Overview
Anthos Service Mesh Google-managed control plane is a Google Cloud managed service that you only need to configure, while Google handles its reliability, upgrades, scaling and security for you in a backward-compatible manner. This guide explains how to set up or migrate applications to Google-managed control plane in a single or multi-cluster configuration.
You can use a single Google-managed control plane for multiple GKE clusters in a single Google Cloud project.
To learn about the supported features and limitations of Anthos Service Mesh managed control plane, see Anthos Service Mesh Google-managed control plane supported features.
Prerequisites
This guide assumes that you have:
- A Cloud project.
- A Cloud Billing account.
- Reviewed the list of Google-managed control plane supported features and limitations.
- Installation script,
kpt
, and other tools specified in Installing the required tools. - One or more clusters with GKE 1.16 to 1.20 installed, in one of these available regions:
- asia-east1
- asia-southeast1
- europe-north1
- europe-west1
- europe-west4
- us-central1
- us-east1
- us-east4
- us-west1
- us-west2
- us-west3
- us-west4
- Your clusters must have Workload Identity enabled.
If Workload Identity isn't enabled, you can enable it by using the following command:
gcloud container clusters update CLUSTER_NAME --zone LOCATION \
--workload-pool=PROJECT_ID.svc.id.goog
Download the installation script
Download the version of the script that installs Anthos Service Mesh 1.9.3 to the current working directory:
curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_1.9 > install_asm
Download the SHA-256 of the file to the current working directory:
curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_1.9.sha256 > install_asm.sha256
With both files in the same directory, verify the download:
sha256sum -c --ignore-missing install_asm.sha256
If the verification is successful, the command outputs:
install_asm: OK
For compatibility, the preceding command includes the--ignore-missing
flag to allow any version of the script to be renamed toinstall_asm
.Make the script executable:
chmod +x install_asm
Configure each cluster
Use the following steps to configure the Google-managed control plane for each cluster in your mesh.
Get cluster credentials
Retrieve the appropriate credentials. The following command will also point the
kubectl
context to the target cluster.
gcloud container clusters get-credentials CLUSTER_NAME \
--zone LOCATION \
--project PROJECT_ID
Apply the Google-managed control plane
Run the installation script for each cluster that will use the Google-managed control plane:
./install_asm --mode install --managed -p PROJECT_ID \
-l LOCATION -n CLUSTER_NAME -v \
--output_dir CLUSTER_NAME --enable-all
The script will download to the specified --output_dir
all the files for
configuring the managed control plane, installing an Istio Gateway, along with
the istioctl tool and sample applications.
Install Istio Gateways (optional)
Optionally, you can install one or more Istio Gateways in your cluster to handle typical ingress traffic, by using the following steps:
Choose one of these two options to set up the namespace where you will deploy the gateway in later steps.
- Enable the namespace for injection:
kubectl label namespace GATEWAY_NAMESPACE istio-injection- istio.io/rev=asm-managed --overwrite
OR
- Enable injection only for the gateway pod, but not all pods in the
namespace. This command removes all injection labels and later you will enable
injection on the pod itself:
kubectl label namespace GATEWAY_NAMESPACE istio-injection- istio.io/rev-
- Enable the namespace for injection:
Create a Deployment and Service for the gateway, by using the following minimal example:
apiVersion: v1 kind: Service metadata: name: istio-ingressgateway namespace: GATEWAY_NAMESPACE spec: type: LoadBalancer selector: istio: ingressgateway ports: - port: 80 name: http - port: 443 name: https --- apiVersion: apps/v1 kind: Deployment metadata: name: istio-ingressgateway namespace: GATEWAY_NAMESPACE spec: selector: matchLabels: istio: ingressgateway template: metadata: annotations: # This is required to tell Anthos Service Mesh to inject the gateway with the # required configuration. inject.istio.io/templates: gateway labels: istio: ingressgateway istio.io/rev: asm-managed # This is required only if the namespace is not labeled. spec: containers: - name: istio-proxy image: auto # The image will automatically update each time the pod starts. --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: istio-ingressgateway-sds namespace: `GATEWAY_NAMESPACE` rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: istio-ingressgateway-sds namespace: `GATEWAY_NAMESPACE` roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: istio-ingressgateway-sds subjects: - kind: ServiceAccount name: default
After you create the deployment, verify that the new services are working correctly:
kubectl get pod,service -n GATEWAY_NAMESPACE
Verify the output similar to the following:
NAME READY STATUS RESTARTS AGE pod/istio-ingressgateway-856b7c77-bdb77 1/1 Running 0 3s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/istio-ingressgateway LoadBalancer 10.24.5.129 34.82.157.6 80:31904/TCP 3s
Configure endpoint discovery (only for multi-cluster installations)
Anthos Service Mesh managed control plane supports a single-project, single-network, multi-primary configuration, with the difference that the control plane is not installed in the cluster. A multi-primary configuration means that each cluster is configured with secrets to all other clusters, which allows each cluster to discover endpoints from all the other clusters.
Before you continue, you should have already run the install script on each cluster as described in the previous steps. There is no need to indicate that a cluster is a primary cluster, this is the default behavior.
