A Service Mesh provides a uniform way to connect, secure, and monitor microservice applications in your OpenShift / Kubernetes container environment. A mesh can be described as a network of microservices that make up applications in a distributed microservice architecture. This tutorial will walk you through steps for installing Istio Service Mesh on OpenShift 4.x Cluster.
Red Hat OpenShift Service Mesh is based on the open source Istio project. It makes it easy to create a network of deployed services that provides discovery, load balancing, service-to-service authentication, failure recovery, metrics, and monitoring.
OpenShift Courses:
Practical OpenShift for Developers – New Course 2021
Ultimate Openshift (2021) Bootcamp by School of Devops
Features of Istio Service Mesh
- Traffic Management – Control the flow of traffic and API calls between services, make calls more reliable, and make the network more robust in the face of adverse conditions.
- Service Identity and Security – Provide services in the mesh with a verifiable identity and provide the ability to protect service traffic as it flows over networks of varying degrees of trustworthiness.
- Policy Enforcement – Apply organizational policy to the interaction between services, ensure access policies are enforced and resources are fairly distributed among consumers. Policy changes are made by configuring the mesh, not by changing application code.
- Telemetry – Gain understanding of the dependencies between services and the nature and flow of traffic between them, providing the ability to quickly identify issues.
Components of Istio Service Mesh
The Istio service mesh is split into control plane and data plane.
Control plane components:
- Pilot – It configures the Envoy sidecar proxies at runtime.
- Mixer – It enforces access control and usage policies. It is also responsible for collection of telemetry data from the Envoy proxy and other services.
- Citadel – For certificates management – issuing and rotation.
- Galley – This ingests the service mesh configuration, then validates, processes, and distributes the configuration.
Data plane:
The data plane is composed of a set of intelligent proxies (Envoy) deployed as sidecars. These proxies mediate and control all network communication between microservices. They also collect and report telemetry on all mesh traffic.
Envoy built-in features include:
- Dynamic service discovery
- Load balancing
- TLS termination
- HTTP/2 and gRPC proxies
- Circuit breakers
- Health checks
- Staged rollouts with %-based traffic split
- Fault injection
- Rich metrics
Red Hat OpenShift Service Mesh also provides more complex operational functions including:
- A/B testing
- Canary releases
- Rate limiting
- Access control
- End-to-end authentication
Install Istio Service Mesh on OpenShift 4.x
Now follow the next few steps to install and configure Red Hat OpenShift Service Mesh – Based on Istio. The istio-operator will be used to manage the installation of the Istio control plane.
Step 1: Install Elasticsearch Operator
The Elasticsearch operator enables you to configure and manage an Elasticsearch cluster for tracing and logging with Jaeger.
Log in to the OpenShift Container Platform web console and navigate to Operators > OperatorHub > Search Elasticsearch Operator
Click “Install“.
Select All namespaces on the cluster (default) for installation mode and automatic approval strategy.
Click Subscribe to initiate installation.
Step 2: Install Jaeger Operator
Jaeger lets you perform tracing to monitor and troubleshoot transactions in complex distributed systems.
Navigate to Operators > OperatorHub > Search Jaeger Operator
Click “Continue” to and select other settings as below to Subscribe.
Step 3: Install Kiali Operator
Kiali enables you to view configurations, monitor traffic, and view and analyze traces in a single console. To install it search for “Kiali Operator” on OperatorHub.
Select installation mode, update channel and approval strategy.
All three operators should now be installed.
Step 4: Install the Red Hat OpenShift Service Mesh Operator
Once Jaeger, Kiali and Elasticsearch operators are installed, proceed to install Istio Service Mesh Operator provided by Red Hat.
Navigate to Operators > OperatorHub > Red Hat OpenShift Service Mesh
Select All namespaces on the cluster (default) to install the Service Mesh Operator in the openshift-operators project.
Click Install and stable Update Channel with Automatic Approval Strategy.
