diff --git a/modules/ossm-auto-route-1x.adoc b/modules/ossm-auto-route-1x.adoc
new file mode 100644
index 000000000000..20af42dd9bc4
--- /dev/null
+++ b/modules/ossm-auto-route-1x.adoc
@@ -0,0 +1,77 @@
+////
+This TASK module included in the following assemblies:
+// * service_mesh/v1x/ossm-traffic-manage.adoc
+////
+
+[id="ossm-auto-route_{context}"]
+= Automatic route creation
+
+OpenShift routes for Istio Gateways are automatically managed in {ProductName}. Every time an Istio Gateway is created, updated or deleted inside the service mesh, an OpenShift route is created, updated or deleted.
+
+[id="ossm-auto-route-enable_{context}"]
+== Enabling Automatic Route Creation
+A {ProductName} control plane component called Istio OpenShift Routing (IOR) synchronizes the gateway route. Enable IOR as part of the control plane deployment.
+
+If the Gateway contains a TLS section, the OpenShift Route will be configured to support TLS.
+
+. In the `ServiceMeshControlPlane` resource, add the `ior_enabled` parameter and set it to `true`. For example, see the following resource snippet:
+
+[source,yaml]
+----
+spec:
+ istio:
+ gateways:
+ istio-egressgateway:
+ autoscaleEnabled: false
+ autoscaleMin: 1
+ autoscaleMax: 5
+ istio-ingressgateway:
+ autoscaleEnabled: false
+ autoscaleMin: 1
+ autoscaleMax: 5
+ ior_enabled: true
+----
+
+
+[id="ossm-auto-route-subdomains_{context}"]
+== Subdomains
+
+{ProductName} creates the route with the subdomain, but {product-title} must be configured to enable it. Subdomains, for example `*.domain.com`, are supported but not by default.
+
+If the following gateway is created:
+
+[source,yaml]
+----
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: gateway1
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - www.bookinfo.com
+ - bookinfo.example.com
+----
+
+Then, the following OpenShift Routes are created automatically. You can check that the routes are created with the following command.
+
+[source,terminal]
+----
+$ oc -n get routes
+----
+
+.Expected output
+[source,terminal]
+----
+NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
+gateway1-lvlfn bookinfo.example.com istio-ingressgateway None
+gateway1-scqhv www.bookinfo.com istio-ingressgateway None
+----
+
+If the gateway is deleted, {ProductName} deletes the routes. However, routes created manually are never modified by {ProductName}.
diff --git a/modules/ossm-auto-route.adoc b/modules/ossm-auto-route.adoc
index 49ac96066d67..fe692e55148f 100644
--- a/modules/ossm-auto-route.adoc
+++ b/modules/ossm-auto-route.adoc
@@ -1,7 +1,6 @@
 ////
 This TASK module included in the following assemblies:
-// * service_mesh/v1x/customizing-installation-ossm.adoc
-// * service_mesh/v2x/customizing-installation-ossm.adoc
+// * service_mesh/v2x/ossm-traffic-manage.adoc
 ////
 
 [id="ossm-auto-route_{context}"]
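Review bot: The check command in the new module, `$ oc -n get routes`, passes no namespace argument to `-n`, so as shown it does not run; if the source had an angle-bracket placeholder that was lost in rendering it still needs restoring, e.g. `$ oc -n <namespace> get routes`, naming the namespace in which the routes are created. The sentence `If the Gateway contains a TLS section, the OpenShift Route will be configured to support TLS.` is the module's only statement about TLS, while the example Gateway exposes only port 80/HTTP and the expected output shows an empty TERMINATION column; a reader deciding whether a generated route terminates or passes through TLS has nothing to go on, so either state which termination IOR configures or say explicitly that a TLS Gateway is not covered by this example. The snippet shows `ior_enabled: true` under `istio-ingressgateway` only; one sentence on whether the key is per gateway would save a guess.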
@@ -10,30 +9,20 @@ This TASK module included in the following assemblies: OpenShift routes for Istio Gateways are automatically managed in {ProductName}. Every time an Istio Gateway is created, updated or deleted inside the service mesh, an OpenShift route is created, updated or deleted. [id="ossm-auto-route-enable_{context}"] -== Enabling Automatic Route Creation -A {ProductName} control plane component called Istio OpenShift Routing (IOR) synchronizes the gateway route. Enable IOR as part of the control plane deployment. +== Disabling Automatic Route Creation -If the Gateway contains a TLS section, the OpenShift Route will be configured to support TLS. +By default, the `ServiceMeshControlPlane` automatically synchronizes the Gateway resources with OpenShift routes. -. In the `ServiceMeshControlPlane` resource, add the `ior_enabled` parameter and set it to `true`. For example, see the following resource snippet: +You can disable integration between Istio Gateways and OpenShift Routes by setting the `ServiceMeshControlPlane` field `gateways.openshiftRoute.enabled` to `false`. For example, see the following resource snippet. [source,yaml] ---- spec: - istio: - gateways: - istio-egressgateway: - autoscaleEnabled: false - autoscaleMin: 1 - autoscaleMax: 5 - istio-ingressgateway: - autoscaleEnabled: false - autoscaleMin: 1 - autoscaleMax: 5 - ior_enabled: true + gateways: + openshiftRoute: + enabled: false ---- - [id="ossm-auto-route-subdomains_{context}"] == Subdomains diff --git a/modules/ossm-security-mtls-1x.adoc b/modules/ossm-security-mtls-1x.adoc index 51c710288aba..4d7f1162683b 100644 --- a/modules/ossm-security-mtls-1x.adoc +++ b/modules/ossm-security-mtls-1x.adoc 
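Review bot: The anchor `[id="ossm-auto-route-enable_{context}"]`, kept as context directly above the change, now heads `== Disabling Automatic Route Creation`, so the id and the heading disagree; either choose a neutral id or rename it consistently, keeping in mind that other pages may link to the existing one. The commit also drops `If the Gateway contains a TLS section, the OpenShift Route will be configured to support TLS.` from the 2.x module while the new 1.x module keeps it; unless the 2.x behaviour differs, 2.x readers are left with no statement about how a TLS Gateway is exposed, and the sentence should stay. Since the default is now stated as on, it is worth one sentence saying that, with the default, every Gateway created inside the mesh is exposed as an OpenShift route, which is the reason an administrator would set `gateways.openshiftRoute.enabled` to `false`.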
@@ -14,16 +14,17 @@ By default, {ProductName} is set to permissive mode, where the sidecars in {Prod [id="ossm-security-enabling-strict-mtls_{context}"] == Enabling strict mTLS across the mesh -If your workloads do not communicate with services outside your mesh and communication will not be interrupted by only accepting encrypted connections, you can enable mTLS across your mesh quickly. Set `spec.security.controlPlane.mtls` to `true` in your `ServiceMeshControlPlane` resource. The operator creates the required resources. +If your workloads do not communicate with services outside your mesh and communication will not be interrupted by only accepting encrypted connections, you can enable mTLS across your mesh quickly. Set `spec.istio.global.mtls.enabled` to `true` in your `ServiceMeshControlPlane` resource. The operator creates the required resources. [source,yaml] ---- -apiVersion: maistra.io/v2 +apiVersion: maistra.io/v1 kind: ServiceMeshControlPlane spec: - security: - controlPlane: - mtls: true + istio: + global: + mtls: + enabled: true ---- [id="ossm-security-mtls-sidecars-incoming-services_{context}"] diff --git a/modules/ossm-security-mtls.adoc b/modules/ossm-security-mtls.adoc index 5367bdeca413..f6f29a4f5c06 100644 --- a/modules/ossm-security-mtls.adoc +++ b/modules/ossm-security-mtls.adoc 
@@ -14,15 +14,16 @@ By default, {ProductName} is set to permissive mode, where the sidecars in {Prod [id="ossm-security-enabling-strict-mtls_{context}"] == Enabling strict mTLS across the mesh -If your workloads do not communicate with services outside your mesh and communication will not be interrupted by only accepting encrypted connections, you can enable mTLS across your mesh quickly. Set `spec.security.dataPlane.mtls` to `true` in your `ServiceMeshControlPlane` resource. The operator creates the required resources. +You can quickly enable mTLS across your mesh if your workloads do not communicate with outside services, and communication will not be interrupted by accepting only encrypted connections. Set `spec.security.controlPlane.mtls` to `true` in your `ServiceMeshControlPlane` resource. The operator creates the required resources. [source,yaml] ---- apiVersion: maistra.io/v2 kind: ServiceMeshControlPlane spec: + version: v2.0 security: - dataPlane: + controlPlane: mtls: true ---- diff --git a/modules/ossm-vs-istio-1x.adoc b/modules/ossm-vs-istio-1x.adoc index aa81710579b2..90f79d38b4e6 100644 --- a/modules/ossm-vs-istio-1x.adoc +++ b/modules/ossm-vs-istio-1x.adoc @@ -90,7 +90,7 @@ spec: OpenShift routes for Istio Gateways are automatically managed in {ProductName}. Every time an Istio Gateway is created, updated or deleted inside the service mesh, an OpenShift route is created, updated or deleted. -A {ProductName} control plane component called Istio OpenShift Routing (IOR) synchronizes the gateway route. For more information see the "Automatic route creation" section. +A {ProductName} control plane component called Istio OpenShift Routing (IOR) synchronizes the gateway route. For more information, see Automatic route creation. [id="ossm-catch-all-domains_{context}"] === Catch-all domains diff --git a/modules/ossm-vs-istio.adoc b/modules/ossm-vs-istio.adoc index 56ab6ea64d35..f80f662f1214 100644 --- a/modules/ossm-vs-istio.adoc 
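Review bot: The snippet changes `dataPlane:` to `controlPlane:` under `spec.security`, but the section is `== Enabling strict mTLS across the mesh` and the prose describes workload communication being limited to encrypted connections, which is data-plane traffic; the removed field name matches that intent, and the new one by its name governs the control plane. Unless `spec.security.controlPlane.mtls` is documented elsewhere as also enforcing mTLS between sidecars, this change leaves 2.x readers believing their workload traffic is restricted to mTLS when only control plane communication has been configured, so the field should stay `dataPlane:` together with `spec.security.dataPlane.mtls` in the prose, or the heading and sentence should be rewritten to describe what control plane mTLS protects. The added `version: v2.0` line is unexplained; a short sentence on why the version is pinned here would help, since the parallel 1.x snippet carries no `version` field.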
+++ b/modules/ossm-vs-istio.adoc @@ -74,7 +74,7 @@ The upstream Istio community installation automatically injects the sidecar into OpenShift routes for Istio Gateways are automatically managed in {ProductName}. Every time an Istio Gateway is created, updated or deleted inside the service mesh, an OpenShift route is created, updated or deleted. -A {ProductName} control plane component called Istio OpenShift Routing (IOR) synchronizes the gateway route. For more information see the "Automatic route creation" section. +A {ProductName} control plane component called Istio OpenShift Routing (IOR) synchronizes the gateway route. For more information, see Automatic route creation. [id="ossm-catch-all-domains_{context}"] === Catch-all domains diff --git a/service_mesh/v1x/customizing-installation-ossm.adoc b/service_mesh/v1x/customizing-installation-ossm.adoc index 7c1282d824aa..df9ed5f03441 100644 --- a/service_mesh/v1x/customizing-installation-ossm.adoc +++ b/service_mesh/v1x/customizing-installation-ossm.adoc 
@@ -4,6 +4,17 @@ include::modules/ossm-document-attributes-1x.adoc[] :context: customizing-installation-ossm-v1x toc::[] +After your default `ServiceMeshControlPlane` resource is deployed, you can configure the resource to suit your environment. + +== Resources for configuring your `ServiceMeshControlPlane` resource + +Read more about how to configure your `ServiceMeshControlPlane` resource further, or skip ahead to Updating the `ServiceMeshControlPlane`. + +* See xref:../../service_mesh/v2x/ossm-observability.adoc#ossm-observability[Data visualization and observability] for more information about Kiali and visualizing your data. +* See xref:../../service_mesh/v2x/ossm-security.adoc#ossm-security[Security] for configuring mTLS, cipher suites, and external certificate authorities. +* See xref:../../service_mesh/v2x/ossm-traffic-manage.adoc#ossm-routing-traffic[Traffic management] to configure your routing. +* See xref:../../service_mesh/v2x/ossm-custom-resources.adoc#ossm-custom-resources[Custom resources] for more information about all the configurable fields in your `ServiceMeshControlPlane` resource. + include::modules/ossm-updating-smcp.adoc[leveloffset=+1] == Next steps diff --git a/service_mesh/v1x/ossm-custom-resources.adoc b/service_mesh/v1x/ossm-custom-resources.adoc index 3e0d8e0b6481..cea1cf8c9f7b 100644 --- a/service_mesh/v1x/ossm-custom-resources.adoc +++ b/service_mesh/v1x/ossm-custom-resources.adoc @@ -19,8 +19,6 @@ include::modules/ossm-cr-istio-global.adoc[leveloffset=+2] include::modules/ossm-cr-gateway.adoc[leveloffset=+2] -include::modules/ossm-auto-route.adoc[leveloffset=+2] - Cluster administrators can refer to xref:../../networking/ingress-operator.html#using-wildcard-routes_configuring-ingress[Using wildcard routes] for instructions on how to enable subdomains. include::modules/ossm-cr-mixer.adoc[leveloffset=+2] 
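Review bot: All four xrefs added to this 1.x assembly point into `service_mesh/v2x/` (observability, security, traffic management, custom resources), so 1.x readers are sent to 2.x configuration; the Security link in particular leads to the `spec.security.*` fields that this same commit removes from the 1.x mTLS module in favour of `spec.istio.global.mtls.enabled`. The 1.x counterparts exist for at least `service_mesh/v1x/ossm-traffic-manage.adoc` and `service_mesh/v1x/ossm-custom-resources.adoc`, both touched in this commit, so the paths should read `../../service_mesh/v1x/...` wherever a 1.x page with the same anchor exists. `or skip ahead to Updating the `ServiceMeshControlPlane`.` is plain text where the other references are xrefs; linking it to the section produced by the `ossm-updating-smcp.adoc` include below keeps the navigation consistent.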
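Review bot: Removing `include::modules/ossm-auto-route.adoc[leveloffset=+2]` leaves the sentence that followed it, `Cluster administrators can refer to xref:...[Using wildcard routes] for instructions on how to enable subdomains.`, without the Subdomains section it appears to refer to, since that section now lives in the module included from `service_mesh/v1x/ossm-traffic-manage.adoc`. The module's Subdomains text still says that {product-title} must be configured to enable subdomains but no longer points at where, so the wildcard-routes sentence should move with the module rather than stay in the custom-resources assembly. The `service_mesh/v2x/ossm-custom-resources.adoc` hunk later in this commit makes the same removal and leaves the same orphaned sentence.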
diff --git a/service_mesh/v1x/ossm-traffic-manage.adoc b/service_mesh/v1x/ossm-traffic-manage.adoc index 149162b0f193..b9b6d6ad719e 100644 --- a/service_mesh/v1x/ossm-traffic-manage.adoc +++ b/service_mesh/v1x/ossm-traffic-manage.adoc @@ -14,3 +14,5 @@ include::modules/ossm-routing.adoc[leveloffset=+1] include::modules/ossm-routing-ingress.adoc[leveloffset=+1] include::modules/ossm-routing-bookinfo-example.adoc[leveloffset=+1] + +include::modules/ossm-auto-route-1x.adoc[leveloffset=+1] diff --git a/service_mesh/v2x/ossm-custom-resources.adoc b/service_mesh/v2x/ossm-custom-resources.adoc index fbcbc4910dd8..9999abb04238 100644 --- a/service_mesh/v2x/ossm-custom-resources.adoc +++ b/service_mesh/v2x/ossm-custom-resources.adoc @@ -19,8 +19,6 @@ include::modules/ossm-cr-istio-global.adoc[leveloffset=+2] include::modules/ossm-cr-gateway.adoc[leveloffset=+2] -include::modules/ossm-auto-route.adoc[leveloffset=+2] - Cluster administrators can refer to xref:../../networking/ingress-operator.html#using-wildcard-routes_configuring-ingress[Using wildcard routes] for instructions on how to enable subdomains. include::modules/ossm-cr-mixer.adoc[leveloffset=+2] diff --git a/service_mesh/v2x/ossm-traffic-manage.adoc b/service_mesh/v2x/ossm-traffic-manage.adoc index 7507f22f8d70..3d83b2f91acb 100644 --- a/service_mesh/v2x/ossm-traffic-manage.adoc +++ b/service_mesh/v2x/ossm-traffic-manage.adoc @@ -14,3 +14,5 @@ include::modules/ossm-routing.adoc[leveloffset=+1] include::modules/ossm-routing-ingress.adoc[leveloffset=+1] include::modules/ossm-routing-bookinfo-example.adoc[leveloffset=+1] + +include::modules/ossm-auto-route.adoc[leveloffset=+1] \ No newline at end of file