Version 1.9

Anthos Service Mesh quickstart for GKE

In this tutorial, you install Anthos Service Mesh 1.9.5-asm.2 using a Google-provided script, install_asm, on a new Google Kubernetes Engine (GKE) cluster. This tutorial walks you through:

  1. configuring your Google Cloud project
  2. creating a GKE cluster with the minimum number of vCPUs required by Anthos Service Mesh
  3. installing Anthos Service Mesh with an in-cluster control plane
  4. deploying a sample application so that you can view telemetry data on the Anthos Service Mesh dashboards in the Google Cloud Console.

Costs

This tutorial uses the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial.

When you finish this quickstart, you can avoid continued billing by deleting the cluster. For more information, see Clean up.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Enable the Kubernetes Engine API.

    Enable the API

  5. Make a note of your project ID.

Although Anthos Service Mesh requires other APIs, the install_asm script enables them for you. To keep billing costs down, the install_asm script doesn't enable the Anthos API. There are some minor differences in the Cloud Console when the Anthos API is enabled. To learn more about these differences, see Anthos and Anthos Service Mesh UI differences.

Install required tools

You can run the script on Cloud Shell or on your local machine running Linux. Cloud Shell pre-installs all the required tools. Note that macOS isn't supported because it comes with an old version of bash.

Cloud Shell

Cloud Shell provisions a g1-small Compute Engine virtual machine (VM) running a Debian-based Linux operating system. The advantages to using Cloud Shell are:

  • Cloud Shell includes gcloud, kubectl, kpt, and the other command-line tools that you need.

  • Your Cloud Shell $HOME directory has 5GB persistent storage space.

  • You have your choice of text editors:

    • Code editor, which you access by clicking at the top of the Cloud Shell window.

    • Emacs, Vim, or Nano, which you access from the command line in Cloud Shell.

To use Cloud Shell:

  1. Go to the Cloud Console.
  2. Select your Cloud project.
  3. Click the Activate Cloud Shell button at the top of the Cloud Console window.

    Google Cloud Platform console

    A Cloud Shell session opens inside a new frame at the bottom of the Cloud Console and displays a command-line prompt.

    Cloud Shell session

Local Linux computer

  1. Make sure you have the following tools installed:

    • The Cloud SDK (the gcloud command-line tool)
    • The standard command-line tools: awk, curl, grep, sed, sha256sum, and tr
    • git
    • kpt
    • kubectl
    • jq
  2. Authenticate with the Cloud SDK:

    gcloud auth login
    
  3. Update the components:

    gcloud components update
    
  4. Make sure that git is in your path so that kpt can find it.

Create a GKE cluster

  1. Run the following command to create the cluster with the minimum number of vCPUs required by Anthos Service Mesh. In the command, replace the placeholders with the following information:

    • CLUSTER_NAME : the name of your cluster. The name can contain only lowercase alphanumerics and -, must start with a letter and end with an alphanumeric, and must be no longer than 40 characters.
    • PROJECT_ID: the project ID that the cluster will be created in.
    • CLUSTER_LOCATION the zone for the cluster, such as us-central1-a.
    gcloud container clusters create CLUSTER_NAME  \
        --project=PROJECT_ID \
        --zone=CLUSTER_LOCATION  \
        --machine-type=e2-standard-4 \
        --num-nodes=2
    
  2. Get authentication credentials to interact with the cluster. This command also sets the current context for kubectl to the cluster.

    gcloud container clusters get-credentials CLUSTER_NAME  \
        --project=PROJECT_ID \
        --zone=CLUSTER_LOCATION 
    

Download the ASM installation script

  1. Download the version of the script that installs Anthos Service Mesh 1.9.5 to the current working directory:

    curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_1.9 > install_asm
    
  2. Download the SHA-256 of the file to the current working directory:

    curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_1.9.sha256 > install_asm.sha256
    
  3. With both files in the same directory, verify the download:

    sha256sum -c --ignore-missing install_asm.sha256
    

    If the verification is successful, the command outputs: install_asm: OK

    For compatibility, the install_asm.sha256 file includes the checksum twice to allow any version of the script to be renamed to install_asm. If you get an error that --ignore-missing does not exist, rerun the previous command without the --ignore-missing flag.

  4. Make the script executable:

    chmod +x install_asm
    

Install Anthos Service Mesh

Run the install_asm script with the following options to install Anthos Service Mesh on the cluster that you created previously. If you haven't closed this page since you created the cluster, the placeholders have the values that you entered for the gcloud container clusters create command.

