A new version of Anthos clusters on AWS (GKE on AWS) was released on December 17. See the release notes for more information.

Enabling ingress with Anthos Service Mesh

This topic shows you how to install Anthos Service Mesh, which comes preinstalled with an Ingress Gateway. With Anthos Service Mesh, you can configure a Kubernetes Ingress resource for your Deployments if you need an Ingress controller. This topic provides an example that shows you how to configure a sample Deployment and Ingress resource.

Before you begin

Before you start using Anthos clusters on AWS, make sure you have performed the following tasks:

  • Install a management service.
  • Create a user cluster.

  • If your user clusters have restricted outbound access to the internet, allow access to the following container repository domains:

    • docker.io
    • quay.io

    If you do not want to allow outbound access to these domains, see Installing without Prometheus and Kiali.

  • Use kubectl config use context to switch context to your user cluster:

    kubectl config use-context CLUSTER_NAME

Set up your environment

You need the following tools on the machine you want to install Anthos Service Mesh from. Note that you can install Anthos Service Mesh only on a user cluster, not an admin cluster.

  • The curl command-line tool.
  • The Cloud SDK (the gcloud command-line tool).

After installing the Cloud SDK:

  1. Authenticate with the Cloud SDK:

    gcloud auth login

  2. Update the components:

    gcloud components update

  3. Install kubectl:

    gcloud components install kubectl

  4. If you want to deploy and test your installation with the Online Boutique sample application, install kpt:

    gcloud components install kpt

  5. Switch context to your user cluster:

    kubectl config use-context CLUSTER_NAME

  6. Grant cluster admin permissions to your user account (your Google Cloud login email address). You need these permissions to create the necessary role based access control (RBAC) rules for Anthos Service Mesh:

    kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=USER_ACCOUNT

Downloading the installation file

  1. Download the Anthos Service Mesh installation file to your current working directory:

    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.7.3-asm.6-linux-amd64.tar.gz

  2. Download the signature file and use openssl to verify the signature:

    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.7.3-asm.6-linux-amd64.tar.gz.1.sig
openssl dgst -verify - -signature istio-1.7.3-asm.6-linux-amd64.tar.gz.1.sig istio-1.7.3-asm.6-linux-amd64.tar.gz <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
-----END PUBLIC KEY-----
EOF

    The expected output is: Verified OK

  3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:

    tar xzf istio-1.7.3-asm.6-linux-amd64.tar.gz

    The command creates an installation directory in your current working directory named istio-1.7.3-asm.6. The istio-1.7.3-asm.6/bin directory contains the istioctl command-line tool that you use to install Anthos Service Mesh.

  4. Ensure that you're in the Anthos Service Mesh installation's root directory.

    cd istio-1.7.3-asm.6

  5. For convenience, add the /bin directory to your PATH:

    export PATH=$PWD/bin:$PATH

Create the istio-system namespace

Create a namespace called istio-system for the control plane components:

kubectl create namespace istio-system

Configure the validating webhook

When you install Anthos Service Mesh, you set a revision label on istiod. You need to set the same revision on the validating webhook.

Copy the following YAML to a file called istiod-service.yaml:

apiVersion: v1
kind: Service
metadata:
  name: istiod
  namespace: istio-system
  labels:
    istio.io/rev: asm-173-6
    app: istiod
    istio: pilot
    release: istio
spec:
  ports:
    - port: 15010
      name: grpc-xds # plaintext
      protocol: TCP
    - port: 15012
      name: https-dns # mTLS with k8s-signed cert
      protocol: TCP
    - port: 443
      name: https-webhook # validation and injection
      targetPort: 15017
      protocol: TCP
    - port: 15014
      name: http-monitoring # prometheus stats
      protocol: TCP
  selector:
    app: istiod
    istio.io/rev: asm-173-6

Installing Anthos Service Mesh

This section explains how to install Anthos Service Mesh on your user cluster, which enables the Supported default features listed on the Supported features page for the asm-multicloud profile. You can choose to enable Ingress for the public subnet or the private subnet.

Public

  1. Install Anthos Service Mesh:

    istioctl install \
  --set profile=asm-multicloud \
  --set revision=asm-173-6

    The --set revision argument adds a revision label in the format istio.io/rev=asm-173-6 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.

  2. Configure the validating webhook so that it can locate the istiod service with the revision label:

    kubectl apply -f istiod-service.yaml

    This command creates a service entry that lets the validating webhook automatically check configurations before they are applied.

Private

In the following, you add the service.beta.kubernetes.io/aws-load-balancer-internal annotation to all services that Anthos Service Mesh creates. When this annotation is present, Anthos clusters on AWS creates private Ingress services.

