Anthos Service Mesh 1.6

Enabling optional features

When you install Anthos Service Mesh, you specify a configuration profile. The configuration profiles are YAML files that define and configure the features that are installed with Anthos Service Mesh. The following profiles are provided with Anthos Service Mesh:

  • asm-gcp: Use this profile if all of your GKE on Google Cloud clusters are in the same project. When you install Anthos Service Mesh with this profile, the following features are enabled:

  • asm-gcp-multiproject: Use this profile if your GKE on Google Cloud cluster is in a Shared Virtual Private Cloud, and you want to add clusters from different projects to Anthos Service Mesh. When you install Anthos Service Mesh using the asm-gcp-multiproject profile:

    • The Anthos Service Mesh dashboards in the Cloud Console currently aren't available. However, you can still view logs in Cloud Logging and metrics in Cloud Monitoring for each project.

    • The Supported default features listed on the Supported features page for the asm-gcp-multiproject configuration profile are enabled.

  • asm-multicloud: Use this profile for clusters on other supported environments: GKE on-prem, GKE on AWS, Amazon Elastic Kubernetes Service (Amazon EKS), and Microsoft Azure Kubernetes Service (Microsoft AKS). When you install Anthos Service Mesh using the asm-multicloud profile, the Supported default features listed on the Supported features page for the asm-multicloud configuration profile are enabled.

The profiles are located in the manifests/profiles subdirectory within the Anthos Service Mesh installation's root directory.

You can override the configuration profile and enable Supported optional features by using the IstioOperator API. You specify the IstioOperator configuration in a YAML file, for example, feature.yaml. (The name of the YAML file doesn't matter.)

Although you can modify the configuration by making changes in the profile or by specifying configuration parameters on the command-line by using the --set option, we recommend that you use an IstioOperator configuration YAML file so that you can store the file in your version-control system along with your other resource configuration files. You can specify multiple files on the command line when enabling optional features.

Examples

To enable a feature when you are installing or upgrading Anthos Service Mesh, you must include both the profile and the YAML file for the feature you want to enable.

Enable an egress gateway

This example shows how to enable an egress gateway on GKE on-prem.

  1. Copy the following YAML to feature.yaml and save the file:

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      components:
        egressGateways:
          - name: istio-egressgateway
            enabled: true
  2. To install Anthos Service Mesh on GKE on-prem, use the following command line:

    istioctl install \
      --set profile=asm-multicloud \
      -f feature.yaml

Enable tracing

This example shows how to enable Cloud Trace on GKE on Google Cloud.

For installations and upgrades on GKE on Google Cloud, you have to prepare istio-operator.yaml, which contains information about your project and cluster. When you configure istio-operator.yaml, you set the profile that you want to use, either asm-gcp or asm-gcp-multiproject. Because the profile is configured in istio-operator.yaml, you don't need to specify the profile on the command line in this case, although you might want to specify it for clarity.

  1. Copy the following YAML to feature.yaml and save the file:

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      meshConfig:
        enableTracing: true
      values:
        global:
          proxy:
            tracer: stackdriver
  2. To install Anthos Service Mesh on GKE on Google Cloud, use the following command line:

    istioctl install \
     -f asm/cluster/istio-operator.yaml \
     -f feature.yaml

YAML for optional features

The following sections provide the YAML to enable optional and supported features. When enabling an optional feature, you must include both the profile and the YAML file for the feature you want to enable on the command line. For GKE on Google Cloud, the profile is configured in istio-operator.yaml.

mTLS STRICT mode

The global.mtls.enabled configuration has been removed to avoid issues with upgrades and to provide a more flexible installation. To enable STRICT mTLS, configure a PeerAuthentication policy instead of setting an installation option.
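The following manifests are an added example, not part of the Anthos Service Mesh documentation or the Istio project's own samples. They show the PeerAuthentication policy that replaces global.mtls.enabled: a mesh-wide STRICT policy, which is the policy named default in the root namespace (istio-system), plus an optional namespace-scoped PERMISSIVE override for a namespace whose workloads are still being injected. The namespace name legacy is an assumption for illustration.

```yaml
# Added example (not from the Anthos Service Mesh docs): mesh-wide STRICT mTLS.
# The policy named "default" in the root namespace (istio-system) applies to
# every workload in the mesh that has no more specific policy of its own.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Optional, for migration only. A namespace-scoped policy takes precedence over
# the mesh-wide one, so this keeps the (hypothetical) "legacy" namespace
# accepting plaintext while its workloads are being injected.
# Delete it once every workload in that namespace has a sidecar.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: legacy
spec:
  mtls:
    mode: PERMISSIVE
```

Apply it with kubectl apply -f peer-authentication.yaml after the control plane is installed. STRICT rejects any plaintext connection to a sidecar, so callers that are outside the mesh (no sidecar, no client certificate) fail immediately once the policy is applied; PERMISSIVE accepts both plaintext and mTLS and therefore enforces nothing. Roll out PERMISSIVE first, confirm that traffic is already mTLS with istioctl authn tls-check on a pod, and only then switch to STRICT.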

Direct Envoy to stdout

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    accessLogFile: "/dev/stdout"

For more information, see Enable Envoy’s access logging.
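Envoy's default access log format is a space-separated text line, which is awkward for a log pipeline to parse reliably. As an added example that is not part of the original page, the fragment below keeps the stdout destination from the preceding YAML and additionally switches the mesh-wide encoding to JSON, which is the other value that meshConfig.accessLogEncoding accepts; nothing else is assumed.

```yaml
# Added example (not from the Anthos Service Mesh docs): structured access logs.
# Combine with the profile on the istioctl command line like any other feature file.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    # Write Envoy access logs to the container's stdout so Cloud Logging
    # (or whatever collects container logs) picks them up.
    accessLogFile: "/dev/stdout"
    # Emit one JSON object per request instead of the default text line.
    # Valid values are TEXT (default) and JSON.
    accessLogEncoding: JSON
```

After the sidecars pick up the new configuration, kubectl logs on an injected pod with -c istio-proxy shows one JSON document per request, with fields such as response_code, upstream_cluster and the client and server addresses, which is what a detection rule or SIEM parser should key on rather than positional text.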

Cloud Trace

For installations on GKE on Google Cloud, you can enable Cloud Trace. For detailed pricing information, refer to the Cloud Trace pricing page.

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    enableTracing: true
  values:
    global:
      proxy:
        tracer: stackdriver

The default sampling rate is 1%, but you can override the default by specifying a traceSampling value. The value must be in the range of 0.0 to 100.0 with a precision of 0.01. For example, to trace 5 requests out of every 10,000, use 0.05.

The following example shows a sampling rate of 100% (which you would only do for demo or troubleshooting purposes).

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    enableTracing: true
  values:
    pilot:
      traceSampling: 100
    global:
      proxy:
        tracer: stackdriver

Trace context propagation

Although the sidecar proxies can automatically send trace spans, they need some hints to tie together the entire trace. Applications need to propagate the appropriate HTTP headers so that when the proxies send span information, the spans can be correlated correctly into a single trace.

To do this, an application needs to collect and propagate the following headers from the incoming request to any outgoing requests:

  • x-request-id
  • x-b3-traceid
  • x-b3-spanid
  • x-b3-parentspanid
  • x-b3-sampled
  • x-b3-flags
  • x-ot-span-context
  • x-cloud-trace-context
  • traceparent
  • grpc-trace-bin

For examples propagating the headers, see Trace context propagation.

Egress via egress gateways

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    egressGateways:
      - name: istio-egressgateway
        enabled: true

For more information, see Egress Gateways.
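Enabling the egress gateway component only deploys the gateway; no traffic is routed through it until you tell the mesh which external hosts exist and how to reach them. The following manifests are an added example, not part of the Anthos Service Mesh documentation or the Istio project's own samples. They route TLS traffic for one external host through the gateway using TLS passthrough, so the application's TLS session to the external server is not terminated in the mesh. The host example.com, port 443 and the default namespace are assumptions for illustration.

```yaml
# Added example (not from the Anthos Service Mesh docs): send TLS traffic for
# example.com (an assumed external host) through istio-egressgateway.
#
# 1. Register the external host so the mesh knows about it.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: example-com
spec:
  hosts:
  - example.com
  ports:
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
---
# 2. Make the egress gateway listen for that host on 443 and pass the TLS
#    session through untouched (no termination, so no certificate on the gateway).
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - example.com
    tls:
      mode: PASSTHROUGH
---
# 3. Two routes, matched on SNI: sidecars ("mesh") send the connection to the
#    egress gateway, and the gateway forwards it to the real host.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: example-com-through-egress-gateway
spec:
  hosts:
  - example.com
  gateways:
  - mesh
  - istio-egressgateway
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - example.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 443
  - match:
    - gateways:
      - istio-egressgateway
      port: 443
      sniHosts:
      - example.com
    route:
    - destination:
        host: example.com
        port:
          number: 443
```

Apply the three resources with kubectl apply, then from a pod with a sidecar run curl -sI https://example.com and confirm the request appears in the gateway's logs (kubectl logs -n istio-system -l istio=egressgateway). On its own this is a routing path, not a control: a sidecar can still reach any host that has no VirtualService. To make the gateway the only way out, also set meshConfig.outboundTrafficPolicy.mode to REGISTRY_ONLY in your IstioOperator configuration, after which sidecars refuse connections to hosts without a ServiceEntry.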

Istio Container Network Interface

How you enable the Istio Container Network Interface (CNI) depends on the environment that Anthos Service Mesh is installed on. You also need to enable a network policy.

Enable CNI on GKE on Google Cloud

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    cni:
      enabled: true
      namespace: kube-system
  values:
    cni:
      cniBinDir: /home/kubernetes/bin
      excludeNamespaces:
        - istio-system
        - kube-system

Enable CNI on GKE on-prem

For GKE on-prem, add gke-system to excludeNamespaces and set values.cni.cniBinDir to /opt/cni/bin:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    cni:
      enabled: true
      namespace: kube-system
  values:
    cni:
      cniBinDir: /opt/cni/bin
      excludeNamespaces:
        - istio-system
        - kube-system
        - gke-system

Enable an internal load balancer

For installations on GKE on Google Cloud, you can enable an internal load balancer for the Istio ingress gateway. In the following YAML, replace PROFILE with the profile that you're using, either asm-gcp or asm-gcp-multiproject.

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: PROFILE
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          serviceAnnotations:
            cloud.google.com/load-balancer-type: "internal"
          service:
            ports:
              - name: status-port
                port: 15020
              - name: http2
                port: 80
              - name: https
                port: 443

External certificate management on the ingress gateway

For information on enabling external certificate management on the ingress gateway using Envoy SDS, see Secure Gateways.