diff --git a/istio-ambient/README.md b/istio-ambient/README.md
new file mode 100644
index 0000000..e4ac749
--- /dev/null
+++ b/istio-ambient/README.md
@@ -0,0 +1,39 @@
+# Istio-Ambient Stack
+
+This stack contains installation of Istio Ambient as well as supporting observability tooling so traffic, metrics, and traces can be observed
+
+Istio Ambient Mesh Docs: https://istio.io/latest/docs/ambient/overview/
+
+
+
+## Modules
+- istio-base
+ - installs istio ambient and no additional observability tooling
+- observability
+ - grafana - provides UI for tracing & prometheus metrics
+ - tempo - collects traces for grafana
+ - prometheus - required for kiali to display data
+ - opentelemetry - used to collect traces from istio and forward to tempo
+
+## Installation
+
+# Install base istio with no observability
+
+`idpbuilder create -p https://github.com/cnoe-io/stacks//isto-ambient/istio-base`
+
+Uses istio's helmcharts to create an example istio ConfigMap, however the istio argo Application is set to ignore differences for this ConfigMap object, allowing users to adjust configuration here if needed for testing
+
+# Install istio along with observability components
+
+`idpbuilder create -p https://github.com/cnoe-io/stacks//isto-ambient/istio-base -p https://github.com/cnoe-io/stacks//isto-ambient/observability`
+
+
+# Observability UIs
+
+Kiali: https://kiali.cnoe.localtest.me:8443/
+
+Grafana: https://grafana.cnoe.localtest.me:8443/
+
+Path based routing using idpbuilder's `--use-path-routing` flag is not required and has not been tested
+
+Path based routing and other traffic shaping can be setup using istio - gateway and application examples coming soon
\ No newline at end of file
diff --git a/istio-ambient/istio-base/istio.yaml b/istio-ambient/istio-base/istio.yaml
new file mode 100644
index 0000000..3be95a6
--- /dev/null
+++ b/istio-ambient/istio-base/istio.yaml
@@ -0,0 +1,68 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: 'istio-system'
+ namespace: argocd
+spec:
+ ignoreDifferences:
+ # Allow users to modify mesh config if needed for testing
+ - kind: ConfigMap
+ group: ""
+ name: istio
+ jsonPointers:
+ - /data
+ # Kind issue
+ - kind: ValidatingWebhookConfiguration
+ group: "admissionregistration.k8s.io"
+ jsonPointers:
+ - /webhooks
+ project: default
+ sources:
+ - repoURL: 'https://istio-release.storage.googleapis.com/charts'
+ targetRevision: 1.24.1
+ helm:
+ valuesObject:
+ profile: ambient
+ chart: cni
+ - repoURL: 'https://istio-release.storage.googleapis.com/charts'
+ targetRevision: 1.24.1
+ helm:
+ valuesObject:
+ profile: ambient
+ chart: base
+ - repoURL: 'https://istio-release.storage.googleapis.com/charts'
+ targetRevision: 1.24.1
+ chart: ztunnel
+ helm:
+ valuesObject:
+ profile: ambient
+ - repoURL: 'https://istio-release.storage.googleapis.com/charts'
+ targetRevision: 1.24.1
+ chart: istiod
+ helm:
+ valuesObject:
+ profile: ambient
+ meshConfig:
+ defaultProviders:
+ metrics:
+ - prometheus
+ enableTracing: true
+ extensionProviders:
+ - name: otel
+ opentelemetry:
+ port: 4317
+ service: otel-opentelemetry-collector.observability.svc.cluster.local
+ resource_detectors:
+ environment: {}
+ # Add Gateway API CRDs
+ - repoURL: 'https://github.com/kubernetes-sigs/gateway-api/'
+ targetRevision: v1.2.1
+ path: ./config/crd
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: istio-system
+ syncPolicy:
+ automated:
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/istio-ambient/observability/grafana.yaml b/istio-ambient/observability/grafana.yaml
new file mode 100644
index 0000000..e1acc07
--- /dev/null
+++ b/istio-ambient/observability/grafana.yaml
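Review bot: The second `ignoreDifferences` entry (`- kind: ValidatingWebhookConfiguration` with `- /webhooks`) sets no `name`, so Argo CD stops reporting drift on the whole `webhooks` array of every ValidatingWebhookConfiguration this Application owns, including `rules`, `failurePolicy` and `namespaceSelector`, which are what make Istio's config validation enforceable; the `# Kind issue` comment does not say which diff it works around. If the drift is only the `clientConfig.caBundle` that istiod injects into its validating webhook at runtime, narrow the pointer to that field, e.g. `jsonPointers: - /webhooks/0/clientConfig/caBundle`, and expand the comment to name the symptom seen on kind so the exception can be retired later. Separately, `syncPolicy.automated` here enables `prune` but not `selfHeal`, unlike the sibling observability Applications, so manual edits to the control-plane resources persist until the next sync; a one-line comment stating whether that is deliberate would help.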
@@ -0,0 +1,71 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: grafana
+ namespace: argocd
+spec:
+ destination:
+ namespace: observability
+ server: "https://kubernetes.default.svc"
+ sources:
+ - repoURL: 'https://grafana.github.io/helm-charts'
+ targetRevision: 1.10.3
+ helm:
+ values: |
+ fullnameOverride: tempo
+ service:
+ type: ClusterIP
+ chart: tempo
+ - repoURL: 'https://grafana.github.io/helm-charts'
+ targetRevision: 8.5.1
+ helm:
+ values: |
+ env:
+ GF_AUTH_ANONYMOUS_ENABLED: true
+ GF_AUTH_ANONYMOUS_ORG_ROLE: 'Admin'
+ GF_AUTH_DISABLE_LOGIN_FORM: true
+
+ datasources:
+ datasources.yaml:
+ apiVersion: 1
+
+ datasources:
+ - name: Tempo
+ type: tempo
+ access: proxy
+ orgId: 1
+ url: http://tempo:3100
+ basicAuth: false
+ isDefault: true
+ version: 1
+ editable: false
+ apiVersion: 1
+ uid: tempo
+ - name: Prometheus
+ type: prometheus
+ access: proxy
+ # Access mode - proxy (server in the UI) or direct (browser in the UI).
+ url: http://prometheus-server.observability.svc
+ jsonData:
+ httpMethod: POST
+ manageAlerts: true
+ prometheusType: Prometheus
+ prometheusVersion: 2.55.0
+ cacheLevel: 'High'
+ disableRecordingRules: false
+ incrementalQueryOverlapWindow: 10m
+ chart: grafana
+ - repoURL: cnoe://grafana
+ targetRevision: HEAD
+ # with path set to '.' and cnoe://manifests. we are wanting ArgoCD to sync from the ./manifests directory.
+ path: "."
+ project: default
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio.io/dataplane-mode: 'ambient'
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/istio-ambient/observability/grafana/ingress.yaml b/istio-ambient/observability/grafana/ingress.yaml
new file mode 100644
index 0000000..098244f
--- /dev/null
+++ b/istio-ambient/observability/grafana/ingress.yaml
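Review bot: The Grafana values `GF_AUTH_ANONYMOUS_ENABLED: true`, `GF_AUTH_ANONYMOUS_ORG_ROLE: 'Admin'` and `GF_AUTH_DISABLE_LOGIN_FORM: true` give every unauthenticated visitor of the `grafana.cnoe.localtest.me` Ingress (added in this same commit) full org-admin rights, so anyone who can reach that host can rewrite dashboards, alerting and API keys, not just view data; the datasources being `editable: false` does not cover the rest of the UI. For a local idpbuilder stack this may be intended, but state it in a comment above `env:`, and unless editing is needed `GF_AUTH_ANONYMOUS_ORG_ROLE: 'Viewer'` is enough for the dashboard and trace views that Kiali links to. Quote the boolean-looking env values (`GF_AUTH_ANONYMOUS_ENABLED: "true"`) so they reach the container as strings regardless of how the chart renders them. The comment above `path: "."` still talks about `cnoe://manifests` and `./manifests` while the source is `cnoe://grafana`; rewrite it as `# repoURL cnoe://grafana with path '.' syncs the package's local ./grafana directory`.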
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: grafana-ingress
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: grafana.cnoe.localtest.me
+ http:
+ paths:
+ - backend:
+ service:
+ name: grafana
+ port:
+ number: 80
+ path: /
+ pathType: Prefix
diff --git a/istio-ambient/observability/istio-kiali.yaml b/istio-ambient/observability/istio-kiali.yaml
new file mode 100644
index 0000000..6de603c
--- /dev/null
+++ b/istio-ambient/observability/istio-kiali.yaml
@@ -0,0 +1,40 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: 'istio-kiali'
+ namespace: argocd
+spec:
+ project: default
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: istio-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ sources:
+ - repoURL: cnoe://kiali
+ targetRevision: HEAD
+ path: "."
+ - repoURL: 'https://kiali.org/helm-charts'
+ targetRevision: v2.0.0
+ path: 'kiali/kiali-operator'
+ helm:
+ valuesObject:
+ cr:
+ create: 'true'
+ namespace: 'istio-system'
+ spec:
+ auth:
+ strategy: 'anonymous'
+ external_services:
+ prometheus:
+ url: "http://prometheus-server.observability.svc"
+ grafana:
+ enabled: true
+ internal_url: 'http://tempo-grafana.observability.svc'
+ # Public facing URL of Grafana
+ external_url: 'https://tracing.cnoe.localtest.me:8443/'
+ chart: kiali-operator
diff --git a/istio-ambient/observability/kiali/ingress.yaml b/istio-ambient/observability/kiali/ingress.yaml
new file mode 100644
index 0000000..ed42de9
--- /dev/null
+++ b/istio-ambient/observability/kiali/ingress.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: kiali-ingress
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: kiali.cnoe.localtest.me
+ http:
+ paths:
+ - backend:
+ service:
+ name: kiali
+ port:
+ number: 20001
+ path: /
+ pathType: Prefix
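Review bot: In the kiali-operator values, `external_url: 'https://tracing.cnoe.localtest.me:8443/'` does not match the Grafana host this package exposes (`grafana.cnoe.localtest.me` in grafana/ingress.yaml and the README), so the Grafana links Kiali renders point at a host nothing serves; change it to `external_url: 'https://grafana.cnoe.localtest.me:8443/'`. `internal_url: 'http://tempo-grafana.observability.svc'` looks inconsistent as well: the Grafana Ingress routes to a Service named `grafana`, and only the tempo chart is given `fullnameOverride: tempo`, so unless the Grafana Service really is named `tempo-grafana` this should be `internal_url: 'http://grafana.observability.svc'`. Note also that `strategy: 'anonymous'` hands every visitor of `kiali.cnoe.localtest.me` the permissions of Kiali's own service account, which by default include writing Istio configuration; if that is accepted for this demo stack, say so in a comment next to `auth:`.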
diff --git a/istio-ambient/observability/opentelemetry.yaml b/istio-ambient/observability/opentelemetry.yaml
new file mode 100644
index 0000000..7b9e31f
--- /dev/null
+++ b/istio-ambient/observability/opentelemetry.yaml
@@ -0,0 +1,62 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: otel
+ namespace: argocd
+spec:
+ destination:
+ namespace: observability
+ server: "https://kubernetes.default.svc"
+ sources:
+ - repoURL: 'https://open-telemetry.github.io/opentelemetry-helm-charts'
+ targetRevision: 0.73.0
+ helm:
+ valuesObject:
+ mode: deployment
+ config:
+ exporters:
+ logging:
+ loglevel: debug
+ otlp:
+ endpoint: tempo.observability.svc:4317
+ tls:
+ insecure: true
+ extensions:
+ # The health_check extension is mandatory for this chart.
+ # Without the health_check extension the collector will fail the readiness and liveliness probes.
+ # The health_check extension can be modified, but should never be removed.
+ health_check: {}
+ receivers:
+ otlp:
+ protocols:
+ grpc:
+ endpoint: ${env:MY_POD_IP}:4317
+ http:
+ endpoint: ${env:MY_POD_IP}:4318
+ service:
+ extensions:
+ - health_check
+ pipelines:
+ metrics:
+ receivers:
+ - otlp
+ logs:
+ receivers: [otlp]
+ exporters: [logging]
+ traces:
+ receivers:
+ - otlp
+ exporters:
+ - logging
+ - otlp
+ chart: opentelemetry-collector
+ project: default
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio.io/dataplane-mode: 'ambient'
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/istio-ambient/observability/prometheus.yaml b/istio-ambient/observability/prometheus.yaml
new file mode 100644
index 0000000..9ff84c6
--- /dev/null
+++ b/istio-ambient/observability/prometheus.yaml
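Review bot: The `logging` exporter is configured with `loglevel: debug` and wired into both the `logs` and `traces` pipelines, so every span and log record the collector receives from the mesh is printed in full (attributes, request metadata such as URLs and user agents) to the collector's stdout, where it is readable by anyone with pod-log access in `observability` and retained by whatever scrapes container logs; since the stack's purpose is forwarding traces to Tempo, the `otlp` exporter alone is enough for `traces`, so either drop `- logging` there or keep it behind a comment such as `# debug prints full span payloads to stdout; dev only`. On recent collector releases the `logging` exporter and its `loglevel` key are deprecated in favour of the `debug` exporter with `verbosity`, so check the collector version that chart 0.73.0 pins before relying on them. The `metrics` pipeline lists a receiver but no `exporters:`; the collector rejects a pipeline without an exporter unless the chart's default pipeline definition fills one in on merge, so either give it one explicitly or remove the stanza.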
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: prometheus
+ namespace: argocd
+spec:
+ destination:
+ namespace: observability
+ server: "https://kubernetes.default.svc"
+ sources:
+ - repoURL: 'https://prometheus-community.github.io/helm-charts'
+ targetRevision: 25.28.0
+ chart: prometheus
+ project: default
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
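Review bot: This Application installs the `prometheus` chart with no values at all, and the chart's defaults enable alertmanager, pushgateway, kube-state-metrics and a host-networked node-exporter DaemonSet alongside the server, none of which the README lists as needed (it calls Prometheus `required for kiali to display data`); that is extra cluster-read and host-level surface in a stack that only needs scraping, so consider disabling the unused subcharts under `helm.valuesObject` (e.g. `alertmanager: {enabled: false}` and `prometheus-pushgateway: {enabled: false}`), or add a comment explaining why the full set is wanted. Unlike grafana.yaml and opentelemetry.yaml this Application also omits `managedNamespaceMetadata` with the `istio.io/dataplane-mode: 'ambient'` label; the namespace is shared so the label still lands when the siblings are installed, but installing this one alone leaves Prometheus outside the mesh, which deserves a comment.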