
What is Istio?
Istio is an open source project for managing a service mesh in a microservices architecture. It is one of the most popular service mesh solutions and is widely used by several leading organisations.
Tanzu Service Mesh is a SaaS solution from VMware for managing a service mesh. Internally, Tanzu Service Mesh uses Istio for this.
Istio Installation Steps using istioctl
Login to TKG cluster and view the nodes
Ensure that you have enough resources on the nodes to install Istio. Also, it's better to have more than one worker node in a cluster.
$ k get nodes
NAME STATUS ROLES AGE VERSION
demo-cluster-control-plane-758tp Ready control-plane,master 22d v1.20.5+vmware.1
demo-cluster-control-plane-8qhvz Ready control-plane,master 22d v1.20.5+vmware.1
demo-cluster-control-plane-kbrbn Ready control-plane,master 22d v1.20.5+vmware.1
demo-cluster-md-0-7b749d645-6z2fc Ready <none> 22d v1.20.5+vmware.1
demo-cluster-md-0-7b749d645-ddcr7 Ready <none> 22d v1.20.5+vmware.1
demo-cluster-md-0-7b749d645-n2dz9 Ready <none> 22d v1.20.5+vmware.1
Minimum resource requirement: for better performance, go with 16GB RAM and 4 CPUs.
Installation Pre-requirements
#1: Download istioctl on the machine from which you connect to the TKG cluster.
$ curl -L https://istio.io/downloadIstio | sh -
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 102 100 102 0 0 254 0 --:--:-- --:--:-- --:--:-- 253
100 4549 100 4549 0 0 8285 0 --:--:-- --:--:-- --:--:-- 8285
Downloading istio-1.11.2 from https://github.com/istio/istio/releases/download/1.11.2/istio-1.11.2-linux-amd64.tar.gz ...
Istio 1.11.2 Download Complete!
Istio has been successfully downloaded into the istio-1.11.2 folder on your system.
Next Steps:
See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster.
To configure the istioctl client tool for your workstation,
add the /root/dinesh/istio-1.11.2/bin directory to your environment path variable with:
export PATH="$PATH:/root/dinesh/istio-1.11.2/bin"
Begin the Istio pre-installation check by running:
istioctl x precheck
Need more information? Visit https://istio.io/latest/docs/setup/install/
Note: The command above downloads the latest version of Istio. If you are looking for a specific version, run the command below.
$ curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.6.8 TARGET_ARCH=x86_64 sh -
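Piping the download script into sh runs whatever the server returns, so the release tarball can instead be fetched directly and checked against a digest before it is unpacked. The following is an added example, not part of the original post; it assumes a `.sha256` file is published next to the tarball (that URL suffix and the function names are assumptions) and that `sha256sum` is installed.

```shell
#!/bin/sh
# Added example (not from the original post).
# verify_sha256 ARCHIVE SUMFILE
# Returns 0 only if the SHA-256 of ARCHIVE equals the first field of SUMFILE,
# 1 on a mismatch, 2 if an input is missing or the checksum file is malformed.
verify_sha256() {
    archive=$1
    sumfile=$2
    [ -r "$archive" ] && [ -r "$sumfile" ] || { echo "missing input" >&2; return 2; }
    # A .sha256 file is "<hex digest>  <filename>"; keep only the digest, lowercased
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    # Reject anything that is not exactly 64 hex characters (e.g. an HTML error page)
    case $expected in
        *[!0-9a-f]*|"") echo "malformed checksum file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum file" >&2; return 2; }
    actual=$(sha256sum "$archive" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $archive" >&2
    return 1
}

# fetch_istio VERSION: download, verify, then extract. Requires network access.
fetch_istio() {
    ver=$1
    base="https://github.com/istio/istio/releases/download/$ver"
    tgz="istio-$ver-linux-amd64.tar.gz"
    curl -fsSLO "$base/$tgz" &&
    curl -fsSLO "$base/$tgz.sha256" &&   # assumed companion digest file
    verify_sha256 "$tgz" "$tgz.sha256" &&
    tar -xzf "$tgz"
}
```

A digest fetched from the same host as the archive detects corruption or a swapped file, not a compromised release host; for that, compare against a digest obtained through a separate channel.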
#2: Go to the folder and verify the downloaded artifacts
$ cd istio-1.11.2
$ ls -l
total 40
drwxr-x--- 2 root root 4096 Aug 31 23:52 bin
-rw-r--r-- 1 root root 11348 Aug 31 23:52 LICENSE
drwxr-xr-x 5 root root 4096 Aug 31 23:52 manifests
-rw-r----- 1 root root 854 Aug 31 23:52 manifest.yaml
-rw-r--r-- 1 root root 5866 Aug 31 23:52 README.md
drwxr-xr-x 20 root root 4096 Aug 31 23:52 samples
drwxr-xr-x 3 root root 4096 Aug 31 23:52 tools
#3: Add the “istioctl” to your current PATH.
$ export PATH=$PWD/bin:$PATH
$ echo $PATH
/root/dinesh/istio-1.11.2/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
#4: Validate that you can run istioctl by using the command below.
$ istioctl version
no running Istio pods in "istio-system"
1.11.2
#5: Decide on the Istio profile that you want to install. To list the Istio profiles, run the command below.
$ istioctl profile list
Istio configuration profiles:
default
demo
empty
external
minimal
openshift
preview
remote
In this post, I will be using the demo profile for the Istio installation. If you want to see the difference between profiles, you can run the command below.
To see the difference between the default and demo profiles:
$ istioctl profile diff default demo
#6: Great, you are now ready to install Istio on a TKG cluster.
Install Istio
#1: Run the below command to install istio.
$ istioctl install --set profile=demo -y
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete
Thank you for installing Istio 1.11. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/kWULBRjUv7hHci7T6
#2: Validate the installation. See the resources deployed in the “istio-system” namespace.
$ k get pods -n istio-system
NAME READY STATUS RESTARTS AGE
istio-egressgateway-6c9486d667-sck76 1/1 Running 0 4m8s
istio-ingressgateway-556bd8b675-wrf6v 1/1 Running 0 4m8s
istiod-96b47b576-rpm9p 1/1 Running 0 4m22s
#List the services in istio-system namespace
$ k get svc -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-egressgateway ClusterIP 100.65.109.226 <none> 80/TCP,443/TCP 13m
istio-ingressgateway LoadBalancer 100.71.210.191 172.168.21.111 15021:31140/TCP,80:31811/TCP,443:31985/TCP,31400:31467/TCP,15443:31330/TCP 13m
istiod ClusterIP 100.66.45.186 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 13m
Post Install Steps
We have completed the installation steps, but Istio will not inject the sidecar proxies unless we label the namespace.
#1. Labelling the namespace
$ k label namespace default istio-injection=enabled
namespace/default labeled
#2. Validate the label in default namespace.
$ k describe ns default
Name: default
Labels: istio-injection=enabled
Annotations: <none>
Status: Active
No resource quota.
No LimitRange resource.
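The sidecar is injected when a pod is created, so pods that were already running in the namespace before it was labelled stay outside the mesh until they are recreated. The check below is an added example, not part of the original post; it lists pods in injection-enabled namespaces that have no istio-proxy container. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# pods_without_sidecar: reads "<pod> <c1,c2,...>" lines on stdin and prints the
# pods whose container list has no entry named exactly istio-proxy.
pods_without_sidecar() {
    awk '
        NF >= 2 {
            n = split($2, c, ",")
            found = 0
            for (i = 1; i <= n; i++) if (c[i] == "istio-proxy") found = 1
            if (!found) print $1
        }'
}

# audit_injection: for every namespace labelled istio-injection=enabled, report
# pods that are running without the Envoy sidecar. Needs cluster access.
# Returns 1 if any such pod is found, 0 otherwise.
audit_injection() {
    status=0
    for ns in $(kubectl get ns -l istio-injection=enabled -o name | cut -d/ -f2); do
        missing=$(kubectl get pods -n "$ns" --no-headers \
            -o 'custom-columns=NAME:.metadata.name,CONTAINERS:.spec.containers[*].name' |
            pods_without_sidecar)
        for pod in $missing; do
            echo "$ns/$pod has no istio-proxy container"
            status=1
        done
    done
    return $status
}

# Constructed sample of the custom-columns output, for running the parser offline
SAMPLE='nginx          nginx,istio-proxy
legacy-api     legacy-api
batch-7c9d     worker,log-shipper'
```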
Deploy Sample application for Testing our setup
#1. Deploy a sample nginx image
$ k run nginx --image nginx --expose --port 80
service/nginx created
pod/nginx created
#2. Now, see the number of containers in the nginx pod. You will see two containers (one for nginx and one for the Envoy sidecar).
$ k get pods
NAME READY STATUS RESTARTS AGE
nginx 2/2 Running 0 53s
So, nginx is now running. But to open it up for external access, we need to create an ingress gateway and a virtual service resource. Save the content below to a YAML file.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: nginx-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: HTTP
      protocol: HTTP # must be HTTP (not TCP) for the VirtualService http routes to apply
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx
spec:
  hosts:
  - "*"
  gateways:
  - nginx-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: nginx
        port:
          number: 80
#3: Apply the YAML file in the same namespace where the application is deployed. In my case, that is the default namespace.
$ k apply -f gw-vs.yml
gateway.networking.istio.io/nginx-gateway created
virtualservice.networking.istio.io/nginx created
#4: Validate the gateway and virtual service resource.
$ k get vs,gw
NAME GATEWAYS HOSTS AGE
virtualservice.networking.istio.io/nginx ["nginx-gateway"] ["*"] 114s
NAME AGE
gateway.networking.istio.io/nginx-gateway 114s
#5: Access the nginx app using a browser.
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
$ echo "$GATEWAY_URL"
Paste the above output into a web browser and you will see the nginx page.
Deploying Istio Addons
Istio also provides several addons, e.g. kiali for the dashboard, jaeger for tracing, and prometheus & grafana for monitoring. You can see the YAML files in your Istio folder.
$ ls -l samples/addons/
total 284
drwxr-xr-x 2 root root 4096 Aug 31 23:52 extras
-rw-r--r-- 1 root root 245502 Aug 31 23:52 grafana.yaml
-rw-r--r-- 1 root root 2533 Aug 31 23:52 jaeger.yaml
-rw-r--r-- 1 root root 11008 Aug 31 23:52 kiali.yaml
-rw-r--r-- 1 root root 13633 Aug 31 23:52 prometheus.yaml
-rw-r--r-- 1 root root 5194 Aug 31 23:52 README.md
$ ls -l samples/addons/extras/
total 40
-rw-r--r-- 1 root root 1517 Aug 31 23:52 prometheus-operator.yaml
-rw-r--r-- 1 root root 15681 Aug 31 23:52 prometheus_vm_tls.yaml
-rw-r--r-- 1 root root 14679 Aug 31 23:52 prometheus_vm.yaml
-rw-r--r-- 1 root root 1096 Aug 31 23:52 zipkin.yaml
I will install kiali for demo purposes here, but you can apply the other YAML files in your TKG cluster. Also remember, TKG provides you a prometheus instance and you might want to use that.
Install Kiali
Apply the manifest file to install kiali. Note: This will be installed in the istio-system namespace.
$ k apply -f samples/addons/kiali.yaml
serviceaccount/kiali created
configmap/kiali created
clusterrole.rbac.authorization.k8s.io/kiali-viewer created
clusterrole.rbac.authorization.k8s.io/kiali created
clusterrolebinding.rbac.authorization.k8s.io/kiali created
role.rbac.authorization.k8s.io/kiali-controlplane created
rolebinding.rbac.authorization.k8s.io/kiali-controlplane created
service/kiali created
deployment.apps/kiali created
Note: By default, the kiali service is created with type ClusterIP; update the service type to NodePort or LoadBalancer to access it from outside the cluster. In my case, I did it via NodePort.
Access the dashboard

You can install the other addons as well; they are really helpful for managing the services.
That’s all for this post. I will explain Istio in more detail in later posts.