Step by Step Deployment of OpenSource ISTIO with helm on GKE Project(Part-I)

Manojit Das
6 min read, Apr 27, 2020


I am going to post a series of articles covering different functionality of the Istio service mesh and how we should adopt it, after a thorough understanding of its components, capabilities and complexity.

What is ISTIO

Istio is a Kubernetes-native service mesh, originally released by Google, IBM and Lyft, and a large number of major technology companies have chosen to back it as their service mesh of choice; Google and IBM, among others, offer it as a managed add-on to their Kubernetes cloud services. Together with companion community projects such as Kiali (mesh visualization) and Jaeger (distributed tracing), Istio moves service-to-service communication logic out of the application and into the platform. The mesh injects a sidecar proxy into each pod, and that proxy intercepts all network traffic between microservices. This gives developers load balancing, service-to-service authentication, A/B testing, canary deployments, rate limiting, circuit breaking and encryption of traffic between services (mutual TLS between the sidecars, not application-level end-to-end encryption), with no or very few changes to the service code itself.

Istio was initially built by Google, IBM and Lyft and has since joined the Cloud Native Computing Foundation (CNCF). Alongside Kubernetes it has become almost synonymous with the platform on which other applications run. It can also be extended to VM-based workloads, which makes it a good fit for hybrid cloud environments.

It addresses much of the operational overhead of connecting, securing, controlling and observing services. In this post I will cover the deployment of open source Istio on Kubernetes, using GKE as the base platform.

Istio Architecture

Key control plane components are:

Pilot: configures the proxies, converting Istio routing rules and service discovery data into Envoy configuration and pushing it to the sidecars.

Mixer: policy enforcement and telemetry collection, with a flexible adapter (plugin) model for policy and telemetry backends.

Citadel: service-to-service authentication using mutual TLS, with built-in identity and credential (certificate) management. Authorization policy itself is enforced by the Envoy sidecars using configuration from Pilot.

Galley: validates, ingests and distributes Istio configuration to the other control plane components (it appears as istio-galley in the install below).

Key Data Plane Component:

Envoy Proxy: originally built at Lyft, Envoy is a high-performance C++ distributed proxy. Istio deploys it as a sidecar next to every service instance and also as the ingress gateway, so all mesh traffic flows through these proxies.

Now let’s jump in and do some hands-on work to test and understand a few use cases with Istio. I will set up the platform on GKE.

Setting up a GKE cluster in a project with default VPC

In Cloud Shell set the environment variables

export CLUSTER_NAME=cluster1
export CLUSTER_ZONE=us-west1-b
export CLUSTER_VERSION=latest

Create a GKE cluster in a project with the default VPC:

gcloud container clusters create $CLUSTER_NAME --zone $CLUSTER_ZONE --num-nodes 4 --machine-type "n1-standard-2" --enable-ip-alias --image-type "COS" --cluster-version=$CLUSTER_VERSION --enable-stackdriver-kubernetes --scopes "gke-default","compute-rw" --enable-autoscaling --min-nodes 4 --max-nodes 8

This command creates a cluster in a single zone with 4 nodes that can autoscale up to 8. The nodes sit in the default VPC network and Stackdriver Kubernetes monitoring is enabled. Two security notes on the flags: the original recipe also passed --enable-basic-auth, which turns on static username/password authentication to the API server; that is a legacy option, no longer supported on GKE 1.19 and later, and it is left out here because the get-credentials step below authenticates with your Google identity instead. The "compute-rw" scope gives every node's service account read/write access to the Compute Engine API, which is more than Istio needs; keep it only if you know a workload requires it.

Configure kubectl command line access:

export PROJECT=$(gcloud config get-value project)
gcloud container clusters get-credentials $CLUSTER_NAME --zone $CLUSTER_ZONE --project $PROJECT

To grant admin permissions in the cluster to the current gcloud user:

kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value core/account)

Deploy Helm

Download and install the helm binary:

wget https://storage.googleapis.com/kubernetes-helm/helm-v2.9.0-linux-amd64.tar.gz

Extract the archive and install the binary:

tar zxfv helm-v2.9.0-linux-amd64.tar.gz 
sudo chmod +x linux-amd64/helm && sudo mv linux-amd64/helm /usr/bin/helm

Create a service account for Tiller (Helm 2's in-cluster server) and bind it to cluster-admin. The first binding below repeats the user binding created earlier and is harmless to run again. Be aware of what the Tiller binding means: Tiller listens on port 44134 inside the cluster with no authentication unless you configure TLS, so any pod that can reach tiller-deploy in kube-system can install arbitrary resources with cluster-admin rights. Helm 3 removed Tiller entirely, and the Istio installation below actually uses helm template piped to kubectl apply, which renders manifests client-side and does not need Tiller at all; on anything beyond a throwaway lab cluster, prefer Helm 3 or skip helm init and rely on helm template.

kubectl create clusterrolebinding user-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value account) 
kubectl create serviceaccount tiller --namespace kube-system
kubectl create clusterrolebinding tiller-admin-binding --clusterrole=cluster-admin --serviceaccount=kube-system:tiller

Instantiate the Tiller pod for Helm and refresh the chart repositories:

helm init --service-account=tiller --upgrade
helm repo update

Test the Helm deployment (both the client and the Tiller server version should be reported):

helm version

Deploy Open Source Istio on GKE

Download Istio 1.2.2 and put istioctl on the PATH:

export WORK_DIR=$HOME/ISTIO
export ISTIO_VERSION=1.2.2
mkdir -p $WORK_DIR
cd $WORK_DIR
curl -L https://git.io/getLatestIstio | ISTIO_VERSION=$ISTIO_VERSION sh -
cd ./istio-*
export PATH=$PWD/bin:$PATH
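Both the Helm tarball above and the Istio download are fetched without any integrity check, and the Istio step pipes a remote script straight into sh, so whoever controls the redirect or the download host controls what runs in your shell. The following is an added example, not part of the original post, of a small POSIX sh helper that downloads an archive to a temporary file and only moves it into place if its SHA-256 matches a digest you took from the project's release page. The release URL pattern, the asset name (istio-<version>-linux.tar.gz, as laid out in the 1.2-era releases) and the digest placeholder are assumptions to be checked against the release page; the offline demonstration at the end uses a constructed file whose digest is known.

```shell
#!/bin/sh
# Added example (not from the original post): download a release archive and refuse
# to use it unless its SHA-256 matches a digest obtained out of band (the release
# page or release notes), instead of `curl ... | sh`. URLs, asset names and the
# digest placeholder below are assumptions; fill them in from the release page.
set -eu

# sha256_of FILE: print the hex digest with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: succeed only if FILE hashes to EXPECTED (any case).
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'ABCDEF' 'abcdef')
    [ "$(sha256_of "$1")" = "$expected" ]
}

# fetch_verified URL EXPECTED_SHA256 DEST: download to a temp file next to DEST,
# verify, then move into place, so a tampered or truncated download never lands
# at DEST and nothing is extracted or executed before the check passes.
fetch_verified() {
    url=$1
    expected=$2
    dest=$3
    tmp=$(mktemp "$dest.XXXXXX")
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        rm -f "$tmp"
        echo "download failed: $url" >&2
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "checksum mismatch for $url: got $(sha256_of "$tmp"), expected $expected" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
    echo "verified: $dest"
}

# Offline demonstration on a constructed file whose digest is known:
# sha256 of the bytes "hello\n" is 5891b5b5...6be03.
demo=$(mktemp)
printf 'hello\n' > "$demo"
GOOD=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
BAD=0000000000000000000000000000000000000000000000000000000000000000
verify_sha256 "$demo" "$GOOD" && echo "demo: matching digest accepted"
verify_sha256 "$demo" "$BAD" || echo "demo: wrong digest rejected"
rm -f "$demo"

# Real use (network; replace the digest with the one published for the release):
#   ISTIO_VERSION=1.2.2
#   fetch_verified "https://github.com/istio/istio/releases/download/$ISTIO_VERSION/istio-$ISTIO_VERSION-linux.tar.gz" \
#       "<sha256 from the release page>" "istio-$ISTIO_VERSION-linux.tar.gz"
#   tar xzf "istio-$ISTIO_VERSION-linux.tar.gz"
```

The same helper covers the Helm tarball: pass the helm-v2.9.0-linux-amd64.tar.gz URL and the digest published for that Helm release, and only extract after fetch_verified returns successfully.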

Create the istio-system namespace for the Istio control plane components:

kubectl create namespace istio-system

Install the Istio Custom Resource Definitions (CRDs) using Helm:

helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -

Check that all 23 Istio CRDs were committed (CRDs are cluster-scoped, so the namespace flag has no effect and is dropped here; expect 28 if cert-manager is enabled):

kubectl get crds | grep 'istio.io\|certmanager.k8s.io' | wc -l

Install Istio with the demo configuration profile:

helm template install/kubernetes/helm/istio --values install/kubernetes/helm/istio/values-istio-demo.yaml --name istio --namespace istio-system | kubectl apply -f -

While the default configuration profile is recommended for production deployments, the demo configuration profile is designed to showcase Istio functionality with modest resource requirements. Note that it installs with permissive mutual TLS and without control-plane security (values-istio-demo-auth.yaml is the same profile with both enabled), so it is suitable for running the Bookinfo application and the associated tasks, not for a production mesh.

Ensure the following Kubernetes services and pods are deployed: istio-citadel, istio-galley, istio-pilot, istio-ingressgateway, istio-policy, istio-sidecar-injector and istio-telemetry. You will also see other deployed services.

kubectl get service -n istio-system
kubectl get pods -n istio-system

Verify istioctl works:

istioctl version
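The CRD count and the pod listing above are the checks you repeat after every reinstall, so they are worth scripting. Below is an added example, not part of the original post, in POSIX sh: count_istio_crds and unhealthy_pods parse kubectl output from stdin, which lets them run offline against the constructed sample at the end, and check_istio_install runs them against a live cluster. The pod names and timestamps in the sample are constructed for illustration, and the 23-CRD threshold is the number the Istio 1.2 Helm install documents.

```shell
#!/bin/sh
# Added example (not from the original post): script the post-install checks.
# The sample data at the bottom is constructed; the namespace defaults to istio-system.
set -eu

# count_istio_crds: stdin = `kubectl get crds` output. Prints how many CRDs belong
# to the istio.io or certmanager.k8s.io API groups (CRDs are cluster-scoped, no -n).
count_istio_crds() {
    grep -c -E 'istio\.io|certmanager\.k8s\.io' || true
}

# unhealthy_pods: stdin = `kubectl get pods --no-headers` output
# (NAME READY STATUS RESTARTS AGE). Prints one line per pod that is not fully
# ready, not Running, or has restarted. Completed pods are the istio-init CRD
# jobs and are expected, so they are skipped.
unhealthy_pods() {
    awk '
        $3 == "Completed" { next }
        {
            split($2, ready, "/")
            if ($3 != "Running" || ready[1] != ready[2] || $4 + 0 > 0)
                print $1 " ready=" $2 " status=" $3 " restarts=" $4
        }'
}

# check_istio_install [NAMESPACE]: live checks against the current kubectl context.
# Returns non-zero if the CRDs are missing or any control-plane pod is unhealthy.
check_istio_install() {
    ns=${1:-istio-system}
    crds=$(kubectl get crds | count_istio_crds)
    if [ "$crds" -lt 23 ]; then
        echo "expected at least 23 Istio CRDs, found $crds" >&2
        return 1
    fi
    # Give the control plane a chance to come up before judging it.
    kubectl wait --for=condition=available deployment --all -n "$ns" --timeout=300s >/dev/null \
        || echo "timed out waiting for deployments in $ns" >&2
    bad=$(kubectl get pods -n "$ns" --no-headers | unhealthy_pods)
    if [ -n "$bad" ]; then
        printf 'unhealthy pods in %s:\n%s\n' "$ns" "$bad" >&2
        return 1
    fi
    echo "istio control plane in $ns is healthy ($crds CRDs)"
}

# Constructed sample, shaped like `kubectl get pods -n istio-system --no-headers`
# on a 1.2 install where pilot is still starting and telemetry is crash-looping.
SAMPLE_PODS='istio-citadel-7c5b89d54-abcde        1/1   Running            0   3m
istio-galley-66d6bd9b9b-fghij        1/1   Running            0   3m
istio-pilot-6b7c9c8d5-klmno          1/2   Running            0   3m
istio-init-crd-10-1.2.2-pqrst        0/1   Completed          0   5m
istio-telemetry-5f4d8b6c9-uvwxy      1/2   CrashLoopBackOff   7   3m'

# Constructed sample, shaped like `kubectl get crds` (only 4 of these are Istio's).
SAMPLE_CRDS='NAME                                      CREATED AT
adapters.config.istio.io                  2020-04-27T15:00:00Z
gateways.networking.istio.io              2020-04-27T15:00:00Z
policies.authentication.istio.io          2020-04-27T15:00:00Z
certificates.certmanager.k8s.io           2020-04-27T15:00:00Z
backendconfigs.cloud.google.com           2020-04-27T14:50:00Z'

echo "sample CRD count: $(printf '%s\n' "$SAMPLE_CRDS" | count_istio_crds)"
printf '%s\n' "$SAMPLE_PODS" | unhealthy_pods

# Against a real cluster:
#   check_istio_install istio-system
```

Run check_istio_install after the helm template step; a non-zero exit with the offending pods printed is the signal to look at kubectl describe and the pod logs before moving on to Bookinfo.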

Deploy the Bookinfo application as a sample use case

It is composed of several microservices:

  • productpage: calls the details and reviews microservices to populate the page.
  • details: contains book information.
  • reviews: contains book reviews. It also calls the ratings microservice.
  • ratings: contains book ranking information that accompanies a book review.

There are 3 versions of the reviews microservice:

  • Reviews v1 doesn’t call the ratings service.
  • Reviews v2 calls the ratings service, and displays each rating as 1–5 black stars.
  • Reviews v3 calls the ratings service, and displays each rating as 1–5 red stars.

Use the following command to inject the proxy sidecar along with each application Pod that is deployed:

kubectl apply -f <(istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml)

Alternatively, automatic sidecar injection can be enabled by labeling the namespace that hosts the application with istio-injection=enabled; the istio-sidecar-injector webhook then adds the proxy to every new pod created in that namespace (pods that already exist are only injected when they are recreated):

kubectl label namespace default istio-injection=enabled

Enable external access using an Istio Ingress Gateway

Configure the ingress gateway for the application, which exposes an external IP you will use later:

kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml

Confirm that the application has been deployed correctly by reviewing the services, pods and ingress gateway. First the services:

kubectl get services

Review running application pods:

kubectl get pods

Note: each pod reports 2/2 in the READY column. That is the application container plus the Istio proxy sidecar.

Confirm that the Bookinfo application is running by sending a curl request to it from some pod, within the cluster, for example from ratings:

kubectl exec -it $(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}') -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"

The output will look like this:

<title>Simple Bookstore App</title>
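The in-cluster request above succeeds, but with the demo profile the sidecars are in permissive mode, so a plaintext client would have succeeded too: the mutual TLS that Citadel provisions is available, not enforced. Below is an added example, not part of the original post, in POSIX sh that renders the two Istio 1.2 manifests needed to make the Bookinfo namespace strict (the authentication.istio.io/v1alpha1 Policy API of that era, replaced by PeerAuthentication in later releases, plus a DestinationRule so clients originate mTLS), and two verification helpers. The istioctl authn tls-check call is the 1.2-era command; the probe namespace name "mesh-probe", the curlimages/curl image and the pod name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): enforce strict mutual TLS for the
# Bookinfo namespace on Istio 1.2 and verify it is really enforced. The demo
# profile leaves the mesh PERMISSIVE, where sidecars still accept plaintext.
# Namespace "mesh-probe" and the probe image are assumptions for illustration.
set -eu

# write_strict_mtls_manifests DIR [NAMESPACE]: write the two manifests needed for
# strict mTLS in NAMESPACE and print their paths.
write_strict_mtls_manifests() {
    dir=$1
    ns=${2:-default}
    # Server side: a namespace-wide policy must be named "default" and have no
    # targets. STRICT makes every sidecar in the namespace refuse non-mTLS traffic.
    cat > "$dir/strict-mtls-policy.yaml" <<EOF
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: $ns
spec:
  peers:
  - mtls:
      mode: STRICT
EOF
    # Client side: without this, sidecars and the ingress gateway keep sending
    # plaintext to $ns and their own proxy returns 503 once STRICT is on.
    cat > "$dir/strict-mtls-destinationrule.yaml" <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: $ns
spec:
  host: "*.$ns.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF
    echo "$dir/strict-mtls-policy.yaml" "$dir/strict-mtls-destinationrule.yaml"
}

# mtls_status POD [NAMESPACE]: Istio 1.2's istioctl reports, per destination,
# whether the server policy and the client DestinationRule agree. Any CONFLICT
# row will surface as 503s once STRICT is applied. Returns non-zero on CONFLICT.
mtls_status() {
    out=$(istioctl authn tls-check "$1.${2:-default}")
    echo "$out"
    ! echo "$out" | grep -q CONFLICT
}

# plaintext_probe SERVICE [NAMESPACE]: from a pod with NO sidecar, send plaintext
# HTTP. If STRICT is enforced the server-side sidecar drops the connection and
# curl fails; if curl succeeds, mTLS is not actually being enforced.
plaintext_probe() {
    svc=$1
    ns=${2:-default}
    kubectl create namespace mesh-probe 2>/dev/null || true   # deliberately unlabeled
    if kubectl run mesh-probe --rm -i --restart=Never -n mesh-probe \
           --image=curlimages/curl --command -- curl -sS -m 5 -o /dev/null \
           "http://$svc.$ns.svc.cluster.local:9080/productpage"; then
        echo "plaintext accepted: strict mTLS is NOT enforced for $svc.$ns" >&2
        return 1
    fi
    echo "plaintext rejected: strict mTLS is enforced for $svc.$ns"
}

# Offline demonstration: render the manifests for the default namespace.
out_dir=$(mktemp -d)
write_strict_mtls_manifests "$out_dir" default
cat "$out_dir"/strict-mtls-*.yaml

# Against the cluster (order matters: DestinationRule first, then the Policy,
# so clients switch to mTLS before servers start requiring it):
#   kubectl apply -f "$out_dir/strict-mtls-destinationrule.yaml"
#   kubectl apply -f "$out_dir/strict-mtls-policy.yaml"
#   mtls_status "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')"
#   plaintext_probe productpage
```

After applying both manifests, the kubectl exec curl from the ratings pod still works because its sidecar now originates mTLS, the ingress gateway still reaches productpage because the DestinationRule applies to it too, and plaintext_probe should report the plaintext request as rejected. If it reports the request as accepted, the Policy did not take effect (check kubectl get policies.authentication.istio.io -n default).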

Confirm the ingress gateway has been created:

kubectl get gateway

Get the external IP address of the ingress gateway:

kubectl get svc istio-ingressgateway -n istio-system

Check that the Bookinfo app is running by sending a curl request to it from outside the cluster:

export GATEWAY_URL=[EXTERNAL-IP]
curl -I http://${GATEWAY_URL}/productpage

The output will look like below:

HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 4183
server: istio-envoy
date: Mon, 27 Apr 2020 15:46:31 GMT
x-envoy-upstream-service-time: 1119

Point your browser to http://$GATEWAY_URL/productpage to see the Bookinfo web page, replacing $GATEWAY_URL with your external IP address.

Refresh the page several times.

Notice that you see three different versions of the reviews service, since we have not yet used Istio to control version routing.

Requests are spread across the three reviews deployments in a round-robin style:

  • no stars
  • black stars
  • red stars

Switching among the three is the normal Kubernetes Service load-balancing behavior; taking control of it with Istio routing rules is left to later parts of this series.
