When you install Anthos Service Mesh, you specify a configuration profile. The configuration profiles are YAML files that define and configure the features that are installed with Anthos Service Mesh. The following profiles are provided with Anthos Service Mesh:
asm-gcp
: Use this profile if all of your GKE clusters are in the same project. When you install Anthos Service Mesh with this profile, the following features are enabled:
- Mesh telemetry, which provides data to the Anthos Service Mesh dashboards in the Google Cloud console.
- The other Supported default features listed on the Supported features page for the asm-gcp configuration profile.
asm-gcp-multiproject
: Use this profile if your GKE cluster is in a Shared Virtual Private Cloud, and you want to add clusters from different projects to Anthos Service Mesh. When you install Anthos Service Mesh using the asm-gcp-multiproject profile:
- The Anthos Service Mesh dashboards in the Google Cloud console currently aren't available. However, you can still view logs in Cloud Logging and metrics in Cloud Monitoring for each project.
- The Supported default features listed on the Supported features page for the asm-gcp-multiproject configuration profile are enabled.
asm-multicloud
: Use this profile for clusters on other supported environments: Anthos clusters on VMware, Anthos clusters on AWS, Amazon Elastic Kubernetes Service (Amazon EKS), and Microsoft Azure Kubernetes Service (Microsoft AKS). When you install Anthos Service Mesh using the asm-multicloud.yaml profile, the Supported default features listed on the Supported features page for the asm-multicloud configuration profile are enabled.
The profiles are located in the manifests/profiles subdirectory within the Anthos Service Mesh installation's root directory.
You can override the configuration profile and enable Supported optional features by using the IstioOperator API. You specify the IstioOperator configuration in a YAML file, for example, feature.yaml. (The name of the YAML file doesn't matter.)
Although you can modify the configuration by making changes in the profile or by specifying configuration parameters on the command line by using the --set option, we recommend that you use an IstioOperator configuration YAML file so that you can store the file in your version-control system along with your other resource configuration files. You can specify multiple files on the command line when enabling optional features.
Examples
To enable a feature when you are installing or upgrading Anthos Service Mesh, you must include both the profile and the YAML file for the feature you want to enable. These examples assume that you have completed all the steps in the install or upgrade guide that you are following up to the point where you install Anthos Service Mesh.
Enable an egress gateway
This example shows how to enable an egress gateway on Anthos clusters on VMware.
Copy the following YAML to feature.yaml and save the file:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    egressGateways:
    - name: istio-egressgateway
      enabled: true
To install Anthos Service Mesh on Anthos clusters on VMware, in the following command line, replace REVISION with the exact Anthos Service Mesh version that you are installing, such as asm-1614-2:
istioctl install \
  --set profile=asm-multicloud \
  --set revision=REVISION \
  -f feature.yaml
Enable tracing
This example shows how to enable Cloud Trace on GKE.
For installations and upgrades on GKE, you have to prepare istio-operator.yaml, which contains information about your project and cluster. When you configure istio-operator.yaml, you set the profile that you want to use, either asm-gcp or asm-gcp-multiproject. Because the profile is configured in istio-operator.yaml, you don't need to specify the profile on the command line in this case, although you might want to specify it for clarity.
Copy the following YAML to feature.yaml and save the file:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    enableTracing: true
  values:
    global:
      proxy:
        tracer: stackdriver
To install Anthos Service Mesh on GKE, in the following command line:
- Replace PROFILE with the profile that you are using, either asm-gcp or asm-gcp-multiproject.
- Replace REVISION with the exact Anthos Service Mesh version that you are installing, such as asm-1614-2.
istioctl install \
  -f asm/cluster/istio-operator.yaml \
  --set profile=PROFILE \
  --set revision=REVISION \
  -f feature.yaml
YAML for optional features
The following sections provide the YAML to enable optional and supported features. When enabling an optional feature, you must include both the profile and the YAML file for the feature you want to enable on the command line. For GKE, the profile is configured in istio-operator.yaml.
mTLS STRICT mode
The global.mtls.enabled configuration has been removed to avoid issues with upgrades and to provide a more flexible installation. To enable STRICT mTLS, configure a peer authentication policy instead.
Direct Envoy to stdout
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    accessLogFile: "/dev/stdout"
For more information, see Enable Envoy's access logging.
Cloud Trace
For installations on GKE, you can enable Cloud Trace. For detailed pricing information, refer to the Cloud Trace pricing page.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    enableTracing: true
  values:
    global:
      proxy:
        tracer: stackdriver
The default sampling rate is 1%, but you can override the default by specifying a traceSampling value. The value must be in the range of 0.0 to 100.0 with a precision of 0.01. For example, to trace 5 requests out of every 10,000, use 0.05.
The following example shows a sampling rate of 100% (which you would only do for demo or troubleshooting purposes).
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    enableTracing: true
  values:
    pilot:
      traceSampling: 100
    global:
      proxy:
        tracer: stackdriver
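The two constraints stated above are easy to get wrong in an overlay file that is only read by istioctl at install time: the traceSampling range and 0.01 precision (Cloud Trace section), and the removed global.mtls.enabled setting that must be replaced by a peer authentication policy (mTLS STRICT mode section). The following pre-apply check is an added example written for this page; it is not part of the Anthos Service Mesh documentation or of istioctl. It takes overlays as already parsed dicts (in a pipeline you would load each -f file with yaml.safe_load first), and the rule that a tracer set without meshConfig.enableTracing is suspicious is this example's own, based on the page's examples always setting both together.

```python
"""Pre-apply checks for IstioOperator overlay files (added example, not istioctl).

Encodes rules stated on this page: values.pilot.traceSampling must lie in
0.0..100.0 with a precision of 0.01, and the removed global.mtls.enabled
setting must not appear (use a PeerAuthentication policy for STRICT mTLS).
Overlays are passed as already parsed dicts.
"""
from typing import Any, Dict, List, Optional

# Path of the setting the page says was removed; presence is a finding.
REMOVED_SETTING = ("values", "global", "mtls", "enabled")


def get_path(doc: Dict[str, Any], *path: str) -> Optional[Any]:
    """Walk a nested dict; return None if any key along the path is absent."""
    node: Any = doc
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def valid_trace_sampling(value: Any) -> bool:
    """True if value is a number in [0.0, 100.0] with at most 0.01 precision."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    if not 0.0 <= value <= 100.0:
        return False
    # 0.01 precision: value * 100 must be (within float noise) an integer.
    return abs(value * 100 - round(value * 100)) < 1e-9


def lint_overlay(overlay: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the overlay passed."""
    findings: List[str] = []
    if overlay.get("kind") != "IstioOperator":
        findings.append("kind must be IstioOperator")
    spec = overlay.get("spec", {})

    sampling = get_path(spec, "values", "pilot", "traceSampling")
    if sampling is not None and not valid_trace_sampling(sampling):
        findings.append(
            f"values.pilot.traceSampling={sampling!r} must be 0.0-100.0 with 0.01 precision"
        )

    # Example's own rule: a tracer without enableTracing produces no spans.
    tracer = get_path(spec, "values", "global", "proxy", "tracer")
    if tracer is not None and get_path(spec, "meshConfig", "enableTracing") is not True:
        findings.append("values.global.proxy.tracer is set but meshConfig.enableTracing is not true")

    if get_path(spec, *REMOVED_SETTING) is not None:
        findings.append(
            "global.mtls.enabled was removed; use a PeerAuthentication policy for STRICT mTLS"
        )
    return findings


# Constructed inputs: the page's Cloud Trace overlay with a 0.05 sampling rate,
# and a deliberately bad overlay (out-of-range sampling, no enableTracing,
# removed mTLS setting) for the checks to catch.
GOOD_OVERLAY = {
    "apiVersion": "install.istio.io/v1alpha1",
    "kind": "IstioOperator",
    "spec": {
        "meshConfig": {"enableTracing": True},
        "values": {
            "pilot": {"traceSampling": 0.05},
            "global": {"proxy": {"tracer": "stackdriver"}},
        },
    },
}
BAD_OVERLAY = {
    "apiVersion": "install.istio.io/v1alpha1",
    "kind": "IstioOperator",
    "spec": {
        "values": {
            "pilot": {"traceSampling": 100.005},
            "global": {"mtls": {"enabled": True}, "proxy": {"tracer": "stackdriver"}},
        },
    },
}

if __name__ == "__main__":
    for label, overlay in (("good", GOOD_OVERLAY), ("bad", BAD_OVERLAY)):
        print(label, lint_overlay(overlay) or ["ok"])
```

Running the block prints no findings for the first overlay and three for the second. Wiring lint_overlay into the same version-control pipeline that stores the IstioOperator files (as the page recommends) catches these mistakes before istioctl install runs.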
Trace context propagation
Although the sidecar proxies can automatically send trace spans, they need some hints to tie together the entire trace. Applications need to propagate the appropriate HTTP headers so that when the proxies send span information, the spans can be correlated correctly into a single trace.
To do this, an application needs to collect and propagate the following headers from the incoming request to any outgoing requests:
- x-request-id
- x-b3-traceid
- x-b3-spanid
- x-b3-parentspanid
- x-b3-sampled
- x-b3-flags
- x-ot-span-context
- x-cloud-trace-context
- traceparent
- grpc-trace-bin
For examples propagating the headers, see Trace context propagation.
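The header list above is the whole contract between the application and the sidecar: the proxy emits spans, but only the application can carry the inbound context to its outbound calls. The following is an added example, not code from the Anthos Service Mesh documentation: it copies exactly the headers listed above from an inbound request to an outbound one, matches names case-insensitively, and forwards nothing else (in particular not credentials). The request is a plain dict with constructed sample values.

```python
"""Propagate distributed-tracing headers from an inbound request to outbound calls.

Added example, not part of the Anthos Service Mesh documentation. The header
list is the one the documentation gives; the request objects are plain dicts
with constructed values.
"""
from typing import Dict, Optional

# Headers the sidecar proxies rely on to stitch spans into a single trace.
TRACE_HEADERS = (
    "x-request-id",
    "x-b3-traceid",
    "x-b3-spanid",
    "x-b3-parentspanid",
    "x-b3-sampled",
    "x-b3-flags",
    "x-ot-span-context",
    "x-cloud-trace-context",
    "traceparent",
    "grpc-trace-bin",
)


def propagate_trace_headers(incoming: Dict[str, str]) -> Dict[str, str]:
    """Return only the tracing headers from ``incoming``, keyed in lowercase.

    Names are matched case-insensitively because HTTP header names are
    case-insensitive and frameworks differ in how they present them. Values
    are copied unchanged: rewriting them (for example generating a fresh
    traceparent) would start a new trace instead of continuing the caller's.
    """
    lowered = {name.lower(): value for name, value in incoming.items()}
    return {name: lowered[name] for name in TRACE_HEADERS if name in lowered}


def build_outbound_headers(
    incoming: Dict[str, str], extra: Optional[Dict[str, str]] = None
) -> Dict[str, str]:
    """Headers for a downstream call: app-specific headers plus the trace context.

    Trace headers are applied last so application code cannot accidentally
    overwrite the inbound context with its own values.
    """
    headers = dict(extra or {})
    headers.update(propagate_trace_headers(incoming))
    return headers


# Constructed sample inbound request: mixed-case header names, and two
# non-trace headers (Host, Authorization) that must not be forwarded.
SAMPLE_INBOUND = {
    "Host": "frontend.default.svc.cluster.local",
    "X-Request-Id": "d1c3a8a0-0000-4000-8000-000000000001",  # constructed
    "x-b3-traceid": "463ac35c9f6413ad48485a3953bb6124",  # constructed
    "x-b3-spanid": "a2fb4a1d1a96d312",  # constructed
    "x-b3-sampled": "1",
    "traceparent": "00-463ac35c9f6413ad48485a3953bb6124-a2fb4a1d1a96d312-01",
    "Authorization": "Bearer <redacted>",
}

if __name__ == "__main__":
    outbound = build_outbound_headers(SAMPLE_INBOUND, {"content-type": "application/json"})
    for name, value in sorted(outbound.items()):
        print(f"{name}: {value}")
```

Call build_outbound_headers with the inbound request's headers wherever the service makes an HTTP call; the same allow-list approach works for gRPC metadata, where grpc-trace-bin is the relevant key.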
Egress via egress gateways
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    egressGateways:
    - name: istio-egressgateway
      enabled: true
For more information, see Egress Gateways.
Istio Container Network Interface
How you enable the Istio Container Network Interface (CNI) depends on the environment that Anthos Service Mesh is installed on. You also need to enable a network policy.
Enable CNI on GKE
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    cni:
      enabled: true
      namespace: kube-system
  values:
    cni:
      cniBinDir: /home/kubernetes/bin
      excludeNamespaces:
      - istio-system
      - kube-system
Enable CNI on Anthos clusters on VMware
For Anthos clusters on VMware, add gke-system to excludeNamespaces and set values.cni.cniBinDir to /opt/cni/bin:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    cni:
      enabled: true
      namespace: kube-system
  values:
    cni:
      cniBinDir: /opt/cni/bin
      excludeNamespaces:
      - istio-system
      - kube-system
      - gke-system
Enable an internal load balancer
For installations on GKE, you can enable an internal load balancer for the Istio ingress gateway. In the following YAML, replace PROFILE with the profile that you're using, either asm-gcp or asm-gcp-multiproject.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: PROFILE
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        serviceAnnotations:
          cloud.google.com/load-balancer-type: "internal"
        service:
          ports:
          - name: status-port
            port: 15020
          - name: http2
            port: 80
          - name: https
            port: 443
External certificate management on the ingress gateway
For information on enabling external certificate management on the ingress gateway using Envoy SDS, see Secure Gateways.