Installing Istio on VMware Tanzu Kubernetes Cluster

Source -> RedHat Documentation

What is Istio?

Istio is an open source project for managing a service mesh in a microservices architecture. It is one of the most popular service mesh solutions and is widely used by several leading organisations.

Tanzu Service Mesh is a SaaS solution from VMware to manage service mesh. Tanzu Service Mesh internally uses Istio for the same.

Istio Installation Steps using istioctl

Log in to the TKG cluster and view the nodes

Ensure that you have enough resources on the nodes to install Istio. It is also better to have more than one worker node in the cluster. The commands in this post use k as a shell alias for kubectl.

$ k get nodes
NAME                                    STATUS   ROLES                  AGE   VERSION
demo-cluster-control-plane-758tp    Ready    control-plane,master   22d   v1.20.5+vmware.1
demo-cluster-control-plane-8qhvz    Ready    control-plane,master   22d   v1.20.5+vmware.1
demo-cluster-control-plane-kbrbn    Ready    control-plane,master   22d   v1.20.5+vmware.1
demo-cluster-md-0-7b749d645-6z2fc   Ready    <none>                 22d   v1.20.5+vmware.1
demo-cluster-md-0-7b749d645-ddcr7   Ready    <none>                 22d   v1.20.5+vmware.1
demo-cluster-md-0-7b749d645-n2dz9   Ready    <none>                 22d   v1.20.5+vmware.1

For better performance, go with a minimum of 16GB RAM and 4 CPUs.

Installation Pre-requirements

#1: Download istioctl on the node from which you connect to the TKG cluster.

$  curl -L https://istio.io/downloadIstio | sh -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   102  100   102    0     0    254      0 --:--:-- --:--:-- --:--:--   253
100  4549  100  4549    0     0   8285      0 --:--:-- --:--:-- --:--:--  8285

Downloading istio-1.11.2 from https://github.com/istio/istio/releases/download/1.11.2/istio-1.11.2-linux-amd64.tar.gz ...

Istio 1.11.2 Download Complete!

Istio has been successfully downloaded into the istio-1.11.2 folder on your system.

Next Steps:
See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster.

To configure the istioctl client tool for your workstation,
add the /root/dinesh/istio-1.11.2/bin directory to your environment path variable with:
         export PATH="$PATH:/root/dinesh/istio-1.11.2/bin"

Begin the Istio pre-installation check by running:
         istioctl x precheck

Need more information? Visit https://istio.io/latest/docs/setup/install/

Note: The command above downloads the latest version of Istio. If you are looking for a specific version, run the command below.
$ curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.6.8 TARGET_ARCH=x86_64 sh -
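Piping a remote script straight into sh runs whatever the server returns. The script below is an added example, not part of the original post or the Istio project: it fetches a pinned release tarball and unpacks it only if its SHA-256 matches the published checksum. It assumes the release page carries a .sha256 file next to the tarball and that sha256sum is installed; the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example: download a pinned Istio release and verify it before unpacking.
ISTIO_VERSION="${ISTIO_VERSION:-1.11.2}"   # version used in this post
BASE="https://github.com/istio/istio/releases/download/${ISTIO_VERSION}"
TARBALL="istio-${ISTIO_VERSION}-linux-amd64.tar.gz"

# verify_sha256 FILE CHECKSUM_FILE
# Returns 0 if the SHA-256 of FILE equals the first field of CHECKSUM_FILE,
# 1 on mismatch, 2 if either file is unreadable or the checksum is malformed.
verify_sha256() {
  local file="$1" sumfile="$2" expected actual
  [ -r "$file" ] && [ -r "$sumfile" ] || return 2
  expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
  # Reject anything that is not exactly 64 hex characters,
  # for example an HTML error page saved in place of the checksum.
  case "$expected" in
    *[!0-9a-f]*|"") return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 2
  actual=$(sha256sum "$file" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# fetch_istio: download tarball and checksum, unpack only after verification.
# Assumption: the release publishes <tarball>.sha256 beside the tarball.
fetch_istio() {
  curl -fsSLO "${BASE}/${TARBALL}" &&
  curl -fsSLO "${BASE}/${TARBALL}.sha256" &&
  verify_sha256 "$TARBALL" "${TARBALL}.sha256" &&
  tar -xzf "$TARBALL"
}

# Nothing is downloaded unless the script is called with --fetch.
if [ "${1:-}" = "--fetch" ]; then
  fetch_istio || { echo "download or verification failed" >&2; exit 1; }
fi
```

A checksum fetched from the same release page detects a corrupted or substituted download, not a compromised release.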

#2: Go to the folder and verify the downloaded artifacts

$ cd istio-1.11.2
$ ls -l
total 40
drwxr-x---  2 root root  4096 Aug 31 23:52 bin
-rw-r--r--  1 root root 11348 Aug 31 23:52 LICENSE
drwxr-xr-x  5 root root  4096 Aug 31 23:52 manifests
-rw-r-----  1 root root   854 Aug 31 23:52 manifest.yaml
-rw-r--r--  1 root root  5866 Aug 31 23:52 README.md
drwxr-xr-x 20 root root  4096 Aug 31 23:52 samples
drwxr-xr-x  3 root root  4096 Aug 31 23:52 tools

#3: Add the “istioctl” to your current PATH.

$ export PATH=$PWD/bin:$PATH
$ echo $PATH
/root/dinesh/istio-1.11.2/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

#4: Validate that you can run istioctl by using the command below.

$ istioctl version
no running Istio pods in "istio-system"
1.11.2

#5: Decide on the Istio profile that you want to install. To list the Istio profiles, run the command below.

$ istioctl profile list
Istio configuration profiles:
    default
    demo
    empty
    external
    minimal
    openshift
    preview
    remote

In this post, I will be using the demo profile for the Istio installation. To see the difference between profiles, for example between the default and demo profiles, run the command below.

$ istioctl profile diff default demo

#6: You are now ready to install Istio on a TKG cluster.

Install Istio

#1: Run the below command to install istio.

$ istioctl install --set profile=demo -y
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete
Thank you for installing Istio 1.11.  Please take a few minutes to tell us about your install/upgrade experience!  https://forms.gle/kWULBRjUv7hHci7T6

#2: Validate the installation. See the resources deployed in the “istio-system” namespace.

$ k get pods -n istio-system
NAME                                    READY   STATUS    RESTARTS   AGE
istio-egressgateway-6c9486d667-sck76    1/1     Running   0          4m8s
istio-ingressgateway-556bd8b675-wrf6v   1/1     Running   0          4m8s
istiod-96b47b576-rpm9p                  1/1     Running   0          4m22s

# List the services in the istio-system namespace
$ k get svc -n istio-system
NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP      PORT(S)                                                                      AGE
istio-egressgateway    ClusterIP      100.65.109.226   <none>           80/TCP,443/TCP                                                               13m
istio-ingressgateway   LoadBalancer   100.71.210.191   172.168.21.111   15021:31140/TCP,80:31811/TCP,443:31985/TCP,31400:31467/TCP,15443:31330/TCP   13m
istiod                 ClusterIP      100.66.45.186    <none>           15010/TCP,15012/TCP,443/TCP,15014/TCP                                        13m

Post Install Steps

We have completed the installation steps, but Istio will not inject the sidecar proxies unless we label the namespace.

#1. Labelling the namespace

$ k label namespace default istio-injection=enabled
namespace/default labeled

#2. Validate the label in default namespace.

$ k describe ns default
Name:         default
Labels:       istio-injection=enabled
Annotations:  <none>
Status:       Active

No resource quota.

No LimitRange resource.

Deploy Sample application for Testing our setup

#1. Deploy a sample nginx image

$ k run nginx --image nginx --expose  --port 80
service/nginx created
pod/nginx created

#2. Now, see the number of containers in the nginx pod. You will see two containers (one for nginx and one for the envoy sidecar).

$ k get pods
NAME    READY   STATUS    RESTARTS   AGE
nginx   2/2     Running   0          53s

So, nginx is now running. But to open it for external access, we need to create an ingress Gateway and a VirtualService resource. Save the content below to a yaml file.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: nginx-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP # must be HTTP (not TCP) for the VirtualService's http routes to apply
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx
spec:
  hosts:
  - "*"
  gateways:
  - nginx-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: nginx
        port:
          number: 80

#3: Apply the yaml file in the same namespace where the application is deployed. In my case, that is the default namespace.

$  k apply -f gw-vs.yml
gateway.networking.istio.io/nginx-gateway created
virtualservice.networking.istio.io/nginx created

#4: Validate the gateway and virtual service resource.

$ k get vs,gw
NAME                                       GATEWAYS            HOSTS   AGE
virtualservice.networking.istio.io/nginx   ["nginx-gateway"]   ["*"]   114s

NAME                                        AGE
gateway.networking.istio.io/nginx-gateway   114s

#5: Access the nginx app using a browser.

$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')

$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT

$ echo "$GATEWAY_URL"

Paste the above output into a web browser and you will see the nginx page.

Deploying Istio Addons

Istio also provides several addons, e.g. kiali for the dashboard, jaeger for tracing, and prometheus & grafana for monitoring. You can see the yaml files in your Istio folder.

$ ls -l samples/addons/
total 284
drwxr-xr-x 2 root root   4096 Aug 31 23:52 extras
-rw-r--r-- 1 root root 245502 Aug 31 23:52 grafana.yaml
-rw-r--r-- 1 root root   2533 Aug 31 23:52 jaeger.yaml
-rw-r--r-- 1 root root  11008 Aug 31 23:52 kiali.yaml
-rw-r--r-- 1 root root  13633 Aug 31 23:52 prometheus.yaml
-rw-r--r-- 1 root root   5194 Aug 31 23:52 README.md

$ ls -l samples/addons/extras/
total 40
-rw-r--r-- 1 root root  1517 Aug 31 23:52 prometheus-operator.yaml
-rw-r--r-- 1 root root 15681 Aug 31 23:52 prometheus_vm_tls.yaml
-rw-r--r-- 1 root root 14679 Aug 31 23:52 prometheus_vm.yaml
-rw-r--r-- 1 root root  1096 Aug 31 23:52 zipkin.yaml

I will install kiali for demo purposes here, but you can apply the other yaml files in your TKG cluster. Also remember that TKG provides you a prometheus instance and you might want to use that.

Install Kiali

Apply the manifest file for installing kiali. Note: This will be installed in the istio-system namespace.

$ k apply -f samples/addons/kiali.yaml
serviceaccount/kiali created
configmap/kiali created
clusterrole.rbac.authorization.k8s.io/kiali-viewer created
clusterrole.rbac.authorization.k8s.io/kiali created
clusterrolebinding.rbac.authorization.k8s.io/kiali created
role.rbac.authorization.k8s.io/kiali-controlplane created
rolebinding.rbac.authorization.k8s.io/kiali-controlplane created
service/kiali created
deployment.apps/kiali created

Note: By default, the kiali service is created with type ClusterIP; update the service type to NodePort or LoadBalancer to access it from outside. In my case, I did it via NodePort.
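Switching a service to NodePort or LoadBalancer makes it reachable from outside the cluster, so it is worth checking which services in istio-system end up exposed. The script below is an added example, not part of the original post: it reads the table printed by k get svc and reports exposed services that are not on an allow-list. The function names and the ALLOWED variable are illustrative, and the kiali row in the sample is constructed.

```shell
#!/usr/bin/env bash
# Added example: audit `kubectl get svc` table output for externally exposed services.

# Services that are expected to be reachable from outside (space separated).
ALLOWED="${ALLOWED:-istio-ingressgateway}"

# list_exposed: read the table on stdin and print "name type external-ip ports"
# for every service of type NodePort or LoadBalancer (header row skipped).
list_exposed() {
  awk 'NR > 1 && ($2 == "NodePort" || $2 == "LoadBalancer") {
         print $1, $2, $4, $5 }'
}

# unexpected_exposed: names of exposed services that are not in ALLOWED.
unexpected_exposed() {
  list_exposed | awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($1 in ok) { print $1 }'
}

# sample_svc_table: the service table shown earlier in this post, plus a
# constructed kiali row as it would look after switching it to NodePort.
sample_svc_table() {
  cat <<'EOF'
NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP      PORT(S)                                                                      AGE
istio-egressgateway    ClusterIP      100.65.109.226   <none>           80/TCP,443/TCP                                                               13m
istio-ingressgateway   LoadBalancer   100.71.210.191   172.168.21.111   15021:31140/TCP,80:31811/TCP,443:31985/TCP,31400:31467/TCP,15443:31330/TCP   13m
istiod                 ClusterIP      100.66.45.186    <none>           15010/TCP,15012/TCP,443/TCP,15014/TCP                                        13m
kiali                  NodePort       100.64.0.10      <none>           20001:30001/TCP,9090:30090/TCP                                               2m
EOF
}

# Live use against the cluster:
#   kubectl get svc -n istio-system | unexpected_exposed
```

For a quick look at the dashboard without changing the service type, kubectl port-forward svc/kiali -n istio-system 20001:20001 keeps it bound to localhost on your workstation.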

Access the dashboard

You can install other addons and they will be really helpful to manage the services.

That’s all in this post. I will explain more in detail about istio in later posts.
