This module deploys Red Hat OpenShift Service Mesh v3 by configuring Istio and IstioCNI resources through the Istio Sail operator. It lets you configure the Istio Pilot (istiod) deployment, run two or more Istio control planes in the same cluster by setting up Service Mesh discovery selectors and sidecar injection, and deploy and configure Istio ingress and egress gateways for the Istio data planes. You can also control the placement of the gateways on specific worker nodes of the cluster, for example to support a double-DMZ architecture.
For more details about Red Hat OpenShift Service Mesh, see Red Hat OpenShift Service Mesh 3.0 and Installing Red Hat OpenShift Service Mesh.
The submodule modules/sm-istio supports configuring Service Mesh discovery selectors, so that each Istio control plane only discovers the namespaces (and therefore the workloads) that match the configured attributes.
For more details about Service Mesh discovery selectors, see Scoping the Service Mesh with discovery selectors.
The submodule modules/sm-istio supports configuring Service Mesh sidecar injection, so that each Istio control plane injects sidecar proxies only into workloads that match specific attributes.
Currently this module supports sidecar injection at namespace level only, following the rules below:
| IstioRevision name | Enabled label & value | Disabled label & value |
|---|---|---|
| default | istio-injection=enabled | istio-injection=disabled |
| not default, e.g. my-mesh-1 | istio.io/rev=my-mesh-1 | istio-injection=disabled |
For more details about Service Mesh sidecar injection, see Sidecar injection.
For more details about excluding a single workload from the Service Mesh, see Exclude a workload from the mesh.
By appropriately configuring the discovery selectors and sidecar injection properties of each control plane with multiple instances of modules/sm-istio, this module lets you deploy multiple control planes in the same cluster, each one discovering only its own workloads and injecting the related sidecars. Keep the two settings consistent: a namespace labelled for injection by a control plane that does not discover it gets sidecars that the control plane will not configure.
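The following script is an added example, not part of this module, that models how the two settings above interact: it evaluates Kubernetes label selectors (`matchLabels` and `matchExpressions`, OR-ed across the list as Istio does for `discoverySelectors`) against namespace labels, applies the namespace-level injection rules from the table, and flags namespaces that a revision would inject but not discover. The revision names, namespaces and labels are constructed sample data; the `istio.io/rev=default` case for the default revision is upstream Istio behaviour rather than something this README states.

```python
"""Simulate Istio discovery selectors and namespace-level sidecar injection
for several control planes (IstioRevisions) sharing one cluster.
Added example; not part of terraform-ibm-modules/ocp-service-mesh."""
from dataclasses import dataclass


def selector_matches(selector: dict, labels: dict) -> bool:
    """Evaluate one Kubernetes LabelSelector (matchLabels AND matchExpressions)."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values = expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


@dataclass
class Revision:
    name: str
    discovery_selectors: list  # list of LabelSelectors; OR-ed; empty = every namespace

    def discovers(self, ns_labels: dict) -> bool:
        if not self.discovery_selectors:
            return True
        return any(selector_matches(s, ns_labels) for s in self.discovery_selectors)

    def injects(self, ns_labels: dict) -> bool:
        """Namespace-level rules from the README table. Any istio-injection label
        (enabled or disabled) takes precedence over istio.io/rev."""
        injection = ns_labels.get("istio-injection")
        rev = ns_labels.get("istio.io/rev")
        if self.name == "default":
            # upstream Istio also honours istio.io/rev=default for the default revision
            return injection == "enabled" or (injection is None and rev == "default")
        return injection is None and rev == self.name


def plan(revisions: list, namespaces: dict) -> dict:
    """For every namespace report which revisions discover it, which inject it,
    and warn when injection happens outside the injecting revision's discovery scope."""
    result = {}
    for ns, labels in namespaces.items():
        discovered = [r.name for r in revisions if r.discovers(labels)]
        injected = [r.name for r in revisions if r.injects(labels)]
        warnings = [f"{ns}: injected by '{r}' but outside its discovery selectors"
                    for r in injected if r not in discovered]
        result[ns] = {"discovered_by": discovered, "injected_by": injected,
                      "warnings": warnings}
    return result


# Constructed sample: two control planes scoped by a hypothetical `mesh` label.
REVISIONS = [
    Revision("default", [{"matchLabels": {"mesh": "default"}}]),
    Revision("my-mesh-1", [{"matchExpressions": [
        {"key": "mesh", "operator": "In", "values": ["my-mesh-1"]}]}]),
]
NAMESPACES = {
    "app-a": {"mesh": "default", "istio-injection": "enabled"},
    "app-b": {"mesh": "my-mesh-1", "istio.io/rev": "my-mesh-1"},
    "app-c": {"mesh": "my-mesh-1", "istio.io/rev": "my-mesh-1",
              "istio-injection": "disabled"},          # opted out
    "app-d": {"istio.io/rev": "my-mesh-1"},             # injected but not discovered
}

if __name__ == "__main__":
    for ns, info in plan(REVISIONS, NAMESPACES).items():
        print(ns, info)
```

Running it shows `app-c` with no injecting revision and a warning for `app-d`, which is the misconfiguration to check for before labelling namespaces with `kubectl label namespace <ns> istio.io/rev=<revision>`.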
The submodules modules/sm-istio-ingress and modules/sm-istio-egress deploy Istio ingress and egress gateways into the cluster through gateway injection. Gateway injection relies on the same mechanism as sidecar injection to inject the Envoy proxy into gateway pods. To install a gateway using gateway injection, you create a Kubernetes Deployment object and an associated Kubernetes Service object in a namespace that is visible to the Istio control plane. When creating the Deployment object you label and annotate it so that the Istio control plane injects a proxy, and the proxy is configured as a gateway rather than as a sidecar. After installing the gateway, you configure it to control ingress and egress traffic using the Istio Gateway and VirtualService resources.
For more details about gateway injection, see Gateways and About gateway injection.
```hcl
terraform {
  required_version = ">= 1.9.0"
  required_providers {
    ibm = {
      source  = "IBM-Cloud/ibm"
      version = "X.Y.Z" # Lock into a provider version that satisfies the module constraints
    }
    # helm, kubernetes and time are also used below and resolve to the hashicorp/ providers
  }
}

locals {
  region = "us-south"
}

provider "ibm" {
  # Prefer the IC_API_KEY / IBMCLOUD_API_KEY environment variable over a key committed in code
  ibmcloud_api_key = "XXXXXXXXXX" # replace with apikey value
  region           = local.region
}

provider "helm" {
  kubernetes = {
    host                   = data.ibm_container_cluster_config.cluster_config.host
    token                  = data.ibm_container_cluster_config.cluster_config.token
    cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
  }
}

provider "kubernetes" {
  host                   = data.ibm_container_cluster_config.cluster_config.host
  token                  = data.ibm_container_cluster_config.cluster_config.token
  cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
}

data "ibm_container_cluster_config" "cluster_config" {
  cluster_name_id   = var.cluster_id
  resource_group_id = var.resource_group_id
  endpoint_type     = "default"
}

# deploy servicemesh operator
module "service_mesh_operator" {
  source                       = "terraform-ibm-modules/ocp-service-mesh/ibm"
  version                      = "X.Y.Z"
  cluster_id                   = var.cluster_id
  resource_group_id            = var.resource_group_id # required input, see the inputs table below
  develop_mode                 = var.develop_mode
  cluster_config_endpoint_type = var.cluster_config_endpoint_type
}

# deploy servicemesh controlplane with istio resource
module "deploy_istio" {
  depends_on               = [module.service_mesh_operator]
  source                   = "terraform-ibm-modules/ocp-service-mesh/ibm//modules/sm-istio"
  version                  = "X.Y.Z"
  name                     = "default"
  namespace                = "istio-system"
  create_namespace         = true
  cluster_config_file_path = data.ibm_container_cluster_config.cluster_config.config_file_path
}

# deploy servicemesh cni with istiocni resource
module "deploy_istio_cni" {
  depends_on       = [module.service_mesh_operator]
  source           = "terraform-ibm-modules/ocp-service-mesh/ibm//modules/sm-istio-cni"
  version          = "X.Y.Z"
  namespace        = "istio-system-cni"
  create_namespace = true
}

# wait for istio components to complete deployment and start
# (a fixed sleep does not verify readiness; check the Istio and IstioCNI resources if the gateways fail to inject)
resource "time_sleep" "wait_istio" {
  depends_on       = [module.deploy_istio, module.deploy_istio_cni]
  create_duration  = "300s"
  destroy_duration = "60s"
}

# deploy standard ingress gateway
module "basic_workload_ingress" {
  depends_on                = [time_sleep.wait_istio]
  source                    = "terraform-ibm-modules/ocp-service-mesh/ibm//modules/sm-istio-ingress"
  version                   = "X.Y.Z"
  name                      = "basic-ingress"
  namespace                 = "basic-ingress"
  create_namespace          = true
  force_dataplane_update    = true
  ingress_loadbalancer_type = "alb"
  ingress_service_type      = "LoadBalancer"
  ingress_ip_type           = "public"
  istio_mesh_enrollment     = "default" # IstioRevision that injects the gateway proxy
  ingress_selectors = {
    "istio" : "ingress-gateway",
  }
  ingress_ports = [
    {
      "name" : "http2"
      "port" : "80"
      "targetPort" : "8000"
      "proto" : "TCP"
    }
  ]
  cluster_config_file_path = data.ibm_container_cluster_config.cluster_config.config_file_path
}

# deploy standard egress gateway
module "default_workload_egress" {
  depends_on             = [time_sleep.wait_istio]
  source                 = "terraform-ibm-modules/ocp-service-mesh/ibm//modules/sm-istio-egress"
  version                = "X.Y.Z"
  name                   = "basic-egress"
  namespace              = "basic-egress"
  create_namespace       = false # the namespace must already exist
  force_dataplane_update = true
  istio_mesh_enrollment  = "default"
  egress_selectors = {
    "istio" : "egress-gateway",
  }
  egress_ports = [
    {
      "name" : "http2"
      "port" : "80"
      "targetPort" : "8000"
      "proto" : "TCP"
    },
    {
      "name" : "https"
      "port" : "443"
      "targetPort" : "443"
      "proto" : "TCP"
    }
  ]
  cluster_config_file_path = data.ibm_container_cluster_config.cluster_config.config_file_path
}
```
You need the following permissions to run this module.
- IAM services
    - Kubernetes service
        - Viewer platform access
        - Manager service access
For more information about the access you need to run Terraform IBM modules, see IBM Cloud IAM roles.
| Name | Version |
|---|---|
| terraform | >= 1.9.0 |
| helm | >= 3.0.0, <4.0.0 |
| ibm | >= 1.59.0, < 2.0.0 |
| null | >= 3.2.1, < 4.0.0 |
| time | >= 0.9.1, < 1.0.0 |
No modules.
| Name | Type |
|---|---|
| helm_release.service_mesh_operator | resource |
| null_resource.undeploy_servicemesh | resource |
| time_sleep.wait_operators | resource |
| ibm_container_cluster_config.cluster_config | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cluster_config_endpoint_type | Specify which type of endpoint to use for cluster config access: 'default', 'private', 'vpe', 'link'. The 'default' value uses the default endpoint of the cluster. | string | "default" | no |
| cluster_id | ID of the target IBM Cloud OpenShift cluster | string | n/a | yes |
| develop_mode | If true, increase the time waited for operator deployment and undeployment to allow debugging of the cluster | bool | false | no |
| resource_group_id | The ID of the resource group for the OpenShift cluster. | string | n/a | yes |
No outputs.
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.