Deploy Istio

Istio is a service mesh for managing communication between microservices inside Kubernetes. The core concepts of Istio are:

  • Secure: mTLS between Envoy proxies
  • Connect: canary deployment, retry policy, circuit breaker
  • Observe: monitor how traffic is flowing, connections, response time and tracing
  • Control: authentication between pods

The main modules in the control plane (Istiod) are:

  • Pilot: configuration discovery (automatically injecting the Envoy proxy into pods) and traffic routing, e.g. canary deployment
  • Citadel: certificate management; generates the certificates that allow secure mTLS communication between Envoy proxies
  • Galley: configuration (translates Istio CRDs into configuration communicated to the Envoy proxies)

Ref: https://istio.io/latest/docs/ops/deployment/architecture

Prerequisites

  1. A Kubernetes cluster, or a local Kubernetes development cluster created with kind, with ingress-nginx installed.
  2. The Kubernetes client kubectl.
  3. curl, for testing the examples (backend applications).

Step 1 - Check Kubernetes cluster

kubectl get node
NAME                  STATUS     ROLES                  AGE   VERSION
istio-control-plane   Ready      control-plane,master   14s   v1.23.0

Step 2 - Install istio CLI

curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.13.1 TARGET_ARCH=x86_64 sh -
cd istio-1.13.1
export PATH=$PWD/bin:$PATH

This demo uses Istio version 1.13.1.

Step 3 - Check istio CLI version

istioctl version

The output looks similar to the following:

no running Istio pods in "istio-system"
1.13.1

Getting Started : https://istio.io/latest/docs/setup/getting-started/#download

Step 4 - Check compatibility with the target cluster

istioctl x precheck

The output looks similar to the following:

✔ No issues found when checking the cluster. Istio is safe to install or upgrade!
  To get started, check out https://istio.io/latest/docs/setup/getting-started/

istioctl commands reference : https://istio.io/latest/docs/reference/commands/istioctl/

Step 5 - Check the available Istio profiles

istioctl profile list

The output looks similar to the following:

    default
    demo
    empty
    external
    minimal
    openshift
    preview
    remote

Notes: Istio installation profiles

Step 6 - Install istio

istioctl install --set profile=default

Note: the default profile is recommended for production.
The output looks similar to the following:

This will install the Istio 1.13.1 default profile with ["Istio core" "Istiod" "Ingress gateways"] components into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Installation complete
Making this installation the default for injection and validation.

Thank you for installing Istio 1.13.  Please take a few minutes to tell us about your install/upgrade experience!  https://forms.gle/pzWZpAvMVBecaQ9h9

Step 7 - Verify installation

istioctl verify-install

The output looks similar to the following:

1 Istio control planes detected, checking --revision "default" only
✔ ClusterRole: istiod-istio-system.istio-system checked successfully
✔ ClusterRole: istio-reader-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istio-reader-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-istio-system.istio-system checked successfully
✔ ServiceAccount: istio-reader-service-account.istio-system checked successfully
✔ Role: istiod-istio-system.istio-system checked successfully
✔ RoleBinding: istiod-istio-system.istio-system checked successfully
✔ ServiceAccount: istiod-service-account.istio-system checked successfully
✔ CustomResourceDefinition: wasmplugins.extensions.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: destinationrules.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: envoyfilters.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: gateways.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: proxyconfigs.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: serviceentries.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: sidecars.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: virtualservices.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: workloadentries.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: workloadgroups.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: authorizationpolicies.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: peerauthentications.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: requestauthentications.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: telemetries.telemetry.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: istiooperators.install.istio.io.istio-system checked successfully
✔ HorizontalPodAutoscaler: istiod.istio-system checked successfully
✔ ClusterRole: istiod-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRole: istiod-gateway-controller-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-gateway-controller-istio-system.istio-system checked successfully
✔ ConfigMap: istio.istio-system checked successfully
✔ Deployment: istiod.istio-system checked successfully
✔ ConfigMap: istio-sidecar-injector.istio-system checked successfully
✔ MutatingWebhookConfiguration: istio-sidecar-injector.istio-system checked successfully
✔ PodDisruptionBudget: istiod.istio-system checked successfully
✔ ClusterRole: istio-reader-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istio-reader-clusterrole-istio-system.istio-system checked successfully
✔ Role: istiod.istio-system checked successfully
✔ RoleBinding: istiod.istio-system checked successfully
✔ Service: istiod.istio-system checked successfully
✔ ServiceAccount: istiod.istio-system checked successfully
✔ EnvoyFilter: stats-filter-1.11.istio-system checked successfully
✔ EnvoyFilter: tcp-stats-filter-1.11.istio-system checked successfully
✔ EnvoyFilter: stats-filter-1.12.istio-system checked successfully
✔ EnvoyFilter: tcp-stats-filter-1.12.istio-system checked successfully
✔ EnvoyFilter: stats-filter-1.13.istio-system checked successfully
✔ EnvoyFilter: tcp-stats-filter-1.13.istio-system checked successfully
✔ ValidatingWebhookConfiguration: istio-validator-istio-system.istio-system checked successfully
✔ HorizontalPodAutoscaler: istio-ingressgateway.istio-system checked successfully
✔ Deployment: istio-ingressgateway.istio-system checked successfully
✔ PodDisruptionBudget: istio-ingressgateway.istio-system checked successfully
✔ Role: istio-ingressgateway-sds.istio-system checked successfully
✔ RoleBinding: istio-ingressgateway-sds.istio-system checked successfully
✔ Service: istio-ingressgateway.istio-system checked successfully
✔ ServiceAccount: istio-ingressgateway-service-account.istio-system checked successfully
Checked 15 custom resource definitions
Checked 2 Istio Deployments
✔ Istio is installed and verified successfully

Step 8 - Check istio pod status

kubectl get pod -n istio-system

The output looks similar to the following:

NAME                                    READY   STATUS    RESTARTS   AGE
istio-ingressgateway-66ff9c7b6f-f4p6n   1/1     Running   0          16m
istiod-7656645d8c-wrqfq                 1/1     Running   0          21m

Step 9 - Verify Istio version

istioctl version

The output looks similar to the following:

client version: 1.13.1
control plane version: 1.13.1
data plane version: 1.13.1 (1 proxies)

Step 10 - Get an overview of your mesh

istioctl proxy-status

The output looks similar to the following:

NAME                                                   CLUSTER        CDS        LDS        EDS        RDS          ISTIOD                      VERSION
istio-ingressgateway-66ff9c7b6f-f4p6n.istio-system     Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     istiod-7656645d8c-wrqfq     1.13.1

If a proxy is missing from this list, it is not currently connected to an Istiod instance and so will not be receiving any configuration.

SYNCED means that Envoy has acknowledged the last configuration Istiod has sent to it.
NOT SENT means that Istiod hasn’t sent anything to Envoy. This usually is because Istiod has nothing to send.
STALE means that Istiod has sent an update to Envoy but has not received an acknowledgement. This usually indicates a networking issue between Envoy and Istiod or a bug with Istio itself.

Step 11 - Deploy an example application to the default namespace and install the sidecar

  1. Switch to the default namespace
kns default
  2. Deploy the example application in the default namespace
cd istio-1.13.1
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

The output looks similar to the following:

service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
  3. Check the pod status; as you can see, every pod has only one container
kubectl get pod

The output looks similar to the following:

NAME                                    READY   STATUS    RESTARTS   AGE
...
details-v1-5498c86cf5-vgwdw             1/1     Running   0          4m43s
productpage-v1-65b75f6885-9c2tj         1/1     Running   0          4m43s
ratings-v1-b477cf6cf-bvrlq              1/1     Running   0          4m43s
reviews-v1-79d546878f-prctw             1/1     Running   0          4m43s
reviews-v2-548c57f459-69989             1/1     Running   0          4m43s
reviews-v3-6dd79655b9-gwp8q             1/1     Running   0          4m43s
  4. Check for anything wrong
istioctl analyze

The output looks similar to the following. It says this namespace is not enabled for Istio injection, so let's follow the suggestion:

Info [IST0102] (Namespace default) The namespace is not enabled for Istio injection. Run 'kubectl label namespace default istio-injection=enabled' to enable it, or 'kubectl label namespace default istio-injection=disabled' to explicitly mark it as not needing injection.
  5. Inject the sidecar (Envoy) into the default namespace
kubectl label namespace default istio-injection=enabled
kubectl delete pod --all -n default

The output looks similar to the following:

namespace/default labeled
pod "details-v1-5498c86cf5-6sgd7" deleted
pod "productpage-v1-65b75f6885-xmv2w" deleted
pod "ratings-v1-b477cf6cf-k6f7c" deleted
pod "reviews-v1-79d546878f-nk972" deleted
pod "reviews-v2-548c57f459-w9dvq" deleted
pod "reviews-v3-6dd79655b9-t8mcw" deleted

To remove the sidecar (Envoy) from the default namespace, use:

kubectl label namespace default istio-injection-
kubectl delete pod --all -n default

Installing the Sidecar : https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/
6. Let's check the pods again; as you can see, every pod now has two containers, which indicates that a sidecar was injected into each of them.

kubectl get pod

The output looks similar to the following:

NAME                              READY   STATUS    RESTARTS   AGE
details-v1-5498c86cf5-6sgd7       2/2     Running   0          6m16s
productpage-v1-65b75f6885-m8mcf   2/2     Running   0          6m16s
ratings-v1-b477cf6cf-k6f7c        2/2     Running   0          6m16s
reviews-v1-79d546878f-nk972       2/2     Running   0          6m16s
reviews-v2-548c57f459-w9dvq       2/2     Running   0          6m16s
reviews-v3-6dd79655b9-t8mcw       2/2     Running   0          6m15s
  7. Check for anything wrong again
istioctl analyze

The output looks similar to the following:

✔ No validation issues found when analyzing namespace: default.
  8. Get an overview of your mesh again, as in Step 10
istioctl proxy-status

The output looks similar to the following:

NAME                                                   CLUSTER        CDS        LDS        EDS        RDS          ISTIOD                      VERSION
details-v1-5498c86cf5-6sgd7.default                    Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       istiod-7656645d8c-wrqfq     1.13.1
istio-ingressgateway-66ff9c7b6f-f4p6n.istio-system     Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     istiod-7656645d8c-wrqfq     1.13.1
productpage-v1-65b75f6885-m8mcf.default                Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       istiod-7656645d8c-wrqfq     1.13.1
ratings-v1-b477cf6cf-k6f7c.default                     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       istiod-7656645d8c-wrqfq     1.13.1
reviews-v1-79d546878f-nk972.default                    Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       istiod-7656645d8c-wrqfq     1.13.1
reviews-v2-548c57f459-w9dvq.default                    Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       istiod-7656645d8c-wrqfq     1.13.1
reviews-v3-6dd79655b9-t8mcw.default                    Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       istiod-7656645d8c-wrqfq     1.13.1
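The two checks this step relies on (every pod showing 2/2 containers, and every sidecar appearing as SYNCED in `istioctl proxy-status`, with the SYNCED/NOT SENT/STALE meanings from Step 10) can be automated. The script below is an added example, not part of this repository or of Istio; it works on constructed copies of `kubectl get pod -o json` and `istioctl proxy-status` output rather than calling the tools, and assumes the injected container is named `istio-proxy`.

```python
"""Added example (not Istio's own code): cross-check `kubectl get pod -o json`
against `istioctl proxy-status` (Steps 10 and 11). All input is constructed."""
import json

SIDECAR = "istio-proxy"  # container name the Istio injector adds to each pod

# Constructed `kubectl get pod -n default -o json`, trimmed to the fields used.
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "details-v1-5498c86cf5-6sgd7", "namespace": "default"},
     "spec": {"containers": [{"name": "details"}, {"name": SIDECAR}]}},
    {"metadata": {"name": "ratings-v1-b477cf6cf-k6f7c", "namespace": "default"},
     "spec": {"containers": [{"name": "ratings"}]}},  # never re-created after labeling
    {"metadata": {"name": "reviews-v1-79d546878f-nk972", "namespace": "default"},
     "spec": {"containers": [{"name": "reviews"}, {"name": SIDECAR}]}},
]})

# Constructed `istioctl proxy-status` output: header row, then one row per proxy.
PROXY_STATUS = """\
NAME                                  CLUSTER     CDS     LDS     EDS     RDS       ISTIOD                    VERSION
details-v1-5498c86cf5-6sgd7.default   Kubernetes  SYNCED  SYNCED  SYNCED  SYNCED    istiod-7656645d8c-wrqfq   1.13.1
reviews-v1-79d546878f-nk972.default   Kubernetes  SYNCED  STALE   SYNCED  NOT SENT  istiod-7656645d8c-wrqfq   1.13.1
"""

def parse_proxy_status(text):
    """Return {"<pod>.<namespace>": {column: value}} for each proxy-status row."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    rows = {}
    for line in lines[1:]:
        # "NOT SENT" contains a space; join it so split() keeps the columns aligned.
        cols = line.replace("NOT SENT", "NOT_SENT").split()
        rows[cols[0]] = dict(zip(header, cols))
    return rows

def audit(pods_json, proxy_status):
    """Return sorted findings: pods without a sidecar, sidecars not connected to
    istiod, and proxies with a STALE xDS type (Step 10's legend)."""
    status, findings = parse_proxy_status(proxy_status), []
    for pod in json.loads(pods_json)["items"]:
        key = f'{pod["metadata"]["name"]}.{pod["metadata"]["namespace"]}'
        if SIDECAR not in {c["name"] for c in pod["spec"]["containers"]}:
            findings.append(f"{key}: no {SIDECAR} container (sidecar not injected)")
        elif key not in status:
            findings.append(f"{key}: sidecar present but not connected to istiod")
        else:
            stale = [x for x in ("CDS", "LDS", "EDS", "RDS") if status[key][x] == "STALE"]
            if stale:
                findings.append(f"{key}: STALE {'/'.join(stale)} (update not acknowledged)")
    return sorted(findings)
```

On a live cluster, feed it the real output of `kubectl get pod -n default -o json` and `istioctl proxy-status`; an empty result means every pod in the namespace is injected and fully synced.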

Step 12 - Create an ingress rule and generate some more traffic

  1. Create an Ingress rule to route traffic to the example application
cat <<EOF |kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bookinfo
  namespace: default
spec:
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: "/productpage"
        backend:
          service:
            name: productpage
            port:
              number: 9080
  - http:
      paths:
      - pathType: Prefix
        path: "/static"
        backend:
          service:
            name: productpage
            port:
              number: 9080
EOF
  2. Generate traffic
while sleep 0.1;do curl localhost/productpage &> /dev/null; done

Step 13 - Install Addons

  1. Install Prometheus & Grafana for Istio
cd istio-1.13.1
kubectl apply -f samples/addons/prometheus.yaml
kubectl apply -f samples/addons/grafana.yaml

kubectl rollout status deploy/grafana -n istio-system
kubectl rollout status deploy/prometheus -n istio-system

The output looks similar to the following:

deployment "grafana" successfully rolled out
deployment "prometheus" successfully rolled out
  2. Install Kiali
kubectl apply -f  samples/addons/kiali.yaml

kubectl rollout status deploy/kiali -n istio-system

The output looks similar to the following:

deployment "kiali" successfully rolled out
  3. Install Jaeger
kubectl apply -f  samples/addons/jaeger.yaml

kubectl rollout status deploy/jaeger -n istio-system

The output looks similar to the following:

deployment "jaeger" successfully rolled out

Step 14 - Set up port-forwarding to view the dashboards

  1. Port-forward Grafana
istioctl dashboard grafana

The output looks similar to the following:

http://localhost:3000

  2. Port-forward Kiali
istioctl dashboard kiali

The output looks similar to the following:

http://localhost:20001/kiali

  3. Port-forward Jaeger

istioctl dashboard jaeger

The output looks similar to the following:

http://localhost:16686

Reference