The operator should be visible in the openshift-operators project.
Step 5: Configure Service Mesh control plane
We can now deploy the Service Mesh control plane which defines the configuration to for Control plane installation.
Create a new project: Home > Projects > Create Project
Name the project istio-system
Creation of project automatically switch to new project in OpenShift. Navigate to Operators > Installed Operators > Istio Service Mesh Control Plane
Click Create ServiceMeshControlPlane
A default ServiceMeshControlPlane template is provided in YAML format. Modify these to fit your use case. You can refer to Customization guide for more details.
I customized my configuration to look like below.
NOTE: Please don’t COPY PASTE this configuration – it includes tolerations for running Istio services on infra nodes with taints. It may not work for you!!.
apiVersion: maistra.io/v1
kind: ServiceMeshControlPlane
metadata:
name: full-install
namespace: istio-system
spec:
istio:
global:
proxy:
accessLogFile: "/dev/stdout"
mtls:
enabled: false
disablePolicyChecks: true
policyCheckFailOpen: false
outboundTrafficPolicy:
mode: "REGISTRY_ONLY"
gateways:
istio-ingressgateway:
autoscaleEnabled: true
ior_enabled: true
istio-egressgateway:
autoscaleEnabled: true
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- key: infra
value: reserved
effect: NoSchedule
- key: infra
value: reserved
effect: NoExecute
mixer:
enabled: true
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- key: infra
value: reserved
effect: NoSchedule
- key: infra
value: reserved
effect: NoExecute
kiali:
enabled: true
dashboard:
viewOnlyMode: false
ingress:
enabled: true
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- key: infra
value: reserved
effect: NoSchedule
- key: infra
value: reserved
effect: NoExecute
grafana:
enabled: true
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- key: infra
value: reserved
effect: NoSchedule
- key: infra
value: reserved
effect: NoExecute
tracing:
enabled: true
jaeger:
template: all-in-oneClick “Create” and control plane should start installing.
You can check the status of the control plane installation from CLI
$ oc get smcp -n istio-systemYou can watch the progress of the Pods as they are created.
$ oc get pods -n istio-system -wStep 6: Configure Service Mesh member roll
The Projects that belong to the control plane are listed in ServiceMeshMemberRoll. You need to create a ServiceMeshMemberRoll resource named default in the istio-system project.
Switch to istio-system project: Home > Projects > istio-system
The navigate to Operators > Installed Operators > Red Hat OpenShift Service Mesh > Istio Service Mesh Member Roll
Under ServiceMeshMemberRolls click Create ServiceMeshMemberRoll.
Add the projects you want to be part of Istio service mesh and click “Create“. From CLI, the ServiceMeshMemberRoll resource can be updated after creation.
$ oc edit smmr -n istio-systemStep 7: Deploy applications with Automatic sidecar injection
To deploy your applications into the Service Mesh, you must opt in to injection by specifying the sidecar.istio.io/inject annotation with a value of "true".
See example below.
apiVersion: apps/v1
kind: Deployment
metadata:
name: sleep
spec:
replicas: 1
template:
metadata:
annotations:
sidecar.istio.io/inject: "true"
labels:
app: sleep
spec:
containers:
- name: sleep
image: tutum/curl
command: ["/bin/sleep","infinity"]
imagePullPolicy: IfNotPresent
For pre-existing applications in a project added as member to control plane, you can update the pod template in the deployment by adding or modifying an annotation:
$ oc patch deployment/<deployment> -p '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt": "'`date -Iseconds`'"}}}}}'You can learn more by going through the Deploy Bookinfo scenario.
More guides on OpenShift.
Configure Chrony NTP Service on OpenShift 4.x / OKD 4.x
Run Ceph toolbox for Rook on Kubernetes / OpenShift
Add Harbor Image Registry Pull Secret to Kubernetes / OpenShift
Manage OpenShift / OKD Users with HTPasswd Identity Provider
