Enabling optional features

When you install Anthos Service Mesh, you specify the Anthos Service Mesh configuration profile, which enables the Supported default features listed on the Supported features page. The Anthos Service Mesh configuration profiles, asm.yaml and asm-onprem.yaml, are located in the install/kubernetes/operator/profiles subdirectory within the Anthos Service Mesh installation's root directory. The configuration profiles define and configure the features that are installed with Anthos Service Mesh.

You can override the ASM configuration profile and enable Supported optional features by using the IstioOperator API. The configuration parameters in this API can be set individually using --set values on the command line.

Alternatively, if you have many features to enable or a feature has numerous settings, you can specify the IstioOperator configuration in a YAML file and pass that file to istioctl with the -f command-line option. Each option specified with --set corresponds to a field in the YAML. For example, the command-line options to enable Grafana are:

--set values.prometheus.enabled=true \
--set values.grafana.enabled=true

The corresponding YAML is:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  addonComponents:
    prometheus:
      enabled: true
    grafana:
      enabled: true

For more information, see Customizing the configuration.

When you enable optional features:

  • Make sure the feature that you enable is supported.

  • Specify the applicable configuration profile for your platform:

    • For Google Kubernetes Engine, use --set profile=asm
    • For Anthos GKE on-prem, use --set profile=asm-onprem

Command-line options to enable optional features

The following table provides the command-line options to enable optional and supported features.

  • mTLS STRICT mode:

    --set values.global.mtls.enabled=true

  • Prometheus:

    --set values.prometheus.enabled=true

  • Grafana (which requires Prometheus):

    --set values.prometheus.enabled=true \
    --set values.grafana.enabled=true

  • Direct Envoy access logs to stdout:

    --set values.global.proxy.accessLogFile="/dev/stdout"

    For more information, see Enable Envoy's access logging.

  • Stackdriver tracing:

    --set values.tracing.enabled=true \
    --set values.global.proxy.tracer="stackdriver"

  • Egress via egress gateways:

    --set values.gateways.istio-egressgateway.enabled=true

    For more information, see Gateway.

  • GKE: Istio Container Network Interface (CNI):

    --set values.components.cni.enabled=true \
    --set values.components.cni.namespace=kube-system \
    --set values.cni.cniBinDir=/home/kubernetes/bin

    You also need to enable a network policy.

  • GKE on-prem: Istio Container Network Interface (CNI):

    --set values.components.cni.enabled=true \
    --set values.components.cni.namespace=kube-system \
    --set values.cni.cniBinDir=/opt/cni/bin \
    --set values.cni.excludeNamespaces=gke-system

    You also need to enable a network policy.

  • GKE on-prem: Kiali:

    --set values.kiali.enabled=true

    You also need to set up authentication as described in Create a secret.
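The options above carry a few rules that are easy to get wrong when typed by hand: Grafana only works with Prometheus enabled, the CNI flags differ between GKE and GKE on-prem (different cniBinDir, and excludeNamespaces only on-prem), and Kiali is listed for GKE on-prem only. The following shell function, which is an added example and not code from the Anthos Service Mesh documentation, assembles the --set flags for one platform and a list of feature names, applying those rules and refusing anything not in the list. The feature labels (mtls-strict, grafana, access-log, and so on) are this script's own names, not istioctl options.

```shell
# Added example (not from the Anthos Service Mesh docs): build the istioctl
# --set flags for a platform ("gke" or "onprem") and a list of optional
# features, enforcing the dependencies from the list of options above.
# Feature labels such as mtls-strict or access-log are this script's own.
asm_flags() {
  platform="$1"
  shift
  case "$platform" in
    gke) profile=asm ;;
    onprem) profile=asm-onprem ;;
    *) echo "unknown platform: $platform (use gke or onprem)" >&2; return 1 ;;
  esac
  flags="--set profile=$profile"
  need_prometheus=0
  for feature in "$@"; do
    case "$feature" in
      mtls-strict)
        flags="$flags --set values.global.mtls.enabled=true" ;;
      prometheus)
        need_prometheus=1 ;;
      grafana)
        # Grafana requires Prometheus; the dependency is appended once at the end.
        need_prometheus=1
        flags="$flags --set values.grafana.enabled=true" ;;
      access-log)
        flags="$flags --set values.global.proxy.accessLogFile=/dev/stdout" ;;
      tracing)
        flags="$flags --set values.tracing.enabled=true"
        flags="$flags --set values.global.proxy.tracer=stackdriver" ;;
      egress)
        flags="$flags --set values.gateways.istio-egressgateway.enabled=true" ;;
      cni)
        # CNI binary directory differs per platform; on-prem also excludes gke-system.
        flags="$flags --set values.components.cni.enabled=true"
        flags="$flags --set values.components.cni.namespace=kube-system"
        if [ "$platform" = gke ]; then
          flags="$flags --set values.cni.cniBinDir=/home/kubernetes/bin"
        else
          flags="$flags --set values.cni.cniBinDir=/opt/cni/bin"
          flags="$flags --set values.cni.excludeNamespaces=gke-system"
        fi ;;
      kiali)
        # Kiali is listed for GKE on-prem only.
        if [ "$platform" != onprem ]; then
          echo "kiali: only listed for GKE on-prem" >&2
          return 1
        fi
        flags="$flags --set values.kiali.enabled=true" ;;
      *)
        echo "unsupported feature: $feature" >&2
        return 1 ;;
    esac
  done
  if [ "$need_prometheus" = 1 ]; then
    flags="$flags --set values.prometheus.enabled=true"
  fi
  printf '%s\n' "$flags"
}

# Usage on GKE (STRICT mTLS plus the egress gateway); the profile-specific
# istio-operator.yaml is passed as in the Examples section:
#   istioctl manifest apply $(asm_flags gke mtls-strict egress) \
#     -f asm/cluster/istio-operator.yaml
```

Because the function fails instead of silently dropping an unknown or platform-inappropriate feature, a mis-typed flag name surfaces before istioctl is run rather than as a missing component in the installed mesh.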

Examples

The commands to install Anthos Service Mesh on GKE use the following environment variables:

  • Set your Cloud project ID:

    export PROJECT_ID=YOUR_PROJECT_ID

  • Set the project number:

    export PROJECT_NUMBER=$(gcloud projects describe ${PROJECT_ID} --format="value(projectNumber)")

  • Set the cluster name:

    export CLUSTER_NAME=YOUR_CLUSTER_NAME

  • Set CLUSTER_LOCATION to either your cluster zone or cluster region:

    export CLUSTER_LOCATION=YOUR_ZONE_OR_REGION

  • Set the workload pool:

    export WORKLOAD_POOL=${PROJECT_ID}.svc.id.goog

  • Set the mesh ID, which is required for metrics to be displayed on the Anthos Service Mesh pages in the Cloud Console:

    export MESH_ID="proj-${PROJECT_NUMBER}"

Enable the egress gateway

To install Anthos Service Mesh in PERMISSIVE mutual TLS (mTLS) authentication mode and enable the egress gateway:

GKE

istioctl manifest apply --set profile=asm \
-f asm/cluster/istio-operator.yaml \
--set values.gateways.istio-egressgateway.enabled=true

GKE on-prem

istioctl manifest apply --set profile=asm-onprem \
--set values.gateways.istio-egressgateway.enabled=true

Enable STRICT mTLS mode

To install Anthos Service Mesh in STRICT mTLS mode:

GKE

istioctl manifest apply --set profile=asm \
-f asm/cluster/istio-operator.yaml \
--set values.global.mtls.enabled=true

GKE on-prem

istioctl manifest apply --set profile=asm-onprem \
--set values.global.mtls.enabled=true

Enable an internal load balancer

For installations on GKE, you can enable an internal load balancer for the Istio ingress gateway. Internal load balancers aren't supported for GKE on-prem. For information on configuring GKE on-prem, see Setting up your load balancer for GKE on-prem.

  1. Copy the following text to a file and save it as ilb.yaml:

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      profile: empty
      components:
        ingressGateways:
          - name: istio-ingressgateway
            enabled: true
            k8s:
              serviceAnnotations:
                cloud.google.com/load-balancer-type: "internal"
              ports:
                - name: status-port
                  port: 15020
                - name: http2
                  port: 80
                - name: https
                  port: 443
  2. Specify the file on the command line:

    istioctl manifest apply --set profile=asm \
    -f asm/cluster/istio-operator.yaml \
    -f ilb.yaml