Istio deployment with Helm

Reference

1. Istio Chart Directory Structure

  • PATH: istio-1.1.7/install/kubernetes/helm

1.1 Chart.yaml

  • The chart's basic information file, containing the version number, name, keywords and other metadata.

1.2 values-*.yaml

  • Istio provides key configuration templates for various scenarios; these are the input files for helm and the usual way to customize istio;
  • After editing the input file, use the helm template command to generate the final deployment manifest.

1.3 requirements.yaml

  • Manages the chart's dependencies and defines a set of switch variables for them;
  • Setting these variables in helm's input values controls whether the corresponding component is enabled in the generated istio deployment manifest.

1.4 templates

1.4.1 _affinity.tpl

  • Generates the node affinity and anti-affinity elements used when rendering the YAML of the various components;
  • This file uses a series of variables to control the node affinity of istio components, i.e. which nodes istio is scheduled onto at deployment time.
  • It defines two local templates:
    • nodeAffinityRequiredDuringScheduling: restricts the nodes istio component pods may be deployed on according to the global variable arch; it decides whether a pod may run on a server of a given architecture, and ranks servers by priority according to the weights in the arch list.
    • nodeAffinityPreferredDuringScheduling: similar to nodeAffinityRequiredDuringScheduling, but a soft constraint.

1.4.2 sidecar-injector-configmap.yaml

  • Eventually generates a ConfigMap object whose data holds the configuration for Sidecar injection;
  • Both manual and automatic injection in istio reference this ConfigMap, so if you want to modify istio's Sidecar injection process and its specific behaviour, start from this file or the corresponding ConfigMap.

1.4.3 configmap.yaml

  • Generates the ConfigMap named istio, which provides Pilot's boot configuration data.

1.5 charts

This directory holds the sub-charts of the istio components:

  • certmanager: Jetstack's Cert-Manager, an ACME-based certificate client, used to automatically request, obtain and distribute certificates.
  • galley: istio's galley, which handles configuration validation and management.
  • gateways: chart for configuring gateways; multiple gateway controllers can be installed.
  • grafana: graphical istio dashboard.
  • ingress: legacy design, disabled by default; after the traffic-control API was upgraded to networking.istio.io/v1alpha3 it is deprecated and not recommended.
  • kiali: dashboard combining distributed tracing, configuration inspection and several other functions.
  • mixer: istio's policy enforcement component.
  • pilot: istio's traffic management component.
  • prometheus: monitoring software, including istio-specific metrics scraping settings.
  • security: the citadel component, for automatic certificate management.
  • servicegraph: distributed tracing component configured to obtain and display the service call graph; about to be removed.
  • sidecarInjectorWebhook: webhook configuration for the automatic injector.
  • tracing: distributed tracing component, implemented with Jaeger, replacing the original servicegraph component.

2. Global Variables

The istio chart is divided into two layers, the parent chart and its sub-charts, so there are two kinds of variables: global and local.

  • Global variables are defined under the reserved word global;
  • Sub-charts reference global variables as .Values.global.<name>;
  • The parent chart can also set a sub-chart's variable as <subchart>.<var>.

2.1 hub & tag

  • In most cases these two variables determine the addresses of all images, which are typically spliced together as {{ .Values.global.hub }}/[component]:{{ .Values.global.tag }};
  • In the proxy_init, Mixer, Grafana and Pilot Deployment templates, once a component's image variable contains the character "/", global.hub is discarded and the defined image is used directly.
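The image-reference rule above is easy to get wrong in a supply-chain review: a sub-chart override containing "/" silently stops using global.hub. The following script is an added example (not code from the original post or from the Istio charts); it reproduces that rule in a shell function and audits a constructed set of component images against an allowed hub. The hub docker.io/istio, the tag 1.1.7 and the registry registry.example.internal are constructed values for this example.

```shell
#!/bin/sh
# Added example: reproduce the Istio Deployment templates' image rule and
# check the resolved references against an allowed registry prefix.

# Compose an image reference the way the templates do: an image value that
# contains "/" is used verbatim, otherwise it becomes <hub>/<image>:<tag>.
istio_image_ref() {
  hub=$1; tag=$2; image=$3
  case "$image" in
    */*) printf '%s\n' "$image" ;;
    *)   printf '%s/%s:%s\n' "$hub" "$image" "$tag" ;;
  esac
}

# Return 0 when a resolved reference starts with the allowed hub followed by
# "/", 1 otherwise. This catches overrides that bypass global.hub and would
# pull a component from a registry you did not intend to trust.
image_in_hub() {
  allowed_hub=$1; ref=$2
  case "$ref" in
    "$allowed_hub"/*) return 0 ;;
    *)                return 1 ;;
  esac
}

# Read "component=image" pairs from stdin, resolve each one, print a report
# line per component to stderr and the number of foreign images to stdout.
count_foreign_images() {
  hub=$1; tag=$2
  foreign=0
  while IFS='=' read -r component image; do
    [ -n "$component" ] || continue
    ref=$(istio_image_ref "$hub" "$tag" "$image")
    if image_in_hub "$hub" "$ref"; then
      echo "ok       $component -> $ref" >&2
    else
      echo "FOREIGN  $component -> $ref" >&2
      foreign=$((foreign + 1))
    fi
  done
  echo "$foreign"
}

# Demo with constructed values: hub, tag and the grafana override are made up.
printf 'pilot=pilot\nmixer=mixer\ngrafana=registry.example.internal/istio/grafana:1.1.7\n' \
  | count_foreign_images docker.io/istio 1.1.7
```

Feed the script the image values you actually set in values.yaml and the sub-chart values files; a non-zero count means at least one component is not being pulled from the hub you configured.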

2.2 ingress.enabled

  • Controls whether istio's ingress controller is enabled;
  • Set to true, it enables support for Kubernetes Ingress resources. This is a compatibility feature; istio does not recommend using ingress and recommends the ingress gateway instead;
  • The two variables k8sIngressSelector and k8sIngressHttps are affected by ingress.enabled (when it is set to true, the content of these two variables takes effect).

2.3 proxy-related parameters

values.yaml defines a set of proxy variables that control the Sidecar.

2.3.1 proxy.resources

  • Resources allocated to the Sidecar.

2.3.2 proxy.concurrency

  • Number of proxy worker threads;
  • If set to 0 (the default), the number of threads is allocated according to the number of CPU cores.

2.3.3 proxy.accessLogFile

  • Location of the Sidecar access log;
  • If set to an empty string, the access log is disabled;
  • Default value: /dev/stdout.

2.3.4 proxy.privileged

  • Privileged-mode switch for istio-init and istio-proxy; the default value is false.

2.3.5 proxy.enableCoreDump

  • If enabled, newly injected Sidecars start with core dumps enabled, and the init container enable-core-dump is added to the Pod;
  • The default value is false.

2.3.6 proxy.includeIPRanges

  • Whitelist of IP ranges whose traffic is hijacked (redirected through the Sidecar);
  • The default value * means all traffic is hijacked;
  • In sidecar-injector-configmap.yaml this variable is used to generate the ConfigMap istio-sidecar-injector, which sets the operating parameters of istio-init; proxy.includeIPRanges is passed to istio-init as its "-i" parameter.

2.3.7 proxy.excludeIPRanges

  • Blacklist of IP ranges excluded from hijacking;
  • The default is an empty string; traffic to IPs outside this range is hijacked;
  • proxy.excludeIPRanges affects istio-init's "-x" parameter.

2.3.8 proxy.includeInboundPorts

  • Whitelist of ports whose inbound traffic is hijacked;
  • Inbound traffic to the Pod on ports in this range is hijacked;
  • proxy.includeInboundPorts affects istio-init's "-b" parameter.

2.3.9 proxy.excludeInboundPorts

  • Blacklist of ports excluded from inbound traffic hijacking;
  • Inbound traffic on ports outside this range is hijacked;
  • proxy.excludeInboundPorts affects istio-init's "-d" parameter.
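Sections 2.3.6 to 2.3.9 together define what istio-init captures, and therefore what traffic never passes through the Sidecar (and so gets no mTLS, telemetry or policy). The script below is an added example (not code from the original post or the Istio charts): it builds the istio-init argument list from the four values using the mapping given above (includeIPRanges to -i, excludeIPRanges to -x, includeInboundPorts to -b, excludeInboundPorts to -d) and counts the settings that leave a capture gap. The CIDR 10.0.0.0/8 and port 9090 used in the demo are constructed values.

```shell
#!/bin/sh
# Added example: derive istio-init arguments from proxy.* values and report
# which traffic would bypass the sidecar under those values.

# Print the arguments as a YAML list, one item per line. Omitted or empty
# include values fall back to the chart default "*"; exclude values default
# to the empty string, which istio-init treats as "exclude nothing".
istio_init_args() {
  include_ip="${1:-*}"; exclude_ip="${2:-}"; include_ports="${3:-*}"; exclude_ports="${4:-}"
  printf '%s\n' '- "-i"' "- \"$include_ip\"" \
                '- "-x"' "- \"$exclude_ip\"" \
                '- "-b"' "- \"$include_ports\"" \
                '- "-d"' "- \"$exclude_ports\""
}

# Count the settings under which some traffic skips the sidecar: anything
# outside an include list, and anything inside an exclude list. One line
# per finding goes to stderr, the number of findings to stdout.
capture_gaps() {
  include_ip="${1:-*}"; exclude_ip="${2:-}"; include_ports="${3:-*}"; exclude_ports="${4:-}"
  gaps=0
  if [ "$include_ip" != '*' ]; then
    echo "outbound: only $include_ip is captured; other destinations bypass the sidecar" >&2
    gaps=$((gaps + 1))
  fi
  if [ -n "$exclude_ip" ]; then
    echo "outbound: destinations in $exclude_ip bypass the sidecar" >&2
    gaps=$((gaps + 1))
  fi
  if [ "$include_ports" != '*' ]; then
    echo "inbound: only ports $include_ports are captured; other ports bypass the sidecar" >&2
    gaps=$((gaps + 1))
  fi
  if [ -n "$exclude_ports" ]; then
    echo "inbound: ports $exclude_ports bypass the sidecar" >&2
    gaps=$((gaps + 1))
  fi
  echo "$gaps"
}

# Demo with constructed values: a narrowed outbound whitelist plus one
# excluded inbound port.
istio_init_args 10.0.0.0/8 '' '*' 9090
capture_gaps 10.0.0.0/8 '' '*' 9090
```

Run capture_gaps with the values from your values.yaml before rendering the chart; every finding is a path on which mesh-level controls do not apply, so each one should be a deliberate decision rather than a leftover default.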

2.3.10 proxy.autoInject

  • Controls whether Sidecar injection happens automatically.

2.3.11 proxy.envoyStatsd

  • The default values are as follows:
    • enabled: true
    • host: istio-statsd-prom-bridge
    • port: 9125
  • These set Envoy's "--statsdUdpAddress" parameter; in some setups (e.g. when Mixer is not installed) it can be disabled.

2.4 proxy_init.image

  • Specifies the image of the initialization container. Before a Pod in the service mesh starts, this image is run first to complete the traffic-hijacking setup.

2.5 imagePullPolicy

  • Image pull policy;
  • The default value is IfNotPresent.

2.6 controlPlaneSecurityEnabled

  • Specifies whether mTLS is enabled for communication between istio control-plane components;
  • When enabled, communication between Sidecars and control-plane components, and between control-plane components themselves, switches to mTLS;
  • Affected components: Ingress, Mixer, Pilot and Sidecar.

2.7 disablePolicyChecks

  • If set to true, Mixer's preflight (precondition) checks are disabled;
  • The preflight check is a synchronous process, and slow checks may block business applications.

2.8 enableTracing

  • Whether to enable distributed tracing;
  • The default value is true.

2.9 mtls.enabled

  • Whether mTLS connections between services are enabled by default;
  • If set to true, all service-to-service communication inside the mesh is hardened with mTLS;
  • This variable is global; each service can also decide individually whether to use mTLS, through annotations or through rules targeting that service.

2.10 imagePullSecrets

  • The image pull credentials (Secrets) assigned to the ServiceAccount;
  • The default value is empty.

2.11 arch

  • Provides the list used by the node-affinity process of istio components; its content determines the range of nodes available for deployment and sets priority according to server architecture;
  • The default list is:

    amd64: 2
    s390x: 2
    ppc64le: 2

2.12 oneNamespace

  • The default value is false; Pilot watches service changes in all namespaces;
  • If set to true, "-a" is added to Pilot's service discovery parameters, and Pilot watches only the namespace the istio components are in.

2.13 configValidation

  • Whether to enable the configuration validation server;
  • The default value is true;
  • When enabled, a ValidatingWebhookConfiguration object is generated and Galley's configuration-checking function is enabled.

2.14 meshExpansion

  • Used when the mesh needs to be expanded to physical or virtual machines;
  • The default value is false;
  • When enabled, the Pilot and Citadel services are exposed on the Ingress Gateway.

2.15 meshExpansionILB

  • Whether to expose the Pilot and Citadel ports on an internal gateway;
  • The default value is false; this variable is only used for mesh expansion.

2.16 defaultResources

  • Provides a minimum resource limit for all istio components;
  • The default setting is only a request of 10m CPU;
  • Resource requirements can also be set individually in each sub-chart's local variables.

2.17 hyperkube

  • During setup istio uses this image to run some Jobs, such as initializing CRDs in the installation process of earlier versions, or cleaning up expired certificates;
  • Default image: hub quay.io/coreos, tag v1.7.6_coreos.0.

2.18 priorityClassName

  • Kubernetes v1.11.0 and later have the priorityClass concept; Pods with a priority class are not evicted or preempted for resources;
  • The default value is empty; optional values: system-cluster-critical and system-node-critical.

2.19 crds

  • Decides whether the CRD definitions are included;
  • If you use the helm template command, or helm install version 2.10 or later, it should be set to true;
  • Otherwise, run kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml before installing and set this variable to false.

3. Custom Installation

3.1 Install with Helm via helm template

Customize the values.yaml files, including the sub-charts' values.yaml, according to actual needs, for example:

  • Image addresses
  • System resources
  • Service type
  • Which visual components (dashboards) to enable

3.1.1 Preparation

# create the "namespace"
kubectl create namespace istio-system

# install the Istio Custom Resource Definitions (CRDs)
helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -

# after the "CRDs" are deployed, wait a while (3~5 min) until they are fully registered with the Kubernetes API-server
# the number of "CRDs" is "53" by default, or "58" if "cert-manager" is enabled
# istio "CRDs" end in "istio.io" or "certmanager.k8s.io"
kubectl get crds | grep 'istio.io\|certmanager.k8s.io' | wc -l

3.1.2 Generate the deployment manifest

# --name: base name for the generated deployment content;
# --namespace: the namespace to deploy into;
# -f: read input values from the given file.
helm template install/kubernetes/helm/istio --name istio --namespace istio-system -f values-demo.yaml > istio-demo.yaml

3.1.3 Deploy

# default profile
# helm template install/kubernetes/helm/istio --name istio --namespace istio-system | kubectl apply -f -

# apply the generated deployment manifest
kubectl apply -f istio-demo.yaml
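The three steps of 3.1 are a single procedure, and the values file it consumes is where the global/sub-chart split from section 2 shows up. The script below is an added example (not code from the original post or the Istio project): it writes a constructed values-demo.yaml with global keys and per-sub-chart keys, then runs the same helm template / kubectl commands as above, replacing the manual "wait 3~5 min and count CRDs" step with a loop that polls until the expected count (53, or 58 with cert-manager) is reached. The chart directory, the hub docker.io/istio and the sample kubectl output are assumptions or constructed data; the real deployment only runs when RUN_DEPLOY=yes is set, so the helper functions can be exercised without a cluster.

```shell
#!/bin/sh
# Added example: scripted helm-template installation with a CRD wait loop.
set -eu

# Assumptions for this example: chart path and target namespace.
ISTIO_HELM_DIR="${ISTIO_HELM_DIR:-istio-1.1.7/install/kubernetes/helm}"
NAMESPACE="${NAMESPACE:-istio-system}"

# Constructed values file. Keys under "global" are shared by every sub-chart
# (.Values.global.<name>); the other top-level keys address one sub-chart
# each (<subchart>.<var>).
demo_values() {
  cat <<'EOF'
global:
  hub: docker.io/istio              # assumption: registry used for this example
  tag: 1.1.7
  mtls:
    enabled: true                   # mTLS between services by default
  controlPlaneSecurityEnabled: true # mTLS for control-plane traffic
  proxy:
    privileged: false
    enableCoreDump: false
    includeIPRanges: "*"
grafana:
  enabled: true                     # sub-chart variable grafana.enabled
kiali:
  enabled: true
tracing:
  enabled: true
EOF
}

# Expected CRD count from the post: 53 by default, 58 with cert-manager.
expected_crd_count() {
  if [ "${1:-false}" = "true" ]; then echo 58; else echo 53; fi
}

# Count Istio / cert-manager CRDs in "kubectl get crds" output read from stdin.
# "|| true" keeps grep's exit status 1 (no matches) from aborting under set -e.
count_istio_crds() {
  grep -c -e 'istio.io' -e 'certmanager.k8s.io' || true
}

# Poll the API server until at least $1 CRDs are registered, or give up after
# $2 attempts (default 60, five seconds apart).
wait_for_crds() {
  want=$1; tries="${2:-60}"; have=0
  while [ "$tries" -gt 0 ]; do
    have=$(kubectl get crds | count_istio_crds)
    [ "$have" -ge "$want" ] && return 0
    tries=$((tries - 1)); sleep 5
  done
  echo "timed out: $have of $want CRDs registered" >&2
  return 1
}

# The procedure from 3.1.1 to 3.1.3, with the wait loop in place of a sleep.
deploy_istio() {
  kubectl create namespace "$NAMESPACE"
  helm template "$ISTIO_HELM_DIR/istio-init" --name istio-init --namespace "$NAMESPACE" | kubectl apply -f -
  wait_for_crds "$(expected_crd_count "${CERT_MANAGER:-false}")"
  demo_values > values-demo.yaml
  helm template "$ISTIO_HELM_DIR/istio" --name istio --namespace "$NAMESPACE" -f values-demo.yaml > istio-demo.yaml
  kubectl apply -f istio-demo.yaml
}

# Constructed sample of "kubectl get crds" output for offline checks: three of
# the four rows are Istio / cert-manager CRDs.
SAMPLE_CRDS='NAME                                    CREATED AT
gateways.networking.istio.io            2019-01-01T00:00:00Z
virtualservices.networking.istio.io     2019-01-01T00:00:00Z
certificates.certmanager.k8s.io         2019-01-01T00:00:00Z
widgets.example.com                     2019-01-01T00:00:00Z'

sample_crd_count() {
  printf '%s\n' "$SAMPLE_CRDS" | count_istio_crds
}

if [ "${RUN_DEPLOY:-no}" = "yes" ]; then
  deploy_istio
fi
```

Set CERT_MANAGER=true when the certmanager sub-chart is enabled so the wait loop expects 58 CRDs instead of 53; the generated istio-demo.yaml can be reviewed (or diffed against a previous render) before the final kubectl apply.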

3.2 Install with Helm and Tiller via helm install

  • The helm install approach requires the Tiller server side and does not generate a manifest file;
  • If you need to manage releases, this approach is recommended.
  • Reference: Helm install


Origin www.cnblogs.com/netonline/p/11767303.html