For every cluster, enable endpoints discovery by running the following commands
once for every other cluster i=1..N
in the mesh:
For every cluster, ensure the kubectl config context points to the current cluster:
export CTX=gke_PROJECT_ID_LOCATION_CLUSTER_NAME
Enable endpoints discovery by running the following commands once for every other cluster i=1..N in the mesh:
export CTX_i=gke_PROJECT_ID_LOCATION_i_CLUSTER_NAME_i
./bin/istioctl x create-remote-secret --context=${CTX_i} --name=CLUSTER_NAME_i | \ kubectl apply -f - --context=${CTX}
Verify the secret has been created by running the command:
kubectl get secret istio-remote-secret-CLUSTER_NAME_i -n istio-system
Verify the expected output:
NAME TYPE DATA AGE istio-remote-secret-CLUSTER_NAME_i Opaque 1 44s
If the current cluster is added to an existing multi-cluster mesh, let all the other clusters discover its endpoints by creating a secret corresponding to the current cluster in all the other clusters:
./bin/istioctl x create-remote-secret --context=${CTX} --name=CLUSTER_NAME | \ kubectl apply -f - --context=${CTX_i}
In addition, you can verify the secret for the other cluster also:
kubectl get secret istio-remote-secret-CLUSTER_NAME -n istio-system --context -CTX_i
Verify the expected output:
NAME TYPE DATA AGE istio-remote-secret-CLUSTER_NAME Opaque 1 44s
For more details and an example with two clusters, see enable endpoint discovery.
Deploy applications
Before you deploy applications, remove any previous istio-injection
labels
from their namespaces, and set the istio.io/rev:asm-managed
label instead:
kubectl label namespace NAMESPACE istio-injection- istio.io/rev=asm-managed --overwrite
At this point, you have successfully configured Anthos Service Mesh managed control plane. You are now ready to deploy your applications or you can deploy the Bookinfo sample application.
If you deploy an application in a multi-cluster setup, replicate the Kubernetes and control plane configuration in all clusters, unless you plan to limit that particular config to a subset of clusters. The configuration applied to a particular cluster is the source of truth for that cluster. In addition, if the cluster also runs Anthos Service Mesh 1.7, 1.8 or higher with Mesh CA in other namespaces, verify the application can communicate with the other applications controlled by the customer-managed control plane.
Verify control plane metrics
To verify that your configuration works correctly:
In the Cloud Console, view the control plane metrics:
Choose your workspace and add a custom query using the following parameters:
- Resource type: Kubernetes Container
- Metric: Proxy Clients
- Filter:
container_name="cr-asm-managed"
- Group By: revision label and proxy_version label
- Aggregator sum
- Period: 1 minute
When you run Anthos Service Mesh with both a Google-managed and a customer-managed control plane, you can tell the metrics apart by their container name. For example, managed metrics have
container_name="cr-asm-managed"
, while unmanaged metrics havecontainer_name="discovery"
. To display metrics from both, remove the Filter oncontainer_name="cr-asm-managed"
.Verify the control plane version and proxy version by inspecting the following fields in Metrics Explorer:
- The revision field indicates the control plane version.
- The proxy_version field indicates the
proxy_version
. - The value field indicates the number of connected proxies.
Migrate applications to Google-managed control plane
The Anthos Service Mesh Google-managed control plane only supports migration from Anthos Service Mesh 1.9 that uses Mesh CA.
To migrate to Google-managed control plane, perform the following steps:
Run the script as indicated in the Install the control plane section.
Replace the current namespace label with the
istio.io/rev:asm-managed
label:kubectl label namespace NAMESPACE istio-injection- istio.io/rev=asm-managed \ --overwrite
Perform a rolling upgrade of deployments in the namespace:
kubectl rollout restart deployment -n NAMESPACE
Test your application to verify that the workloads function correctly.
If you have workloads in other namespaces, repeat the previous steps for each namespace.
If you deployed the application in a multi-cluster setup, replicate the Kubernetes and Istio configuration in all clusters, unless there is a desire to limit that configuration to a subset of clusters only. The configuration applied to a particular cluster is the source of truth for that cluster.
Check that the metrics appear as expected by following the steps in Verify control plane metrics.
A cluster can have a mix of revisions, for example Anthos Service Mesh 1.7 and 1.8, and customer-managed Anthos Service Mesh together. You can mix namespaces using different Anthos Service Mesh control plane revisions indefinitely.
If you are satisfied that your application works as expected, you can remove the
in-cluster istiod
after you switch all namespaces to the customer-managed
control plane, or keep them as a backup - istiod
will automatically scale down
to use fewer resources. To remove, skip to Delete old control plane.
If you encounter problems, you can identify and resolve them by using the information in Resolving managed control plane issues and if necessary, roll back to the previous version.
Delete old control plane
After you install and confirm that all namespaces use the Google-managed control plane, you can delete the old control plane.
kubectl delete Service,Deployment,HorizontalPodAutoscaler,PodDisruptionBudget istiod -n istio-system --ignore-not-found=true
If you used istioctl kube-inject
instead of automatic injection, or if
you installed additional gateways, check the metrics for the control plane,
and verify that the number of connected endpoints is zero.
Roll back
Perform the following steps if you need to roll back to the previous control plane version:
Update workloads to be injected with the previous version of the control plane. In the following command, the revision value
asm-191-1
is used only as an example. Replace the example value with the revision label of your previous control plane.kubectl label namespace NAMESPACE istio-injection- istio.io/rev=asm-191-1 --overwrite
Restart the Pods to trigger re-injection so the proxies have the previous version:
kubectl rollout restart deployment -n NAMESPACE
The managed control plane will automatically scale to zero and not use any resource when not in use. The mutating webhooks and provisioning will remain and do not affect cluster behavior.
The gateway is now set to the asm-managed
revision. To roll back, re-run
the Anthos Service Mesh install command, which will re-deploy gateway pointing back
to your customer-managed control plane:
kubectl -n istio-system rollout undo deploy istio-ingressgateway
Expect this output on success:
deployment.apps/istio-ingressgateway rolled back
Uninstall
Google-managed control plane will auto-scale to zero when no namespaces are using it, therefore no uninstallation is required.
Troubleshooting
To identify and resolve problems when using managed control plane, see Resolving managed control plane issues.