operator sailoperator (3.0.0-nightly-2023-11-02)
maistra-bot authored Nov 2, 2023
1 parent 55dd9a0 commit 5f9a76b
Showing 21 changed files with 9,267 additions and 0 deletions.
154 changes: 154 additions & 0 deletions operators/sailoperator/3.0.0-nightly-2023-11-02/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,154 @@
# About the Sail Operator

The Sail Operator is based on the open source Istio project. The Sail implementation pulls its code from the upstream Istio main repository with no changes to the codebase.

## Prerequisites

You have deployed a cluster on OpenShift Container Platform 4.13 or later.

You are logged in to the OpenShift Container Platform web console as a user with the `cluster-admin` role.

You have access to the OpenShift CLI (oc).

## Installing the Sail Operator

1. Navigate to the OperatorHub.

2. Click **Operator** -> **Operator Hub**.

3. Search on Sail.

4. Locate the Sail Operator, and click to select it.

5. When the prompt that discusses the community operator appears, click **Continue**.

6. Verify the Sail Operator is version 3.0, and click **Install**.

7. Use the default installation settings presented, and click **Install** to continue.

8. Click **Operators** -> **Installed Operators** to verify that the Sail Operator is installed. `Succeeded` should appear in the **Status** column.

## Deploying Istio

1. Create the project where Istio is going to be deployed:

```sh
$ oc new-project istio-system
```

1. In the OpenShift web console, select `istio-system` in the **Project** drop-down menu.

1. Click the Sail Operator.

1. Click **Istio**.

1. Click **Create Istio**.

1. Accept the defaults and click **Create**. This creates the Istio control plane.

1. Click **Workloads** -> **Pods**. Verify that the pods were created. `Running` should appear in the **Status** column. If the pods were successfully created, then Istio is installed and ready for use. For more information, see the upstream [Istio documentation](https://istio.io/latest/docs/setup/platform-setup/openshift/).

## Customizing Istio configuration

The `values` field of the `Istio` custom resource definition, which was created when the control plane was deployed, can be used to customize Istio configuration using Istio's `Helm` configuration values. When you create this resource using the OpenShift Container Platform web console, it is pre-populated with configuration settings to enable Istio to run on OpenShift.
To view or modify the `Istio` resource from the OpenShift Container Platform web console:
1. Click **Operators** -> **Installed Operators**.
1. Click **Istio** in the **Provided APIs** column.
1. Click `Istio` instance, "istio-sample" by default, in the **Name** column.
1. Click **YAML** to view the `Istio` configuration and make modifications.
For a list of available configuration for the `values` field, refer to [Istio's artifacthub chart documentation](https://artifacthub.io/packages/search?org=istio&sort=relevance&page=1) for:

- [Base parameters](https://artifacthub.io/packages/helm/istio-official/base?modal=values)
- [Istiod parameters](https://artifacthub.io/packages/helm/istio-official/istiod?modal=values)
- [Gateway parameters](https://artifacthub.io/packages/helm/istio-official/gateway?modal=values)
- [CNI parameters](https://artifacthub.io/packages/helm/istio-official/cni?modal=values)
- [ZTunnel parameters](https://artifacthub.io/packages/helm/istio-official/ztunnel?modal=values)

## Installing the Bookinfo Application

You can use the `bookinfo` example application to explore service mesh features. Using the `bookinfo` application, you can easily confirm that requests from a web browser pass through the mesh and reach the application.

The `bookinfo` application displays information about a book, similar to a single catalog entry of an online book store. The application displays a page that describes the book, lists book details (ISBN, number of pages, and other information), and book reviews.

The `bookinfo` application is exposed through the mesh, and the mesh configuration determines how the microservices comprising the application are used to serve requests. The review information comes from one of three services: `reviews-v1`, `reviews-v2` or `reviews-v3`. If you deploy the `bookinfo` application without defining the `reviews` virtual service, then the mesh uses a round robin rule to route requests to a service.

By deploying the `reviews` virtual service, you can specify a different behavior. For example, you can specify that if a user logs into the `bookinfo` application, then the mesh routes requests to the `reviews-v2` service, and the application displays reviews with black stars. If a user does not log into the `bookinfo` application, then the mesh routes requests to the `reviews-v3` service, and the application displays reviews with red stars.

For more information, see [Bookinfo Application](https://istio.io/latest/docs/examples/bookinfo/) in the upstream Istio documentation.

After following the instructions for [Deploying the application](https://istio.io/latest/docs/examples/bookinfo/#start-the-application-services), **you will need to create and configure a gateway** for the `bookinfo` application to be accessible outside the cluster.

## Creating and Configuring Gateways

The Sail Operator does not deploy Ingress or Egress Gateways. Gateways are not part of the control plane. As a security best-practice, Ingress and Egress Gateways should be deployed in a different namespace than the namespace that contains the control plane.

You can deploy gateways using either the Gateway API or Gateway Injection methods.

### Option 1: Istio Gateway Injection

Gateway Injection uses the same mechanisms as Istio sidecar injection to create a gateway from a `Deployment` resource that is paired with a `Service` resource that can be made accessible from outside the cluster. For more information, see [Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway).

To configure gateway injection with the `bookinfo` application, we have provided a [sample gateway configuration](../config/samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace where the application is installed:

1. Create the `istio-ingressgateway` deployment and service:

```sh
$ oc apply -f -n <app-namespace> ingress-gateway.yaml
```

2. Configure the `bookinfo` application with the new gateway:

```sh
$ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml
```

3. On OpenShift, you can use a [Route](https://docs.openshift.com/container-platform/4.13/networking/routes/route-configuration.html) to expose the gateway externally:

```sh
$ oc expose service istio-ingressgateway
```

4. Finally, obtain the gateway host name and the URL of the product page:

```sh
$ HOST=$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}')
$ echo http://$HOST/productpage
```

Verify that the `productpage` is accessible from a web browser.

### Option 2: Kubernetes Gateway API

Istio includes support for Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) and intends to make it the default API for [traffic management in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). For more information, see Istio's [Kubernetes Gateway API](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/) page.
As of Kubernetes 1.28 and OpenShift 4.14, the Kubernetes Gateway API CRDs are not available by default and must be enabled to be used. This can be done with the command:
```sh
$ oc get crd gateways.gateway.networking.k8s.io &> /dev/null || { oc kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.8.0" | oc apply -f -; }
```
To configure `bookinfo` with a gateway using `Gateway API`:
1. Create and configure a gateway using a `Gateway` and `HTTPRoute` resource:
```sh
$ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/gateway-api/bookinfo-gateway.yaml
```
2. Retrieve the host, port and gateway URL:
```sh
$ export INGRESS_HOST=$(oc get gtw bookinfo-gateway -o jsonpath='{.status.addresses[0].value}')
$ export INGRESS_PORT=$(oc get gtw bookinfo-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
```
3. Obtain the `productpage` URL and check that you can visit it from a browser:
```sh
$ echo "http://${GATEWAY_URL}/productpage"
```
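Review bot: the first command under "Option 1: Istio Gateway Injection", `$ oc apply -f -n <app-namespace> ingress-gateway.yaml`, has its flags in the wrong order: `-f` consumes `-n` as the filename, so `oc` will try to read a file called `-n` and then treat the remaining arguments as extra positionals. It should read `oc apply -n <app-namespace> -f ingress-gateway.yaml`. A second, smaller point on the same section: Option 1 exposes the gateway with a Route before the browser check, but Option 2 ends at `echo "http://${GATEWAY_URL}/productpage"` with `INGRESS_HOST` taken from `.status.addresses[0].value` and never says how that address is made reachable from outside the cluster; a sentence stating what the user is expected to see there (or a Route step mirroring Option 1) would keep the two walkthroughs consistent.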
Original file line number Diff line number Diff line change
@@ -0,0 +1,216 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
creationTimestamp: null
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: wasmplugins.extensions.istio.io
spec:
group: extensions.istio.io
names:
categories:
- istio-io
- extensions-istio-io
kind: WasmPlugin
listKind: WasmPluginList
plural: wasmplugins
singular: wasmplugin
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: 'CreationTimestamp is a timestamp representing the server time
when this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
properties:
spec:
description: 'Extend the functionality provided by the Istio proxy through
WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html'
properties:
failStrategy:
description: Specifies the failure behavior for the plugin due to
fatal errors.
enum:
- FAIL_CLOSE
- FAIL_OPEN
type: string
imagePullPolicy:
description: The pull behaviour to be applied when fetching Wasm module
by either OCI image or http/https.
enum:
- UNSPECIFIED_POLICY
- IfNotPresent
- Always
type: string
imagePullSecret:
description: Credentials to use for OCI image pulling.
maxLength: 253
minLength: 1
type: string
match:
description: Specifies the criteria to determine which traffic is
passed to WasmPlugin.
items:
properties:
mode:
description: Criteria for selecting traffic by their direction.
enum:
- UNDEFINED
- CLIENT
- SERVER
- CLIENT_AND_SERVER
type: string
ports:
description: Criteria for selecting traffic by their destination
port.
items:
properties:
number:
maximum: 65535
minimum: 1
type: integer
required:
- number
type: object
type: array
x-kubernetes-list-map-keys:
- number
x-kubernetes-list-type: map
type: object
type: array
phase:
description: Determines where in the filter chain this `WasmPlugin`
is to be injected.
enum:
- UNSPECIFIED_PHASE
- AUTHN
- AUTHZ
- STATS
type: string
pluginConfig:
description: The configuration that will be passed on to the plugin.
type: object
x-kubernetes-preserve-unknown-fields: true
pluginName:
description: The plugin name to be used in the Envoy configuration
(used to be called `rootID`).
maxLength: 256
minLength: 1
type: string
priority:
description: Determines ordering of `WasmPlugins` in the same `phase`.
nullable: true
type: integer
selector:
description: Criteria used to select the specific set of pods/VMs
on which this plugin configuration should be applied.
properties:
matchLabels:
additionalProperties:
type: string
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
type: object
type: object
sha256:
description: SHA256 checksum that will be used to verify Wasm module
or OCI container.
pattern: (^$|^[a-f0-9]{64}$)
type: string
targetRef:
properties:
group:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
type: object
type:
description: Specifies the type of Wasm Extension to be used.
enum:
- UNSPECIFIED_PLUGIN_TYPE
- HTTP
- NETWORK
type: string
url:
description: URL of a Wasm module or OCI container.
minLength: 1
type: string
x-kubernetes-validations:
- message: url must have schema one of [http, https, file, oci]
rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'',
''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) &&
url(''http://'' +self).getScheme() in ['''', ''http'', ''https'',
''oci'', ''file''])'
verificationKey:
type: string
vmConfig:
description: Configuration for a Wasm VM.
properties:
env:
description: Specifies environment variables to be injected to
this VM.
items:
properties:
name:
description: Name of the environment variable.
maxLength: 256
minLength: 1
type: string
value:
description: Value for the environment variable.
maxLength: 2048
type: string
valueFrom:
description: Source for the environment variable's value.
enum:
- INLINE
- HOST
type: string
required:
- name
type: object
x-kubernetes-validations:
- message: value may only be set when valueFrom is INLINE
rule: '(has(self.valueFrom) ? self.valueFrom : '''') != ''HOST''
|| !has(self.value)'
maxItems: 256
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
required:
- url
type: object
status:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null
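Review bot: the only required field in `spec` is `url`, while `sha256` (whose pattern `(^$|^[a-f0-9]{64}$)` also accepts the empty string) and `verificationKey` are optional, and the `x-kubernetes-validations` rule on `url` admits the empty scheme and `file` alongside `http`, `https` and `oci`. The API therefore accepts a WasmPlugin that fetches a module over plain `http` with no integrity check at all. This CRD is vendored from upstream Istio unchanged, so the schema itself is not the place to fix it, but the operator README should tell users to set `sha256` (or reference OCI images by digest) and point at an admission policy if they want that enforced. Minor: `verificationKey` is the one spec field without a `description`, and the `heritage: Tiller` label is a Helm 2 leftover that carries no meaning here.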
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: sailoperator
app.kubernetes.io/instance: istio-operator-metrics-service
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: service
app.kubernetes.io/part-of: sailoperator
control-plane: istio-operator
name: istio-operator-metrics-service
spec:
ports:
- name: https
port: 8443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/created-by: sailoperator
app.kubernetes.io/part-of: sailoperator
control-plane: istio-operator
status:
loadBalancer: {}
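Review bot: `creationTimestamp: null` and the empty `status: loadBalancer: {}` block are serialization artifacts from the generator and add noise to a checked-in manifest; consider stripping them. Also note that `targetPort: https` resolves by container port name, so this Service only works if the operator Deployment's kube-rbac-proxy container names its 8443 port `https`; that Deployment is not in this hunk, so it is worth a cross-check in the same commit.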