Coder Society Logo

Setting Up Istio from Scratch: Part 2

Check out our latest article, where we delve into the practical implementation of Istio, leveraging the versatility of Minikube as a testing environment.

Kentaro Wakayama Avatar

Kentaro Wakayama

15 June 2023

Setting Up Istio from Scratch: Part 2

While container orchestrators like Kubernetes enable lifecycle management for microservices, there are inherent challenges when it comes to security and traffic management. In such cases, Istio acts as a reverse-proxy load balancer that eliminates the manual processes involved in deploying, scaling, and managing communication between microservices.

The previous article in this series discussed how to set up Istio from scratch in a Kubernetes environment. This post explores how developers can leverage Istio for microservices deployment, traffic management, and telemetry for monitoring. 

Configuring Microservices with Istio on Kubernetes

For this tutorial, you will use a Minikube cluster with sufficient resources to deploy basic applications with Istio. 

Note: The basic difference between a Minikube cluster and a production-grade Kubernetes cluster is that Minikube allows you to run a smaller setup (even on your local machine) for testing. Although you are using a Minikube cluster for this tutorial, the steps are the same when deploying your microservices/applications to production-grade Kubernetes clusters.

In the following four steps, you will learn how to use Istio for:

  • Microservices deployment
  • Ingress, load balancing, and traffic management
  • Monitoring and metrics

Step 1: Enabling Automatic Sidecar Injection

Istio uses Envoy proxies as sidecars to mediate the communication between microservices. The proxies also enable control of the workload instances they are attached to by connecting them with the mixer, the telemetry hub, and a general-purpose policy. When it forwards traffic between the application and the Internet, the sidecar configuration allows you to finetune the set of protocols and ports that the Envoy proxies can service. 

Note: Istio allows both manual and automated sidecar injection. Though they sound similar, automatic injection happens at the pod level, while manual injection operates at the configuration (deployment) level.

This section describes how to ensure that Istio automatically configures each sidecar proxy to reach all workload instances in the cluster.

  1. Follow the Istio download and installation instructions for your OS.

Note: In this step, you will download the binaries for istioctl. This is Istio’s command-line tool, used for installing, deploying, and managing Istio components.

$ curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.18.0 TARGET_ARCH=x86_64 sh -
  1. Navigate to the Istio package directory by running this command: 
$ cd istio-1.18.0
  1. Add the Istioctl client to your library. For Linux and MacOS, do this by running the command: 
$ export PATH=$PWD/bin:$PATH
  1. Initiate the operator by running this command: 
$ istioctl

This returns a prompt similar to:

Istio configuration command line utility for service operators to
debug and diagnose their Istio mesh.

Quick Tip: Istio provides several built-in configuration profiles to help customize the control plane and sidecars. In this exercise, you are relying on Istio’s demo configuration profile, which is specifically suitable for quickly exploring Istio functionalities. For production-grade instances, it is recommended to use Istio’s default configuration profile.

  1. To install the profile, use the command: 
$ istioctl install --set profile=demo -y

Once the components are installed, the client will return a confirmation similar to this:

✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete
Making this installation the default for injection and validation.
  1. To enable automatic sidecar injection, add a namespace that instructs the controller to configure Envoy proxies when an application is deployed. To add the default namespace with sidecar injection, use the command: 
$ kubectl label namespace default istio-injection=enabled

If the operation is performed successfully, the CLI client will return a prompt similar to this:

namespace/default labeled

Step 2: Deploying the Application

In this tutorial, you will use Bookinfo as the sample application that comes with the Istio installation package. The demo application also includes service accounts, services, and deployments that you can use to configure and test Istio features and functionalities.

  1. Deploy the Bookinfo sample application using the kubectl command: 
$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

A successful installation returns an output similar to:

service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
  1. Once the application launches and the pods are ready, the Istio sidecars are deployed alongside the application. To check the list of services running, use the command: 
$ kubectl get services

This will return the following prompt:

NAME          TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
details       ClusterIP   10.99.199.27     <none>        9080/TCP   20s
kubernetes    ClusterIP   10.96.0.1        <none>        443/TCP    6m27s
productpage   ClusterIP   10.101.74.145    <none>        9080/TCP   20s
ratings       ClusterIP   10.111.192.228   <none>        9080/TCP   20s
reviews       ClusterIP   10.108.26.182    <none>        9080/TCP   20s
  1. Use this command to check the pods: 
$ kubectl get pods

This returns the following result:

NAME                             READY   STATUS    RESTARTS   AGE
details-v1-5ffd6b64f7-84kqp      2/2     Running   0          91s
productpage-v1-8b588bf6d-x52wz   2/2     Running   0          91s
ratings-v1-5f9699cfdf-mnfmm      2/2     Running   0          91s
reviews-v1-569db879f5-wgzhk      2/2     Running   0          91s
reviews-v2-65c4dc6fdc-x6lx8      2/2     Running   0          91s
reviews-v3-c9c4fb987-m8f2m       2/2     Running   0          91s
  1. The final step in validating the application installation is to check whether the application is running as intended and responding to requests. To do this, request the product page title from one of the details pods. 
$ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep \<title

In this case, the output of the above command returned the response <title>Simple Bookstore App</title>, confirming that the application is running within the cluster.

