Istio addresses the challenges developers and operators face as monolithic applications transition towards a distributed microservice architecture. The term service mesh is used to describe the network of microservices that make up such applications and the interactions between them. As a service mesh grows in size and complexity, it can become harder to understand and manage. Its requirements can include discovery, load balancing, failure recovery, metrics, and monitoring. A service mesh also often has more complex operational requirements, like A/B testing, canary rollouts, rate limiting, access control, and end-to-end authentication.
Istio provides behavioral insights and operational control over the service mesh as a whole, offering a complete solution to satisfy the diverse requirements of microservice applications.
The blog entry below gives details about how to install Istio. I have installed Docker, Kubernetes and Minikube and will be installing Istio with Minikube. Below are the versions used,
Istio details here: https://istio.io/
Istio documentation: https://istio.io/docs/
Step 1: Prepare Minikube for Istio installation with sufficient resources to run Istio. Follow the link below for details: https://istio.io/docs/setup/kubernetes/prepare/platform-setup/minikube/
Start Minikube with 8192 MB of memory and 4 CPUs. I have used the additional option --vm-driver=none as I already have virtualization enabled and am running on AWS cloud.
- minikube start --memory=8192 --cpus=4 --vm-driver=none
If you want a Load balancer in Minikube for use by Istio, you can use the Minikube Tunnel by running,
- minikube tunnel
Running the minikube tunnel feature will block your terminal and output diagnostic information.
Step 2: Download and prepare for the installation
Istio is installed in its own istio-system namespace and can manage services from all other namespaces. Go to the Istio release page to download the installation file corresponding to your OS. On a macOS or Linux system, you can run the following command to download and extract the latest release automatically:
- curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.1.7 sh -
Move to the Istio package directory. For example, if the package is istio-1.1.7:
- cd istio-1.1.7
The installation directory contains:
Installation YAML files for Kubernetes in install/
Sample applications in samples/
The istioctl client binary in the bin/ directory. istioctl is used when manually injecting Envoy as a sidecar proxy.
The istio.VERSION configuration file
Add the istioctl client to your PATH environment variable, on a macOS or Linux system:
- export PATH=$PWD/bin:$PATH
where $PWD is the directory you are currently in. In my case I am in the /k8s directory.
Step 3: Quickly evaluate Istio in a Kubernetes cluster on any platform. This flow installs Istio’s built-in demo configuration profile using basic Kubernetes commands without needing to download or install Helm.
Follow this link for installation, https://istio.io/docs/setup/kubernetes/install/kubernetes/
Install all the Istio Custom Resource Definitions (CRDs) using kubectl apply, and wait a few seconds for the CRDs to be committed in the Kubernetes API-server:
- for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f "$i"; done
Install one of the following variants of the demo profile: either the permissive mutual TLS option or strict mutual TLS.
Permissive mutual TLS
When using the permissive mutual TLS mode, all services accept both plain text and mutual TLS traffic. Clients send plain text traffic unless configured for mutual TLS migration. See the Istio mutual TLS permissive mode page for more information.
Choose this variant for:
Clusters with existing applications, or
Applications where services with an Istio sidecar need to be able to communicate with other non-Istio Kubernetes services
Run the following command to install this variant:
- kubectl apply -f install/kubernetes/istio-demo.yaml
Strict mutual TLS
This variant will enforce mutual TLS authentication between all clients and servers.
Use this variant only on a fresh Kubernetes cluster where all workloads will be Istio-enabled. All newly deployed workloads will have Istio sidecars installed.
Run the following command to install this variant:
- kubectl apply -f install/kubernetes/istio-demo-auth.yaml
Step 4: Verifying the installation
Ensure the following Kubernetes services are deployed and verify they all have an appropriate CLUSTER-IP except the jaeger-agent service:
- kubectl get svc -n istio-system
Note: If your cluster is running in an environment that does not support an external load balancer (e.g., minikube), the EXTERNAL-IP of istio-ingressgateway will say <pending>. To access the gateway, use the service’s NodePort, or use port-forwarding instead.
Ensure corresponding Kubernetes pods are deployed and have a STATUS of Running:
- kubectl get pods -n istio-system
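The two Step 4 checks can be scripted instead of read by eye. The following is an added example, not part of the original post or of Istio: the function names and the sample tables are constructed, and checking the READY column and accepting Completed for one-shot job pods are assumptions that go beyond the "STATUS of Running" rule above.

```sh
#!/bin/sh
# Added example. Each function reads `kubectl get ... -n istio-system` table
# output on stdin and prints the entries that need attention (nothing = OK).
# Live use:  kubectl get pods -n istio-system | pods_not_ready

# Services with no CLUSTER-IP; jaeger-agent is the one exception Step 4 allows.
svc_without_cluster_ip() {
  awk 'NR > 1 && $1 != "jaeger-agent" && ($3 == "None" || $3 == "<none>") { print $1 }'
}

# LoadBalancer services whose EXTERNAL-IP is still <pending> (e.g. minikube
# without `minikube tunnel`): reach them via NodePort or port-forwarding.
svc_pending_external_ip() {
  awk 'NR > 1 && $2 == "LoadBalancer" && $4 == "<pending>" { print $1 }'
}

# Pods that are not Running with all containers ready.
# Assumption: Completed is accepted for one-shot job pods.
pods_not_ready() {
  awk 'NR > 1 {
         split($2, r, "/")
         ok = ($3 == "Running" && r[1] == r[2]) || $3 == "Completed"
         if (!ok) print $1 " " $2 " " $3
       }'
}

# Constructed sample output (not from a real cluster; names and IPs are made up).
SAMPLE_SVC='NAME                   TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)        AGE
istio-citadel          ClusterIP      10.96.10.11   <none>        8060/TCP       2m
istio-ingressgateway   LoadBalancer   10.96.10.12   <pending>     80:31380/TCP   2m
istio-pilot            ClusterIP      10.96.10.13   <none>        15010/TCP      2m
jaeger-agent           ClusterIP      None          <none>        5775/UDP       2m
jaeger-query           ClusterIP      None          <none>        16686/TCP      2m'

SAMPLE_PODS='NAME                         READY   STATUS             RESTARTS   AGE
istio-citadel-aaaa           1/1     Running            0          3m
istio-cleanup-secrets-bbbb   0/1     Completed          0          3m
istio-pilot-cccc             1/2     Running            0          3m
istio-telemetry-dddd         0/2     CrashLoopBackOff   4          3m'

echo "Services without CLUSTER-IP:"
printf '%s\n' "$SAMPLE_SVC" | svc_without_cluster_ip
echo "LoadBalancer services with pending EXTERNAL-IP:"
printf '%s\n' "$SAMPLE_SVC" | svc_pending_external_ip
echo "Pods not ready:"
printf '%s\n' "$SAMPLE_PODS" | pods_not_ready
```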
This completes the Istio installation process. You can now deploy your own application or one of the sample applications provided with the installation, like Bookinfo (as per the documentation).
Reference links for Docker, k8s and minikube