I'm new to Terraform. I need to set up Istio on the AWS EKS cluster. I thought of using Istio-Operator along with Terraform to do the same.
Below is the shell script to install Istio on EKS using Istio-Operator:
install-istio.sh
# Download and install the Istio istioctl client binary
# Specify the Istio version that will be leveraged throughout these instructions
ISTIO_VERSION=1.7.3
curl -sL "https://github.com/istio/istio/releases/download/$ISTIO_VERSION/istioctl-$ISTIO_VERSION-linux-amd64.tar.gz" | tar xz
sudo mv ./istioctl /usr/local/bin/istioctl
sudo chmod +x /usr/local/bin/istioctl
# Install the Istio Operator on EKS
istioctl operator init
# The Istio Operator is installed into the istio-operator namespace. Query the namespace.
kubectl get all -n istio-operator
# Install Istio components
istioctl profile dump default
# Create the istio-system namespace and deploy the Istio Operator Spec to that namespace.
kubectl create ns istio-system
kubectl apply -f istio-operator.yaml
# Validate the Istio installation
kubectl get all -n istio-system
Below is the istio-operator.yaml file used by install-istio.sh
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: istio-control-plane
spec:
# Use the default profile as the base
# More details at: https://istio.io/docs/setup/additional-setup/config-profiles/
profile: default
# Enable the addons that we will want to use
addonComponents:
grafana:
enabled: true
prometheus:
enabled: true
tracing:
enabled: true
kiali:
enabled: true
values:
global:
# Ensure that the Istio pods are only scheduled to run on Linux nodes
defaultNodeSelector:
beta.kubernetes.io/os: linux
kiali:
dashboard:
auth:
strategy: anonymous
Below is the main.tf file which executes the script
resource "null_resource" "install_istio" {
provisioner "local-exec" {
command = "/bin/bash install-istio.sh"
}
}
I request you to help me with few queries:
Thank you very much for your time. Appreciate all your help!
I believe you will encounter problems if using a local-exec provisioner like this.
Terraform does not play nice with resources it cannot reconcile. Especially when it comes to CRDs. Also, every time you will run terraform apply, you will run istioctl init over and over, which is probably not what you want.
What you can do, is to
mkdir -p istio-operator
istio-operator dump > istio-operator/manifests.yaml
istio-operator/kustomization.yaml file with#istio-operator/kustomization.yaml
resources:
- manifests.yaml
kustomization provider# terraform.tf
terraform {
required_providers {
kustomization = {
source = "kbst/kustomization"
version = "0.4.3"
}
}
}
provider "kustomization" {
// See online documentation on how to configure this
}
istio-operator with the terraform kustomization provider# istio-operator.tf
data "kustomization" "istio_operator" {
path = "./istio-operator"
}
resource "kustomization_resource" "istio_operator" {
for_each = data.kustomization.istio_operator.ids
manifest = data.kustomization.istio_operator.manifests[each.value]
}
IstioOperator manifest in istio/manifest.yaml# istio/manifest.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: istio-control-plane
...
istio/kustomization.yaml with# istio/kustomization.yaml
resources:
- manifest.yaml
IstioOperator with a second kustomization resource using terraform.# istio.tf
data "kustomization" "istio" {
path = "./istio"
}
resource "kustomization_resource" "istio" {
for_each = data.kustomization.istio.ids
manifest = data.kustomization.istio.manifests[each.value]
depends_on = [kustomization_resource.istio_operator]
}
I would recommend putting this whole thing in a separate folder, such as this
/home
/project
/terraform
/istio
terraform.tf
istio_operator.tf
istio.tf
/istio
kustomization.yaml
manifest.yaml
/istio-operator
kustomization.yaml
manifest.yaml