SaFi Bank Space : Istio Installation

Prerequisites Steps for GKE:

An automatically created firewall rule does not open port 15017. This is needed by the Pilot discovery validation webhook.

gcloud compute firewall-rules list --filter="name~gke-${CLUSTER_NAME}-[0-9a-z]*-master"
gcloud compute firewall-rules update <firewall-rule-name> --allow tcp:10250,tcp:443,tcp:15017

Grant cluster administrator (admin) permissions to the current user. To create the necessary RBAC rules for Istio, the current user requires admin permissions.

kubectl create clusterrolebinding cluster-admin-binding \
    --clusterrole=cluster-admin \
    --user=$(gcloud config get-value core/account)

Resources should have app label in order to Kiali dashboard to work
Note: If you are planning to use mTLS for POD to POD (Service to Service) communication, need to install istio-csr for automated certificate management.
References
- https://istio.io/latest/docs/setup/platform-setup/gke/
- https://github.com/cert-manager/istio-csr (Needed only if we are planning to use mTLS)

Installation Methods:

Standalone(Single Cluster and Single Network without HA):

helm repo add istio https://istio-release.storage.googleapis.com/charts
kubectl create namespace istio-system
helm install istio-base istio/base -n istio-system
helm install istiod istio/istiod -n istio-system --wait
kubectl create namespace istio-ingressgateway
kubectl label namespace istio-ingressgateway istio-injection=enabled
helm install istio-ingressgateway istio/gateway -n istio-ingress --wait
helm status istiod -n istio-system

Reference:
- https://istio.io/latest/docs/setup/install/helm/