Istio Service Mesh

Shifting to a microservice-based architecture delivers numerous benefits for building distributed fault-tolerant applications. However, this approach also introduces many challenges, such as security, network tracing, and traffic routing that are often left to the application developer to code. This can lead to inconsistent and fragmented implementation. A service mesh is designed to solve these problems.

A service mesh is a network of microservices that consists of applications and interactions between those applications. Istio provides both a transparent open-source service mesh that overlays onto existing distributed applications and a platform that includes APIs for integration with any logging, telemetry, or policy system. For a detailed description of Istio features, see What is Istio? (link opens an external website in a new browser tab/window).

This article includes the following topics:

Deploying Istio on HPE Ezmeral Container Platform

HPE Ezmeral Container Platform includes two implementations of Istio:

  • Kubeflow 1.1, which supports Istio 1.3.1 for managing ingress/egress traffic for Kubeflow components. It also integrates Dex for user authentication and authorization.

  • Standalone, which can be used for Kubernetes clusters EXCEPT the following:

    • A cluster that is or will be running Kubeflow. Do not enable Istio when creating or editing a Kubernetes cluster that will be running Kubeflow because doing so creates a conflict with the instance of Istio that is included in Kubeflow.
    • An HPE Ezmeral Data Fabric cluster. Do not enable Istio when creating or editing a Data Fabric cluster. Although Istio Service Mesh is suitable for clusters that host compute workloads, Istio Service Mesh is not supported on Data Fabric clusters.

Istio Service Mesh can be enabled while creating or editing Kubernetes clusters deployed by HPE Ezmeral Container Platform. You can also enable or disable Istio Service Mesh and enable mTLS for each tenant within the cluster.

To deploy Istio in a Kubernetes cluster inside HPE Ezmeral Container Platform, perform the following steps.

Step One: Add or Assign Istio Ingress Gateway Nodes

All Istio-enabled Kubernetes clusters require one or more Istio Ingress gateway(s) to be configured to allow incoming traffic into the mesh. To add one or more Istio Ingress Gateway node(s), you may either:

Note: If you are not using the web interface, then mtls mode must have a valid value even if Istio is not enabled.

Adding an Istio Ingress Gateway node automatically creates a key value pair for that node, if you added a public SSH key when adding the node. See Kubernetes Host Step 1: Add the Public SSH Key.

Step Two: Create or Edit a Kubernetes Cluster

While creating or editing a Kubernetes cluster, check the Istio check box in the Application Configurations screen. See Creating a New Kubernetes Cluster and Editing an Existing Kubernetes Cluster.

CAUTION: Do not select Istio if you are creating an HPE Ezmeral Data Fabric cluster or a cluster that will be running Kubeflow.

Add-ons with Istio selected

Step Three: Enable/Disable Istio Injection

While creating or editing a Kubernetes tenant:

  1. Check the Enable Istio Service Mesh check box in the Create New Kuberentes Tenant or Edit K8s Tenant screen. See Creating a New Kubernetes Tenant and Editing an Existing Kubernetes Tenant.

    The Manual TLS Mode pull-down menu appears, which allows you to specify the security level to apply to envoy communications.

  2. Select one of the following options:
    • Disable: Service mesh communication will not be encrypted.
    • Permissive: Envoys will accept either plain or TLS-enabled communications. This is the default setting. You can use this setting while creating or migrating workloads and then switch to the Strict level later.
    • Strict: Envoys only accept TLS-enabled communications.
Note: Assigning multiple node(s) as Istio Ingress Gateways adds load balancing for improved performance in large deployments.

Step 4: Add Applications

After creating the Kubernetes cluster and tenant:

Visualizing Services

To access Kiali visualization for the Istio service mesh:

  1. Open the Service Endpoints tab of the Kubernetes Applications screen. See Service Endpoints Tab.
  2. Click the endpoint you want to add.

    The Kiali dashboard... popup appears.

  3. Copy the token to your clipboard.
  4. Click the Proceed to Kiali Dashboard button.

    The Log in Kiali screen appears.

  5. Paste the token you copied into the Token field, and then click the Log In button.

    The Kiali Overview screen appears.

Please refer to the Kiali documentation for instructions on using Kiali (link opens an external website in a new browser tab/window).