Istio is an open source service mesh framework that provides traffic management, security, resiliency and observability for service-to-service communication. The framework itself is platform agnostic, which means you can also use it with non-Kubernetes services or, for that matter, even with monolithic applications. Some of the core features offered by Istio are service discovery, routing, load balancing, health checks, authentication, authorisation and observability. These features are applied transparently to service-to-service invocations.
The features mentioned above can also be obtained from client libraries written in popular programming languages. So why do we need a service mesh framework? For one, client libraries tightly couple your service code to the service infrastructure, and some libraries bundle specific features while others do not, so there is no single uniform solution that handles every aspect of service-to-service communication. Also, if you use more than one library, handling their upgrades can be a big task. Istio, on the other hand, delivers all of the enterprise-grade network and security features to your applications or services through its proxy sidecar pattern, as one holistic solution.
Anthos Service Mesh (ASM) is built on Istio and offers a fully tested and supported Istio runtime. It adds tools and best practices for your service infrastructure, and you can deploy it on Anthos GKE in Google Cloud or on-prem.
Some of the features offered by Anthos Service Mesh:
- Provides layer 7 traffic control and management
- Provides canary and blue-green style of deployments
- Provides load balancing and resiliency features like circuit breaker
- Maintains service registry to ease service lookup via proxy sidecar
- Allows you to view mesh traffic insights in the form of logging and monitoring via Google Cloud
- Allows you to trace your service in the mesh (helps in debugging)
- Allows you to define a health-check benchmark for your service in the form of an SLO
- Allows client authentication and in-transit data encryption in the form of mutual TLS
- Allows client authorisation in the form of access control
The article assumes you have basic knowledge of configuring a Google Cloud project, with enough privileges to set up resources, and a fair understanding of the Google Kubernetes Engine (GKE) service.
Set up a GKE cluster
Create a GKE cluster
You will create a 3-node cluster on the default network.
gcloud config set compute/zone ${CLUSTER_ZONE}
gcloud beta container clusters create ${CLUSTER_NAME} \
  --machine-type=n1-standard-4 \
  --num-nodes=3 \
  --workload-pool=${WORKLOAD_POOL} \
  --subnetwork=default \
  --release-channel=regular
The commands in this article reference environment variables such as ${PROJECT_ID}, ${CLUSTER_NAME} and ${CLUSTER_ZONE}. Replace them with the values appropriate to your project.
Register the cluster
Once the cluster is created, you will have to register it with Google Cloud using Connect for Anthos. This makes your cluster part of the Anthos ecosystem so that it can be centrally managed through a unified interface. With Connect for Anthos, you can even register an on-prem cluster or one running at another cloud provider.
You will need to create a service account with the roles/gkehub.connect role.
gcloud iam service-accounts create connect-sa
gcloud projects add-iam-policy-binding ${PROJECT_ID} --member="serviceAccount:connect-sa@${PROJECT_ID}.iam.gserviceaccount.com" --role="roles/gkehub.connect"
Download the service account JSON key file that will be used to register the cluster.
gcloud iam service-accounts keys create connect-sa-key.json --iam-account=connect-sa@${PROJECT_ID}.iam.gserviceaccount.com
You will use the above created JSON key to register the cluster.
gcloud container hub memberships register ${CLUSTER_NAME}-connect \
  --gke-cluster=${CLUSTER_ZONE}/${CLUSTER_NAME} \
  --service-account-key-file=./connect-sa-key.json
Upon cluster registration, you will see a gke-connect-agent deployment in the gke-connect namespace. This agent connects your cluster to Google Cloud.
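The JSON key created above is a long-lived credential for the connect-sa service account, so it is worth checking what you are about to hand to the register command: that the file is readable only by you and that it really belongs to the expected account. The script below is an added example, not part of the article or of the Connect for Anthos tooling. It writes a constructed stand-in key file with placeholder key material (the real file comes from the gcloud keys create command above), then runs the checks; PROJECT_ID is assumed to be the same variable the article uses.

```shell
#!/bin/sh
# Added example (not from the article): sanity checks on connect-sa-key.json
# before it is passed to "gcloud container hub memberships register".
# A service-account JSON key is a long-lived credential: keep it mode 600 and
# delete it once the membership is registered.
PROJECT_ID="${PROJECT_ID:-example-project}"   # assumption: same variable as the article

# check_key_file FILE EXPECTED_EMAIL -> 0 if FILE is a service-account key for
# EXPECTED_EMAIL and is readable only by its owner; prints the failing check otherwise.
check_key_file() {
    f=$1; want=$2
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # First 10 characters of ls -l are the type/permission bits (ACL suffixes are cut off).
    mode=$(ls -l "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "permissions too open ($mode), run: chmod 600 $f"; return 1; }
    type=$(sed -n 's/.*"type": *"\([^"]*\)".*/\1/p' "$f")
    [ "$type" = "service_account" ] || { echo "not a service account key (type=$type)"; return 1; }
    email=$(sed -n 's/.*"client_email": *"\([^"]*\)".*/\1/p' "$f")
    [ "$email" = "$want" ] || { echo "key belongs to $email, expected $want"; return 1; }
    echo "ok: $f is a key for $email"
}

# write_sample_key FILE: constructed key file for the demonstration only.
# The field names match a real GCP service-account key; the values are placeholders.
write_sample_key() {
    cat > "$1" <<EOF
{
  "type": "service_account",
  "project_id": "$PROJECT_ID",
  "private_key_id": "PLACEHOLDER_KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "connect-sa@$PROJECT_ID.iam.gserviceaccount.com",
  "client_id": "000000000000000000000"
}
EOF
}

# demo_key_check: write the sample key with safe permissions and validate it.
demo_key_check() {
    d=$(mktemp -d)
    write_sample_key "$d/connect-sa-key.json"
    chmod 600 "$d/connect-sa-key.json"
    check_key_file "$d/connect-sa-key.json" "connect-sa@$PROJECT_ID.iam.gserviceaccount.com"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo_key_check
```

Against a real download, call check_key_file ./connect-sa-key.json connect-sa@${PROJECT_ID}.iam.gserviceaccount.com right before the register command; a mismatch in client_email usually means a key for the wrong account or project was downloaded.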
Prepare to install ASM
As a first step, initialize your project with the meshconfig API. This creates the service account that allows the Istio components to securely access your project's data and resources.
curl --request POST \
  --header "Authorization: Bearer $(gcloud auth print-access-token)" \
  --data '' \
  https://meshconfig.googleapis.com/v1alpha1/projects/${PROJECT_ID}:initialize
Download the installation and signature files and verify the signature.
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.6.11-asm.1-linux-amd64.tar.gz
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.6.11-asm.1-linux-amd64.tar.gz.1.sig
openssl dgst -verify /dev/stdin -signature istio-1.6.11-asm.1-linux-amd64.tar.gz.1.sig istio-1.6.11-asm.1-linux-amd64.tar.gz <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
-----END PUBLIC KEY-----
EOF
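The verification step above is easy to rehearse offline, which is useful for understanding what a failure looks like before you depend on it. The script below is an added example, not code from the article or the ASM project: it generates a throwaway ECDSA P-256 key pair (the same curve as the published key), signs a constructed stand-in archive, verifies it with openssl dgst -verify the way the article does (reading the key from a file instead of /dev/stdin, and passing -sha256 explicitly rather than relying on the default digest), then appends a single byte and shows that verification is rejected. The file names istio.tar.gz and istio.tar.gz.sig are assumptions for the demonstration; the real download is the 1.6.11-asm.1 archive and its .sig file.

```shell
#!/bin/sh
# Added example (not from the article): rehearse the openssl signature check
# on a locally generated key pair and a constructed archive.

# verify_archive PUBKEY_FILE SIG_FILE ARCHIVE -> 0 if the signature is valid, 1 otherwise.
verify_archive() {
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# make_fixture: throwaway P-256 key pair, a constructed archive and its signature
# in a temporary directory. Prints the directory; the caller removes it.
make_fixture() {
    d=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/priv.pem" 2>/dev/null
    openssl ec -in "$d/priv.pem" -pubout -out "$d/pub.pem" 2>/dev/null
    printf 'constructed archive bytes, not a real tarball\n' > "$d/istio.tar.gz"
    openssl dgst -sha256 -sign "$d/priv.pem" -out "$d/istio.tar.gz.sig" "$d/istio.tar.gz"
    printf '%s\n' "$d"
}

# demo: verify the intact archive, tamper with it, verify again.
# Returns 0 only when the intact copy passes and the tampered copy is rejected.
demo() {
    rc=1
    d=$(make_fixture)
    if verify_archive "$d/pub.pem" "$d/istio.tar.gz.sig" "$d/istio.tar.gz"; then
        echo "intact archive: signature OK, safe to extract"
        printf 'x' >> "$d/istio.tar.gz"   # simulate a corrupted or altered download
        if verify_archive "$d/pub.pem" "$d/istio.tar.gz.sig" "$d/istio.tar.gz"; then
            echo "tampered archive: signature unexpectedly OK"
        else
            echo "tampered archive: signature rejected, do not extract"
            rc=0
        fi
    else
        echo "intact archive: verification failed"
    fi
    rm -rf "$d"
    return $rc
}

demo
```

The practical point is the exit status: openssl dgst -verify returns non-zero on a bad signature, so in a provisioning script the article's command should be followed by a check (for example, || exit 1) so that tar xzf never runs on an archive that did not verify.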
Extract the tar file and change to the installation directory.
tar xzf istio-1.6.11-asm.1-linux-amd64.tar.gz
cd istio-1.6.11-asm.1
You can now use the istioctl and asmctl tools to install and verify ASM respectively. Add the package's bin directory to your PATH so that the tools are easy to invoke.
export PATH=$PWD/bin:$PATH
As part of the installation process, you will pass istio-operator.yaml as input to the istioctl install command. This file is required to enable the mesh telemetry and security features. You will download istio-operator.yaml as part of the ASM packages using kpt, a packaging toolkit for Kubernetes configuration. The packages also contain other resource configuration files that you update with the relevant project and cluster information.
Install the kpt toolkit, then use it to download the ASM packages into a separate directory.
sudo apt-get install google-cloud-sdk-kpt
mkdir ${CLUSTER_NAME}
cd ${CLUSTER_NAME}
kpt pkg get https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages@1.6.8-asm.9 asm
Update the resource configuration with the current project and cluster information. These values are referenced by the istio-operator.yaml file.
kpt cfg set asm gcloud.container.cluster ${CLUSTER_NAME}
kpt cfg set asm gcloud.project.environProjectNumber ${PROJECT_NUMBER}
kpt cfg set asm gcloud.core.project ${PROJECT_ID}
kpt cfg set asm gcloud.compute.location ${CLUSTER_ZONE}
kpt cfg set asm anthos.servicemesh.profile asm-gcp
kpt is an open source tool from Google that allows you to package and publish, or fetch and update, Kubernetes configuration and manifest files. This allows a cleaner separation between the configuration itself and the operations performed on it.
Install Anthos Service Mesh
You will use the istioctl tool to install ASM, passing it the istio-operator.yaml file downloaded in the previous step.
istioctl install -f asm/cluster/istio-operator.yaml
Once the installation is complete, check the Istio workloads in the istio-system namespace.
kubectl get pod -n istio-system
You can use the asmctl tool to validate the installation. It validates the existing configuration of your project, cluster and workloads, and it can also verify the validity of the TLS certificates.
asmctl validate
The core component of ASM is the sidecar proxy, which provides security, reliability and observability to the networked services. The sidecar proxy is simply a sidecar container (one of the Kubernetes design patterns) injected transparently alongside your primary (application) container.
Sidecar proxy injection is enabled by setting the istio-injection label on the namespace of your choice.
kubectl label namespace default istio-injection=enabled --overwrite
You can now deploy your application workloads (pods), and you should see one extra sidecar proxy container alongside each primary container.
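Seeing the extra container on a freshly deployed pod is the happy path; the case to watch for is a pod that runs in the labelled namespace without the proxy, since such a pod sits outside the mesh and therefore outside its mutual TLS and access-control policies. Injection happens when a pod is created, so pods that were already running when the label was applied are not retrofitted and need to be restarted. The script below is an added example, not part of the article or of ASM: it parses the container list per pod and reports any pod whose containers do not include istio-proxy. The input is a constructed sample of what kubectl get pods -o custom-columns=NAME:.metadata.name,CONTAINERS:.spec.containers[*].name prints; the pod names are made up.

```shell
#!/bin/sh
# Added example (not from the article): find pods in a namespace that are
# running without the istio-proxy sidecar.

# Constructed sample of:
#   kubectl get pods -n default -o custom-columns=NAME:.metadata.name,CONTAINERS:.spec.containers[*].name
# Two of the four pods were created before the namespace was labelled and have no sidecar.
SAMPLE_PODS='NAME                        CONTAINERS
frontend-7c9d8f6b5-abcde    frontend,istio-proxy
checkout-5f6d7c8b9-fghij    checkout
currency-6b7c8d9e0-klmno    currency,istio-proxy
legacy-worker-0             worker,log-shipper'

# find_unmeshed_pods: reads custom-columns output on stdin, prints the name of
# every pod whose comma-separated container list lacks istio-proxy.
# Exit status 0 if every pod carries the sidecar, 1 otherwise.
find_unmeshed_pods() {
    awk 'NR > 1 {
        n = split($2, c, ",")
        found = 0
        for (i = 1; i <= n; i++) if (c[i] == "istio-proxy") found = 1
        if (!found) { print $1; missing++ }
    }
    END { exit (missing > 0) }'
}

# check_sample: run the check over the constructed sample above.
check_sample() {
    printf '%s\n' "$SAMPLE_PODS" | find_unmeshed_pods
}

if check_sample; then
    echo "all pods carry the istio-proxy sidecar"
else
    echo "the pods listed above are outside the mesh; restart them so the sidecar is injected"
fi
```

Against a live cluster, replace the sample with the real command: kubectl get pods -n default -o custom-columns=NAME:.metadata.name,CONTAINERS:.spec.containers[*].name | find_unmeshed_pods. The exit status makes the check usable as a gate in a deployment pipeline.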