This assumes you have a mechanism to provision an IP/ELB for services of type `LoadBalancer`. If you're in AWS, use the AWS cloud provider. If you're on bare metal or a hypervisor, consider using MetalLB or KubeVIP.
If you're unsure, after your Istio controlplane is created, look at `kubectl get svc -n istio-system`. If they are stuck in `Pending`, there is an issue.
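One way to script that check, as an added example rather than part of the original instructions: the function names and the sample tables below are constructed for illustration, and the filter only assumes the standard `kubectl get svc` column headers.

```shell
#!/bin/sh
# Added example: flag LoadBalancer services that never received an address.
# Reads the table printed by `kubectl get svc` on stdin and prints the name of
# every service of type LoadBalancer whose EXTERNAL-IP is still <pending>.
pending_lb_services() {
  awk '
    NR == 1 {
      # Locate columns by header so an extra leading column (e.g. from -A)
      # does not shift the fields we compare.
      for (i = 1; i <= NF; i++) {
        if ($i == "NAME") name = i
        if ($i == "TYPE") type = i
        if ($i == "EXTERNAL-IP") ext = i
      }
      next
    }
    name && type && ext && $type == "LoadBalancer" && $ext == "<pending>" {
      print $name
    }
  '
}

# Returns 0 when every LoadBalancer service has an address, 1 otherwise.
lb_ready() {
  stuck=$(pending_lb_services)
  if [ -n "$stuck" ]; then
    echo "no external address assigned: $stuck" >&2
    return 1
  fi
}

# Constructed sample tables (not captured from a real cluster).
SAMPLE_PENDING='NAME                   TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
istio-ingressgateway   LoadBalancer   10.43.12.8     <pending>     80:31380/TCP,443:31390/TCP   5m
istiod                 ClusterIP      10.43.77.201   <none>        15010/TCP,15012/TCP          5m'

SAMPLE_READY='NAME                   TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
istio-ingressgateway   LoadBalancer   10.43.12.8     192.0.2.10    80:31380/TCP,443:31390/TCP   9m
istiod                 ClusterIP      10.43.77.201   <none>        15010/TCP,15012/TCP          9m'

# Offline demonstration on the constructed table.
printf '%s\n' "$SAMPLE_PENDING" | pending_lb_services

# Against a live cluster: kubectl get svc -n istio-system | lb_ready
```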
For Istio to route with Rancher, you need to install Cert-Manager and create your certificate. This example uses a self-signed cert:
- Install cert-manager: `kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.yaml`
- Create `cattle-system` namespace: `kubectl create ns cattle-system`
- Create cluster-issuer: `kubectl apply -f cert-manager/cluster-issuer.yaml`
- Update `cert-manager/certificate.yaml` with your Rancher hostname.
- Create certificate: `kubectl apply -f cert-manager/certificate.yaml`
Now, you'll need to install Istio and the Istio operator. You'll need `istioctl`, which you can download [here](https://github.com/istio/istio/releases) (NOTE: You might need to expand the Assets list. Make sure you download istioctl and not istio.)
Once you have downloaded istioctl and added it to your path, do the following:
- Install istio operator: `istioctl operator init`
- Update `istio/gateway.yaml` and `istio/virtual-service.yaml` with your Rancher hostname.
- Create the Istio controlplane: `kubectl apply -f istio/controlplane.yaml`
- Wait for Istio pods to come online (wait for ingressgateway and istiod): `watch kubectl get pods -n istio-system`
- Create gateway: `kubectl apply -f istio/gateway.yaml`
- Create virtual service: `kubectl apply -f istio/virtual-service.yaml`
When you install Rancher, since the TLS certificate should already exist, use the flag `--set ingress.tls.source=secret`.