{"id":19796606,"url":"https://github.com/drabo/istio","last_synced_at":"2025-05-01T03:31:00.536Z","repository":{"id":112837647,"uuid":"194864188","full_name":"drabo/istio","owner":"drabo","description":"How to install Istio on a Minkube Kubernetes local cluster","archived":false,"fork":false,"pushed_at":"2024-04-25T09:54:40.000Z","size":22,"stargazers_count":5,"open_issues_count":0,"forks_count":4,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-04-06T08:13:45.147Z","etag":null,"topics":["cluster","ingress","istio","kubernetes","minikube","nginx","reverse-proxy"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/drabo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2019-07-02T13:02:31.000Z","updated_at":"2024-11-29T14:32:14.000Z","dependencies_parsed_at":"2023-05-31T10:45:31.030Z","dependency_job_id":null,"html_url":"https://github.com/drabo/istio","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drabo%2Fistio","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drabo%2Fistio/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drabo%2Fistio/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drabo%2Fistio/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/drabo","download_url":"https://codeload.github.com/drabo/istio/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251817934,"owners_count":21648835,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cluster","ingress","istio","kubernetes","minikube","nginx","reverse-proxy"],"created_at":"2024-11-12T07:20:35.913Z","updated_at":"2025-05-01T03:31:00.278Z","avatar_url":"https://github.com/drabo.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Install Istio on a Minkube Kubernetes local cluster #\n\nIn the following document you will find several terms like:\n\n- Kubernetes cluster\n- Minikube cluster\n- Kubernetes local cluster\n- Cluster\n\nAll these terms refer to the same thing that is the Kubernetes cluster containing one node hosted on a local VirtualBox VM, created and managed with the CLI tool called Minikube.\n\n## Preparation ##\n\n### Virtual Machine resources ###\n\nIstio running on Minikube will need additional resources on top of what is instaled by default with `minikube start` (2CPU and 4GB RAM).\n\nIstio recommends on their [site](https://istio.io/docs/setup/kubernetes/platform-setup/minikube/) a cluster with 4CPU and 16GB RAM but I managed to install it on a Minikube cluster with **2CPU and 8GB RAM** and it worked with one sample application as seen below.\n\nAs your Minikube cluster will grow then you will surely need more resources.\n\n## Installation ##\n\n### Download latest Istio package ###\n\nThe following command will download and unpack Istio:\n\n```shell\ncurl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.2.4 sh -\n```\n\nIstio documentation: https://istio.io/docs/setup/kubernetes/\n\nThe directory contains several directories. You will use scripts from *install* and *samples*.\n\n```shell\ncd istio-1.2.4\n\n$ ls -lA\ntotal 33\ndrwxr-xr-x+ 1 bond None     0 Jun 19 00:46 bin\ndrwxr-xr-x+ 1 bond None     0 Jun 19 00:46 install\n-rw-r--r--  1 bond None   602 Jun 19 00:46 istio.VERSION\n-rw-r--r--  1 bond None 11343 Jun 19 00:46 LICENSE\n-rw-r--r--  1 bond None  6220 Jun 19 00:46 README.md\ndrwxr-xr-x+ 1 bond None     0 Jun 19 00:46 samples\ndrwxr-xr-x+ 1 bond None     0 Jun 19 00:46 tools\n```\n\n### Create dedicated namespace for Istio ###\n\n```shell\nkubectl create namespace istio-system\n```\n\n### Install Istio components ###\n\n```shell\nkubectl apply -f install/kubernetes/istio-demo.yaml\n```\n\n### Checks to be made ###\n\nCheck that CRDs are deployed.\nThey should be either 23 or 28 if cert-manager is enabled.\n\n```shell\nkubectl get crds | grep 'istio.io\\|certmanager.k8s.io' | wc -l\n```\n\nCheck Istio services:\n\n```shell\nkubectl -n istio-system get svc\n```\n\nCheck Istio pods:\n\n```shell\nkubectl -n istio-system get pods\n```\n\n## Application deployment ##\n\nYou may use a demo application provided by Istio or you may deploy your own application.\n\n### Deploy demo application ###\n\nThe application is called **httpbin** and is provided in the directory samples.