# istio deployment

2019-12-03 06:37:04
Author: louyj
# Download the release

Download the Istio release, which includes installation files, samples, and the istioctl command line utility.

- Go to the Istio release page to download the installation file corresponding to your OS. Alternatively, on a macOS or Linux system, you can run the following command to download and extract the latest release automatically:

  ```
  $ curl -L https://istio.io/downloadIstio | sh -
  ```

- Move to the Istio package directory. For example, if the package is istio-1.4.0:

  ```
  $ cd istio-1.4.0
  ```

  The installation directory contains:

  - Installation YAML files for Kubernetes in `install/kubernetes`
  - Sample applications in `samples/`
  - The istioctl client binary in the `bin/` directory. istioctl is used when manually injecting Envoy as a sidecar proxy.

- Add the istioctl client to your path, on a macOS or Linux system:

  ```
  $ export PATH=$PWD/bin:$PATH
  ```

- You can optionally enable the auto-completion option when working with a bash or ZSH console. If you are using bash, the istioctl auto-completion file is located in the tools directory. To use it, copy the istioctl.bash file to your home directory, then add the following line to your .bashrc file to source the istioctl tab completion file:

  ```
  source ~/istioctl.bash
  ```

# Install Istio (DEMO)

These instructions assume you are new to Istio and provide streamlined instructions to install Istio's built-in demo configuration profile. This installation lets you quickly get started evaluating Istio. If you are already familiar with Istio, or interested in installing other configuration profiles or a more advanced deployment model, follow the installing with istioctl instructions instead.
Install the demo profile:

```
$ istioctl manifest apply --set profile=demo
```

Verify the installation by ensuring the following Kubernetes services are deployed and that they all have an appropriate CLUSTER-IP, except the jaeger-agent service:

```
$ kubectl get svc -n istio-system
```

Also ensure the corresponding Kubernetes pods are deployed and have a STATUS of Running:

```
$ kubectl get pods -n istio-system
```

## Uninstall

The uninstall deletes the RBAC permissions, the istio-system namespace, and all resources hierarchically under it. It is safe to ignore errors for non-existent resources because they may have been deleted hierarchically.

```
$ istioctl manifest generate --set profile=demo | kubectl delete -f -
```

# Install Istio

Follow this guide to install and configure an Istio mesh for in-depth evaluation or production use. Using these instructions, you can select any one of Istio's built-in configuration profiles and then further customize the configuration for your specific needs.

## Install Istio using the default profile

The simplest option is to install the default Istio configuration profile using the following command:

```
$ istioctl manifest apply --set profile=default
# enable security on top of the default profile
$ istioctl manifest apply --set profile=default --set values.global.mtls.enabled=true --set values.global.controlPlaneSecurityEnabled=true
```

You can display the names of the Istio configuration profiles that are accessible to istioctl by using this command:

```
$ istioctl profile list
```

You can view the configuration settings of a profile using:

```
$ istioctl profile dump demo
```

To view a subset of the entire configuration, you can use the --config-path flag:

```
$ istioctl profile dump --config-path trafficManagement.components.pilot demo
```

Show differences between profiles:

```
$ istioctl profile dump default > 1.yaml
$ istioctl profile dump demo > 2.yaml
$ istioctl profile diff 1.yaml 2.yaml
```

Generate a manifest before installation:

```
$ istioctl manifest generate > $HOME/generated-manifest.yaml
$ kubectl apply -f $HOME/generated-manifest.yaml
```

## Verify a successful installation

You can check if the Istio installation succeeded using the verify-install command, which compares the installation on your cluster to a manifest you specify. If you didn't generate your manifest prior to deployment, run the following command to generate it now:

```
$ istioctl manifest generate <your original installation options> > $HOME/generated-manifest.yaml
$ istioctl manifest generate --set profile=default --set values.global.mtls.enabled=true --set values.global.controlPlaneSecurityEnabled=true > generated-manifest.yaml
```

Then run the following verify-install command to see if the installation was successful:

```
$ istioctl verify-install -f $HOME/generated-manifest.yaml
$ istioctl verify-install -f generated-manifest.yaml
```

## Customizing the configuration

In addition to installing any of Istio's built-in configuration profiles, istioctl manifest provides a complete API for customizing the configuration: https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/

The configuration parameters in this API can be set individually using --set options on the command line. For example, to enable the security feature in a default configuration profile, use this command:

```
$ istioctl manifest apply --set values.global.mtls.enabled=true --set values.global.controlPlaneSecurityEnabled=true
```

Alternatively, the IstioControlPlane configuration can be specified in a YAML file and passed to istioctl using the -f option:

```
$ istioctl manifest apply -f samples/operator/pilot-k8s.yaml
```

# Visualizing Your Mesh

## Create a secret

Create a secret in your Istio namespace with the credentials that you use to authenticate to Kiali.
First, define the credentials you want to use as the Kiali username and passphrase:

```
$ KIALI_USERNAME=$(read -p 'Kiali Username: ' uval && echo -n $uval | base64)
$ KIALI_PASSPHRASE=$(read -sp 'Kiali Passphrase: ' pval && echo -n $pval | base64)
```

To create the secret, run the following commands:

```
$ NAMESPACE=istio-system
$ kubectl create namespace $NAMESPACE
$ cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: kiali
  namespace: $NAMESPACE
  labels:
    app: kiali
type: Opaque
data:
  username: $KIALI_USERNAME
  passphrase: $KIALI_PASSPHRASE
EOF
```

## Install via istioctl

Once you create the Kiali secret, follow the install instructions to install Kiali via istioctl. For example:

```
$ istioctl manifest apply --set values.kiali.enabled=true
```

This task does not discuss Jaeger and Grafana. If you already installed them in your cluster and you want to see how Kiali integrates with them, you must pass additional arguments to the istioctl command, for example:

```
$ istioctl manifest apply \
    --set values.kiali.enabled=true \
    --set "values.kiali.dashboard.jaegerURL=http://jaeger-query:16686" \
    --set "values.kiali.dashboard.grafanaURL=http://grafana:3000"
```

Once you install Istio and Kiali, deploy the Bookinfo sample application.

## Generating a service graph

To verify the service is running in your cluster, run the following command:

```
$ kubectl -n istio-system get svc kiali
```

To determine the Bookinfo URL, follow the instructions to determine the Bookinfo ingress GATEWAY_URL: https://istio.io/docs/examples/bookinfo/#determine-the-ingress-ip-and-port

To open the Kiali UI, execute the following command in your Kubernetes environment:

```
$ istioctl dashboard kiali
```

To access the dashboard locally:

```
$ kubectl --kubeconfig ./admin-idc.conf proxy -p 8080
$ istioctl dashboard kiali
```

To log into the Kiali UI, go to the Kiali login screen and enter the username and passphrase stored in the Kiali secret.
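The same Secret built non-interactively, as an added example that is not from the Istio or Kiali docs or this post. It needs only `base64` and `awk`; the function names and the length threshold in `passphrase_is_weak` are this example's own choices. The decode step makes the security point explicit: the `data` fields are base64-encoded, not encrypted, so anyone allowed to `get` secrets in istio-system recovers the passphrase exactly the way the `kubectl get secret ... | base64 -d` commands below do, which is why read access to that namespace's secrets should be limited by RBAC.

```shell
#!/bin/sh
# Added example (not Istio/Kiali project code): build the Kiali Secret from
# arguments instead of "read", and show the fields are only base64-encoded.

# b64 STRING: base64 without trailing newline or line wrapping (portable).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# kiali_secret_manifest USERNAME PASSPHRASE [NAMESPACE]: print the Secret YAML
# that the post pipes into "kubectl apply -f -".
kiali_secret_manifest() {
  ns="${3:-istio-system}"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: kiali
  namespace: $ns
  labels:
    app: kiali
type: Opaque
data:
  username: $(b64 "$1")
  passphrase: $(b64 "$2")
EOF
}

# secret_field MANIFEST_TEXT FIELD: decode one data field back to plaintext,
# the same thing "kubectl get secret ... -o=jsonpath=... | base64 -d" does.
secret_field() {
  printf '%s\n' "$1" | awk -v f="$2" '$1 == (f ":") { print $2; exit }' | base64 -d
}

# passphrase_is_weak PASSPHRASE: return 0 (weak) for very short values or a
# few defaults that get reused; a minimal gate to run before the secret is
# applied. The 12-character threshold is this example's assumption.
passphrase_is_weak() {
  [ "${#1}" -lt 12 ] && return 0
  case "$1" in admin|kiali|password*) return 0 ;; esac
  return 1
}

# Usage (constructed values): generate the manifest and prove it decodes.
#   m=$(kiali_secret_manifest admin 'correct horse battery')
#   printf '%s\n' "$m" | kubectl apply -f -
#   secret_field "$m" passphrase      # prints: correct horse battery
```

Because `secret_field` recovers the passphrase from the manifest text alone, the same is true of the object stored in the cluster: treat the Kiali secret like any other credential and keep `get secrets` in istio-system off the roles of users who only need to view the dashboard.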
To read the stored credentials back from the secret:

```
$ kubectl get secret -n istio-system kiali -o=jsonpath='{.data.username}' | base64 -d
$ kubectl get secret -n istio-system kiali -o=jsonpath='{.data.passphrase}' | base64 -d
```

View the overview of your mesh in the Overview page that appears immediately after you log in. The Overview page displays all the namespaces that have services in your mesh. The original post included a screenshot of this page (not reproduced here), taken from the local dashboard at http://localhost:60015/.

To view a summary of metrics, select any node or edge in the graph to display its metric details in the summary details panel on the right.

To view your service mesh using different graph types, select a graph type from the Graph Type drop-down menu. There are several graph types to choose from: App, Versioned App, Workload, Service. The App graph type aggregates all versions of an app into a single graph node. The post's example screenshot (not reproduced here) shows a single reviews node representing the three versions of the reviews app.

## Cleanup

If you are not planning any follow-up tasks, remove the Bookinfo sample application and Kiali from your cluster.

To remove the Bookinfo application, refer to the Bookinfo cleanup instructions.

To remove Kiali from a Kubernetes environment, remove all components with the app=kiali label:

```
$ kubectl delete all,secrets,sa,configmaps,deployments,ingresses,clusterroles,clusterrolebindings,customresourcedefinitions --selector=app=kiali -n istio-system
```

# Deploy Application

With Istio installed, you can now deploy your own application or one of the sample applications provided with the installation.
**The application must use either the HTTP/1.1 or HTTP/2.0 protocols for all its HTTP traffic; HTTP/1.0 is not supported.**

When you deploy your application using `kubectl apply`, the Istio sidecar injector will automatically inject Envoy containers into your application pods if they are started in namespaces labeled with `istio-injection=enabled`:

```
$ kubectl label namespace <namespace> istio-injection=enabled
$ kubectl create -n <namespace> -f <your-app-spec>.yaml
```

In namespaces *without* the `istio-injection` label, you can use `istioctl kube-inject` to manually inject Envoy containers into your application pods before deploying them:

```
$ istioctl kube-inject -f <your-app-spec>.yaml | kubectl apply -f -
```

## Bookinfo Application

### Start the application services

Change directory to the root of the Istio installation. The default Istio installation uses automatic sidecar injection. Label the namespace that will host the application with `istio-injection=enabled`:

```
$ kubectl label namespace default istio-injection=enabled
```

If you use OpenShift, make sure to give appropriate permissions to service accounts on the namespace as described in the OpenShift setup page.

Deploy your application using the kubectl command:

```
$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
```

If you disabled automatic sidecar injection during installation and rely on manual sidecar injection, use the istioctl kube-inject command to modify the bookinfo.yaml file before deploying your application:

```
$ kubectl apply -f <(istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml)
```

The command launches all four services shown in the bookinfo application architecture diagram. All 3 versions of the reviews service, v1, v2, and v3, are started. In a realistic deployment, new versions of a microservice are deployed over time instead of deploying all versions simultaneously.
Confirm all services and pods are correctly defined and running:

```
$ kubectl get services
$ kubectl get pods
```

To confirm that the Bookinfo application is running, send a request to it with a curl command from some pod, for example from ratings:

```
$ kubectl exec -it $(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}') -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"
```

### Determine the ingress IP and port

Now that the Bookinfo services are up and running, you need to make the application accessible from outside of your Kubernetes cluster, e.g., from a browser. An Istio Gateway is used for this purpose.

Define the ingress gateway for the application:

```
$ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
```

Confirm the gateway has been created:

```
$ kubectl get gateway
NAME               AGE
bookinfo-gateway   32s
```

Follow the instructions in **Determining the ingress IP and ports** below to set the INGRESS_HOST and INGRESS_PORT variables for accessing the gateway. Return here when they are set.

Set GATEWAY_URL:

```
$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
```

### Determining the ingress IP and ports

See https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports

Execute the following command to determine if your Kubernetes cluster is running in an environment that supports external load balancers:

```
$ kubectl get svc istio-ingressgateway -n istio-system
NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP      PORT(S)                                      AGE
istio-ingressgateway   LoadBalancer   172.21.109.129   130.211.10.121   80:31380/TCP,443:31390/TCP,31400:31400/TCP   17h
```

If the EXTERNAL-IP value is set, your environment has an external load balancer that you can use for the ingress gateway. If the EXTERNAL-IP value is `<none>` (or perpetually `<pending>`), your environment does not provide an external load balancer for the ingress gateway. In this case, you can access the gateway using the service's node port.
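The decision just described (an EXTERNAL-IP means the load balancer is usable; `<none>` or a perpetual `<pending>` means fall back to the node port on a node address), as an added shell example that is not part of the Istio docs or this post. It parses the `kubectl get svc istio-ingressgateway` row shown above; the node address `app-dev-01` stands in for whatever worker node you would use, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Istio project code): resolve GATEWAY_URL from the
# ingress gateway service row, covering the no-load-balancer case.

# resolve_gateway_url EXTERNAL_IP LB_PORT NODE_PORT NODE_HOST
# Prints HOST:PORT for GATEWAY_URL; returns 1 when nothing usable is known.
resolve_gateway_url() {
  ext="$1"; lb_port="$2"; node_port="$3"; node_host="$4"
  case "$ext" in
    ""|"<none>"|"<pending>")
      # no external load balancer: use the node port on a worker node address
      [ -n "$node_host" ] && [ -n "$node_port" ] || return 1
      printf '%s:%s\n' "$node_host" "$node_port" ;;
    *)
      [ -n "$lb_port" ] || return 1
      printf '%s:%s\n' "$ext" "$lb_port" ;;
  esac
}

# gateway_url_from_svc_line SVC_LINE NODE_HOST
# Takes one data row of "kubectl get svc istio-ingressgateway -n istio-system"
# (columns: NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE), picks the
# "80:<nodePort>/TCP" mapping for plain HTTP, and resolves the URL.
gateway_url_from_svc_line() {
  line="$1"; node_host="$2"
  ext=$(printf '%s\n' "$line" | awk '{ print $4 }')
  ports=$(printf '%s\n' "$line" | awk '{ print $5 }')
  # "80:31380/TCP" -> lb_port=80, node_port=31380
  http_map=$(printf '%s\n' "$ports" | tr ',' '\n' | grep '^80:' | head -n 1)
  lb_port=${http_map%%:*}
  node_port=${http_map#*:}; node_port=${node_port%%/*}
  resolve_gateway_url "$ext" "$lb_port" "$node_port" "$node_host"
}

# check_productpage HOST:PORT: the same reachability check as the curl | grep
# command in the post, returning the page title. Needs the cluster, so it is
# not exercised offline.
check_productpage() {
  curl -s "http://$1/productpage" | grep -o "<title>.*</title>"
}

# Usage against a live cluster (app-dev-01 is a placeholder node address):
#   row=$(kubectl get svc istio-ingressgateway -n istio-system --no-headers)
#   export GATEWAY_URL=$(gateway_url_from_svc_line "$row" app-dev-01)
#   check_productpage "$GATEWAY_URL"
```

When the service stays `<pending>`, the function deliberately returns the node-port form rather than an empty `GATEWAY_URL`, which is the failure mode the page warns about: an unset host silently turns the later curl into `http://:80/productpage`.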
Choose the instructions corresponding to your environment.

External load balancer:

```
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
```

Node port:

```
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
$ export INGRESS_HOST=app-dev-01   # a worker node address; app-dev-01 is the author's node
```

Set GATEWAY_URL:

```
$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
```

### Confirm the app is accessible from outside the cluster

To confirm that the Bookinfo application is accessible from outside the cluster, run the following curl command:

```
$ curl -s http://${GATEWAY_URL}/productpage | grep -o "<title>.*</title>"
```

You can also point your browser to http://$GATEWAY_URL/productpage to view the Bookinfo web page. If you refresh the page several times, you should see different versions of reviews shown in productpage, presented in a round robin style (red stars, black stars, no stars), since we haven't yet used Istio to control the version routing.

### Apply default destination rules

Before you can use Istio to control the Bookinfo version routing, you need to define the available versions, called subsets, in destination rules.
Run the following command to create default destination rules for the Bookinfo services.

If you did not enable mutual TLS, execute this command:

```
$ kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml
```

If you did enable mutual TLS, execute this command:

```
$ kubectl apply -f samples/bookinfo/networking/destination-rule-all-mtls.yaml
```

Wait a few seconds for the destination rules to propagate. You can display the destination rules with the following command:

```
$ kubectl get destinationrules -o yaml
```

### Cleanup

When you're finished experimenting with the Bookinfo sample, uninstall and clean it up using the following instructions.

Delete the routing rules and terminate the application pods:

```
$ samples/bookinfo/platform/kube/cleanup.sh
```

Confirm shutdown:

```
$ kubectl get virtualservices   #-- there should be no virtual services
$ kubectl get destinationrules  #-- there should be no destination rules
$ kubectl get gateway           #-- there should be no gateway
$ kubectl get pods              #-- the Bookinfo pods should be deleted
```

# Configuration

View the istio configuration:

```
$ kubectl get configmap istio -n istio-system -o yaml
```

You can run the following command to change one config key (here the outbound traffic policy, from REGISTRY_ONLY to ALLOW_ANY):

```
$ kubectl get configmap istio -n istio-system -o yaml | sed 's/mode: REGISTRY_ONLY/mode: ALLOW_ANY/g' | kubectl replace -n istio-system -f -
```

## Finally config

```
$ istioctl manifest apply --set profile=default --set values.global.mtls.enabled=true --set values.global.controlPlaneSecurityEnabled=true --set values.global.proxy.accessLogFile="/dev/stdout" --set values.kiali.enabled=true
```

## Enable Envoy's access logging

Edit the istio configuration map:

```
$ istioctl manifest apply --set values.global.proxy.accessLogFile="/dev/stdout"
$ istioctl manifest apply --set profile=default --set values.global.mtls.enabled=true --set values.global.controlPlaneSecurityEnabled=true --set values.global.proxy.accessLogFile="/dev/stdout"
```

You can also choose between JSON and text by setting accessLogEncoding to JSON or TEXT. You may also want to customize the format of the access log by editing accessLogFormat.
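An added example, not from the Istio docs or this post, that audits the two mesh settings the Configuration and access-logging sections above touch before a modified configmap goes back into the cluster with `kubectl replace`: `outboundTrafficPolicy.mode` (REGISTRY_ONLY confines sidecar egress to hosts in the service registry, while ALLOW_ANY lets any pod reach any external host through its sidecar) and `accessLogFile` (empty means Envoy writes no access log). The configmap text is a constructed, trimmed sample so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Istio project code): audit and rewrite the "mesh" block
# of the istio configmap as text, the way the post's sed pipeline does.

# Constructed sample of "kubectl get configmap istio -n istio-system -o yaml",
# trimmed to the keys this example reads. Values are made up.
SAMPLE_CONFIGMAP='apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    accessLogFile: "/dev/stdout"
    accessLogEncoding: TEXT
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
    enableAutoMtls: false
  meshNetworks: |-
    networks: {}
'

# mesh_setting CONFIGMAP_YAML KEY: print the value of KEY inside the "mesh"
# block (first match; quotes stripped). Keys outside that block are ignored.
mesh_setting() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^  mesh:/  { inmesh = 1; next }
    /^  [^ ]/   { inmesh = 0 }
    inmesh && $1 == (key ":") { v = $2; gsub(/^"|"$/, "", v); print v; exit }'
}

# audit_mesh CONFIGMAP_YAML: print one line per finding; return 1 if any.
audit_mesh() {
  rc=0
  mode=$(mesh_setting "$1" mode)
  logfile=$(mesh_setting "$1" accessLogFile)
  if [ "$mode" = "ALLOW_ANY" ]; then
    echo "outboundTrafficPolicy.mode=ALLOW_ANY: sidecars may reach any external host"
    rc=1
  fi
  if [ -z "$logfile" ]; then
    echo "accessLogFile is empty: Envoy access logging is disabled"
    rc=1
  fi
  return $rc
}

# set_outbound_mode CONFIGMAP_YAML MODE: the post's sed rewrite applied to
# text instead of a live cluster; pipe the result to "kubectl replace -f -".
set_outbound_mode() {
  printf '%s\n' "$1" | sed "s/mode: REGISTRY_ONLY/mode: $2/; s/mode: ALLOW_ANY/mode: $2/"
}

# Usage against a live cluster:
#   cm=$(kubectl get configmap istio -n istio-system -o yaml)
#   audit_mesh "$cm" || echo "review findings before applying"
#   set_outbound_mode "$cm" REGISTRY_ONLY | kubectl replace -n istio-system -f -
```

Run `audit_mesh` on the output of the `kubectl get configmap` command whenever the mesh config is edited by hand: the post's sed line opens egress for every sidecar in the mesh, so a check that reports that state, and the audit for a blank `accessLogFile`, is cheap insurance before the `kubectl replace`.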
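The Customizing the configuration section points at the `-f` form of `istioctl manifest apply` but shows no file of its own, and the Finally config section sets the same options with a long `--set` list. As an added example that is not from the Istio docs or this post, here is that final configuration written as an IstioControlPlane file, with a preflight check that refuses a manifest in which either mTLS or control-plane security has been switched off. The manifest layout assumes the Istio 1.4 `install.istio.io/v1alpha2` API used by the `samples/operator` files; `yaml_path_value` is a deliberately small reader for indented mappings (no lists or flow syntax), and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not Istio project code): the post's "Finally config" as an
# IstioControlPlane manifest plus a preflight check on its security settings.

# write_secure_profile_manifest PATH: write the IstioControlPlane YAML to PATH.
write_secure_profile_manifest() {
  cat >"$1" <<'EOF'
apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  profile: default
  values:
    global:
      # mutual TLS between sidecars
      mtls:
        enabled: true
      # TLS on sidecar-to-control-plane (Pilot, Mixer, Galley) connections
      controlPlaneSecurityEnabled: true
      proxy:
        # Envoy access logs to stdout so kubectl logs and the log pipeline see them
        accessLogFile: "/dev/stdout"
        accessLogEncoding: JSON
    kiali:
      enabled: true
EOF
}

# yaml_path_value FILE DOTTED.PATH: walk an indented YAML mapping by
# indentation and print the scalar at DOTTED.PATH (quotes stripped).
yaml_path_value() {
  awk -v path="$2" '
    BEGIN { n = split(path, want, "."); depth = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      match($0, /^[ \t]*/); ind = RLENGTH
      line = substr($0, ind + 1)
      split(line, kv, ":"); key = kv[1]
      val = line; sub(/^[^:]*:[ \t]*/, "", val)
      # pop mapping levels that are not parents of this line
      while (depth > 0 && stack_ind[depth] >= ind) depth--
      depth++; stack_ind[depth] = ind; stack_key[depth] = key
      if (depth == n) {
        ok = 1
        for (i = 1; i <= n; i++) if (stack_key[i] != want[i]) ok = 0
        if (ok) { gsub(/^"|"$/, "", val); print val; exit }
      }
    }' "$1"
}

# preflight PATH: return 1 (and say why) unless both security settings are true.
preflight() {
  rc=0
  for p in spec.values.global.mtls.enabled spec.values.global.controlPlaneSecurityEnabled; do
    v=$(yaml_path_value "$1" "$p")
    if [ "$v" != "true" ]; then
      echo "manifest $1: $p is '${v:-unset}', expected true" >&2
      rc=1
    fi
  done
  return $rc
}

# Usage: sh secure-profile.sh /tmp/secure-profile.yaml \
#          && istioctl manifest apply -f /tmp/secure-profile.yaml
if [ $# -ge 1 ]; then
  write_secure_profile_manifest "$1" && preflight "$1" && echo "manifest $1 passes preflight"
fi
```

Keeping the settings in a file rather than a shell history of `--set` flags makes them reviewable and lets the preflight run in CI before `istioctl manifest apply`; `istioctl verify-install -f` then confirms what actually landed in the cluster.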