diff --git a/common/istio-1-18/README.md b/common/istio-1-18/README.md index 6506c37a29..022f025464 100644 --- a/common/istio-1-18/README.md +++ b/common/istio-1-18/README.md @@ -27,13 +27,12 @@ old version is `X1.Y1.Z1`: CustomResource used to describe the Istio Control Plane: $ cd $ISTIO_NEW - $ istioctl profile dump demo > profile.yaml + $ istioctl profile dump default > profile.yaml --- **NOTE** - `istioctl` comes with a bunch of [predefined - profiles](https://istio.io/v1.9/docs/setup/additional-setup/config-profiles/) + `istioctl` comes with a bunch of [predefined profiles](https://istio.io/latest/docs/setup/additional-setup/config-profiles/) (`default`, `demo`, `minimal`, etc.). The `default` profile is installed by default. --- 
@@ -62,31 +61,13 @@ old version is `X1.Y1.Z1`: detect default settings. Ensure you have a target cluster ready before running the above commands. We set this flag because `istioctl manifest generate` generates manifest files with resources that are no longer supported in Kubernetes 1.25 (`policy/v1beta1`). See: https://github.com/istio/istio/issues/41220 - + --- -5. Remove PodDisruptionBudget from `istio-install` and `cluster-local-gateway` kustomizations. - See https://github.com/istio/istio/issues/12602 and https://github.com/istio/istio/issues/24000 - - Until now we have used two patches: - - `common/istio-1-16/istio-install/base/patches/remove-pdb.yaml` - - `common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml` - - The above patches do not work with kustomize v3.2.0 as it doesn't have the appropriate - openapi schemas for the policy/v1 API version resources. This is fixed in kustomize v4+. - See https://github.com/kubernetes-sigs/kustomize/issues/3694#issuecomment-799700607 and - https://github.com/kubernetes-sigs/kustomize/issues/4495 - - A temporary workaround is to use the following instructions to manually delete the PodDisruptionBudget resources with `yq`: - - $ yq eval -i 'select((.kind == "PodDisruptionBudget" and .metadata.name == "cluster-local-gateway") | not)' common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml - $ yq eval -i 'select((.kind == "PodDisruptionBudget" and .metadata.name == "istio-ingressgateway") | not)' common/istio-1-16/istio-install/base/install.yaml - $ yq eval -i 'select((.kind == "PodDisruptionBudget" and .metadata.name == "istiod") | not)' common/istio-1-16/istio-install/base/install.yaml - --- **NOTE** - NOTE: Make sure to remove a redundant {} at the end of the `common/istio-1-16/istio-install/base/install.yaml` and `common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml` files. 
+ NOTE: Make sure to remove a redundant {} at the end of the `common/istio-1-18/istio-install/base/install.yaml` and `common/istio-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml` files. --- @@ -94,11 +75,10 @@ old version is `X1.Y1.Z1`: ### Changes to the upstream IstioOperator profile -Changes to Istio's upstream profile `demo` are the following: +Changes to Istio's upstream profile `default` are the following: -- Add a `cluster-local-gateway` component for KFServing. -- Disable the EgressGateway component. We don\'t use it and it adds - unnecessary complexity. +- Add a `cluster-local-gateway` component for Kserve. +- Disable the EgressGateway component. We do not use it and it adds unnecessary complexity. Those changes are captured in the [profile-overlay.yaml](profile-overlay.yaml) file. @@ -118,3 +98,4 @@ The Istio kustomizations make the following changes: - Configure TCP KeepAlives. - Disable tracing as it causes DNS breakdown. See: https://github.com/istio/istio/issues/29898 +- Set ENABLE_DEBUG_ON_HTTP=false according to https://istio.io/latest/docs/ops/best-practices/security/#control-plane diff --git a/common/istio-1-18/cluster-local-gateway/base/kustomization.yaml b/common/istio-1-18/cluster-local-gateway/base/kustomization.yaml index b01420e648..00d9d84f0e 100644 --- a/common/istio-1-18/cluster-local-gateway/base/kustomization.yaml +++ b/common/istio-1-18/cluster-local-gateway/base/kustomization.yaml @@ -12,7 +12,5 @@ resources: - gateway-authorizationpolicy.yaml - gateway.yaml -# Disable this patch until we upgrade to kustomize to v4+ -# see https://github.com/kubeflow/manifests/issues/2325#issuecomment-1323909056 -# patchesStrategicMerge: -# - patches/remove-pdb.yaml +patchesStrategicMerge: +- patches/remove-pdb.yaml diff --git a/common/istio-1-18/istio-install/base/kustomization.yaml b/common/istio-1-18/istio-install/base/kustomization.yaml index 647755c6a2..760d81fbc5 100644 --- a/common/istio-1-18/istio-install/base/kustomization.yaml 
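Review bot: Re-enabling `patches/remove-pdb.yaml` in cluster-local-gateway/base/kustomization.yaml deletes the only comment recording that this patch depends on the kustomize version, so the requirement is no longer stated next to the patch list. The removed lines say the patch was held back until kustomize v4+, so building with an older binary would presumably fail or leave the PodDisruptionBudgets in place. I would keep a one-line comment above the entry, for example `# remove-pdb.yaml requires kustomize v4+, see https://github.com/kubeflow/manifests/issues/2325`. The same applies to the matching hunk in istio-install/base/kustomization.yaml.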
+++ b/common/istio-1-18/istio-install/base/kustomization.yaml @@ -14,7 +14,5 @@ patchesStrategicMerge: - patches/service.yaml - patches/istio-configmap-disable-tracing.yaml - patches/disable-debugging.yaml -# Disable this patch until we upgrade to kustomize to v4+ -# see https://github.com/kubeflow/manifests/issues/2325#issuecomment-1323909056 -# - patches/remove-pdb.yaml +- patches/remove-pdb.yaml diff --git a/common/istio-1-18/istio-install/base/patches/disable-debugging.yaml b/common/istio-1-18/istio-install/base/patches/disable-debugging.yaml index 2b3f43dd1d..a46a251f6d 100644 --- a/common/istio-1-18/istio-install/base/patches/disable-debugging.yaml +++ b/common/istio-1-18/istio-install/base/patches/disable-debugging.yaml @@ -15,3 +15,4 @@ spec: - name: discovery env: - name: ENABLE_DEBUG_ON_HTTP + value: false diff --git a/common/istio-1-18/profile-overlay.yaml b/common/istio-1-18/profile-overlay.yaml index c06c9f2d5b..51564ba020 100644 --- a/common/istio-1-18/profile-overlay.yaml +++ b/common/istio-1-18/profile-overlay.yaml @@ -8,7 +8,7 @@ spec: probes: 3 components: ingressGateways: - # Cluster-local gateway for KFServing + # Cluster-local gateway for KServe - enabled: true name: cluster-local-gateway # https://github.com/istio/istio/issues/19263#issuecomment-615833092
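Review bot: The added `value: false` under `ENABLE_DEBUG_ON_HTTP` in patches/disable-debugging.yaml is an unquoted YAML boolean, but a container env var's `value` is a string field in the Kubernetes API. Depending on the tooling, the patch is either rejected at build or apply time or the value is coerced, so the hardening the README cites from the Istio security best practices may not reliably reach the `discovery` container. Quote it as `value: "false"`, and confirm in the rendered istiod Deployment that the variable comes out as the string "false". The Deployment spec around this env entry starts outside the hunk, so the rest of the patch could not be checked here.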