copyright | lastupdated | keywords | subcollection | ||
---|---|---|---|---|---|
|
2024-09-20 |
kubernetes, envoy, sidecar, mesh, bookinfo, istio |
containers |
{{site.data.keyword.attribute-definition-list}}
{: #istio-qs}
Get started with the managed Istio add-on in {{site.data.keyword.containerlong}}. In this set of steps, you deploy the BookInfo sample app to practice using several of Istio's service mesh capabilities. {: shortdesc}
Before you begin, review the Istio add-on change log for version information.
{: #istio-qs-1}
Set up the managed Istio add-on in your cluster. {: shortdesc}
-
Enable the
istio
add-on.ibmcloud ks cluster addon enable istio --cluster <cluster_name_or_ID>
{: pre}
-
Verify that the managed Istio add-on has a status of
Addon Ready
. Note that it can take a few minutes for the add-on to be ready.ibmcloud ks cluster addon ls --cluster <cluster_name_or_ID>
{: pre}
Example output
Name Version Health State Health Status istio 1.23 normal Addon Ready
{: screen}
-
You can also check out the individual components of the add-on to ensure that the Istio pods are deployed.
kubectl get pods -n istio-system
{: pre}
kubectl get svc -n istio-system
{: pre}
For more information about Istio in {{site.data.keyword.containerlong_notm}}, see About the managed Istio add-on.
{: #istio-qs-2}
The BookInfo sample application includes a basic Istio configuration so that you can try out Istio's capabilities immediately. {: shortdesc}
The four BookInfo microservices include:
productpage
calls thedetails
andreviews
microservices to populate the page.details
contains book information.ratings
contains book ranking information that accompanies a book review.reviews
contains book reviews and calls theratings
microservice. Thereviews
microservice has multiple versions:v1
does not call theratings
microservice.v2
calls theratings
microservice and displays ratings as 1 to 5 black stars.v3
calls theratings
microservice and displays ratings as 1 to 5 red stars.
The BookInfo app is also already exposed on a public IP address by an Istio Gateway. To see the BookInfo architecture, check out the Istio documentation{: external}.
-
Install BookInfo in your cluster.
-
Download the latest Istio package, which includes the configuration files for the BookInfo app.
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.23.1 sh -
{: pre}
-
Navigate to the Istio package directory.
cd istio-1.23.1
{: pre}
-
Linux and macOS users: Add the
istioctl
client to yourPATH
system variable.export PATH=$PWD/bin:$PATH
{: pre}
-
Label the
default
namespace for automatic sidecar injection. Any new pods that are deployed todefault
are now automatically created with Envoy proxy sidecar containers.kubectl label namespace default istio-injection=enabled
{: pre}
-
Deploy the BookInfo application, gateway, and destination rules.
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml
{: pre}
-
Ensure that the BookInfo microservices pods are
Running
.kubectl get pods
{: pre}
NAME READY STATUS RESTARTS AGE details-v1-6865b9b99d-7v9h8 2/2 Running 0 2m productpage-v1-f8c8fb8-tbsz9 2/2 Running 0 2m ratings-v1-77f657f55d-png6j 2/2 Running 0 2m reviews-v1-6b7f6db5c5-fdmbq 2/2 Running 0 2m reviews-v2-7ff5966b99-zflkv 2/2 Running 0 2m reviews-v3-5df889bcff-nlmjp 2/2 Running 0 2m
{: screen}
-
-
Get the public address for the
istio-ingressgateway
load balancer that exposes BookInfo.-
Classic clusters
-
Set the Istio ingress IP address as an environment variable.
export INGRESS_IP=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
{: pre}
-
Set the Istio ingress port as an environment variable.
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
{: pre}
-
Create a
GATEWAY_URL
environment variable that uses the Istio ingress host and port.export GATEWAY_URL=$INGRESS_IP:$INGRESS_PORT
{: pre}
-
-
VPC clusters: Create a
GATEWAY_URL
environment variable that uses the Istio ingress hostname.export GATEWAY_URL=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
{: pre}
-
-
Curl the
GATEWAY_URL
variable to check that the BookInfo app is running. A200
response means that the BookInfo app is running properly with Istio.curl -o /dev/null -s -w "%{http_code}\n" http://${GATEWAY_URL}/productpage
{: pre}
-
View the BookInfo web page in a browser.
Mac OS or Linux
open http://$GATEWAY_URL/productpage
{: pre}
Windows
start http://$GATEWAY_URL/productpage
{: pre}
-
Try refreshing the page several times. Different versions of the reviews section round-robin through no stars (
v1
ofreviews
), black stars (v2
), and red stars (v3
).
