operator sailoperator (3.0.0-nightly-2023-10-18)
1 parent 3ff8000, commit 86cbc9b
Showing 21 changed files with 9,173 additions and 0 deletions.
@@ -0,0 +1,89 @@ | ||
# About the Sail Operator | ||
|
||
The Sail Operator is based on the open source Istio project. The Sail implementation pulls its code from the upstream Istio main repository with no changes to the codebase. | ||
|
||
## Prerequisites | ||
|
||
You have deployed a cluster on OpenShift Container Platform 4.13 or later. | ||
|
||
You are logged in to the OpenShift Container Platform web console as a user with the `cluster-admin` role. | ||
|
||
You have access to the OpenShift CLI (oc). | ||
|
||
## Installing the Sail Operator | ||
|
||
1. Navigate to the OperatorHub. | ||
|
||
2. Click **Operator** -> **Operator Hub**. | ||
|
||
3. Search on Sail. | ||
|
||
4. Locate the Sail Operator, and click to select it. | ||
|
||
5. When the prompt that discusses the community operator appears, click **Continue**. | ||
|
||
6. Verify the Sail Operator is version 3.0, and click **Install**. | ||
|
||
7. Use the default installation settings presented, and click **Install** to continue. | ||
|
||
8. Click **Operators** -> **Installed Operators** to verify that the Sail Operator is installed. `Succeeded` should appear in the **Status** column. | ||
|
||
## Deploying Istio | ||
|
||
1. Create the project where Istio is going to be deployed: | ||
|
||
```sh | ||
$ oc new-project istio-system | ||
``` | ||
|
||
1. In the OpenShift web console, select `istio-system` in the **Project** drop-down menu. | ||
|
||
1. Click the Sail Operator. | ||
|
||
1. Click **Istio**. | ||
|
||
1. Click **Create Istio**. | ||
|
||
1. Accept the defaults and click **Create**. This creates the Istio control plane. | ||
|
||
1. Click **Workloads** -> **Pods**. Verify that the pods were created. `Running` should appear in the **Status** column. If the pods were successfully created, then Istio is installed and ready for use. For more information, see the upstream [Istio documentation](https://istio.io/latest/docs/setup/platform-setup/openshift/). | ||
|
||
## Customizing Istio configuration | ||
|
||
The `values` field of the `Istio` custom resource definition, which was created when the control plane was deployed, can be used to customize Istio configuration using Istio's `Helm` configuration values. When you create this resource using the OpenShift Container Platform web console, it is pre-populated with configuration settings to enable Istio to run on OpenShift. | ||
To view or modify the `Istio` resource from the OpenShift Container Platform web console: | ||
1. Click **Operators** -> **Installed Operators**. | ||
1. Click **Istio** in the **Provided APIs** column. | ||
1. Click `Istio` instance, "istio-sample" by default, in the **Name** column. | ||
1. Click **YAML** to view the `Istio` configuration and make modifications. | ||
For a list of available configuration for the `values` field, refer to [Istio's artifacthub chart documentation](https://artifacthub.io/packages/search?org=istio&sort=relevance&page=1) for: | ||
|
||
- [Base parameters](https://artifacthub.io/packages/helm/istio-official/base?modal=values) | ||
- [Istiod parameters](https://artifacthub.io/packages/helm/istio-official/istiod?modal=values) | ||
- [Gateway parameters](https://artifacthub.io/packages/helm/istio-official/gateway?modal=values) | ||
- [CNI parameters](https://artifacthub.io/packages/helm/istio-official/cni?modal=values) | ||
- [ZTunnel parameters](https://artifacthub.io/packages/helm/istio-official/ztunnel?modal=values) | ||
|
||
## Installing the Bookinfo Application | ||
|
||
You can use the `bookinfo` example application to explore service mesh features. Using the `bookinfo` application, you can easily confirm that requests from a web browser pass through the mesh and reach the application. | ||
|
||
The `bookinfo` application displays information about a book, similar to a single catalog entry of an online book store. The application displays a page that describes the book, lists book details (ISBN, number of pages, and other information), and book reviews. | ||
|
||
The `bookinfo` application is exposed through the mesh, and the mesh configuration determines how the microservices comprising the application are used to serve requests. The review information comes from one of three services: `reviews-v1`, `reviews-v2` or `reviews-v3`. If you deploy the `bookinfo` application without defining the `reviews` virtual service, then the mesh uses a round robin rule to route requests to a service. | ||
|
||
By deploying the `reviews` virtual service, you can specify a different behavior. For example, you can specify that if a user logs into the `bookinfo` application, then the mesh routes requests to the `reviews-v2` service, and the application displays reviews with black stars. If a user does not log into the `bookinfo` application, then the mesh routes requests to the `reviews-v3` service, and the application displays reviews with red stars. | ||
|
||
For more information, see [Bookinfo Application](https://istio.io/latest/docs/examples/bookinfo/) in the upstream Istio documentation. | ||
|
||
## Gateway Configuration | ||
|
||
The Sail Operator does not deploy Ingress or Egress Gateways. Gateways are not part of the control plane. As a security best-practice, Ingress and Egress Gateways should be deployed in a different namespace than the namespace that contains the control plane. | ||
|
||
You can deploy gateways using either the Gateway API or Gateway Injection methods. Both are well documented in the Istio documentation. | ||
|
||
- To use Gateway API, follow the instructions in the [Getting Started with Istio and Kubernetes Gateway API](https://preliminary.istio.io/latest/docs/setup/additional-setup/getting-started/) page. | ||
- To use Gateway Injection, use the `Helm` method described in the [Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway) page. |
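Review bot: in the "Customizing Istio configuration" section, the `values` field belongs to the `Istio` custom resource (the instance named "istio-sample" that the following steps open), not to its "custom resource definition"; change "custom resource definition" to "custom resource" so readers do not go looking under CRDs. Two smaller points in the same file: the two Gateway links in the last section point at preliminary.istio.io, which tracks unreleased upstream docs, so either pin them to the Istio version this nightly pulls from or use istio.io like the other links in the file; and steps 1 and 2 of "Installing the Sail Operator" overlap ("Navigate to the OperatorHub" followed by "Click **Operator** -> **Operator Hub**", while step 8 spells the menu **Operators**), so merge them and use the same menu name throughout.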
...tors/sailoperator/3.0.0-nightly-2023-10-18/manifests/extensions.istio.io_wasmplugins.yaml (216 additions & 0 deletions)
@@ -0,0 +1,216 @@ | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
helm.sh/resource-policy: keep | ||
creationTimestamp: null | ||
labels: | ||
app: istio-pilot | ||
chart: istio | ||
heritage: Tiller | ||
release: istio | ||
name: wasmplugins.extensions.istio.io | ||
spec: | ||
group: extensions.istio.io | ||
names: | ||
categories: | ||
- istio-io | ||
- extensions-istio-io | ||
kind: WasmPlugin | ||
listKind: WasmPluginList | ||
plural: wasmplugins | ||
singular: wasmplugin | ||
scope: Namespaced | ||
versions: | ||
- additionalPrinterColumns: | ||
- description: 'CreationTimestamp is a timestamp representing the server time | ||
when this object was created. It is not guaranteed to be set in happens-before | ||
order across separate operations. Clients may not set this value. It is represented | ||
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for | ||
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' | ||
jsonPath: .metadata.creationTimestamp | ||
name: Age | ||
type: date | ||
name: v1alpha1 | ||
schema: | ||
openAPIV3Schema: | ||
properties: | ||
spec: | ||
description: 'Extend the functionality provided by the Istio proxy through | ||
WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' | ||
properties: | ||
failStrategy: | ||
description: Specifies the failure behavior for the plugin due to | ||
fatal errors. | ||
enum: | ||
- FAIL_CLOSE | ||
- FAIL_OPEN | ||
type: string | ||
imagePullPolicy: | ||
description: The pull behaviour to be applied when fetching Wasm module | ||
by either OCI image or http/https. | ||
enum: | ||
- UNSPECIFIED_POLICY | ||
- IfNotPresent | ||
- Always | ||
type: string | ||
imagePullSecret: | ||
description: Credentials to use for OCI image pulling. | ||
maxLength: 253 | ||
minLength: 1 | ||
type: string | ||
match: | ||
description: Specifies the criteria to determine which traffic is | ||
passed to WasmPlugin. | ||
items: | ||
properties: | ||
mode: | ||
description: Criteria for selecting traffic by their direction. | ||
enum: | ||
- UNDEFINED | ||
- CLIENT | ||
- SERVER | ||
- CLIENT_AND_SERVER | ||
type: string | ||
ports: | ||
description: Criteria for selecting traffic by their destination | ||
port. | ||
items: | ||
properties: | ||
number: | ||
maximum: 65535 | ||
minimum: 1 | ||
type: integer | ||
required: | ||
- number | ||
type: object | ||
type: array | ||
x-kubernetes-list-map-keys: | ||
- number | ||
x-kubernetes-list-type: map | ||
type: object | ||
type: array | ||
phase: | ||
description: Determines where in the filter chain this `WasmPlugin` | ||
is to be injected. | ||
enum: | ||
- UNSPECIFIED_PHASE | ||
- AUTHN | ||
- AUTHZ | ||
- STATS | ||
type: string | ||
pluginConfig: | ||
description: The configuration that will be passed on to the plugin. | ||
type: object | ||
x-kubernetes-preserve-unknown-fields: true | ||
pluginName: | ||
description: The plugin name to be used in the Envoy configuration | ||
(used to be called `rootID`). | ||
maxLength: 256 | ||
minLength: 1 | ||
type: string | ||
priority: | ||
description: Determines ordering of `WasmPlugins` in the same `phase`. | ||
nullable: true | ||
type: integer | ||
selector: | ||
description: Criteria used to select the specific set of pods/VMs | ||
on which this plugin configuration should be applied. | ||
properties: | ||
matchLabels: | ||
additionalProperties: | ||
type: string | ||
description: One or more labels that indicate a specific set of | ||
pods/VMs on which a policy should be applied. | ||
type: object | ||
type: object | ||
sha256: | ||
description: SHA256 checksum that will be used to verify Wasm module | ||
or OCI container. | ||
pattern: (^$|^[a-f0-9]{64}$) | ||
type: string | ||
targetRef: | ||
properties: | ||
group: | ||
type: string | ||
kind: | ||
type: string | ||
name: | ||
type: string | ||
namespace: | ||
type: string | ||
type: object | ||
type: | ||
description: Specifies the type of Wasm Extension to be used. | ||
enum: | ||
- UNSPECIFIED_PLUGIN_TYPE | ||
- HTTP | ||
- NETWORK | ||
type: string | ||
url: | ||
description: URL of a Wasm module or OCI container. | ||
minLength: 1 | ||
type: string | ||
x-kubernetes-validations: | ||
- message: url must have schema one of [http, https, file, oci] | ||
rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'', | ||
''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) && | ||
url(''http://'' +self).getScheme() in ['''', ''http'', ''https'', | ||
''oci'', ''file''])' | ||
verificationKey: | ||
type: string | ||
vmConfig: | ||
description: Configuration for a Wasm VM. | ||
properties: | ||
env: | ||
description: Specifies environment variables to be injected to | ||
this VM. | ||
items: | ||
properties: | ||
name: | ||
description: Name of the environment variable. | ||
maxLength: 256 | ||
minLength: 1 | ||
type: string | ||
value: | ||
description: Value for the environment variable. | ||
maxLength: 2048 | ||
type: string | ||
valueFrom: | ||
description: Source for the environment variable's value. | ||
enum: | ||
- INLINE | ||
- HOST | ||
type: string | ||
required: | ||
- name | ||
type: object | ||
x-kubernetes-validations: | ||
- message: value may only be set when valueFrom is INLINE | ||
rule: '(has(self.valueFrom) ? self.valueFrom : '''') != ''HOST'' | ||
|| !has(self.value)' | ||
maxItems: 256 | ||
type: array | ||
x-kubernetes-list-map-keys: | ||
- name | ||
x-kubernetes-list-type: map | ||
type: object | ||
required: | ||
- url | ||
type: object | ||
status: | ||
type: object | ||
x-kubernetes-preserve-unknown-fields: true | ||
required: | ||
- spec | ||
type: object | ||
served: true | ||
storage: true | ||
subresources: | ||
status: {} | ||
status: | ||
acceptedNames: | ||
kind: "" | ||
plural: "" | ||
conditions: null | ||
storedVersions: null |
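Review bot: the `x-kubernetes-validations` rule on `url` accepts an empty scheme (the `''''` entry in the list) in addition to http, https, oci and file, but its `message` says only "schema one of [http, https, file, oci]"; align the two, and "schema" should read "scheme". In the same `spec.properties`, `verificationKey` is the only property without a `description`, and the `sha256` pattern `(^$|^[a-f0-9]{64}$)` deliberately admits an empty value, so the checksum is optional rather than enforced; a one-line description on both fields would help operators who rely on them to pin exactly what gets pulled. Since the README in this commit states the code is pulled from upstream Istio with no changes, these fixes belong upstream, with the manifest regenerated here rather than hand-edited.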
...perator/3.0.0-nightly-2023-10-18/manifests/istio-operator-metrics-service_v1_service.yaml (25 additions & 0 deletions)
@@ -0,0 +1,25 @@ | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
creationTimestamp: null | ||
labels: | ||
app.kubernetes.io/component: kube-rbac-proxy | ||
app.kubernetes.io/created-by: sailoperator | ||
app.kubernetes.io/instance: istio-operator-metrics-service | ||
app.kubernetes.io/managed-by: kustomize | ||
app.kubernetes.io/name: service | ||
app.kubernetes.io/part-of: sailoperator | ||
control-plane: istio-operator | ||
name: istio-operator-metrics-service | ||
spec: | ||
ports: | ||
- name: https | ||
port: 8443 | ||
protocol: TCP | ||
targetPort: https | ||
selector: | ||
app.kubernetes.io/created-by: sailoperator | ||
app.kubernetes.io/part-of: sailoperator | ||
control-plane: istio-operator | ||
status: | ||
loadBalancer: {} |
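Review bot: `creationTimestamp: null` in `metadata` and the empty `status: loadBalancer: {}` at the end of this Service are generator output with no effect when applied; strip them (and the same `creationTimestamp: null` in the other manifests of this commit) so the bundle carries only intended fields. The absence of `spec.type` leaves the default ClusterIP, which is the right choice for a metrics endpoint fronted by kube-rbac-proxy on port 8443, so no change is needed there.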
...nightly-2023-10-18/manifests/metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml (17 additions & 0 deletions)
@@ -0,0 +1,17 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
creationTimestamp: null | ||
labels: | ||
app.kubernetes.io/component: kube-rbac-proxy | ||
app.kubernetes.io/created-by: sailoperator | ||
app.kubernetes.io/instance: metrics-reader | ||
app.kubernetes.io/managed-by: kustomize | ||
app.kubernetes.io/name: clusterrole | ||
app.kubernetes.io/part-of: sailoperator | ||
name: metrics-reader | ||
rules: | ||
- nonResourceURLs: | ||
- /metrics | ||
verbs: | ||
- get |
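Review bot: this `metrics-reader` ClusterRole has no accompanying binding in the diff shown; if it is meant for scrapers that authenticate through the kube-rbac-proxy-labelled metrics Service in this commit, document which subject should be bound to it, because an unbound role is inert and operators will otherwise bind something broader. The rule itself (`get` on the `/metrics` non-resource URL only) is appropriately minimal and should stay that way.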