In this tutorial, you install Anthos Service Mesh 1.10.6-asm.2 using a
Google-provided script, install_asm, on a new Google Kubernetes Engine (GKE)
cluster. This tutorial walks you through:
- configuring your Google Cloud project
- creating a GKE cluster with the minimum number of vCPUs required by Anthos Service Mesh
- installing Anthos Service Mesh with an in-cluster control plane
- deploying a sample application so that you can view telemetry data on the Anthos Service Mesh dashboards in the Google Cloud console.
Costs
In this document, you use the following billable components of Google Cloud:
To generate a cost estimate based on your projected usage,
use the pricing calculator.
When you finish this quickstart, you can avoid continued billing by deleting the cluster. For more information, see Clean up.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Kubernetes Engine API.
- Make a note of your project ID.
Although Anthos Service Mesh requires other APIs, the install_asm script enables
them for you. To keep billing costs down, the install_asm script doesn't
enable the GKE Enterprise API. There are some minor differences in the
Google Cloud console when the GKE Enterprise API is enabled. To learn
more about these differences, see
GKE Enterprise and Anthos Service Mesh UI differences.
Install required tools
You can run the script on Cloud Shell or on your local machine running Linux. Cloud Shell pre-installs all the required tools. Note that macOS isn't supported because it comes with an old version of bash.
Cloud Shell
Cloud Shell provisions a g1-small Compute Engine virtual machine (VM) running a Debian-based Linux operating system. The advantages to using Cloud Shell are:
- Cloud Shell includes gcloud, kubectl, kpt, and the other command-line tools that you need.
- Your Cloud Shell $HOME directory has 5GB persistent storage space.
- You have your choice of text editors:
  - Code editor, which you access by clicking edit at the top of the Cloud Shell window.
  - Emacs, Vim, or Nano, which you access from the command line in Cloud Shell.
To use Cloud Shell:
- Go to the Google Cloud console.
- Select your Google Cloud project.
- Click the Activate Cloud Shell button at the top of the Google Cloud console window.
A Cloud Shell session opens inside a new frame at the bottom of the Google Cloud console and displays a command-line prompt.
Local Linux computer
Make sure you have the following tools installed:
- The Google Cloud CLI
- The standard command-line tools: awk, curl, grep, sed, and tr
- git
- kpt
- kubectl
- jq
Authenticate with the gcloud CLI:
gcloud auth login
Update the components:
gcloud components update
Make sure that git is in your path so that kpt can find it.
Create a GKE cluster
Run the following command to create the cluster with the minimum number of vCPUs required by Anthos Service Mesh. In the command, replace the placeholders with the following information:
- CLUSTER_NAME: the name of your cluster. The name can contain only lowercase alphanumerics and -, must start with a letter and end with an alphanumeric, and must be no longer than 40 characters.
- PROJECT_ID: the project ID that the cluster will be created in.
- CLUSTER_LOCATION: the zone for the cluster, such as us-central1-a.
gcloud container clusters create CLUSTER_NAME \
--project=PROJECT_ID \
--zone=CLUSTER_LOCATION \
--machine-type=e2-standard-4 \
--num-nodes=2 \
--workload-pool=PROJECT_ID.svc.id.goog
Get authentication credentials to interact with the cluster. This command also sets the current context for kubectl to the cluster.
gcloud container clusters get-credentials CLUSTER_NAME \
--project=PROJECT_ID \
--zone=CLUSTER_LOCATION
Download the ASM installation script
Download the version of the script that installs Anthos Service Mesh 1.10.6 to the current working directory:
curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_1.10 > install_asm
Make the script executable:
chmod +x install_asm
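A stricter form of the download step, as an added example that is not part of the original tutorial or Google's script: it rejects HTTP error bodies that plain curl would save to install_asm, and makes the file executable only after its SHA-256 matches a digest you obtained from a source you trust. The function names and the EXPECTED_SHA256 placeholder are assumptions (the page does not give a digest), as is the script starting with a shebang line.

```shell
# Added example, not from the tutorial. Function names are hypothetical.

# Return 0 only if file $1 is non-empty, starts with a shebang (assumed for
# install_asm), and hashes to the expected SHA-256 digest $2.
verify_script() {
  file=$1; expected=$2
  [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
  # Without --fail, curl saves an HTTP error body as if it were the script.
  [ "$(head -c 2 "$file")" = '#!' ] || { echo "not a script: $file" >&2; return 1; }
  actual=$(sha256sum "$file" | awk '{print $1}')
  [ "$actual" = "$expected" ] || { echo "digest mismatch: got $actual" >&2; return 1; }
}

# Download $1 to a temporary file, verify it against digest $2, and only then
# move it into place as an executable ./install_asm.
fetch_install_asm() {
  url=$1; expected=$2
  tmp=$(mktemp ./install_asm.XXXXXX) || return 1
  if curl --fail --silent --show-error --proto '=https' -o "$tmp" "$url" &&
     verify_script "$tmp" "$expected"; then
    chmod 0700 "$tmp" && mv "$tmp" install_asm
  else
    rm -f "$tmp"
    return 1
  fi
}

# Usage (EXPECTED_SHA256 is a placeholder for a digest from a trusted source):
#   fetch_install_asm \
#     https://storage.googleapis.com/csm-artifacts/asm/install_asm_1.10 \
#     "$EXPECTED_SHA256"
```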
Install Anthos Service Mesh
Run the install_asm script with the following options to install Anthos Service Mesh
on the cluster that you created previously. If you haven't closed this page
since you created the cluster, the placeholders have the values that you entered
for the gcloud container clusters create command.
./install_asm \
--project_id PROJECT_ID \
--cluster_name CLUSTER_NAME \
--cluster_location CLUSTER_LOCATION \
--mode install \
--output_dir ./asm-downloads \
--enable_all
It can take several minutes for the install_asm script to finish. The
script outputs informational messages so you can follow its progress.
The command runs install_asm with the following options:
- --mode install: runs the script for a new installation and enables Anthos Service Mesh certificate authority (Mesh CA), which is the default certificate authority (CA) for installs.
- --output_dir ./asm-downloads: the directory where the script downloads the files from the anthos-service-mesh repository, and where it downloads and extracts the Anthos Service Mesh installation file, which contains istioctl, samples, and manifests.
- --enable-registration: allows the script to register the cluster to the project that the cluster is in.
- --enable_all: allows the script to enable the required Google APIs, set Identity and Access Management permissions, and make the required updates to your cluster, which includes enabling GKE Workload Identity.
Deploy the Online Boutique sample
Download the sample using kpt:
kpt pkg get \
https://github.com/GoogleCloudPlatform/microservices-demo.git/release \
online-boutique
Create a namespace for the application:
kubectl create namespace demo
Enable automatic sidecar injection (auto-injection). Use the following command to locate the label on the istiod service, which contains the revision label value to use in later steps.
kubectl -n istio-system get pods -l app=istiod --show-labels
The output looks similar to the following:
NAME                                 READY   STATUS    RESTARTS   AGE   LABELS
istiod-asm-1106-2-5788d57586-bljj4   1/1     Running   0          23h   app=istiod,istio.io/rev=asm-1106-2,istio=istiod,pod-template-hash=5788d57586
istiod-asm-1106-2-5788d57586-vsklm   1/1     Running   1          23h   app=istiod,istio.io/rev=asm-1106-2,istio=istiod,pod-template-hash=5788d57586
In the output, under the LABELS column, note the value of the istiod revision label, which follows the prefix istio.io/rev=. In this example, the value is asm-1106-2.
Apply the revision label to the namespace. In the following command, REVISION is the value of the istiod revision label that you noted in the previous step.
kubectl label namespace demo istio-injection- istio.io/rev=REVISION --overwrite
You can ignore the message "istio-injection not found" in the output. That means that the namespace didn't previously have the istio-injection label, which you should expect in new installations of Anthos Service Mesh or new deployments. Because auto-injection fails if a namespace has both the istio-injection and the revision label, all kubectl label commands in the Anthos Service Mesh documentation include removing the istio-injection label.
Deploy the sample to the cluster:
kubectl apply -n demo -f online-boutique
Get the external IP address of the ingress gateway:
kubectl get service istio-ingressgateway -n istio-system
The output is similar to:
NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                      AGE
istio-ingressgateway   LoadBalancer   10.19.247.233   35.239.7.64   80:31380/TCP,443:31390/TCP,31400:31400/TCP   27m
In this example, the IP address of the ingress gateway is 35.239.7.64.
Visit the application on your browser to confirm installation:
http://EXTERNAL_IP/
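The revision lookup and the label rule from the auto-injection step above, as an added example that is not part of the original tutorial: it pulls the istio.io/rev value out of --show-labels output and classifies a namespace's labels, including the case where both labels are present. The function names are hypothetical, and the embedded sample is the tutorial's own sample output.

```shell
# Added example, not from the tutorial. Function names are hypothetical.
# SAMPLE_PODS is the tutorial's sample output, embedded so this runs offline.
SAMPLE_PODS='NAME                                 READY   STATUS    RESTARTS   AGE   LABELS
istiod-asm-1106-2-5788d57586-bljj4   1/1     Running   0          23h   app=istiod,istio.io/rev=asm-1106-2,istio=istiod,pod-template-hash=5788d57586
istiod-asm-1106-2-5788d57586-vsklm   1/1     Running   1          23h   app=istiod,istio.io/rev=asm-1106-2,istio=istiod,pod-template-hash=5788d57586'

# Print the distinct istio.io/rev values found in `--show-labels` output on stdin.
istiod_revisions() {
  tr ', \t' '\n\n\n' | sed -n 's|^istio\.io/rev=||p' | sort -u
}

# Print the revision only if exactly one is running; otherwise fail, so that a
# script cannot label a namespace with an ambiguous or empty value.
single_revision() {
  revs=$(istiod_revisions)
  count=$(printf '%s\n' "$revs" | grep -c . || true)
  [ "$count" -eq 1 ] || return 1
  printf '%s\n' "$revs"
}

# Classify a namespace's comma-separated labels ($1) against the revision ($2).
# Prints: ok | conflict | wrong-revision | not-labeled
namespace_injection_state() {
  labels=",$1,"
  case "$labels" in
    *,istio-injection=*,istio.io/rev=*|*,istio.io/rev=*,istio-injection=*)
      echo conflict ;;        # both labels present: auto-injection fails
    *",istio.io/rev=$2,"*) echo ok ;;
    *,istio.io/rev=*) echo wrong-revision ;;
    *) echo not-labeled ;;
  esac
}

# Live usage (needs cluster access):
#   REVISION=$(kubectl -n istio-system get pods -l app=istiod --show-labels | single_revision)
#   LABELS=$(kubectl get namespace demo --show-labels --no-headers | awk '{print $NF}')
#   namespace_injection_state "$LABELS" "$REVISION"
```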
View the Service Mesh dashboards
After you have workloads deployed on your cluster with the sidecar proxies injected, you can explore the Anthos Service Mesh pages in the Google Cloud console to see all of the observability features that Anthos Service Mesh offers. Note that it takes about one or two minutes for telemetry data to be displayed in the Google Cloud console after you deploy workloads.
Access to Anthos Service Mesh in the Google Cloud console is controlled by Identity and Access Management (IAM). To access the Anthos Service Mesh pages, a Project Owner must grant users the Project Editor or Viewer role, or the more restrictive roles described in Controlling access to Anthos Service Mesh in the Google Cloud console.
In the Google Cloud console, go to Anthos Service Mesh.
Select the Google Cloud project from the drop-down list on the menu bar.
If you have more than one service mesh, select the mesh from the Service Mesh drop-down list.
To learn more, see Exploring Anthos Service Mesh in the Google Cloud console.
Clean up
Before cleaning up, if you are interested in learning more about mutual TLS, see Anthos Service Mesh by example: mTLS.
If you want to prevent additional charges, delete the cluster:
gcloud container clusters delete CLUSTER_NAME \
--project=PROJECT_ID \
--zone=CLUSTER_LOCATION
If you want to keep your cluster and remove the Online Boutique sample:
kubectl delete namespaces demo
What's next
Learn more about:
- Cluster requirements
- The install_asm script's options and flags
- Deploying Services
- The gcloud commands used in this tutorial