diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index bd2121c060..d67d4105a9 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -6,7 +6,6 @@ ARG USER_GID=$USER_UID ARG HELM_VERSION=3.3.1 ARG KUBECTL_VERSION=1.22.4 -ARG ISTIOCTL_VERSION=1.8.1 RUN : INSTALL APT REQUIREMENTS \ && export DEBIAN_FRONTEND=noninteractive \ @@ -33,11 +32,6 @@ RUN : INSTALL HELM BINARY \ && chmod +x ./kubectl \ && mv ./kubectl /usr/local/bin/kubectl \ && kubectl version --client \ - && : INSTALL ISTIOCTl BINARY \ - && curl -fsSLO https://github.com/istio/istio/releases/download/${ISTIOCTL_VERSION}/istioctl-${ISTIOCTL_VERSION}-linux-amd64.tar.gz \ - && tar -xzof istioctl-${ISTIOCTL_VERSION}-linux-amd64.tar.gz -C /usr/local/bin istioctl \ - && rm istioctl-${ISTIOCTL_VERSION}-linux-amd64.tar.gz \ - && chmod +x /usr/local/bin/istioctl RUN : INSTALL GEM REQUIREMENTS \ && gem install \ diff --git a/Dockerfile b/Dockerfile index af8ab3e56f..d9a7272aea 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,7 +6,6 @@ ARG USER_GID=$USER_UID ARG HELM_VERSION=3.3.1 ARG KUBECTL_VERSION=1.22.4 -ARG ISTIOCTL_VERSION=1.8.1 ENV EPICLI_DOCKER_SHARED_DIR=/shared @@ -27,11 +26,6 @@ RUN : INSTALL APT REQUIREMENTS \ && chmod +x ./kubectl \ && mv ./kubectl /usr/local/bin/kubectl \ && kubectl version --client \ - && : INSTALL ISTIOCTL BINARY \ - && curl -fsSLO https://github.com/istio/istio/releases/download/${ISTIOCTL_VERSION}/istioctl-${ISTIOCTL_VERSION}-linux-amd64.tar.gz \ - && tar -xzof istioctl-${ISTIOCTL_VERSION}-linux-amd64.tar.gz -C /usr/local/bin istioctl \ - && rm istioctl-${ISTIOCTL_VERSION}-linux-amd64.tar.gz \ - && chmod +x /usr/local/bin/istioctl \ \ && : INSTALL GEM REQUIREMENTS \ && gem install \ diff --git a/ansible/playbooks/roles/applications/tasks/applications/istio/deploy-istio-operator.yml b/ansible/playbooks/roles/applications/tasks/applications/istio/deploy-istio-operator.yml deleted file mode 100644 index 05d513a5a5..0000000000 
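Review bot: In the second .devcontainer/Dockerfile hunk the deletion leaves `&& kubectl version --client \` as the last line of the `RUN : INSTALL HELM BINARY` instruction, with a trailing line continuation but nothing of its own left to continue into, while the next non-empty line is the separate `RUN : INSTALL GEM REQUIREMENTS \` instruction. Docker's parser skips an empty continuation line (with an "Empty continuation line" warning) and joins the following physical line, so the gem RUN would be appended as extra arguments to `kubectl version --client` instead of starting a new instruction, and the devcontainer build would fail or silently misbehave. The last kept line should drop its backslash: `&& kubectl version --client`. The top-level Dockerfile hunk is not affected because there the removed lines were followed by a bare `\` continuation and `&& : INSTALL GEM REQUIREMENTS \` inside the same RUN. The RUN instruction starts above the hunk.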
--- a/ansible/playbooks/roles/applications/tasks/applications/istio/deploy-istio-operator.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- - -- name: Decide if internal docker registry will be used - set_fact: - use_epiphany_image_registry: >- - {{ (not _k8s_as_cloud_service) and _use_local_image_registry }} - vars: - # Be extra paranoid - _k8s_as_cloud_service: >- - {{ k8s_as_cloud_service | bool }} - # Enable by default - _use_local_image_registry: >- - {{ (data.use_local_image_registry is undefined) or (data.use_local_image_registry | bool) }} - -- name: Init istio operator - command: istioctl operator init {{ _init_args | join(' ') }} - vars: - _common_args: - - --istioNamespace={{ data.namespaces.istio }} - - --operatorNamespace={{ data.namespaces.operator }} - - --watchedNamespaces={{ data.namespaces.watched | join(',') }} - _hub_arg: --hub={{ image_registry_address }}/istio - _init_args: >- - {{ _common_args + [ _hub_arg ] if (use_epiphany_image_registry) else - _common_args }} diff --git a/ansible/playbooks/roles/applications/tasks/applications/istio/main.yml b/ansible/playbooks/roles/applications/tasks/applications/istio/main.yml deleted file mode 100644 index 14ae5f6a0a..0000000000 --- a/ansible/playbooks/roles/applications/tasks/applications/istio/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -- name: Deploy Istio operator - include_tasks: deploy-istio-operator.yml - -- name: Deploy Istio - include_tasks: deploy-k8s-app.yml - vars: - app_dir_name: "{{ data.name }}" diff --git a/ansible/playbooks/roles/applications/templates/istio/00-namespace.yml.j2 b/ansible/playbooks/roles/applications/templates/istio/00-namespace.yml.j2 deleted file mode 100644 index fe8220374a..0000000000 --- a/ansible/playbooks/roles/applications/templates/istio/00-namespace.yml.j2 +++ /dev/null 
@@ -1,14 +0,0 @@ -{% for namespace in data.namespaces.watched %} ---- -apiVersion: v1 -kind: Namespace -metadata: - name: {{ namespace }} -{% endfor %} -{% if data.namespaces.istio not in data.namespaces.watched %} ---- -apiVersion: v1 -kind: Namespace -metadata: - name: {{ data.namespaces.istio }} -{% endif %} diff --git a/ansible/playbooks/roles/applications/templates/istio/01-profile.yml.j2 b/ansible/playbooks/roles/applications/templates/istio/01-profile.yml.j2 deleted file mode 100644 index 76e5728253..0000000000 --- a/ansible/playbooks/roles/applications/templates/istio/01-profile.yml.j2 +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - namespace: {{ data.namespaces.watched[0] }} - name: {{ data.istio_spec.name }} -spec: - profile: {{ data.istio_spec.profile }} -{% if use_epiphany_image_registry %} - hub: {{ image_registry_address }}/istio -{% endif %} - values: - global: - istioNamespace: {{ data.namespaces.istio }} diff --git a/ansible/playbooks/roles/preflight/defaults/main.yml b/ansible/playbooks/roles/preflight/defaults/main.yml index d29247746b..542c8c6b52 100644 --- a/ansible/playbooks/roles/preflight/defaults/main.yml +++ b/ansible/playbooks/roles/preflight/defaults/main.yml @@ -17,7 +17,6 @@ supported_oses: unsupported_apps: x86_64: [] aarch64: - - istio - pgbouncer - pgpool diff --git a/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.x86_64.txt b/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.x86_64.txt index 8dc6f611fb..ce108d73d7 100644 --- a/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.x86_64.txt +++ b/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.x86_64.txt 
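Review bot: Removing `istio` from `unsupported_apps.aarch64` while `x86_64: []` stays empty means a configuration carried over from an earlier release that still contains an `istio` application with `enabled: true` is no longer rejected by preflight on any architecture; it presumably only fails later, when the applications role tries to include the `istio/main.yml` task file this commit deletes, and the validation schema in this commit drops the `istio`/`istio_spec` properties at the same time. Since the component is removed rather than merely unsupported, the check should fail early with a clear message, e.g. add `- istio` under both `x86_64:` and `aarch64:` (or a separate `removed_apps` list that preflight rejects unconditionally) with a comment such as `# istio support was removed; reject stale application entries`. The `unsupported_apps` mapping starts above the hunk. Note also that clusters which already have the Istio operator deployed are left in place with no cleanup task or upgrade guidance, which is worth stating in the changelog.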
@@ -211,10 +211,6 @@ vault:1.7.0 epiphanyplatform/ignite:2.9.1 bitnami/pgpool:4.2.4 bitnami/pgbouncer:1.16.0 -# istio -istio/pilot:1.8.1 -istio/proxyv2:1.8.1 -istio/operator:1.8.1 epiphanyplatform/keycloak:14.0.0 rabbitmq:3.8.9 # K8s diff --git a/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.x86_64.txt b/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.x86_64.txt index 79ab22372d..340cea5b82 100644 --- a/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.x86_64.txt +++ b/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.x86_64.txt @@ -209,10 +209,6 @@ vault:1.7.0 epiphanyplatform/ignite:2.9.1 bitnami/pgpool:4.2.4 bitnami/pgbouncer:1.16.0 -# istio -istio/pilot:1.8.1 -istio/proxyv2:1.8.1 -istio/operator:1.8.1 epiphanyplatform/keycloak:14.0.0 rabbitmq:3.8.9 # K8s diff --git a/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-20.04/requirements.x86_64.txt b/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-20.04/requirements.x86_64.txt index 37a928db2f..c038f48d74 100644 --- a/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-20.04/requirements.x86_64.txt +++ b/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-20.04/requirements.x86_64.txt @@ -246,10 +246,7 @@ vault:1.7.0 epiphanyplatform/ignite:2.9.1 bitnami/pgpool:4.2.4 bitnami/pgbouncer:1.16.0 -# istio -istio/pilot:1.8.1 -istio/proxyv2:1.8.1 -istio/operator:1.8.1 + epiphanyplatform/keycloak:14.0.0 rabbitmq:3.8.9 # K8s diff --git a/docs/home/ARM.md b/docs/home/ARM.md index 2510fdd533..2e50d80441 100644 --- a/docs/home/ARM.md +++ b/docs/home/ARM.md @@ -48,7 +48,6 @@ Besides making sure that the selected providers, operating systems, components a | auth-service | :heavy_check_mark: | | pgpool | :x: | | pgbouncer | :x: | -| istio | :x: | ***Notes*** 
diff --git a/docs/home/COMPONENTS.md b/docs/home/COMPONENTS.md index b415c60cac..55a5268a99 100644 --- a/docs/home/COMPONENTS.md +++ b/docs/home/COMPONENTS.md @@ -42,7 +42,6 @@ Note that versions are default versions and can be changed in certain cases thro | Apache2 | 2.4.29 | https://httpd.apache.org/ | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) | | Hashicorp Vault | 1.7.0 | https://github.com/hashicorp/vault | [Mozilla Public License 2.0](https://github.com/hashicorp/vault/blob/master/LICENSE) | | Hashicorp Vault Helm Chart | 0.11.0 | https://github.com/hashicorp/vault-helm | [Mozilla Public License 2.0](https://github.com/hashicorp/vault-helm/blob/master/LICENSE.md) | -| Istio | 1.8.1 | https://github.com/istio/istio | [Apache License 2.0](https://github.com/istio/istio/blob/master/LICENSE) | ## Epicli binary dependencies diff --git a/docs/home/SECURITY.md b/docs/home/SECURITY.md index 2b466a0514..3c65ec69c2 100644 --- a/docs/home/SECURITY.md +++ b/docs/home/SECURITY.md @@ -153,7 +153,7 @@ different values. The list does not include ports that are bound to the loopback ### Connection protocols and ciphers used by components in Epiphany Below you can find list of cipersuites and protocols used for communication set in Epiphany on per component basis. This -doesn't contain information about potentially deprecated components: Apache Ignite, Istio, Hashicorp Vault. +doesn't contain information about potentially deprecated components: Apache Ignite, Hashicorp Vault. 1. OS services: diff --git a/docs/home/howto/ISTIO.md b/docs/home/howto/ISTIO.md deleted file mode 100644 index d5ba0a5c52..0000000000 --- a/docs/home/howto/ISTIO.md +++ /dev/null 
@@ -1,115 +0,0 @@ -## Istio - -Open source platform which allows you to run service mesh for distributed microservice architecture. It allows to connect, manage and run secure connections between microservices and brings lots of features such as load balancing, monitoring and service-to-service authentication without any changes in service code. Read more about Istio [here](https://istio.io/latest/docs/concepts/what-is-istio/). - -### Installing Istio - -Istio in Epiphany is provided as K8s application. By default, it is not installed. To deploy it you need to add "configuration/applications" document to your configuration yaml file, similar to the example below (`enabled` flag must be set as `true`): - -Istio is installed using Istio Operator. Operator is a software extension to the Kubernetes API which has a deep knowledge how Istio deployments should look like and how to react if any problem appears. It is also very easy to make upgrades and automate tasks that would normally be executed by user/admin. - -```yaml ---- -kind: configuration/applications -version: 0.8.0 -title: "Kubernetes Applications Config" -provider: aws -name: default -specification: - applications: - ... - -## --- istio --- - - - name: istio - enabled: true - use_local_image_registry: true - namespaces: - operator: istio-operator # namespace where operator will be deployed - watched: # list of namespaces which operator will watch - - istio-system - istio: istio-system # namespace where Istio control plane will be deployed - istio_spec: - profile: default # Check all possibilites https://istio.io/latest/docs/setup/additional-setup/config-profiles/ - name: istiocontrolplane - -``` - -Using this configuration file, controller will detect Istio Operator resource in first of watched namespaces and will install Istio components corresponding to the specified profile (default). Using the default profile, Istio control plane and Istio ingress gateway will be deployed in istio-system namespace. 
- -### How to set up service mesh for an application - -The default Istio installation uses automcatic sidecar injection. You need to label the namespace where application will be hosted: - -```bash -kubectl label namespace default istio-injection=enabled -``` - -Once the proper namespaces are labeled and Istio is deployed, you can deploy your applications or restart existing ones. - -You may need to make an application accessible from outside of your Kubernetes cluster. An Istio Gateway which was deployed using default profile is used for this purpose. Define the ingress gateway deploying gateway and virtual service specification. The gateway specification describes the L4-L6 properties of a load balancer and the virtual service specification describes the L7 properties of a load balancer. - -Example of the gateway and virtual service specification (You have to adapt the entire specification to the application): - -[Gateway](https://istio.io/latest/docs/reference/config/networking/gateway/): - -```yaml -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: httpbin-gateway -spec: - selector: - istio: ingressgateway # use Istio default gateway implementation - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "httpbin.example.com" -``` - -[Virtual Service](https://istio.io/latest/docs/reference/config/networking/virtual-service/): - -```yaml -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: httpbin -spec: - hosts: - - "httpbin.example.com" - gateways: - - httpbin-gateway - http: - - match: - - uri: - prefix: /status - - uri: - prefix: /delay - route: - - destination: - port: - number: 8000 - host: httpbin -``` - -:warning: Pay attention to the network policies in your cluster if a CNI plugin is used that supports them (such as Calico or Canal). 
In this case, you should set up secure network policies for inter-microservice communication and communication between Envoy proxy and Istio control plane in your application's namespace. You can also just apply the following `NetworkPolicy`: - -```yaml -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - namespace: - name: allow-istio-communication -spec: - podSelector: {} - egress: - - {} - ingress: - - {} - policyTypes: - - Egress - - Ingress -``` diff --git a/docs/home/howto/KUBERNETES.md b/docs/home/howto/KUBERNETES.md index b7e002736f..bd0b1543b8 100644 --- a/docs/home/howto/KUBERNETES.md +++ b/docs/home/howto/KUBERNETES.md @@ -38,7 +38,6 @@ Currently, Epiphany provides the following predefined applications which may be - auth-service (Keycloak) - pgpool - pgbouncer -- istio All of them have [default configuration](https://github.com/epiphany-platform/epiphany/blob/develop/schema/common/defaults/configuration/applications.yml). diff --git a/docs/home/howto/UPGRADE.md b/docs/home/howto/UPGRADE.md index 171c88ee7c..2c1e212e29 100644 --- a/docs/home/howto/UPGRADE.md +++ b/docs/home/howto/UPGRADE.md 
@@ -331,39 +331,6 @@ Before K8s version upgrade make sure that deprecated API versions are not used: - [v1.21](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md) - [v1.22](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.22.md) -### Upgrade - ---- -**NOTE** - -If the K8s cluster that is going to be upgraded has the Istio control plane application deployed, issues can occur. The -default [profiles](https://istio.io/latest/docs/setup/additional-setup/config-profiles/) we currently support for -installing Istio only deploy a single replica for the control services with a `PodDisruptionBudgets` value of 0. This -will result in the following error while draining pods during an upgrade: - -```shell -Cannot evict pod as it would violate the pods disruption budget. -``` - -As we currently don't support any kind of advanced configuration of the Istio control plane components outside the -default profiles, we need to scale up all components manually before the upgrade. This can be done with the following -command: - -```shell -kubectl scale deploy -n istio-system --replicas=2 --all -``` - -After the upgrade, the deployments can be scaled down to the original capacity: - -```shell -kubectl scale deploy -n istio-system --replicas=1 --all -``` - -**Note: The ```istio-system``` namespace value is the default value and should be set to whatever is being used in the -Istio application configuration.** - ---- - ## PostgreSQL upgrade --- diff --git a/schema/common/defaults/configuration/applications.yml b/schema/common/defaults/configuration/applications.yml index dc9952263d..6bc40919fe 100644 --- a/schema/common/defaults/configuration/applications.yml +++ b/schema/common/defaults/configuration/applications.yml 
@@ -167,17 +167,3 @@ specification: RESERVE_POOL_SIZE: 25 POOL_MODE: session CLIENT_IDLE_TIMEOUT: 0 - -## --- istio --- - - - name: istio - enabled: false - use_local_image_registry: true - namespaces: - operator: istio-operator # namespace where operator will be deployed - watched: # list of namespaces which operator will watch - - istio-system - istio: istio-system # namespace where istio control plane will be deployed - istio_spec: - profile: default # Check all possibilities https://istio.io/latest/docs/setup/additional-setup/config-profiles/ - name: istiocontrolplane diff --git a/schema/common/defaults/configuration/image-registry.yml b/schema/common/defaults/configuration/image-registry.yml index 549a9fd518..c70e92d47d 100644 --- a/schema/common/defaults/configuration/image-registry.yml +++ b/schema/common/defaults/configuration/image-registry.yml @@ -23,12 +23,6 @@ specification: file_name: vault-1.7.0.tar - name: "hashicorp/vault-k8s:0.10.0" file_name: vault-k8s-0.10.0.tar - - name: "istio/proxyv2:1.8.1" - file_name: proxyv2-1.8.1.tar - - name: "istio/pilot:1.8.1" - file_name: pilot-1.8.1.tar - - name: "istio/operator:1.8.1" - file_name: operator-1.8.1.tar # postgres - name: bitnami/pgpool:4.2.4 file_name: pgpool-4.2.4.tar diff --git a/schema/common/validation/configuration/applications.yml b/schema/common/validation/configuration/applications.yml index 958a8399f1..4867cad707 100644 --- a/schema/common/validation/configuration/applications.yml +++ b/schema/common/validation/configuration/applications.yml @@ -324,12 +324,3 @@ properties: type: array items: - type: string - istio: - type: string - istio_spec: - type: object - properties: - profile: - type: string - name: - type: string