Istio (noun) means 'sail' in Greek. Istio Service Mesh is being adopted as the underlying platform for deploying microservices, particularly in the cloud. Istio service mesh works on top of Kubernetes.
This gist describes the first few steps to set up Istio Service Mesh on a single machine and try out a few interesting features. This is only for dev / test purpose.
For production deployments, we need a Kubernetes cluster (often set up on the cloud).
You can find a recorded demo on youtube.
We need a fairly powerful machine to run Istio even for dev set-up. We tested on the following environment:
- Ubuntu 18.10 Desktop
- 5 GB RAM
- 4 CPUs
We actually used a Ubuntu VM running on VirtualBox on Windows
Check CPU and memory available on your Linux system using commands:
grep -c ^processor /proc/cpuinfo
grep ^MemTotal /proc/meminfo- We had to install curl and socat packages:
sudo apt install -y curl socatThen we installed docker, minikube, kubectl and istio.
| Package | Version Used |
|---|---|
| Docker | 19.03.4 |
| Minikube | 1.4.0 |
| Kubectl | 1.6.2 |
| Istio | 1.3.3 |
- First we installed docker community edition . Please follow instructions from Docker documentation .
- We installed Minikube, a single node Kubernetes set-up (please refer to Minikube documentation )
# Install latest version of Minikube
curl -Lo minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 \
&& chmod +x minikube
# Place it on the $PATH
sudo install minikube /usr/local/bin/- Then we installed kubectl using a package installer ( kubectl is a CLI for Kubernetes):
sudo apt-get update && sudo apt-get install -y apt-transport-https
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee -a /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update
sudo apt-get install -y kubectl- Finally we installed Istio service mesh (we simply need to download the latest version of Istio)
curl -L https://git.io/getLatestIstio | sh -This creates a directory istio-1.3.3 on our machine.
Since we are running this inside a VM, we set vm-driver=none option while starting minikube. With this option, root privileges are needed.
sudo minikube start --vm-driver=none
We set up an Istio environment on Minikube suitable for running a simple demo application (BookInfo). This application is bundled with Istio.
- First Custom Resource Definitions have to be applied. These resource definitions are already bundled with Istio.
cd istio-1.3.3
for i in install/kubernetes/helm/istio-init/files/crd*yaml; do sudo kubectl apply -f $i; done
Note: All kubectl commands in our set-up will have to be run with root privileges, since we are running Minikube with root privileges.
- Then we install a demo-profile of Istio on Minikube. The demo profile is defined in a
.yamlfile in Istio. There are two variants: one using permissive mutual TLS (for communication between the pods), and another using strict mutual TLS. For our set-up we used permissive mutual TLS.
cd istio-1.3.3
sudo kubectl apply -f install/kubernetes/istio-demo.yaml
This will create a namespace called istio-system on Minikube, and set up a large number of services and pods related to Istio (not related to the demo application).
For example, Prometheus, Grafana, Jaeger, etc., which Istio uses, will be set up on Kubernetes.
We can check out that these services and pods are running. It might take a few minutes depending on machine configuration.
sudo kubectl get svc -n istio-system
sudo kubectl get deployments -n istio-system
sudo kubectl get pods -n istio-system
This step is simple but crucial.
The kubernetes pods for the BookInfo application will run on the default namespace on Minikube. We have to enable side-car injection on to this namespace. (You can create another namespace for this purpose if needed.)
sudo kubectl label namespace default istio-injection=enabled
Now we are ready to deploy the BookInfo Sample Application which comes bundled with Istio. Note that this application will be deployed on the default namespace on Minikube, not on the istio-system namespace.
Deployment descriptors (.yaml file) is already bundled with Istio. To deploy, run:
cd istio-1.3.3
sudo kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
We can verify that the services and pods for the BookInfo application (on default namespace) are running. It might take a few minutes for the pods to be ready.
sudo kubectl get svc
sudo kubectl get deployments
sudo kubectl get pods
Once the pods running the BookInfo application are up and running, we can access this application.
