Version 1.11

Plan an installation

This page provides information to help you plan a new installation of Anthos Service Mesh.

Customize the control plane

The features that Anthos Service Mesh supports differ between platforms. We recommend that you review the Supported features to learn which features are supported on your platform. Some features are enabled by default, and others you can optionally enable by creating an IstioOperator overlay file. When you run asmcli install, you can customize the control plane by specifying the --custom_overlay option with the overlay file. As a best practice, we recommend that you save the overlay files in your version control system.

The anthos-service-mesh package in GitHub contain many overlay files. These files contain common customizations to the default configuration. You can use these files as they are, or you can make additional changes to them as needed. Some of the files are required to enable optional Anthos Service Mesh features. The anthos-service-mesh package is downloaded when you run asmcli to validate your project and cluster.

When you install Anthos Service Mesh using asmcli install, you can specify one or more overlay files with the --option or --custom_overlay. If you don't need to make any changes to the files in the anthos-service-mesh repository, you can use --option, and the script fetches the file from GitHub for you. Otherwise, you can make changes to the overlay file, and then use the --custom_overlay option to pass it to the asmcli.

Choose a Certificate Authority

You can use Anthos Service Mesh certificate authority (Mesh CA) or Istio CA as the certificate authority (CA) for issuing mutual TLS (mTLS) certificates.

Unless you require a custom CA, such as HashiCorp Vault, we recommend that you use Mesh CA for the following reasons:

  • Mesh CA is a highly reliable and scalable service that is optimized for dynamically scaled workloads on Google Cloud.
  • With Mesh CA, Google manages the security and availability of the CA backend.
  • Mesh CA lets you rely on a single root of trust across clusters.

Certificates from Mesh CA include the following data about your application's services:

  • The Google Cloud project ID
  • The GKE namespace
  • The GKE service account name

Prepare gateway configuration

Anthos Service Mesh gives you the option to deploy and manage gateways as part of your service mesh. A gateway describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections. Gateways are Envoy proxies that provide you with fine-grained control over traffic entering and leaving the mesh.

By default, asmcli doesn't install the istio-ingressgateway. We recommend that you deploy and manage the control plane and gateways separately. For more information, see Installing and upgrading gateways. If you need the default istio-ingressgateway installed with the in-cluster control plane, include the --option legacy-default-ingressgateway argument.

What's next?