# External Istiod single cluster steps

Lin Sun edited this page Nov 6, 2020 · 5 revisions

Please use this instruction on istio.io instead.

The steps below are tested using Istio 1.7. They won't work in prior Istio releases.
1. Set up the required config on the remote cluster (c2) using a given namespace (istio2). Deploy the following Istio operator config (istiod2-remote.yaml):

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio2
spec:
  meshConfig:
    defaultConfig:
      discoveryAddress: istiod2.x.x:15012
      controlPlaneAuthPolicy: MUTUAL_TLS
  components:
    base:
      enabled: true
    pilot:
      enabled: false
    istiodRemote:
      enabled: true
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
  values:
    global:
      caAddress: istiod2.x.x:15012
      istioNamespace: istio2
    meshConfig:
      rootNamespace: istio2
    istiodRemote:
      injectionURL: https://istiod2.x.x:15017/inject
    base:
      validationURL: https://istiod2.x.x:15017/validate
    telemetry:
      enabled: false
      v2:
        enabled: false
```

   You may generate the yaml using the istioctl command, then deploy it:

```sh
go run "${GOPATH}"/src/istio.io/istio/istioctl/cmd/istioctl/main.go manifest generate -f istiod2-remote.yaml --charts manifests > ../testingdir/istiod2-remote-deploy.yaml
```
2. Create c2's kube config as a secret on the control plane cluster (c1) in the istio2 namespace, e.g.

```sh
k create secret generic istio-kubeconfig --from-file=/Users/linsun/go/src/istio.io/testingdir/config -n istio2
```
3. Deploy istiod on the control plane cluster (c1), also in the same namespace (istio2).

   Note:
   - Since base is not enabled, you need to create the istiod-service-account service account in namespace istio2 first:

```sh
k create sa istiod-service-account -n istio2
```

   - You may generate the yaml using the istioctl command, then deploy it:

```sh
istioctl manifest generate -f istiod-cluster.yaml --charts manifests > ../testingdir/istiod-cluster-deploy.yaml
```

   Sample istiod-cluster.yaml:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio2
spec:
  meshConfig:
    defaultConfig:
      discoveryAddress: istiod2.x.x:15012
      controlPlaneAuthPolicy: MUTUAL_TLS
  components:
    base:
      enabled: false
    pilot:
      enabled: true
    ingressGateways:
    - name: istio-ingressgateway
      enabled: false
  values:
    global:
      caAddress: istiod2.x.x:15012
      istioNamespace: istio2
      operatorManageWebhooks: true
    pilot:
      env:
        ISTIOD_CUSTOM_HOST: istiod2.x.x
    meshConfig:
      rootNamespace: istio2
    telemetry:
      enabled: false
      v2:
        enabled: false
        metadataExchange: {}
    prometheus:
      enabled: false
```
4. Deploy the minimal profile of Istio plus an ingress gateway (or the default profile) on the control plane cluster so that istiod can be exposed on its ingress gateway, e.g. minimal-istio1.yaml below.

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio1
spec:
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        service:
          ports:
          - port: 15021
            targetPort: 15021
            name: status-port
          - port: 80
            targetPort: 8080
            name: http2
          - port: 443
            targetPort: 8443
            name: https
          - port: 15443
            targetPort: 15443
            name: tls
          - port: 15012
            targetPort: 15012
            name: tls-xds
          - port: 15017
            targetPort: 15017
            name: tls-webhook
  addonComponents:
    prometheus:
      enabled: false
  meshConfig:
    enableAutoMtls: false
    rootNamespace: istio1
  values:
    global:
      istioNamespace: istio1
    telemetry:
      enabled: false
      v2:
        enabled: false
    prometheus:
      enabled: false
```

   Generate the deployable yaml file and deploy it:

```sh
istioctl manifest generate -f minimal-istio1.yaml --charts manifests > ../testingdir/minimal-istio1-deploy.yaml
```
5. Expose the istiod deployed in the istio2 namespace on the Istio ingress gateway deployed from the minimal profile. Both ports use TLS PASSTHROUGH so the gateway forwards istiod's own TLS connections by SNI without terminating them. Deploy the following config:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istiod2
  namespace: istio2
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15012
      protocol: tls
      name: TLS-XDS
    tls:
      mode: PASSTHROUGH
    hosts:
    - "istiod2.x.x"
  - port:
      number: 15017
      protocol: tls
      name: TLS-WEBHOOK
    tls:
      mode: PASSTHROUGH
    hosts:
    - "istiod2.x.x"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: istiod2-vs
  namespace: istio2
spec:
  hosts:
  - istiod2.x.x
  gateways:
  - istiod2
  tls:
  - match:
    - port: 15012
      sniHosts:
      - istiod2.x.x
    route:
    - destination:
        host: istiod
        port:
          number: 15012
  - match:
    - port: 15017
      sniHosts:
      - istiod2.x.x
    route:
    - destination:
        host: istiod
        port:
          number: 443
```
6. You may need to restart the Istio ingress gateway pod (on c2) to allow it to reach running status.
7. You should now be able to deploy any workloads to the mesh on c2.
8. You can repeat steps 1, 2, 3 and 5 to deploy another istiod on c1 using a new namespace, and another remote-cluster data plane for that istiod on a different cluster.
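The steps above spread the same control-plane endpoint (istiod2.x.x, ports 15012 and 15017) across four objects, and a mismatch or a non-PASSTHROUGH gateway server breaks the remote cluster silently. The following consistency check is an added example, not code from this page or the Istio project; it embeds the page's remote IstioOperator, Gateway and ingress Service ports as Python dicts (constructed to mirror the YAML above) so it runs offline.

```python
from urllib.parse import urlsplit
# Constructed from istiod2-remote.yaml on this page (istiod2.x.x is the page's placeholder host).
REMOTE_OP = {"spec": {
    "meshConfig": {"defaultConfig": {"discoveryAddress": "istiod2.x.x:15012",
                                     "controlPlaneAuthPolicy": "MUTUAL_TLS"}},
    "values": {"global": {"caAddress": "istiod2.x.x:15012"},
               "istiodRemote": {"injectionURL": "https://istiod2.x.x:15017/inject"},
               "base": {"validationURL": "https://istiod2.x.x:15017/validate"}}}}
# Constructed from the istiod2 Gateway on this page.
GATEWAY = {"spec": {"servers": [
    {"port": {"number": 15012}, "tls": {"mode": "PASSTHROUGH"}, "hosts": ["istiod2.x.x"]},
    {"port": {"number": 15017}, "tls": {"mode": "PASSTHROUGH"}, "hosts": ["istiod2.x.x"]}]}}
# Service ports of istio-ingressgateway from minimal-istio1.yaml on this page.
INGRESS_PORTS = {15021, 80, 443, 15443, 15012, 15017}

def host_port(addr):
    host, _, port = addr.rpartition(":")  # 'host:port' -> (host, int port)
    return host, int(port)

def check(remote_op, gateway, ingress_ports):
    """Return a list of findings; an empty list means the configs agree."""
    findings = []
    dc = remote_op["spec"]["meshConfig"]["defaultConfig"]
    vals = remote_op["spec"]["values"]
    if dc.get("controlPlaneAuthPolicy") != "MUTUAL_TLS":
        findings.append("controlPlaneAuthPolicy is not MUTUAL_TLS")
    endpoints = {"discoveryAddress": host_port(dc["discoveryAddress"]),
                 "caAddress": host_port(vals["global"]["caAddress"])}
    for key, url in (("injectionURL", vals["istiodRemote"]["injectionURL"]),
                     ("validationURL", vals["base"]["validationURL"])):
        u = urlsplit(url)
        if u.scheme != "https":
            findings.append(f"{key} must use https")
        endpoints[key] = (u.hostname, u.port)
    hosts = {h for h, _ in endpoints.values()}
    if len(hosts) != 1:
        findings.append(f"control-plane hostnames disagree: {sorted(hosts)}")
    # Each endpoint must hit a PASSTHROUGH server: istiod's own TLS then reaches the remote sidecars end to end.
    servers = {(h, s["port"]["number"]): s["tls"].get("mode")
               for s in gateway["spec"]["servers"] for h in s["hosts"]}
    for key, (h, p) in endpoints.items():
        mode = servers.get((h, p))
        if mode is None:
            findings.append(f"{key} {h}:{p} has no Gateway server")
        elif mode != "PASSTHROUGH":
            findings.append(f"{key} {h}:{p} server mode is {mode}, not PASSTHROUGH")
        if p not in ingress_ports:
            findings.append(f"port {p} is not exposed on the ingress gateway Service")
    return findings
```

Run `check(REMOTE_OP, GATEWAY, INGRESS_PORTS)` after editing any of the four objects; each finding names the key and endpoint that disagree.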