diff --git a/modules/ossm-about-control-plane-and-infrastructure-nodes.adoc b/modules/ossm-about-control-plane-and-infrastructure-nodes.adoc new file mode 100644 index 000000000000..71f583315676 --- /dev/null +++ b/modules/ossm-about-control-plane-and-infrastructure-nodes.adoc @@ -0,0 +1,13 @@ +// Module included in the following assemblies: +// * service_mesh/v2x/ossm-create-smcp.adoc + +:_content-type: CONCEPT +[id="ossm-about-control-plane-and-infrastructure-nodes_{context}"] += About control plane and infrastructure nodes + +Infrastructure nodes provide a way to isolate infrastructure workloads for two primary purposes: + +* To prevent incurring billing costs against subscription counts. +* To separate maintenance and management. + +You can configure some or all of the {SMProductShortName} control plane components to run on infrastructure nodes. diff --git a/modules/ossm-config-control-plane-infrastructure-node.adoc b/modules/ossm-config-control-plane-infrastructure-node-cli.adoc similarity index 67% rename from modules/ossm-config-control-plane-infrastructure-node.adoc rename to modules/ossm-config-control-plane-infrastructure-node-cli.adoc index 6f9a0263e9ed..4a78a248ee53 100644 --- a/modules/ossm-config-control-plane-infrastructure-node.adoc +++ b/modules/ossm-config-control-plane-infrastructure-node-cli.adoc 
@@ -3,10 +3,10 @@ // * service_mesh/v2x/ossm-deployment-models.adoc :_content-type: PROCEDURE -[id="ossm-config-control-plane-infrastructure-node_{context}"] -= Configuring all {SMProductShortName} control plane components to run on infrastructure nodes +[id="ossm-config-control-plane-infrastructure-node-cli_{context}"] += Configuring all control plane components to run on infrastructure nodes with the CLI -This task should only be performed if all of the components deployed by the {SMProductShortName} control plane (including Istiod, Ingress Gateway, and Egress Gateway) along with optional elements (such as Prometheus, Grafana, and Distributed Tracing) are running on infrastructure nodes. +You can configure all of the {SMProductShortName} control plane components to run on infrastructure nodes using the CLI. This task should only be performed if all of the components deployed by the {SMProductShortName} control plane, including Istiod, Ingress Gateway, and Egress Gateway, along with optional elements, such as Prometheus, Grafana, and Distributed Tracing, are running on infrastructure nodes. If the control plane runs on a worker node, skip this task. diff --git a/modules/ossm-config-control-plane-infrastructure-node-console.adoc b/modules/ossm-config-control-plane-infrastructure-node-console.adoc new file mode 100644 index 000000000000..8f627d841db2 --- /dev/null +++ b/modules/ossm-config-control-plane-infrastructure-node-console.adoc 
@@ -0,0 +1,65 @@ +// Module included in the following assemblies: +// +// * service_mesh/v2x/ossm-deployment-models.adoc + +:_content-type: PROCEDURE +[id="ossm-config-control-plane-infrastructure-node-console_{context}"] += Configuring all control plane components to run on infrastructure nodes using the web console + +Perform this task if all of the components deployed by the {SMProductShortName} control plane, including Istiod, Ingress Gateway, and Egress Gateway, along with optional elements, such as Prometheus, Grafana, and Distributed Tracing, run on infrastructure nodes. + +If the control plane runs on a worker node, skip this task. + +.Prerequisites + +* The {SMProductName} Operator must be installed. +* An account with the `cluster-admin` role. If you use {product-dedicated}, you must have an account with the `dedicated-admin` role. + +.Procedure + +. Log in to the {product-title} web console. + +. Create a project named `istio-system`. ++ +.. Navigate to *Home* -> *Projects*. ++ +.. Click *Create Project*. ++ +.. In the *Name* field, enter `istio-system`. The `ServiceMeshControlPlane` resource must be installed in a project that is separate from your microservices and Operators. ++ +These steps use `istio-system` as an example, but you can deploy your {SMProductShortName} control plane in any project as long as it is separate from the project that contains your services. ++ +.. Click *Create*. + +. Navigate to *Operators* -> *Installed Operators*. + +. Click the {SMProductName} Operator, then click *Istio Service Mesh Control Plane*. + +. Click the name of the control plane resource. For example, `basic`. + +. Click *YAML*. + +. Modify the YAML to run all of the {SMProductShortName} components deployed by the `ServiceMeshControlPlane` on infrastructure nodes. 
Add the `nodeSelector` and `tolerations` fields to the `spec.runtime.defaults.pod` spec in the `ServiceMeshControlPlane` resource: ++ +[source,yaml] +---- +spec: + runtime: + defaults: + pod: + nodeSelector: <1> + node-role.kubernetes.io/infra: "" + tolerations: <2> + - effect: NoSchedule + key: node-role.kubernetes.io/infra + value: reserved + - effect: NoExecute + key: node-role.kubernetes.io/infra + value: reserved +---- +<1> Ensures that the SMCP pods are only scheduled on an infrastructure node. +<2> Ensures that the pods are accepted by the infrastructure node. + +. Click *Save*. + +. Click *Reload*. \ No newline at end of file diff --git a/modules/ossm-config-individual-control-plane-infrastructure-node.adoc b/modules/ossm-config-individual-control-plane-infrastructure-node-cli.adoc similarity index 83% rename from modules/ossm-config-individual-control-plane-infrastructure-node.adoc rename to modules/ossm-config-individual-control-plane-infrastructure-node-cli.adoc index f525cc2be391..eb39dcd6f21c 100644 --- a/modules/ossm-config-individual-control-plane-infrastructure-node.adoc +++ b/modules/ossm-config-individual-control-plane-infrastructure-node-cli.adoc 
@@ -3,12 +3,12 @@ // * service_mesh/v2x/ossm-deployment-models.adoc :_content-type: PROCEDURE -[id="ossm-config-individual-control-plane-infrastructure-node_{context}"] -= Configuring individual {SMProductShortName} control plane components to run on infrastructure nodes +[id="ossm-config-individual-control-plane-infrastructure-node-cli_{context}"] += Configuring individual control plane components to run on infrastructure nodes using the CLI -This task should only be performed if individual {SMProductShortName} control plane components (such as Istiod, the Ingress Gateway, and the Egress Gateway) will run on infrastructure nodes. +Perform this task if individual {SMProductShortName} control plane components, such as Istiod, the Ingress Gateway, and the Egress Gateway, run on infrastructure nodes. -If the control plane will run on a worker node, skip this task. +If the control plane runs on a worker node, skip this task. .Procedure diff --git a/modules/ossm-config-individual-control-plane-infrastructure-node-console.adoc b/modules/ossm-config-individual-control-plane-infrastructure-node-console.adoc new file mode 100644 index 000000000000..236a43ccf928 --- /dev/null +++ b/modules/ossm-config-individual-control-plane-infrastructure-node-console.adoc 
@@ -0,0 +1,100 @@ +// Module included in the following assemblies: +// +// * service_mesh/v2x/ossm-deployment-models.adoc + +:_content-type: PROCEDURE +[id="ossm-config-individual-control-plane-infrastructure-node-console_{context}"] += Configuring individual control plane components to run on infrastructure nodes using the web console + +You can configure individual {SMProductShortName} control plane components to run on infrastructure nodes using the CLI. This task should only be performed if individual {SMProductShortName} control plane components, such as Istiod, the Ingress Gateway, and the Egress Gateway, run on infrastructure nodes. + +If the control plane runs on a worker node, skip this task. + +.Prerequisites + +* The {SMProductName} Operator must be installed. +* An account with the `cluster-admin` role. If you use {product-dedicated}, you must have an account with the `dedicated-admin` role. + +.Procedure + +. Log in to the {product-title} web console. + +. Create a project named `istio-system`. ++ +.. Navigate to *Home* -> *Projects*. ++ +.. Click *Create Project*. ++ +.. In the *Name* field, enter `istio-system`. The `ServiceMeshControlPlane` resource must be installed in a project that is separate from your microservices and Operators. ++ +These steps use `istio-system` as an example, but you can deploy your {SMProductShortName} control plane in any project as long as it is separate from the project that contains your services. ++ +.. Click *Create*. + +. Navigate to *Operators* -> *Installed Operators*. + +. Click the {SMProductName} Operator, then click *Istio Service Mesh Control Plane*. + +. Click the name of the control plane resource. For example, `basic`. + +. Click *YAML*. + +. Modify the YAML to run the Istiod component on an infrastructure node. Add the `nodeSelector` and the `tolerations` fields to the `spec.runtime.components.pilot.pod` spec in the `ServiceMeshControlPlane` resource. 
++ +[source,yaml] +---- +spec: + runtime: + components: + pilot: + pod: + nodeSelector: <1> + node-role.kubernetes.io/infra: "" + tolerations: <2> + - effect: NoSchedule + key: node-role.kubernetes.io/infra + value: reserved + - effect: NoExecute + key: node-role.kubernetes.io/infra + value: reserved +---- +<1> Ensures that the Istiod pod is only scheduled on an infrastructure node. +<2> Ensures that the pod is accepted by the infrastructure node. + +. Modify the YAML to run Ingress and Egress Gateways on infrastructure nodes. Add the `nodeSelector` and the `tolerations` fields to the `spec.gateways.ingress.runtime.pod` spec and the `spec.gateways.egress.runtime.pod` spec in the `ServiceMeshControlPlane` resource. ++ +[source,yaml] +---- +spec: + gateways: + ingress: + runtime: + pod: + nodeSelector: <1> + node-role.kubernetes.io/infra: "" + tolerations: <2> + - effect: NoSchedule + key: node-role.kubernetes.io/infra + value: reserved + - effect: NoExecute + key: node-role.kubernetes.io/infra + value: reserved + egress: + runtime: + pod: + nodeSelector: <1> + node-role.kubernetes.io/infra: "" + tolerations: <2> + - effect: NoSchedule + key: node-role.kubernetes.io/infra + value: reserved + - effect: NoExecute + key: node-role.kubernetes.io/infra + value: reserved +---- +<1> Ensures that the gateway pod is only scheduled on an infrastructure node +<2> Ensures that the pod is accepted by the infrastructure node. + +. Click *Save*. + +. Click *Reload*. \ No newline at end of file diff --git a/service_mesh/v2x/ossm-create-smcp.adoc b/service_mesh/v2x/ossm-create-smcp.adoc index 53617d445141..a266f9deeedd 100644 --- a/service_mesh/v2x/ossm-create-smcp.adoc +++ b/service_mesh/v2x/ossm-create-smcp.adoc 
@@ -29,11 +29,17 @@ include::modules/ossm-control-plane-cli.adoc[leveloffset=+1] include::modules/ossm-validate-smcp-cli.adoc[leveloffset=+1] -include::modules/ossm-config-control-plane-infrastructure-node.adoc[leveloffset=+1] +include::modules/ossm-about-control-plane-and-infrastructure-nodes.adoc[leveloffset=+1] -include::modules/ossm-config-individual-control-plane-infrastructure-node.adoc[leveloffset=+1] +include::modules/ossm-config-control-plane-infrastructure-node-console.adoc[leveloffset=+2] -include::modules/ossm-confirm-smcp-infrastructure-node.adoc[leveloffset=+1] +include::modules/ossm-config-individual-control-plane-infrastructure-node-console.adoc[leveloffset=+2] + +include::modules/ossm-config-control-plane-infrastructure-node-cli.adoc[leveloffset=+2] + +include::modules/ossm-config-individual-control-plane-infrastructure-node-cli.adoc[leveloffset=+2] + +include::modules/ossm-confirm-smcp-infrastructure-node.adoc[leveloffset=+2] include::modules/ossm-validate-smcp-kiali.adoc[leveloffset=+1]
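Review bot: In modules/ossm-config-control-plane-infrastructure-node-cli.adoc the new title ends in "with the CLI" while the sibling modules in this patch use "using the CLI" and "using the web console". Pick one form, preferably "using the CLI". The added intro also keeps "This task should only be performed if", although the individual-components CLI module was reworded to "Perform this task if" in the same patch; the two should read the same way.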
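Review bot: In modules/ossm-config-control-plane-infrastructure-node-console.adoc, step 2 creates the `istio-system` project and step 5 then asks the reader to click an existing control plane resource such as `basic`, which cannot be present in a project that was only just created. Either drop the project-creation substeps and add a deployed `ServiceMeshControlPlane` to the prerequisites, or add a step that creates the resource before it is edited. In the YAML, the tolerations set `value: reserved` without an `operator`, so they tolerate only a taint whose key, value and effect match exactly; callout <2> should say that these must match the taints applied to the infrastructure nodes, otherwise the node selector pins the pods to nodes that will not accept them. The file also ends without a trailing newline.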
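Review bot: In modules/ossm-config-individual-control-plane-infrastructure-node-console.adoc the opening sentence says the components are configured "using the CLI", but this is the web console module; it looks copied from the CLI variant and should read "using the web console". The same paragraph keeps "This task should only be performed if" where the CLI sibling now says "Perform this task if". The procedure has the same gap as the all-components console module: it creates the `istio-system` project and then edits a control plane resource that is assumed to exist already. In the gateways listing, callout <1> is missing its closing period, and the file ends without a trailing newline.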
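Review bot: In service_mesh/v2x/ossm-create-smcp.adoc the four configuration modules are now included from this assembly, but the header comments visible in both console modules and both CLI modules list only `service_mesh/v2x/ossm-deployment-models.adoc` under "Module included in the following assemblies". Update those comments to name `ossm-create-smcp.adoc` so the module-to-assembly mapping stays accurate. Moving `ossm-confirm-smcp-infrastructure-node.adoc` to `leveloffset=+2` nests it under the new "About" concept module; confirm that this is the intended place for the verification step, since it applies to both the console and the CLI procedures.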