6
votes

I'm new to the Terraform and Helm world! I need to set up Istio on an AWS EKS cluster. I'm trying to install Istio on top of the EKS cluster using Terraform with Helm as a provider. Below is the Terraform code for the same:

resource "kubernetes_namespace" "istio-system" {
  metadata {
    annotations = {
      name = "istio-system"
    }

    labels = {
      mylabel = "label-value"
    }

    # The helm_release resources below install into this namespace, so the
    # name here must match what they reference (originally "istio-namespace").
    name = "istio-system"
  }
}

resource "helm_release" "istio_base" {
  name       = "istio-base"
  chart      = "./manifests/charts/base"
  namespace  = kubernetes_namespace.istio-system.metadata[0].name
}

resource "helm_release" "istiod" {
  name       = "istiod"
  chart      = "./manifests/charts/istio-control/istio-discovery"
  namespace  = kubernetes_namespace.istio-system.metadata[0].name
  # istiod needs the CRDs installed by the base chart first.
  depends_on = [helm_release.istio_base]
}

resource "helm_release" "istio-ingress" {
  name       = "istio-ingress"
  chart      = "./manifests/charts/gateways/istio-ingress"
  namespace  = kubernetes_namespace.istio-system.metadata[0].name
  depends_on = [helm_release.istiod]
}

resource "helm_release" "istio-egress" {
  # Release names must be unique within a namespace; this was "istio-ingress" (typo).
  name       = "istio-egress"
  chart      = "./manifests/charts/gateways/istio-egress"
  namespace  = kubernetes_namespace.istio-system.metadata[0].name
  depends_on = [helm_release.istiod]
}


Can someone help me answer a few queries:

  1. Do I need a service account for both Istio and Helm to install Istio on the EKS cluster?

  2. Do I need to create a specific IAM role to install Istio on the EKS cluster?

  3. What are some security checks I need to take care of to install Istio on the EKS cluster?

  4. Let's say in the future I need to change some default value provided by the Helm chart. How can I change those values? Let's say changing memory from 3072Mi to 4000Mi.

  5. How can I enable mTLS using the Helm chart in Istio?

  6. Installing an add-on, for example Kiali, using a Helm chart?

1
Not sure how your Helm chart is, but it will auto-create the service account inside Kubernetes as well. – Harsh Manvar
For anybody using this, you'll need to fix the typo name = "istio-ingress" to name = "istio-egress" in resource "helm_release" "istio-egress". – mellow-yellow

1 Answer

5
votes

Yes, you have to create the IAM role. Also, if you want to create it for the workers, you can create an IAM role for those as well.

# IAM role for the EKS control plane; the trust policy lets the EKS service assume it.
resource "aws_iam_role" "eksproject-cluster" {
  name = "terraform-eks-eksproject-cluster"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

https://github.com/prabhatpankaj/eks-terraform-istio

But if you are an admin of EKS, it's not required to create the IAM role; you can directly set up Istio:

helm template istio-1.1.4/install/kubernetes/helm/istio --name istio --namespace istio-system  --set grafana.enabled=true --set tracing.enabled=true --set kiali.enabled=true --set kiali.dashboard.secretName=kiali --set kiali.dashboard.usernameKey=username --set kiali.dashboard.passphraseKey=passphrase | kubectl apply -f -

Let's say in the future I need to change some default value provided by the Helm chart. How can I change those values? Let's say changing memory from 3072Mi to 4000Mi.

You can use Helm for the same.

Update the value in values.yaml and run the command:

helm upgrade istio istio-1.1.4/install/kubernetes/helm/istio -f values.yaml

How can I enable mTLS using the Helm chart in Istio?

For mTLS between services or at the namespace level, you might have to configure the other YAMLs, or you edit the chart and apply those new YAMLs as part of Helm:

spec:
  mtls:
    mode: STRICT

Installing an add-on, for example Kiali, using a Helm chart?

It's already part of the Helm chart:

helm template istio-1.1.4/install/kubernetes/helm/istio --name istio --namespace istio-system  --set grafana.enabled=true --set tracing.enabled=true --set kiali.enabled=true --set kiali.dashboard.secretName=kiali --set kiali.dashboard.usernameKey=username --set kiali.dashboard.passphraseKey=passphrase | kubectl apply -f -

--set kiali.enabled=true overrides the default value in the command.
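The answer above targets the Istio 1.1.x Helm chart, where Kiali ships inside the istio chart and reads its dashboard login from a secret named kiali (which the helm template command does not create; it has to exist beforehand with username and passphrase keys). The question's chart layout (./manifests/charts/...) is the newer split layout, where Kiali is a separate chart. The following is an added example, not code from the question, the answer or the Istio project, showing how queries 4, 5 and 6 look when done entirely from Terraform rather than from the helm CLI. It assumes the Terraform helm and kubernetes providers (kubernetes provider 2.x for kubernetes_manifest), an existing helm_release.istio_base that installed the Istio CRDs, that istiod's memory request is keyed as pilot.resources.requests.memory in the istio-discovery chart, and the kiali-server chart from the Kiali project's Helm repository; the values file name istiod-values.yaml is made up for the example.

```hcl
# Added example (not from the question, the answer, or the Istio project).
# Assumes the question's chart layout (./manifests/charts/...), the Terraform
# "helm" and "kubernetes" providers (kubernetes >= 2.0 for kubernetes_manifest),
# and an existing helm_release.istio_base that installed the Istio CRDs into
# the istio-system namespace.

# 4. Override a chart default without editing the chart. The istiod memory
#    request is assumed to live under pilot.resources in the istio-discovery
#    chart. A values file and an inline set {} both work; `terraform apply`
#    then does the equivalent of `helm upgrade`.
resource "helm_release" "istiod" {
  name       = "istiod"
  chart      = "./manifests/charts/istio-control/istio-discovery"
  namespace  = "istio-system"
  depends_on = [helm_release.istio_base]

  # Values file checked into the repo, same as `helm upgrade -f values.yaml`
  # (istiod-values.yaml is a hypothetical file name).
  values = [file("${path.module}/istiod-values.yaml")]

  # One-off override, same as `helm upgrade --set ...`; wins over the values file.
  set {
    name  = "pilot.resources.requests.memory"
    value = "4000Mi"
  }
}

# 5. Mesh-wide strict mTLS. A PeerAuthentication named "default" in the root
#    namespace (istio-system) applies to every workload in the mesh, so
#    sidecars reject plaintext from clients outside the mesh. kubernetes_manifest
#    needs the PeerAuthentication CRD to exist at plan time, so on a fresh
#    cluster apply the Istio releases first (e.g. -target=helm_release.istio_base).
resource "kubernetes_manifest" "mesh_mtls_strict" {
  depends_on = [helm_release.istiod]

  manifest = {
    apiVersion = "security.istio.io/v1beta1"
    kind       = "PeerAuthentication"
    metadata = {
      name      = "default"
      namespace = "istio-system"
    }
    spec = {
      mtls = {
        mode = "STRICT" # PERMISSIVE would still accept plaintext
      }
    }
  }
}

# 6. Kiali from its own chart (assumed chart name kiali-server in the Kiali
#    Helm repo). Keep auth.strategy at "token" (Kubernetes service-account
#    token login) instead of "anonymous" so the dashboard, which can read
#    every namespace's mesh config, is not open to anyone who can reach it.
resource "helm_release" "kiali" {
  name       = "kiali-server"
  repository = "https://kiali.org/helm-charts"
  chart      = "kiali-server"
  namespace  = "istio-system"
  depends_on = [helm_release.istiod]

  set {
    name  = "auth.strategy"
    value = "token"
  }
}
```

Because kubernetes_manifest validates against the cluster's CRDs during plan, the first run on an empty cluster needs the Istio releases applied before the PeerAuthentication is planned; after that a single apply keeps the release values, the mesh policy and the Kiali release in one state file, which is also what lets a later `terraform plan` show a drift such as someone switching the mode back to PERMISSIVE.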