Basic setup for istio sidecar auto injection 07/53207/5
authorQiLiang <liangqi1@huawei.com>
Wed, 7 Mar 2018 06:45:30 +0000 (14:45 +0800)
committerQiLiang <liangqi1@huawei.com>
Thu, 8 Mar 2018 01:09:03 +0000 (09:09 +0800)
To enable auto sidecar injection on a specific namespace,
you only need to label the namespace with `istio-injection=enabled`, e.g.:
    kubectl label namespace default istio-injection=enabled

For details please refer:
    https://istio.io/docs/setup/kubernetes/sidecar-injection.html#automatic-sidecar-injection

Change-Id: I2059aa0be2ab3f4f942342850d286281c5f940d4
Signed-off-by: QiLiang <liangqi1@huawei.com>
src/vagrant/kubeadm_istio/istio/deploy.sh
src/vagrant/kubeadm_istio/master_setup.sh

index 051497c..3dd1426 100755 (executable)
@@ -37,15 +37,30 @@ source ~/.bashrc
 
 kubectl apply -f install/kubernetes/istio.yaml
 
+# Install the sidecar injection configmap
+./install/kubernetes/webhook-create-signed-cert.sh \
+    --service istio-sidecar-injector \
+    --namespace istio-system \
+    --secret sidecar-injector-certs
+kubectl apply -f install/kubernetes/istio-sidecar-injector-configmap-release.yaml
+
+# Install the sidecar injector webhook
+cat install/kubernetes/istio-sidecar-injector.yaml | \
+     ./install/kubernetes/webhook-patch-ca-bundle.sh > \
+     install/kubernetes/istio-sidecar-injector-with-ca-bundle.yaml
+kubectl apply -f install/kubernetes/istio-sidecar-injector-with-ca-bundle.yaml
+kubectl -n istio-system get deployment -listio=sidecar-injector
+
 # Validate the installation
 kubectl get svc -n istio-system
 kubectl get pods -n istio-system
+kubectl get namespace -L istio-injection
 
-r="0"
-while [ $r -ne "4" ]
+r="1"
+while [ $r -ne "0" ]
 do
    kubectl get pods -n istio-system
-   r=$(kubectl get pods -n istio-system | grep Running | wc -l)
+   r=$(kubectl get pods -n istio-system | egrep -v 'NAME|Running' | wc -l)
    sleep 60
 done
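Review bot: The rewritten wait loop treats an empty pod listing as success: `egrep -v 'NAME|Running' | wc -l` yields 0 when `kubectl get pods` fails or the namespace has no pods yet, so the script can move on before the sidecar injector and the rest of istio-system are up. The loop also has no upper bound and sleeps a full 60 seconds after the last check, and a `Running` status reflects the pod phase rather than container readiness. I would capture the listing first, treat a failed or empty listing as not ready, and count only the lines that are not `Running`, as below. The comment `# Install the sidecar injection configmap` sits above the certificate step; `# Create the injector's TLS secret, then install its configmap` would describe both commands.

```shell
# … unchanged: injector install and validation listing …
r="1"
while [ "$r" -ne 0 ]
do
   sleep 10
   # A failed or empty listing means "not ready yet", not "nothing pending".
   pods=$(kubectl get pods -n istio-system --no-headers) || continue
   [ -n "$pods" ] || continue
   r=$(printf '%s\n' "$pods" | grep -cv Running || true)
done
```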
 
index b181582..f308244 100644 (file)
@@ -2,9 +2,32 @@
 
 set -ex
 
+ADMISSION_CONTROL="Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota"
+KUBE_APISERVER_CONF="/etc/kubernetes/manifests/kube-apiserver.yaml"
+
 sudo kubeadm init --apiserver-advertise-address=192.168.1.10  --service-cidr=10.96.0.0/16 --pod-network-cidr=10.32.0.0/12 --token 8c5adc.1cec8dbf339093f0
 mkdir ~/.kube
 sudo cp /etc/kubernetes/admin.conf $HOME/.kube/config
 sudo chown $(id -u):$(id -g) $HOME/.kube/config
 
 kubectl apply -f http://git.io/weave-kube-1.6
+
+# Enable mutating webhook admission controller
+# kube-apiserver will be automatically restarted by kubelet when its manifest file update.
+# https://istio.io/docs/setup/kubernetes/sidecar-injection.html
+sudo sed -i "s/admission-control=.*/admission-control=$ADMISSION_CONTROL/g" $KUBE_APISERVER_CONF
+
+set +e
+# wait for kube-apiserver restart
+r="1"
+while [ $r -ne "0" ]
+do
+   sleep 2
+   kubectl version > /dev/null
+   r=$?
+done
+set -e
+
+# check if admissionregistration.k8s.io/v1beta1 API is enabled
+kubectl api-versions | grep admissionregistration
+
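Review bot: The `sed -i` on the kube-apiserver manifest is a silent no-op when no `admission-control=` line matches, and nothing after it would notice. `kubectl version` can succeed against the API server that is still running before kubelet picks up the manifest change, and `kubectl api-versions | grep admissionregistration` shows that the API group is served, not that the MutatingAdmissionWebhook plugin is enabled. In that case the injector webhook would presumably be registered but never called, and pods in labelled namespaces would start without a sidecar. Since the script runs under `set -ex`, adding `sudo grep -q "admission-control=$ADMISSION_CONTROL" "$KUBE_APISERVER_CONF"` right after the sed would make that failure abort the setup. The replacement also overwrites whatever plugin list kubeadm generated, so a comment stating that the list is pinned on purpose would help at the next Kubernetes upgrade.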