...
- helm_release: v3.8.2
- kubernetes_release: v1.23.8
- istio_release: 1.17.0
- Cert-Manager: 1.5.4
- Strimzi-Operator: 0.30.0
...
Configure the Helm repository:
```sh
$ helm repo add istio https://istio-release.storage.googleapis.com/charts
$ helm repo update
```
Create a namespace for "mesh-level" configurations (the mesh root namespace):
```sh
$ kubectl create namespace istio-config
```
Create a namespace istio-system for the Istio components:
```sh
$ kubectl create namespace istio-system
```
Install the Istio Base chart, which contains the cluster-wide resources used by the Istio control plane:
```sh
$ helm upgrade -i istio-base istio/base -n istio-system --version 1.17.0
```
Install the Istio Discovery chart which deploys the istiod service:
(the variable global.proxy.holdApplicationUntilProxyStarts makes the sidecar proxy start before the application container starts)
```sh
$ helm upgrade -i istiod istio/istiod -n istio-system --version 1.14.1 --wait --set global.proxy.holdApplicationUntilProxyStarts=true --set meshConfig.rootNamespace=istio-config
```
...
Create a values-override.yaml file to override settings (required for oauth2-proxy):
```yaml
global:
  proxy:
    # Controls if the sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
    holdApplicationUntilProxyStarts: true
  #logging:
  #  level: "default:debug"
meshConfig:
  rootNamespace: istio-config
  extensionProviders:
  - name: oauth2-proxy
    envoyExtAuthzHttp:
      service: oauth2-proxy.default.svc.cluster.local
      port: 80
      timeout: 1.5s
      includeHeadersInCheck: ["authorization", "cookie"]
      headersToUpstreamOnAllow: ["x-forwarded-access-token", "authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"]
      headersToDownstreamOnDeny: ["content-type", "set-cookie"]
pilot:
  env:
    PILOT_ENABLE_MYSQL_FILTER: true
    PILOT_HTTP10: true
```
Install Istio Discovery using the override file:
```sh
$ helm upgrade -i istiod istio/istiod -n istio-system --version 1.17.0 --wait -f ./values-override.yaml
```
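The extension provider declared above does nothing by itself; a workload only gets external authorization once an AuthorizationPolicy with action CUSTOM refers to the provider by name. The following manifest is an added example and not part of the original page or of the ONAP setup: the namespace demo, the label app: demo-app and the excluded path /healthz are assumptions for illustration, while the provider name oauth2-proxy must match extensionProviders[].name in values-override.yaml.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oauth2-proxy-auth
  namespace: demo              # assumed namespace of the protected workload
spec:
  selector:
    matchLabels:
      app: demo-app            # assumed label; without a selector the policy covers the whole namespace
  action: CUSTOM
  provider:
    name: oauth2-proxy         # must equal the extensionProviders[].name from values-override.yaml
  rules:
  - to:
    - operation:
        notPaths: ["/healthz"] # assumed health endpoint that stays reachable without a session
```

With this policy in place the sidecar of the selected pods forwards each request to oauth2-proxy, sending only the headers listed in includeHeadersInCheck; on an allow response the headers in headersToUpstreamOnAllow are passed to the application, on a deny the headers in headersToDownstreamOnDeny are returned to the client. Confirm that the policy was accepted with `kubectl get authorizationpolicy -n demo` and that the provider name is spelled identically in both places, since a policy referencing an unknown provider rejects all requests to the workload.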
Add an EnvoyFilter for HTTP header case
When handling HTTP/1.1, Envoy normalizes the header keys to all lowercase.
While this is compliant with the HTTP/1.1 spec (header names are case-insensitive), in practice it can cause issues when migrating existing systems that rely on specific header casing.
In our case the problem showed up in the SDC client implementation, which relies on uppercase header values.
To solve this problem in general:
- we add an EnvoyFilter that keeps the header case in the istio-config namespace (the mesh root namespace), so it applies to all namespaces,
- but set the context to SIDECAR_INBOUND and SIDECAR_OUTBOUND to avoid problems in the connection between the Istio Gateway and the services.
Create an EnvoyFilter file (e.g. envoyfilter-case.yaml):
```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: header-casing-inbound
  namespace: istio-config
  #annotations:
  #  argocd.argoproj.io/hook: PostSync
spec:
  configPatches:
  - applyTo: CLUSTER
    match:
      context: SIDECAR_INBOUND
    patch:
      operation: MERGE
      value:
        typed_extension_protocol_options:
          envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
            '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
            use_downstream_protocol_config:
              http_protocol_options:
                header_key_format:
                  stateful_formatter:
                    name: preserve_case
                    typed_config:
                      '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          http_protocol_options:
            header_key_format:
              stateful_formatter:
                name: preserve_case
                typed_config:
                  '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: header-casing-outbound
  namespace: istio-config
  #annotations:
  #  argocd.argoproj.io/hook: PostSync
spec:
  configPatches:
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: MERGE
      value:
        typed_extension_protocol_options:
          envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
            '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
            use_downstream_protocol_config:
              http_protocol_options:
                header_key_format:
                  stateful_formatter:
                    name: preserve_case
                    typed_config:
                      '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          http_protocol_options:
            header_key_format:
              stateful_formatter:
                name: preserve_case
                typed_config:
                  '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig
```
Apply the change to Istio:
```sh
$ kubectl apply -f envoyfilter-case.yaml
```
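A quick way to confirm that the filter is active on a given hop, added here as an example and not part of the original page: capture the response headers of a workload through its sidecar with `curl -sS -D - -o /dev/null http://<service>:<port>/` (service and port are placeholders) and feed the captured block to the functions below. All-lowercase header names mean Envoy is still normalising them on that path; mixed-case names mean the preserve_case formatter is in effect.

```sh
#!/bin/sh
# Added example, not from the original page: classify the header names of a
# captured HTTP/1.1 response as normalised (all lowercase, Envoy's default)
# or case-preserved (what the preserve_case EnvoyFilter should produce).
# Capture a response block with, e.g. (service and port are placeholders):
#   curl -sS -D - -o /dev/null http://<service>:<port>/ > resp.txt
#   header_case_report < resp.txt

# header_names: read an HTTP response on stdin and print one header name per
# line. The status line is skipped, parsing stops at the blank line that ends
# the header block, and the CR of CRLF endings is dropped with the value.
header_names() {
  awk 'NR == 1 { next }
       /^[[:space:]]*$/ { exit }
       { sub(/:.*/, ""); print }'
}

# header_case_check: exit 0 when at least one header name still carries an
# uppercase letter (case preserved), 1 when every name is lowercase (Envoy
# normalised them, i.e. the EnvoyFilter is not active on this hop), and 2 when
# no header names were found at all (inconclusive input).
header_case_check() {
  names=$(header_names)
  [ -n "$names" ] || return 2
  printf '%s\n' "$names" | grep -q '[[:upper:]]'
}

# header_case_report: human-readable verdict for the response on stdin.
header_case_report() {
  if header_case_check; then
    echo "preserved: header names keep their case"
  elif [ $? -eq 1 ]; then
    echo "normalised: all header names are lowercase"
  else
    echo "inconclusive: no header block found"
  fi
}
```

Run the check once against a pod in a namespace with sidecar injection and once against a plain pod without a sidecar; only the first result says anything about the filter, and a "normalised" verdict for inbound traffic usually means the EnvoyFilter was applied outside the mesh root namespace or with a non-matching context.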
...
Create a namespace istio-ingress for the Istio Ingress gateway and enable istio-injection:
```sh
$ kubectl create namespace istio-ingress
$ kubectl label namespace istio-ingress istio-injection=enabled
```
Install the Istio Gateway chart:
```sh
$ helm upgrade -i istio-ingress istio/gateway -n istio-ingress --version 1.15.1 --wait
```
(Addon required for
Install Jaeger/Kiali
Kiali Installation
...
Create the kiali-operator namespace:
```sh
$ kubectl create namespace kiali-operator
$ kubectl label namespace kiali-operator istio-injection=enabled
```
Install the Kiali Operator:
```sh
$ helm repo add kiali https://kiali.org/helm-charts
$ helm repo update kiali
# helm install needs a release name before the chart; kiali-operator is used here
$ helm install \
    --namespace kiali-operator \
    kiali-operator \
    kiali/kiali-operator
```
Create the Kiali CR file (e.g. kiali.yaml):
```yaml
apiVersion: kiali.io/v1alpha1
kind: Kiali
metadata:
  name: kiali
  namespace: istio-system
  annotations:
    ansible.operator-sdk/verbosity: "1"
spec:
  auth:
    strategy: anonymous
  istio_component_namespaces:
    prometheus: monitoring
  external_services:
    grafana:
      in_cluster_url: http://prometheus-stack-grafana.monitoring
    prometheus:
      url: http://prometheus-stack-kube-prom-prometheus.monitoring:9090
    tracing:
      in_cluster_url: http://istio-query.observability:16686
  deployment:
    accessible_namespaces: ["**"]
    view_only_mode: false
  server:
    web_root: "/kiali"
```
Install Kiali:
```sh
$ kubectl apply -f kiali.yaml
```
Create the Ingress gateway entry for the Kiali web interface (e.g. kiali-ingress.yaml):
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kiali-gateway
spec:
  selector:
    istio: ingress
  servers:
  - hosts:
    - kiali.simpledemo.onap.org
    port:
      name: http
      number: 80
      protocol: HTTP
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kiali-service
spec:
  hosts:
  - kiali.simpledemo.onap.org
  gateways:
  - kiali-gateway
  http:
  - route:
    - destination:
        port:
          number: 20001
        host: kiali
```
Add the Ingress entry for Kiali:
```sh
$ kubectl -n istio-system apply -f kiali-ingress.yaml
```
...