Istio Service Mesh in Kubernetes and Auto Injecting It in the Kubernetes Pod as Side Car Container | Part-II
In Part-I of this series we saw what a service mesh is and how it works. Today we will see how to install the service mesh and enable the default addons.
Before we start, a few prerequisites:
- Docker Desktop
- Local Kubernetes Cluster (can be enabled via Docker Desktop)
Let’s get started,
1. First we need to download istioctl, the command line tool used to manage Istio in the Kubernetes cluster. To download it, go to https://github.com/istio/istio/releases/tag/1.13.3 and download the package for your OS. I am using a Windows system, so I will show the steps accordingly.
Unzip this package, this package will contain istioctl tool, along with manifest files required to install and also few examples,
Contents of this package will look like below,
2. Now let's go to the unzipped package and open the bin folder, where you can find the istioctl executable. Open a command prompt in this folder and install Istio with the demo profile. By default the profiles below are available:
a. default
b. demo
c. empty
d. external
e. minimal
f. openshift
g. preview
h. remote
You can check each profile's manifest file to understand more about it; the manifests are in the istio-1.13.3\manifests\profiles folder.
For our purpose we will install the demo profile, run the below command in the bin folder,
istioctl install --set profile=demo -y
Now istio is installed, you can see a new namespace called istio-system has been created,
3. Now that Istio is installed, let's install a few addons: Kiali, Prometheus, Grafana and Jaeger.
You can use Grafana to monitor the health of Istio and of applications within the service mesh.
Kiali is an observability console for Istio with service mesh configuration and validation capabilities. It helps you understand the structure and health of your service mesh by monitoring traffic flow to infer the topology and report errors.
Jaeger is an open source end to end distributed tracing system, allowing users to monitor and troubleshoot transactions in complex distributed systems.
Prometheus is an open source monitoring system and time series database. You can use Prometheus with Istio to record metrics that track the health of Istio and of applications within the service mesh.
The addon manifests are kept in the samples/addons folder of the package, so we will install them all together by running the command below:
kubectl apply -f samples/addons
Wait for some time until the deployments are created successfully.
Let's check whether the dashboards are up. Go to the bin folder to access istioctl and run the command below:
istioctl dashboard kiali
It will open a new link in the browser with Kiali dashboard,
Similarly you can try this out for Grafana as well,
In Grafana let’s check the current automatically created dashboards,
So it is working now.
But there is a problem: these addons are not yet properly exposed, so you cannot access them without istioctl commands (i.e. istioctl dashboard grafana).
Whenever we run these commands, istioctl acts as a proxy that forwards our requests to the container on the correct port.
4. Now we will expose these addons properly. While testing Istio we will expose them over HTTPS, so as a prerequisite we need to create certificates for HTTPS communication.
Create a new folder named certs under the package folder,
In this folder we will create all the self-signed certificates. We also need openssl, which is used to create the certificates; if you do not have it, please install it.
Run the commands below one by one. (Please change the names according to your needs; I am providing the organization name “Arka Inc” and the DNS name “arkainc.test.dev”.) Also provide the correct location where the certs will be kept; we will use the certs folder that we have just created.
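One way to produce the tls.key and tls.crt used in the next step, shown as an added example rather than the author's original commands: a root CA plus a wildcard server certificate for the organization and DNS name above. The function names, the ca.* file names and the wildcard SAN are assumptions; it expects a POSIX shell (for example WSL or Git Bash on Windows) with OpenSSL 1.1.1 or later.

```shell
# Added example; ORG and DOMAIN follow the names used in this post.
# Usage: make_certs ./certs && check_certs ./certs
ORG="Arka Inc"
DOMAIN="arkainc.test.dev"

# make_certs DIR: create a root CA and a wildcard server certificate in DIR.
make_certs() {
  dir=$1
  mkdir -p "$dir" || return 1
  # 1. Self-signed root CA (key + certificate), valid for one year.
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj "/O=$ORG/CN=$DOMAIN" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
  # 2. Server key and signing request covering the addon host names.
  openssl req -nodes -newkey rsa:2048 \
    -subj "/O=$ORG/CN=*.$DOMAIN" \
    -keyout "$dir/tls.key" -out "$dir/tls.csr" 2>/dev/null || return 1
  # 3. Browsers match the host against subjectAltName, not CN, so set it.
  printf 'subjectAltName=DNS:*.%s\n' "$DOMAIN" > "$dir/san.ext"
  # 4. Sign the request with the root CA to get tls.crt.
  openssl x509 -req -sha256 -days 365 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.ext" \
    -in "$dir/tls.csr" -out "$dir/tls.crt" 2>/dev/null || return 1
}

# check_certs DIR: succeed only if tls.crt chains to ca.crt and its public
# key matches tls.key (a mismatched pair is rejected when the secret is made).
check_certs() {
  dir=$1
  openssl verify -CAfile "$dir/ca.crt" "$dir/tls.crt" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$dir/tls.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$dir/tls.key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}
```

In Git Bash, set MSYS_NO_PATHCONV=1 first so the -subj value is not rewritten as a Windows path.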
Now that we have the required certificates, we need to create a Kubernetes secret from them. To do that, run the command below:
kubectl create -n istio-system secret tls telemetry-gw-cert --key=C:/Users/sinha/Downloads/istio-1.13.3-win/istio-1.13.3/certs/tls.key --cert=C:/Users/sinha/Downloads/istio-1.13.3-win/istio-1.13.3/certs/tls.crt
Now we need to expose the Grafana instance by creating an ingress gateway, so we will create a new folder called newInstalltion and create the YAML file below in it.
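A manifest of the kind this step calls for, shown as an added example and not the author's own grafanaingress.yml: a Gateway that terminates TLS with the telemetry-gw-cert secret created above, and a VirtualService that routes the Grafana host to the addon's service. The helper function, the resource names (grafana-gateway, grafana-vs) and the Grafana service port 3000 are assumptions.

```shell
# grafana_gateway_manifest DOMAIN [SECRET]: print the manifest to stdout.
# Usage: grafana_gateway_manifest arkainc.test.dev > grafanaingress.yml
grafana_gateway_manifest() {
  host="grafana.$1"
  secret=${2:-telemetry-gw-cert}   # TLS secret in the istio-system namespace
  cat <<EOF
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: grafana-gateway            # assumed name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway          # bind to the default ingress gateway pods
  servers:
  - port:
      number: 443
      name: https-grafana
      protocol: HTTPS
    tls:
      mode: SIMPLE                 # gateway terminates TLS, no client certs
      credentialName: $secret
    hosts:
    - "$host"                      # only this host name is served
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: grafana-vs                 # assumed name
  namespace: istio-system
spec:
  hosts:
  - "$host"
  gateways:
  - grafana-gateway
  http:
  - route:
    - destination:
        host: grafana              # addon Service in istio-system
        port:
          number: 3000             # assumed Grafana service port
EOF
}
```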
Run below command,
kubectl apply -f grafanaingress.yml
Once it is created, we are almost done. Now we need to modify the hosts file so that we can access it; on Windows the hosts file is at \Windows\System32\drivers\etc\hosts
Let's explore https://grafana.arkainc.test.dev; you should be able to see the Istio Grafana. If, due to the self-signed certificate, you are not able to see the Grafana instance, type “thisisunsafe” in Chrome; it will remove the certificate-related restrictions.
Now that we have exposed Grafana, you need to repeat these steps to expose the other addons, such as Kiali and Zipkin. I will skip those steps and only paste the actual result.
The Jaeger UI will be available at https://tracing.arkainc.test.dev and the Kiali UI will be available at https://kiali.arkainc.test.dev
Now in Kiali, we can visualize how our request is going to certain pods,
From the above screenshots we can see that all our requests go to the Istio ingress gateway and are then forwarded to each pod, depending on the rules set for them. The gateway is also handling the TLS security.
We have installed Istio and the related addons successfully. In the next blog in the series, we will see how to do traffic management via Istio.