
I'm new to the Terraform and Helm world! I need to set up Istio on an AWS EKS cluster. I'm trying to install Istio on top of the EKS cluster using Terraform with Helm as a provider. Below is the Terraform code for the same:

resource "kubernetes_namespace" "istio-system" {
  metadata {
    annotations = {
      name = "istio-namespace"
    }

    labels = {
      mylabel = "label-value"
    }

    name = "istio-namespace"
  }
}

resource "helm_release" "istio_base" {
  name       = "istio-base"
  chart      = "./manifests/charts/base"
  namespace  = "istio-system"
}

resource "helm_release" "istiod" {
  name       = "istiod"
  chart      = "./manifests/charts/istio-control/istio-discovery"
  namespace  = "istio-system"
}

resource "helm_release" "istio-ingress" {
  name       = "istio-ingress"
  chart      = "./manifests/charts/gateways/istio-ingress"
  namespace  = "istio-system"
}

resource "helm_release" "istio-egress" {
  name       = "istio-ingress"
  chart      = "./manifests/charts/gateways/istio-egress"
  namespace  = "istio-system"
}


Can someone help me to answer my few queries:

  1. Do I need a service account for Istio and helm both to install Istio on the EKS cluster?

  2. Do I need to create a specific IAM role to install Istio on the EKS cluster?

  3. What are some security checks I need to take care of to install Istio on the EKS cluster?

  4. Let's say in the future I need to change some default value provided by the Helm chart. How can I change those values? Let's say changing memory from 3072Mi to 4000Mi.

  5. How can I enable mTLS using helm chart in Istio?

  6. Installing add-on for example Kiali using helm chart?

Software Engineer
Sweta Sharma
  • 1
    not how your helm chart is like it will auto-create service account inside Kubernetes also. – Harsh Manvar Apr 12 '21 at 12:05
  • For anybody using this, you'll need to fix the typo `name = "istio-ingress"` to `name = "istio-egress"` in `resource "helm_release" "istio-egress"` – mellow-yellow Jun 21 '21 at 16:04

1 Answer


Yes, you have to create the IAM role also. If you want to create it for workers, you can also create the IAM for the same.

resource "aws_iam_role" "eksproject-cluster" {
  name = "terraform-eks-eksproject-cluster"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

https://github.com/prabhatpankaj/eks-terraform-istio

But if you are an admin of EKS, it's not required to create the IAM; you can directly set up Istio.

helm template istio-1.1.4/install/kubernetes/helm/istio --name istio --namespace istio-system  --set grafana.enabled=true --set tracing.enabled=true --set kiali.enabled=true --set kiali.dashboard.secretName=kiali --set kiali.dashboard.usernameKey=username --set kiali.dashboard.passphraseKey=passphrase | kubectl apply -f -

Let's say in the future I need to change some default value provided by the Helm chart. How can I change those values? Let's say changing memory from 3072Mi to 4000Mi.

you can use the helm for the same

update the value into values.yaml and run command

helm upgrade istio -f values.yaml

How can I enable mTLS using helm chart in Istio?

For mTLS between services or at the namespace level, you might have to configure the other YAMLs, or you can edit the chart and apply those new YAMLs as part of Helm.

spec:
  mtls:
    mode: STRICT

Installing add-on for example Kiali using helm chart?

it's already part of helm

helm template istio-1.1.4/install/kubernetes/helm/istio --name istio --namespace istio-system  --set grafana.enabled=true --set tracing.enabled=true --set kiali.enabled=true --set kiali.dashboard.secretName=kiali --set kiali.dashboard.usernameKey=username --set kiali.dashboard.passphraseKey=passphrase | kubectl apply -f -

--set kiali.enabled=true overriding the default value in command.

Harsh Manvar
  • Thanks so much, Harsh for your answer. I'm curious to know how we can change some default values provided by the helm chart? – Sweta Sharma Apr 12 '21 at 12:45
  • you can `--set` as shown in the example or update the file named `values.yaml`. For example `--set grafana.enabled=true`; you can do it this way, or update the file values.yaml and run the helm command to set up everything. – Harsh Manvar Apr 12 '21 at 12:46
  • Thanks for your reply. How can I do the same using Terraform and Helm? I need to automate those settings. I don't want to always go to the command prompt and set those settings. What are some changes I need to make to my terraform script. – Sweta Sharma Apr 12 '21 at 12:51
  • either can fix and edit the `values.yaml` file storing all the configuration and run the simple `helm` command `helm install istio -f values.yaml` it will work. – Harsh Manvar Apr 12 '21 at 13:20
  • terraform side might not be changes required maybe you can use remote or local exec to run the command of helm and install and run the whole setup. – Harsh Manvar Apr 12 '21 at 13:37
  • Thanks Harsh! I'm curious to know how we can override the values.yml file in the helm chart after there are packaged? – Sweta Sharma Apr 12 '21 at 14:03
  • for that you have to use the `--set` command mentioned earlier; it will override the value set in `values.yaml`. With TF you might save the value in an environment variable and use it in the command: `helm install istio --set $GRAFANA -f values.yaml`, so here it will override one specific value from the file, where GRAFANA means `grafana.enabled=true` – Harsh Manvar Apr 12 '21 at 14:28
  • 1
    Thanks so much Harsh for your answer! – Sweta Sharma Apr 12 '21 at 15:02
  • 1
    @SwetaSharma, granted you may be waiting for other answers, but you surely know that the best thank you is to accept the answer. – anastaciu Apr 12 '21 at 21:11
  • @HarshManvar In order to override the values.yml file can we feed it a new YAML file rather than using the --set command? – Sweta Sharma Apr 13 '21 at 03:58
  • 1
    @SwetaSharma yes you can for sure in that case command will be something like `helm install istio -f new-path.yaml` – Harsh Manvar Apr 13 '21 at 04:10
  • 1
    thankyou @anastaciu & Sweta Sharma. hope to resolve the question do let me know if any other. – Harsh Manvar Apr 13 '21 at 04:23
  • @HarshManvar In the script above Do I need to install Helm using Terraform or the helm_release will do that? – Sweta Sharma Apr 13 '21 at 07:33
  • @SwetaSharma you have to configure your host with the helm client; I am not sure what you mean by install helm using Terraform: curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash – Harsh Manvar Apr 13 '21 at 08:37
  • 1
    https://github.com/prabhatpankaj/eks-terraform-istio#install-helm – Harsh Manvar Apr 13 '21 at 08:37
  • 1
    @Harsh Manvar shouldn't you answer all questions instead of cherry picking one, and making this into a chat? – suren Apr 13 '21 at 10:38
  • @suren if you feel it, you can post your answer and help her better with the well-described answer I don't have any issue, apart from that if I am wrong or my suggestion wrong at any place sorry for that. – Harsh Manvar Apr 13 '21 at 10:56
  • question updated i never know mTLS & resources and all never read that however updated the answer. – Harsh Manvar Apr 13 '21 at 11:04
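
The Terraform-only route asked about in the comments (overriding chart values without the command line) together with the mTLS setting from the answer, as an added example that is not part of the original question or answer. It assumes the Helm and Kubernetes providers are already configured against the EKS cluster, that the memory value meant is istiod's request (`pilot.resources.requests.memory` in the istio-discovery chart), and that `istio-system` is the mesh's root namespace; the resource names are illustrative.

```hcl
# Added example; not code from the question or the answer.
resource "kubernetes_namespace" "istio_system" {
  metadata {
    name = "istio-system" # must match the namespace the releases install into
  }
}

resource "helm_release" "istio_base" {
  name      = "istio-base"
  chart     = "./manifests/charts/base" # chart path from the question
  namespace = kubernetes_namespace.istio_system.metadata[0].name
}

resource "helm_release" "istiod" {
  name      = "istiod"
  chart     = "./manifests/charts/istio-control/istio-discovery"
  namespace = kubernetes_namespace.istio_system.metadata[0].name

  # Overrides merged over the chart's values.yaml, like `helm ... -f file`.
  # Assumption: the value to change is istiod's memory request.
  values = [yamlencode({
    pilot = {
      resources = {
        requests = { memory = "4000Mi" }
      }
    }
  })]

  depends_on = [helm_release.istio_base] # Istio CRDs come from istio-base
}

# Mesh-wide strict mTLS: a PeerAuthentication named "default" with no selector
# in the root namespace. kubernetes_manifest needs the CRD to exist at plan
# time, so this resource can only be planned once istio-base is installed.
resource "kubernetes_manifest" "mesh_strict_mtls" {
  manifest = {
    apiVersion = "security.istio.io/v1beta1"
    kind       = "PeerAuthentication"
    metadata = {
      name      = "default"
      namespace = "istio-system"
    }
    spec = {
      mtls = { mode = "STRICT" }
    }
  }

  depends_on = [helm_release.istiod]
}
```

`STRICT` rejects plaintext traffic to sidecar-injected workloads, so clients without a sidecar stop connecting; `PERMISSIVE` is the mode to run while workloads are still being migrated.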