Version 1.11

Anthos Service Mesh quickstart for GKE

In this tutorial, you install Anthos Service Mesh 1.11.2-asm.17 using a Google-provided tool, asmcli, on a new Google Kubernetes Engine (GKE) cluster. This tutorial walks you through:

  1. Configuring your Google Cloud project.
  2. Creating a GKE cluster with the minimum number of vCPUs required by Anthos Service Mesh.
  3. Installing Anthos Service Mesh with an in-cluster control plane.
  4. Deploying a sample application so that you can view telemetry data on the Anthos Service Mesh dashboards in the Google Cloud Console.

Costs

This tutorial uses the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial.

When you finish this quickstart, you can avoid continued billing by deleting the cluster. For more information, see Clean up.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Enable the Kubernetes Engine API.

    Enable the API

  5. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  6. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  7. Enable the Kubernetes Engine API.

    Enable the API

  8. Make a note of your project ID.

Although Anthos Service Mesh requires other APIs, asmcli enables them for you. To keep billing costs down, the asmcli script doesn't enable the Anthos API. There are some minor differences in the Cloud Console when the Anthos API is enabled. To learn more about these differences, see Anthos and Anthos Service Mesh UI differences.

Install required tools

You can run the tool on Cloud Shell or on your local machine running Linux. Cloud Shell pre-installs all the required tools. Note that macOS isn't supported because it comes with an old version of bash.

Cloud Shell

Cloud Shell provisions a g1-small Compute Engine virtual machine (VM) running a Debian-based Linux operating system. The advantages to using Cloud Shell are:

  • Cloud Shell includes gcloud, kubectl, kpt, and the other command-line tools that you need.

  • Your Cloud Shell $HOME directory has 5GB persistent storage space.

  • You have your choice of text editors:

    • Code editor, which you access by clicking at the top of the Cloud Shell window.

    • Emacs, Vim, or Nano, which you access from the command line in Cloud Shell.

To use Cloud Shell:

  1. Go to the Cloud Console.
  2. Select your Cloud project.
  3. Click the Activate Cloud Shell button at the top of the Cloud Console window.

    Google Cloud Platform console

    A Cloud Shell session opens inside a new frame at the bottom of the Cloud Console and displays a command-line prompt.

    Cloud Shell session

Local Linux computer

  1. Make sure you have the following tools installed:

    • The Cloud SDK (the gcloud command-line tool)
    • The standard command-line tools: awk, curl, grep, sed, and tr
    • git
    • kpt
    • kubectl
    • jq
  2. Authenticate with the Cloud SDK:

    gcloud auth login
    
  3. Update the components:

    gcloud components update
    
  4. Make sure that git is in your path so that kpt can find it.

Create a GKE cluster

  1. Run the following command to create the cluster with the minimum number of vCPUs required by Anthos Service Mesh. In the command, replace the placeholders with the following information:

    • CLUSTER_NAME : the name of your cluster. The name can contain only lowercase alphanumerics and -, must start with a letter and end with an alphanumeric, and must be no longer than 40 characters.
    • PROJECT_ID: the project ID that the cluster will be created in.
    • CLUSTER_LOCATION the zone for the cluster, such as us-central1-a.
    gcloud container clusters create CLUSTER_NAME  \
        --project=PROJECT_ID \
        --zone=CLUSTER_LOCATION  \
        --machine-type=e2-standard-4 \
        --num-nodes=2 \
        --workload-pool=PROJECT_ID.svc.id.goog
    
  2. Get authentication credentials to interact with the cluster.

    gcloud container clusters get-credentials CLUSTER_NAME  \
        --project=PROJECT_ID \
        --zone=CLUSTER_LOCATION 
    
  3. Set the current context for kubectl to the cluster.

    kubectl config set-context CLUSTER_NAME 
    

Download asmcli

This section describes how to download the asmcli.

  1. Download the version that installs Anthos Service Mesh 1.11.2 to the current working directory:

    curl https://storage.googleapis.com/csm-artifacts/asm/asmcli_1.11 > asmcli
    
  2. Make the script executable:

    chmod +x asmcli
    

Install Anthos Service Mesh

Run the asmcli tool with the following options to install Anthos Service Mesh on the cluster that you created previously. If you haven't closed this page since you created the cluster, the placeholders have the values that you entered for the gcloud container clusters create command.