\n\n#### Create namespace httpbin ####\n\nIstio does not create a dedicated namespace for it but you will do this:\n\n```shell\nkubectl create namespace httpbin\n```\n\n#### Apply istio-injection label to namespace httpbin ####\n\nApply `istio-injection` label to the new namespace in order to make Istio aware that it should manage the traffic of the applications residing into this namespace:\n\n```shell\nkubectl label namespace httpbin istio-injection=enabled\n```\n\n#### Deploy the httpbin application ####\n\nDeploy the application into the dedicated namespace:\n\n```shell\nkubectl -n httpbin apply -f samples/httpbin/httpbin.yaml\n```\n\n#### Check the service created ####\n\n```shell\n$ kubectl -n httpbin describe svc/httpbin\n\nName:              httpbin\nNamespace:         httpbin\nLabels:            app=httpbin\nAnnotations:       kubectl.kubernetes.io/last-applied-configuration:\n                     {\"apiVersion\":\"v1\",\"kind\":\"Service\",\"metadata\":{\"annotations\":{},\"labels\":{\"app\":\"httpbin\"},\"name\":\"httpbin\",\"namespace\":\"httpbin\"},\"spec\"...\nSelector:          app=httpbin\nType:              ClusterIP\nIP:                10.109.227.242\nPort:              http  8000/TCP\nTargetPort:        80/TCP\nEndpoints:         172.17.0.33:80\nSession Affinity:  None\nEvents:            \u003cnone\u003e\n```\n\nYou may observe first 2 lines with the service name and the namespace. These 2 items will be modified into the script that creates the Istio gateway and virtual service (see next).\n\n#### Modify the gateway and virtual service script ####\n\nThe file [httpbin-gateway.yaml](httpbin-gateway.yaml) from samples should be modified to reflect the deployment into *httpbin* namespace and to use a local domain name for the application.\n\nThe destination.host is composed as follows: `servicename.namespace.svc.cluster.local`\n\nIn our case it will be **httpbin.httpbin.svc.cluster.local**.\n\nThe suffix `.svc.cluster.local` may be skipped as the cluster should resolve it but it is safer to put it there.\n\n#### Deploy the gateway and virtual service ####\n\nApply the changes from [`httpbin-gateway.yaml`](httpbin-gateway.yaml):\n\n```shell\nkubectl apply -f httpbin-gateway.yaml\n```\n\n### Check demo application ###\n\nThe application may be checked with a CLI tool or with a browser.\n\n#### Check httpbin application with CLI tool ####\n\n```shell\n$ curl -I -HHost:httpbin.local http://cluster:31380\n\nHTTP/1.1 200 OK\nserver: istio-envoy\ndate: Fri, 21 Jun 2019 01:03:16 GMT\ncontent-type: text/html; charset=utf-8\ncontent-length: 9593\naccess-control-allow-origin: *\naccess-control-allow-credentials: true\nx-envoy-upstream-service-time: 30\n```\n\nYou may observe in the command that we use:\n\n- header: `Host` with the value `httpbin.local`\n  - **httpbin.local** is the value in the local domain that we used as host for our application in the script [`httpbin-gateway.yaml`](httpbin-gateway.yaml). This may be replaced with the domain name used for the application (e.g. httpbin.sample.com) in the real life.\n- protocol: http\n  - we use HTTP in this example for simplicity\n- host: cluster\n  - this is the name of Minikube cluster that is added to /etc/hosts with the following command:\n\n    ```shell\n    echo -e \"\\n\"$(minikube ip)\" cluster\" | sudo tee -a /etc/hosts\n    ```\n\n- port: 31380\n  - this is the port exposed by Istio for HTTP as seen below the node port for *http2*:\n\n    ```shell\n    $ kubectl -n istio-system describe svc/istio-ingressgateway|grep NodePort\n\n    NodePort:                 status-port  31377/TCP\n    NodePort:                 http2  31380/TCP\n    NodePort:                 https  31390/TCP\n    NodePort:                 tcp  31400/TCP\n    NodePort:                 https-kiali  30737/TCP\n    NodePort:                 https-prometheus  32649/TCP\n    NodePort:                 https-grafana  32058/TCP\n    NodePort:                 https-tracing  32597/TCP\n    NodePort:                 tls  32722/TCP\n    ```\n\nThe application *httpbin* is able to reply also with other HTTP status codes.\nExamples below:\n\n```shell\n$ curl -I -HHost:httpbin.local http://cluster:31380/status/301\n\nHTTP/1.1 301 Moved Permanently\nserver: istio-envoy\ndate: Fri, 21 Jun 2019 01:28:44 GMT\nlocation: /redirect/1\naccess-control-allow-origin: *\naccess-control-allow-credentials: true\ncontent-length: 0\nx-envoy-upstream-service-time: 2\n```\n\n```shell\n$ curl -I -HHost:httpbin.local http://cluster:31380/status/404\n\nHTTP/1.1 404 Not Found\nserver: istio-envoy\ndate: Fri, 21 Jun 2019 01:28:52 GMT\ncontent-type: text/html; charset=utf-8\naccess-control-allow-origin: *\naccess-control-allow-credentials: true\ncontent-length: 0\nx-envoy-upstream-service-time: 2\n```\n\n#### Check httpbin application with browser ####\n\nIn order to check the application with a browser you need to send also the header *Host*.\nIn order to do this you need to install an extension/addon to your browser.\n\nYou may use the extension/addon `ModHeader` that is available for Chrome and Firefox and also other browsers using these engines (e.g. Vivaldi, Opera, Brave).