github.com/replicatedcom/ship@v0.50.0/integration/init/istio/expected/.ship/upstream/README.md

# Istio

[Istio](https://istio.io/) is an open platform that provides a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies, and aggregate telemetry data.

## Introduction

This chart bootstraps a deployment of all Istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.

## Chart Details

This chart can install multiple Istio components as subcharts:

- ingress
- ingressgateway
- egressgateway
- sidecarInjectorWebhook
- galley
- mixer
- pilot
- security(citadel)
- grafana
- prometheus
- servicegraph
- tracing(jaeger)
- kiali

To enable or disable each component, change the corresponding `enabled` flag.

## Prerequisites

- A Kubernetes 1.9 or newer cluster with RBAC (Role-Based Access Control) enabled is required.
- Helm 2.7.2 or newer, or alternately the ability to modify RBAC rules, is also required.
- If you want to enable automatic sidecar injection, Kubernetes 1.9+ with the `admissionregistration` API is required, and the `kube-apiserver` process must have the `admission-control` flag set with the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` admission controllers added and listed in the correct order.

## Resources Required

The chart deploys pods that consume the minimum resources specified in the `resources` configuration parameter.

## Installing the Chart

1. If a service account has not already been installed for Tiller, install one:
   ```
   $ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml
   ```

2. Install Tiller on your cluster with the service account:
   ```
   $ helm init --service-account tiller
   ```

3. Set and create the namespace where Istio will be installed:
   ```
   $ NAMESPACE=istio-system
   $ kubectl create ns $NAMESPACE
   ```

4. Install Istio's [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) via `kubectl apply`, and wait a few seconds for the CRDs to be committed in the kube-apiserver:
   ```
   $ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
   ```
   **Note**: If you are enabling `certmanager`, you also need to install its CRDs and wait a few seconds for the CRDs to be committed in the kube-apiserver:
   ```
   $ kubectl apply -f install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml
   ```

5. If you are enabling `kiali`, you need to create the secret that contains the username and passphrase for the `kiali` dashboard. The username and passphrase shown are sample values; substitute your own:
   ```
   $ echo -n 'admin' | base64
   YWRtaW4=
   $ echo -n '1f2d1e2e67df' | base64
   MWYyZDFlMmU2N2Rm
   $ cat <<EOF | kubectl apply -f -
   apiVersion: v1
   kind: Secret
   metadata:
     name: kiali
     namespace: $NAMESPACE
     labels:
       app: kiali
   type: Opaque
   data:
     username: YWRtaW4=
     passphrase: MWYyZDFlMmU2N2Rm
   EOF
   ```

6. If you are using security mode for Grafana, create the secret first as follows:

   Encode the username; you can change it to any name you want:
   ```
   $ echo -n 'admin' | base64
   YWRtaW4=
   ```

   Encode the passphrase; you can change it to any passphrase you want:
   ```
   $ echo -n '1f2d1e2e67df' | base64
   MWYyZDFlMmU2N2Rm
   ```

   Create the secret for Grafana:
   ```
   $ cat <<EOF | kubectl apply -f -
   apiVersion: v1
   kind: Secret
   metadata:
     name: grafana
     namespace: $NAMESPACE
     labels:
       app: grafana
   type: Opaque
   data:
     username: YWRtaW4=
     passphrase: MWYyZDFlMmU2N2Rm
   EOF
   ```

7. To install the chart with the release name `istio` in the namespace `$NAMESPACE` you defined above:
   - With [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection) (requires Kubernetes >=1.9.0):
     ```
     $ helm install install/kubernetes/helm/istio --name istio --namespace $NAMESPACE
     ```

   - Without the sidecar injection webhook:
     ```
     $ helm install install/kubernetes/helm/istio --name istio --namespace $NAMESPACE --set sidecarInjectorWebhook.enabled=false
     ```

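Steps 5 and 6 base64-encode a sample passphrase by hand. Base64 is an encoding, not encryption, so anyone who can read the Secret recovers the credential, and a passphrase copied from documentation is a known value. The following is an added example, not part of the Istio chart: it generates a random passphrase and renders the same Secret manifest (function names are hypothetical; it assumes `od`, `base64` and `awk` are available).

```shell
#!/bin/sh
# Added example, not from the Istio chart; function names are hypothetical.

# gen_passphrase: 16 bytes from the kernel CSPRNG, printed as 32 hex characters.
gen_passphrase() {
  od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# b64: base64-encode stdin on one line (Secret data values must not wrap).
b64() { base64 | tr -d '\n'; }

# render_secret NAME NAMESPACE USERNAME PASSPHRASE: print a Secret manifest in
# the shape used in steps 5 and 6. printf '%s' adds no trailing newline, so
# nothing extra ends up inside the stored credential.
render_secret() {
cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
  labels:
    app: $1
type: Opaque
data:
  username: $(printf '%s' "$3" | b64)
  passphrase: $(printf '%s' "$4" | b64)
EOF
}

# secret_field MANIFEST FIELD: decode one data field back to plaintext,
# showing that base64 alone gives no confidentiality.
secret_field() {
  printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }' | base64 -d
}

# Demo with a generated passphrase. On a real cluster, pipe the output to
# `kubectl apply -f -` and pass "$NAMESPACE" from step 3 as the namespace.
render_secret kiali istio-system admin "$(gen_passphrase)"
```

Store the generated passphrase in a secrets manager rather than in shell history, and restrict read access to Secrets in the namespace through RBAC.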
## Configuration

The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides.
To override Helm values, use the `--set key=value` argument during the `helm install` command. Multiple `--set` operations may be used in the same Helm operation.

Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table:

| Parameter | Description | Values | Default |
| --- | --- | --- | --- |
| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` |
| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` |
| `global.proxy.image` | Specifies the proxy image name | valid proxy name | `proxyv2` |
| `global.proxy.concurrency` | Specifies the number of proxy worker threads | number, 0 = auto | `0` |
| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` |
| `global.controlPlaneSecurityEnabled` | Specifies whether control plane mTLS is enabled | true/false | `false` |
| `global.mtls.enabled` | Specifies whether mTLS is enabled by default between services | true/false | `false` |
| `global.rbacEnabled` | Specifies whether to create Istio RBAC rules or not | true/false | `true` |
| `global.refreshInterval` | Specifies the mesh discovery refresh interval | integer followed by s | `10s` |
| `global.arch.amd64` | Specifies the scheduling policy for `amd64` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `global.arch.s390x` | Specifies the scheduling policy for `s390x` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `global.arch.ppc64le` | Specifies the scheduling policy for `ppc64le` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `ingress.enabled` | Specifies whether Ingress should be installed | true/false | `true` |
| `gateways.istio-ingressgateway.enabled` | Specifies whether Ingress gateway should be installed | true/false | `true` |
| `gateways.istio-egressgateway.enabled` | Specifies whether Egress gateway should be installed | true/false | `true` |
| `sidecarInjectorWebhook.enabled` | Specifies whether automatic sidecar-injector should be installed | true/false | `true` |
| `galley.enabled` | Specifies whether Galley should be installed for server-side config validation | true/false | `true` |
| `mixer.enabled` | Specifies whether Mixer should be installed | true/false | `true` |
| `pilot.enabled` | Specifies whether Pilot should be installed | true/false | `true` |
| `grafana.enabled` | Specifies whether Grafana addon should be installed | true/false | `false` |
| `grafana.persist` | Specifies whether Grafana addon should persist config data | true/false | `false` |
| `grafana.storageClassName` | If `grafana.persist` is true, specifies the [`StorageClass`](https://kubernetes.io/docs/concepts/storage/storage-classes/) to use for the `PersistentVolumeClaim` | `StorageClass` | `""` |
| `grafana.accessMode` | If `grafana.persist` is true, specifies the [`Access Mode`](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) to use for the `PersistentVolumeClaim` | RWO/ROX/RWX | `ReadWriteMany` |
| `prometheus.enabled` | Specifies whether Prometheus addon should be installed | true/false | `true` |
| `servicegraph.enabled` | Specifies whether Servicegraph addon should be installed | true/false | `false` |
| `tracing.enabled` | Specifies whether Tracing(jaeger) addon should be installed | true/false | `false` |
| `kiali.enabled` | Specifies whether Kiali addon should be installed | true/false | `false` |

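Per the table, both mTLS parameters default to `false` and `global.tag` defaults to the moving tag `0.8.latest`, so an install without overrides leaves mutual TLS off and does not pin an image version. The following pre-install check is an added example, not part of the chart: it resolves a list of `--set` style `key=value` overrides against those defaults (the last override wins, as with Helm) and reports what remains at the weak setting. Function names are hypothetical and only the four parameters shown are covered.

```shell
#!/bin/sh
# Added example (not part of the Istio chart). Function names are hypothetical.
# Arguments are key=value pairs exactly as they would follow `--set`.

# chart_default KEY: defaults copied from the configuration table.
chart_default() {
  case "$1" in
    global.mtls.enabled|global.controlPlaneSecurityEnabled|kiali.enabled)
      echo false ;;
    global.tag) echo 0.8.latest ;;
  esac
}

# effective_value KEY [key=value ...]: the last matching override wins,
# otherwise the chart default applies.
effective_value() {
  want=$1; shift
  val=$(chart_default "$want")
  for kv in "$@"; do
    case "$kv" in "$want="*) val=${kv#*=} ;; esac
  done
  printf '%s\n' "$val"
}

# audit_overrides [key=value ...]: print findings; return 1 on any WARN.
audit_overrides() {
  rc=0
  for k in global.mtls.enabled global.controlPlaneSecurityEnabled; do
    v=$(effective_value "$k" "$@")
    [ "$v" = true ] || { echo "WARN $k=$v: mutual TLS is not enabled"; rc=1; }
  done
  v=$(effective_value global.tag "$@")
  case "$v" in
    *latest*) echo "WARN global.tag=$v: floating tag, pin a fixed release"; rc=1 ;;
  esac
  if [ "$(effective_value kiali.enabled "$@")" = true ]; then
    echo "NOTE kiali.enabled=true: the kiali secret from step 5 must exist"
  fi
  return $rc
}

# Demo with constructed overrides: control plane mTLS and the tag are left
# at their defaults, so two WARN lines and one NOTE line are printed.
audit_overrides global.mtls.enabled=true kiali.enabled=true || true
```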
## Uninstalling the Chart

To uninstall/delete the `istio` release:
```
$ helm delete istio
```
The command removes all the Kubernetes components associated with the chart and deletes the release.

To uninstall/delete the `istio` release completely and make its name free for later use:
```
$ helm delete istio --purge
```