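#!/bin/bash
#
# Copyright Istio Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
################################################################################
#
# Script to configure and start the Istio sidecar (pilot-agent) on a VM host.
#
# Usage: istio-start.sh [clean | init [iptables-args...] | -p [iptables-args...] | run]
#   clean    remove the Istio iptables chains and exit
#   init, -p remove the Istio iptables chains, re-install them (all arguments
#            are forwarded to `pilot-agent istio-iptables`) and exit
#   run      start the proxy without touching iptables
#   (none)   remove and re-install the Istio iptables chains, then start the proxy
#
# Set ISTIO_CUSTOM_IP_TABLES=true to skip every iptables step.
#
# Configuration comes from two optional files (sidecar.env, cluster.env) that
# are *sourced*, i.e. executed as shell code with this script's privileges.
# The iptables steps need root, so those files must be writable only by root:
# a writable config file is equivalent to root code execution.

set -ea

# Load optional config variables. `set -a` above exports every variable the
# sourced files assign, so they are visible in pilot-agent's environment.
# Note the default paths are relative to the current working directory.
ISTIO_SIDECAR_CONFIG=${ISTIO_SIDECAR_CONFIG:-./var/lib/istio/envoy/sidecar.env}
if [[ -r ${ISTIO_SIDECAR_CONFIG} ]]; then
  # shellcheck disable=SC1090
  . "$ISTIO_SIDECAR_CONFIG"
fi

# Load config variables ISTIO_SYSTEM_NAMESPACE, CONTROL_PLANE_AUTH_POLICY
ISTIO_CLUSTER_CONFIG=${ISTIO_CLUSTER_CONFIG:-./var/lib/istio/envoy/cluster.env}
if [[ -r ${ISTIO_CLUSTER_CONFIG} ]]; then
  # shellcheck disable=SC1090
  . "$ISTIO_CLUSTER_CONFIG"
fi
set +a

# Set defaults
ISTIO_BIN_BASE=${ISTIO_BIN_BASE:-/usr/local/bin}
ISTIO_LOG_DIR=${ISTIO_LOG_DIR:-./var/log/istio}
NS=${ISTIO_NAMESPACE:-default}
SVC=${ISTIO_SERVICE:-rawvm}
ISTIO_SYSTEM_NAMESPACE=${ISTIO_SYSTEM_NAMESPACE:-istio-system}

# If set, ISTIO_CP_AUTH overrides the default control-plane auth policy.
# NOTE(review): this assignment is unconditional, so a CONTROL_PLANE_AUTH_POLICY
# value sourced from cluster.env is always replaced by ISTIO_CP_AUTH or the
# MUTUAL_TLS default — confirm that is intended before relying on cluster.env.
CONTROL_PLANE_AUTH_POLICY=${ISTIO_CP_AUTH:-"MUTUAL_TLS"}

# Instance IP reported to the control plane: the first address hostname(1)
# lists, unless ISTIO_SVC_IP is given explicitly.
if [ -z "${ISTIO_SVC_IP:-}" ]; then
  ISTIO_SVC_IP=$(hostname --all-ip-addresses | cut -d ' ' -f 1)
fi

if [ -z "${POD_NAME:-}" ]; then
  POD_NAME=$(hostname -s)
fi

if [[ ${1-} == "clean" ]] ; then
  if [ "${ISTIO_CUSTOM_IP_TABLES}" != "true" ] ; then
    # clean the previous Istio iptables chains.
    "${ISTIO_BIN_BASE}/pilot-agent" istio-clean-iptables
  fi
  exit 0
fi

# Init option will only initialize iptables. set ISTIO_CUSTOM_IP_TABLES to true if you would like to ignore this step
if [ "${ISTIO_CUSTOM_IP_TABLES}" != "true" ] ; then
  if [[ ${1-} == "init" || ${1-} == "-p" ]] ; then
    # clean the previous Istio iptables chains. This part is different from the init image mode,
    # where the init container runs in a fresh environment and there cannot be previous Istio chains
    "${ISTIO_BIN_BASE}/pilot-agent" istio-clean-iptables

    # Update iptables, based on current config. This is for backward compatibility with the init image mode.
    # The sidecar image can replace the k8s init image, to avoid downloading 2 different images.
    "${ISTIO_BIN_BASE}/pilot-agent" istio-iptables "${@}"
    exit 0
  fi

  if [[ ${1-} != "run" ]] ; then
    # clean the previous Istio iptables chains. This part is different from the init image mode,
    # where the init container runs in a fresh environment and there cannot be previous Istio chains
    "${ISTIO_BIN_BASE}/pilot-agent" istio-clean-iptables

    # Update iptables, based on config file
    "${ISTIO_BIN_BASE}/pilot-agent" istio-iptables
  fi
fi

# User the proxy runs as. The default drops privileges to istio-proxy.
EXEC_USER=${EXEC_USER:-istio-proxy}
if [ "${ISTIO_INBOUND_INTERCEPTION_MODE}" = "TPROXY" ] ; then
  # In order to allow redirect inbound traffic using TPROXY, run envoy with the CAP_NET_ADMIN capability.
  # This allows configuring listeners with the "transparent" socket option set to true.
  # NOTE(review): this grants full root to the proxy rather than only
  # CAP_NET_ADMIN; a narrower capability grant is not implemented here.
  EXEC_USER=root
fi

# The default matches the default istio.yaml - use sidecar.env to override ISTIO_PILOT_PORT or CA_ADDR if you
# enable auth. This requires node-agent to be running.
DEFAULT_PILOT_ADDRESS="istiod.${ISTIO_SYSTEM_NAMESPACE}.svc:15012"
CUSTOM_PILOT_ADDRESS="${PILOT_ADDRESS:-}"
if [ -z "${CUSTOM_PILOT_ADDRESS}" ] && [ -n "${ISTIO_PILOT_PORT:-}" ]; then
  CUSTOM_PILOT_ADDRESS=istiod.${ISTIO_SYSTEM_NAMESPACE}.svc:${ISTIO_PILOT_PORT}
fi

# CA_ADDR > PILOT_ADDRESS > ISTIO_PILOT_PORT
CA_ADDR=${CA_ADDR:-${CUSTOM_PILOT_ADDRESS:-${DEFAULT_PILOT_ADDRESS}}}
# `-` (not `:-`) so an explicitly empty value is kept as empty.
PROV_CERT=${PROV_CERT-./etc/certs}
OUTPUT_CERTS=${OUTPUT_CERTS-./etc/certs}

export PROV_CERT
export OUTPUT_CERTS
export CA_ADDR

# If predefined ISTIO_AGENT_FLAGS is null, make it an empty string.
ISTIO_AGENT_FLAGS=${ISTIO_AGENT_FLAGS:-}
# Split ISTIO_AGENT_FLAGS by spaces (no quoting rules: a flag value cannot contain a space).
IFS=' ' read -r -a ISTIO_AGENT_FLAGS_ARRAY <<< "$ISTIO_AGENT_FLAGS"

DEFAULT_PROXY_CONFIG="
serviceCluster: $SVC
controlPlaneAuthPolicy: ${CONTROL_PLANE_AUTH_POLICY}
"
if [ -n "${CUSTOM_PILOT_ADDRESS}" ]; then
  # NOTE(review): when PROXY_CONFIG is unset, this yields a config holding only
  # discoveryAddress — serviceCluster/controlPlaneAuthPolicy from
  # DEFAULT_PROXY_CONFIG are not merged in. Confirm that is intended.
  PROXY_CONFIG="$PROXY_CONFIG
discoveryAddress: ${CUSTOM_PILOT_ADDRESS}
"
fi

# PROXY_CONFIG > PILOT_ADDRESS > ISTIO_PILOT_PORT
export PROXY_CONFIG=${PROXY_CONFIG:-${DEFAULT_PROXY_CONFIG}}

# $USER is not set by every launcher (e.g. some service managers); fall back to
# id(1) only in that case so an already-unprivileged start is not routed via sudo.
CURRENT_USER=${USER:-$(id -un)}
if [ "${EXEC_USER}" == "${CURRENT_USER}" ] ; then
  # if started as istio-proxy (or current user), do a normal start, without
  # redirecting stderr.
  INSTANCE_IP=${ISTIO_SVC_IP} POD_NAME=${POD_NAME} POD_NAMESPACE=${NS} "${ISTIO_BIN_BASE}/pilot-agent" proxy "${ISTIO_AGENT_FLAGS_ARRAY[@]}"
else
  # Switch to EXEC_USER and run pilot-agent with stdout/stderr appended to
  # ${ISTIO_LOG_DIR}/istio.log and istio.err.log. The redirections happen inside
  # the child shell so the log files are created by EXEC_USER, not by root.
  # Every value spliced into the `bash -c` string is shell-quoted with printf %q:
  # config values, hostnames and agent flags are then passed through verbatim
  # instead of being re-parsed (word-split, globbed or executed) by the child shell.
  AGENT_CMD=$(printf '%q ' "${ISTIO_BIN_BASE}/pilot-agent" proxy "${ISTIO_AGENT_FLAGS_ARRAY[@]}")
  exec sudo -E -u "${EXEC_USER}" -s /bin/bash -c "INSTANCE_IP=$(printf '%q' "${ISTIO_SVC_IP}") POD_NAME=$(printf '%q' "${POD_NAME}") POD_NAMESPACE=$(printf '%q' "${NS}") exec ${AGENT_CMD} 2>> $(printf '%q' "${ISTIO_LOG_DIR}/istio.err.log") >> $(printf '%q' "${ISTIO_LOG_DIR}/istio.log")"
fi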