This topic shows you how to install Anthos Service Mesh, which comes preinstalled with an Ingress Gateway. With Anthos Service Mesh, you can configure a Kubernetes Ingress resource for your Deployments if you need an Ingress controller. This topic provides an example that shows you how to configure a sample Deployment and Ingress resource.
Before you begin
Before you start using Anthos clusters on AWS, make sure you have performed the following tasks:
- Complete the Prerequisites.
- Install a management service.
- Create a user cluster.
If your user clusters have restricted outbound access to the internet, allow access to the following container repository domains:
docker.io
quay.io
If you do not want to allow outbound access to these domains, see Installing without Prometheus and Kiali.
Use kubectl config use-context to switch context to your user cluster:
kubectl config use-context CLUSTER_NAME
Set up your environment
You need the following tools on the machine you want to install Anthos Service Mesh from. Note that you can install Anthos Service Mesh only on a user cluster, not an admin cluster.
- The curl command-line tool.
- The Cloud SDK (the gcloud command-line tool).
After installing the Cloud SDK:
Authenticate with the Cloud SDK:
gcloud auth login
Update the components:
gcloud components update
Install kubectl:
gcloud components install kubectl
If you want to deploy and test your installation with the Online Boutique sample application, install kpt:
gcloud components install kpt
Switch context to your user cluster:
kubectl config use-context CLUSTER_NAME
Grant cluster admin permissions to your user account (your Google Cloud login email address). You need these permissions to create the necessary role-based access control (RBAC) rules for Anthos Service Mesh:
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=USER_ACCOUNT
Downloading the installation file
Download the Anthos Service Mesh installation file to your current working directory:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.7.3-asm.6-linux-amd64.tar.gz
Download the signature file and use openssl to verify the signature:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.7.3-asm.6-linux-amd64.tar.gz.1.sig
openssl dgst -verify - -signature istio-1.7.3-asm.6-linux-amd64.tar.gz.1.sig istio-1.7.3-asm.6-linux-amd64.tar.gz <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
-----END PUBLIC KEY-----
EOF
The expected output is:
Verified OK
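The check above is what stops a tampered or truncated download from being extracted and run. The following added example (not from this page or from Google) reproduces the same openssl dgst -verify flow offline with a throwaway P-256 key pair generated on the spot, so you can see both the "Verified OK" case and what happens when a single byte of the archive changes. The key, the archive contents and the file names are constructed stand-ins; the real check uses Google's published public key and the .sig file from storage.googleapis.com.

```shell
#!/bin/sh
# Added example: exercise the "openssl dgst -verify" check from the install
# steps with a constructed key pair and archive, so the pass and fail cases
# can be observed without network access.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed EC P-256 signing key pair (stand-in for the release signing key).
openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/release.key" 2>/dev/null
openssl ec -in "$WORKDIR/release.key" -pubout -out "$WORKDIR/release.pub" 2>/dev/null

# Constructed "archive" standing in for istio-1.7.3-asm.6-linux-amd64.tar.gz,
# signed with SHA-256 the way the published .sig files are consumed.
printf 'constructed archive contents\n' > "$WORKDIR/archive.tar.gz"
openssl dgst -sha256 -sign "$WORKDIR/release.key" \
  -out "$WORKDIR/archive.tar.gz.sig" "$WORKDIR/archive.tar.gz"

# verify_archive ARCHIVE SIGNATURE PUBKEY_FILE
# Same shape as the documented command: the public key is fed on stdin
# ("-verify -") and the digest is SHA-256 (openssl's default for dgst).
# Prints "ok" when the signature matches and "tampered" otherwise.
verify_archive() {
  if openssl dgst -sha256 -verify - -signature "$2" "$1" < "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo tampered
  fi
}

# The untouched archive verifies ...
GOOD=$(verify_archive "$WORKDIR/archive.tar.gz" "$WORKDIR/archive.tar.gz.sig" "$WORKDIR/release.pub")

# ... and appending a single byte to the download makes the check fail,
# which is exactly the case a verification step is there to catch.
cp "$WORKDIR/archive.tar.gz" "$WORKDIR/tampered.tar.gz"
printf 'x' >> "$WORKDIR/tampered.tar.gz"
BAD=$(verify_archive "$WORKDIR/tampered.tar.gz" "$WORKDIR/archive.tar.gz.sig" "$WORKDIR/release.pub")

echo "untouched archive: $GOOD, modified archive: $BAD"
```

Only proceed to tar xzf when the verification step prints Verified OK; a script that downloads and extracts the archive should treat a non-zero exit from openssl as fatal rather than continuing.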
Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
tar xzf istio-1.7.3-asm.6-linux-amd64.tar.gz
The command creates an installation directory in your current working directory named istio-1.7.3-asm.6. The istio-1.7.3-asm.6/bin directory contains the istioctl command-line tool that you use to install Anthos Service Mesh.
Ensure that you're in the Anthos Service Mesh installation's root directory:
cd istio-1.7.3-asm.6
For convenience, add the /bin directory to your PATH:
export PATH=$PWD/bin:$PATH
Create the istio-system namespace
Create a namespace called istio-system for the control plane components:
kubectl create namespace istio-system
Configure the validating webhook
When you install Anthos Service Mesh, you set a revision label on istiod. You need to set the same revision on the validating webhook.
Copy the following YAML to a file called istiod-service.yaml:
apiVersion: v1
kind: Service
metadata:
  name: istiod
  namespace: istio-system
  labels:
    istio.io/rev: asm-173-6
    app: istiod
    istio: pilot
    release: istio
spec:
  ports:
  - port: 15010
    name: grpc-xds # plaintext
    protocol: TCP
  - port: 15012
    name: https-dns # mTLS with k8s-signed cert
    protocol: TCP
  - port: 443
    name: https-webhook # validation and injection
    targetPort: 15017
    protocol: TCP
  - port: 15014
    name: http-monitoring # prometheus stats
    protocol: TCP
  selector:
    app: istiod
    istio.io/rev: asm-173-6
Installing Anthos Service Mesh
This section explains how to install Anthos Service Mesh on your user cluster, which enables the Supported default features listed on the Supported features page for the asm-multicloud profile. You can choose to enable Ingress for the public subnet or the private subnet.
Public
Install Anthos Service Mesh:
istioctl install \
--set profile=asm-multicloud \
--set revision=asm-173-6
The --set revision argument adds a revision label in the format istio.io/rev=asm-173-6 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.
Configure the validating webhook so that it can locate the istiod service with the revision label:
kubectl apply -f istiod-service.yaml
This command creates a service entry that lets the validating webhook automatically check configurations before they are applied.
Private
In the following, you add the service.beta.kubernetes.io/aws-load-balancer-internal annotation to all services that Anthos Service Mesh creates. When this annotation is present, Anthos clusters on AWS creates private Ingress services.
Save the following YAML to a file called istio-operator-internal-lb.yaml:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
    - enabled: true
      k8s:
        serviceAnnotations:
          service.beta.kubernetes.io/aws-load-balancer-internal: "true"
Install Anthos Service Mesh:
istioctl install \
--set profile=asm-multicloud \
--set revision=asm-173-6 \
-f istio-operator-internal-lb.yaml
The --set revision argument adds a revision label in the format istio.io/rev=asm-173-6 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.
Configure the validating webhook so that it can locate the istiod service with the revision label:
kubectl apply -f istiod-service.yaml
This command creates a service entry that lets the validating webhook automatically check configurations before they are applied.
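Both the public and the private installation paths above depend on one invariant: the value given to --set revision must be the same istio.io/rev value used in the labels and selector of istiod-service.yaml, otherwise the Service selects no istiod pod and the validating webhook cannot reach the control plane. The following added example (not from this page or from the Anthos Service Mesh tooling) is a small pre-apply check that extracts every istio.io/rev value from the Service manifest and compares it with the revision you intend to install. The manifest is a constructed copy of the page's istiod-service.yaml, and asm-999-9 is a constructed stand-in for a stale revision.

```shell
#!/bin/sh
# Added example: check that istiod-service.yaml carries exactly one
# istio.io/rev value and that it equals the revision passed to
# "istioctl install --set revision=...", before running "kubectl apply".
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed copy of the Service manifest from the install steps
# (only the webhook port is kept; the labels and selector are what matter here).
cat > "$WORKDIR/istiod-service.yaml" <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: istiod
  namespace: istio-system
  labels:
    istio.io/rev: asm-173-6
    app: istiod
spec:
  ports:
  - port: 443
    name: https-webhook
    targetPort: 15017
    protocol: TCP
  selector:
    app: istiod
    istio.io/rev: asm-173-6
EOF

# service_revisions FILE: print every istio.io/rev value found in FILE, one per
# line, duplicates removed. The label and the selector should agree, so a
# correct manifest yields exactly one line.
service_revisions() {
  sed -n 's/^[[:space:]]*istio\.io\/rev:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | sort -u
}

# check_revision EXPECTED FILE: succeed only when FILE carries a single
# istio.io/rev value and it equals EXPECTED.
check_revision() {
  revs=$(service_revisions "$2")
  [ "$(printf '%s\n' "$revs" | wc -l)" -eq 1 ] && [ "$revs" = "$1" ]
}

# Matching revision: safe to run "kubectl apply -f istiod-service.yaml".
if check_revision asm-173-6 "$WORKDIR/istiod-service.yaml"; then
  echo "asm-173-6 matches istiod-service.yaml; safe to apply"
fi

# A manifest left over from a different revision (asm-999-9 is constructed)
# is caught before it is applied to the cluster.
if ! check_revision asm-999-9 "$WORKDIR/istiod-service.yaml"; then
  echo "asm-999-9 does not match istiod-service.yaml; do not apply"
fi
```

Run check_revision with the same value you pass to istioctl install, and only apply the manifest when it succeeds; a mismatch is far cheaper to find here than by debugging rejected or silently unvalidated configuration later.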
Installing without Prometheus and Kiali
By default in Anthos Service Mesh 1.7 and earlier, Anthos Service Mesh installs Prometheus and Kiali from their original package repositories at docker.io and quay.io. If you don't want to install these tools or allow connections to these repositories, pass --set addonComponents.prometheus.enabled=false and --set addonComponents.kiali.enabled=false to istioctl install. For example, use the following command to exclude Prometheus and Kiali from the public subnet installation.
istioctl install \
--set profile=asm-multicloud \
--set addonComponents.prometheus.enabled=false \
--set addonComponents.kiali.enabled=false \
--revision=asm-173-6
Check the control plane components
Check that the control plane pods in istio-system are up:
kubectl get pod -n istio-system
Expected output is similar to the following:
NAME                                    READY   STATUS    RESTARTS   AGE
istio-ingressgateway-74cc894bfd-786rg   1/1     Running   0          7m19s
istiod-78cdbbbdb-d7tps                  1/1     Running   0          7m36s
promsd-576b8db4d6-lqf64                 2/2     Running   1          7m19s
Creating your service mesh
You have now installed the Anthos Service Mesh control plane with the preinstalled Ingress Gateway. If you only need ingress functionality using an Ingress controller, you are ready to install applications on your cluster. See the next section, Creating an example Deployment, which shows how to configure an Ingress resource.
If you want to take advantage of all the features that Anthos Service Mesh provides, continue with the next phase of the installation, Injecting sidecar proxies in the Anthos Service Mesh documentation. The communication between the sidecar proxies and the Anthos Service Mesh control plane creates the service mesh for your workloads.
Creating an example Deployment
In this section, you install a sample application and create an Ingress endpoint for it.
Create a Deployment of hello-app and a ClusterIP for the deployment. Copy the following YAML into a file named hello-app.yaml.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: hello-app
  name: hello-app
spec:
  selector:
    matchLabels:
      app: hello-app
  replicas: 3
  template:
    metadata:
      labels:
        app: hello-app
    spec:
      containers:
      - name: hello
        image: "gcr.io/google-samples/hello-app:2.0"
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hello-app
  name: hello-app
spec:
  type: ClusterIP
  selector:
    app: hello-app
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 8080
Apply the YAML to your cluster with kubectl apply.
env HTTP_PROXY=http://localhost:8118 \
kubectl apply -f hello-app.yaml
Create a Kubernetes Ingress for the sample application. Copy the following YAML into a file named hello-app-ingress.yaml.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio
  labels:
    app: hello-app
  name: hello-app
spec:
  rules:
  - host:
    http:
      paths:
      - backend:
          serviceName: hello-app
          servicePort: 8080
Create the Ingress by applying the configuration with kubectl apply.
env HTTP_PROXY=http://localhost:8118 \
kubectl apply -f hello-app-ingress.yaml
Check the status of your Ingress with kubectl get ingress.
env HTTP_PROXY=http://localhost:8118 \
kubectl get ingress hello-app
The ADDRESS field should have an ELB domain name. If the ADDRESS remains pending, confirm your VPC and Subnet labeling.
You can check the Ingress gateway URL by composing the host and port. To get your gateway URL, perform the following commands:
export INGRESS_URL=$(env HTTP_PROXY=http://localhost:8118 \
kubectl get ingress hello-app -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
echo "Your hello-app ingress URL is: http://"$INGRESS_URL
The last command prints the endpoint of your Ingress.
If you created a public Ingress, you can view the hello-app default web page in curl by visiting http://$INGRESS_URL/.
curl $INGRESS_URL/
Cleaning up
You remove the hello-app components with kubectl delete. The HTTP_PROXY setting applies only to the command it precedes, so it is repeated for the second kubectl delete.
env HTTP_PROXY=http://localhost:8118 \
kubectl delete -f hello-app.yaml && \
env HTTP_PROXY=http://localhost:8118 \
kubectl delete -f hello-app-ingress.yaml
If you would like to remove Anthos Service Mesh, see Uninstalling Anthos Service Mesh.
What's next
Learn more about: