From e9ad6f7584dfeaafc94f7d4a102d11eb1ff70aeb Mon Sep 17 00:00:00 2001 From: Michael Nairn Date: Wed, 26 Jan 2022 13:35:29 +0000 Subject: [PATCH] Add istio make commands Add istio makefile with targets to help install/uninstall istio using istioctl. The default is to install it in its own namespace `istio-system` since this is more likely how it will be deployed in a real world scenario. The install is also using the `default` profile which installs an ingress controller into the istio namespace `istio-ingressgateway`. Any example port-forward commands need to point to this ingress service: ``` kubectl port-forward -n istio-system service/istio-ingressgateway 9080:80 ``` A temporary patch for the istio install and make targets to configure a hard coded kuadrant/authorino setup for dev/test purposes is also added. These are triggered using separate make targets `istio-install-with-patch` and `post-deploy-hacks` and will be removed once the operator itself has taken over the responsibility of creating/configuring these resources. --- .github/workflows/test.yaml | 6 +++ Makefile | 11 +++++ config/dependencies/authorino/authorino.yaml | 14 +++++++ .../dependencies/istio/default-gateway.yaml | 15 +++++++ .../istio/patches/istio-externalProvider.yaml | 9 ++++ make/istio.mk | 42 +++++++++++++++++++ make/kind.mk | 3 +- 7 files changed, 99 insertions(+), 1 deletion(-) create mode 100644 config/dependencies/authorino/authorino.yaml create mode 100644 config/dependencies/istio/default-gateway.yaml create mode 100644 config/dependencies/istio/patches/istio-externalProvider.yaml create mode 100644 make/istio.mk diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index b92383f29..6175fa310 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml
@@ -64,6 +64,9 @@ jobs: - name: Run make install run: | make install + - name: Run make istio-install + run: | + make istio-install - name: Load test image run: | kind load docker-image ${{ env.TEST_IMG }} --name ${{ env.KIND_CLUSTER_NAME }} @@ -73,6 +76,9 @@ jobs: - name: Wait for deployment run: | kubectl -n kuadrant-system wait --timeout=300s --for=condition=Available deployments --all + - name: Run make istio-install-with-patch + run: | + make istio-install-with-patch # Note: This doesn't run any actual tests yet! - name: Run make undeploy run: | diff --git a/Makefile b/Makefile index df3d88835..6dbb530ea 100644 --- a/Makefile +++ b/Makefile @@ -176,6 +176,7 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} $(KUSTOMIZE) build config/deploy | kubectl apply -f - + ${MAKE} post-deploy-hacks undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. $(KUSTOMIZE) build config/deploy | kubectl delete -f - 
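Review bot: Every `deploy` now applies the dev/test Gateway and Authorino manifests unconditionally, because the added `${MAKE} post-deploy-hacks` line has no opt-out; the next Makefile hunk does the same for `deploy-olm`. Both targets act on whatever cluster the current kube context points at, and the manifests they pull in disable TLS on Authorino and open a wildcard HTTP listener. I would gate the call behind a new opt-in variable, for example `$(if $(filter 1,$(POST_DEPLOY_HACKS)),$(MAKE) post-deploy-hacks)` as the recipe line, and set that variable only in the kind and CI flows.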
@@ -190,10 +191,20 @@ uninstall-olm: deploy-olm: ## Deploy controller to the K8s cluster specified in ~/.kube/config using OLM catalog image. $(KUSTOMIZE) build config/deploy/olm | kubectl apply -f - + ${MAKE} post-deploy-hacks undeploy-olm: ## Undeploy controller from the K8s cluster specified in ~/.kube/config using OLM catalog image. $(KUSTOMIZE) build config/deploy/olm | kubectl delete -f - +#This target is temporary to aid dev/test of the operator. Eventually it will be the responsibility of the +# operator itself to create/configure these things as part of the reconciliation of a kuadrant CR. +post-deploy-hacks: + # Wait for deployment to complete + timeout 60s bash -c 'until kubectl -n kuadrant-system get deployments/kuadrant-operator-controller-manager; do sleep 10; done;' + kubectl -n kuadrant-system wait --timeout=300s --for=condition=Available deployments --all + kubectl apply -f config/dependencies/istio/default-gateway.yaml -n kuadrant-system + kubectl apply -f config/dependencies/authorino/authorino.yaml -n kuadrant-system + CONTROLLER_GEN = $(shell pwd)/bin/controller-gen controller-gen: ## Download controller-gen locally if necessary. $(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.7.0) diff --git a/config/dependencies/authorino/authorino.yaml b/config/dependencies/authorino/authorino.yaml new file mode 100644 index 000000000..49bf82e04 --- /dev/null +++ b/config/dependencies/authorino/authorino.yaml @@ -0,0 +1,14 @@ +apiVersion: operator.authorino.kuadrant.io/v1beta1 +kind: Authorino +metadata: + name: authorino + namespace: kuadrant-system +spec: + replicas: 1 + clusterWide: false + listener: + tls: + enabled: false + oidcServer: + tls: + enabled: false diff --git a/config/dependencies/istio/default-gateway.yaml b/config/dependencies/istio/default-gateway.yaml new file mode 100644 index 000000000..e0f4b04d9 --- /dev/null +++ b/config/dependencies/istio/default-gateway.yaml 
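Review bot: `post-deploy-hacks` is added without a `.PHONY` declaration, unlike the command targets in make/istio.mk and make/kind.mk in this patch. Unless it is declared elsewhere in the Makefile, outside the hunk, a file of that name in the repository root would make the target silently do nothing; add `.PHONY: post-deploy-hacks` above the rule. The `# Wait for deployment to complete` line appears to sit inside the recipe, where it is handed to the shell and echoed on every run; placing it above the rule header would make it a make comment.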
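Review bot: `listener.tls.enabled: false` and `oidcServer.tls.enabled: false` leave both Authorino listeners in plaintext, and nothing in the manifest itself marks this as a dev/test-only setting; that intent is stated only in the commit message and the Makefile comment. The ext-authz provider added in istio-externalProvider.yaml sends its check requests to this listener on port 50051. Those requests presumably carry the caller's credential headers, so unless mesh mTLS covers the hop they cross the cluster network unencrypted. I would add a header comment such as `# dev/test only: TLS is disabled on both listeners; enable it before any shared or production use`.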
@@ -0,0 +1,15 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: kuadrant-gateway
+ namespace: kuadrant-system
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
diff --git a/config/dependencies/istio/patches/istio-externalProvider.yaml b/config/dependencies/istio/patches/istio-externalProvider.yaml
new file mode 100644
index 000000000..63463af86
--- /dev/null
+++ b/config/dependencies/istio/patches/istio-externalProvider.yaml
@@ -0,0 +1,9 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ meshConfig:
+ extensionProviders:
+ - name: "kuadrant-authorization"
+ envoyExtAuthzGrpc:
+ service: "authorino-authorino-authorization.kuadrant-system.svc.cluster.local"
+ port: 50051
diff --git a/make/istio.mk b/make/istio.mk
new file mode 100644
index 000000000..b1e9260a3
--- /dev/null
+++ b/make/istio.mk
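Review bot: The `hosts: - "*"` entry on the port 80 `HTTP` server in default-gateway.yaml makes this Gateway claim every hostname, in plaintext, on the shared `istio: ingressgateway` workload. On a cluster that already has other Gateways this can collide with or shadow their listeners. That is acceptable for the local kind flow, but the manifest is applied by the general `deploy` targets. A top-of-file comment such as `# dev/test only: wildcard plaintext listener on the shared ingress gateway`, or a narrower host list, would keep it from being reused as-is.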
@@ -0,0 +1,42 @@
+
+##@ Istio
+
+## Targets to help install and configure istio
+
+ISTIO_PATCHES_DIR = config/dependencies/istio/patches
+ISTIO_NAMESPACE = istio-system
+ISTIO_INSTALL_OPTIONS ?= --set profile=default \
+ --set values.gateways.istio-ingressgateway.autoscaleEnabled=false \
+ --set values.pilot.autoscaleEnabled=false \
+ --set values.global.istioNamespace=$(ISTIO_NAMESPACE)
+
+# istioctl tool
+ISTIOCTL=$(shell pwd)/bin/istioctl
+ISTIOVERSION = 1.12.1
+$(ISTIOCTL):
+ mkdir -p $(PROJECT_PATH)/bin
+ $(eval TMP := $(shell mktemp -d))
+ cd $(TMP); curl -sSL https://istio.io/downloadIstio | ISTIO_VERSION=$(ISTIOVERSION) sh -
+ cp $(TMP)/istio-$(ISTIOVERSION)/bin/istioctl ${ISTIOCTL}
+ -rm -rf $(TMP)
+
+.PHONY: istioctl
+istioctl: $(ISTIOCTL) ## Download istioctl locally if necessary.
+
+.PHONY: istio-install
+istio-install: istioctl ## Install istio.
+ $(ISTIOCTL) install -y $(ISTIO_INSTALL_OPTIONS)
+
+#Note: This target is here temporarily to aid dev/test of the operator. Eventually it will be the responsibility of the
+# operator itself to configure istio as part of the reconciliation of a kuadrant CR.
+.PHONY: istio-install-with-patch
+istio-install-with-patch: istioctl ## Install istio with patch to add authorino auth extension.
+ $(ISTIOCTL) install -y $(ISTIO_INSTALL_OPTIONS) -f $(ISTIO_PATCHES_DIR)/istio-externalProvider.yaml
+
+.PHONY: istio-uninstall
+istio-uninstall: istioctl ## Uninstall istio.
+ $(ISTIOCTL) x uninstall -y --purge
+
+.PHONY: istio-verify-install
+istio-verify-install: istioctl ## Verify istio installation.
+ $(ISTIOCTL) verify-install -i $(ISTIO_NAMESPACE)
diff --git a/make/kind.mk b/make/kind.mk
index 885e61b2a..1cad3ec9f 100644
--- a/make/kind.mk
+++ b/make/kind.mk
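Review bot: The `$(ISTIOCTL)` rule in make/istio.mk pipes `https://istio.io/downloadIstio` straight into `sh`, so whatever that URL serves at build time runs on developer machines and in the CI job with no integrity check. Pinning `ISTIOVERSION` only constrains what the script is asked to fetch, not the script itself. `curl -sSL` without `-f` also hands an HTTP error page to the shell, `cd $(TMP);` carries on in the current directory if the `cd` fails, and the rule creates `$(PROJECT_PATH)/bin` but copies into `$(shell pwd)/bin`. I would fetch the release archive for the pinned version directly and verify it against a digest committed to the repository, as sketched below. The archive URL and digest are placeholders to fill in from the upstream release, and `sha256sum` would need a `shasum -a 256` fallback on macOS.

```make
ISTIOVERSION = 1.12.1
# Placeholders: set both from the upstream release page for ISTIOVERSION.
ISTIO_ARCHIVE_URL ?= REPLACE_WITH_RELEASE_ARCHIVE_URL
ISTIO_ARCHIVE_SHA256 ?= REPLACE_WITH_PINNED_SHA256
$(ISTIOCTL):
	mkdir -p $(dir $@)
	tmp="$$(mktemp -d)" && trap 'rm -rf "$$tmp"' EXIT && \
	  curl -fsSL -o "$$tmp/istio.tar.gz" "$(ISTIO_ARCHIVE_URL)" && \
	  echo "$(ISTIO_ARCHIVE_SHA256)  $$tmp/istio.tar.gz" | sha256sum -c - && \
	  tar -xzf "$$tmp/istio.tar.gz" -C "$$tmp" && \
	  cp "$$tmp/istio-$(ISTIOVERSION)/bin/istioctl" $@
# … unchanged: istioctl, istio-install and the other phony targets …
```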
@@ -19,9 +19,10 @@ kind-delete-cluster: ## Delete the "kuadrant-local" kind cluster. .PHONY: kind-create-kuadrant-cluster kind-create-kuadrant-cluster: export IMG := quay.io/kuadrant/kuadrant-operator:dev -kind-create-kuadrant-cluster: kind-create-cluster ## Create a kind cluster with kuadrant deployed. +kind-create-kuadrant-cluster: kind-create-cluster istio-install ## Create a kind cluster with kuadrant deployed. $(MAKE) docker-build $(KIND) load docker-image $(IMG) --name $(KIND_CLUSTER_NAME) $(MAKE) install $(MAKE) deploy kubectl -n kuadrant-system wait --timeout=300s --for=condition=Available deployments --all + $(MAKE) istio-install-with-patch
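Review bot: Listing `istio-install` as a prerequisite next to `kind-create-cluster` gives make no ordering between the two. Under `make -j`, istioctl can run before the kind cluster exists and install into whichever cluster the current kube context already points at. Keep `kind-create-cluster` as the only prerequisite and run the install from the recipe, with `$(MAKE) istio-install` as the first recipe line, so that it always follows cluster creation.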