Grafana、Prometheus、Kiali 身份验证与 AzureAD 和 istio 内部负载均衡器

Question

I'm deploying istio in azure kubernetes services (AKS) and I have the following question:

Is it possible to deploy istio using an internal load balancer. Looks like it is deployed in Azure with a public load balancer by default. What do I need to change to make it use an internal load balancer?

Answer 1

To answer the second question :

It is possible to add AKS annotation for an internal load balancer according to AKS documentation :

To create an internal load balancer, create a service manifest named internal-lb.yaml with the service type LoadBalancer and the azure-load-balancer-internal annotation as shown in the following example:

 apiVersion: v1 kind: Service metadata: name: internal-app annotations: service.beta.kubernetes.io/azure-load-balancer-internal: "true" spec: type: LoadBalancer ports: - port: 80 selector: app: internal-app

So You can set this annotation by using helm with the following --set:

helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set gateways.istio-ingressgateway.serviceAnnotations.'service\.beta\.kubernetes\.io/azure-load-balancer-internal'="true" > aks-istio.yaml

---

As mentioned in comment You should stick to One question per post as advised here . So I suggest creating second post with other question.

Hope it helps.

---

Update:

For istioctl You can do the following:

1. Generate manifest file for Your istio deployment for this example I used demo profile.

istioctl manifest generate --set profile=demo > istio.yaml

2. Modify the istio.yaml and search for text for type: LoadBalancer .

---


apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    app: istio-ingressgateway
    release: istio
    istio: ingressgateway
spec:
  type: LoadBalancer
  selector:
    app: istio-ingressgateway
  ports:

Add the annotation for the internal load balancer like this:

---


apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  labels:
    app: istio-ingressgateway
    release: istio
    istio: ingressgateway
spec:
  type: LoadBalancer
  selector:
    app: istio-ingressgateway
  ports:

3. After saving changes deploy modified istio.yaml to Your K8s cluster using:

kubectl apply -f istio.yaml

After that You can verify if annotation is present in istio-ingressgateway service .

$ kubectl get svc istio-ingressgateway -n istio-system -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{"service.beta.kubernetes.io/azure-load-balancer-internal":"true"},"labels":{"app":"istio-ingressgateway","istio":"ingressgateway","release":"istio"},"name":"istio-ingressgateway","namespace":"istio-system"},"spec":{"ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"http2","port":80,"targetPort":80},{"name":"https","port":443},{"name":"kiali","port":15029,"targetPort":15029},{"name":"prometheus","port":15030,"targetPort":15030},{"name":"grafana","port":15031,"targetPort":15031},{"name":"tracing","port":15032,"targetPort":15032},{"name":"tls","port":15443,"targetPort":15443}],"selector":{"app":"istio-ingressgateway"},"type":"LoadBalancer"}}
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  creationTimestamp: "2020-01-27T13:51:07Z"

Hope it helps.