☁️Istio Installation on Huawei Cloud CCE Service

Rabia Yılmaz
Published in Huawei Developers
9 min read · Feb 7, 2024

Introduction

Istio is a service mesh for Kubernetes clusters. It is used to manage, scale, and secure traffic within and between clusters, and it offers a wide range of features for Kubernetes workloads.

The Huawei Cloud CCE service makes it easy to create a Kubernetes cluster that supports Istio. This article explains how to install Istio on a Huawei Cloud CCE cluster.

Istio Service Mesh

What is Istio?

Istio is an open-source service mesh that helps enterprises run distributed, microservices-based applications anywhere. It provides a uniform way to secure, connect, and monitor microservices, regardless of the underlying infrastructure or cloud provider.

Istio does this by sitting as a layer on top of your existing Kubernetes or other container orchestration platform. It injects an Envoy sidecar proxy into each of your application’s pods. This proxy intercepts all network traffic between your microservices and enforces the policies you define in Istio’s control plane.

Istio Control Plane

What can you do with Istio?

With Istio, you can tackle some of the biggest challenges of managing complex, distributed microservices architectures.

Traffic Management:

  • Fine-grained routing: Direct traffic to specific versions of services, specific data centers, or even subsets of services based on custom criteria.
  • Load balancing: Spread traffic evenly across healthy instances of a service to optimize performance and resource utilization.
  • Canary deployments and A/B testing: Gradually roll out new versions of services or test different configurations without impacting production traffic.
  • Circuit breaking: Automatically fail over to healthy instances or backends when errors are encountered, preventing cascading failures.

Security:

  • Mutual TLS authentication: Secure communication between services with mutual TLS encryption, ensuring only authorized services can talk to each other.
  • Authorization: Enforce access control policies to restrict which services can call each other and which resources they can access.
  • Rate limiting: Prevent service overload by limiting the number of requests a service can receive.
  • Auditing and monitoring: Track all service interactions and network traffic for security and compliance purposes.

Observability:

  • Distributed tracing: Gain insights into the entire request flow across multiple services, pinpointing performance bottlenecks and errors.
  • Metrics and telemetry: Collect and analyze detailed metrics about service health, performance, and resource utilization.
  • Logging aggregation: Centralize logs from all services for easier troubleshooting and analysis.
  • Visualization tools: Integrate with dashboards such as Kiali and Grafana to visualize your service mesh data and gain actionable insights.

Resilience:

  • Service health checks: Continuously monitor service health and automatically switch to healthy instances for improved uptime.
  • Retry logic: Automatically retry failed requests, mitigating transient errors and improving service availability.
  • Timeouts: Configure timeouts for requests to prevent hanging connections and improve overall system responsiveness.

Istio empowers you to manage the complexity of your microservices ecosystem with granular control, robust security, and comprehensive observability, paving the way for smoother operations, faster development, and increased reliability for your applications.

Kubernetes Traffic Infrastructure

Kubernetes, the container orchestration platform, excels at managing and deploying containerized applications. But with complex microservices architectures, efficient traffic routing becomes crucial. Enter the Kubernetes traffic infrastructure, a robust ecosystem of tools and techniques that guide application traffic seamlessly.

Imagine your Kubernetes cluster as a bustling port:

  • Containerized applications: Ships carrying valuable cargo (functionality)
  • Services: Lighthouses guiding ships to their destinations (desired pods)
  • Traffic: The ocean itself, carrying data packets like ships navigating their routes

Here’s how Kubernetes traffic infrastructure orchestrates this digital voyage:

1. Services: Act as abstract entities representing a set of pods. They provide a stable endpoint for external and internal traffic, decoupling consumers from the underlying pods’ specifics.

2. Service Types: Different service types cater to diverse routing needs:

  • ClusterIP: Internal service, accessible only within the cluster.
  • NodePort: Exposes the service on a dedicated port on each node, reachable from outside the cluster using the node IP and port.
  • LoadBalancer: Creates a cloud load balancer automatically, distributing traffic across healthy pods.
  • ExternalName: Maps the service to an external DNS name.

3. Ingress: Acts as a single entry point for routing external HTTP/HTTPS traffic to internal services based on rules defined in an Ingress resource. It simplifies managing external access and removes the need for a separate LoadBalancer Service per application.

4. Network Policies: Enforce fine-grained access control by specifying which pods can communicate with each other and with the external network. Think of them as maritime traffic regulations, ensuring safe and authorized passage.

5. Network Plugins: Provide the underlying network fabric for connecting pods and services. Popular options include Flannel and Calico, both of which implement the CNI (Container Network Interface) specification. These act as the invisible infrastructure beneath the ocean waves.

Benefits of a Robust Traffic Infrastructure:

  • Scalability: Handle traffic surges as you scale your application.
  • Resilience: Route around failures and maintain service availability.
  • Security: Enforce access control and protect your applications.
  • Observability: Monitor and troubleshoot traffic flow effectively.
  • Agility: Adapt your routing rules dynamically to meet changing needs.

Kubernetes traffic infrastructure empowers you to build and manage complex microservices deployments with confidence. By harnessing the right tools and techniques, you can guide your application traffic efficiently, ensuring a smooth and reliable digital voyage for your users.

Remember, choosing the optimal setup depends on your specific needs and environment. Explore the diverse options available and chart your course toward a thriving microservices architecture!

Pre-Requirements

  1. Huawei Cloud Account
  2. A CCE Cluster
  3. Connectivity from your workstation to the CCE cluster
  4. K9s and kubectl

How to install Istio on your Kubernetes environment

Download Istio

The command below downloads and extracts the latest Istio release. Go to the link for another OS. If you need to use a different version, please visit this site; the download script also honors the ISTIO_VERSION environment variable (for example ISTIO_VERSION=1.20.2), which pins the release you install.

curl -L https://istio.io/downloadIstio | sh -

Install Istio

Next we change into the extracted directory and add the Istio binaries (istioctl) to the PATH environment variable. For this, you can use the commands below.

cd istio-1.20.2
export PATH=$PWD/bin:$PATH

You can verify that the commands worked by checking the version. Type “istioctl version” and you should get an output similar to the one below.

Istio version checking

After istioctl is installed, we can install the Istio control plane and the components required for our Kubernetes environment by using the command below.

istioctl install

The expected output should be as below. If any component is missing from the output, the installation may be incomplete.

Istioctl install | service mesh

If you do not see the egress gateway in the output above, you can add it by running the command below, reusing the flags from your original installation; the egress gateway is then installed without any problems.

istioctl install <flags-you-used-to-install-Istio> \
--set components.egressGateways[0].name=istio-egressgateway \
--set components.egressGateways[0].enabled=true

To check the Istio services, list the services in the istio-system namespace; the expected output is shown below.

Kubernetes service checking for Istio

We need to label the namespace whose traffic we want Istio to manage, so that Istio knows it may inject sidecars into this namespace. If you are working in a namespace other than default, replace the default value with your namespace.

kubectl label namespace default istio-injection=enabled
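The label above only makes the sidecar injector add an Envoy proxy to new pods in the namespace. With the default profile of istioctl install, the proxies run mutual TLS in PERMISSIVE mode, which accepts mTLS but still accepts plaintext, so the mutual TLS described in the Security section is not enforced until a PeerAuthentication policy sets STRICT mode. The script below is an added example written for this article, not code from the original post or from the Istio project: it generates a namespace-scoped PeerAuthentication manifest, shows the kubectl command that applies it, and parses the output of a kubectl query to report which namespaces are still not enforcing mTLS. The namespace names and the query output at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example: enforce mTLS for an istio-injection=enabled namespace.
# Default after "istioctl install": no PeerAuthentication exists, which behaves
# like mode PERMISSIVE (mTLS accepted, plaintext also accepted).

# Print a PeerAuthentication that forces STRICT mTLS for the namespace in $1.
# A PeerAuthentication without a selector applies to every workload in its namespace.
peer_authentication_manifest() {
    cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: $1
spec:
  mtls:
    mode: STRICT
EOF
}

# Apply the policy to a live cluster (needs kubectl and cluster access).
apply_strict_mtls() {
    peer_authentication_manifest "$1" | kubectl apply -f -
}

# $1: output of this query against a live cluster, one "<namespace> <mode>" line per policy:
#   kubectl get peerauthentication -A -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.spec.mtls.mode}{"\n"}{end}'
# $2: namespace to check. Prints the mode (STRICT, PERMISSIVE, ...) or UNSET when the
# namespace has no policy of its own. A mesh-wide policy in the root namespace
# (istio-system) is not considered here; this looks at namespace-scoped policies only.
namespace_mtls_mode() {
    mode=$(printf '%s\n' "$1" | awk -v ns="$2" '$1 == ns { print $2; exit }')
    if [ -z "$mode" ]; then
        printf 'UNSET\n'
    else
        printf '%s\n' "$mode"
    fi
}

# Succeeds only when the namespace in $2 is covered by a STRICT policy.
is_strict() {
    [ "$(namespace_mtls_mode "$1" "$2")" = "STRICT" ]
}

# Constructed sample of the kubectl query output: "default" has a STRICT policy,
# "staging" is still PERMISSIVE, "legacy" has no policy at all.
SAMPLE_MODES='default STRICT
staging PERMISSIVE'

demo() {
    peer_authentication_manifest default
    for ns in default staging legacy; do
        if is_strict "$SAMPLE_MODES" "$ns"; then
            printf '%s: mTLS enforced\n' "$ns"
        else
            printf '%s: mTLS NOT enforced (mode %s)\n' "$ns" "$(namespace_mtls_mode "$SAMPLE_MODES" "$ns")"
        fi
    done
}

demo
```

Apply the policy with apply_strict_mtls default once every pod in the namespace carries a sidecar; a workload without a proxy cannot present a client certificate and is rejected under STRICT, which is the intended effect but also the usual cause of breakage right after switching modes.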

To try Istio in our environment, you can deploy the sample Bookinfo application by applying the bookinfo.yaml manifest shipped in the Istio download directory. If you need a different example, you can copy the manifest.yaml file from the link here; it is a more complex example.

kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

When we apply the bookinfo.yaml file, the CLI lists the workloads that were created. The expected output is shown below.

Istio service mesh book info example

Check the services in the default namespace. We will see that the productpage service has been created for the Bookinfo site.

kubectl get services

kubectl service checking

We can also use the following command to check the Istio pods across all namespaces, including those in istio-system.

kubectl get pods -A | grep istio

The output should look like the image below.

checking istio pods
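An application pod shows 2/2 in the output above because the Envoy sidecar runs next to the application container. A pod that was created before the namespace was labeled keeps running without a proxy and is invisible to Istio until it is recreated. The script below is an added example written for this article, not code from the original post or from the Istio project: it takes the per-pod container list that kubectl prints for a namespace, names every pod that lacks an istio-proxy container, and reports the overall coverage. The pod names at the bottom are constructed sample data.

```shell
#!/bin/sh
# Added example: find pods in an istio-injection=enabled namespace that run
# without the Envoy sidecar (typically pods created before the label was set).

# Real query for a live cluster (needs kubectl). Prints one line per pod:
#   "<pod-name> <container> <container> ..."
collect_pod_containers() {
    kubectl get pods -n "$1" -o jsonpath='{range .items[*]}{.metadata.name}{" "}{range .spec.containers[*]}{.name}{" "}{end}{"\n"}{end}'
}

# $1: text in the format produced by collect_pod_containers.
# Prints the name of every pod whose container list has no "istio-proxy".
pods_without_sidecar() {
    printf '%s\n' "$1" | awk 'NF {
        found = 0
        for (i = 2; i <= NF; i++) if ($i == "istio-proxy") found = 1
        if (!found) print $1
    }'
}

# $1: same text. Prints "<injected> <total>" for a quick coverage figure.
sidecar_coverage() {
    printf '%s\n' "$1" | awk 'NF {
        total++
        for (i = 2; i <= NF; i++) if ($i == "istio-proxy") { injected++; break }
    } END { printf "%d %d\n", injected + 0, total + 0 }'
}

# Constructed sample: Bookinfo-style pods; the details pod predates the label.
SAMPLE_PODS='productpage-v1-7c4b productpage istio-proxy
details-v1-9f2a details
reviews-v1-5d8c reviews istio-proxy
ratings-v1-2b1e ratings istio-proxy'

demo() {
    missing=$(pods_without_sidecar "$SAMPLE_PODS")
    printf 'sidecar coverage (injected total): %s\n' "$(sidecar_coverage "$SAMPLE_PODS")"
    if [ -n "$missing" ]; then
        printf 'pods without istio-proxy:\n%s\n' "$missing"
        # Recreating the pods lets the injector add the proxy, e.g. for a Deployment:
        #   kubectl rollout restart deployment/<name> -n default
        printf 'restart these workloads so the injector can add the sidecar\n'
    else
        printf 'all pods carry the istio-proxy sidecar\n'
    fi
}

demo
```

On a real cluster, replace the constructed sample with pods_without_sidecar "$(collect_pod_containers default)"; an empty result means every pod in the namespace is behind a proxy, which is the precondition for the mTLS and authorization policies described earlier to cover all traffic.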

The Bookinfo application is deployed but not accessible from the outside. To make it accessible, you need to create an Istio Ingress Gateway, which maps a path to a route at the edge of your mesh.

# Associate this application with the Istio gateway:
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml

# Ensure that there are no issues with the configuration:
istioctl analyze

Output:

Command output

Execute the following command to determine whether your Kubernetes cluster is running in an environment that supports external load balancers. If you encounter any problems, please visit this page.

kubectl get svc istio-ingressgateway -n istio-system

We see that the EXTERNAL-IP is still pending. In this case, you need to bind a public EIP to the istio-ingressgateway service through the CCE console. Follow the steps below.
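The pending EXTERNAL-IP above is the normal state on CCE until an EIP is bound to the istio-ingressgateway service. Rather than re-running kubectl get svc by hand, the script below polls the service until an address is assigned, gives up after a bounded number of attempts, and then composes the Bookinfo URL. It is an added example written for this article, not code from the original post or from the Istio project. The polling function takes the command that reads the address as a parameter; fake_ip_reader at the bottom is a constructed stand-in for kubectl that reports pending once and then an address from the documentation range, so the script runs without a cluster.

```shell
#!/bin/sh
# Added example: wait for the istio-ingressgateway service to receive an external
# address instead of re-running "kubectl get svc" by hand.

# Succeeds only when $1 looks like an assigned address (not empty, not <pending>).
is_assigned() {
    case "$1" in
        ""|"<pending>") return 1 ;;
        *) return 0 ;;
    esac
}

# Real reader for a live cluster: prints the load balancer IP, or nothing while pending.
live_ip_reader() {
    kubectl get svc istio-ingressgateway -n istio-system \
        -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
}

# $1: command that prints the current address; $2: max attempts; $3: seconds between attempts.
# Prints the address and returns 0, or returns 1 after $2 unsuccessful attempts.
wait_for_ingress_ip() {
    attempt=0
    while [ "$attempt" -lt "$2" ]; do
        ip=$("$1")
        if is_assigned "$ip"; then
            printf '%s\n' "$ip"
            return 0
        fi
        attempt=$((attempt + 1))
        [ "$attempt" -lt "$2" ] && sleep "$3"
    done
    return 1
}

# $1: address, $2: HTTP port of the gateway. Prints the Bookinfo product page URL;
# port 80 is omitted so the URL matches what a browser shows.
bookinfo_url() {
    if [ "$2" = "80" ]; then
        printf 'http://%s/productpage\n' "$1"
    else
        printf 'http://%s:%s/productpage\n' "$1" "$2"
    fi
}

# Constructed stand-in for live_ip_reader: "<pending>" on the first call, then an
# address from the 203.0.113.0/24 documentation range. The call counter lives in a
# temp file because the reader runs in a command-substitution subshell.
STATE_FILE=$(mktemp)
fake_ip_reader() {
    if [ -f "$STATE_FILE" ]; then n=$(cat "$STATE_FILE"); else n=0; fi
    n=${n:-0}
    echo $((n + 1)) > "$STATE_FILE"
    if [ "$n" -lt 1 ]; then printf '<pending>\n'; else printf '203.0.113.10\n'; fi
}
reset_fake_reader() {
    rm -f "$STATE_FILE"
}

demo() {
    if ip=$(wait_for_ingress_ip fake_ip_reader 5 0); then
        printf 'ingress gateway reachable at %s\n' "$(bookinfo_url "$ip" 80)"
    else
        printf 'EXTERNAL-IP still pending: bind an EIP to istio-ingressgateway in the CCE console\n'
    fi
    reset_fake_reader
}

demo
```

Against a real cluster, call wait_for_ingress_ip live_ip_reader 30 10 after binding the EIP; a timeout means the binding has not completed and the console, not the mesh, is the place to look.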

Istio ingress

In the CCE console, we select the Services & Ingresses tab on the left and update the ingress gateway service.

Huawei Cloud CCE Service and ingress configurations

Let’s do the EIP settings as below.

Istio ships its add-ons (Kiali, Grafana, Jaeger and others) as manifests in the samples/addons directory of the Istio download we extracted during the installation. Use “kubectl apply -f samples/addons” to install all add-ons.

Istio add-ons

Kiali Dashboard

To see the Kiali dashboard, you can run the “istioctl dashboard kiali” command and access the Kiali dashboard with the given URL.

istioctl kiali dashboard

When you open the URL in a browser, you will see a page like this.

Kiali Graph page

Kiali application page.

The Kiali traffic policies page looks like this.

traffic policies

Grafana Dashboard

To access the Grafana dashboard, you can use “istioctl dashboard grafana” as follows.

istio grafana dashboard command

When you go to the Grafana URL, you will see a page like this. If you want, you can use the ready-made dashboards that come with Istio, or you can import a ready-made dashboard that fits your needs from the Grafana dashboard library.

Grafana dashboard page

Example dashboard.

grafana dashboard

Jaeger Dashboard

You can access the Jaeger page with the URL printed by the “istioctl dashboard jaeger” command.

jaeger dashboard

With Jaeger, we can view the system architecture as a graph of service dependencies.

jaeger system architecture page

The image below lists all the dashboards that istioctl dashboard can open.

Istioctl dashboards, istio addons

Conclusion

As a result, installing Istio on Huawei Cloud is a critical step for the security, stability, and scalability of your microservice-based applications. By following the steps described in this article, you can take advantage of the benefits of Istio and make your applications more secure and efficient.
