Plan an installation
This page provides information to help you plan a new installation of Anthos Service Mesh.
Customize the control plane
The features that Anthos Service Mesh supports differ between platforms. We recommend
that you review the Supported features to
learn which features are supported on your platform. Some features are enabled
by default, and others you can optionally enable by creating an
IstioOperator overlay file.
When you run
asmcli install, you can customize the control plane by specifying
option with the overlay file. As a best practice, we recommend that you save
the overlay files in your version control system.
package in GitHub contains many overlay files. These files contain common
customizations to the default configuration. You can use these files as they
are, or you can make additional changes to them as needed. Some of the files
are required to
enable optional Anthos Service Mesh features.
anthos-service-mesh package is downloaded when you run
validate your project and cluster.
When you install Anthos Service Mesh using
asmcli install, you
can specify one or more overlay files with the
If you don't need to make any changes to the files in the
repository, you can use
--option, and the script fetches the file from GitHub
for you. Otherwise, you can make changes to the overlay file, and then use the
--custom_overlay option to pass it to the
Choose a Certificate Authority
Depending on your use case, platform, and control plane type (in-cluster or managed), you can choose one of the following as the certificate authority (CA) for issuing mutual TLS (mTLS) certificates:
This section provides high-level information about each of these CA options and their use cases.
Unless you require a custom CA, we recommend that you use Mesh CA for the following reasons:
- Mesh CA is a highly reliable and scalable service that is optimized for dynamically scaled workloads.
- With Mesh CA, Google manages the security and availability of the CA backend.
- Mesh CA lets you rely on a single root of trust across clusters.
Certificates from Mesh CA include the following data about your application's services:
- The Google Cloud project ID
- The GKE namespace
- The GKE service account name
In addition to Mesh CA, you can configure Anthos Service Mesh to use Certificate Authority Service. This guide provides you an opportunity to integrate with CA Service, which is recommended for the following use cases:
- If you need different certificate authorities to sign workload certificates on different clusters.
- If you want to use
istiodCustom CA plugin certificates.
- If you need to back your signing keys in a managed HSM.
- If you are in a highly regulated industry and are subject to compliance.
- If you want to chain up your Anthos Service Mesh CA to a custom enterprise root certificate to sign workload certificates.
The cost of Mesh CA is included in the Anthos Service Mesh pricing. The CA Service isn't included in the base Anthos Service Mesh price and is charged separately. Additionally, CA Service comes with an explicit SLA, but the Mesh CA does not.
For this integration, all workloads in Anthos Service Mesh are granted IAM roles:
privateca.template(required if using a certificate template)
We recommend that you use Istio CA if you meet the following criteria:
- Your mesh already uses Istio CA and you do not require the benefits enabled by Mesh CA or CA Service.
- You require a custom root CA.
- You have off-Google Cloud workloads where a Google Cloud-managed CA service is not acceptable.
Prepare gateway configuration
Anthos Service Mesh gives you the option to deploy and manage gateways as part of your service mesh. A gateway describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections. Gateways are Envoy proxies that provide you with fine-grained control over traffic entering and leaving the mesh.
asmcli doesn't install the
recommend that you deploy and manage the control plane and gateways separately.
For more information, see
Installing and upgrading gateways. If you need the
istio-ingressgateway installed with the in-cluster control plane,
--option legacy-default-ingressgateway argument.