For more information about how routing works in Istio, see Understanding what happened.
{: #istio-qs-3}
To simulate a release of an app, you can perform a phased rollout v3
of the reviews
microservice of BookInfo.
{: shortdesc}
After you finish testing your app and are ready to start directing live traffic to it, you can perform rollouts gradually through Istio. For example, you can first release v3
to 10% of the users, then to 20% of users, and so on.
-
Configure a virtual service to distribute 0% of traffic to
v1
, 90% of traffic tov2
, and 10% of traffic tov3
ofreviews
.apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: reviews spec: hosts: - reviews http: - route: - destination: host: reviews subset: v1 weight: 0 - destination: host: reviews subset: v2 weight: 90 - destination: host: reviews subset: v3 weight: 10
{: pre}
kubectl apply -f <filename>.yaml
{: pre}
-
View the BookInfo web page in a browser by running
open http://$GATEWAY_URL/productpage
on Mac OS or Linux or by runningstart http://$GATEWAY_URL/productpage
on Windows. -
Try refreshing the page several times. Notice that the page with no stars (
v1
) is no longer shown, and that a majority of page refreshes show the black stars (v2
). Only rarely is the page with red stars (v3
) shown. -
Change the traffic distribution so that all traffic is sent only to
v3
. Note that in a real scenario, you might slowly roll out your version changes by changing the traffic distribution first to 80:20, then 70:30, and so on, until all traffic is routed to only the latest version.-
Edit the configuration file for the
reviews
virtual service.kubectl edit VirtualService reviews
{: pre}
-
Change the
weight
ofv2
to0
and theweight
ofv3
to100
. -
Save and close the file.
-
-
Try refreshing the BookInfo page several times. Notice that the page with black stars (
v2
) is no longer shown, and only the page with red stars (v3
) shown. -
If you have envoy access logs enabled: Verify that in the time since you changed the YAML file for the reviews
VirtualService
, no logs exist for requests tov2
.kubectl logs -l app=reviews,version=v2 -c istio-proxy
{: pre}
{: #istio-qs-4}
Use one of the {{site.data.keyword.mon_short}} predefined Istio dashboards to monitor your BookInfo microservices. {: shortdesc}
To deploy monitoring agents to your cluster, complete the following steps.
-
Provision an instance of {{site.data.keyword.mon_full_notm}}{: external}.
-
In the Monitoring console{: external}, click Open Dashboard for the instance that you provisioned.
-
In the {{site.data.keyword.mon_short}} UI, click Add new dashboard.
-
Search for
Istio
and select one of the {{site.data.keyword.mon_short}} predefined Istio dashboards.
For more information about referencing metrics and dashboards, monitoring Istio internal components, and monitoring Istio A/B deployments and canary deployments, check out the How to monitor Istio, the Kubernetes service mesh{: external} blog post.
{: #mtls-qs}
Enable encryption for workloads in a namespace to achieve mutual TLS (mTLS) inside the cluster. Traffic that is routed by Envoy among pods in the cluster is encrypted with TLS. The certificate management for mTLS is handled by Istio. For more information, see the Istio mTLS documentation{: external}. {: shortdesc}
-
Create an authentication policy file that is named
default.yaml
. This policy is namespace-scoped and configures workloads in the service mesh to accept only encrypted requests with TLS. Note that notargets
specifications are included because the policy applies to all services in the mesh in this namespace.apiVersion: "security.istio.io/v1beta1" kind: "PeerAuthentication" metadata: name: "default" spec: mtls: mode: STRICT
{: codeblock}
-
Apply the authentication policy to a namespace.
kubectl apply -f default.yaml -n <namespace>
{: pre}
-
Create a destination rule file that is named
destination-mtls.yaml
. This policy configures service mesh workloads in a namespace to send traffic by using TLS. Note that thehost: *.local
wildcard applies this destination rule to all services in the mesh.apiVersion: "networking.istio.io/v1beta1" kind: "DestinationRule" metadata: name: "destination-mtls" spec: host: "*.local" trafficPolicy: tls: mode: ISTIO_MUTUAL
{: codeblock}
-
Apply the destination rule.
kubectl apply -f destination-mtls.yaml -n <namespace>
{: pre}
-
If you want to achieve mTLS for service mesh workloads in other namespaces, repeat these steps each namespace.
Destination rules are also used for non-authentication reasons, such as routing traffic to different versions of a service. Any destination rule that you create for a service must also contain the same TLS block that is set to mode: ISTIO_MUTUAL
. This block prevents the rule from overriding the mesh-wide mTLS settings that you configured in this section.
{: note}