Add istio make commands

Add istio makefile with targets to help install/uninstall istio using istoctl. The default is to install it in it's own namespace `istio-system` since this is more likely how it will be deployed in a real world scenario. The install is also using the `default` profile which installs an ingress controller into the istio namespace `istio-ingressgateway`. Any example port-forward commands need to point to this ingress service: ``` kubectl port-forward -n istio-system service/istio-ingressgateway 9080:80 ``` A temporary patch for the istio install and make targets to configure a hard coded kuadrant/authorino setup for dev/test purposes is also added. These are triggered using seperate make targets `istio-install-with-patch` and `post-deploy-hacks` and will be removed once the operator itself has taken over the responsibility of creating/configuring these resources.
Kuadrant · Jan 28, 2022 · e9ad6f7 · e9ad6f7
1 parent c2d4e96
commit e9ad6f7
Show file tree

Hide file tree

Showing 7 changed files with 99 additions and 1 deletion.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -64,6 +64,9 @@ jobs:
       - name: Run make install
         run: |
           make install
+      - name: Run make istio-install
+        run: |
+          make istio-install
       - name: Load test image
         run: |
           kind load docker-image ${{ env.TEST_IMG }} --name ${{ env.KIND_CLUSTER_NAME }}
@@ -73,6 +76,9 @@ jobs:
       - name: Wait for deployment
         run: |
           kubectl -n kuadrant-system wait --timeout=300s --for=condition=Available deployments --all
+      - name: Run make istio-install-with-patch
+        run: |
+          make istio-install-with-patch
       # Note: This doesn't run any actual tests yet!
       - name: Run make undeploy
         run: |

diff --git a/Makefile b/Makefile
@@ -176,6 +176,7 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	$(KUSTOMIZE) build config/deploy | kubectl apply -f -
+	${MAKE} post-deploy-hacks
 
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/deploy | kubectl delete -f -
@@ -190,10 +191,20 @@ uninstall-olm:
 
 deploy-olm: ## Deploy controller to the K8s cluster specified in ~/.kube/config using OLM catalog image.
 	$(KUSTOMIZE) build config/deploy/olm | kubectl apply -f -
+	${MAKE} post-deploy-hacks
 
 undeploy-olm: ## Undeploy controller from the K8s cluster specified in ~/.kube/config using OLM catalog image.
 	$(KUSTOMIZE) build config/deploy/olm | kubectl delete -f -
 
+#This target is temporary to aid dev/test of the operator. Eventually it will be the responsibility of the
+# operator itself to create/configure these things as part of the reconciliation of a kuadrant CR.
+post-deploy-hacks:
+	# Wait for deployment to complete
+	timeout 60s bash -c 'until kubectl -n kuadrant-system get deployments/kuadrant-operator-controller-manager; do sleep 10; done;'
+	kubectl -n kuadrant-system wait --timeout=300s --for=condition=Available deployments --all
+	kubectl apply -f config/dependencies/istio/default-gateway.yaml -n kuadrant-system
+	kubectl apply -f config/dependencies/authorino/authorino.yaml -n kuadrant-system
+
 CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
 controller-gen: ## Download controller-gen locally if necessary.
 	$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/[email protected])

diff --git a/config/dependencies/authorino/authorino.yaml b/config/dependencies/authorino/authorino.yaml
@@ -0,0 +1,14 @@
+apiVersion: operator.authorino.kuadrant.io/v1beta1
+kind: Authorino
+metadata:
+  name: authorino
+  namespace: kuadrant-system
+spec:
+  replicas: 1
+  clusterWide: false
+  listener:
+    tls:
+      enabled: false
+  oidcServer:
+    tls:
+      enabled: false
diff --git a/config/dependencies/istio/default-gateway.yaml b/config/dependencies/istio/default-gateway.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: kuadrant-gateway
+  namespace: kuadrant-system
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+    - "*"
diff --git a/config/dependencies/istio/patches/istio-externalProvider.yaml b/config/dependencies/istio/patches/istio-externalProvider.yaml
@@ -0,0 +1,9 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  meshConfig:
+    extensionProviders:
+      - name: "kuadrant-authorization"
+        envoyExtAuthzGrpc:
+          service: "authorino-authorino-authorization.kuadrant-system.svc.cluster.local"
+          port: 50051
diff --git a/make/istio.mk b/make/istio.mk
@@ -0,0 +1,42 @@
+
+##@ Istio
+
+## Targets to help install and configure istio
+
+ISTIO_PATCHES_DIR = config/dependencies/istio/patches
+ISTIO_NAMESPACE = istio-system
+ISTIO_INSTALL_OPTIONS ?= --set profile=default \
+	--set values.gateways.istio-ingressgateway.autoscaleEnabled=false \
+	--set values.pilot.autoscaleEnabled=false \
+	--set values.global.istioNamespace=$(ISTIO_NAMESPACE)
+
+# istioctl tool
+ISTIOCTL=$(shell pwd)/bin/istioctl
+ISTIOVERSION = 1.12.1
+$(ISTIOCTL):
+	mkdir -p $(PROJECT_PATH)/bin
+	$(eval TMP := $(shell mktemp -d))
+	cd $(TMP); curl -sSL https://istio.io/downloadIstio | ISTIO_VERSION=$(ISTIOVERSION) sh -
+	cp $(TMP)/istio-$(ISTIOVERSION)/bin/istioctl ${ISTIOCTL}
+	-rm -rf $(TMP)
+
+.PHONY: istioctl
+istioctl: $(ISTIOCTL) ## Download istioctl locally if necessary.
+
+.PHONY: istio-install
+istio-install: istioctl ## Install istio.
+	$(ISTIOCTL) install -y $(ISTIO_INSTALL_OPTIONS)
+
+#Note: This target is here temporarily to aid dev/test of the operator. Eventually it will be the responsibility of the
+# operator itself to configure istio as part of the reconciliation of a kuadrant CR.
+.PHONY: istio-install-with-patch
+istio-install-with-patch: istioctl ## Install istio with patch to add authorino auth extension.
+	$(ISTIOCTL) install -y $(ISTIO_INSTALL_OPTIONS) -f $(ISTIO_PATCHES_DIR)/istio-externalProvider.yaml
+
+.PHONY: istio-uninstall
+istio-uninstall: istioctl ## Uninstall istio.
+	$(ISTIOCTL) x uninstall -y --purge
+
+.PHONY: istio-verify-install
+istio-verify-install: istioctl ## Verify istio installation.
+	$(ISTIOCTL) verify-install -i $(ISTIO_NAMESPACE)
diff --git a/make/kind.mk b/make/kind.mk
@@ -19,9 +19,10 @@ kind-delete-cluster: ## Delete the "kuadrant-local" kind cluster.
 
 .PHONY: kind-create-kuadrant-cluster
 kind-create-kuadrant-cluster: export IMG := quay.io/kuadrant/kuadrant-operator:dev
-kind-create-kuadrant-cluster: kind-create-cluster ## Create a kind cluster with kuadrant deployed.
+kind-create-kuadrant-cluster: kind-create-cluster istio-install ## Create a kind cluster with kuadrant deployed.
 	$(MAKE) docker-build
 	$(KIND) load docker-image $(IMG) --name $(KIND_CLUSTER_NAME)
 	$(MAKE) install
 	$(MAKE) deploy
 	kubectl -n kuadrant-system wait --timeout=300s --for=condition=Available deployments --all
+	$(MAKE) istio-install-with-patch