Istio

Istio is an open-source service mesh that overlays current distributed applications in a transparent manner. Istio functions as a connective tissue between your services, providing features such as traffic control, service discovery, load balancing, resilience, observability, and security. In this blog, I’ll guide you to install Istio on the Kubernetes cluster step by step. Prior to setting up Istio, I hope you have set up a Kubernetes cluster in minikube or any cloud platform. If you haven’t set up a K8s cluster yet, I recommend you read one of my previous blog posts which will guide you to set up a Kubernetes cluster on Google Cloud Provider. If you are using minikube or any other cloud platform, refer to some materials and set up a K8s cluster. Here, we are installing istio with istioctl.

1. Download Istio

1.1. Download the Istio installation file. curl -L https://istio.io/downloadIstio | sh -

1.2. Move to the Istio package directory. Let’s say the downloaded Istio version is istio-1.13.0. (If you are unable to find the Istio version, use ls command in the terminal and then you will see the istio directory.) cd istio-1.13.0

1.3. Add the istioctl client to your path. export PATH=$PWD/bin:$PATH

2. Install Istio

2.1. In this installation, we use the demo configuration profile. istioctl install --set profile=demo -y

If your installation is successful, you will get the below result.

2.2. Add a namespace label to tell Istio to inject Envoy sidecar proxies automatically when you deploy your app later: kubectl label namespace default \istio-injection=enabled

Note: Here, we are enabling envoy sidecar proxies injection for default namespace. If your application is going to be deployed in a different namespace, you will have to enable istio-injection for that particular namespace. For an example, let’s think my application is going to be deployed under the namespace, mesh-test. Then, you will have to change the above command like below. kubectl label namespace mesh-test \istio-injection=enabled

Now, you have successfully set up Istio on K8s cluster!

Install with Helm

Follow this guide to install and configure an Istio mesh using Helm.

The Helm charts used in this guide are the same underlying charts used when installing Istio via Istioctl or the Operator.

Prerequisites

1. Perform any necessary platform-specific setup.

2. Check the Requirements for Pods and Services.

3. Install the Helm client, version 3.6 or above.

4. Configure the Helm repository:

$ helm repo add istio https://istio-release.storage.googleapis.com/charts
$ helm repo update

Installation steps

This section describes the procedure to install Istio using Helm. The general syntax for helm installation is:

$ helm install <release> <chart> --namespace <namespace> --create-namespace [--set <other_parameters>]

The variables specified in the command are as follows:

• <chart> A path to a packaged chart, a path to an unpacked chart directory or a URL.

• <release> A name to identify and manage the Helm chart once installed.

• <namespace> The namespace in which the chart is to be installed.

Default configuration values can be changed using one or more --set <parameter>=<value> arguments. Alternatively, you can specify several parameters in a custom values file using the --values <file> argument.

You can display the default values of configuration parameters using the helm show values <chart> command or refer to artifacthub chart documentation at Custom Resource Definition parameters, Istiod chart configuration parameters and Gateway chart configuration parameters.

1. Create the namespace, istio-system, for the Istio components:

   This step can be skipped if using the --create-namespace argument in step 2.

   $ kubectl create namespace istio-system

2. Install the Istio base chart which contains cluster-wide Custom Resource Definitions (CRDs) which must be installed prior to the deployment of the Istio control plane:

   When performing a revisioned installation, the base chart requires the --set defaultRevision=<revision> value to be set for resource validation to function. Below we install the default revision, so --set defaultRevision=default is configured.

   $ helm install istio-base istio/base -n istio-system --set defaultRevision=default

3. Validate the CRD installation with the helm ls command:

   $ helm ls -n istio-system
   NAME       NAMESPACE    REVISION UPDATED         STATUS   CHART        APP VERSION
   istio-base istio-system 1        ... ... ... ... deployed base-1.16.1  1.16.1

   In the output locate the entry for istio-base and make sure the status is set to deployed.

4. Install the Istio discovery chart which deploys the istiod service:

   $ helm install istiod istio/istiod -n istio-system --wait

5. Verify the Istio discovery chart installation:

   $ helm ls -n istio-system
   NAME       NAMESPACE    REVISION UPDATED         STATUS   CHART         APP VERSION
   istio-base istio-system 1        ... ... ... ... deployed base-1.16.1   1.16.1
   istiod     istio-system 1        ... ... ... ... deployed istiod-1.16.1 1.16.1

6. Get the status of the installed helm chart to ensure it is deployed:

   $ helm status istiod -n istio-system
   NAME: istiod
   LAST DEPLOYED: Fri Jan 20 22:00:44 2023
   NAMESPACE: istio-system
   STATUS: deployed
   REVISION: 1
   TEST SUITE: None
   NOTES:
   "istiod" successfully installed!
   
   To learn more about the release, try:
     $ helm status istiod
     $ helm get all istiod
   
   Next steps:
     * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
     * Try out our tasks to get started on common configurations:
       * https://istio.io/latest/docs/tasks/traffic-management
       * https://istio.io/latest/docs/tasks/security/
       * https://istio.io/latest/docs/tasks/policy-enforcement/
       * https://istio.io/latest/docs/tasks/policy-enforcement/
     * Review the list of actively supported releases, CVE publications and our hardening guide:
       * https://istio.io/latest/docs/releases/supported-releases/
       * https://istio.io/latest/news/security/
       * https://istio.io/latest/docs/ops/best-practices/security/
   
   For further documentation see https://istio.io website
   
   Tell us how your install/upgrade experience went at https://forms.gle/99uiMML96AmsXY5d6

7. Check istiod service is successfully installed and its pods are running:

   $ kubectl get deployments -n istio-system --output wide
   NAME     READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS   IMAGES                         SELECTOR
   istiod   1/1     1            1           10m   discovery    docker.io/istio/pilot:1.16.1   istio=pilot

8. (Optional) Install an ingress gateway:

   $ kubectl create namespace istio-ingress
   $ helm install istio-ingress istio/gateway -n istio-ingress --wait

   See Installing Gateways for in-depth documentation on gateway installation.

   The namespace the gateway is deployed in must not have a istio-injection=disabled label. See Controlling the injection policy for more info.

See Advanced Helm Chart Customization for in-depth documentation on how to use Helm post-renderer to customize the Helm charts.

Updating your Istio configuration

You can provide override settings specific to any Istio Helm chart used above and follow the Helm upgrade workflow to customize your Istio mesh installation. The available configurable options can be found by using helm show values istio/<chart>; for example helm show values istio/gateway.