- First we access a pod on which a HTTP service (Book ratings) is running, directly.
sudo kubectl exec -it $(sudo kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}') -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"
- Then we try to access the BookInfo application externally.
To do so, we have to first install a Gateway, using a .yaml file already bundled with Istio.
cd istio-1.3.3
sudo kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
We can verify that the Gateway is set up:
sudo kubectl get gateway
To access the BookInfo application externally through the Gateway, we need to find out the URL (host and port) of the Gateway. This is also called the Ingress host and port.
# Determine Ingress Host
export INGRESS_HOST=$(sudo minikube ip)
# Determine Ingress Port
export INGRESS_PORT=$(sudo kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
Hence find out the Gateway URL:
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
echo $GATEWAY_URL
Now access the application externally through the Gateway:
curl -s http://${GATEWAY_URL}/productpage | grep -o "<title>.*</title>"
Istio has many many features, but for our initial dev set-up, we would like to check out the following:
- Service Graph (Kiali)
- Dashboard (Grafana)
- Monitoring (Prometheus)
- Distributed Tracing (Jaeger)
- Traffic Management
First we simply bring up the browser interfaces for the first four services above. Later we run a command to send repeated HTTP requests every 1 second to the BookInfo application, and re-visit each browser interface. In the end, we try out a simple traffic management use case.
The pods running the various services are tagged (for example, app=kiali). This makes it easier to forward the ports on the relevant pods to similar ports on the localhost.
Tip: Run each of the port-forwarding commands below on a separate terminal.
- To port-forward Kiali (running on port 20001):
sudo kubectl -n istio-system port-forward $(sudo kubectl -n istio-system get pod -l app=kiali -o jsonpath="{.items[0].metadata.name}") 20001:20001
- To port forward Grafana (running on port 3000):
sudo kubectl -n istio-system port-forward $(sudo kubectl -n istio-system get pod -l app=grafana -o jsonpath="{.items[0].metadata.name}") 3000:3000
- To port forward Prometheus (running on port 9090):
sudo kubectl -n istio-system port-forward $(sudo kubectl -n istio-system get pod -l app=prometheus -o jsonpath="{.items[0].metadata.name}") 9090:9090
- To port forward Jaeger (running on port 16686):
sudo kubectl port-forward -n istio-system $(sudo kubectl get pod -n istio-system -l app=jaeger -o jsonpath="{.items[0].metadata.name}") 16686:16686
These four services can now be accessed through a browser on localhost using the following URLs:
| Service | URL |
|---|---|
| Kiali | http://localhost:20001 |
| Grafana | http://localhost:3000/ |
| Prometheus | http://localhost:9090/graph |
| Jaeger | http://localhost:16686 |
For now, we simply check that the URLs above are accessible.
For Kiali web UI, log in with default username / password (admin / admin)
You can send repeated HTTP requests to the product page of the BookInfo app, using the watch command on Linux:
watch -n 1 curl -o /dev/null -s -w %{http_code} $GATEWAY_URL/productpage
This will send 1 request every second.
After a few seconds, we can access the browser interfaces of the service graph, dashboard, monitoring and tracing services. Now a lot more graphs, metrics, and tracing information will be visible.
We'll just touch upon this feature. It requires more time to test it out fully.
The BookInfo demo comes with a few destination rules, which can be applied as follows:
sudo kubectl apply -f samples/bookinfo/networking/destination-rule-all-mtls.yaml
We can dump all the rules just applied, using the command:
sudo kubectl get destinationrules -o yaml
Clean-up tasks (.yaml descriptors) are also bundled with Istio.
- You can clean-up the BookInfo app using the command:
cd istio-1.3.3
sudo samples/bookinfo/platform/kube/cleanup.sh
- You can clean-up the Istio set-up on Minikube using the command:
cd istio-1.3.3
sudo kubectl delete -f install/kubernetes/istio-demo.yaml
- You can even undeploy Minikube itself
sudo minikube stop
sudo minikube delete