Background

After the Service Mesh (SM) PoC in Guilin, we are focusing on deploying SM in Kohn, using Istio as the SM framework in ONAP.
The target picture is described on the SECCOM page:
ONAP Next Generation Security & Logging Architecture


Cluster Preparation

During the setup of the K8S cluster, the Istio resources need to be installed.
As a basis in Kohn we use the following platform versions:

  • helm_release: v3.8.2
  • kubernetes_release: v1.23.8
  • istio_release: 1.14.1

Install Istio

Source: https://istio.io/latest/docs/setup/install/helm/

Istio basics

  1. Configure the Helm repository:

    $ helm repo add istio https://istio-release.storage.googleapis.com/charts
    $ helm repo update
  2. Create a namespace istio-system for Istio components:

    $ kubectl create namespace istio-system
  3. Install the Istio Base chart which contains cluster-wide resources used by the Istio control plane:

    $ helm upgrade --install istio-base istio/base -n istio-system --version 1.14.1


  4. Install the Istio Discovery chart which deploys the istiod service:
    (set global.proxy.holdApplicationUntilProxyStarts=true so that the sidecar proxy is started before the application container starts)

    $ helm upgrade --install istiod istio/istiod -n istio-system --version 1.14.1 --wait --set global.proxy.holdApplicationUntilProxyStarts=true


Istio Ingress Gateway

  1. Create a namespace istio-ingress for the Istio Ingress gateway and enable istio-injection:

    $ kubectl create namespace istio-ingress
    $ kubectl label namespace istio-ingress istio-injection=enabled
  2. Install the Istio Gateway chart:

    $ helm upgrade --install istio-ingress istio/gateway -n istio-ingress --version 1.14.1 --wait

Install Jaeger/Kiali


Configure ONAP charts

Global values used for ServiceMesh and Ingress setup can be found in

The following variable settings are used for enabling ServiceMesh as well as Istio Ingress:

    # ingress virtualhost based configuration
    global:
      ingress:
        enabled: true
        virtualhost:
          baseurl: "simpledemo.onap.org"
        # All http requests via ingress will be redirected
        config:
          ssl: "redirect"
        # you can set an own Secret containing a certificate
        #  tls:
        #    secret: 'my-ingress-cert'
        # optional: Namespace of the Istio IngressGateway
        namespace: istio-ingress
    ...
      serviceMesh:
        enabled: true
        tls: true
        # be aware that linkerd is not well tested
        engine: "istio" # valid value: istio or linkerd
      aafEnabled: false
      cmpv2Enabled: false
      tlsEnabled: false
      msbEnabled: false



Install ONAP


  1. Label namespace for Istio sidecar injection:

    $ kubectl label namespace onap istio-injection=enabled --overwrite=true
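
The script below is an added example, not part of the original page or of ONAP's tooling. It checks the results of the steps above: the injection labels on istio-ingress and onap, the holdApplicationUntilProxyStarts value on the istiod release, and whether any pod in onap is running without an istio-proxy sidecar. The function names, the `run` argument and the KUBECTL/HELM override variables are assumptions of this example.

```bash
#!/bin/sh
# Added example (not ONAP project code): checks for the install steps on this page.
# KUBECTL and HELM may be overridden, e.g. KUBECTL="microk8s kubectl".
KUBECTL="${KUBECTL:-kubectl}"
HELM="${HELM:-helm}"

# Succeeds if namespace $1 carries the label istio-injection=enabled.
injection_enabled() {
  label=$($KUBECTL get namespace "$1" -o jsonpath='{.metadata.labels.istio-injection}')
  [ "$label" = "enabled" ]
}

# Succeeds if the istiod release was given holdApplicationUntilProxyStarts=true.
hold_app_enabled() {
  $HELM get values istiod -n istio-system -o json |
    grep -Eq '"holdApplicationUntilProxyStarts"[[:space:]]*:[[:space:]]*true'
}

# Prints pods in namespace $1 that have no container named istio-proxy.
# Injection happens at pod creation, so pods that existed before the
# namespace was labelled stay outside the mesh until they are recreated.
pods_without_sidecar() {
  $KUBECTL get pods -n "$1" -o \
    jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}' |
    awk -F'\t' 'NF && $2 !~ /(^| )istio-proxy( |$)/ { print $1 }'
}

# Runs all checks; returns non-zero if any of them fails.
check_mesh() {
  rc=0
  for ns in istio-ingress onap; do
    injection_enabled "$ns" ||
      { echo "FAIL: namespace $ns lacks istio-injection=enabled"; rc=1; }
  done
  hold_app_enabled ||
    { echo "FAIL: istiod holdApplicationUntilProxyStarts is not true"; rc=1; }
  missing=$(pods_without_sidecar onap)
  [ -z "$missing" ] ||
    { echo "FAIL: onap pods without istio-proxy:"; echo "$missing"; rc=1; }
  return "$rc"
}

# Usage: sh check-mesh.sh run
if [ "${1:-}" = "run" ]; then check_mesh; fi
```

A pod listed by `pods_without_sidecar` is not covered by the mesh settings in the ONAP values (`serviceMesh.tls: true`) until it is recreated with the sidecar.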