Implementation for Istio-SDS and Simplified Istio/istiod
This is the 'default' install, creating an istiod and ingress deployment in istio-system.
The install can be done in a fresh cluster, or in a cluster where Istio is already set up; it does not interfere with the normal Istio install.
- Cluster-wide settings: these require cluster admin and grant broad permissions. This step needs to be repeated on each release; all instances of the control plane will use the same CRDs.
kubectl apply -k github.com/costinm/istiod/kustomize/cluster
# Customize the mutating webhook to choose which workloads/namespaces will be selected.
# Default is namespaces with istio-env=istiod label.
kubectl apply -k github.com/costinm/istiod/kustomize/autoinject
- Install istiod
kubectl apply -k github.com/costinm/istiod/kustomize/istiod
- Install an ingress gateway
kubectl apply -k github.com/costinm/istiod/kustomize/isto-ingress
This installs istiod, knative, and 2 namespaces running fortio servers and client, one secure and one insecure. More tests and scenarios will be added. This is intended to be used in the 'stability/perf/scale' clusters.
Note: These steps must be run after Istiod is in a 'Running' state. Istiod patches the mutatingwebhook resource to add CA credentials. Without those credentials, Kubernetes will refuse to create pods that run through the webhook. If you installed the workloads too early, you may need to delete stuck replicasets in order for them to start trying to create pods again.
- Cluster-wide settings: requires cluster-admin
kubectl apply -k github.com/costinm/istiod/test/all-cluster
- Everything else
kubectl apply -k github.com/costinm/istiod/test/all
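One way to enforce the ordering from the note above before applying the test workloads. This is an added example, not part of the istiod repository; it assumes the deployment is named `istiod` in `istio-system`, and the webhook configuration name is a placeholder the caller must supply.

```shell
#!/bin/sh
# Added example, not from the istiod repository.
# Assumptions: deployment "istiod" in istio-system; the webhook configuration
# name is supplied by the caller (list candidates with
# `kubectl get mutatingwebhookconfiguration`).

# Return 0 only if every webhook entry in configuration $1 carries a caBundle.
webhook_has_ca() {
  # One line per webhook: "<name> <caBundle>"; a missing bundle leaves one field.
  out=$(kubectl get mutatingwebhookconfiguration "$1" -o \
    jsonpath='{range .webhooks[*]}{.name}{" "}{.clientConfig.caBundle}{"\n"}{end}') \
    || return 1
  printf '%s\n' "$out" | awk 'NF < 2 { bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Wait for the istiod rollout, then poll until the CA bundle has been patched in.
# $1 = webhook configuration name, $2 = attempts (default 30),
# $3 = delay between attempts in seconds (default 5).
wait_for_webhook_ca() {
  cfg="$1"; tries="${2:-30}"; delay="${3:-5}"
  kubectl -n istio-system rollout status deployment/istiod --timeout=300s || return 1
  i=0
  while [ "$i" -lt "$tries" ]; do
    if webhook_has_ca "$cfg"; then return 0; fi
    i=$((i + 1))
    sleep "$delay"
  done
  echo "webhook $cfg still has no caBundle; do not install workloads yet" >&2
  return 1
}

# Usage (WEBHOOK_CONFIG_NAME is a placeholder):
#   wait_for_webhook_ca WEBHOOK_CONFIG_NAME && \
#     kubectl apply -k github.com/costinm/istiod/test/all
```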
- Galley validation not yet integrated
- SDS code change to read from a file if secure JWT are not available (WIP)