./install_asm \
  --project_id PROJECT_ID \
  --cluster_name CLUSTER_NAME  \
  --cluster_location CLUSTER_LOCATION  \
  --mode install \
  --output_dir ./asm-downloads \
  --enable_all

It can take several minutes for the install_asm script to finish. The script outputs informational messages so you can follow its progress.

The command runs install_asm with the following options:

  • --mode install: runs the script for a new installation and enables Anthos Service Mesh certificate authority (Mesh CA), which is the default certificate authority (CA) for installs.
  • --output_dir ./asm-downloads: the directory where the script downloads the files from the anthos-service-mesh repository, and where it downloads and extracts the Anthos Service Mesh installation file, which contains istioctl, samples, and manifests.
  • --enable-registration: allows the script to register the cluster to the project that the cluster is in.
  • --enable_all: allows the script to enable the required Google APIs, set Identity and Access Management permissions, and make the required updates to your cluster, which includes enabling GKE Workload Identity.

Deploy the Online Boutique sample

  1. Download the sample using kpt:

    kpt pkg get \
    https://github.com/GoogleCloudPlatform/microservices-demo.git/release \
    online-boutique
    
  2. Create a namespace for the application:

    kubectl create namespace demo
    
  3. Enable automatic sidecar injection (auto-injection). Use the following command to locate the label on the istiod service, which contains the revision label value to use in later steps.

    kubectl -n istio-system get pods -l app=istiod --show-labels
    

    The output looks similar to the following:

    NAME                                READY   STATUS    RESTARTS   AGE   LABELS
    istiod-asm-195-2-5788d57586-bljj4   1/1     Running   0          23h   app=istiod,istio.io/rev=asm-195-2,istio=istiod,pod-template-hash=5788d57586
    istiod-asm-195-2-5788d57586-vsklm   1/1     Running   1          23h   app=istiod,istio.io/rev=asm-195-2,istio=istiod,pod-template-hash=5788d57586
    

    In the output, under the LABELS column, note the value of the istiod revision label, which follows the prefix istio.io/rev=. In this example, the value is asm-195-2.

  4. Apply the revision label to the namespace. In the following command, REVISION is the value of the istiod revision label that you noted in the previous step.

    kubectl label namespace demo istio-injection- istio.io/rev=REVISION --overwrite
    

    You can ignore the message "istio-injection not found" in the output. That means that the namespace didn't previously have the istio-injection label, which you should expect in new installations of Anthos Service Mesh or new deployments. Because auto-injection fails if a namespace has both the istio-injection and the revision label, all kubectl label commands in the Anthos Service Mesh documentation include removing the istio-injection label.

  5. Deploy the sample to the cluster:

    kubectl apply -n demo -f online-boutique
    
  6. Get the external IP address of the ingress gateway:

    kubectl get service istio-ingressgateway -n istio-system
    

    The output is similar to:

    NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                      AGE
    istio-ingressgateway   LoadBalancer   10.19.247.233   35.239.7.64   80:31380/TCP,443:31390/TCP,31400:31400/TCP   27m

    In this example, the IP address of the ingress gateway is 35.239.7.64.

  7. Visit the application on your browser to confirm installation:

    http://EXTERNAL_IP/
    

View the Service Mesh dashboards

After you have workloads deployed on your cluster with the sidecar proxies injected, you can explore the Anthos Service Mesh pages in the Cloud Console to see all of the observability features that Anthos Service Mesh offers. Note that it takes about one or two minutes for telemetry data to be displayed in the Cloud Console after you deploy workloads.

Access to Anthos Service Mesh in the Cloud Console is controlled by Identity and Access Management (IAM). To access the Anthos Service Mesh pages, a Project Owner must grant users the Project Editor or Viewer role, or the more restrictive roles described in Controlling access to Anthos Service Mesh in the Cloud Console.

  1. In the Google Cloud Console, go to Anthos Service Mesh.

    Go to Anthos Service Mesh

  2. Select the Cloud project from the drop-down list on the menu bar.

  3. If you have more than one service mesh, select the mesh from the Service Mesh drop-down list.

To learn more, see Exploring Anthos Service Mesh in the Cloud Console.

Clean up

Before cleaning up, if you are interested in learning more about mutual TLS, see Anthos Service Mesh by example: mTLS.

  • If you want to prevent additional charges, delete the cluster:

    gcloud container clusters delete  CLUSTER_NAME  \
        --project=PROJECT_ID \
        --zone=CLUSTER_LOCATION 
    
  • If you want to keep your cluster and remove the Online Boutique sample:

    kubectl delete namespaces demo
    

What's next

Learn more about: