From 9da013d949501c5e48ec20d965b193698d2e6d7e Mon Sep 17 00:00:00 2001 From: John Pease Date: Mon, 16 Dec 2024 10:57:56 -0500 Subject: [PATCH 1/5] feat: add istio-ambient stack adds istio ambient stack with additional observability component Signed-off-by: John Pease --- istio-ambient/README.md | 32 +++++++++ istio-ambient/istio-base/istio.yaml | 64 +++++++++++++++++ istio-ambient/observability/grafana.yaml | 71 +++++++++++++++++++ .../observability/grafana/ingress.yaml | 17 +++++ istio-ambient/observability/istio-kiali.yaml | 40 +++++++++++ .../observability/kiali/ingress.yaml | 17 +++++ .../observability/opentelemetry.yaml | 62 ++++++++++++++++ istio-ambient/observability/prometheus.yaml | 20 ++++++ 8 files changed, 323 insertions(+) create mode 100644 istio-ambient/README.md create mode 100644 istio-ambient/istio-base/istio.yaml create mode 100644 istio-ambient/observability/grafana.yaml create mode 100644 istio-ambient/observability/grafana/ingress.yaml create mode 100644 istio-ambient/observability/istio-kiali.yaml create mode 100644 istio-ambient/observability/kiali/ingress.yaml create mode 100644 istio-ambient/observability/opentelemetry.yaml create mode 100644 istio-ambient/observability/prometheus.yaml diff --git a/istio-ambient/README.md b/istio-ambient/README.md new file mode 100644 index 0000000..9643091 --- /dev/null +++ b/istio-ambient/README.md 
@@ -0,0 +1,32 @@
+# Istio-Ambient Stack
+
+This stack contains installation of Istio Ambient as well as supporting observability tooling so traffic, metrics, and traces can be observed
+
+
+## Modules
+- istio-base
+ - installs istio ambient and no additional observability tooling
+- observability
+ - grafana - provides UI for tracing & prometheus metrics
+ - tempo - collects traces for grafana
+ - prometheus - required for kiali to display data
+ - opentelemetry - used to collect traces from istio and forward to tempo
+
+## Installation
+
+# Install base istio with no observability
+
+`idpbuilder create -p https://github.com/cnoe-io/stacks//isto-ambient/istio-base`
+
+# Install istio along with observability components
+
+`idpbuilder create -p https://github.com/cnoe-io/stacks//isto-ambient/istio-base -p https://github.com/cnoe-io/stacks//isto-ambient/observability`
+
+
+# Observability UIs
+
+Kiali: https://kiali.cnoe.localtest.me:8443/
+
+Grafana: https://grafana.cnoe.localtest.me:8443/
+
+# Example Gateway and Application coming soon
\ No newline at end of file
diff --git a/istio-ambient/istio-base/istio.yaml b/istio-ambient/istio-base/istio.yaml
new file mode 100644
index 0000000..ee51734
--- /dev/null
+++ b/istio-ambient/istio-base/istio.yaml
@@ -0,0 +1,64 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: 'istio-system'
+ namespace: argocd
+spec:
+ project: default
+ sources:
+ - repoURL: 'https://istio-release.storage.googleapis.com/charts'
+ targetRevision: 1.24.1
+ helm:
+ parameters:
+ - name: 'profile'
+ value: 'ambient'
+ chart: cni
+ - repoURL: 'https://istio-release.storage.googleapis.com/charts'
+ targetRevision: 1.24.1
+ helm:
+ parameters:
+ - name: 'profile'
+ value: 'ambient'
+ chart: base
+ - repoURL: 'https://istio-release.storage.googleapis.com/charts'
+ targetRevision: 1.24.1
+ chart: ztunnel
+ helm:
+ parameters:
+ - name: 'profile'
+ value: 'ambient'
+ - repoURL: 'https://istio-release.storage.googleapis.com/charts'
+ targetRevision: 1.24.1
+ chart: istiod
+ helm:
+ parameters:
+ - name: 'profile'
+ value: 'ambient'
+ # Tracing Config
+ valuesObject:
+ meshConfig:
+ defaultProviders:
+ metrics:
+ - prometheus
+ enableTracing: true
+ extensionProviders:
+ - name: otel
+ opentelemetry:
+ port: 4317
+ service: otel-opentelemetry-collector.observability.svc.cluster.local
+ resource_detectors:
+ environment: {}
+ # Add Gateway API CRDs
+ - repoURL: 'https://github.com/kubernetes-sigs/gateway-api/'
+ targetRevision: v1.2.1
+ path: ./config/crd
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: istio-system
+ syncPolicy:
+ automated:
+ prune: true
+ # Turned off, validating webhook shows out of sync when setup in idpbuilder
+ selfHeal: false
+ syncOptions:
+ - CreateNamespace=true
diff --git a/istio-ambient/observability/grafana.yaml b/istio-ambient/observability/grafana.yaml
new file mode 100644
index 0000000..e1acc07
--- /dev/null
+++ b/istio-ambient/observability/grafana.yaml
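Review bot: The Gateway API CRD source at the end of `sources` in istio-base/istio.yaml tracks a Git tag (`targetRevision: v1.2.1`), which is a mutable reference; with `automated` sync and `prune: true`, whatever the tag resolves to at refresh time is applied to the cluster as CRDs. Pinning it to the full commit SHA behind that release, `targetRevision: <commit-sha-of-v1.2.1>  # gateway-api v1.2.1`, makes the input immutable, in line with the four Helm sources that are already pinned to chart version 1.24.1. The `extensionProviders` entry also hard-codes `otel-opentelemetry-collector.observability.svc.cluster.local` in the base module, so a comment such as `# resolves only when the observability module is installed` above `service:` would tell users of the base-only install why tracing has no backend.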
@@ -0,0 +1,71 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: grafana
+ namespace: argocd
+spec:
+ destination:
+ namespace: observability
+ server: "https://kubernetes.default.svc"
+ sources:
+ - repoURL: 'https://grafana.github.io/helm-charts'
+ targetRevision: 1.10.3
+ helm:
+ values: |
+ fullnameOverride: tempo
+ service:
+ type: ClusterIP
+ chart: tempo
+ - repoURL: 'https://grafana.github.io/helm-charts'
+ targetRevision: 8.5.1
+ helm:
+ values: |
+ env:
+ GF_AUTH_ANONYMOUS_ENABLED: true
+ GF_AUTH_ANONYMOUS_ORG_ROLE: 'Admin'
+ GF_AUTH_DISABLE_LOGIN_FORM: true
+
+ datasources:
+ datasources.yaml:
+ apiVersion: 1
+
+ datasources:
+ - name: Tempo
+ type: tempo
+ access: proxy
+ orgId: 1
+ url: http://tempo:3100
+ basicAuth: false
+ isDefault: true
+ version: 1
+ editable: false
+ apiVersion: 1
+ uid: tempo
+ - name: Prometheus
+ type: prometheus
+ access: proxy
+ # Access mode - proxy (server in the UI) or direct (browser in the UI).
+ url: http://prometheus-server.observability.svc
+ jsonData:
+ httpMethod: POST
+ manageAlerts: true
+ prometheusType: Prometheus
+ prometheusVersion: 2.55.0
+ cacheLevel: 'High'
+ disableRecordingRules: false
+ incrementalQueryOverlapWindow: 10m
+ chart: grafana
+ - repoURL: cnoe://grafana
+ targetRevision: HEAD
+ # with path set to '.' and cnoe://manifests. we are wanting ArgoCD to sync from the ./manifests directory.
+ path: "."
+ project: default
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio.io/dataplane-mode: 'ambient'
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/istio-ambient/observability/grafana/ingress.yaml b/istio-ambient/observability/grafana/ingress.yaml
new file mode 100644
index 0000000..098244f
--- /dev/null
+++ b/istio-ambient/observability/grafana/ingress.yaml
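Review bot: The Grafana `env` block in observability/grafana.yaml gives every unauthenticated visitor the Admin org role (`GF_AUTH_ANONYMOUS_ENABLED: true` with `GF_AUTH_ANONYMOUS_ORG_ROLE: 'Admin'`) and removes the login form, and grafana/ingress.yaml then publishes the service on `grafana.cnoe.localtest.me`. An anonymous admin can add datasources and query through the server-side proxy, which reaches in-cluster addresses such as `http://prometheus-server.observability.svc`. A narrower role keeps the no-login experience, for example `GF_AUTH_ANONYMOUS_ORG_ROLE: 'Viewer'` (or `'Editor'` if Explore is needed for traces); if Admin stays, a comment above the block such as `# anonymous admin: local idpbuilder clusters only` would make the trade-off explicit. The Tempo datasource also carries a second `apiVersion: 1` between `editable` and `uid`, which looks like a stray key, though the indentation is not recoverable in this view, so it is worth checking.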
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: grafana-ingress
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: grafana.cnoe.localtest.me
+ http:
+ paths:
+ - backend:
+ service:
+ name: grafana
+ port:
+ number: 80
+ path: /
+ pathType: Prefix
diff --git a/istio-ambient/observability/istio-kiali.yaml b/istio-ambient/observability/istio-kiali.yaml
new file mode 100644
index 0000000..6de603c
--- /dev/null
+++ b/istio-ambient/observability/istio-kiali.yaml
@@ -0,0 +1,40 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: 'istio-kiali'
+ namespace: argocd
+spec:
+ project: default
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: istio-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ sources:
+ - repoURL: cnoe://kiali
+ targetRevision: HEAD
+ path: "."
+ - repoURL: 'https://kiali.org/helm-charts'
+ targetRevision: v2.0.0
+ path: 'kiali/kiali-operator'
+ helm:
+ valuesObject:
+ cr:
+ create: 'true'
+ namespace: 'istio-system'
+ spec:
+ auth:
+ strategy: 'anonymous'
+ external_services:
+ prometheus:
+ url: "http://prometheus-server.observability.svc"
+ grafana:
+ enabled: true
+ internal_url: 'http://tempo-grafana.observability.svc'
+ # Public facing URL of Grafana
+ external_url: 'https://tracing.cnoe.localtest.me:8443/'
+ chart: kiali-operator
diff --git a/istio-ambient/observability/kiali/ingress.yaml b/istio-ambient/observability/kiali/ingress.yaml
new file mode 100644
index 0000000..ed42de9
--- /dev/null
+++ b/istio-ambient/observability/kiali/ingress.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: kiali-ingress
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: kiali.cnoe.localtest.me
+ http:
+ paths:
+ - backend:
+ service:
+ name: kiali
+ port:
+ number: 20001
+ path: /
+ pathType: Prefix
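Review bot: In observability/istio-kiali.yaml, `auth.strategy: 'anonymous'` lets anyone who can reach the host in kiali/ingress.yaml act with the Kiali service account's permissions, and nothing in the hunk limits what that account may change. If the UI is only meant for viewing traffic, adding `deployment: {view_only_mode: true}` under `cr.spec` (confirm the field against the CR reference for the pinned v2.0.0 chart) would stop anonymous visitors from editing Istio configuration. Separately, the Grafana URLs do not match the rest of the stack: `internal_url` points at `tempo-grafana.observability.svc` and `external_url` at `tracing.cnoe.localtest.me`, while grafana/ingress.yaml uses service `grafana` and host `grafana.cnoe.localtest.me`. The Helm source also sets both `path: 'kiali/kiali-operator'` and `chart: kiali-operator`; for a Helm repository only `chart` should be needed, so the `path` line can probably go.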
diff --git a/istio-ambient/observability/opentelemetry.yaml b/istio-ambient/observability/opentelemetry.yaml
new file mode 100644
index 0000000..7b9e31f
--- /dev/null
+++ b/istio-ambient/observability/opentelemetry.yaml
@@ -0,0 +1,62 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: otel
+ namespace: argocd
+spec:
+ destination:
+ namespace: observability
+ server: "https://kubernetes.default.svc"
+ sources:
+ - repoURL: 'https://open-telemetry.github.io/opentelemetry-helm-charts'
+ targetRevision: 0.73.0
+ helm:
+ valuesObject:
+ mode: deployment
+ config:
+ exporters:
+ logging:
+ loglevel: debug
+ otlp:
+ endpoint: tempo.observability.svc:4317
+ tls:
+ insecure: true
+ extensions:
+ # The health_check extension is mandatory for this chart.
+ # Without the health_check extension the collector will fail the readiness and liveliness probes.
+ # The health_check extension can be modified, but should never be removed.
+ health_check: {}
+ receivers:
+ otlp:
+ protocols:
+ grpc:
+ endpoint: ${env:MY_POD_IP}:4317
+ http:
+ endpoint: ${env:MY_POD_IP}:4318
+ service:
+ extensions:
+ - health_check
+ pipelines:
+ metrics:
+ receivers:
+ - otlp
+ logs:
+ receivers: [otlp]
+ exporters: [logging]
+ traces:
+ receivers:
+ - otlp
+ exporters:
+ - logging
+ - otlp
+ chart: opentelemetry-collector
+ project: default
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ istio.io/dataplane-mode: 'ambient'
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/istio-ambient/observability/prometheus.yaml b/istio-ambient/observability/prometheus.yaml
new file mode 100644
index 0000000..9ff84c6
--- /dev/null
+++ b/istio-ambient/observability/prometheus.yaml
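Review bot: In observability/opentelemetry.yaml the `logging` exporter is set to `loglevel: debug` and wired into both the `logs` and `traces` pipelines, so full span and log-record contents, including whatever request attributes the mesh attaches, are written to the collector pod's stdout and kept wherever pod logs are stored. Lowering it to `loglevel: info`, or dropping `- logging` from the `traces` exporters once the pipeline is confirmed working, avoids that. The `otlp` exporter also sets `tls: insecure: true` toward `tempo.observability.svc:4317`; this presumably relies on the `istio.io/dataplane-mode: 'ambient'` namespace label for transport encryption, and a comment such as `# plaintext OTLP; encrypted by the ambient mesh in this namespace` would keep the block from being reused outside the mesh unchanged.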
@@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: prometheus + namespace: argocd +spec: + destination: + namespace: observability + server: "https://kubernetes.default.svc" + sources: + - repoURL: 'https://prometheus-community.github.io/helm-charts' + targetRevision: 25.28.0 + chart: prometheus + project: default + syncPolicy: + automated: + selfHeal: true + prune: true + syncOptions: + - CreateNamespace=true From aeb9caaeb81ae633a5cf48006c28a04fa7d6c52e Mon Sep 17 00:00:00 2001 From: John Pease Date: Mon, 16 Dec 2024 11:55:31 -0500 Subject: [PATCH 2/5] fix: ignoredifferences and use values for consistency additionally updated docs to add a note on the built in path-based routing feature Signed-off-by: John Pease --- istio-ambient/README.md | 4 +++- istio-ambient/istio-base/istio.yaml | 27 ++++++++++++--------------- 2 files changed, 15 insertions(+), 16 deletions(-) diff --git a/istio-ambient/README.md b/istio-ambient/README.md index 9643091..1d1397b 100644 --- a/istio-ambient/README.md +++ b/istio-ambient/README.md @@ -29,4 +29,6 @@ Kiali: https://kiali.cnoe.localtest.me:8443/ Grafana: https://grafana.cnoe.localtest.me:8443/ -# Example Gateway and Application coming soon \ No newline at end of file +Path based routing using idpbuilder's `--use-path-routing` flag is not required and has not been tested + +Path based routing and other traffic shaping can be setup using istio - gateway and application examples coming soon \ No newline at end of file diff --git a/istio-ambient/istio-base/istio.yaml b/istio-ambient/istio-base/istio.yaml index ee51734..db978b6 100644 --- a/istio-ambient/istio-base/istio.yaml +++ b/istio-ambient/istio-base/istio.yaml 
@@ -4,38 +4,37 @@ metadata: name: 'istio-system' namespace: argocd spec: + ignoreDifferences: + - kind: ValidatingWebhookConfiguration + group: "admissionregistration.k8s.io" + jsonPointers: + - /webhooks project: default sources: - repoURL: 'https://istio-release.storage.googleapis.com/charts' targetRevision: 1.24.1 helm: - parameters: - - name: 'profile' - value: 'ambient' + valuesObject: + profile: ambient chart: cni - repoURL: 'https://istio-release.storage.googleapis.com/charts' targetRevision: 1.24.1 helm: - parameters: - - name: 'profile' - value: 'ambient' + valuesObject: + profile: ambient chart: base - repoURL: 'https://istio-release.storage.googleapis.com/charts' targetRevision: 1.24.1 chart: ztunnel helm: - parameters: - - name: 'profile' - value: 'ambient' + valuesObject: + profile: ambient - repoURL: 'https://istio-release.storage.googleapis.com/charts' targetRevision: 1.24.1 chart: istiod helm: - parameters: - - name: 'profile' - value: 'ambient' - # Tracing Config valuesObject: + profile: ambient meshConfig: defaultProviders: metrics: @@ -58,7 +57,5 @@ spec: syncPolicy: automated: prune: true - # Turned off, validating webhook shows out of sync when setup in idpbuilder - selfHeal: false syncOptions: - CreateNamespace=true From 9bb456596710bd4c73b56372c662b16aba9aeac6 Mon Sep 17 00:00:00 2001 From: John Pease Date: Tue, 17 Dec 2024 12:13:24 -0500 Subject: [PATCH 3/5] feat: allow istio configmap to be customized by users Signed-off-by: John Pease --- istio-ambient/istio-base/istio.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/istio-ambient/istio-base/istio.yaml b/istio-ambient/istio-base/istio.yaml index db978b6..3be95a6 100644 --- a/istio-ambient/istio-base/istio.yaml +++ b/istio-ambient/istio-base/istio.yaml 
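Review bot: The new `ignoreDifferences` entry in istio-base/istio.yaml ignores the whole `/webhooks` array of every ValidatingWebhookConfiguration in this Application (no `name` is given), so a change to a webhook's `rules`, `clientConfig` or `namespaceSelector` would no longer show up as drift. The out-of-sync state described in the removed comment presumably comes from a few fields the control plane rewrites at runtime; narrowing the entry to those, e.g. `jqPathExpressions: ['.webhooks[]?.failurePolicy']` (adding `.webhooks[]?.clientConfig.caBundle` only if it also diffs), keeps the rest of the webhook under Argo CD's comparison. The hunk also drops `selfHeal: false` without a replacement, which leaves the default in effect; writing `selfHeal` out explicitly would document the intent next to `prune: true`.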
@@ -5,6 +5,13 @@ metadata: namespace: argocd spec: ignoreDifferences: + # Allow users to modify mesh config if needed for testing + - kind: ConfigMap + group: "" + name: istio + jsonPointers: + - /data + # Kind issue - kind: ValidatingWebhookConfiguration group: "admissionregistration.k8s.io" jsonPointers: From 27d37b08298fe81ce28773d3a94b5600d0ea2395 Mon Sep 17 00:00:00 2001 From: John Pease Date: Tue, 17 Dec 2024 12:19:27 -0500 Subject: [PATCH 4/5] feat: update info about istio ConfigMap in docs Signed-off-by: John Pease --- istio-ambient/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/istio-ambient/README.md b/istio-ambient/README.md index 1d1397b..3501499 100644 --- a/istio-ambient/README.md +++ b/istio-ambient/README.md @@ -18,6 +18,8 @@ This stack contains installation of Istio Ambient as well as supporting observab `idpbuilder create -p https://github.com/cnoe-io/stacks//isto-ambient/istio-base` +Uses istio's helmcharts to create an example istio ConfigMap, however the istio argo Application is set to ignore differences for this ConfigMap object, allowing users to adjust configuration here if needed for testing + # Install istio along with observability components `idpbuilder create -p https://github.com/cnoe-io/stacks//isto-ambient/istio-base -p https://github.com/cnoe-io/stacks//isto-ambient/observability` From 64d808820b1ce16f44572a366d3cc6e7514e7acb Mon Sep 17 00:00:00 2001 From: John Pease Date: Tue, 17 Dec 2024 12:41:22 -0500 Subject: [PATCH 5/5] fix: add link to istios docs Signed-off-by: John Pease --- istio-ambient/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/istio-ambient/README.md b/istio-ambient/README.md index 3501499..e4ac749 100644 --- a/istio-ambient/README.md +++ b/istio-ambient/README.md 
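Review bot: Ignoring `/data` on the `istio` ConfigMap hides every mesh-config change from Argo CD's diff, yet it does not by itself preserve user edits: without `RespectIgnoreDifferences=true` in `syncOptions`, the next automated sync triggered by drift elsewhere in the Application applies the chart's ConfigMap again. If edits are meant to persist, add `- RespectIgnoreDifferences=true`; either way, narrowing the pointer to `/data/mesh` and adding `namespace: istio-system` to the entry limits how much unreviewed configuration the rule covers. Because this ConfigMap holds the mesh-wide settings, extending the existing comment to `# Allow users to modify mesh config if needed for testing (local clusters only; drift here is not reported)` would warn anyone copying the stack to a shared cluster.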
@@ -2,6 +2,9 @@ This stack contains installation of Istio Ambient as well as supporting observability tooling so traffic, metrics, and traces can be observed +Istio Ambient Mesh Docs: https://istio.io/latest/docs/ambient/overview/ + + ## Modules - istio-base