\n\nIn ModHeader you should set the header `Host` with the value `httpbin.local` and access the page [http://cluster:31380](http://cluster:31380).\n\nIstio documentation: https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/\n\n## Reverse proxy ##\n\nIn order to make an easier way to access the web application, we may create a reverse proxy to work together with the Istio gateway. In this way you won't need to forward headers using browser extension/addon as described above.\n\nWith the script [reverse-proxy.yaml](reverse-proxy.yaml) you will create the reverse proxy components:\n\n- an Nginx configured to forward all HTTP traffic addressed to any application `*.local` towards Istio HTTP service. The Nginx will forward also the header *Host* that is necessary in Istio to route the traffic to the proper application.\n- a service and an ingress that will collect all HTTP trafic to `*.local`\n\nIn reverse-proxy.yaml you may want to modify the version of Nginx to the latest or according to your needs.\n\n```shell\n$ kubectl apply -f reverse-proxy.yaml\n\nnamespace/reverse-proxy created\nconfigmap/nginx-conf created\ndeployment.extensions/reverse-proxy created\nservice/nginx-service created\ningress.extensions/nginx-ingress created\n```\n\nMake sure you add `httpbin.local` in your /etc/hosts\n\n```shell\necho -e \"\\n\"$(minikube ip)\" httpbin.local\" | sudo tee -a /etc/hosts\n```\n\nNow you are able to access the application *httpbin* in browser: http://httpbin.local\n\n## Install Istio with istioctl ##\n\n### Copy istioctl to a dir in PATH ###\n\nYou will find it in `istio-1.x.y/bin/`\n\nThe destination path may be `/usr/local/bin/istioctl`\n\n### Auto completion ###\n\nCopy `istio-1.x.y/tools/istioctl.bash` in a location like `$HOME/.local/bin/istioctl.bash`\n\nAdd in .bashrc the line:\n\n```shell\nsource $HOME/.local/bin/istioctl.bash\n```\n\n### List available installation profiles ###\n\n```shell\n$ istioctl profile list\nIstio configuration profiles:\n    default\n    demo\n    empty\n    minimal\n    openshift\n    preview\n    remote\n```\n\n### Get profile details ###\n\n```shell\nistioctl profile dump default\n```\n\n### Install profile default ###\n\n```shell\nistioctl install --set profile=default\n```\n\nMore details at:\n\n\u003chttps://istio.io/latest/docs/setup/install/istioctl/\u003e\n\n## Upgrade Istio with istioctl ##\n\nDownload the `istioctl` target version for the upgrade from https://github.com/istio/istio/releases\n\n\u003eThe installed Istio version is no more than one minor version less than the upgrade version. For example, 1.6.0 or higher is required before you start the upgrade process to 1.7.x.\n\nThe upgrade commands should be run using the new version of `istioctl`.\n\nCheck current installation:\n\n```shell\n$ istioctl x precheck \n✔ No issues found when checking the cluster. Istio is safe to install or upgrade!\n  To get started, check out https://istio.io/latest/docs/setup/getting-started/\n```\n\n\u003eTraffic disruption may occur during the upgrade process. To minimize the disruption, ensure that at least two replicas of `istiod` are running. Also, ensure that `PodDisruptionBudgets` are configured with a minimum availability of 1.\n\nThe **in-place upgrade**\n\nYou need to provide in command line the same `set` parameters provided at installation.\nIf in the installation process was used `--set profile=default` then it should be used also in the upgrade.\n\n```shell\n$ istioctl upgrade --set profile=default\nThis will install the Istio 1.15.0 default profile with [\"Istio core\" \"Istiod\" \"Ingress gateways\"] components into the cluster. Proceed? (y/N) y\n✔ Istio core installed    \n✔ Istiod installed         \n✔ Ingress gateways installed\n✔ Installation complete\nMaking this installation the default for injection and validation.\n```\n\nMore about the upgrade CLI parameters on https://istio.io/latest/docs/reference/commands/istioctl/#istioctl-upgrade\n\nCheck after upgrade:\n\n```shell\n$ istioctl verify-install\n1 Istio control planes detected, checking --revision \"default\" only\n✔ ClusterRole: istiod-istio-system.istio-system checked successfully\n✔ ClusterRole: istio-reader-istio-system.istio-system checked successfully\n✔ ClusterRoleBinding: istio-reader-istio-system.istio-system checked successfully\n✔ ClusterRoleBinding: istiod-istio-system.istio-system checked successfully\n✔ ServiceAccount: istio-reader-service-account.istio-system checked successfully\n✔ Role: istiod-istio-system.istio-system checked successfully\n✔ RoleBinding: istiod-istio-system.istio-system checked successfully\n✔ ServiceAccount: istiod-service-account.istio-system checked successfully\n✔ CustomResourceDefinition: wasmplugins.extensions.istio.io.istio-system checked successfully\n✔ CustomResourceDefinition: destinationrules.networking.istio.io.istio-system checked successfully\n✔ CustomResourceDefinition: envoyfilters.networking.istio.io.istio-system checked successfully\n✔ CustomResourceDefinition: gateways.networking.istio.io.istio-system checked successfully\n✔ CustomResourceDefinition: proxyconfigs.networking.istio.io.istio-system checked successfully\n✔ CustomResourceDefinition: serviceentries.networking.istio.io.istio-system checked successfully\n✔ CustomResourceDefinition: sidecars.networking.istio.io.istio-system checked successfully\n✔ CustomResourceDefinition: virtualservices.networking.istio.io.istio-system checked successfully\n✔ CustomResourceDefinition: workloadentries.networking.istio.io.istio-system checked successfully\n✔ CustomResourceDefinition: workloadgroups.networking.istio.io.istio-system checked successfully\n✔ CustomResourceDefinition: authorizationpolicies.security.istio.io.istio-system checked successfully\n✔ CustomResourceDefinition: peerauthentications.security.istio.io.istio-system checked successfully\n✔ CustomResourceDefinition: requestauthentications.security.istio.io.istio-system checked successfully\n✔ CustomResourceDefinition: telemetries.telemetry.istio.io.istio-system checked successfully\n✔ CustomResourceDefinition: istiooperators.install.istio.io.istio-system checked successfully\n✔ HorizontalPodAutoscaler: istiod.istio-system checked successfully\n✔ ClusterRole: istiod-clusterrole-istio-system.istio-system checked successfully\n✔ ClusterRole: istiod-gateway-controller-istio-system.istio-system checked successfully\n✔ ClusterRoleBinding: istiod-clusterrole-istio-system.istio-system checked successfully\n✔ ClusterRoleBinding: istiod-gateway-controller-istio-system.istio-system checked successfully\n✔ ConfigMap: istio.istio-system checked successfully\n✔ Deployment: istiod.istio-system checked successfully\n✔ ConfigMap: istio-sidecar-injector.istio-system checked successfully\n✔ MutatingWebhookConfiguration: istio-sidecar-injector.istio-system checked successfully\n✔ PodDisruptionBudget: istiod.istio-system checked successfully\n✔ ClusterRole: istio-reader-clusterrole-istio-system.istio-system checked successfully\n✔ ClusterRoleBinding: istio-reader-clusterrole-istio-system.istio-system checked successfully\n✔ Role: istiod.istio-system checked successfully\n✔ RoleBinding: istiod.istio-system checked successfully\n✔ Service: istiod.istio-system checked successfully\n✔ ServiceAccount: istiod.istio-system checked successfully\n✔ EnvoyFilter: stats-filter-1.13.istio-system checked successfully\n✔ EnvoyFilter: tcp-stats-filter-1.13.istio-system checked successfully\n✔ EnvoyFilter: stats-filter-1.14.istio-system checked successfully\n✔ EnvoyFilter: tcp-stats-filter-1.14.istio-system checked successfully\n✔ EnvoyFilter: stats-filter-1.15.istio-system checked successfully\n✔ EnvoyFilter: tcp-stats-filter-1.15.istio-system checked successfully\n✔ ValidatingWebhookConfiguration: istio-validator-istio-system.istio-system checked successfully\n✔ HorizontalPodAutoscaler: istio-ingressgateway.istio-system checked successfully\n✔ Deployment: istio-ingressgateway.istio-system checked successfully\n✔ PodDisruptionBudget: istio-ingressgateway.istio-system checked successfully\n✔ Role: istio-ingressgateway-sds.istio-system checked successfully\n✔ RoleBinding: istio-ingressgateway-sds.istio-system checked successfully\n✔ Service: istio-ingressgateway.istio-system checked successfully\n✔ ServiceAccount: istio-ingressgateway-service-account.istio-system checked successfully\nChecked 15 custom resource definitions\nChecked 2 Istio Deployments\n✔ Istio is installed and verified successfully\n```\n\nMore about `in-place upgrade` on https://istio.io/latest/docs/setup/upgrade/in-place/\n\nThere is also the `canary upgrade` option: https://istio.io/latest/docs/setup/upgrade/canary/\n\n## Uninstall Istio ##\n\n```shell\nistioctl x uninstall --purge\n```\n\n```shell\nkubectl delete namespace istio-system\n```\n\n## Istio for ARM64 ##\n\nStarting with Istio version 1.15 (9-aug-2022) there are ARM64 images provided by Istio:\n\nCheck https://hub.docker.com/r/istio/proxyv2/tags\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdrabo%2Fistio","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdrabo%2Fistio","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdrabo%2Fistio/lists"}