Istio on AWS

From PKC

Preface

Pre-Requisite

What is istio

Installing Istio

To install Istio, first download the release onto the local machine with the command below. At the time this document was written, the current version of Istio was 1.11.2.

curl -L https://istio.io/downloadIstio | sh -

Move to the Istio installation folder:

cd istio-1.11.2

Add the istioctl client to your path (Linux or macOS):

export PATH=$PWD/bin:$PATH

Then install Istio on the cluster:

istioctl install --set profile=demo -y

Please note that we are going to install the demo application. The next step is to enable sidecar injection on the default namespace.

kubectl label namespace default istio-injection=enabled

Next, deploy the Bookinfo sample application.

kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

Inspecting the installation result.

kubectl get pod

Output :

NAME                              READY   STATUS            RESTARTS   AGE
details-v1-79f774bdb9-2vfgq       0/2     PodInitializing   0          9s
productpage-v1-6b746f74dc-lp2dh   0/2     PodInitializing   0          3s
ratings-v1-b6994bb9-6hftr         0/2     PodInitializing   0          7s
reviews-v1-545db77b95-rt69k       0/2     PodInitializing   0          6s
reviews-v2-7bf8c9648f-tvgn6       0/2     PodInitializing   0          5s
reviews-v3-84779c7bbc-trknm       0/2     PodInitializing   0          4s

kubectl get services

Output :

NAME          TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
details       ClusterIP   10.100.109.10    <none>        9080/TCP   21s
kubernetes    ClusterIP   10.100.0.1       <none>        443/TCP    68m
productpage   ClusterIP   10.100.151.213   <none>        9080/TCP   15s
ratings       ClusterIP   10.100.1.63      <none>        9080/TCP   20s
reviews       ClusterIP   10.100.119.183   <none>        9080/TCP   18s

Please ensure that every pod shows READY 2/2 before proceeding to the next step. Verify that everything is working correctly up to this point. Run this command to see whether the app is running inside the cluster and serving HTML pages by checking for the page title in the response:

kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"

Output:

<title>Simple Bookstore App</title>

Exposing Application to outside traffic

At this point, the application is already running, but we cannot access it from the outside. To make it accessible, you need to create an Istio Ingress Gateway, which maps a path to a route at the edge of your mesh. There are two steps that we need to execute to do this.

1. Associate this application with the Istio gateway:

kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml

Expected Output:

gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created

2. Ensure that there are no issues with the configuration:

istioctl analyze

Expected Output:

✔ No validation issues found when analyzing namespace: default.

3. Determine the ingress IP and ports. Execute the following command to determine whether your Kubernetes cluster is running in an environment that supports external load balancers:

kubectl get svc istio-ingressgateway -n istio-system

Expected output, tabled out from the shell output:

NAME          istio-ingressgateway
TYPE          LoadBalancer
CLUSTER-IP    10.100.32.131
EXTERNAL-IP   a63eca23a2998474c9feda458e127103-292095897.us-west-2.elb.amazonaws.com
PORT(S)       15021:31607/TCP,80:30526/TCP,443:30361/TCP,31400:30605/TCP,15443:32431/TCP

If the EXTERNAL-IP value is set, your environment has an external load balancer that you can use for the ingress gateway. If the EXTERNAL-IP value is <none> (or perpetually <pending>), your environment does not provide an external load balancer for the ingress gateway. In this case, you can access the gateway using the service’s node port.
There are three environment variables that we need to set inside the cluster's ingress controller to enable the external traffic.
In AWS environments, the load balancer may be exposed using a host name instead of an IP address. In this case, the ingress gateway’s EXTERNAL-IP value will not be an IP address, but rather a host name. Please use the commands below to set the environment variables:

export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
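
The choice described above between a host name, an IP address and no external load balancer can be checked before INGRESS_HOST is exported, so that an empty value never reaches later commands. This is an added example, not part of the original page; the function names (external_ip_from_table, ingress_field, set_ingress_host) are hypothetical, and the sample table reuses the page's expected values with a constructed AGE.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Constructed sample: the page's expected values laid out as kubectl prints
# them; the AGE value is made up.
SAMPLE_TABLE='NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.100.32.131 a63eca23a2998474c9feda458e127103-292095897.us-west-2.elb.amazonaws.com 15021:31607/TCP,80:30526/TCP,443:30361/TCP,31400:30605/TCP,15443:32431/TCP 5m'

# Read the table from `kubectl get svc istio-ingressgateway -n istio-system`
# on stdin and print the EXTERNAL-IP column of the gateway row.
external_ip_from_table() {
  awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "EXTERNAL-IP") col = i; next }
       col && $1 == "istio-ingressgateway" { print $col }'
}

# Map an EXTERNAL-IP value to the .status.loadBalancer.ingress[0] field that
# holds it: "hostname" (typical on AWS), "ip", or "none" (fall back to node port).
ingress_field() {
  case "$1" in
    ''|'<none>'|'<pending>') echo none ;;
    *:*)                     echo ip ;;        # IPv6 literal
    *[!0-9.]*)               echo hostname ;;  # contains letters: DNS name
    *)                       echo ip ;;        # dotted IPv4
  esac
}

# Export INGRESS_HOST from the live cluster; fail instead of exporting an empty
# value, which is what querying .ip yields on an AWS hostname-only balancer.
set_ingress_host() {
  ext=$(kubectl -n istio-system get svc istio-ingressgateway | external_ip_from_table)
  field=$(ingress_field "$ext")
  if [ "$field" = none ]; then
    echo "no external load balancer (EXTERNAL-IP='$ext'); use the node port" >&2
    return 1
  fi
  INGRESS_HOST=$(kubectl -n istio-system get svc istio-ingressgateway \
    -o jsonpath="{.status.loadBalancer.ingress[0].$field}")
  [ -n "$INGRESS_HOST" ] || { echo "INGRESS_HOST resolved to empty" >&2; return 1; }
  export INGRESS_HOST
}
```

Source the file and call set_ingress_host in place of the first export line; the two port variables are set as shown above.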