When you install Anthos Service Mesh, you specify the Anthos Service Mesh configuration profile, which enables the Supported default features listed on the Supported features page. The Anthos Service Mesh configuration profiles, asm.yaml and asm-onprem.yaml, are located in the install/kubernetes/operator/profiles subdirectory within the Anthos Service Mesh installation's root directory. The configuration profiles define and configure the features that are installed with Anthos Service Mesh.

You can override the Anthos Service Mesh configuration profile and enable Supported optional features individually on the command line by using --set values. Alternatively, if you have many features to enable or the feature has numerous settings, you can create an IstioControlPlane custom resource definition file. You pass the file to istioctl using the -f option. For more information, see Customizing the configuration.
When you enable optional features:

- Make sure the feature that you enable is supported.
- Specify the applicable configuration profile for your platform:
  - For Google Kubernetes Engine, use --set profile=asm
  - For Anthos clusters on VMware, use --set profile=asm-onprem
Command-line options to enable optional features

The following table provides the command-line options to enable optional and supported features.

Feature | Command line options |
---|---|
mTLS STRICT mode | --set values.global.mtls.enabled=true |
Prometheus | --set values.prometheus.enabled=true |
Grafana (which requires Prometheus) | --set values.prometheus.enabled=true \ |
Direct Envoy access logs to stdout | --set values.global.proxy.accessLogFile="/dev/stdout" For more information, see Enable Envoy's access logging. |
Stackdriver tracing | --set values.tracing.enabled=true \ --set values.global.proxy.tracer="stackdriver" |
Egress via egress gateways | --set values.gateways.istio-egressgateway.enabled=true For more information, see Gateway. |
Examples

The commands to install Anthos Service Mesh on GKE use the following environment variables:

- Set your Google Cloud project ID:
  export PROJECT_ID=YOUR_PROJECT_ID
- Set the project number:
  export PROJECT_NUMBER=$(gcloud projects describe ${PROJECT_ID} --format="value(projectNumber)")
- Set the cluster name:
  export CLUSTER_NAME=YOUR_CLUSTER_NAME
- Set the CLUSTER_LOCATION to either your cluster zone or cluster region:
  export CLUSTER_LOCATION=YOUR_ZONE_OR_REGION
- Set the workload pool:
  export WORKLOAD_POOL=${PROJECT_ID}.svc.id.goog
- Set the mesh ID, which is required for metrics to be displayed on the Anthos Service Mesh pages in the Google Cloud console:
  export MESH_ID="proj-${PROJECT_NUMBER}"
Enable the egress gateway

To install Anthos Service Mesh in PERMISSIVE mutual TLS (mTLS) authentication mode and enable the egress gateway:

GKE

istioctl manifest apply --set profile=asm \
  --set values.global.trustDomain=${WORKLOAD_POOL} \
  --set values.global.sds.token.aud=${WORKLOAD_POOL} \
  --set values.nodeagent.env.GKE_CLUSTER_URL=https://container.googleapis.com/v1/projects/${PROJECT_ID}/locations/${CLUSTER_LOCATION}/clusters/${CLUSTER_NAME} \
  --set values.global.meshID=${MESH_ID} \
  --set values.global.proxy.env.GCP_METADATA="${PROJECT_ID}|${PROJECT_NUMBER}|${CLUSTER_NAME}|${CLUSTER_LOCATION}" \
  --set values.gateways.istio-egressgateway.enabled=true

GKE on-prem

istioctl manifest apply --set profile=asm-onprem \
  --set values.gateways.istio-egressgateway.enabled=true
Enable STRICT mTLS mode

To install Anthos Service Mesh in STRICT mTLS mode:

GKE

istioctl manifest apply --set profile=asm \
  --set values.global.trustDomain=${WORKLOAD_POOL} \
  --set values.global.sds.token.aud=${WORKLOAD_POOL} \
  --set values.nodeagent.env.GKE_CLUSTER_URL=https://container.googleapis.com/v1/projects/${PROJECT_ID}/locations/${CLUSTER_LOCATION}/clusters/${CLUSTER_NAME} \
  --set values.global.meshID=${MESH_ID} \
  --set values.global.proxy.env.GCP_METADATA="${PROJECT_ID}|${PROJECT_NUMBER}|${CLUSTER_NAME}|${CLUSTER_LOCATION}" \
  --set values.global.mtls.enabled=true

GKE on-prem

istioctl manifest apply --set profile=asm-onprem \
  --set values.global.mtls.enabled=true
Enable an internal load balancer
For installations on GKE, you can enable an internal load balancer for the Istio ingress gateway. Internal load balancers aren't supported for Anthos clusters on VMware. For information on configuring Anthos clusters on VMware, see Setting up your load balancer for Anthos clusters on VMware.
Copy the following text to a file and save it as ilb.yaml:

apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  values:
    gateways:
      istio-ingressgateway:
        serviceAnnotations:
          cloud.google.com/load-balancer-type: internal
        ports:
        - name: status-port
          port: 15020
        - name: http2
          port: 80
        - name: https
          port: 443

Specify the file on the command line:

istioctl manifest apply --set profile=asm \
  --set values.global.trustDomain=${WORKLOAD_POOL} \
  --set values.global.sds.token.aud=${WORKLOAD_POOL} \
  --set values.nodeagent.env.GKE_CLUSTER_URL=https://container.googleapis.com/v1/projects/${PROJECT_ID}/locations/${CLUSTER_LOCATION}/clusters/${CLUSTER_NAME} \
  --set values.global.meshID=${MESH_ID} \
  --set values.global.proxy.env.GCP_METADATA="${PROJECT_ID}|${PROJECT_NUMBER}|${CLUSTER_NAME}|${CLUSTER_LOCATION}" \
  -f ilb.yaml
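The GKE commands in the egress-gateway, STRICT-mTLS and internal-load-balancer sections above repeat the same six --set flags built from the environment variables listed under Examples. The following POSIX sh script is an added example and is not part of the Anthos Service Mesh documentation or of istioctl: it composes that command once, selects the mTLS mode, appends optional arguments, and refuses to produce a command when any required variable is empty. The variable names and flags are the ones on this page; the empty-value check, the strict/permissive mode names and the print-instead-of-execute behaviour are this example's own assumptions. The point for an operator is that an unset ${WORKLOAD_POOL} would otherwise be passed silently as trustDomain= and as an empty SDS token audience, so the wrapper fails closed before anything reaches the cluster.

```shell
#!/bin/sh
# Added example, not code from the Anthos Service Mesh docs or istioctl.
# Builds the GKE "istioctl manifest apply" command from the page's variables
# and prints it for review instead of running it.
set -eu

# Variable names are the ones the page defines; requiring them to be
# non-empty is this example's assumption, not an istioctl check.
REQUIRED_VARS="PROJECT_ID PROJECT_NUMBER CLUSTER_NAME CLUSTER_LOCATION WORKLOAD_POOL MESH_ID"

# Return 0 when every required variable is set and non-empty, 1 otherwise.
check_asm_env() {
  missing=0
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"          # indirect lookup that works in POSIX sh
    if [ -z "$val" ]; then
      echo "missing or empty: $v" >&2
      missing=1
    fi
  done
  return $missing
}

# Print the --set flags shared by every GKE install command on this page.
# GCP_METADATA contains "|" so it is emitted double-quoted, as on the page;
# otherwise a shell re-running the printed command would read it as a pipe.
gke_common_flags() {
  printf '%s ' "--set profile=asm"
  printf '%s ' "--set values.global.trustDomain=$WORKLOAD_POOL"
  printf '%s ' "--set values.global.sds.token.aud=$WORKLOAD_POOL"
  printf '%s ' "--set values.nodeagent.env.GKE_CLUSTER_URL=https://container.googleapis.com/v1/projects/$PROJECT_ID/locations/$CLUSTER_LOCATION/clusters/$CLUSTER_NAME"
  printf '%s ' "--set values.global.meshID=$MESH_ID"
  printf '%s' "--set values.global.proxy.env.GCP_METADATA=\"$PROJECT_ID|$PROJECT_NUMBER|$CLUSTER_NAME|$CLUSTER_LOCATION\""
}

# Map an mTLS mode name to the flag the page documents. PERMISSIVE is the
# profile default and needs no flag; anything else is rejected.
mtls_flag() {
  case "$1" in
    strict)     printf '%s' "--set values.global.mtls.enabled=true" ;;
    permissive) ;;
    *) echo "unknown mTLS mode: $1 (use strict or permissive)" >&2; return 1 ;;
  esac
}

# Print the complete command. $1 is strict|permissive; $2 is optional extra
# arguments, for example the egress-gateway flag or "-f ilb.yaml".
asm_install_command() {
  mode="$1"; extra="${2:-}"
  check_asm_env                      # exits under set -e if anything is empty
  flag="$(mtls_flag "$mode")"
  printf 'istioctl manifest apply %s' "$(gke_common_flags)"
  [ -n "$flag" ]  && printf ' %s' "$flag"
  [ -n "$extra" ] && printf ' %s' "$extra"
  printf '\n'
}

# Usage, after exporting the variables from the Examples section:
#   cmd="$(asm_install_command strict '--set values.gateways.istio-egressgateway.enabled=true')"
#   echo "$cmd"        # review the flags, then: eval "$cmd"
```

Because the printed command quotes the GCP_METADATA value, running it later with eval "$cmd" reproduces exactly the command shown on this page; the on-prem profile is not covered, since its commands take no GKE-specific flags.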