How To Install and Configure an Istio Service Mesh

Posted on by Liquid Web | Updated:
Reading Time: 6 minutes

What is a Service Mesh?

A service mesh is a layer that aids the interaction between services or microservices. It helps control the flow of incidental information between services using a logic built into the service mesh. The mesh itself utilizes what’s called a sidecar proxy to share that data over the network.

What is a Sidecar Proxy?

A sidecar proxy is a function that is attached to every service or microservice. The sidecar process expands the service’s functionality as it shifts supplementary tasks like communication, monitoring, and security away from the service’s primary job. This allows sidecars to simplify the application’s maintenance while communicating with other services in the mesh control plane.

What is a Control Plane?

A control plane is the part of the network where specific processes occur, like routing mesh traffic. A service mesh is split into two planes:

  • Data Plane - The data plane (or forwarding plane) employs a logic-based proxy called Envoy that is deployed as a sidecar. It is designed to negotiate and control the communications between microservices. It also gathers and reports on all the mesh traffic telemetry.
  • Control Plane - The control plane sits above the data plane and configures and manages the proxy’s behavior.

What is Istio?

Istio is a modern service mesh networking layer that provides a transparent and language-independent method to quickly and flexibly automate application network functions. Its primary function is to support how microservices communicate and share data. With teams from both Google and IMB and the Envoy team at Lyft, this project was created and shared on GitHub as an open-source software solution. Istio is used by many well-known companies, including eBay, Lowes, Spotify, Walmart, Yahoo, and the U.S. Air Force.

How Does Istio Work?

Istio manages the communications and interactions between microservices. Istio is composed of two main components:

  • Envoy - Envoy is the advanced performance sidecar proxy used to facilitate all the inbound and outbound service traffic in the service mesh. Envoy primarily interacts with the data plane traffic.
  • Istiod - This component converts high-level routing patterns into Envoy-specific formats, transmitting them to the other sidecars in the mesh.

How To Install minikube

Prerequisites

In this tutorial, we will be using minikube.

The following steps require us to have a Kubernetes-based cluster up and running utilizing one of the following versions of Kubernetes: 1.17, 1.18, 1.19, 1.20. Other supported platforms like MicroK8s, minikube, and Kops are outlined in the alternate platform setup instructions.

For the Secret Discovery Service (SDS) to operate correctly in minikube, some extra configurations are required. For the latest flags, always review the API server reference information.

Step 1.

Install the latest version of minikube.

Step 2.

Install the latest version of the minikube hypervisor driver for your specific operating system (Linux, macOS, or Windows). We will be using the Linux version.

Run the following commands as a user with elevated privileges.

Binary (amd64 / x86_64)

adminuser@host:~# curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
adminuser@host:~# install minikube-linux-amd64 /usr/local/bin/minikube

Debian/Ubuntu

adminuser@host:~# curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube_latest_amd64.deb
adminuser@host:~# dpkg -i minikube_latest_amd64.deb

RedHat/CentOS RPM

adminuser@host:~# curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-latest.x86_64.rpm
adminuser@host:~# rpm -ivh minikube-latest.x86_64.rpm

Step 3.

Start the cluster.

adminuser@host:~# minikube start

Step 4.

Set the minikube hypervisor driver type (if we are not using the default driver). For example, if we set up a KVM hypervisor, set the driver type in the minikube configuration file using this command.

adminuser@host:~# minikube config set driver kvm2

Step 5.

Start minikube using 4 CPUs and 16384 MB of memory. In our example, we are using version 1.20.0 of Kubernetes. Users can modify the variant of Kubernetes to any version supported by Istio. This can be accomplished using the --kubernetes-version value in the following command.

adminuser@host:~# minikube start --memory=16384 --cpus=4 --kubernetes-version=v1.20.0
Note:
Depending on the platform and hypervisor selected, minimum memory requirements may vary. Here, we are using the recommended requirements of 16384 MB to run Istio with the project example we are using called Bookinfo. Various errors (VM lockups, network instability, kubectl failures, etc.) may occur if not enough allocated RAM is available.

Install Istio

Step 1. Download Istio

Download and extract the latest Istio version automatically.

adminuser@host:~# curl -L https://istio.io/downloadIstio | sh -
Note:
Users can also manually download the alternate installation files for your OS version.

The above command downloads and installs the latest version of Istio. Users can download a specific or alternate version using the following syntax variable with the curl command.

adminuser@host:~# curl -L https://istio.io/downloadIstio | ISTIO_VERSION=x.x.x TARGET_ARCH=x86_64 sh -

Step 2. Change Directories

Use the cd command to get into the directory where Istio is extracted.

adminuser@host:~# cd istio-1.8.4

This directory contains application samples and the istioctl client binary (in the /bin folder).

