diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index bd2121c060..e05f6f82a3 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -6,7 +6,6 @@ ARG USER_GID=$USER_UID ARG HELM_VERSION=3.3.1 ARG KUBECTL_VERSION=1.22.4 -ARG ISTIOCTL_VERSION=1.8.1 RUN : INSTALL APT REQUIREMENTS \ && export DEBIAN_FRONTEND=noninteractive \ @@ -32,12 +31,7 @@ RUN : INSTALL HELM BINARY \ && curl -fsSLO https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl \ && chmod +x ./kubectl \ && mv ./kubectl /usr/local/bin/kubectl \ - && kubectl version --client \ - && : INSTALL ISTIOCTl BINARY \ - && curl -fsSLO https://github.com/istio/istio/releases/download/${ISTIOCTL_VERSION}/istioctl-${ISTIOCTL_VERSION}-linux-amd64.tar.gz \ - && tar -xzof istioctl-${ISTIOCTL_VERSION}-linux-amd64.tar.gz -C /usr/local/bin istioctl \ - && rm istioctl-${ISTIOCTL_VERSION}-linux-amd64.tar.gz \ - && chmod +x /usr/local/bin/istioctl + && kubectl version --client RUN : INSTALL GEM REQUIREMENTS \ && gem install \ diff --git a/Dockerfile b/Dockerfile index af8ab3e56f..5bf8a08ccb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,7 +6,6 @@ ARG USER_GID=$USER_UID ARG HELM_VERSION=3.3.1 ARG KUBECTL_VERSION=1.22.4 -ARG ISTIOCTL_VERSION=1.8.1 ENV EPICLI_DOCKER_SHARED_DIR=/shared 
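Review bot: The kubectl binary that remains in this RUN chain is fetched with `curl -fsSLO` and moved to `/usr/local/bin` without any integrity check, so the image trusts whatever the download URL serves at build time. Pinning the expected digest next to the version and verifying it before `chmod`/`mv` would close that gap, e.g. `ARG KUBECTL_SHA256=<expected-sha256-placeholder>` and `&& echo "${KUBECTL_SHA256}  kubectl" | sha256sum -c - \`. The same applies to the kubectl step in the second hunk of the top-level `Dockerfile`. The RUN instruction starts above this hunk, so the Helm install earlier in the chain is not visible here and may need the same treatment.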
@@ -26,12 +25,7 @@ RUN : INSTALL APT REQUIREMENTS \ && curl -fsSLO https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl \ && chmod +x ./kubectl \ && mv ./kubectl /usr/local/bin/kubectl \ - && kubectl version --client \ - && : INSTALL ISTIOCTL BINARY \ - && curl -fsSLO https://github.com/istio/istio/releases/download/${ISTIOCTL_VERSION}/istioctl-${ISTIOCTL_VERSION}-linux-amd64.tar.gz \ - && tar -xzof istioctl-${ISTIOCTL_VERSION}-linux-amd64.tar.gz -C /usr/local/bin istioctl \ - && rm istioctl-${ISTIOCTL_VERSION}-linux-amd64.tar.gz \ - && chmod +x /usr/local/bin/istioctl \ + && kubectl version --client \ && : INSTALL GEM REQUIREMENTS \ && gem install \ diff --git a/ansible/playbooks/roles/applications/tasks/applications/istio/deploy-istio-operator.yml b/ansible/playbooks/roles/applications/tasks/applications/istio/deploy-istio-operator.yml deleted file mode 100644 index 05d513a5a5..0000000000 --- a/ansible/playbooks/roles/applications/tasks/applications/istio/deploy-istio-operator.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- - -- name: Decide if internal docker registry will be used - set_fact: - use_epiphany_image_registry: >- - {{ (not _k8s_as_cloud_service) and _use_local_image_registry }} - vars: - # Be extra paranoid - _k8s_as_cloud_service: >- - {{ k8s_as_cloud_service | bool }} - # Enable by default - _use_local_image_registry: >- - {{ (data.use_local_image_registry is undefined) or (data.use_local_image_registry | bool) }} - -- name: Init istio operator - command: istioctl operator init {{ _init_args | join(' ') }} - vars: - _common_args: - - --istioNamespace={{ data.namespaces.istio }} - - --operatorNamespace={{ data.namespaces.operator }} - - --watchedNamespaces={{ data.namespaces.watched | join(',') }} - _hub_arg: --hub={{ image_registry_address }}/istio - _init_args: >- - {{ _common_args + [ _hub_arg ] if (use_epiphany_image_registry) else - _common_args }} 
diff --git a/ansible/playbooks/roles/applications/tasks/applications/istio/main.yml b/ansible/playbooks/roles/applications/tasks/applications/istio/main.yml deleted file mode 100644 index 14ae5f6a0a..0000000000 --- a/ansible/playbooks/roles/applications/tasks/applications/istio/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -- name: Deploy Istio operator - include_tasks: deploy-istio-operator.yml - -- name: Deploy Istio - include_tasks: deploy-k8s-app.yml - vars: - app_dir_name: "{{ data.name }}" diff --git a/ansible/playbooks/roles/applications/templates/istio/00-namespace.yml.j2 b/ansible/playbooks/roles/applications/templates/istio/00-namespace.yml.j2 deleted file mode 100644 index fe8220374a..0000000000 --- a/ansible/playbooks/roles/applications/templates/istio/00-namespace.yml.j2 +++ /dev/null @@ -1,14 +0,0 @@ -{% for namespace in data.namespaces.watched %} ---- -apiVersion: v1 -kind: Namespace -metadata: - name: {{ namespace }} -{% endfor %} -{% if data.namespaces.istio not in data.namespaces.watched %} ---- -apiVersion: v1 -kind: Namespace -metadata: - name: {{ data.namespaces.istio }} -{% endif %} diff --git a/ansible/playbooks/roles/applications/templates/istio/01-profile.yml.j2 b/ansible/playbooks/roles/applications/templates/istio/01-profile.yml.j2 deleted file mode 100644 index 76e5728253..0000000000 --- a/ansible/playbooks/roles/applications/templates/istio/01-profile.yml.j2 +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - namespace: {{ data.namespaces.watched[0] }} - name: {{ data.istio_spec.name }} -spec: - profile: {{ data.istio_spec.profile }} -{% if use_epiphany_image_registry %} - hub: {{ image_registry_address }}/istio -{% endif %} - values: - global: - istioNamespace: {{ data.namespaces.istio }} diff --git a/ansible/playbooks/roles/preflight/defaults/main.yml b/ansible/playbooks/roles/preflight/defaults/main.yml index 129df20b77..fba5d9f83c 100644 
--- a/ansible/playbooks/roles/preflight/defaults/main.yml +++ b/ansible/playbooks/roles/preflight/defaults/main.yml @@ -17,7 +17,6 @@ supported_oses: unsupported_apps: x86_64: [] aarch64: - - istio - pgbouncer - pgpool diff --git a/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.x86_64.txt b/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.x86_64.txt index ec19ff95d2..2f384fb0f0 100644 --- a/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.x86_64.txt +++ b/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.x86_64.txt @@ -205,10 +205,6 @@ registry:2 # applications bitnami/pgpool:4.2.4 bitnami/pgbouncer:1.16.0 -# istio -istio/pilot:1.8.1 -istio/proxyv2:1.8.1 -istio/operator:1.8.1 epiphanyplatform/keycloak:14.0.0 rabbitmq:3.8.9 # K8s diff --git a/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.x86_64.txt b/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.x86_64.txt index 930cb9b87b..bd5f2dca66 100644 --- a/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.x86_64.txt +++ b/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.x86_64.txt @@ -203,10 +203,6 @@ registry:2 # applications bitnami/pgpool:4.2.4 bitnami/pgbouncer:1.16.0 -# istio -istio/pilot:1.8.1 -istio/proxyv2:1.8.1 -istio/operator:1.8.1 epiphanyplatform/keycloak:14.0.0 rabbitmq:3.8.9 # K8s diff --git a/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-20.04/requirements.x86_64.txt b/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-20.04/requirements.x86_64.txt index 12b1da7a6f..44e8c0db06 100644 --- a/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-20.04/requirements.x86_64.txt 
+++ b/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-20.04/requirements.x86_64.txt @@ -240,10 +240,7 @@ registry:2 # applications bitnami/pgpool:4.2.4 bitnami/pgbouncer:1.16.0 -# istio -istio/pilot:1.8.1 -istio/proxyv2:1.8.1 -istio/operator:1.8.1 + epiphanyplatform/keycloak:14.0.0 rabbitmq:3.8.9 # K8s diff --git a/docs/home/ARM.md b/docs/home/ARM.md index 6c26cba273..c53945efd7 100644 --- a/docs/home/ARM.md +++ b/docs/home/ARM.md @@ -46,7 +46,6 @@ Besides making sure that the selected providers, operating systems, components a | auth-service | :heavy_check_mark: | | pgpool | :x: | | pgbouncer | :x: | -| istio | :x: | ***Notes*** diff --git a/docs/home/COMPONENTS.md b/docs/home/COMPONENTS.md index 68520484cc..8e564009d3 100644 --- a/docs/home/COMPONENTS.md +++ b/docs/home/COMPONENTS.md @@ -39,7 +39,6 @@ Note that versions are default versions and can be changed in certain cases thro | Pgpool | 4.2.4 | https://www.pgpool.net/ | [License](https://www.pgpool.net/mediawiki/index.php/pgpool-II_License) | | Alertmanager | 0.23.0 | https://github.com/prometheus/alertmanager | [Apache License 2.0](https://github.com/prometheus/alertmanager/blob/master/LICENSE) | | Apache2 | 2.4.29 | https://httpd.apache.org/ | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) | -| Istio | 1.8.1 | https://github.com/istio/istio | [Apache License 2.0](https://github.com/istio/istio/blob/master/LICENSE) | ## Epicli binary dependencies diff --git a/docs/home/SECURITY.md b/docs/home/SECURITY.md index 66ec421967..8673216209 100644 --- a/docs/home/SECURITY.md +++ b/docs/home/SECURITY.md 
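Review bot: The ubuntu-20.04 list ends up with an empty line between `bitnami/pgbouncer:1.16.0` and `epiphanyplatform/keycloak:14.0.0`, which the centos-7 and redhat-7 lists do not get (their hunks shrink from 10 lines to 6, this one to 7). Dropping the added blank `+` line would keep the three image lists identical in this section. Whether the download-requirements script tolerates empty lines is not visible from this diff, so that is worth confirming if the line is kept.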
@@ -129,11 +129,11 @@ different values. The list does not include ports that are bound to the loopback - 80 - deb/rpm package repository (httpd is stopped at the end of installation) - 5000 - Docker image registry - + ### Connection protocols and ciphers used by components in Epiphany Below you can find list of cipersuites and protocols used for communication set in Epiphany on per component basis. This -doesn't contain information about potentially deprecated components: Apache Ignite, Istio. +doesn't contain information about potentially deprecated components: Apache Ignite,. 1. OS services: diff --git a/docs/home/howto/ISTIO.md b/docs/home/howto/ISTIO.md deleted file mode 100644 index d5ba0a5c52..0000000000 --- a/docs/home/howto/ISTIO.md +++ /dev/null 
@@ -1,115 +0,0 @@ -## Istio - -Open source platform which allows you to run service mesh for distributed microservice architecture. It allows to connect, manage and run secure connections between microservices and brings lots of features such as load balancing, monitoring and service-to-service authentication without any changes in service code. Read more about Istio [here](https://istio.io/latest/docs/concepts/what-is-istio/). - -### Installing Istio - -Istio in Epiphany is provided as K8s application. By default, it is not installed. To deploy it you need to add "configuration/applications" document to your configuration yaml file, similar to the example below (`enabled` flag must be set as `true`): - -Istio is installed using Istio Operator. Operator is a software extension to the Kubernetes API which has a deep knowledge how Istio deployments should look like and how to react if any problem appears. It is also very easy to make upgrades and automate tasks that would normally be executed by user/admin. - -```yaml ---- -kind: configuration/applications -version: 0.8.0 -title: "Kubernetes Applications Config" -provider: aws -name: default -specification: - applications: - ... - -## --- istio --- - - - name: istio - enabled: true - use_local_image_registry: true - namespaces: - operator: istio-operator # namespace where operator will be deployed - watched: # list of namespaces which operator will watch - - istio-system - istio: istio-system # namespace where Istio control plane will be deployed - istio_spec: - profile: default # Check all possibilites https://istio.io/latest/docs/setup/additional-setup/config-profiles/ - name: istiocontrolplane - -``` - -Using this configuration file, controller will detect Istio Operator resource in first of watched namespaces and will install Istio components corresponding to the specified profile (default). Using the default profile, Istio control plane and Istio ingress gateway will be deployed in istio-system namespace. 
- -### How to set up service mesh for an application - -The default Istio installation uses automcatic sidecar injection. You need to label the namespace where application will be hosted: - -```bash -kubectl label namespace default istio-injection=enabled -``` - -Once the proper namespaces are labeled and Istio is deployed, you can deploy your applications or restart existing ones. - -You may need to make an application accessible from outside of your Kubernetes cluster. An Istio Gateway which was deployed using default profile is used for this purpose. Define the ingress gateway deploying gateway and virtual service specification. The gateway specification describes the L4-L6 properties of a load balancer and the virtual service specification describes the L7 properties of a load balancer. - -Example of the gateway and virtual service specification (You have to adapt the entire specification to the application): - -[Gateway](https://istio.io/latest/docs/reference/config/networking/gateway/): - -```yaml -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: httpbin-gateway -spec: - selector: - istio: ingressgateway # use Istio default gateway implementation - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "httpbin.example.com" -``` - -[Virtual Service](https://istio.io/latest/docs/reference/config/networking/virtual-service/): - -```yaml -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: httpbin -spec: - hosts: - - "httpbin.example.com" - gateways: - - httpbin-gateway - http: - - match: - - uri: - prefix: /status - - uri: - prefix: /delay - route: - - destination: - port: - number: 8000 - host: httpbin -``` - -:warning: Pay attention to the network policies in your cluster if a CNI plugin is used that supports them (such as Calico or Canal). 
In this case, you should set up secure network policies for inter-microservice communication and communication between Envoy proxy and Istio control plane in your application's namespace. You can also just apply the following `NetworkPolicy`: - -```yaml -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - namespace: - name: allow-istio-communication -spec: - podSelector: {} - egress: - - {} - ingress: - - {} - policyTypes: - - Egress - - Ingress -``` diff --git a/docs/home/howto/KUBERNETES.md b/docs/home/howto/KUBERNETES.md index 7868d9e34f..c3d3d452b1 100644 --- a/docs/home/howto/KUBERNETES.md +++ b/docs/home/howto/KUBERNETES.md @@ -37,7 +37,6 @@ Currently, Epiphany provides the following predefined applications which may be - auth-service (Keycloak) - pgpool - pgbouncer -- istio All of them have [default configuration](https://github.com/epiphany-platform/epiphany/blob/develop/schema/common/defaults/configuration/applications.yml). diff --git a/docs/home/howto/UPGRADE.md b/docs/home/howto/UPGRADE.md index df25107313..9e387611d0 100644 --- a/docs/home/howto/UPGRADE.md +++ b/docs/home/howto/UPGRADE.md 
@@ -328,39 +328,6 @@ Before K8s version upgrade make sure that deprecated API versions are not used: - [v1.21](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md) - [v1.22](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.22.md) -### Upgrade - ---- -**NOTE** - -If the K8s cluster that is going to be upgraded has the Istio control plane application deployed, issues can occur. The -default [profiles](https://istio.io/latest/docs/setup/additional-setup/config-profiles/) we currently support for -installing Istio only deploy a single replica for the control services with a `PodDisruptionBudgets` value of 0. This -will result in the following error while draining pods during an upgrade: - -```shell -Cannot evict pod as it would violate the pods disruption budget. -``` - -As we currently don't support any kind of advanced configuration of the Istio control plane components outside the -default profiles, we need to scale up all components manually before the upgrade. This can be done with the following -command: - -```shell -kubectl scale deploy -n istio-system --replicas=2 --all -``` - -After the upgrade, the deployments can be scaled down to the original capacity: - -```shell -kubectl scale deploy -n istio-system --replicas=1 --all -``` - -**Note: The ```istio-system``` namespace value is the default value and should be set to whatever is being used in the -Istio application configuration.** - ---- - ## PostgreSQL upgrade --- diff --git a/schema/common/defaults/configuration/applications.yml b/schema/common/defaults/configuration/applications.yml index 2c97d74029..8456d5661e 100644 --- a/schema/common/defaults/configuration/applications.yml +++ b/schema/common/defaults/configuration/applications.yml 
@@ -151,17 +151,3 @@ specification: RESERVE_POOL_SIZE: 25 POOL_MODE: session CLIENT_IDLE_TIMEOUT: 0 - -## --- istio --- - - - name: istio - enabled: false - use_local_image_registry: true - namespaces: - operator: istio-operator # namespace where operator will be deployed - watched: # list of namespaces which operator will watch - - istio-system - istio: istio-system # namespace where istio control plane will be deployed - istio_spec: - profile: default # Check all possibilities https://istio.io/latest/docs/setup/additional-setup/config-profiles/ - name: istiocontrolplane diff --git a/schema/common/defaults/configuration/image-registry.yml b/schema/common/defaults/configuration/image-registry.yml index e79ab198ac..7cb98c3958 100644 --- a/schema/common/defaults/configuration/image-registry.yml +++ b/schema/common/defaults/configuration/image-registry.yml @@ -17,12 +17,6 @@ specification: file_name: dashboard-v2.3.1.tar - name: "kubernetesui/metrics-scraper:v1.0.7" file_name: metrics-scraper-v1.0.7.tar - - name: "istio/proxyv2:1.8.1" - file_name: proxyv2-1.8.1.tar - - name: "istio/pilot:1.8.1" - file_name: pilot-1.8.1.tar - - name: "istio/operator:1.8.1" - file_name: operator-1.8.1.tar # postgres - name: bitnami/pgpool:4.2.4 file_name: pgpool-4.2.4.tar diff --git a/schema/common/validation/configuration/applications.yml b/schema/common/validation/configuration/applications.yml index 958a8399f1..4867cad707 100644 --- a/schema/common/validation/configuration/applications.yml +++ b/schema/common/validation/configuration/applications.yml @@ -324,12 +324,3 @@ properties: type: array items: - type: string - istio: - type: string - istio_spec: - type: object - properties: - profile: - type: string - name: - type: string