In this tutorial, you install Anthos Service Mesh 1.9.5-asm.2 using a script, install_asm, on a new Google Kubernetes Engine (GKE) cluster. This tutorial walks you through:
- configuring your Google Cloud project
- creating a GKE cluster with the minimum number of vCPUs required by Anthos Service Mesh
- installing Anthos Service Mesh with an in-cluster control plane
- deploying a sample application so that you can view telemetry data on the Anthos Service Mesh dashboards in the Google Cloud Console.
This tutorial uses the following billable components of Google Cloud:
When you finish this quickstart, you can avoid continued billing by deleting the cluster. For more information, see Clean up.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
- Enable the Kubernetes Engine API.
- Make a note of your project ID.
Although Anthos Service Mesh requires other APIs, the install_asm script enables them for you. To keep billing costs down, the install_asm script doesn't enable the Anthos API. There are some minor differences in the Cloud Console when the Anthos API is enabled. To learn more about these differences, see Anthos and Anthos Service Mesh UI differences.
Install required tools
You can run the script on Cloud Shell or on your local machine running Linux. Cloud Shell pre-installs all the required tools. Note that macOS isn't supported because it comes with an old version of bash.
Cloud Shell provisions a g1-small Compute Engine virtual machine (VM) running a Debian-based Linux operating system. The advantages to using Cloud Shell are:
Cloud Shell includes kpt, and the other command-line tools that you need.
Your Cloud Shell $HOME directory has 5GB persistent storage space.
You have your choice of text editors:
Code editor, which you access by clicking edit at the top of the Cloud Shell window.
Emacs, Vim, or Nano, which you access from the command line in Cloud Shell.
To use Cloud Shell:
- Go to the Cloud Console.
- Select your Cloud project.
Click the Activate Cloud Shell button at the top of the Cloud Console window.
A Cloud Shell session opens inside a new frame at the bottom of the Cloud Console and displays a command-line prompt.
Local Linux computer
Make sure you have the following tools installed:
Authenticate with the Cloud SDK:
gcloud auth login
Update the components:
gcloud components update
Make sure that git is in your path so that kpt can find it.
Create a GKE cluster
Run the following command to create the cluster with the minimum number of vCPUs required by Anthos Service Mesh. In the command, replace the placeholders with the following information:
- CLUSTER_NAME: the name of your cluster. The name can contain only lowercase alphanumerics and -, must start with a letter and end with an alphanumeric, and must be no longer than 40 characters.
- PROJECT_ID: the project ID that the cluster will be created in.
- CLUSTER_LOCATION: the zone for the cluster, such as
gcloud container clusters create CLUSTER_NAME \
    --project=PROJECT_ID \
    --zone=CLUSTER_LOCATION \
    --machine-type=e2-standard-4 \
    --num-nodes=2
Get authentication credentials to interact with the cluster. This command also sets the current context for kubectl to the cluster.
gcloud container clusters get-credentials CLUSTER_NAME \
    --project=PROJECT_ID \
    --zone=CLUSTER_LOCATION
Download the ASM installation script
Download the version of the script that installs Anthos Service Mesh 1.9.5 to the current working directory:
curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_1.9 > install_asm
Download the SHA-256 of the file to the current working directory:
curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_1.9.sha256 > install_asm.sha256
With both files in the same directory, verify the download:
sha256sum -c --ignore-missing install_asm.sha256
If the verification is successful, the command outputs:
For compatibility, the install_asm.sha256 file includes the checksum twice to allow any version of the script to be renamed to install_asm. If you get an error that --ignore-missing does not exist, rerun the previous command without the
Make the script executable:
chmod +x install_asm
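The download-and-verify steps above as one fail-closed function that also works where sha256sum lacks --ignore-missing. This is an added example, not part of the original tutorial or the install_asm script; verify_download and the sample files are hypothetical and constructed so the block runs offline.

```shell
#!/bin/sh
# Added example (not from the tutorial); verify_download is a hypothetical helper.

# verify_download FILE SUMFILE
#   0  SUMFILE has an entry named FILE and its SHA-256 matches
#   1  hash mismatch
#   2  FILE or SUMFILE is missing
#   3  SUMFILE has no entry for FILE (treated as a failure, not a skip)
verify_download() {
    file=$1
    sums=$2
    [ -f "$file" ] && [ -f "$sums" ] || return 2
    name=$(basename "$file")
    # sha256sum lines are "<hex>  <name>" or "<hex> *<name>"; pick this file only,
    # which is what --ignore-missing achieves when the list names several files.
    expected=$(awk -v n="$name" '($2 == n || $2 == ("*" n)) { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 3
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed stand-ins for the two downloaded files.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho "constructed stand-in for install_asm"\n' > "$demo_dir/install_asm"
sum=$(sha256sum "$demo_dir/install_asm" | awk '{ print $1 }')
# The checksum file lists the same hash under two names, as the tutorial describes.
printf '%s  install_asm_1.9\n%s  install_asm\n' "$sum" "$sum" > "$demo_dir/install_asm.sha256"

# Only mark the script executable after verification succeeds.
if verify_download "$demo_dir/install_asm" "$demo_dir/install_asm.sha256"; then
    chmod +x "$demo_dir/install_asm"
    echo "verified; marked executable"
else
    echo "verification failed; not marking executable" >&2
fi
```

Both the script and its checksum come from the same storage.googleapis.com/csm-artifacts/asm/ path, so this check catches a corrupted or truncated download rather than a replaced file at the origin.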
Install Anthos Service Mesh
Run the install_asm script with the following options to install Anthos Service Mesh on the cluster that you created previously. If you haven't closed this page since you created the cluster, the placeholders have the values that you entered for the gcloud container clusters create command.
./install_asm \
    --project_id PROJECT_ID \
    --cluster_name CLUSTER_NAME \
    --cluster_location CLUSTER_LOCATION \
    --mode install \
    --output_dir ./asm-downloads \
    --enable_all
It can take several minutes for the install_asm script to finish. The script outputs informational messages so you can follow its progress.
The command runs install_asm with the following options:
- --mode install: runs the script for a new installation and enables Anthos Service Mesh certificate authority (Mesh CA), which is the default certificate authority (CA) for installs.
- --output_dir ./asm-downloads: the directory where the script downloads the files from the anthos-service-mesh repository, and where it downloads and extracts the Anthos Service Mesh installation file, which contains istioctl, samples, and manifests.
- --enable-registration: allows the script to register the cluster to the project that the cluster is in.
- --enable_all: allows the script to enable the required Google APIs, set Identity and Access Management permissions, and make the required updates to your cluster, which includes enabling GKE Workload Identity.
Deploy the Online Boutique sample
Download the sample using
kpt pkg get \
    https://github.com/GoogleCloudPlatform/microservices-demo.git/release \
    online-boutique
Create a namespace for the application:
kubectl create namespace demo
Enable automatic sidecar injection (auto-injection). Use the following command to locate the label on the istiod service, which contains the revision label value to use in later steps.
kubectl -n istio-system get pods -l app=istiod --show-labels
The output looks similar to the following:
NAME                                READY   STATUS    RESTARTS   AGE   LABELS
istiod-asm-195-2-5788d57586-bljj4   1/1     Running   0          23h   app=istiod,istio.io/rev=asm-195-2,istio=istiod,pod-template-hash=5788d57586
istiod-asm-195-2-5788d57586-vsklm   1/1     Running   1          23h   app=istiod,istio.io/rev=asm-195-2,istio=istiod,pod-template-hash=5788d57586
In the output, under the LABELS column, note the value of the istiod revision label, which follows the prefix istio.io/rev=. In this example, the value is
Apply the revision label to the namespace. In the following command, REVISION is the value of the istiod revision label that you noted in the previous step.
kubectl label namespace demo istio-injection- istio.io/rev=REVISION --overwrite
You can ignore the message "istio-injection not found" in the output. That means that the namespace didn't previously have the istio-injection label, which you should expect in new installations of Anthos Service Mesh or new deployments. Because auto-injection fails if a namespace has both the istio-injection and the revision label, all kubectl label commands in the Anthos Service Mesh documentation include removing the
Deploy the sample to the cluster:
kubectl apply -n demo -f online-boutique
Get the external IP address of the ingress gateway:
kubectl get service istio-ingressgateway -n istio-system
The output is similar to:
NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                                      AGE
istio-ingressgateway   LoadBalancer   10.19.247.233   18.104.22.168   80:31380/TCP,443:31390/TCP,31400:31400/TCP   27m
In this example, the IP address of the ingress gateway is
Visit the application on your browser to confirm installation:
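Added example for the auto-injection steps earlier in this section (not part of the original tutorial): it reads the revision from the --show-labels output instead of copying it by hand, stops when the istiod pods carry no revision or different revisions, and detects a namespace that has both injection labels. The function names istiod_revision and injection_labels_conflict are hypothetical; the pod listing is the tutorial's own sample output.

```shell
#!/bin/sh
# Added example (not from the tutorial); function names are hypothetical.

# Reads `kubectl -n istio-system get pods -l app=istiod --show-labels` output
# on stdin and prints the single istio.io/rev value.
# Returns 1 when no revision label is present, 2 when the pods disagree.
istiod_revision() {
    revs=$(awk 'NR > 1 {
        n = split($NF, labels, ",")            # LABELS is the last column
        for (i = 1; i <= n; i++)
            if (index(labels[i], "istio.io/rev=") == 1)
                print substr(labels[i], length("istio.io/rev=") + 1)
    }' | sort -u)
    [ -n "$revs" ] || return 1
    count=$(printf '%s\n' "$revs" | awk 'END { print NR }')
    [ "$count" -eq 1 ] || return 2
    printf '%s\n' "$revs"
}

# Takes a namespace's comma-separated labels (as printed by --show-labels) and
# returns 0 when both istio-injection and istio.io/rev are set, the state in
# which auto-injection fails.
injection_labels_conflict() {
    case ",$1" in
        *,istio-injection=*) has_legacy=1 ;;
        *) has_legacy=0 ;;
    esac
    case ",$1" in
        *,istio.io/rev=*) has_rev=1 ;;
        *) has_rev=0 ;;
    esac
    [ "$has_legacy" -eq 1 ] && [ "$has_rev" -eq 1 ]
}

# Pod listing taken from the tutorial's example output.
SAMPLE_PODS='NAME READY STATUS RESTARTS AGE LABELS
istiod-asm-195-2-5788d57586-bljj4 1/1 Running 0 23h app=istiod,istio.io/rev=asm-195-2,istio=istiod,pod-template-hash=5788d57586
istiod-asm-195-2-5788d57586-vsklm 1/1 Running 1 23h app=istiod,istio.io/rev=asm-195-2,istio=istiod,pod-template-hash=5788d57586'

# Print the label command with the derived revision filled in.
if rev=$(printf '%s\n' "$SAMPLE_PODS" | istiod_revision); then
    echo "kubectl label namespace demo istio-injection- istio.io/rev=$rev --overwrite"
fi
```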
View the Service Mesh dashboards
After you have workloads deployed on your cluster with the sidecar proxies injected, you can explore the Anthos Service Mesh pages in the Cloud Console to see all of the observability features that Anthos Service Mesh offers. Note that it takes about one or two minutes for telemetry data to be displayed in the Cloud Console after you deploy workloads.
Access to Anthos Service Mesh in the Cloud Console is controlled by Identity and Access Management (IAM). To access the Anthos Service Mesh pages, a Project Owner must grant users the Project Editor or Viewer role, or the more restrictive roles described in Controlling access to Anthos Service Mesh in the Cloud Console.
In the Google Cloud Console, go to Anthos Service Mesh.
Select the Cloud project from the drop-down list on the menu bar.
If you have more than one service mesh, select the mesh from the Service Mesh drop-down list.
To learn more, see Exploring Anthos Service Mesh in the Cloud Console.
If you want to prevent additional charges, delete the cluster:
gcloud container clusters delete CLUSTER_NAME \
    --project=PROJECT_ID \
    --zone=CLUSTER_LOCATION
If you want to keep your cluster and remove the Online Boutique sample:
kubectl delete namespaces demo
Learn more about:
- Cluster requirements
- install_asm script's options and flags
- Deploying Services
- gcloud commands used in this tutorial