1
votes

I’m deploying Istio in Azure Kubernetes Service (AKS) and I have the following question:

Is it possible to deploy Istio using an internal load balancer? It looks like it is deployed in Azure with a public load balancer by default. What do I need to change to make it use an internal load balancer?

1
Why do you have 2 individual questions in a single post? They are not even connected in any fashion. – 4c74356b41

1 Answer

0
votes

To answer the second question:

It is possible to add AKS annotation for an internal load balancer according to AKS documentation:

To create an internal load balancer, create a service manifest named internal-lb.yaml with the service type LoadBalancer and the azure-load-balancer-internal annotation as shown in the following example:

apiVersion: v1
kind: Service
metadata:
  name: internal-app
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: internal-app

So you can set this annotation using helm with the following --set:

helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set gateways.istio-ingressgateway.serviceAnnotations.'service\.beta\.kubernetes\.io/azure-load-balancer-internal'="true" > aks-istio.yaml

As mentioned in the comment, you should stick to one question per post, as advised here. So I suggest creating a second post with the other question.

Hope it helps.


Update:

For istioctl you can do the following:

  1. Generate a manifest file for your Istio deployment; for this example I used the demo profile.
istioctl manifest generate --set profile=demo > istio.yaml
  2. Modify istio.yaml and search for the text type: LoadBalancer.
---


apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    app: istio-ingressgateway
    release: istio
    istio: ingressgateway
spec:
  type: LoadBalancer
  selector:
    app: istio-ingressgateway
  ports:

Add the annotation for the internal load balancer like this:

---


apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  labels:
    app: istio-ingressgateway
    release: istio
    istio: ingressgateway
spec:
  type: LoadBalancer
  selector:
    app: istio-ingressgateway
  ports:
  3. After saving the changes, deploy the modified istio.yaml to your K8s cluster using:
kubectl apply -f istio.yaml

After that you can verify that the annotation is present in the istio-ingressgateway service.

$ kubectl get svc istio-ingressgateway -n istio-system -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{"service.beta.kubernetes.io/azure-load-balancer-internal":"true"},"labels":{"app":"istio-ingressgateway","istio":"ingressgateway","release":"istio"},"name":"istio-ingressgateway","namespace":"istio-system"},"spec":{"ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"http2","port":80,"targetPort":80},{"name":"https","port":443},{"name":"kiali","port":15029,"targetPort":15029},{"name":"prometheus","port":15030,"targetPort":15030},{"name":"grafana","port":15031,"targetPort":15031},{"name":"tracing","port":15032,"targetPort":15032},{"name":"tls","port":15443,"targetPort":15443}],"selector":{"app":"istio-ingressgateway"},"type":"LoadBalancer"}}
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  creationTimestamp: "2020-01-27T13:51:07Z"

Hope it helps.
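
A pre-apply check for the manifest edited in the steps above, as an added example that is not part of the original answer: it lists every Service of type LoadBalancer in a rendered manifest that lacks the internal-load-balancer annotation set to "true", so a gateway that would get a public IP is caught before kubectl apply. The function names and the example-gateway Service are hypothetical, and the parser assumes the 2-space indentation used in the manifests on this page.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): report LoadBalancer Services in
# a rendered manifest that lack the AKS internal-load-balancer annotation.
# Assumes 2-space indentation, as in the manifests shown on this page.

ANNOTATION='service.beta.kubernetes.io/azure-load-balancer-internal:'

# find_public_lbs FILE -> prints "namespace/name" for each offending Service
find_public_lbs() {
  awk -v key="$ANNOTATION" '
    function emit() {
      if (kind == "Service" && lb && !internal) {
        if (ns == "") ns = "default"
        print ns "/" name
      }
      kind = ""; name = ""; ns = ""; section = ""; lb = 0; internal = 0
    }
    /^---[ \t]*$/ { emit(); next }            # YAML document separator
    /^[A-Za-z]/   { section = $1 }            # top-level key: kind:, metadata:, spec:
    /^kind:/      { kind = $2 }
    section == "metadata:" && /^  name:/      { name = $2 }
    section == "metadata:" && /^  namespace:/ { ns = $2 }
    section == "metadata:" && $1 == key {
      v = $2; gsub(/[^a-z]/, "", v)           # drop surrounding quotes
      if (v == "true") internal = 1
    }
    section == "spec:" && /^  type:[ \t]*LoadBalancer[ \t]*$/ { lb = 1 }
    END { emit() }
  ' "$1"
}

# Constructed sample: the first Service is annotated, the second is not.
sample_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-gateway
  namespace: istio-system
spec:
  type: LoadBalancer
EOF
}
```

After sourcing the script, run `find_public_lbs istio.yaml` before `kubectl apply -f istio.yaml`; empty output means every LoadBalancer Service in the file carries the annotation.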