Installing Istio

Return to Workshop

Installing Istio - the Easy Button

You will conduct these labs in an OpenShift cluster. First, test you have access to your cluster via console and CLI.

OpenShift

Navigate to the console URI provided by your instructor and login with the username/password provided.

For example:

http://console-openshift-console.apps.cluster-naa-xxxx.naa-xxxx.example.opentlc.com

Once logged in, you should see the following:


OpenShift Welcome


You will use the OpenShift 'oc' CLI to execute commands for the majority of this lab.

Login using API endpoint and remember to add the '--insecure-skip-tls-verify=true' flag

For example:

oc login https://api.cluster-naa-xxxx.naa-xxxx.example.opentlc.com:6443 --insecure-skip-tls-verify=true
Check the status of the cluster:
oc status

You should see two services running 'svc/openshift' and 'svc/kubernetes'.


Application Code

Next we need a local copy of our application code. The application code includes the resources to install Istio.

Clone the repository in your home directory:
cd $HOME
git clone https://github.com/dudash/openshift-microservices.git
Checkout the workshop-stable branch:
cd $HOME/openshift-microservices
git checkout workshop-stable


Istio

Let's install Istio in our cluster.

Navigate to the directory for installing Istio:
cd $HOME/openshift-microservices/deployment/install/istio

Start by installing the Istio Operator. The operator is used to install and manage Istio in the cluster.


Run the following command:
oc apply -f ./istio-operator.yaml


Use oc to watch the operator installation:
oc get pods -n openshift-operators -l name=istio-operator --watch

The Istio operator should be in a running state. For example:

istio-operator-xxxxxxxxx-xxxxx   1/1   Running   0     17s

Once the operator is running, install the Istio control plane in its own namespace 'istio-system':


Run the following 2 commands:
oc new-project istio-system
oc create -n istio-system -f ./istio-resources.yaml


Watch the control plane installation:
oc get servicemeshcontrolplane/istio-demo -n istio-system --template='{{range .status.conditions}}{{printf "%s=%s, reason=%s, message=%s\n\n" .type .status .reason .message}}{{end}}' --watch

Wait a couple of minutes. The installation should complete. For example:

Installed=True, reason=InstallSuccessful, message=Successfully installed all mesh components

Reconciled=True, reason=InstallSuccessful, message=Successfully installed version 1.0.6-1.el8-1

Ready=True, reason=ComponentsReady, message=All component deployments are Available


List all the Istio components:
oc get pods -n istio-system

Output:

NAME                                      READY   STATUS    RESTARTS   AGE
grafana-xxxxxxxxx-xxxxx                  2/2     Running   0          17m
istio-citadel-xxxxxxxxx-xxxxx            1/1     Running   0          20m
istio-egressgateway-xxxxxxxx-xxxxx       1/1     Running   0          17m
istio-galley-xxxxxxxx-xxxxx              1/1     Running   0          19m
istio-ingressgateway-xxxxxxxxx-xxxxx     1/1     Running   0          17m
istio-pilot-xxxxxxxxx-xxxxx              2/2     Running   0          18m
istio-policy-xxxxxxxxx-xxxxx             2/2     Running   0          19m
istio-sidecar-injector-xxxxxxxxx-xxxxx   1/1     Running   0          17m
istio-telemetry-xxxxxxxxx-xxxxx          2/2     Running   0          19m
jaeger-xxxxxxxxx-xxxxx                   2/2     Running   0          19m
kiali-xxxxxxxxx-xxxxx                    1/1     Running   0          16m
prometheus-xxxxxxxxx-xxxxx               2/2     Running   0          19m

The primary control plane components are Pilot, Mixer, and Citadel. Pilot handles traffic management. Mixer handles policy and telemetry. Citadel handles security.


Setup Projects

As the instructor, you will create projects for users (identified as users1...x). You also need to grant each user view access to the Istio namespace 'istio-system'.

Run the following:
NUM_USERS=<enter number of users>
for (( i=1 ; i<=$NUM_USERS ; i++ ))
do 
  oc new-project user$i --as=user$i \
    --as-group=system:authenticated --as-group=system:authenticated:oauth
  oc adm policy add-role-to-user view user$i -n istio-system
done


Next, add projects to the service mesh using a Member Roll resource. If you do not add the projects to the mesh, the users' microservices will not be added to the service mesh.

Add projects to the mesh. Adjust the number of user projects if needed:
oc apply -f - <<EOF
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
  namespace: istio-system
spec:
  members:
    - user1
    - user2
    - user3
    - user4
    - user5
    - user6
    - user7
    - user8
    - user9
    - user10
    - user11
    - user12
    - user13
    - user14
    - user15
    - user16
    - user17
    - user18
    - user19
    - user20
EOF


Summary

Congratulations, you installed Istio!

A few key highlights are:

If you want to learn more about Istio's architecture, the best place to start is the Istio documentation.


Workshop Details

Domain Red Hat Logo
Workshop
Student ID

Return to Workshop