...
- helm_release: v3.8.2
- kubernetes_release: v1.23.8
- istio_release: 1.14.1
- Cert-Manager: 1.5.4
- Strimzi-Operator: 0.30.0
More information
Istio Best Practices:
https://docs.solo.io/gloo-mesh-enterprise/latest/setup/prod/namespaces/
Install Istio
Source: https://istio.io/latest/docs/setup/install/helm/
...
Configure the Helm repository:
Code Block $ helm repo add istio https://istio-release.storage.googleapis.com/charts $ helm repo update
Create a namespace for "mesh-level" configurations
Code Block $ kubectl create namespace istio-configCreate a namespace istio-system for Istio components:
Code Block $ kubectl create namespace istio-system
Install the Istio Base chart which contains cluster-wide resources used by the Istio control plane:
Code Block $ helm upgrade -i istio-base istio/base -n istio-system --version 1.14.1
Install the Istio Discovery chart which deploys the istiod service:
(enable the variable to enforce the (sidecar) proxy startup before the container start)
| Code Block |
|---|
$ helm upgrade -i istiod istio/istiod -n istio-system --version 1.14.1 --wait --set global.proxy.holdApplicationUntilProxyStarts=true --set meshConfig.rootNamespace=istio-config |
Add an EnvoyFilter for HTTP header case
When handling HTTP/1.1, Envoy will normalize the header keys to be all lowercase.
While this is compliant with the HTTP/1.1 spec, in practice this can result in issues when migrating existing systems that might rely on specific header casing.
In our case a problem was detected in the SDC client implementation, thich relies on uppercase header values.
To solve this problem in general we add a EnvoyFilter to keep the uppercase header in the istio-config namespace to apply for all namespaces.
Create a EnvoyFilter file (e.g. envoyfilter-case.yaml)
Code Block apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: header-casing namespace: istio-confiig spec: configPatches: - applyTo: CLUSTER match: context: ANY patch: operation: MERGE value: typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions use_downstream_protocol_config: http_protocol_options: header_key_format: stateful_formatter: name: preserve_case typed_config: '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig - applyTo: NETWORK_FILTER match: listener: filterChain: filter: name: envoy.filters.network.http_connection_manager patch: operation: MERGE value: typed_config: '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager http_protocol_options: header_key_format: stateful_formatter: name: preserve_case typed_config: '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfigApply the change to Istio
Code Block $ kubectl apply -f envoyfilter-case.yaml
Istio Ingress Gateway
Create a namespace istio-ingress for the Istio Ingress gateway and enable istio-injection:
Code Block $ kubectl create namespace istio-ingress $ kubectl label namespace istio-ingress istio-injection=enabled
Install the Istio Gateway chart:
Code Block $ helm upgrade -i istio-ingressgateway istio/gateway -n istio-ingress --version 1.14.1 --wait
...