Technology Preview - Istio Service Mesh Application

About this task

The Istio Service Mesh application Technology Preview is integrated into StarlingX as a system application.

Istio provides traffic management, observability as well as security as a Kubernetes service mesh. For more information, see https://istio.io/.

StarlingX includes istio-operator container to manage the life cycle management of the Istio components.

The following Istio components are enabled when applying the Istio system application:

  • Istio data plane - Envoy - Kubernetes side-car proxy

  • Istio control plane - Istiod - service discovery, configuration and certificate management

  • Istio gateway - Traffic management of ingress and egress L4-L7 traffic

  • Istio-cni - Kubernetes CNI plugin

The Kiali (https://kiali.io/) management console for Istio is also integrated with StarlingX in the Istio system application. It provides management functions and visualizations to the service mesh operation. Metrics and tracing functionalities are not supported at this time.

Procedure

You can install Istio and Kiali on StarlingX from the command line.

  1. Locate the Istio tarball in /usr/local/share/applications/helm.

    For example:

    /usr/local/share/applications/helm/istio-<version>.tgz
    
  2. Upload the application.

    ~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/istio-<version>.tgz
    
  3. Apply the application.

    ~(keystone_admin)]$ system application-apply istio
    
  4. Monitor the application status.

    ~(keystone_admin)]$ watch -n 5 system application-list
    

    OR

    ~(keystone_admin)]$ watch kubectl get pods -n istio-system
    
  5. Setup network attachment definition.

    cat > istio-cni-nad.yaml <<EOF
    apiVersion: "k8s.cni.cncf.io/v1"
    kind: NetworkAttachmentDefinition
    metadata:
     name: istio-cni
    EOF
    kubectl apply -f istio-cni-nad.yaml
    

    CNI is managed by Multus. The NetworkAttachmentDefinition is required in the application namespace in order to invoke the istio-cni plugin.

  6. Enable side car for a particular namespace.

    kubectl label namespace <namespace> istio-injection=enabled
    

    When the istio-injection=enabled label on a namespace is set and the injection webhook is enabled, any new pods that are created in that namespace will automatically have a sidecar added to them.

Results

At this point, you may have launched services in the above namespace.

When the user application is deployed, the sidecar container istio-proxy is injected into the user application pod:

Events:

Type    Reason     Age   From               Message
----    ------     ----  ----               -------
...
Normal  Created    10s   kubelet            Created container <user app>
Normal  Started    10s   kubelet            Started container <user app>
...
Normal  Created    9s    kubelet            Created container istio-proxy
Normal  Started    8s    kubelet            Started container istio-proxy

The istio-proxy sidecar extracts telemetry of all ingress and egress traffic of the user application that can be monitored and available for display in Kiali, and it mediates all ingress and egress traffic of the user application by enforcing policy decisions.

Use Kiali

After the Istio application has been installed, you can launch the Kiali management console in a browser.

  1. Get the port of Kiali service.

    ~(keystone_admin)]$ kubectl get svc -n istio-system kiali -o jsonpath='{.spec.ports[?(@.name=="http")].nodePort}'
    
  2. Launch Kiali on a browser.

    http:<oam-floating-ip>:<kiali_port>/kiali
    
  3. Get the login token.

    ~(keystone_admin)]$ kubectl get secret -n istio-system $(kubectl get sa kiali -n istio-system -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 -d
    
  4. Login to Kiali.

    Enter the token from the previous step and press Login.

Remove Istio application

You can remove the Istio application from StarlingX.

  1. Remove pods and their resources.

    ~(keystone_admin)]$ system application-remove istio
    
  2. Delete the application.

    ~(keystone_admin)]$ system application-delete istio
    
  3. Delete Istio CNI Network Attachment Definition.

    ~(keystone_admin)]$ kubectl delete -f istio-cni-nad.yaml