Published in IBM Cloud

Running Istio on IBM Cloud Private

A guide for IBM Cloud Private 1.2.0

Background

IBM Cloud Private

IBM Cloud Private is a Kubernetes-based platform that provides an integrated, private PaaS cloud for running on-premises enterprise workloads. The platform has three main use cases:

  • Developing and running production cloud native applications in a private cloud
  • Securely integrating and using data and services from sources external to the private cloud
  • Refactoring and modernizing heritage enterprise applications

For more information about IBM Cloud Private, see its official announcement page.

Istio

Istio is a service mesh for microservices that can encrypt traffic between services. Istio runs within Kubernetes, and using it requires no changes to the application code. Istio can manage traffic flows between microservices, enforce access policies, and aggregate telemetry data.
For more information about Istio, see Istio — About.

Install IBM Cloud Private

Install IBM Cloud Private version 1.2. See Installing a standard IBM Cloud Private environment for details.

Install kubectl

Install the Kubernetes command line interface, kubectl. See Install and Set Up kubectl.

The installation instructions for Linux are replicated below:

Download kubectl:

curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl

Make kubectl executable:

chmod +x ./kubectl

Move kubectl to your PATH:

sudo mv ./kubectl /usr/local/bin/kubectl

To install kubectl for Power® 64-bit LE, you can obtain the installation binary from the IBM Cloud Private installation files. See Accessing your IBM Cloud Private cluster by using the kubectl CLI.

For Power® 64-bit LE, run the following command:

docker run -e LICENSE=accept --net=host --rm -v /root:/data ppc64le/kubernetes:v1.6.1 cp /kubectl /data

Configure kubectl

Navigate to the IBM Cloud Private web console at https://<master_node_address>:8443 and log in. By default, the admin credentials are admin/admin.

Click admin to open the user menu and then click Configure Client. Copy the configuration information and paste it into the console of the machine where you installed kubectl. If you did not install kubectl on the master node of IBM Cloud Private, replace the server address in the first command with the web console URL that you use to access the dashboard.

The configuration information resembles the following code:

kubectl config set-cluster cfc --server=https://10.10.25.134:8001 --insecure-skip-tls-verify=true
kubectl config set-context cfc --cluster=cfc
kubectl config set-credentials user --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjY5NjI2ZDJkNjM2NjYzMmQ3MzY1NzI3NjY5NjM2NTJkNmI2NTc5NjkiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJjZmMtc2VydmljZSIsImV4cCI6MTUwMDQyNjY5OSwiaWF0IjoxNTAwMzgzNDk5LCJpc3MiOiJodHRwczovL21hc3Rlci5jZmM6ODQ0My9hY3MvYXBpL3YxL2F1dGgiLCJwcm9qZWN0cyI6WyJkZWZhdWx0Il0sInN1YiI6ImFkbWluIn0.R3Tihse_wxf1jh_rXmek49ip4SaMFr1pS8520e2U_E2KvS1M0gNig9h6dLkx0CogL9dKJt0nDWRWS9katEqO49Z9ZvvRqFRBOIErktKqJLcg1GgrfWYIzSUiA4s7I_DljLvjKYjVk43Gngz02z5lSiYqkVxUvh-I4SpQyjvjurX12sTSBNh-3OIbDJWzFvKXEBRHPoaUBbivpT78rdeQcttMHU1TyJ02qwRH6SPdKgyHaX_AMciGf-hTQb3EDs8D9Fi7YfFK533vQwyr0bSVKaqKUajd0ejY8ZQ_3guF5fzZLJwVaZkvFWZfw_Lk4JpGMmp4Py7hb8HYkYtfnVxoSw
kubectl config set-context cfc --user=user --namespace=default
kubectl config use-context cfc
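Before pasting the Configure Client snippet, it is worth seeing what you are about to trust: the token is a JWT whose claims (issuer, subject, expiry) can be read without the signing key, and the first command disables TLS verification of the API server. The check below is an added example, not part of the original article or of IBM Cloud Private; it builds a constructed snippet that reuses the page's server address and a fake token carrying the same claim names as the page's token, then reports what a practitioner should notice.

```python
import base64
import json
import re
import time

# Constructed sample in the shape of the "Configure Client" snippet above.
# The server address is the page's; the token is built here with the same
# claim names the page's token carries (aud, exp, iat, iss, projects, sub)
# and a fake signature, so no real credential is embedded.
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

SAMPLE_CLAIMS = {
    "aud": "cfc-service", "exp": 1500426699, "iat": 1500383499,
    "iss": "https://master.cfc:8443/acs/api/v1/auth",
    "projects": ["default"], "sub": "admin",
}
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode()),
    _b64url(b"fake-signature"),
])
SAMPLE_SNIPPET = f"""kubectl config set-cluster cfc --server=https://10.10.25.134:8001 --insecure-skip-tls-verify=true
kubectl config set-context cfc --cluster=cfc
kubectl config set-credentials user --token={SAMPLE_TOKEN}
kubectl config set-context cfc --user=user --namespace=default
kubectl config use-context cfc"""


def decode_claims(token: str) -> dict:
    """Return the JWT payload. This does NOT verify the signature; it is for
    inspection only, never for an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def review_snippet(snippet: str, now=None) -> dict:
    """Summarise what a practitioner should know before pasting the snippet."""
    now = time.time() if now is None else now
    token = re.search(r"--token=(\S+)", snippet).group(1)
    claims = decode_claims(token)
    return {
        "tls_verify_disabled": "--insecure-skip-tls-verify=true" in snippet,
        "issuer": claims["iss"],
        "subject": claims["sub"],
        "token_lifetime_hours": (claims["exp"] - claims["iat"]) / 3600,
        "expired": claims["exp"] <= now,
    }
```

With TLS verification disabled, anyone who can intercept traffic to port 8001 can impersonate the API server and capture this token; prefer pointing kubectl at the cluster's CA certificate once you have it.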

Check and Change Calico’s MTU

IBM Cloud Private uses Calico to manage network traffic. Calico is a scalable network fabric that can provide an IP-in-IP overlay for IP tunneling. IP-in-IP encapsulation adds a 20-byte header to every packet, so you must set the maximum transmission unit (MTU) of the tunnel interface (tunl0 below) to at least 20 bytes less than the smallest MTU of the other interfaces on each node in the IBM Cloud Private cluster.
To check the MTU values for each network interface, run this command from the master node of your cluster:

ip addr | grep mtu

Review its output:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
4: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN group default qlen 1
5: calif54cb664aca@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
6: calia008485a90e@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
7: cali9a454650cae@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
8: cali25d211466b3@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
9: cali0a68687358d@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default

Scan the output for the interface with the lowest MTU value, excluding the tunl0 interface. In this case, the ens3 interface has the lowest MTU value. Its MTU is 1450 bytes, and the MTU for tunl0, the tunnel, is 1440 bytes. Because Calico adds a 20-byte header to each encapsulated message, the MTU of the tunl0 interface must be reduced to 1430 to avoid messages being lost.
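The same check, done programmatically so it can run on every node rather than by eye. This is an added example and not part of the original article; it parses the `ip addr | grep mtu` output shown above (a subset of the page's lines, embedded as a constructed sample) and derives the tunl0 MTU that Calico's 20-byte IP-in-IP header requires.

```python
import re

# Constructed sample: a subset of the `ip addr | grep mtu` output shown above.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
4: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN group default qlen 1
5: calif54cb664aca@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
"""

IPIP_HEADER_BYTES = 20  # outer IP header that Calico's IP-in-IP tunnel adds

# "4: tunl0@NONE: <NOARP,...> mtu 1440 ..." -> name "tunl0", mtu 1440
LINE_RE = re.compile(r"^\d+: (?P<name>[^:@]+)(?:@\S+)?: <[^>]*> mtu (?P<mtu>\d+)")


def parse_mtus(output: str) -> dict:
    """Map interface name -> MTU from `ip addr` output lines."""
    mtus = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            mtus[m.group("name")] = int(m.group("mtu"))
    return mtus


def check_tunl0_mtu(output: str, tunnel: str = "tunl0") -> dict:
    """Find the smallest MTU among the non-tunnel interfaces, subtract the
    IP-in-IP header, and report whether the tunnel MTU must be lowered."""
    mtus = parse_mtus(output)
    underlay = {n: v for n, v in mtus.items() if n != tunnel}
    smallest_if = min(underlay, key=underlay.get)
    required = underlay[smallest_if] - IPIP_HEADER_BYTES
    return {
        "smallest_interface": smallest_if,
        "smallest_mtu": underlay[smallest_if],
        "current_tunnel_mtu": mtus[tunnel],
        "required_tunnel_mtu": required,
        "needs_change": mtus[tunnel] > required,
    }
```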

To reduce the MTU size, download mtu.yaml from GitHub, and set the container arg value to 1430. The MTU size parameter is on line 22 of mtu.yaml.

The image name on line 45 of mtu.yaml references a placeholder. You must replace this image name parameter with the name of the calico-ctl image that IBM Cloud Private uses. Determine the image name by running the following command:

kubectl get job configure-calico-mtu --namespace=kube-system -o yaml | grep "image:"

The image value displays something like:

image: registry.ng.bluemix.net/mdelder/calico-ctl:v1.2.1

Specify the image name in line 45 of mtu.yaml.

To apply these changes to your environment, run this command:

kubectl apply -f mtu.yaml

Install Helm and Istio

Return to the IBM Cloud Private dashboard.
Open the navigation menu and click System.

Click Repositories, then click Add Repository.

Add a repository with the name "incubator" and the URL http://storage.googleapis.com/kubernetes-charts-incubator.

Open the navigation menu and click App Center.

Locate the Istio package and click Install Package on its tile. The configuration page displays.

Scroll to the bottom, enable rbac.install, and click Review and Install. Review the settings and click Install.

Verify that the Istio Pods are Running

Before you test Istio, each Istio pod must be running:

kubectl get pods --namespace default

In the command output, confirm that each pod is running.

NAME                                                 READY     STATUS    RESTARTS   AGE
dealing-dragon-istio-ca-1445500396-2j0cr 1/1 Running 0 19h
dealing-dragon-istio-egress-1922593265-kwfvg 1/1 Running 0 19h
dealing-dragon-istio-grafana-75673227-mpqj5 1/1 Running 0 19h
dealing-dragon-istio-ingress-900258805-ld3wl 1/1 Running 0 19h
dealing-dragon-istio-istio-pilot-2560511672-gzk3t 2/2 Running 0 19h
dealing-dragon-istio-mixer-3369964069-q256v 1/1 Running 0 19h
dealing-dragon-istio-prometheus-2187359241-zk9jw 1/1 Running 0 19h
dealing-dragon-istio-servicegraph-2575582838-9vdrs 1/1 Running 0 19h
dealing-dragon-istio-zipkin-2224140931-8khrr 1/1 Running 0 19h

Install the Istio CLI

Install istioctl, the Istio CLI. Run the following commands or follow the full installation instructions.

Download the Istio release:

curl -L https://git.io/getIstio | sh -

Add istioctl to your local path:

sudo cp istio-*/bin/istioctl /usr/local/bin

Validate the Istio Install

The BookInfo App is the official Istio app. You can use this app to validate that your installation of Istio is working correctly. Install the Istio BookInfo app.

To install the BookInfo app, run this command:

kubectl apply -f <(istioctl kube-inject -f istio-*/samples/apps/bookinfo/bookinfo.yaml)

After the pods initialize, confirm that they are running:

kubectl get pods --namespace default

Review the output, and confirm that each pod has the Running status.

NAME                                                 READY     STATUS    RESTARTS   AGE
dealing-dragon-istio-ca-1445500396-2j0cr 1/1 Running 0 19h
dealing-dragon-istio-egress-1922593265-kwfvg 1/1 Running 0 19h
dealing-dragon-istio-grafana-75673227-mpqj5 1/1 Running 0 19h
dealing-dragon-istio-ingress-900258805-ld3wl 1/1 Running 0 19h
dealing-dragon-istio-istio-pilot-2560511672-gzk3t 2/2 Running 0 19h
dealing-dragon-istio-mixer-3369964069-q256v 1/1 Running 0 19h
dealing-dragon-istio-prometheus-2187359241-zk9jw 1/1 Running 0 19h
dealing-dragon-istio-servicegraph-2575582838-9vdrs 1/1 Running 0 19h
dealing-dragon-istio-zipkin-2224140931-8khrr 1/1 Running 0 19h
productpage-v1-1440812148-2tpnf 2/2 Running 0 19h
ratings-v1-3755476866-9gz7p 2/2 Running 0 19h
reviews-v1-3728017321-4x1qx 2/2 Running 0 19h
reviews-v2-196544427-mz6wp 2/2 Running 0 19h
reviews-v3-959055789-npcln 2/2 Running 0 19h
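Both pod listings above are checked by eye for READY and STATUS. The helper below is an added example, not part of the original article: it parses `kubectl get pods` output and reports pods that are not fully running, and application pods whose container count shows no injected sidecar (a pod processed by `istioctl kube-inject` runs two containers, hence 2/2 for productpage, ratings and reviews). The sample is constructed from a subset of the page's rows plus two invented pods; the application name prefixes are an assumption.

```python
# Constructed sample: a subset of the `kubectl get pods` rows shown above,
# plus two invented pods (ratings still starting, details without a sidecar).
SAMPLE_PODS = """\
NAME                                                 READY     STATUS    RESTARTS   AGE
dealing-dragon-istio-ingress-900258805-ld3wl 1/1 Running 0 19h
dealing-dragon-istio-istio-pilot-2560511672-gzk3t 2/2 Running 0 19h
productpage-v1-1440812148-2tpnf 2/2 Running 0 19h
reviews-v1-3728017321-4x1qx 2/2 Running 0 19h
ratings-v1-3755476866-9gz7p 1/2 ContainerCreating 0 5s
details-v1-0000000000-abcde 1/1 Running 0 19h
"""

# Assumed application name prefixes (BookInfo services); adjust for your app.
APP_PREFIXES = ("productpage", "reviews", "ratings", "details")


def parse_pods(output: str) -> list:
    """Turn the whitespace-separated table (header skipped) into dicts."""
    rows = []
    for line in output.splitlines()[1:]:
        name, ready, status, restarts, age = line.split()
        ready_n, total = (int(x) for x in ready.split("/"))
        rows.append({"name": name, "ready": ready_n, "containers": total,
                     "status": status, "restarts": int(restarts)})
    return rows


def check_pods(output: str, app_prefixes=APP_PREFIXES) -> dict:
    """Report pods not fully Running and app pods lacking the Envoy sidecar."""
    not_ready, missing_sidecar = [], []
    for p in parse_pods(output):
        if p["status"] != "Running" or p["ready"] != p["containers"]:
            not_ready.append(p["name"])
        is_app = p["name"].split("-")[0] in app_prefixes
        if is_app and p["containers"] < 2:
            missing_sidecar.append(p["name"])
    return {"not_ready": not_ready, "missing_sidecar": missing_sidecar}
```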

The Istio ingress pod is a front-end proxy. The ingress pod and its associated service act as a gateway for application communication between the outside world and Istio-enabled applications. To communicate with the BookInfo application, we need to know the public IP address of our cluster and the port on which the Istio ingress service is listening. The commands below accomplish that:

export PUBLIC_ADDRESS=<master node's public address>
export PUBLIC_PORT=$(kubectl get svc istio-ingress -o 'jsonpath={.spec.ports[0].nodePort}')
export GATEWAY_URL=$PUBLIC_ADDRESS:$PUBLIC_PORT

Run the following command:

curl -o /dev/null -s -w "%{http_code}\n" http://${GATEWAY_URL}/productpage

If the command returns 200, then Istio has been successfully injected into the BookInfo application!

If you navigate to the URL that is in the curl command, a page like this one displays:

Conclusion

IBM Cloud Private is a Kubernetes-based cloud platform. Running Istio within IBM Cloud Private allows for secure communication between running applications with minimal additional configuration. Another example of using Istio can be found in Todd Kaplinger's article Istio is not just for Microservices.

Originally published at developer.ibm.com.

Jesse Antoszyk, DevOps Systems Engineer at BoxBoat Technologies. The opinions expressed here are my own.
