Merge pull request cloudnativedaysjp#390 from Himalayan-wildcat/featu…

…re/update-istio-ambient

Istio ambientチャプター更新

README.md

@@ -18,7 +18,7 @@
 - [chapter_istio](./chapter_istio/)
 - [chapter_cilium](./chapter_cilium/)
 - [chapter_argo-rollouts](./chapter_argo-rollouts/)
-- [chapter_istio-ambientmesh](./chapter_istio-ambientmesh/)
+- [chapter_istio-ambient-mode](./chapter_istio-ambient-mode/)
 - [chapter_hubble](./chapter_hubble/)
 - [chapter_loki](./chapter_loki/)
 - [chapter_tempo](./chapter_tempo/)
@@ -41,7 +41,7 @@ flowchart TD
     istio[chapter_istio]
     cilium[chapter_cilium]
     argorollouts[chapter_argo-rollouts]
-    istioambient[chapter_istio-ambientmesh]
+    istioambient[chapter_istio-ambient-mode]
     hubble[chapter_hubble]
     loki[chapter_loki]
     tempo[chapter_tempo]

chapter_istio-ambientmesh/app/curl-allow.yaml → chapter_istio-ambient-mode/app/curl-allow.yaml

@@ -9,8 +9,6 @@ apiVersion: v1
 kind: Pod
 metadata:
   labels:
-    app: curl-allow
-    version: v1
     content: layer4-authz
     prometheus-monitor-ignore: ""
   name: curl-allow

chapter_istio-ambientmesh/app/curl-deny.yaml → chapter_istio-ambient-mode/app/curl-deny.yaml

@@ -9,8 +9,6 @@ apiVersion: v1
 kind: Pod
 metadata:
   labels:
-    app: curl-deny
-    version: v1
     content: layer4-authz
     prometheus-monitor-ignore: ""
   name: curl-deny

chapter_istio-ambientmesh/app/curl.yaml → chapter_istio-ambient-mode/app/curl.yaml

@@ -3,14 +3,14 @@ apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: false
 metadata:
+  labels:
+    content: layer7-authz
   name: curl
 ---
 apiVersion: v1
 kind: Pod
 metadata:
   labels:
-    app: curl
-    version: v1
     content: layer7-authz
     prometheus-monitor-ignore: ""
   name: curl

chapter_istio-ambientmesh/helm/helmfile.yaml → chapter_istio-ambient-mode/helm/helmfile.yaml

@@ -11,9 +11,10 @@ releases:
   chart: istio-official/base
   version: 1.23.2
 - name: istiod
-  namespace: istio-system
   chart: istio-official/istiod
   version: 1.23.2
+  namespace: istio-system
+  createNamespace: true
   wait: true
   values:
   - values/istiod.values.yaml

chapter_istio-ambientmesh/helm/values/istio-cni.values.yaml → chapter_istio-ambient-mode/helm/values/istio-cni.values.yaml

@@ -2,16 +2,12 @@ global:
   imagePullPolicy: IfNotPresent
   logAsJson: true
 cni:
-  logLevel: info
   resources:
     requests:
       cpu: 200m
       memory: 256Mi
     limits:
       cpu: 200m
     memory: 256Mi
-  privileged: true
   ambient:
     enabled: true
-  excludeNamespaces:
-  - kube-system

chapter_istio-ambientmesh/helm/values/istiod.values.yaml → chapter_istio-ambient-mode/helm/values/istiod.values.yaml

@@ -19,15 +19,9 @@ pilot:
       cpu: 100m
       memory: 128Mi
   env:
-    VERIFY_CERTIFICATE_AT_CLIENT: "true"
-    ENABLE_AUTO_SNI: "true"
-    PILOT_ENABLE_HBONE: "true"
-    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
-    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
+    # cf.) https://istio.io/latest/docs/reference/commands/pilot-discovery/#envvars
+    PILOT_ENABLE_AMBIENT: "true"
 meshConfig:
-  defaultConfig:
-    proxyMetadata:
-      ISTIO_META_ENABLE_HBONE: "true"
   defaultProviders:
     metrics:
     - prometheus

chapter_istio-ambientmesh/helm/values/kiali.values.yaml → chapter_istio-ambient-mode/helm/values/kiali.values.yaml

@@ -29,5 +29,12 @@ external_services:
   tracing:
     enabled: false
 server:
-  port: 28080
-  metrics_enabled: false
+  node_port: 32766
+  observability:
+    metrics:
+      enabled: false
+# 新しいsigning_keyが毎apply/syncで作成されてしまうことが原因で、
+# kialiのhelm versionが毎回更新される(pod)が毎回再作成されることを
+# 回避するために、ダミー用のsigning_keyを指定する。
+login_token:
+  signing_key: "dummy key"

chapter_istio-ambientmesh/helm/values/prometheus-stack.values.yaml → chapter_istio-ambient-mode/helm/values/prometheus-stack.values.yaml

@@ -14,6 +14,7 @@ prometheusOperator:
       memory: 256Mi
 prometheus:
   prometheusSpec:
+    logFormat: json
     resources:
       requests:
         cpu: 250m

chapter_istio-ambientmesh/helm/values/ztunnel.values.yaml → chapter_istio-ambient-mode/helm/values/ztunnel.values.yaml

@@ -11,4 +11,6 @@ resources:
   limits:
     cpu: 100m
     memory: 84Mi
+env:
+  LOG_FORMAT: json
 imagePullPolicy: IfNotPresent

chapter_istio-ambient-mode/kind/config.yaml

@@ -0,0 +1,13 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+name: istio-ambient
+nodes:
+- role: control-plane
+  image: kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865
+  extraPortMappings:
+  - containerPort: 32766
+    hostPort: 28080
+    listenAddress: "0.0.0.0"
+    protocol: TCP
+- role: worker
+  image: kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865

chapter_istio-ambientmesh/networking/L7-authorization-policy.yaml → chapter_istio-ambient-mode/networking/L7-authorization-policy.yaml

@@ -6,9 +6,10 @@ metadata:
   labels:
     content: layer7-authz
 spec:
-  selector:
-    matchLabels:
-     istio.io/gateway-name: handson
+  targetRefs:
+  - kind: Service
+    group: ""
+    name: handson
   action: DENY
   rules:
   - from:

chapter_istio-ambientmesh/networking/k8s-gateway.yaml → chapter_istio-ambient-mode/networking/k8s-gateway.yaml

@@ -1,11 +1,11 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
+---
+apiVersion: gateway.networking.k8s.io/v1
 kind: Gateway
 metadata:
-  annotations:
-    istio.io/for-service-account: handson-blue
   labels:
+    istio.io/waypoint-for: service
     app.kubernetes.io/component: waypoint-proxy
-  name: handson
+  name: waypoint
 spec:
   gatewayClassName: istio-waypoint
   listeners: