namespace kubectl --context="${CTX_CLUSTER1}" label namespace istio-system istio-injection=disabled diff --git a/multi_cluster/tools/install_istio_central.sh b/multi_cluster/tools/install_istio_central.sh index da6f84477..2fcdadc12 100755 --- a/multi_cluster/tools/install_istio_central.sh +++ b/multi_cluster/tools/install_istio_central.sh @@ -2,12 +2,12 @@ set -eux -export VERSION=${VERSION:-1.14.2} +export VERSION=${VERSION:-1.27.1} export CTX_CLUSTER=${CTX_CLUSTER:-e2e.operator.mongokubernetes.com} source multi_cluster/tools/download_istio.sh -cd istio-${VERSION} +cd istio-"${VERSION}" bin/istioctl x uninstall --context="${CTX_CLUSTER}" --purge --skip-confirmation -bin/istioctl install --context="${CTX_CLUSTER}" --set profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY --skip-confirmation +bin/istioctl install --context="${CTX_CLUSTER}" --set components.cni.enabled=true --set profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY --skip-confirmation 
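Review bot: Quoting `"${CLUSTER_1_ADDITIONAL_OPTS}"` in the six `create-remote-secret` calls changes what istioctl receives. On kind clusters `--server https://<ip>:6443` now arrives as one word instead of a flag and its value, which should fail flag parsing. On other clusters an empty-string argument is passed where previously nothing was, and the outcome depends on how istioctl treats a stray empty positional argument. Holding the options in a bash array keeps both the quoting and the word boundaries, as sketched below for cluster 1; CLUSTER_2 and CLUSTER_3 follow the same pattern. With `set -u` on bash older than 4.4 an empty array expansion is an error, so `${CLUSTER_1_ADDITIONAL_OPTS[@]+"${CLUSTER_1_ADDITIONAL_OPTS[@]}"}` is the portable form if that matters here.

```shell
CLUSTER_1_ADDITIONAL_OPTS=()
# … same for CLUSTER_2_ADDITIONAL_OPTS and CLUSTER_3_ADDITIONAL_OPTS …
if [[ $IS_KIND == "true" ]]; then
  CLUSTER_1_ADDITIONAL_OPTS=(--server "https://$(kubectl --context="${CTX_CLUSTER1}" get node e2e-cluster-1-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443")
  # … same for clusters 2 and 3 …
fi

bin/istioctl x create-remote-secret \
  --context="${CTX_CLUSTER1}" \
  -n istio-system \
  --name=cluster1 "${CLUSTER_1_ADDITIONAL_OPTS[@]}" |
  kubectl apply -f - --context="${CTX_CLUSTER2}"
# … unchanged: the other five create-remote-secret calls, each using its cluster's array …
```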
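Review bot: This install now enables the CNI component, but unlike install_istio.sh in the same commit nothing in the hunk sets a Pod Security level on istio-system. If the operator cluster enforces a level stricter than privileged, the CNI pods would presumably be rejected and the install would fail or hang. Either apply the same namespace label before `bin/istioctl install`, or add a comment such as `# central cluster does not enforce Pod Security admission on istio-system` so the difference is deliberate. The separate-network script in this commit enables CNI without a label change as well.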
diff --git a/public/architectures/setup-multi-cluster/ra-03-setup-istio/code_snippets/ra-03_0040_install_istio.sh b/public/architectures/setup-multi-cluster/ra-03-setup-istio/code_snippets/ra-03_0040_install_istio.sh index a27cc779e..9033ece35 100755 --- a/public/architectures/setup-multi-cluster/ra-03-setup-istio/code_snippets/ra-03_0040_install_istio.sh +++ b/public/architectures/setup-multi-cluster/ra-03-setup-istio/code_snippets/ra-03_0040_install_istio.sh @@ -1,5 +1,5 @@ CTX_CLUSTER1=${K8S_CLUSTER_0_CONTEXT_NAME} \ CTX_CLUSTER2=${K8S_CLUSTER_1_CONTEXT_NAME} \ CTX_CLUSTER3=${K8S_CLUSTER_2_CONTEXT_NAME} \ -ISTIO_VERSION="1.20.2" \ +ISTIO_VERSION="1.27.1" \ ./install_istio_separate_network.sh diff --git a/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh b/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh index 12f063bc1..2ad345e17 100755 --- a/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh +++ b/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh @@ -9,7 +9,7 @@ set -eux -export ISTIO_VERSION=${ISTIO_VERSION:-1.20.2} +export ISTIO_VERSION=${ISTIO_VERSION:-1.27.1} if [[ ! -d istio-${ISTIO_VERSION} ]]; then # download Istio under the path @@ -80,6 +80,10 @@ cat < cluster1.yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: + components: + cni: + namespace: istio-system + enabled: true meshConfig: defaultConfig: terminationDrainDuration: 30s @@ -93,7 +97,8 @@ spec: clusterName: cluster1 network: network1 EOF -bin/istioctl install --context="${CTX_CLUSTER1}" -f cluster1.yaml -y +bin/istioctl install --context="${CTX_CLUSTER1}" --set components.cni.enabled=true -f cluster1.yaml -y + samples/multicluster/gen-eastwest-gateway.sh \ --mesh mesh1 --cluster cluster1 --network network1 | \ bin/istioctl --context="${CTX_CLUSTER1}" install -y -f - 
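Review bot: The new `components.cni` block in cluster1.yaml carries no comment telling readers of this public reference script why the CNI node agent is being turned on or what it needs from the cluster. A line above the heredoc would cover it, for example `# Enable the Istio CNI node agent so injected pods need no NET_ADMIN/NET_RAW init container; it runs as a DaemonSet with elevated node access in istio-system`. The same applies to the cluster2 and cluster3 hunks that follow.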
@@ -116,6 +121,10 @@ cat < cluster2.yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: + components: + cni: + namespace: istio-system + enabled: true meshConfig: defaultConfig: terminationDrainDuration: 30s @@ -130,7 +139,7 @@ spec: network: network2 EOF -bin/istioctl install --context="${CTX_CLUSTER2}" -f cluster2.yaml -y +bin/istioctl install --context="${CTX_CLUSTER2}" --set components.cni.enabled=true -f cluster2.yaml -y samples/multicluster/gen-eastwest-gateway.sh \ --mesh mesh1 --cluster cluster2 --network network2 | \ @@ -150,6 +159,10 @@ cat < cluster3.yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: + components: + cni: + namespace: istio-system + enabled: true meshConfig: defaultConfig: terminationDrainDuration: 30s @@ -164,7 +177,7 @@ spec: network: network3 EOF -bin/istioctl install --context="${CTX_CLUSTER3}" -f cluster3.yaml -y +bin/istioctl install --context="${CTX_CLUSTER3}" --set components.cni.enabled=true -f cluster3.yaml -y samples/multicluster/gen-eastwest-gateway.sh \ --mesh mesh1 --cluster cluster3 --network network3 | \ diff --git a/scripts/release/kubectl-mongodb/install_istio_separate_network.sh b/scripts/release/kubectl-mongodb/install_istio_separate_network.sh deleted file mode 100755 index adda0ff92..000000000 --- a/scripts/release/kubectl-mongodb/install_istio_separate_network.sh +++ /dev/null 
@@ -1,188 +0,0 @@ -#!/usr/bin/env bash - -set -eux - -# define here or provide the cluster names externally -export CTX_CLUSTER1=${CTX_CLUSTER1} -export CTX_CLUSTER2=${CTX_CLUSTER2} -export CTX_CLUSTER3=${CTX_CLUSTER3} -export ISTIO_VERSION=${ISTIO_VERSION} - -# download Istio under the path -curl -L https://istio.io/downloadIstio | sh - - -# checks if external IP has been assigned to a service object, in our case we are interested in east-west gateway -function_check_external_ip_assigned() { - while : ; do - ip=$(kubectl --context="$1" get svc istio-eastwestgateway -n istio-system --output jsonpath='{.status.loadBalancer.ingress[0].ip}') - if [ -n "${ip}" ] - then - echo "external ip assigned ${ip}" - break - else - echo "waiting for external ip to be assigned" - fi -done -} - -cd "istio-${ISTIO_VERSION}" -mkdir -p certs -pushd certs - -# create root trust for the clusters -make -f ../tools/certs/Makefile.selfsigned.mk root-ca -make -f ../tools/certs/Makefile.selfsigned.mk "${CTX_CLUSTER1}-cacerts" -make -f ../tools/certs/Makefile.selfsigned.mk "${CTX_CLUSTER2}-cacerts" -make -f ../tools/certs/Makefile.selfsigned.mk "${CTX_CLUSTER3}-cacerts" - -kubectl --context="${CTX_CLUSTER1}" create ns istio-system -kubectl --context="${CTX_CLUSTER1}" create secret generic cacerts -n istio-system \ - --from-file="${CTX_CLUSTER1}/ca-cert.pem" \ - --from-file="${CTX_CLUSTER1}/ca-key.pem" \ - --from-file="${CTX_CLUSTER1}/root-cert.pem" \ - --from-file="${CTX_CLUSTER1}/cert-chain.pem" - -kubectl --context="${CTX_CLUSTER2}" create ns istio-system -kubectl --context="${CTX_CLUSTER2}" create secret generic cacerts -n istio-system \ - --from-file="${CTX_CLUSTER2}/ca-cert.pem" \ - --from-file="${CTX_CLUSTER2}/ca-key.pem" \ - --from-file="${CTX_CLUSTER2}/root-cert.pem" \ - --from-file="${CTX_CLUSTER2}/cert-chain.pem" - -kubectl --context="${CTX_CLUSTER3}" create ns istio-system -kubectl --context="${CTX_CLUSTER3}" create secret generic cacerts -n istio-system \ - 
--from-file="${CTX_CLUSTER3}/ca-cert.pem" \ - --from-file="${CTX_CLUSTER3}/ca-key.pem" \ - --from-file="${CTX_CLUSTER3}/root-cert.pem" \ - --from-file="${CTX_CLUSTER3}/cert-chain.pem" -popd - -# label namespace in cluster1 -kubectl --context="${CTX_CLUSTER1}" get namespace istio-system && \ - kubectl --context="${CTX_CLUSTER1}" label namespace istio-system topology.istio.io/network=network1 - -cat < cluster1.yaml -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - values: - global: - meshID: mesh1 - multiCluster: - clusterName: cluster1 - network: network1 -EOF -bin/istioctl install --context="${CTX_CLUSTER1}" -f cluster1.yaml -samples/multicluster/gen-eastwest-gateway.sh \ - --mesh mesh1 --cluster cluster1 --network network1 | \ - bin/istioctl --context="${CTX_CLUSTER1}" install -y -f - - - -# check if external IP is assigned to east-west gateway in cluster1 -function_check_external_ip_assigned "${CTX_CLUSTER1}" - - -# expose services in cluster1 -kubectl --context="${CTX_CLUSTER1}" apply -n istio-system -f \ - samples/multicluster/expose-services.yaml - - -kubectl --context="${CTX_CLUSTER2}" get namespace istio-system && \ - kubectl --context="${CTX_CLUSTER2}" label namespace istio-system topology.istio.io/network=network2 - - -cat < cluster2.yaml -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - values: - global: - meshID: mesh1 - multiCluster: - clusterName: cluster2 - network: network2 -EOF - -bin/istioctl install --context="${CTX_CLUSTER2}" -f cluster2.yaml - -samples/multicluster/gen-eastwest-gateway.sh \ - --mesh mesh1 --cluster cluster2 --network network2 | \ - bin/istioctl --context="${CTX_CLUSTER2}" install -y -f - - -# check if external IP is assigned to east-west gateway in cluster2 -function_check_external_ip_assigned "${CTX_CLUSTER2}" - -kubectl --context="${CTX_CLUSTER2}" apply -n istio-system -f \ - samples/multicluster/expose-services.yaml - -# cluster3 -kubectl --context="${CTX_CLUSTER3}" get namespace 
istio-system && \ - kubectl --context="${CTX_CLUSTER3}" label namespace istio-system topology.istio.io/network=network3 - -cat < cluster3.yaml -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - values: - global: - meshID: mesh1 - multiCluster: - clusterName: cluster3 - network: network3 -EOF - -bin/istioctl install --context="${CTX_CLUSTER3}" -f cluster3.yaml - -samples/multicluster/gen-eastwest-gateway.sh \ - --mesh mesh1 --cluster cluster3 --network network3 | \ - bin/istioctl --context="${CTX_CLUSTER3}" install -y -f - - - -# check if external IP is assigned to east-west gateway in cluster3 -function_check_external_ip_assigned "${CTX_CLUSTER3}" - -kubectl --context="${CTX_CLUSTER3}" apply -n istio-system -f \ - samples/multicluster/expose-services.yaml - - -# enable endpoint discovery -bin/istioctl x create-remote-secret \ - --context="${CTX_CLUSTER1}" \ - -n istio-system \ - --name=cluster1 | \ - kubectl apply -f - --context="${CTX_CLUSTER2}" - -bin/istioctl x create-remote-secret \ - --context="${CTX_CLUSTER1}" \ - -n istio-system \ - --name=cluster1 | \ - kubectl apply -f - --context="${CTX_CLUSTER3}" - -bin/istioctl x create-remote-secret \ - --context="${CTX_CLUSTER2}" \ - -n istio-system \ - --name=cluster2 | \ - kubectl apply -f - --context="${CTX_CLUSTER1}" - -bin/istioctl x create-remote-secret \ - --context="${CTX_CLUSTER2}" \ - -n istio-system \ - --name=cluster2 | \ - kubectl apply -f - --context="${CTX_CLUSTER3}" - -bin/istioctl x create-remote-secret \ - --context="${CTX_CLUSTER3}" \ - -n istio-system \ - --name=cluster3 | \ - kubectl apply -f - --context="${CTX_CLUSTER1}" - -bin/istioctl x create-remote-secret \ - --context="${CTX_CLUSTER3}" \ - -n istio-system \ - --name=cluster3 | \ - kubectl apply -f - --context="${CTX_CLUSTER2}" - - # cleanup: delete the istio repo at the end -cd .. -rm -r "istio-${ISTIO_VERSION}" -rm -f cluster1.yaml cluster2.yaml cluster3.yaml