
A Service Mesh provides a uniform way to connect, secure, and monitor microservice applications in your OpenShift / Kubernetes container environment. A mesh can be described as a network of microservices that make up applications in a distributed microservice architecture. This tutorial will walk you through steps for installing Istio Service Mesh on OpenShift 4.x Cluster.

Red Hat OpenShift Service Mesh is based on the open source Istio project. It makes it easy to create a network of deployed services that provides discovery, load balancing, service-to-service authentication, failure recovery, metrics, and monitoring.

Features of Istio Service Mesh

  • Traffic Management – Control the flow of traffic and API calls between services, make calls more reliable, and make the network more robust in the face of adverse conditions.
  • Service Identity and Security – Provide services in the mesh with a verifiable identity and provide the ability to protect service traffic as it flows over networks of varying degrees of trustworthiness.
  • Policy Enforcement – Apply organizational policy to the interaction between services, ensure access policies are enforced and resources are fairly distributed among consumers. Policy changes are made by configuring the mesh, not by changing application code.
  • Telemetry – Gain understanding of the dependencies between services and the nature and flow of traffic between them, providing the ability to quickly identify issues.

Components of Istio Service Mesh

The Istio service mesh is split into control plane and data plane.

Control plane components:

  • Pilot – It configures the Envoy sidecar proxies at runtime.
  • Mixer – It enforces access control and usage policies. It is also responsible for collection of telemetry data from the Envoy proxy and other services.
  • Citadel – Certificate management: issuing and rotating the certificates that give services their identity.
  • Galley – This ingests the service mesh configuration, then validates, processes, and distributes the configuration.

Data plane:

The data plane is composed of a set of intelligent proxies (Envoy) deployed as sidecars. These proxies mediate and control all network communication between microservices. They also collect and report telemetry on all mesh traffic.

Envoy built-in features include:

  • Dynamic service discovery
  • Load balancing
  • TLS termination
  • HTTP/2 and gRPC proxies
  • Circuit breakers
  • Health checks
  • Staged rollouts with %-based traffic split
  • Fault injection
  • Rich metrics

Red Hat OpenShift Service Mesh also provides more complex operational functions including:

  • A/B testing
  • Canary releases
  • Rate limiting
  • Access control
  • End-to-end authentication

Install Istio Service Mesh on OpenShift 4.x

Now follow the next few steps to install and configure Red Hat OpenShift Service Mesh – Based on Istio. The istio-operator will be used to manage the installation of the Istio control plane.

Step 1: Install Elasticsearch Operator

The Elasticsearch operator enables you to configure and manage an Elasticsearch cluster for tracing and logging with Jaeger.

Log in to the OpenShift Container Platform web console and navigate to Operators > OperatorHub > Search Elasticsearch Operator

Click “Install”.

Select All namespaces on the cluster (default) for installation mode and automatic approval strategy.

Click Subscribe to initiate installation.

Step 2: Install Jaeger Operator

Jaeger lets you perform tracing to monitor and troubleshoot transactions in complex distributed systems.

Navigate to Operators > OperatorHub > Search Jaeger Operator

Click “Continue”, then select the remaining settings as shown below and click Subscribe.

Step 3: Install Kiali Operator

Kiali enables you to view configurations, monitor traffic, and view and analyze traces in a single console. To install it search for “Kiali Operator” on OperatorHub.

Select installation mode, update channel and approval strategy.

All three operators should now be installed.

Step 4: Install the Red Hat OpenShift Service Mesh Operator

Once Jaeger, Kiali and Elasticsearch operators are installed, proceed to install Istio Service Mesh Operator provided by Red Hat.

Navigate to Operators > OperatorHub > Red Hat OpenShift Service Mesh

Select All namespaces on the cluster (default) to install the Service Mesh Operator in the openshift-operators project.

Click Install, then select the stable update channel with the Automatic approval strategy.

The operator should be visible in the openshift-operators project.

Step 5: Configure Service Mesh control plane

We can now create the ServiceMeshControlPlane resource, which defines the configuration used for the control plane installation.

Create a new project: Home > Projects > Create Project

Name the project istio-system

Creating the project automatically switches you to the new project in OpenShift. Navigate to Operators > Installed Operators > Istio Service Mesh Control Plane

Click Create ServiceMeshControlPlane

A default ServiceMeshControlPlane template is provided in YAML format. Modify it to fit your use case; refer to the Customization guide for more details.

I customized my configuration to look like below.

NOTE: Please don’t COPY PASTE this configuration – it includes tolerations for running Istio services on infra nodes with taints. It may not work for you!

apiVersion: maistra.io/v1
kind: ServiceMeshControlPlane
metadata:
  name: full-install
  namespace: istio-system
spec:
  istio:
    global:
      proxy:
        accessLogFile: "/dev/stdout"
      mtls:
        enabled: false
      disablePolicyChecks: true
      policyCheckFailOpen: false
      outboundTrafficPolicy:
        mode: "REGISTRY_ONLY"
    gateways:
      istio-ingressgateway:
        autoscaleEnabled: true
        ior_enabled: true
      istio-egressgateway:
        autoscaleEnabled: true
        nodeSelector:
          node-role.kubernetes.io/infra: ""
        tolerations:
          - key: infra
            value: reserved
            effect: NoSchedule
          - key: infra
            value: reserved
            effect: NoExecute
    mixer:
      enabled: true
      nodeSelector:
        node-role.kubernetes.io/infra: ""
      tolerations:
        - key: infra
          value: reserved
          effect: NoSchedule
        - key: infra
          value: reserved
          effect: NoExecute
    kiali:
      enabled: true
      dashboard:
        viewOnlyMode: false
      ingress:
        enabled: true
      nodeSelector:
        node-role.kubernetes.io/infra: ""
      tolerations:
        - key: infra
          value: reserved
          effect: NoSchedule
        - key: infra
          value: reserved
          effect: NoExecute
    grafana:
      enabled: true
      nodeSelector:
        node-role.kubernetes.io/infra: ""
      tolerations:
        - key: infra
          value: reserved
          effect: NoSchedule
        - key: infra
          value: reserved
          effect: NoExecute
    tracing:
      enabled: true
      jaeger:
        template: all-in-one

Click “Create” and the control plane should start installing.

You can check the status of the control plane installation from the CLI:

$ oc get smcp -n istio-system

You can watch the progress of the Pods as they are created:

$ oc get pods -n istio-system -w
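The manifest above turns off two controls that the feature list at the top of this guide advertises: spec.istio.global.mtls.enabled is false, so sidecar-to-sidecar traffic is plaintext, and disablePolicyChecks is true, so Mixer never enforces access or rate-limit policy. The script below is an added example, not part of the original article and not code from the Maistra or Istio projects; it reads a ServiceMeshControlPlane (the article's manifest transcribed to JSON, plus a constructed hardened variant) and flags the security-relevant settings before you click Create. The defaults it assumes for unset fields (mTLS off, policy checks off as in upstream Istio 1.1+, outbound mode ALLOW_ANY) are labelled as assumptions in the code.

```python
import json

# The article's ServiceMeshControlPlane, transcribed into JSON so this runs
# offline without PyYAML. Tolerations and nodeSelectors are omitted because
# they do not affect the audit.
ARTICLE_SMCP = """
{
  "apiVersion": "maistra.io/v1",
  "kind": "ServiceMeshControlPlane",
  "metadata": {"name": "full-install", "namespace": "istio-system"},
  "spec": {"istio": {"global": {
    "proxy": {"accessLogFile": "/dev/stdout"},
    "mtls": {"enabled": false},
    "disablePolicyChecks": true,
    "policyCheckFailOpen": false,
    "outboundTrafficPolicy": {"mode": "REGISTRY_ONLY"}
  }}}
}
"""

# A constructed hardened variant of the same manifest: mesh-wide mTLS on,
# Mixer policy checks on and failing closed, egress still REGISTRY_ONLY.
HARDENED_SMCP = """
{
  "apiVersion": "maistra.io/v1",
  "kind": "ServiceMeshControlPlane",
  "metadata": {"name": "full-install", "namespace": "istio-system"},
  "spec": {"istio": {"global": {
    "proxy": {"accessLogFile": "/dev/stdout"},
    "mtls": {"enabled": true},
    "disablePolicyChecks": false,
    "policyCheckFailOpen": false,
    "outboundTrafficPolicy": {"mode": "REGISTRY_ONLY"}
  }}}
}
"""


def load_smcp(text: str) -> dict:
    """Parse a ServiceMeshControlPlane manifest serialised as JSON."""
    obj = json.loads(text)
    if obj.get("kind") != "ServiceMeshControlPlane":
        raise ValueError("expected kind ServiceMeshControlPlane, got %r" % obj.get("kind"))
    return obj


def audit_smcp(smcp: dict) -> list:
    """Return (severity, message) findings for spec.istio.global."""
    g = smcp.get("spec", {}).get("istio", {}).get("global", {})
    findings = []

    # mtls.enabled=false: sidecar-to-sidecar traffic crosses the pod network in
    # plaintext and workloads have no verifiable peer identity.
    # Assumed default when unset: disabled.
    if not g.get("mtls", {}).get("enabled", False):
        findings.append(("HIGH", "mesh-wide mTLS is off (global.mtls.enabled is not true)"))

    # disablePolicyChecks=true: Mixer is never consulted, so rate limits and
    # access-control policies are not enforced.
    # Assumed default when unset: true, as in upstream Istio 1.1+.
    if g.get("disablePolicyChecks", True):
        findings.append(("MEDIUM", "Mixer policy checks are disabled (global.disablePolicyChecks=true)"))
    elif g.get("policyCheckFailOpen", False):
        findings.append(("MEDIUM", "policy checks fail open: requests are allowed when Mixer is unreachable"))

    # outboundTrafficPolicy.mode: anything other than REGISTRY_ONLY lets a
    # sidecar reach arbitrary external hosts. Assumed default when unset: ALLOW_ANY.
    mode = g.get("outboundTrafficPolicy", {}).get("mode", "ALLOW_ANY")
    if mode != "REGISTRY_ONLY":
        findings.append(("MEDIUM", "outbound traffic policy is %s; unregistered external hosts are reachable" % mode))

    # Access logs on stdout are valuable for detection, but they carry request
    # paths and headers, so they need to be collected and access-controlled.
    if g.get("proxy", {}).get("accessLogFile"):
        findings.append(("INFO", "Envoy access logging is on; collect and protect the logs"))

    return findings


def severities(findings: list) -> list:
    """Just the severity labels, in the order audit_smcp emitted them."""
    return [sev for sev, _ in findings]


if __name__ == "__main__":
    for label, text in (("article", ARTICLE_SMCP), ("hardened", HARDENED_SMCP)):
        print("==", label)
        for sev, msg in audit_smcp(load_smcp(text)):
            print("  [%s] %s" % (sev, msg))
```

To audit a live control plane, feed the script the output of `oc get smcp -n istio-system -o json` (one item of the returned list) instead of the embedded manifests. Enabling mTLS mesh-wide is the change that most affects existing workloads, since any client that is not in the mesh can no longer talk to mesh services in plaintext; roll it out after the member roll and sidecar injection are in place.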

Step 6: Configure Service Mesh member roll

The Projects that belong to the control plane are listed in ServiceMeshMemberRoll. You need to create a ServiceMeshMemberRoll resource named default in the istio-system project.

Switch to istio-system project: Home > Projects > istio-system

Then navigate to Operators > Installed Operators > Red Hat OpenShift Service Mesh > Istio Service Mesh Member Roll

Under ServiceMeshMemberRolls click Create ServiceMeshMemberRoll.

Add the projects you want to be part of the Istio service mesh and click “Create”. From the CLI, the ServiceMeshMemberRoll resource can be updated after creation:

$ oc edit smmr -n istio-system

Step 7: Deploy applications with Automatic sidecar injection

To deploy your applications into the Service Mesh, you must opt in to injection by specifying the sidecar.istio.io/inject annotation with a value of "true".

See the example below:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "true"
      labels:
        app: sleep
    spec:
      containers:
      - name: sleep
        image: tutum/curl
        command: ["/bin/sleep","infinity"]
        imagePullPolicy: IfNotPresent

For pre-existing applications in a project that has been added as a member of the control plane, you can update the pod template in the deployment by adding or modifying an annotation, which triggers a new rollout so that the replacement pods get their sidecars:

$ oc patch deployment/<deployment> -p '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt": "'`date -Iseconds`'"}}}}}'
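Two details of the opt-in trip people up: the annotation has to sit on the pod template (spec.template.metadata), not on the Deployment's own metadata, and its value must be the quoted string "true", because an unquoted `true` in YAML becomes a boolean and the API server rejects it. The helper below is an added example, not part of the original article and not code from the Istio project; it checks a Deployment (the article's sleep manifest transcribed to JSON, plus a constructed legacy Deployment) for the sidecar.istio.io/inject opt-in, reports the missing and invalid cases, and produces the JSON merge patch you would pass to `oc patch`. The function names are this example's own.

```python
import copy
import json

INJECT_ANNOTATION = "sidecar.istio.io/inject"

# The article's sleep Deployment, transcribed into JSON so this runs offline.
SLEEP_DEPLOYMENT = """
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "sleep"},
  "spec": {
    "replicas": 1,
    "template": {
      "metadata": {
        "annotations": {"sidecar.istio.io/inject": "true"},
        "labels": {"app": "sleep"}
      },
      "spec": {"containers": [{"name": "sleep", "image": "tutum/curl",
                               "command": ["/bin/sleep", "infinity"]}]}
    }
  }
}
"""


def load_deployment(text: str) -> dict:
    """Parse a Deployment manifest serialised as JSON (e.g. `oc get deployment/<name> -o json`)."""
    obj = json.loads(text)
    if obj.get("kind") != "Deployment":
        raise ValueError("expected kind Deployment, got %r" % obj.get("kind"))
    return obj


def injection_state(deployment: dict) -> str:
    """Report the pod template's opt-in state.

    Returns the annotation's lower-cased value ("true" or "false"), "missing"
    when the annotation is absent, or "invalid" when the value is not a string.
    """
    meta = deployment.get("spec", {}).get("template", {}).get("metadata", {})
    annotations = meta.get("annotations") or {}
    if INJECT_ANNOTATION not in annotations:
        return "missing"
    value = annotations[INJECT_ANNOTATION]
    # Annotation values must be strings. An unquoted `true` in YAML is parsed
    # as a boolean and the API server rejects the manifest; that is why the
    # article quotes the value ("true").
    if not isinstance(value, str):
        return "invalid"
    return value.strip().lower()


def opt_in_to_injection(deployment: dict) -> dict:
    """Return a copy whose pod template carries sidecar.istio.io/inject: "true".

    The annotation goes on spec.template.metadata (the pod template), not on
    the Deployment's own metadata: the injector looks at the pod, and changing
    the template is what makes the Deployment roll out new, injected pods.
    """
    out = copy.deepcopy(deployment)
    template = out.setdefault("spec", {}).setdefault("template", {})
    meta = template.setdefault("metadata", {})
    annotations = meta.get("annotations")
    if not isinstance(annotations, dict):
        annotations = {}
        meta["annotations"] = annotations
    annotations[INJECT_ANNOTATION] = "true"
    return out


def injection_merge_patch() -> str:
    """The JSON merge patch for `oc patch deployment/<name> -p '<this>'`."""
    return json.dumps({"spec": {"template": {"metadata": {"annotations": {INJECT_ANNOTATION: "true"}}}}})


if __name__ == "__main__":
    sleep = load_deployment(SLEEP_DEPLOYMENT)
    print("sleep:", injection_state(sleep))
    # Constructed example of a Deployment that predates the mesh.
    legacy = {"kind": "Deployment", "spec": {"template": {"metadata": {"labels": {"app": "legacy"}}}}}
    print("legacy before:", injection_state(legacy))
    print("legacy after: ", injection_state(opt_in_to_injection(legacy)))
    print("oc patch deployment/legacy -p '%s'" % injection_merge_patch())
```

Because the pod template changes, either patch (the inject annotation here, or the restartedAt annotation in the command above) starts a rolling update; verify with `oc get pods` that each new pod shows two containers (the application and istio-proxy) before the old ReplicaSet is scaled down.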

You can learn more by going through the Deploy Bookinfo scenario.
