@gswallow
Last active August 28, 2019 01:36
Indy DevOps Meetup 8/2019 - Istio

Install istio

These commands are written for a Mac (Homebrew). On Linux, substitute your package manager for the brew steps; everything else is kubectl/helm and should carry over. Throughout, read the YAML you're about to apply with kubectl before you apply it; it's short and it shows you exactly what each step grants and creates.

Get eksctl

brew tap weaveworks/tap
brew install weaveworks/tap/eksctl

Spin up a kubernetes cluster

eksctl create cluster -n indy-devops-demo -t t3.medium -N 4 -m 4 -M 4 --external-dns-access

Download istio (note: this pipes a remote script straight into sh; the same release tarballs are on https://github.com/istio/istio/releases if you'd rather fetch and inspect them first)

curl -sSL https://git.io/getLatestIstio | ISTIO_VERSION=1.2.5 sh -
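As an added example (not part of the original gist), here is the same download done without piping an unread script into sh: fetch the release tarball and the `.sha256` file published beside it on the GitHub releases page, and only unpack if the digest matches. The asset naming (`istio-<version>-osx.tar.gz` / `-linux.tar.gz`) and the presence of a `.sha256` companion file are assumptions about the release layout; check the releases page for your version. A digest served from the same origin as the tarball catches a truncated or swapped file, not a compromised release host, so treat it as an integrity check rather than authentication.

```shell
# Added example, not from the original gist. Verifies the Istio tarball against
# its published .sha256 before unpacking, instead of `curl ... | sh`.
ISTIO_VERSION="${ISTIO_VERSION:-1.2.5}"

# Use whichever SHA-256 tool the host has (macOS ships shasum, Linux sha256sum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE SUMFILE
# SUMFILE holds "<hex digest>  <filename>" as written by sha256sum/shasum.
# Returns 0 only if SUMFILE carries a well-formed 64-hex digest that equals FILE's.
verify_sha256() {
  file="$1"; sumfile="$2"
  expected="$(awk 'NR==1 {print tolower($1)}' "$sumfile")"
  case "$expected" in
    *[!0-9a-f]*|"") echo "malformed digest in $sumfile" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "digest in $sumfile is not 64 hex chars" >&2; return 1; }
  actual="$(sha256_of "$file")"
  if [ "$expected" = "$actual" ]; then
    return 0
  fi
  echo "checksum mismatch for $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# fetch_istio: download tarball plus .sha256 (assumed asset names) and unpack
# only if they agree. curl -f makes a 404 a failure instead of a saved HTML page.
fetch_istio() {
  case "$(uname -s)" in
    Darwin) os=osx ;;
    Linux)  os=linux ;;
    *) echo "unsupported OS: $(uname -s)" >&2; return 1 ;;
  esac
  tarball="istio-${ISTIO_VERSION}-${os}.tar.gz"
  base="https://github.com/istio/istio/releases/download/${ISTIO_VERSION}"
  curl -fsSLO "${base}/${tarball}" || return 1
  curl -fsSLO "${base}/${tarball}.sha256" || return 1
  verify_sha256 "$tarball" "${tarball}.sha256" || return 1
  tar xzf "$tarball"
}
```

Run `fetch_istio` in the directory where you want `istio-1.2.5/` to land; the rest of the gist's commands assume that relative path.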

Install istioctl (OS X). Note that the tarball you just downloaded already contains istioctl at istio-1.2.5/bin/istioctl, and that's the copy the rest of these commands use; brew gives you whatever version is current, so prefer the bundled one so that istioctl and the control plane match.

brew install istioctl
# Setup shell completion (see https://istio.io/docs/ops/setup/istioctl/)

Check that your cluster supports istio

./istio-1.2.5/bin/istioctl verify-install

Install helm (OS X) (note: see https://helm.sh/docs/using_helm/#securing-your-helm-installation)

brew install kubernetes-helm

Create a service account for tiller

kubectl apply -f istio-1.2.5/install/kubernetes/helm/helm-service-account.yaml

Install tiller. Note: the service account created above is bound to the cluster-admin ClusterRole, and a plain helm init gives Tiller no TLS, so anything that can reach Tiller's gRPC port inside the cluster can deploy arbitrary resources as cluster-admin. That's acceptable for a throwaway demo cluster; for anything shared, enable Tiller TLS and scope its RBAC as described at https://helm.sh/docs/using_helm/#securing-your-helm-installation

helm init --service-account tiller

Add the Istio helm repo

helm repo add istio.io https://storage.googleapis.com/istio-release/releases/1.2.5/charts/

Create an istio-system namespace

kubectl create namespace istio-system

Initialize Istio CRDs

helm install istio-1.2.5/install/kubernetes/helm/istio-init \
 --name istio-init \
 --namespace istio-system \
 --set certmanager.enabled=true 

kubectl get crds | grep 'istio.io\|certmanager.k8s.io' | wc -l # 28
kubectl get crds

Install Istio

Note: there are a ton of options at https://istio.io/docs/reference/config/installation-options/#gateways-options

helm install istio-1.2.5/install/kubernetes/helm/istio \
 --name istio \
 --namespace istio-system \
 --values istio-1.2.5/install/kubernetes/helm/istio/values-istio-sds-auth.yaml \
 --set certmanager.enabled=true \
 --set certmanager.email=gswallow@gmail.com \
 --set gateways.istio-ingressgateway.sds.enabled=true \
 --set global.proxy.logLevel=info \
 --set global.sds.enabled=true \
 --set grafana.enabled=true \
 --set istiocoredns.enabled=true \
 --set kiali.enabled=true \
 --set mixer.policy.enabled=true \
 --set nodeagent.enabled=true \
 --set tracing.enabled=true

Note that we have new API resources

kubectl api-resources --api-group=networking.istio.io
kubectl api-resources --api-group=certmanager.k8s.io

Enable automatic sidecar injection for the "default" namespace. Only pods created after this label is set get the istio-proxy sidecar; anything already running in default has to be recreated to pick it up.

kubectl label namespace default istio-injection=enabled
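Because injection only applies to pods created after the label is set, a pod that was already running keeps talking plain HTTP, and once mTLS is on it becomes unreachable from meshed peers until it is restarted. As an added example (not part of the original gist), the script below audits a namespace for pods with no istio-proxy container. The kubectl jsonpath output format (one line per pod: pod name, then its container names) is what `list_pod_containers` produces; the parsing function is separated out so it can be tested on constructed input.

```shell
# Added example, not from the original gist: find pods in a namespace that did not
# get the istio-proxy sidecar (for instance because they predate the injection label).

# pods_missing_sidecar reads lines of "<pod> <container> <container> ..." on stdin and
# prints the name of every pod whose container list contains no "istio-proxy".
pods_missing_sidecar() {
  while read -r pod containers; do
    [ -n "$pod" ] || continue
    found=no
    for c in $containers; do
      [ "$c" = "istio-proxy" ] && found=yes
    done
    [ "$found" = yes ] || echo "$pod"
  done
}

# list_pod_containers NAMESPACE: one line per pod, pod name followed by its container names.
list_pod_containers() {
  kubectl get pods -n "$1" \
    -o jsonpath='{range .items[*]}{.metadata.name}{" "}{range .spec.containers[*]}{.name}{" "}{end}{"\n"}{end}'
}

# audit_sidecars NAMESPACE: returns 1 and lists the offenders if any pod lacks the sidecar.
audit_sidecars() {
  ns="$1"
  missing="$(list_pod_containers "$ns" | pods_missing_sidecar)"
  if [ -n "$missing" ]; then
    echo "pods in $ns without istio-proxy (recreate them to get injected):" >&2
    echo "$missing" >&2
    return 1
  fi
  echo "all pods in $ns have the istio-proxy sidecar"
}
```

Run `audit_sidecars default` after deploying bookinfo below; every pod should also show 2/2 READY in `kubectl get pods`, the second container being the sidecar.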

Start routing traffic

From here we'll follow the Istio-supplied demo app, Bookinfo: https://istio.io/docs/examples/bookinfo/ Deploy it and check that it's up and running inside the cluster (the pods take a minute or two to come up, each with its app container plus the injected istio-proxy):

kubectl apply -f istio-1.2.5/samples/bookinfo/platform/kube/bookinfo.yaml
# sleep 90, or watch with: kubectl get pods -w   (every bookinfo pod should reach 2/2 READY: app + istio-proxy)
kubectl exec -it $(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}') -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"
kubectl apply -f istio-1.2.5/samples/bookinfo/networking/bookinfo-gateway.yaml
kubectl get gw bookinfo-gateway -oyaml
kubectl get vs bookinfo -oyaml
export INGRESS_HOST=$(kubectl get service istio-ingressgateway -n istio-system -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
curl -s http://$INGRESS_HOST/productpage | grep -o '<title>.*</title>'

That gives us the simplest possible router: the Gateway listens on port 80 for any Host header (hosts: "*"), and the VirtualService sends the handful of paths it lists (/productpage, /static, /login, /logout, /api/v1/products) to the productpage service on port 9080. The two objects are linked by name and by labels: the VirtualService's gateways field names the Gateway, and the Gateway's selector (istio: ingressgateway) matches the labels on the istio-ingressgateway pods, so the resulting config is pushed into the istio-proxy container running in those pods, which the istio-ingressgateway Service fronts. Let's trace it:

kubectl get pod -l app=istio-ingressgateway -n istio-system -ojsonpath='{.items[*].spec.containers[*].name}'
kubectl get svc istio-ingressgateway -n istio-system -ojsonpath='{.metadata.labels}'
kubectl get gw bookinfo-gateway -ojsonpath='{.spec.selector}'
kubectl get vs bookinfo -ojsonpath='{.spec.gateways}'

Now, let's break it down one level further. A route in the VirtualService points at a host; a DestinationRule for that host carries the traffic policy (here tls mode ISTIO_MUTUAL, i.e. mTLS to the destination's sidecar) and the named subsets; and the host itself is just an ordinary Kubernetes Service:

kubectl apply -f istio-1.2.5/samples/bookinfo/networking/destination-rule-all-mtls.yaml
kubectl get vs bookinfo -ojsonpath='{.spec.http[0].route[*].destination.host}'
kubectl get dr productpage -oyaml
kubectl get service productpage -oyaml   # bookinfo.yaml creates no "bookinfo" Service; the route's host is productpage

(As an aside: mTLS between the sidecar-injected services was switched on when we installed Istio, via values-istio-sds-auth.yaml, and the destination rules we just applied set tls mode ISTIO_MUTUAL for each host, so the productpage to reviews to ratings hops are already encrypted and peer-authenticated with SPIFFE identities, with no changes to the apps. Mind. Blown. Two caveats: only workloads in namespaces with sidecar injection are covered, and if you want to confirm a particular pod-to-service path, istioctl's authn tls-check subcommand reports the client and server TLS settings for it.)

Create additional virtual services:

kubectl get vs
kubectl apply -f istio-1.2.5/samples/bookinfo/networking/virtual-service-all-v1.yaml
kubectl get vs
kubectl get vs productpage -oyaml
curl -s http://$INGRESS_HOST/productpage | grep -o '<title>.*</title>'

From here, you can explore more advanced Istio features by going through their task-based tutorials: https://istio.io/docs/tasks/

# Production Let's Encrypt issuer: real, browser-trusted certificates, strict rate limits.
# Replace the placeholder email; Let's Encrypt uses it for expiry and revocation notices.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  labels:
    app: certmanager
    chart: certmanager
    heritage: Tiller
    release: istio
  name: letsencrypt-dns
spec:
  acme:
    email: change@me.org
    dns01:
      providers:
      - name: route53
        route53:
          region: us-east-1
    privateKeySecretRef:
      key: ""
      name: letsencrypt-dns
    server: https://acme-v02.api.letsencrypt.org/directory
---
# Staging issuer: same flow against Let's Encrypt's staging CA. Its certificates are not
# trusted by browsers, but the rate limits are generous, so debug DNS01 here first.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  labels:
    app: certmanager
    chart: certmanager
    heritage: Tiller
    release: istio
  name: letsencrypt-staging-dns
spec:
  acme:
    email: change@me.org
    dns01:
      providers:
      - name: route53
        route53:
          region: us-east-1
    privateKeySecretRef:
      key: ""
      name: letsencrypt-staging-dns
    server: https://acme-staging-v02.api.letsencrypt.org/directory
# The IAM policy that eksctl creates is wrong.
# {
#   "Version": "2012-10-17",
#   "Statement": [
#     {
#       "Action": [
#         "route53:ListHostedZones",
#         "route53:ListHostedZonesByName",
#         "route53:ListResourceRecordSets",
#         "route53:GetChange"
#       ],
#       "Resource": "*",
#       "Effect": "Allow"
#     }
#   ]
# }
---
# The Certificate lives in istio-system because the ingress gateway's SDS agent reads
# TLS secrets from its own namespace. It is issued from the staging issuer, so the
# result is not browser-trusted; point issuerRef.name at letsencrypt-dns once DNS01 works.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: bookinfo.gregonaws.net
  namespace: istio-system
spec:
  commonName: bookinfo.gregonaws.net
  acme:
    config:
    - dns01:
        provider: route53
      domains:
      - bookinfo.gregonaws.net
  domains:
  - bookinfo.gregonaws.net
  dnsNames:
  - bookinfo.gregonaws.net
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-staging-dns
  secretName: bookinfo.gregonaws.net