diff --git a/contents/istio/README.md b/contents/istio/README.md index fe35fd9d..92808c7a 100644 --- a/contents/istio/README.md +++ b/contents/istio/README.md @@ -1,5 +1,12 @@ # [Istio](https://istio.io/) +An Istio service mesh is logically split into a **data plane** and a **control plane**. + +- The **data plane** is composed of a set of intelligent proxies ([Envoy](https://www.envoyproxy.io/)) deployed as sidecars. These proxies mediate and control all network communication between microservices. They also collect and report telemetry on all mesh traffic. +- The **control plane** manages and configures the proxies to route traffic. + +![](https://istio.io/latest/docs/ops/deployment/architecture/arch.svg) + *A service mesh is a dedicated infrastructure layer that you can add to your applications. It allows you to transparently add capabilities like observability, traffic management, and security, without adding them to your own code. The term “service mesh” describes both the type of software you use to implement this pattern, and the security or network domain that is created when you use that software.* @@ -7,142 +14,268 @@ Istio uses [Envoy](https://www.envoyproxy.io/), *AN OPEN SOURCE EDGE AND SERVICE PROXY, DESIGNED FOR CLOUD-NATIVE APPLICATIONS*, proxy as its data plane. ## [Getting Started](https://istio.io/latest/docs/setup/getting-started/) -**If you test on your local cluster, pleasee use docker-desktop (or minikube).** (Not confirmed on a kind cluster) +### Prepare Kubernetes Cluster -### [Install Istio](https://istio.io/latest/docs/setup/getting-started/#bookinfo) - -``` -curl -L https://istio.io/downloadIstio | sh - -cd istio-1.12.2 -export PATH=$PWD/bin:$PATH -istioctl install --set profile=demo -y -``` +**If you test on your local cluster, pleasee use docker-desktop, minikube, or kind.** -
Result +kind cluster: ``` -✔ Istio core installed -✔ Istiod installed -✔ Egress gateways installed -✔ Ingress gateways installed -✔ Installation complete Making this installation the default for injection and validation. - -Thank you for installing Istio 1.12. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/FegQbc9UvePd4Z9z7 +kind create cluster --config=kind-config.yaml ``` -
+### [Install Istio](https://istio.io/latest/docs/setup/getting-started/#bookinfo) -Add a namespace label to instruct Istio to automatically inject Envoy sidecar proxies when you deploy your application later: +1. Install `istioctl` (you can skip this step if you already installed `istioctl`) -``` -kubectl label namespace default istio-injection=enabled -``` + ``` + curl -L https://istio.io/downloadIstio | sh - + export PATH="$PATH:/Users/m.naka/repos/nakamasato/kubernetes-training/contents/istio/istio-1.18.2/bin" + ``` -### [Deploy the sample application](https://istio.io/latest/docs/setup/getting-started/#bookinfo) + Check istioctl version -Deploy sample app. + ``` + istioctl version + no ready Istio pods in "istio-system" + 1.18.2 + ``` -``` -kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -``` +1. Install istio -Envoy sider is added to all pods. + ``` + istioctl install --set profile=demo -y + ``` -``` -kubectl get po -NAME READY STATUS RESTARTS AGE -details-v1-79f774bdb9-ctf75 2/2 Running 0 28s -productpage-v1-6b746f74dc-7zgpg 2/2 Running 0 28s -ratings-v1-b6994bb9-rw74b 2/2 Running 0 28s -reviews-v1-545db77b95-t6gkl 2/2 Running 0 28s -reviews-v2-7bf8c9648f-n9tmq 2/2 Running 0 28s -reviews-v3-84779c7bbc-tmzlr 2/2 Running 0 28s -``` +
Result -Verify app is running. + ``` + ✔ Istio core installed + ✔ Istiod installed + ✔ Ingress gateways installed + ✔ Egress gateways installed + ✔ Installation complete + Making this installation the default for injection and validation. + ``` -``` -kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o ".*" +
-Simple Bookstore App -``` + `istio-egressgateway`, `istio-ingressgateway`, and `istiod` are deployed in `istio-system` namespace: -### [Open the app to outside traffic](https://istio.io/latest/docs/setup/getting-started/#ip) + ``` + kubectl get po -n istio-system + NAME READY STATUS RESTARTS AGE + istio-egressgateway-6c4796c98-4q45f 1/1 Running 0 2m48s + istio-ingressgateway-d94b4444b-v4tbq 1/1 Running 0 2m48s + istiod-85669db8fd-5lz4s 1/1 Running 0 2m58s + ``` -Istio Gateway -``` -kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml -``` +1. Add a namespace label to instruct Istio to automatically inject Envoy sidecar proxies when you deploy your application later: -Check -``` -istioctl analyze -✔ No validation issues found when analyzing namespace: default. -``` + ``` + kubectl label namespace default istio-injection=enabled + ``` -Check ingress gateway + Check labels -``` -kubectl get svc istio-ingressgateway -n istio-system -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -istio-ingressgateway LoadBalancer 10.103.34.38 localhost 15021:31476/TCP,80:31411/TCP,443:32714/TCP,31400:30467/TCP,15443:30550/TCP 44m -``` + ``` + kubectl get ns default --show-labels + NAME STATUS AGE LABELS + default Active 4m57s istio-injection=enabled,kubernetes.io/metadata.name=default + ``` -Set ingress ip and ports: - -``` -export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}') -export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}') -export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}') -``` - -Docker for Desktop: - -``` -export INGRESS_HOST=127.0.0.1 -``` - -Check - -``` -echo "$GATEWAY_URL" -127.0.0.1:80 -``` - -``` -echo "http://$GATEWAY_URL/productpage" -http://127.0.0.1:80/productpage -``` - -Open http://127.0.0.1:80/productpage on 
your browser: +### [Deploy the sample application](https://istio.io/latest/docs/setup/getting-started/#bookinfo) -![](docs/sample-app.png) +1. Deploy sample app + + ``` + kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.18/samples/bookinfo/platform/kube/bookinfo.yaml + ``` + + Deployed resources: + + 1. `Deployment`: `details-v1`, `ratings-v1`, `reviews-v1`, `reviews-v2`, `reviews-v3`, `productpage-v1` + 1. `Service`: `details`, `ratings`, `reviews`, `productpage` + 1. `ServiceAccount`: `bookinfo-details`, `bookinfo-ratings`, `bookinfo-reviews`, `bookinfo-productpage` + +
+ + ``` + service/details created + serviceaccount/bookinfo-details created + deployment.apps/details-v1 created + service/ratings created + serviceaccount/bookinfo-ratings created + deployment.apps/ratings-v1 created + service/reviews created + serviceaccount/bookinfo-reviews created + deployment.apps/reviews-v1 created + deployment.apps/reviews-v2 created + deployment.apps/reviews-v3 created + service/productpage created + serviceaccount/bookinfo-productpage created + deployment.apps/productpage-v1 created + ``` + +
+ + Envoy sider is added to all pods (2 containers are running in each pod). + + ``` + kubectl get po + NAME READY STATUS RESTARTS AGE + details-v1-79f774bdb9-ctf75 2/2 Running 0 28s + productpage-v1-6b746f74dc-7zgpg 2/2 Running 0 28s + ratings-v1-b6994bb9-rw74b 2/2 Running 0 28s + reviews-v1-545db77b95-t6gkl 2/2 Running 0 28s + reviews-v2-7bf8c9648f-n9tmq 2/2 Running 0 28s + reviews-v3-84779c7bbc-tmzlr 2/2 Running 0 28s + ``` + + + + **If you deploy to another namespace, Envoy sidecar container will not be injected.** + +1. Verify app is running. + + ``` + kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o ".*" + + Simple Bookstore App + ``` + +### [Open the app to outside traffic](https://istio.io/latest/docs/setup/getting-started/#ip) (Gateway & VirtualService) + +1. Istio Gateway (`Gateway` and `VirtualService`) + + ``` + kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.18/samples/bookinfo/networking/bookinfo-gateway.yaml + ``` + +
yaml details + + + ```yaml + apiVersion: networking.istio.io/v1alpha3 + kind: Gateway + metadata: + name: bookinfo-gateway + spec: + # The selector matches the ingress gateway pod labels. + # If you installed Istio using Helm following the standard documentation, this would be "istio=ingress" + selector: + istio: ingressgateway # use istio default controller + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + --- + apiVersion: networking.istio.io/v1alpha3 + kind: VirtualService + metadata: + name: bookinfo + spec: + hosts: + - "*" + gateways: + - bookinfo-gateway + http: + - match: + - uri: + exact: /productpage + - uri: + prefix: /static + - uri: + exact: /login + - uri: + exact: /logout + - uri: + prefix: /api/v1/products + route: + - destination: + host: productpage + port: + number: 9080 + ``` + + +
+ +1. Check + ``` + istioctl analyze + ✔ No validation issues found when analyzing namespace: default. + ``` + +1. Check ingress gateway + + ``` + kubectl get svc istio-ingressgateway -n istio-system + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + istio-ingressgateway LoadBalancer 10.103.34.38 localhost 15021:31476/TCP,80:31411/TCP,443:32714/TCP,31400:30467/TCP,15443:30550/TCP 44m + ``` + +1. Set ingress ip and ports: + + Most platforms: + + ``` + export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}') + export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}') + ``` + + Docker Desktop or Kind: + + ``` + export INGRESS_HOST=127.0.0.1 + ``` + + ``` + export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT + ``` + + Check + + ``` + echo "$GATEWAY_URL" + 127.0.0.1:80 + ``` + +1. Open http://127.0.0.1:80/productpage on your browser: + + ![](docs/sample-app.png) ### [View the dashboard](https://istio.io/latest/docs/setup/getting-started/#dashboard) -Install [kiali](https://istio.io/latest/docs/ops/integrations/kiali/) dashboard +1. Install [kiali](https://istio.io/latest/docs/ops/integrations/kiali/) dashboard -``` -kubectl apply -f samples/addons -kubectl rollout status deployment/kiali -n istio-system -``` + ``` + for f in https://raw.githubusercontent.com/istio/istio/release-1.18/samples/addons/{grafana,jaeger,kiali,loki,prometheus}.yaml; do kubectl apply -f $f; done + kubectl rollout status deployment/kiali -n istio-system + ``` -Open dashboard +1. Open dashboard -``` -istioctl dashboard kiali -``` + ``` + istioctl dashboard kiali + ``` -The traffic is visualized in the graph. + The traffic is visualized in the graph. 
-![](docs/kiali.png) + ![](docs/kiali.png) ### Cleanup -``` -kubectl delete -f samples/addons -istioctl manifest generate --set profile=demo | kubectl delete --ignore-not-found=true -f - +```bash +for f in https://raw.githubusercontent.com/istio/istio/release-1.18/samples/addons/{grafana,jaeger,kiali,loki,prometheus}.yaml; do kubectl delete -f $f; done # delete kilia +kubectl delete -f https://raw.githubusercontent.com/istio/istio/release-1.18/samples/bookinfo/networking/bookinfo-gateway.yaml # delete gateway +kubectl delete -f kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.18/samples/bookinfo/platform/kube/bookinfo.yaml # delete application +istioctl manifest generate --set profile=demo | kubectl delete --ignore-not-found=true -f - # delete istio istioctl tag remove default ``` @@ -150,3 +283,7 @@ istioctl tag remove default kubectl delete namespace istio-system kubectl label namespace default istio-injection- ``` + +## Ref + +1. [How to install kind and istio ingress controller](https://medium.com/@s4l1h/how-to-install-kind-and-istio-ingress-controller-3b510834c762) diff --git a/contents/istio/docs/kiali.png b/contents/istio/docs/kiali.png index a456bc2f..4d87722f 100644 Binary files a/contents/istio/docs/kiali.png and b/contents/istio/docs/kiali.png differ diff --git a/contents/istio/kind-config.yaml b/contents/istio/kind-config.yaml new file mode 100644 index 00000000..89ded6b2 --- /dev/null +++ b/contents/istio/kind-config.yaml @@ -0,0 +1,17 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +nodes: + - role: control-plane + kubeadmConfigPatches: + - | + kind: InitConfiguration + nodeRegistration: + kubeletExtraArgs: + node-labels: "ingress-ready=true" + extraPortMappings: + - containerPort: 80 + hostPort: 80 + protocol: TCP + - containerPort: 443 + hostPort: 443 + protocol: TCP diff --git a/readme.yml b/readme.yml index 4db597eb..e08fe554 100644 --- a/readme.yml +++ b/readme.yml 
@@ -64,7 +64,7 @@ versions: repoUrl: https://github.com/open-policy-agent/conftest category: CI/CD - name: Istio - version: 1.12.2 + version: 1.18.2 repoUrl: https://github.com/istio/istio category: Service Proxy, Discovery, and, Mesh - name: Postgres Operator
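Review bot: In the Cleanup block of contents/istio/README.md, the line `kubectl delete -f kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.18/samples/bookinfo/platform/kube/bookinfo.yaml` has a stray `kubectl apply -f` pasted into it, so the command is malformed and will not remove the bookinfo application as its comment says. Drop the extra words so it reads `kubectl delete -f https://...`. In the install step, `export PATH="$PATH:/Users/m.naka/repos/nakamasato/kubernetes-training/contents/istio/istio-1.18.2/bin"` hard-codes a path on the author's machine. The removed `cd istio-1.12.2` followed by `export PATH=$PWD/bin:$PATH` was portable and should be kept with the new directory name. `curl -L https://istio.io/downloadIstio | sh -` also fetches whatever release is current, so add `ISTIO_VERSION=1.18.2` before `sh -` to match the version the README and readme.yml state. In the "Docker Desktop or Kind" branch only `INGRESS_HOST` is exported, so a reader who skips the "Most platforms" block ends up with an empty `INGRESS_PORT` and `GATEWAY_URL` becomes `127.0.0.1:`. Export the port in that branch too. The manifests are applied straight from the `release-1.18` branch on raw.githubusercontent.com, which is a mutable ref. Pinning the URLs to the tag or commit that matches 1.18.2 keeps the tutorial reproducible and avoids applying content that changed after review. Typos to fix while here: "pleasee", "Envoy sider", and "delete kilia".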
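Review bot: In contents/istio/kind-config.yaml, neither `extraPortMappings` entry sets `listenAddress`, and kind's default bind address is 0.0.0.0, so host ports 80 and 443 are published on every interface of the workstation while the Gateway shown in the README accepts `hosts: "*"` over plain HTTP. For a local tutorial, add `listenAddress: "127.0.0.1"` to both mappings. Separately, the README has no step that makes `istio-ingressgateway` listen on node port 80 (the Service output it shows is `80:31411/TCP`, a NodePort), so the mapping `containerPort: 80` to `hostPort: 80` may not reach the gateway on kind. Either document the step from the referenced article that connects the two, or note that the `http://127.0.0.1:80/productpage` check was only confirmed on Docker Desktop.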