Introduction
Part 1 of this article demonstrates how to install Istio using the Istio operator. The Banzai Cloud Istio operator automates the installation, upgrade, and operation of the Istio service mesh on Kubernetes. The operator defines convenient high-level abstractions that enable popular use cases for controlling, managing and securing microservices. Instead of manually installing, upgrading, and uninstalling Istio in a production environment, you can let the Istio operator manage the installation for you.
When installing Istio with the Istio operator, we do not get the Istio addons such as Kiali, Prometheus and Grafana. These are available as addons when installing Istio in the normal way, as detailed on the official Istio site.
https://istio.io/latest/docs/setup/getting-started/
Istio is an open source service mesh platform that provides a way to control how microservices share data with one another. Istio is designed to run in a variety of environments: on-premise, cloud-hosted, in Kubernetes containers, in services running on virtual machines and more. Istio provides load balancing, A/B testing, canary rollouts, rate limiting, access control and end-to-end authentication.
Istio is divided into two planes.
- Data plane is composed of a set of proxies which are deployed as sidecars. These proxies mediate and control all the network communication between microservices.
- Control plane manages and configures the proxies to route traffic.
Components of Istio
Envoy:
- Mediates all inbound and outbound traffic
- They are the only components that interact with data plane traffic
Istiod:
- Provides service discovery, configuration and certificate management.
- Acts as Certificate Authority and generates certificates to allow secure mTLS communication.
- Istiod is responsible for the conversion of high level routing rules that control traffic behavior into Envoy-specific configurations.
Installation
Download the latest istioctl and add the istioctl client to your path.
curl -sL https://istio.io/downloadIstioctl | sh -
export PATH=$PATH:$HOME/.istioctl/bin
Step — 1 Deploy the istio operator
istioctl operator init
This installs the Istio operator into the cluster. A namespace called istio-operator is created and the necessary resources are installed in it.
kubectl get all -n istio-operator
Step — 2 Create a namespace istio-system
kubectl create namespace istio-system
Istio can be installed using configuration profiles. To install the demo configuration, use the following command.
kubectl apply -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: example-istiocontrolplane
spec:
  profile: demo
EOF
The profiles provide customization of the Istio control plane and of the sidecars for the Istio data plane.
kubectl get svc -n istio-system
Step — 3 Side Car injection
Create a namespace for your application.
kubectl create namespace myapp
To enable automatic sidecar injection for our namespace, we use the following command. This instructs Istio to automatically inject the Envoy proxy when we later deploy our application in the same namespace.
kubectl label namespace myapp istio-injection=enabled
Deploy your application in the same namespace and ensure that it is up and running.
After deploying the application, we can see that Istio has added a sidecar for every pod created.
kubectl get pods -n myapp
As seen here, 2 containers are created for each pod, one for the application and another one for the proxy.
To view the containers created, use the following command (use the name of your pod and namespace here).
kubectl describe pod service-a-7cd6ff587f-9vk2f -n myapp
Step — 4 Access the application from the internet
We have deployed the application. To make it accessible from the outside world, an Istio ingress gateway must be created. You use a gateway to manage inbound and outbound traffic for your mesh, letting you specify which traffic you want to enter or leave the mesh. Traffic routing for ingress traffic is configured using Istio routing rules, in exactly the same way as for internal service requests. A virtual service is then bound to the gateway to control the forwarding of traffic arriving at a particular host or gateway port.
- An ingress gateway describes a load balancer operating at the edge of the mesh that receives incoming HTTP/TCP connections.
- Server describes the properties of the proxy on a given load balancer port.
- Port describes the properties of a specific port of a service
This is a sample gateway.yaml.
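As an added example (not the author's original file), a gateway.yaml matching the description above could look like the following. The resource names, the backend Service name service-a and its port 8080 are assumptions; no namespace is set because the file is applied into the application namespace with -n.

```yaml
# Added example: Gateway + VirtualService for the application namespace.
# All names and ports below are assumptions, not taken from the article.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: myapp-gateway              # hypothetical name
spec:
  selector:
    istio: ingressgateway          # binds to the istio-ingressgateway pods in istio-system
  servers:                         # one Server entry per load balancer port
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    # "*" accepts any Host header, so the app is reachable by external IP
    # as the article describes. Replace with your real hostname once DNS
    # exists, so the gateway only serves hosts you intend to expose.
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp                      # hypothetical name
spec:
  hosts:
  - "*"                            # keep in sync with the Gateway hosts
  gateways:
  - myapp-gateway                  # only traffic entering via this gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: service-a            # assumed Kubernetes Service name
        port:
          number: 8080             # assumed Service port
```

This example serves plain HTTP on port 80 and terminates no TLS at the edge.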
kubectl apply -f gateway.yaml -n myapp
A virtual service and a gateway are created in our namespace.
kubectl get gateways -n myapp
kubectl get virtualservices -n myapp
kubectl get svc -n istio-system
The above command lists the running services in your istio-system namespace. The istio-system namespace contains all the services and deployments for Istio.
It has a service called istio-ingressgateway. Using the external IP and port of this service, the application can be accessed from the browser.
Conclusion
We have now successfully enabled Istio for our application. We will see how to implement addons like Kiali and Prometheus in the upcoming parts.