Service Mesh (Getting Hands-On with Istio) (Part 2)

Istio

  1. Citadel, which handles authentication and certificate rotation for mutual TLS (mTLS).
  2. Galley, which provides configuration management.
  3. Pilot, which is responsible for service discovery.
  4. Sidecar injector, whose job is to inject sidecars alongside our services.

Installing

  1. A Kubernetes cluster on GKE, with RBAC access.
curl -L https://istio.io/downloadIstio | sh -
# Initialize istio-operator on your cluster
istioctl operator init
# Create namespace istio-system
kubectl create ns istio-system
# Apply the following manifest from this gist:
kubectl apply -f istio-manifest.yaml
# To check whether the manifest was deployed correctly or has validation errors, view the logs of the istio-operator pod
kubectl logs -f --selector=name=istio-operator -n istio-operator
# A successful deployment should display the following info at the end
2020-11-02T02:56:33.842590Z info end reconciling resources

Adding Services to Mesh

# Label bookinfo namespace
kubectl label namespace bookinfo istio-injection=enabled
# Restart all pods in the namespace
kubectl delete pods --all -n bookinfo
# Check one of the pods to see if the sidecar is injected.
kubectl get pods --selector=app=productpage -n bookinfo -o jsonpath="{.items[*].spec.containers[*].image}" |\
tr -s '[[:space:]]' '\n'
# And you should see two containers in the pod.
docker.io/istio/examples-bookinfo-productpage-v1:1.16.2
docker.io/istio/proxyv2:1.5.3
# The proxyv2 image is the Envoy proxy, which verifies that the sidecar was injected.
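
The check above inspects a single pod. As an added example (not from the original article), the shell functions below apply the same image check to every pod in a namespace and list the pods that have no sidecar. The function names and the sample pod names are constructed for illustration, and the check assumes the sidecar image path contains "/proxyv2:" as in the output above.

```shell
#!/bin/sh
# Added example: report pods in a namespace that have no Envoy sidecar.

# Emit one "pod<TAB>image image ..." line per pod (requires cluster access).
list_pod_images() {
  kubectl get pods -n "$1" -o \
    jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].image}{"\n"}{end}'
}

# Read those lines on stdin and print each pod that has no proxyv2 image.
# Assumption: the sidecar image path contains "/proxyv2:", as in the output above.
pods_without_sidecar() {
  tab=$(printf '\t')
  while IFS="$tab" read -r pod images; do
    [ -n "$pod" ] || continue
    found=0
    for img in $images; do
      case "$img" in
        */proxyv2:*) found=1 ;;
      esac
    done
    [ "$found" -eq 1 ] || printf '%s\n' "$pod"
  done
}

# Constructed sample in the same format: one injected pod, one pod that was
# never restarted after the namespace was labelled.
sample_pod_images() {
  printf '%s\t%s\n' \
    'productpage-v1-aaaa' 'docker.io/istio/examples-bookinfo-productpage-v1:1.16.2 docker.io/istio/proxyv2:1.5.3' \
    'reviews-v1-bbbb' 'docker.io/istio/examples-bookinfo-reviews-v1:1.16.2'
}

# Offline demo on the constructed sample; prints: reviews-v1-bbbb
sample_pod_images | pods_without_sidecar
# Live use: list_pod_images bookinfo | pods_without_sidecar
```

Any pod this prints is running outside the mesh, so its traffic is not covered by the sidecar's mTLS.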

Exposing our services out of mesh

# Create gateway and virtualservice that redirects traffic to product service
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
# Determine host IP and port
export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
# Create firewall rule for GCP (with no --source-ranges, gcloud allows this port from any source address)
gcloud compute firewall-rules create allow-gateway-http --allow "tcp:$INGRESS_PORT"
# Now you can verify external access at
echo "http://$INGRESS_HOST:$INGRESS_PORT/productpage"

TaDa!!

Summary


Bikes, Tea, Sunset, IndieMusic in that order. Software Engineer who fell in love with cloud-native infrastructure.

ADIL RAFIQ
