Install SMM with the SMM Operator chart

SMM Operator is a Kubernetes operator that deploys and manages Service Mesh Manager. With this chart, the operator does not manage the CRD; CI/CD tools are expected to take care of updating the CRD.

If you have your own cluster deployed and are authorized to fetch images from the Cisco-provided repositories, you can rely on BasicAuth (url, username, password) for the authentication required to pull images.

You can get a Username and Password by signing up for the Free tier version of Service Mesh Manager.

Prerequisites

Helm version 3.7 or newer.

Steps

  1. Create two namespaces: one for smm-operator (called smm-registry-access) and one for cert-manager:

    kubectl create ns smm-registry-access
    kubectl create ns cert-manager
    

    (The smm-registry-access namespace is used because smm-operator should be in the same namespace as the imagepullsecrets-controller.)

  2. Run the following helm commands. Replace <your-username> and <your-password> with the ones shown on your Service Mesh Manager download page.

    export HELM_EXPERIMENTAL_OCI=1
    echo '<your-password>' | helm registry login registry.eticloud.io -u '<your-username>' --password-stdin
    
    helm pull oci://registry.eticloud.io/smm-charts/smm-operator --version 1.11.0
    
    helm install \
      --namespace=smm-registry-access \
      --set "global.ecr.enabled=false" \
      --set "global.basicAuth.username=<your-username>" \
      --set "global.basicAuth.password=<your-password>" \
      smm-operator \
      oci://registry.eticloud.io/smm-charts/smm-operator --version 1.11.0
    
  3. Install Service Mesh Manager by creating a ControlPlane resource. We recommend that you start with the following ControlPlane resource. This CR assumes that you are using docker-registry authentication, and that the secrets referenced in .spec.registryAccess are used to pull the smm-operator image and sync across the other namespaces created by the smm-operator chart.

    Replace <cluster-name> with the name of your cluster. The cluster name format must comply with the RFC 1123 DNS subdomain/label format (alphanumeric string without “_” or “.” characters). Otherwise, you get an error message starting with: Reconciler error: cannot determine cluster name controller=controlplane, controllerGroup=smm.cisco.com, controllerKind=ControlPlane

    kubectl apply -f - << EOF
    apiVersion: smm.cisco.com/v1alpha1
    kind: ControlPlane
    metadata:
      name: smm
    spec:
      clusterName: <cluster-name>
      certManager:
        enabled: true
        namespace: cert-manager
      clusterRegistry:
        enabled: true
        namespace: cluster-registry
      log: {}
      meshManager:
        enabled: true
        istio:
          enabled: true
          istioCRRef:
            name: cp-v115x
            namespace: istio-system
          operators:
            namespace: smm-system
        namespace: smm-system
      nodeExporter:
        enabled: true
        namespace: smm-system
        psp:
          enabled: false
        rbac:
          enabled: true
      oneEye: {}
      registryAccess:
        enabled: true
        imagePullSecretsController: {}
        namespace: smm-registry-access
        pullSecrets:
          - name: smm-registry.eticloud.io-pull-secret
            namespace: smm-registry-access
      repositoryOverride:
        host: registry.eticloud.io
        prefix: smm
      role: active
      smm:
        als:
          enabled: true
          log: {}
        application:
          enabled: true
          log: {}
        auth:
          mode: impersonation
        certManager:
          enabled: true
        enabled: true
        federationGateway:
          enabled: true
          name: smm
          service:
            enabled: true
            name: smm-federation-gateway
            port: 80
        federationGatewayOperator:
          enabled: true
        impersonation:
          enabled: true
        istio:
          revision: cp-v115x.istio-system
        leo:
          enabled: true
          log: {}
        log: {}
        namespace: smm-system
        prometheus:
          enabled: true
          replicas: 1
        prometheusOperator: {}
        releaseName: smm
        role: active
        sre:
          enabled: true
        useIstioResources: true
    EOF
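
The following helpers for steps 2 and 3 are an added example, not part of the SMM documentation: one checks the cluster name before the ControlPlane resource is applied, the other writes the `global.*` settings from step 2 to a private values file instead of passing the password with `--set`. The function names, the file path and the exact label rule (the RFC 1123 label form Kubernetes uses) are assumptions.

```sh
#!/bin/sh
# Added example (not from the SMM documentation): helpers for steps 2 and 3.
# Function names and the values-file path are hypothetical.

# Succeed only if $1 is an RFC 1123 DNS label in the form Kubernetes uses
# (assumed to be what the operator checks): 1-63 characters, lowercase
# letters, digits or "-", with a letter or digit at both ends.
valid_cluster_name() {
  _n=$1
  [ "${#_n}" -ge 1 ] && [ "${#_n}" -le 63 ] || return 1
  case $_n in
    *[!abcdefghijklmnopqrstuvwxyz0123456789-]*) return 1 ;;  # "_", ".", A-Z, ...
    -*|*-) return 1 ;;                                       # hyphen at an end
  esac
  return 0
}

# Write the step 2 settings to a values file readable only by the current
# user, so the password is not given as a --set argument (arguments are
# visible in shell history and the process list). Assumes single-line values.
# $1 = username, $2 = password, $3 = output path
write_basic_auth_values() (
  umask 077        # a newly created file gets mode 0600
  rm -f -- "$3"    # do not reuse an existing file with wider permissions
  esc() { printf '%s' "$1" | sed "s/'/''/g"; }  # YAML single-quote escaping
  printf 'global:\n  ecr:\n    enabled: false\n  basicAuth:\n' > "$3"
  printf "    username: '%s'\n    password: '%s'\n" \
    "$(esc "$1")" "$(esc "$2")" >> "$3"
)

# Usage with the chart from step 2 (left as comments; needs helm and a cluster):
#   valid_cluster_name "$CLUSTER_NAME" || { echo "invalid cluster name" >&2; exit 1; }
#   write_basic_auth_values "$SMM_USER" "$SMM_PASS" "$HOME/.smm-values.yaml"
#   helm install --namespace=smm-registry-access -f "$HOME/.smm-values.yaml" \
#     smm-operator oci://registry.eticloud.io/smm-charts/smm-operator --version 1.11.0
```

Helm still records the supplied values in the release, so `helm get values` in the smm-registry-access namespace shows them; restrict access to that namespace accordingly and delete the values file after the install.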
    

Uninstalling the chart

To uninstall/delete the ControlPlane resource and smm-operator release, run:

    kubectl delete controlplanes.smm.cisco.com smm
    helm uninstall --namespace=smm-registry-access smm-operator

Chart configuration

The following table lists the configurable parameters of the Service Mesh Manager chart and their default values.

| Parameter | Description | Default |
|---|---|---|
| operator.image.repository | Operator container image repository | registry.eticloud.io/smm/smm-operator |
| operator.image.tag | Operator container image tag | Same as chart version |
| operator.image.pullPolicy | Operator container image pull policy | IfNotPresent |
| operator.resources | CPU/Memory resource requests/limits (YAML) | Memory: 256Mi, CPU: 200m |
| prometheusMetrics.enabled | If true, use direct access for Prometheus metrics | false |
| prometheusMetrics.authProxy.enabled | If true, use auth proxy for Prometheus metrics | true |
| prometheusMetrics.authProxy.image.repository | Auth proxy container image repository | gcr.io/kubebuilder/kube-rbac-proxy |
| prometheusMetrics.authProxy.image.tag | Auth proxy container image tag | v0.5.0 |
| prometheusMetrics.authProxy.image.pullPolicy | Auth proxy container image pull policy | IfNotPresent |
| rbac.enabled | Create rbac service account and roles | true |
| rbac.psp.enabled | Create pod security policy and binding | false |
| ecr.enabled | Should SMM Operator Chart handle the ECR login procedure | true |
| ecr.accessKeyID | Access Key ID to be used for ECR logins | Empty |
| ecr.secretAccessKey | Secret Access Key to be used for ECR logins | Empty |