This repo contains an operator for syncing Cloud Map data into Istio by pushing ServiceEntry CRDs to the Kube API server.
- Create an AWS IAM identity with read access to AWS Cloud Map for the operator to use.
- Create a Kubernetes secret with the Access Key ID and Secret Access Key of the identity you just created, in the namespace where you want to deploy the Istio Cloud Map Operator:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: aws-credz
  namespace: istio-system
type: Opaque
data:
  access-key-id: <base64-encoded-IAM-access-key-id>
  secret-access-key: <base64-encoded-IAM-secret-access-key>
```
- Edit the `aws-config` config map in `kubernetes/deployment.yaml` to choose the AWS Cloud Map region to sync with.
- Deploy the Istio Cloud Map Operator:

```sh
$ kubectl apply -f kubernetes/rbac.yaml -f kubernetes/deployment.yaml
```
- Verify that your ServiceEntries have been populated with the information in Cloud Map; there should be one ServiceEntry for every service in Cloud Map:

```sh
$ kubectl get serviceentries
NAME                                       CREATED AT
cloudmap-dev.null.demo.tetrate.io          17h
cloudmap-test-server.cloudmap.tetrate.io   17h

$ kubectl get serviceentries cloudmap-test-server.cloudmap.tetrate.io -o yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: cloudmap-test-server.cloudmap.tetrate.io
  namespace: default
spec:
  addresses:
  - 172.31.37.168
  endpoints:
  - address: 172.31.37.168
    ports:
      http: 80
      https: 443
  hosts:
  - test-server.cloudmap.tetrate.io
  ports:
  - name: http
    number: 80
    protocol: HTTP
  - name: https
    number: 443
    protocol: HTTPS
  resolution: STATIC
```
Note: If you need to be able to resolve your services via DNS (as opposed to making the requests to a random IP and setting the Host header), either enable DNS propagation in your VPC peering configuration or install the Istio CoreDNS plugin.
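As an added illustration (not the operator's own code), the Go snippet below shows the shape of the mapping behind the output above: each Cloud Map service becomes one STATIC ServiceEntry named `cloudmap-<service>.<namespace>`, with the deduplicated instance IPs as its addresses. The `cloudMapInstance` and `serviceEntry` types, the constructed sample input and the fixed http/80 and https/443 ports are assumptions made for this example.

```go
package main

import "sort"

// Constructed stand-in for one Cloud Map instance record (hypothetical type, not the operator's own).
type cloudMapInstance struct {
	Service, Namespace, IPv4 string // service name, Cloud Map namespace, AWS_INSTANCE_IPV4
}

// Minimal mirror of the ServiceEntry fields in the sample output above (not the istio.io/api types).
type serviceEntry struct {
	Name       string            // cloudmap-<host>
	Hosts      []string          // <service>.<namespace>
	Addresses  []string          // deduplicated instance IPs, sorted
	Ports      map[string]uint32 // assumed http/80 and https/443 for every service
	Resolution string            // STATIC: the addresses above are the endpoints
}

// serviceEntriesFor groups instances by host, deduplicates IPs and emits one STATIC entry per host.
func serviceEntriesFor(instances []cloudMapInstance) []serviceEntry {
	ipsByHost := map[string][]string{}
	seen := map[string]bool{}
	for _, in := range instances {
		host := in.Service + "." + in.Namespace
		if !seen[host+"|"+in.IPv4] { // an instance may be registered more than once
			seen[host+"|"+in.IPv4] = true
			ipsByHost[host] = append(ipsByHost[host], in.IPv4)
		}
	}
	var entries []serviceEntry
	for host, addrs := range ipsByHost {
		sort.Strings(addrs)
		entries = append(entries, serviceEntry{
			Name: "cloudmap-" + host, Hosts: []string{host}, Addresses: addrs,
			Ports: map[string]uint32{"http": 80, "https": 443}, Resolution: "STATIC",
		})
	}
	sort.Slice(entries, func(i, j int) bool { return entries[i].Name < entries[j].Name }) // stable order across syncs
	return entries
}

func main() {
	for _, e := range serviceEntriesFor([]cloudMapInstance{ // constructed sample input
		{"test-server", "cloudmap.tetrate.io", "172.31.37.168"},
		{"test-server", "cloudmap.tetrate.io", "172.31.37.168"},
		{"dev", "null.demo.tetrate.io", "10.0.0.5"},
	}) {
		println(e.Name, len(e.Addresses), "address(es)")
	}
}
```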
Build with the makefile by:

```sh
make deps # only needs to be done once
make      # or `make build`
```

Run with:

```sh
make run
```

And produce docker containers via:

```sh
make docker-build
make docker-push
```

You can override the hub and tag using the `CONTAINER_REGISTRY` and `CONTAINER_TAG` environment variables:

```sh
env CONTAINER_REGISTRY=gcr.io/tetratelabs CONTAINER_TAG=v0.1 \
  make docker-push
```

Alternatively, just use `go`:

```sh
dep ensure
go build -o istio-cloud-map github.com/tetratelabs/istio-cloud-map/cmd/istio-cloud-map
```

To run locally:

```sh
make run
# or
make docker-run
```

or via `go`:

```sh
go build -o istio-cloud-map github.com/tetratelabs/istio-cloud-map/cmd/istio-cloud-map
./istio-cloud-map serve --kube-config ~/.kube/config
```

In particular, the controller needs its `--kube-config` flag set to talk to a remote API server. If the flag is not set, the controller assumes it is deployed inside a Kubernetes cluster and attempts to contact the API server directly.