  1. Save the following YAML to a file called istio-operator-internal-lb.yaml:

    apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
    - enabled: true
      k8s:
        serviceAnnotations:
          service.beta.kubernetes.io/aws-load-balancer-internal: "true"

  2. Install Anthos Service Mesh:

    istioctl install \
 --set profile=asm-multicloud \
 --set revision=asm-173-6 \
 -f istio-operator-internal-lb.yaml

    The --set revision argument adds a revision label in the format istio.io/rev=asm-173-6 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.

  3. Configure the validating webhook so that it can locate the istiod service with the revision label:

    kubectl apply -f istiod-service.yaml

    This command creates a service entry that lets the validating webhook automatically check configurations before they are applied.

Installing without Prometheus and Kiali

By default in Anthos Service Mesh 1.7 and earlier, Anthos Service Mesh installs Prometheus and Kiali from their original package repositories at docker.io and quay.io. If you don't want to install these tools or allow connections to these repositories, pass -set addonComponents.prometheus.enabled=false and --set addonComponents.kiali.enabled=false to istioctl install. For example, use the following command to exclude Prometheus and Kiali from the public subnet installation installation.

  istioctl install \
    --set profile=asm-multicloud \
    --set addonComponents.prometheus.enabled=false \
    --set addonComponents.kiali.enabled=false \
    --revision=asm-173-6

Check the control plane components

Check that the control plane pods in istio-system are up:

kubectl get pod -n istio-system

Expected output is similar to the following:

NAME                                      READY   STATUS      RESTARTS   AGE
istio-ingressgateway-74cc894bfd-786rg     1/1     Running     0          7m19s
istiod-78cdbbbdb-d7tps                    1/1     Running     0          7m36s
promsd-576b8db4d6-lqf64                   2/2     Running     1          7m19s

Creating your service mesh

You have now installed the Anthos Service Mesh control plane with the preinstalled Ingress Gateway. If you only need ingress functionality using an Ingress controller, you are ready to install applications on your cluster. See the next section, Creating an example Deployment, which shows how to do configure an Ingress resource.

If you want to take advantage of all the features that Anthos Service Mesh provides, continue with the next phase of the installation, Injecting sidecar proxies in the Anthos Service Mesh documentation. The communication between the sidecar proxies and the Anthos Service Mesh control plane creates the service mesh for your workloads.

Creating an example Deployment

In this section, you install a sample application and create an Ingress endpoint for it.

  1. Create a Deployment of hello-app and a ClusterIP for the deployment. Copy the following YAML into a file named hello-app.yaml.

    apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: hello-app
  name: hello-app
spec:
  selector:
    matchLabels:
      app: hello-app
  replicas: 3
  template:
    metadata:
      labels:
        app: hello-app
    spec:
      containers:
      - name: hello
        image: "gcr.io/google-samples/hello-app:2.0"
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hello-app
  name: hello-app
spec:
  type: ClusterIP
  selector:
    app: hello-app
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 8080

  2. Apply the YAML to your cluster with kubectl apply.

    env HTTP_PROXY=http://localhost:8118 \
  kubectl apply -f hello-app.yaml

  3. Create a Kubernetes Ingress for the sample application. Copy the following YAML into a file named hello-app-ingress.yaml

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio
  labels:
    app: hello-app
  name: hello-app
spec:
  rules:
  - host:
    http:
      paths:
      - backend:
          serviceName: hello-app
          servicePort: 8080

  4. Create the Ingress by applying the configuration with kubectl apply.

    env HTTP_PROXY=http://localhost:8118 \
  kubectl apply -f hello-app-ingress.yaml

  5. Check the status of your gateway with kubectl get svc.

    env HTTP_PROXY=http://localhost:8118 \
  kubectl get ingress hello-app

    The ADDRESS field should have an ELB domain name. If the ADDRESS remains pending, confirm your VPC and Subnet labeling.

  6. You can check the Ingress gateway URL by composing the host and port. To get your gateway URL, perform the following commands:

    export INGRESS_URL=$(env HTTP_PROXY=http://localhost:8118 \
kubectl get ingress hello-app -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
echo "Your hello-app ingress URL is: http://"$INGRESS_URL

    The last command prints the endpoint of your Ingress.

  7. If you created a public Ingress, you can view the hello-app default web page in curl by visiting http://$INGRESS_URL/.

    curl $INGRESS_URL/

Cleaning up

You remove the hello-app components with kubectl delete.

env HTTP_PROXY=http://localhost:8118 \
  kubectl delete -f hello-app.yaml &&\
  kubectl delete -f hello-app-ingress.yaml

If you would like to remove Anthos Service Mesh, see Uninstalling Anthos Service Mesh.

What's next

Learn more about: