Enabling optional features

When you install Anthos Service Mesh, you specify the Anthos Service Mesh configuration profile, which enables the Supported default features listed on the Supported features page. The Anthos Service Mesh configuration profiles, asm.yaml and asm-onprem.yaml, are located in the install/kubernetes/operator/profiles subdirectory within the Anthos Service Mesh installation's root directory. The configuration profiles define and configure the features that are installed with Anthos Service Mesh.

You can override the Anthos Service Mesh configuration profile and enable supported optional features individually on the command line by using --set values. Alternatively, if you have many features to enable or a feature has numerous settings, you can create an IstioControlPlane custom resource definition file and pass it to istioctl with the -f option. For more information, see Customizing the configuration.

When you enable optional features:

  • Make sure the feature that you enable is supported.

  • Specify the applicable configuration profile for your platform:

    • For Google Kubernetes Engine, use --set profile=asm
    • For GKE on VMware, use --set profile=asm-onprem

Command-line options to enable optional features

The following list provides the command-line options to enable optional and supported features.

  • mTLS STRICT mode:

    --set values.global.mtls.enabled=true

  • Prometheus:

    --set values.prometheus.enabled=true

  • Grafana (which requires Prometheus):

    --set values.prometheus.enabled=true \
    --set values.grafana.enabled=true

  • Direct Envoy access logs to stdout:

    --set values.global.proxy.accessLogFile="/dev/stdout"

    For more information, see Enable Envoy's access logging.

  • Stackdriver tracing:

    --set values.tracing.enabled=true \
    --set values.global.proxy.tracer="stackdriver"

  • Egress via egress gateways:

    --set values.gateways.istio-egressgateway.enabled=true

    For more information, see Gateway.
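As an added example (not from the Anthos Service Mesh documentation or from istioctl itself), the following Python script converts a chain of --set overrides like those listed above into the equivalent IstioControlPlane custom resource that the -f option accepts, and checks whether the resulting resource actually switches mTLS to STRICT mode. The sample command, project, cluster and location values are constructed; the script assumes the separated --set key=value form used on this page (not --set=key=value) and no bracketed list indexes in keys.

```python
import json
import shlex

def parse_set_flags(command):
    """Return the key=value text of every `--set` flag in an istioctl command."""
    tokens = shlex.split(command.replace("\\\n", " "))  # join line continuations
    overrides, it = [], iter(tokens)
    for tok in it:
        if tok == "--set":  # the page uses only the separated form, not --set=k=v
            overrides.append(next(it))
    return overrides

def coerce(raw):
    """istioctl reads unquoted true/false and integers as typed values."""
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw) if raw.isdigit() else raw

def overrides_to_control_plane(overrides):
    """Nest dotted --set keys under spec: profile=asm -> spec.profile, values.a.b=c
    -> spec.values.a.b (a hyphenated key like istio-egressgateway is one element)."""
    cr = {"apiVersion": "install.istio.io/v1alpha2", "kind": "IstioControlPlane", "spec": {}}
    for item in overrides:
        key, _, value = item.partition("=")
        *parents, leaf = key.split(".")
        node = cr["spec"]
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = coerce(value)
    return cr

def strict_mtls_enabled(cr):
    """True only when the overrides explicitly switch mTLS to STRICT mode."""
    glob = cr["spec"].get("values", {}).get("global", {})
    return glob.get("mtls", {}).get("enabled") is True

def to_yaml(node, indent=0):
    """Minimal YAML emitter; scalars are JSON-encoded (valid YAML, quotes '|' and ':')."""
    pad, lines = "  " * indent, []
    for key, val in node.items():
        if isinstance(val, dict):
            lines.append(f"{pad}{key}:")
            lines.extend(to_yaml(val, indent + 1))
        else:
            lines.append(f"{pad}{key}: {json.dumps(val)}")
    return lines

# Constructed sample: the page's STRICT-mode GKE command, env vars expanded to made-up values.
SAMPLE = """istioctl manifest apply --set profile=asm \\
--set values.global.proxy.env.GCP_METADATA="example-proj|123456|demo-cluster|us-central1-a" \\
--set values.gateways.istio-egressgateway.enabled=true \\
--set values.global.mtls.enabled=true"""
```

Printing "\n".join(to_yaml(overrides_to_control_plane(parse_set_flags(SAMPLE)))) yields a file you can review and pass with -f instead of the long command line.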

Examples

The commands to install Anthos Service Mesh on GKE use the following environment variables:

  • Set your Google Cloud project ID:

    export PROJECT_ID=YOUR_PROJECT_ID

  • Set the project number:

    export PROJECT_NUMBER=$(gcloud projects describe ${PROJECT_ID} --format="value(projectNumber)")

  • Set the cluster name:

    export CLUSTER_NAME=YOUR_CLUSTER_NAME

  • Set CLUSTER_LOCATION to either your cluster zone or cluster region:

    export CLUSTER_LOCATION=YOUR_ZONE_OR_REGION

  • Set the workload pool:

    export WORKLOAD_POOL=${PROJECT_ID}.svc.id.goog

  • Set the mesh ID, which is required for metrics to be displayed on the Anthos Service Mesh pages in the Google Cloud console:

    export MESH_ID="proj-${PROJECT_NUMBER}"

Enable the egress gateway

To install Anthos Service Mesh in PERMISSIVE mutual TLS (mTLS) authentication mode and enable the egress gateway:

GKE

istioctl manifest apply --set profile=asm \
--set values.global.trustDomain=${WORKLOAD_POOL} \
--set values.global.sds.token.aud=${WORKLOAD_POOL} \
--set values.nodeagent.env.GKE_CLUSTER_URL=https://container.googleapis.com/v1/projects/${PROJECT_ID}/locations/${CLUSTER_LOCATION}/clusters/${CLUSTER_NAME} \
--set values.global.meshID=${MESH_ID} \
--set values.global.proxy.env.GCP_METADATA="${PROJECT_ID}|${PROJECT_NUMBER}|${CLUSTER_NAME}|${CLUSTER_LOCATION}" \
--set values.gateways.istio-egressgateway.enabled=true

GKE on-prem

istioctl manifest apply --set profile=asm-onprem \
--set values.gateways.istio-egressgateway.enabled=true

Enable STRICT mTLS mode

To install Anthos Service Mesh in STRICT mTLS mode:

GKE

istioctl manifest apply --set profile=asm \
--set values.global.trustDomain=${WORKLOAD_POOL} \
--set values.global.sds.token.aud=${WORKLOAD_POOL} \
--set values.nodeagent.env.GKE_CLUSTER_URL=https://container.googleapis.com/v1/projects/${PROJECT_ID}/locations/${CLUSTER_LOCATION}/clusters/${CLUSTER_NAME} \
--set values.global.meshID=${MESH_ID} \
--set values.global.proxy.env.GCP_METADATA="${PROJECT_ID}|${PROJECT_NUMBER}|${CLUSTER_NAME}|${CLUSTER_LOCATION}" \
--set values.global.mtls.enabled=true

GKE on-prem

istioctl manifest apply --set profile=asm-onprem \
--set values.global.mtls.enabled=true

Enable an internal load balancer

For installations on GKE, you can enable an internal load balancer for the Istio ingress gateway. Internal load balancers aren't supported for GKE on VMware. For information on configuring GKE on VMware, see Setting up your load balancer for GKE on VMware.

  1. Copy the following text to a file and save it as ilb.yaml:

    apiVersion: install.istio.io/v1alpha2
    kind: IstioControlPlane
    spec:
      values:
        gateways:
          istio-ingressgateway:
            serviceAnnotations:
              cloud.google.com/load-balancer-type: internal
            ports:
              - name: status-port
                port: 15020
              - name: http2
                port: 80
              - name: https
                port: 443
    
  2. Specify the file on the command line:

    istioctl manifest apply --set profile=asm \
    --set values.global.trustDomain=${WORKLOAD_POOL} \
    --set values.global.sds.token.aud=${WORKLOAD_POOL} \
    --set values.nodeagent.env.GKE_CLUSTER_URL=https://container.googleapis.com/v1/projects/${PROJECT_ID}/locations/${CLUSTER_LOCATION}/clusters/${CLUSTER_NAME} \
    --set values.global.meshID=${MESH_ID} \
    --set values.global.proxy.env.GCP_METADATA="${PROJECT_ID}|${PROJECT_NUMBER}|${CLUSTER_NAME}|${CLUSTER_LOCATION}" \
    -f ilb.yaml