Service Mesh(Getting Hands-On with Istio)(Part 2)

Istio

  1. Citadel that does authentication and certificate rotation for (mtls).
  2. Galley that provides configuration management.
  3. Pilot responsible for service-discovery.
  4. Side-car injector whose job is to inject sidecars alongside our services.

Installing

  1. A Kubernetes cluster on GKE, with RBAC access.
curl -L https://istio.io/downloadIstio | sh -
# Initialize istio-operator on your clusteristioctl operator init# Create namespace istio-systemkubectl create ns istio-system# Apply the following manifest from this gist: kubectl apply -f istio-manifest.yaml# To check wether manifest was deployed correctly or for validation errors. View logs of istio-operator podkubectl logs -f --selector=name=istio-operator -n istio-operatorA succesfull deployment should display the following info at the end2020-11-02T02:56:33.842590Z info end reconciling resources

Adding Services to Mesh

# Label bookinfo namespacekubectl label namespace bookinfo istio-injection=enabled# Restart all pods in the namespaceKubectl delete pods --all -n bookinfo# Checking one of the pod to see if the side car is injected. kubectl get pods --selector=app=productpage -n bookinfo -o jsonpath="{.items[*].spec.containers[*].image}" 
|\ tr -s '[[:space:]]' '\n'
# And you should see two containers in the pod. docker.io/istio/examples-bookinfo-productpage-v1:1.16.2
docker.io/istio/proxyv2:1.5.3
# The proxyv2 is the envoy proxy and hence it is verified that sidecars are injected.

Exposing our services out of mesh

# Create gateway and virtualservice that redirects traffic to product service kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml# Determine Host Ip and Port
export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')# Create firewall rule for GCP
gcloud compute firewall-rules create allow-gateway-http --allow "tcp:$INGRESS_PORT"
# Now you can verify external at
echo "http://$INGRESS_HOST:INGRESS_PORT/productpage" TaDa!!

Summary

--

--

--

Bikes, Tea, Sunset, IndieMusic in that order. Software Engineer who fell in love with cloud-native infrastructure.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Write Files from EC2 to S3 Programmatically

Internal Interface For Service Different Interfaces.

SPOJ DIVSUM — Divisor Summation

CS371g Blog: Jin Huang Week of 7 Jun-13 Jun

AWS Secrets Manager | Store & Rotate DB credentials with AWS Secrets Manager

Road to Genius: superior #59

Getting an app live, and beyond

5 Mistakes That Make a Leader Ineffective

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
ADIL RAFIQ

ADIL RAFIQ

Bikes, Tea, Sunset, IndieMusic in that order. Software Engineer who fell in love with cloud-native infrastructure.

More from Medium

Where do Kubernetes Clusters hold significance in your app modernization journey?

What Is GitOps?

Canary Deployment with Istio in Kubernetes

Keeping Secrets hidden on public github repository during deployment to Kubernetes cluster