Step 3: Discovery and Traffic Flow Management with Istio Pilot

The Istio Pilot provides traffic management capabilities for the Istio service mesh. To do this, Pilot abstracts service discovery into a standard format that any Envoy sidecar can consume. The Istio Pilot then propagates Envoy-specific configurations to sidecars during runtime. These configurations are high-level routing rules that Istiod converts to manage traffic behavior.

  1. To open the application to external traffic, create an Istio Ingress gateway . The gateway makes the application accessible to Internet traffic by mapping a path at the edge of the service mesh. 

The gateway for the sample application is saved to the folder /samples/bookinfo/networking/bookinfo-gateway.yaml and has a configuration similar to:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
    name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway 
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080

Quick Tip: networking.istio.io/v1alpha3 is Istio’s traffic management API. It enables the creation of various configuration resources to control traffic within, outside of, and into the mesh. The Gateway object creates a HTTP/TCP traffic load balancer, while the VirtualService resource enables the configuration of routing rules for various destination services.

  1. Associate the cluster with the Istio ingress gateway by using the command: 
$ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml

This returns the prompt: 

gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created

Use the istioctl analyze command to ensure the configuration works properly.

If Istio is running correctly, you will see this message:

✔ No validation issues found when analyzing namespace: default
  1. Once the gateway is up, set the ingress IP and ports using the INGRESS_HOST and INGRESS_PORT variables. Since you are using a Minikube cluster, use the following two commands:

First command:

$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')

Second command: 

$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')

Next, to verify that each variable was successfully assigned a port, use the commands echo "$INGRESS_PORT" and echo "$SECURE_INGRESS_PORT", which return port numbers (in this case, 31593 and 30542).

  1. To set the Ingress IP for the host, get your host’s IP address. For Minikube, use the command: 
$ minikube ip

This returns the IP for the Minikube cluster (in this case, 192.168.49.2). Use this IP to set the IP address of the host, as shown below:

$ export "$INGRESS_HOST"=$ 192.168.49.2
  1. Verify that the host environment variable was assigned an IP, using the command   
$ echo "$INGRESS\_HOST". This returns the IP assigned to the INGRESS\_HOST environment variable. 
  1. Set the gateway URL using the command:  
$ echo GATEWAY\_URL=$INGRESS\_HOST:$INGRESS\_PORT.

This assigns the port and IP address to the GATEWAY_URL environment variable: 192.168.49.2:30542.

  1. To verify external access, go to the demo application by using the URL of the form http://$GATEWAY_URL/productpage in a web browser. In this case, you can use http://192.168.49.2:30542/productpage on the browser that returns your demo instance’s Bookinfo Product page.

BookInfo product page

Figure 1: BookInfo product page

Step 4: Istio Mixer for Telemetry and Monitoring

The Istio Mixer integrates with multiple telemetry applications that help you understand the health, topology, and structure of the mesh. Some popular telemetry add-ons for Istio include Prometheus, Grafana, Jaeger, and the Kiali dashboard. In this section, you’ll learn how to configure and send metrics to the Kiali dashboard.

  1. Install the add-ons for the metrics dashboard into the cluster by running the command: 
$ kubectl apply -f samples/addons
  1. Deploy the dashboard into the cluster by rolling out the Kiali deployment, using this command: 
$ kubectl rollout status deployment/kiali -n istio-system

This deploys the dashboard and returns the prompt:

Waiting for deployment "kiali" rollout to finish: 0 of 1 updated replicas are available...
deployment "kiali" successfully rolled out
  1. You can then access the Kiali dashboard by running the command istioctl dashboard kiali . This opens the dashboard on the URL http://localhost:20001/kiali , with app data and an overview of the relationships between services in the mesh.

Kiali dashboard

Figure 2: Kiali dashboard

Conclusion

Istio simplifies how you manage your microservices communication by moving this functionality out of Kubernetes and into a cloud-native managed control plane. Istio’s Envoy proxies are deployed as sidecars alongside Kubernetes workloads to help enhance security, observability, and traffic management for containerized workloads. 

This article explored how to use the Istio service mesh to deploy a sample application, enable ingress for service discovery, and enable monitoring for microservices.

For our latest insights and updates, follow us on LinkedIn

Kentaro Wakayama Avatar

Kentaro Wakayama

Managing Director, CEO

Kentaro leads Coder Society as CEO, bringing hands-on expertise in software development, cloud technologies, and building high-performing engineering teams.

EmailConnect

Contact us