./asmcli install \
  --project_id PROJECT_ID \
  --cluster_name CLUSTER_NAME \
  --cluster_location CLUSTER_LOCATION \
  --fleet_id FLEET_PROJECT_ID \
  --output_dir DIR_PATH \
  --option legacy-default-ingressgateway \
  --enable_all
  • --project_id, --cluster_name, and --cluster_location Specify the project ID that the cluster is in, the cluster name, and either the cluster zone or region.
  • --fleet_id The project ID of the fleet host project. If you don't include this option, asmcli uses the project that the cluster was created in when registering the cluster.
  • --output_dir Include this option to specify a directory where asmcli downloads the anthos-service-mesh package and extracts the installation file, which contains istioctl, samples, and manifests. Otherwise asmcli downloads the files to a tmp directory. You can specify either a relative path or a full path. The environment variable $PWD doesn't work here.
  • --option legacy-default-ingressgateway Installs an ingress gateway used to manage inbound traffic to applications running on your service mesh. asmcli does not install an ingress gateway by default, therefore, we must include this flag for the purposes of this quickstart guide. For more information, see Install gateways.
  • --enable_all Allows the script to:
    • Grant required IAM permissions.
    • Enable the required Google APIs.
    • Set a label on the cluster that identifies the mesh.
    • Register the cluster to the fleet if it isn't already registered.

    It can take several minutes for the asmcli tool to finish. The tool outputs informational messages so you can follow its progress.

    Deploy the Online Boutique sample

    1. Download the sample using kpt:

      kpt pkg get \
      https://github.com/GoogleCloudPlatform/microservices-demo.git/release \
      online-boutique
      
    2. Create a namespace for the application:

      kubectl create namespace demo
      
    3. Enable automatic sidecar injection (auto-injection). Use the following command to locate the label on the istiod service, which contains the revision label value to use in later steps.

      kubectl -n istio-system get pods -l app=istiod --show-labels
      

      The output looks similar to the following:

      NAME                                READY   STATUS    RESTARTS   AGE   LABELS
      istiod-asm-1112-17-5788d57586-bljj4   1/1     Running   0          23h   app=istiod,istio.io/rev=asm-1112-17,istio=istiod,pod-template-hash=5788d57586
      istiod-asm-1112-17-5788d57586-vsklm   1/1     Running   1          23h   app=istiod,istio.io/rev=asm-1112-17,istio=istiod,pod-template-hash=5788d57586
      

      In the output, under the LABELS column, note the value of the istiod revision label, which follows the prefix istio.io/rev=. In this example, the value is asm-1112-17.

    4. Apply the revision label to the namespace. In the following command, REVISION is the value of the istiod revision label that you noted in the previous step.

      kubectl label namespace demo istio-injection- istio.io/rev=REVISION --overwrite
      

      You can ignore the message "istio-injection not found" in the output. That means that the namespace didn't previously have the istio-injection label, which you should expect in new installations of Anthos Service Mesh or new deployments. Because auto-injection fails if a namespace has both the istio-injection and the revision label, all kubectl label commands in the Anthos Service Mesh documentation include removing the istio-injection label.

    5. Deploy the sample to the cluster:

      kubectl apply -n demo -f online-boutique
      
    6. Get the external IP address of the ingress gateway:

      kubectl get service istio-ingressgateway -n istio-system
      

      The output is similar to:

      NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                      AGE
      istio-ingressgateway   LoadBalancer   10.19.247.233   35.239.7.64   80:31380/TCP,443:31390/TCP,31400:31400/TCP   27m

      In this example, the IP address of the ingress gateway is 35.239.7.64.

    7. Visit the application on your browser to confirm installation:

      http://EXTERNAL_IP/
      

    View the Service Mesh dashboards

    After you have workloads deployed on your cluster with the sidecar proxies injected, you can explore the Anthos Service Mesh pages in the Cloud Console to see all of the observability features that Anthos Service Mesh offers. Note that it takes about one or two minutes for telemetry data to be displayed in the Cloud Console after you deploy workloads.

    Access to Anthos Service Mesh in the Cloud Console is controlled by Identity and Access Management (IAM). To access the Anthos Service Mesh pages, a Project Owner must grant users the Project Editor or Viewer role, or the more restrictive roles described in Controlling access to Anthos Service Mesh in the Cloud Console.

    1. In the Google Cloud Console, go to Anthos Service Mesh.

      Go to Anthos Service Mesh

    2. Select the Cloud project from the drop-down list on the menu bar.

    3. If you have more than one service mesh, select the mesh from the Service Mesh drop-down list.

    To learn more, see Exploring Anthos Service Mesh in the Cloud Console.

    Clean up

    Before cleaning up, if you are interested in learning more about mutual TLS, see Anthos Service Mesh by example: mTLS.

    • If you want to prevent additional charges, delete the cluster:

      gcloud container clusters delete  CLUSTER_NAME  \
          --project=PROJECT_ID \
          --zone=CLUSTER_LOCATION 
      
    • If you want to keep your cluster and remove the Online Boutique sample:

      kubectl delete namespaces demo
      

    What's next

    Learn more about: