Overview

Skill Level: Any Skill Level

Basic Understanding of Kubernetes

Learn how to install and validate Istio on IBM Cloud Private 1.2.0

Step-by-step

  1. Background

    IBM Cloud Private

    IBM Cloud Private is a Kubernetes based platform that provides an integrated and private PaaS cloud platform for running on-premises enterprise workloads. The platform has three main use cases:

    • Developing and running production cloud native applications in a private cloud
    • Securely integrating and using data and services from sources external to the private cloud
    • Refactoring and modernizing heritage enterprise applications

    For more information about IBM Cloud Private, see its official announcement page.


    Istio
    Istio is an open-source service mesh for microservices. It runs inside Kubernetes and injects an Envoy sidecar proxy into each application pod, so using it requires no changes to application code. Istio can manage traffic flows between microservices, enforce access policies, aggregate telemetry data, and, when its mutual TLS option is enabled, encrypt service-to-service traffic.
    For more information about Istio, see Istio – About.

  2. Install IBM Cloud Private

    Install IBM Cloud Private V1.2. See Installing a standard IBM Cloud Private environment for details.

  3. Install kubectl

    Install the Kubernetes command line interface, kubectl. See Install and Set Up kubectl.

    The installation instructions for Linux on x86-64 are replicated here. Before you place the binary on your PATH, compare its SHA-256 digest (`sha256sum kubectl`) against the checksum file published at the same download path with `.sha256` appended, so that a tampered or truncated download is caught before it is trusted with cluster credentials.

    Download kubectl

    curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl

    Make kubectl executable:

    chmod +x ./kubectl

    Move kubectl to your PATH:

    sudo mv ./kubectl /usr/local/bin/kubectl


    To install kubectl for Power® 64-bit LE, you can obtain the installation binary from the IBM Cloud Private installation files. See Accessing your IBM Cloud Private cluster by using the kubectl CLI.

    For Power® 64-bit LE, run the following command (it copies the kubectl binary out of the IBM-supplied image into /root on the host):

    docker run -e LICENSE=accept --net=host --rm -v /root:/data ppc64le/kubernetes:v1.6.1 cp /kubectl /data
  4. Configure kubectl

    Navigate to the IBM Cloud Private web console at `https://<Master_Node_Address>:8443` and log in. By default, the admin credentials are admin/admin; change this password before the console is reachable from anything other than your own workstation, since the admin account holds cluster-wide permissions.

    Click admin to open the user menu and then click Configure Client. Copy the configuration information and paste it into the console of the machine where you installed kubectl. If you did not install kubectl on the master node of IBM Cloud Private, replace the server address in the first command with the web console URL that you use to access the dashboard.

    user menu

    CLI Configuration page

    The configuration information resembles the following commands. The token is a bearer token (a JWT issued by the ICP authentication service) that grants your user's permissions to anyone who holds it, so treat the whole snippet as a credential; the token value is omitted here, and you paste the one from your own Configure Client page. Note also that the generated first command passes --insecure-skip-tls-verify=true, which disables verification of the API server's certificate. If you have the cluster's CA certificate, use --certificate-authority=<path-to-ca.crt> instead so that kubectl can detect an impersonated API server.

    kubectl config set-cluster cfc --server=https://10.10.25.134:8001 --insecure-skip-tls-verify=true
    kubectl config set-context cfc --cluster=cfc
    kubectl config set-credentials user --token=<token from the Configure Client page>
    kubectl config set-context cfc --user=user --namespace=default
    kubectl config use-context cfc
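    Before pasting the Configure Client snippet into a shell, it is worth checking what it actually sets up. The following script is an added example and is not part of the original recipe or of IBM Cloud Private; it parses the five generated commands, reports whether TLS verification is disabled, and decodes the token's claims (without verifying the signature) to show who it is for and when it expires. The token and the issuer URL in the sample are constructed to mirror the shape of a real ICP token; nothing here talks to a cluster.

```python
import base64
import json
import shlex
import time


def _b64url(raw):
    """Base64url-encode without padding, as JWTs do."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_demo_token(issued_at, lifetime_s=12 * 3600):
    """Build a constructed, unsigned JWT with the claim layout of an ICP token.
    The signature segment is a dummy string; this is for parsing demos only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({
        "aud": "cfc-service",
        "iss": "https://master.cfc:8443/acs/api/v1/auth",  # assumed issuer URL
        "sub": "admin",
        "projects": ["default"],
        "iat": issued_at,
        "exp": issued_at + lifetime_s,
    }).encode())
    return "%s.%s.dummy-signature" % (header, claims)


DEMO_ISSUED_AT = 1500383499
# Constructed copy of the five commands the Configure Client page produces.
DEMO_SNIPPET = "\n".join([
    "kubectl config set-cluster cfc --server=https://10.10.25.134:8001 --insecure-skip-tls-verify=true",
    "kubectl config set-context cfc --cluster=cfc",
    "kubectl config set-credentials user --token=%s" % make_demo_token(DEMO_ISSUED_AT),
    "kubectl config set-context cfc --user=user --namespace=default",
    "kubectl config use-context cfc",
])


def parse_client_config(snippet):
    """Extract server, token, TLS setting and active context from the kubectl config commands."""
    info = {"server": None, "token": None, "insecure_tls": False, "context": None}
    for line in snippet.splitlines():
        args = shlex.split(line)
        if len(args) < 3 or args[:2] != ["kubectl", "config"]:
            continue
        for arg in args[3:]:
            if arg.startswith("--server="):
                info["server"] = arg.split("=", 1)[1]
            elif arg.startswith("--token="):
                info["token"] = arg.split("=", 1)[1]
            elif arg in ("--insecure-skip-tls-verify", "--insecure-skip-tls-verify=true"):
                info["insecure_tls"] = True
        if args[2] == "use-context" and len(args) > 3:
            info["context"] = args[3]
    return info


def token_claims(token):
    """Decode the JWT payload segment. No signature check: informational only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64 padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def review_client_config(snippet, now=None):
    """Return findings a practitioner wants before trusting the snippet."""
    now = int(time.time()) if now is None else now
    info = parse_client_config(snippet)
    findings = []
    if info["insecure_tls"]:
        findings.append("TLS verification disabled for %s: prefer --certificate-authority=<cluster-ca.crt>"
                        % info["server"])
    claims = token_claims(info["token"])
    remaining = claims["exp"] - now
    if remaining <= 0:
        findings.append("token for %s has expired" % claims["sub"])
    else:
        findings.append("token for %s issued by %s expires in %dh"
                        % (claims["sub"], claims["iss"], remaining // 3600))
    return findings


if __name__ == "__main__":
    for finding in review_client_config(DEMO_SNIPPET, now=DEMO_ISSUED_AT + 3600):
        print(finding)
```

    Decoding the claims tells you the token's lifetime (twelve hours in the constructed sample, which matches the iat/exp spacing of real console tokens), so you know when kubectl will start failing with 401 and when a leaked snippet stops being dangerous; it does not tell you the token is genuine, which only the issuer's public key can.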


  5. Check and Change Calico's MTU

    IBM Cloud Private uses Calico to manage pod network traffic. Calico is a scalable network fabric that can run an IP-in-IP overlay, in which each pod packet is wrapped in an additional 20-byte IPv4 header. The tunnel interface (tunl0 below) must therefore have a maximum transmission unit (MTU) at least 20 bytes smaller than the smallest MTU of the underlying interfaces on every node in the IBM Cloud Private cluster; otherwise encapsulated packets exceed the link MTU and are fragmented or silently dropped.
    To check the MTU values for each network interface, run this command on the master node of your cluster, and repeat it on each worker node, since the lowest value found anywhere governs the tunnel MTU:

    ip addr | grep mtu

    Review its output:

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
    3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    4: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN group default qlen 1
    5: calif54cb664aca@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    6: calia008485a90e@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    7: cali9a454650cae@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    8: cali25d211466b3@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    9: cali0a68687358d@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default

    Scan the output for the interface with the lowest MTU value, excluding the tunl0 interface itself. In this case, the ens3 interface has the lowest MTU value. Its MTU is 1450 bytes, and the MTU for tunl0, the tunnel, is 1440 bytes. Because of the 20-byte IP-in-IP header that Calico adds, the MTU of the tunl0 interface must be reduced to 1430 to avoid packets being lost.

    To reduce the MTU size, download mtu.yaml from GitHub, and set the container arg value to 1430. The MTU size parameter is on line 22 of mtu.yaml.


    The image name on line 45 of mtu.yaml references a placeholder. You must replace this image name parameter with the name of the calico-ctl image that IBM Cloud Private uses. Determine the image name by running the following command:

    kubectl get job configure-calico-mtu --namespace=kube-system -o yaml | grep "image:"

    The image value displays something like:

    image: registry.ng.bluemix.net/mdelder/calico-ctl:v1.2.1

    Specify the image name in line 45 of mtu.yaml.

    To apply these changes to your environment, run this command:

    kubectl apply -f mtu.yaml
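
    The arithmetic in this step is easy to get wrong when several nodes have different NICs, so here is a small checker as an added example; it is not part of the recipe or of Calico. It parses `ip addr | grep mtu` output (the sample below is constructed from the shape of the output shown above), finds the smallest underlay MTU, subtracts the 20-byte IP-in-IP overhead, and reports whether the current tunl0 MTU is acceptable. It also generalizes to a whole cluster by taking the minimum across per-node outputs, which the text only implies.

```python
import re

IPIP_OVERHEAD = 20  # bytes added by Calico's IP-in-IP outer IPv4 header

# Constructed sample in the shape of `ip addr | grep mtu` on a master node.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
4: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN group default qlen 1
5: calif54cb664aca@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
6: calia008485a90e@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
"""

# "4: tunl0@NONE: <NOARP,...> mtu 1440 ..." -> name=tunl0, mtu=1440
LINE_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<[^>]*>\s+mtu\s+(?P<mtu>\d+)")


def parse_mtus(text):
    """Map interface name -> MTU from `ip addr` output."""
    mtus = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            mtus[match.group("name")] = int(match.group("mtu"))
    return mtus


def underlay_mtu(mtus, tunnel="tunl0"):
    """Smallest MTU among the interfaces that may carry tunnel packets.
    Loopback and the tunnel itself are excluded, as in the text."""
    candidates = [mtu for name, mtu in mtus.items() if name not in ("lo", tunnel)]
    return min(candidates)


def required_tunnel_mtu(mtus, tunnel="tunl0"):
    """Largest tunnel MTU that still fits inside the smallest underlay MTU."""
    return underlay_mtu(mtus, tunnel) - IPIP_OVERHEAD


def check_tunnel_mtu(text, tunnel="tunl0"):
    """Compare the current tunnel MTU on one node against the required value."""
    mtus = parse_mtus(text)
    required = required_tunnel_mtu(mtus, tunnel)
    current = mtus[tunnel]
    return {"current": current, "required": required, "ok": current <= required}


def required_tunnel_mtu_cluster(outputs_by_node, tunnel="tunl0"):
    """Cluster-wide value to put in mtu.yaml: the minimum over every node's output."""
    return min(required_tunnel_mtu(parse_mtus(text), tunnel) for text in outputs_by_node.values())


if __name__ == "__main__":
    print(check_tunnel_mtu(SAMPLE_IP_ADDR))
```

    Run the `ip addr | grep mtu` command on every node, collect the outputs, and feed them to required_tunnel_mtu_cluster; the value it returns is the one to set on line 22 of mtu.yaml. A tunl0 MTU that is lower than required wastes a little payload per packet but is safe, whereas one that is higher is what causes the lost messages the text describes.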
  6. Install Istio with Helm

    Return to the IBM Cloud Private dashboard.
    Open the navigation menu and click System.

    Dashboard menu - system

    Click Repositories, then click Add Repository.

    Add Repository

    Add a repository with the name “incubator” and URL https://storage.googleapis.com/kubernetes-charts-incubator. (The dialog in the original recipe used the http:// form of the same address; prefer https so that the chart index and packages are not fetched over an unauthenticated connection.)

    Add repository dialog

    Open the navigation menu and click App Center.

    App Center

    Locate the Istio package and click Install Package on its tile. The configuration page displays.

    Istio in App Center

    Scroll to the bottom, enable rbac.install, and click Review and Install. Review the settings and click Install.

    Istio Install Options

  7. Verify that the Istio Pods are Running

    Before you test Istio, every Istio pod must be running. The chart in this recipe installs into the default namespace:

    kubectl get pod --namespace default

    In the command output, confirm that each pod has the Running status and that its READY column shows all containers ready (for example 1/1 or 2/2).

    NAME READY STATUS RESTARTS AGE
    dealing-dragon-istio-ca-1445500396-2j0cr 1/1 Running 0 19h
    dealing-dragon-istio-egress-1922593265-kwfvg 1/1 Running 0 19h
    dealing-dragon-istio-grafana-75673227-mpqj5 1/1 Running 0 19h
    dealing-dragon-istio-ingress-900258805-ld3wl 1/1 Running 0 19h
    dealing-dragon-istio-istio-pilot-2560511672-gzk3t 2/2 Running 0 19h
    dealing-dragon-istio-mixer-3369964069-q256v 1/1 Running 0 19h
    dealing-dragon-istio-prometheus-2187359241-zk9jw 1/1 Running 0 19h
    dealing-dragon-istio-servicegraph-2575582838-9vdrs 1/1 Running 0 19h
    dealing-dragon-istio-zipkin-2224140931-8khrr 1/1 Running 0 19h
  8. Install the Istio CLI

    Install istioctl, the Istio CLI. Run the following commands or follow the full installation instructions. The first command downloads an installer script and runs it immediately; on a workstation you care about, download the script to a file first, read it, and then run it. Use the istioctl release that matches the Istio version the Helm chart installed, because a mismatched istioctl can inject a sidecar that the installed control plane does not support.

    Download the Istio release:

    curl -L https://git.io/getIstio | sh -

    Add istioctl to your local path:

    sudo cp istio-*/bin/istioctl /usr/local/bin
  9. Validate the Istio Install

    BookInfo is the sample application that ships with Istio. You can use it to validate that your installation of Istio is working correctly.

    To install the BookInfo app, run this command:

    kubectl apply -f <(istioctl kube-inject -f istio-*/samples/apps/bookinfo/bookinfo.yaml)

    After the pods initialize, confirm that they are running:

    kubectl get pod --namespace default

    Review the output, and confirm that each pod has the Running status. The BookInfo pods show 2/2 in the READY column because istioctl kube-inject added an istio-proxy sidecar container next to each application container; a BookInfo pod showing 1/1 was not injected.

    NAME READY STATUS RESTARTS AGE
    dealing-dragon-istio-ca-1445500396-2j0cr 1/1 Running 0 19h
    dealing-dragon-istio-egress-1922593265-kwfvg 1/1 Running 0 19h
    dealing-dragon-istio-grafana-75673227-mpqj5 1/1 Running 0 19h
    dealing-dragon-istio-ingress-900258805-ld3wl 1/1 Running 0 19h
    dealing-dragon-istio-istio-pilot-2560511672-gzk3t 2/2 Running 0 19h
    dealing-dragon-istio-mixer-3369964069-q256v 1/1 Running 0 19h
    dealing-dragon-istio-prometheus-2187359241-zk9jw 1/1 Running 0 19h
    dealing-dragon-istio-servicegraph-2575582838-9vdrs 1/1 Running 0 19h
    dealing-dragon-istio-zipkin-2224140931-8khrr 1/1 Running 0 19h
    productpage-v1-1440812148-2tpnf 2/2 Running 0 19h
    ratings-v1-3755476866-9gz7p 2/2 Running 0 19h
    reviews-v1-3728017321-4x1qx 2/2 Running 0 19h
    reviews-v2-196544427-mz6wp 2/2 Running 0 19h
    reviews-v3-959055789-npcln 2/2 Running 0 19h
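
    The two pod listings in steps 7 and 9 are normally read by eye, but the checks are mechanical, so here is an added example that performs them; it is not part of the recipe or of Istio. It parses the table printed by `kubectl get pod`, lists pods that are not Running or not fully ready, and flags application pods (anything not carrying the Helm release prefix) that have a single container and therefore no sidecar. The sample table copies some healthy rows from the output above and adds two constructed failing rows; the release prefix dealing-dragon-istio- is the one from this page and will differ in your cluster. The container-count test is a heuristic; the definitive check is `kubectl get pod <name> -o jsonpath='{.spec.containers[*].name}'`, which should list istio-proxy.

```python
RELEASE_PREFIX = "dealing-dragon-istio-"  # Helm release name from this page; yours differs

# Constructed sample in the shape of `kubectl get pod --namespace default`.
# The last two rows are made up: one pod still starting, one without a sidecar.
SAMPLE_POD_TABLE = """\
NAME READY STATUS RESTARTS AGE
dealing-dragon-istio-ca-1445500396-2j0cr 1/1 Running 0 19h
dealing-dragon-istio-ingress-900258805-ld3wl 1/1 Running 0 19h
dealing-dragon-istio-istio-pilot-2560511672-gzk3t 2/2 Running 0 19h
dealing-dragon-istio-mixer-3369964069-q256v 1/1 Running 0 19h
productpage-v1-1440812148-2tpnf 2/2 Running 0 19h
reviews-v1-3728017321-4x1qx 2/2 Running 0 19h
ratings-v1-3755476866-9gz7p 1/2 ContainerCreating 0 5s
details-v1-1520924117-z9s0m 1/1 Running 0 5s
"""


def parse_pod_table(text):
    """Turn the five-column kubectl table into a list of dicts."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        name, ready, status, restarts, _age = line.split()
        have, want = (int(part) for part in ready.split("/"))
        rows.append({"name": name, "ready": have, "containers": want,
                     "status": status, "restarts": int(restarts)})
    return rows


def not_ready(rows):
    """Pods that are not Running, or Running with some containers not ready."""
    return [r["name"] for r in rows
            if r["status"] != "Running" or r["ready"] != r["containers"]]


def missing_sidecar(rows, prefix=RELEASE_PREFIX):
    """Application pods (not part of the Istio release) with only one container,
    i.e. pods that were applied without istioctl kube-inject. Heuristic only."""
    return [r["name"] for r in rows
            if not r["name"].startswith(prefix) and r["containers"] < 2]


def healthy(rows, prefix=RELEASE_PREFIX):
    """True when every pod is ready and every application pod carries a sidecar."""
    return not not_ready(rows) and not missing_sidecar(rows, prefix)


if __name__ == "__main__":
    pods = parse_pod_table(SAMPLE_POD_TABLE)
    print("not ready:", not_ready(pods))
    print("no sidecar:", missing_sidecar(pods))
    print("healthy:", healthy(pods))
```

    Feed it the real output with `kubectl get pod --namespace default | python3 check_pods.py` after replacing the sample with `sys.stdin.read()`; a non-empty not_ready list usually just means you need to wait, whereas a non-empty missing_sidecar list means the application manifest was applied without kube-inject and Istio is not on that pod's traffic path at all.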

    The istio-ingress pod is a front-end Envoy proxy. The ingress pod and its associated service act as the gateway between the outside world and Istio-enabled applications. To reach the BookInfo application you need a public address of a cluster node and the NodePort on which the istio-ingress service is exposed. The commands below set both (check `kubectl get svc` for the exact service name; the chart may prefix it with the release name as it does for the pods):

    export PUBLIC_ADDRESS=<master node's public address>
    export PUBLIC_PORT=$(kubectl get svc istio-ingress -o 'jsonpath={.spec.ports[0].nodePort}')
    export GATEWAY_URL=$PUBLIC_ADDRESS:$PUBLIC_PORT

    Run the following command:

    curl -o /dev/null -s -w "%{http_code}\n" http://${GATEWAY_URL}/productpage

    If the command returns 200, the sidecar injection worked and the Istio ingress is routing to the BookInfo productpage. Note that this path is plain HTTP on a NodePort; configuring TLS on the Istio ingress is a separate step that this recipe does not cover.

    If you navigate to the URL that is in the curl command, a page like this one displays:

    Bookinfo frontend

  10. Conclusion

    IBM Cloud Private is a Kubernetes-based cloud platform. Running Istio within IBM Cloud Private provides traffic management, policy enforcement and telemetry for running applications with minimal additional configuration; encrypting traffic between services additionally requires enabling Istio's mutual TLS option, which this recipe does not cover. Another example of using Istio can be found in @todkap’s article Istio is not just for Microservices.

2 comments on "Running Istio on IBM Cloud Private"

  1. Hi Jesse, could you post steps to enable TLS for the Istio ingress, BookInfo and Istio add-on applications?