Step 3. Add Path

Add the istioctl client to our path.

adminuser@host:~# export PATH=$PWD/bin:$PATH

Step 4. Configure Profile

Configure the demonstration profile.

adminuser@host:~# istioctl install --set profile=demo -y
 ✔ Istio core installed
 ✔ Istiod installed
 ✔ Egress gateways installed
 ✔ Ingress gateways installed
 ✔ Installation complete

Step 5. Add Designation

Add a namespace designation. This information tells Istio where to automatically insert the Envoy sidecar proxies when we deploy our application. The namespace name is a vital part of this process.

adminuser@host:~# kubectl label namespace lwdefault istio-injection=enabled
namespace/lwdefault labeled

Step 6. Deploy Application

Deploy the default Bookinfo sample application.

adminuser@host:~# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
 service/details created
 serviceaccount/bookinfo-details created
 deployment.apps/details-v1 created
 service/ratings created
 serviceaccount/bookinfo-ratings created
 deployment.apps/ratings-v1 created
 service/reviews created
 serviceaccount/bookinfo-reviews created
 deployment.apps/reviews-v1 created
 deployment.apps/reviews-v2 created
 deployment.apps/reviews-v3 created
 service/productpage created
 serviceaccount/bookinfo-productpage created
 deployment.apps/productpage-v1 created

Now, the default application will begin building pods. As each pod becomes available, the Istio sidecar will be installed alongside it. To view pod info, run the following commands.

adminuser@host:~# kubectl get services
NAME        TYPE       CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
details     ClusterIP  10.1.0.212   <none>        9080/TCP    25s
kubernetes  ClusterIP  10.1.0.1     <none>         443/TCP    20m
Productpage ClusterIP  10.1.0.57    <none>        9080/TCP    25s
ratings     ClusterIP  10.1.0.33    <none>        9080/TCP    25s
reviews     ClusterIP  10.1.0.28    <none>        9080/TCP    25s
adminuser@host:~# kubectl get pods
NAME	                           READY   STATUS    RESTARTS   AGE
details-v1-558b8b4b76-2llld      2/2     Running   	0          	2m24s
productpage-v1-6987489c74-lpkgl  2/2     Running   	0          	2m24s
ratings-v1-7dc98c7588-vzftc      2/2     Running   	0          	2m24s
reviews-v1-7f99cc4496-gdxfn      2/2     Running   	0          	2m24s
reviews-v2-7d79d5bd5d-8zzqd      2/2     Running   	0          	2m24s
reviews-v3-7dbcdcbc56-m8dph      2/2     Running   	0          	2m24s

Continue running the kubectl get pods command until all pods report as READY 2/2 and STATUS Running before moving onto the next step.

Step 7. Verify Service

Run the following command to check and see if the default app is running inside the cluster. It should be serving HTML pages by checking for the page title in the response.

adminuser@host:~# kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"

Allow External Traffic

The Bookinfo application is now deployed but is inaccessible from the outside world. To enable external access, we need to establish an Istio Ingress Gateway. This step charts a path to a route at the edge of your mesh. Now we will associate the default application with the gateway for Istio.

$ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created

Next, to ensure that there are not any issues with the configuration, run this command.

$ istioctl analyze
✔ No validation issues found when analyzing namespace: default.

Identify the Ingress IP and Ports

Use the following commands to set the INGRESS_HOST and INGRESS_PORT settings to access the gateway.

$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')

To ensure a port was effectively set for each environment variable, run these commands.

$ echo "$INGRESS_PORT"
32194

$ echo "$SECURE_INGRESS_PORT"
31632

Next, set the IP address for Ingress.

$ export INGRESS_HOST=$(minikube ip)

To verify the IP address was assigned successfully to the environment variable, run this command.

$ echo "$INGRESS_HOST"
192.168.4.102

Now, run this command in a new terminal window. This starts a minikube tunnel that routes traffic to the Istio Ingress Gateway.

$ minikube tunnel

Next, we can set the GATEWAY_URL variable.

$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT

To ensure a port and IP address were assigned successfully to the environment variable, run this command.

$ echo "$GATEWAY_URL"
192.168.99.100:32194

Confirm External Access

Now we can confirm that the default Bookinfo app is externally accessible by visiting the product page in a browser. Run this command to recall the external IP address of the Bookinfo application.

$ echo "http://$GATEWAY_URL/productpage"

Finally, we paste the output from the earlier command into our web browser to confirm the product page displays correctly.

Conclusion

Because most major micro-service architectures use hundreds or thousands of services and microservices, a dependable service mesh is mandatory. Istio meets this need as it reliably controls the flow of peripheral data between these services.

Istio, Kubernetes, or other modern platforms work great on server clusters. Contact us today to talk to a Managed Hosting Advisor to learn more.

Latest Articles

Blocking IP or whitelisting IP addresses with UFW

Read Article

CentOS Linux 7 end of life migrations

Read Article

Use ChatGPT to diagnose and resolve server issues

Read Article

What is SDDC VMware?

Read Article

Best authentication practices for email senders

Read Article