Secure Exposure of Istio Services with APISIX Ingress

admin, 2025-01-12


This article shows, step by step, how to use the Istio service mesh together with Apache APISIX (the Helm charts come from charts.apiseven.com, the Apache APISIX chart repository) to expose services running in a mesh-enabled Kubernetes cluster to clients outside the cluster.

Service Mesh

As cloud-native technology has matured, service meshes have become popular in the microservices field. The best-known implementations are Istio and Linkerd.

The following diagram is a schematic of a service mesh: a sidecar proxy is deployed next to each microservice, and all communication between services goes through these proxies.

The diagram above shows that a service mesh is mainly concerned with east-west traffic in the traditional sense, i.e., traffic between services. When a service mesh is used with Kubernetes, east-west traffic corresponds to traffic inside the Kubernetes cluster.

In real-world scenarios we do not only deal with traffic inside the Kubernetes cluster: in most cases some services must be exposed outside the cluster for users or other systems to consume. When exposing services in this way, we also have to consider security and observability, so the entry point into the cluster deserves the same care as the mesh itself.

Below we show how to securely expose services in a mesh-enabled Kubernetes cluster to the outside using the Istio service mesh and Apache APISIX.

Step 1: Prepare the Kubernetes cluster

Here we use Kind to create a temporary local cluster for demonstration purposes. Refer to the official Kind documentation for how to install the kind command.

The following YAML configuration file creates the demo cluster (one control-plane node and three workers); save it as kind-config.yaml.

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker
- role: worker
- role: worker

Then use this configuration file to create a cluster.

(MoeLove) ➜ kind create cluster --config kind-config.yaml
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.22.2) 🖼
 ✓ Preparing nodes 📦 📦 📦 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing CNI 🔌
 ✓ Installing StorageClass 💾
 ✓ Joining worker nodes 🚜
Set kubectl context to "kind-kind"
You can now use your cluster with:

kubectl cluster-info --context kind-kind

Not sure what to do next? 😅  Check out https://kind.sigs.k8s.io/docs/user/quick-start/

Step 2: Deploy Istio

After the Kubernetes cluster is created, let's deploy Istio.

First, create a directory named apisix-istio, enter it, and download Istio with the official download script. Piping a remote script into sh is acceptable for a throwaway demo cluster; for a real environment, download the release tarball from the GitHub releases page and verify its checksum before unpacking it.

(MoeLove) ➜ mkdir apisix-istio
(MoeLove) ➜ cd apisix-istio
(MoeLove) ➜ curl -sL https://istio.io/downloadIstio | sh -
Downloading istio-1.12.1 from https://github.com/istio/istio/releases/download/1.12.1/istio-1.12.1-linux-amd64.tar.gz ...
Istio 1.12.1 Download Complete!
Istio has been successfully downloaded into the istio-1.12.1 folder on your system.
Next Steps:
See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster.
To configure the istioctl client tool for your workstation,
add the /root/apisix-istio/istio-1.12.1/bin directory to your environment path variable with:
         export PATH="$PATH:/root/apisix-istio/istio-1.12.1/bin"
Begin the Istio pre-installation check by running:
         istioctl x precheck
Need more information? Visit https://istio.io/latest/docs/setup/install/

When the download finishes, a directory named istio-1.12.1 exists in the current directory. Follow the instructions printed by the download script: add its bin directory to PATH and run the pre-installation check.

(MoeLove) ➜ ls
istio-1.12.1
(MoeLove) ➜ export PATH="$PATH:/root/apisix-istio/istio-1.12.1/bin"
(MoeLove) ➜ istioctl x precheck
✔ No issues found when checking the cluster. Istio is safe to install or upgrade!
  To get started, check out https://istio.io/latest/docs/setup/getting-started/

Next comes the actual installation. Passing --set profile=minimal installs only the control plane (istiod); no Istio ingress or egress gateway is deployed, because APISIX will act as the entry point into the cluster in this setup.

(MoeLove) ➜ istioctl install --set profile=minimal -y
✔ Istio core installed
✔ Istiod installed
✔ Installation complete
Making this installation the default for injection and validation.
Thank you for installing Istio 1.12.  Please take a few minutes to tell us about your install/upgrade experience!  https://forms.gle/FegQbc9UvePd4Z9z7

Finally, check the deployment status; the istiod Pod should be Running.

(MoeLove) ➜ kubectl -n istio-system get pods
NAME                      READY   STATUS    RESTARTS   AGE
istiod-58d79b7bff-g66cv   1/1     Running   0          1m

Step 3: Deploy Apache APISIX

Next, we deploy Apache APISIX.

First create a Namespace named apisix-istio and enable automatic sidecar injection for it by adding the istio-injection=enabled label. Injection happens when a Pod is created, so the label must be in place before APISIX is installed.

(MoeLove) ➜ kubectl create ns apisix-istio
namespace/apisix-istio created
(MoeLove) ➜ kubectl label namespace apisix-istio istio-injection=enabled
namespace/apisix-istio labeled

Next, add the APISIX Helm repository and use Helm to deploy Apache APISIX together with the APISIX Ingress Controller. The ingress controller is pointed at the APISIX admin Service (apisix-istio-admin) in the same namespace. Note that gateway.type=NodePort opens the gateway port on every node of the cluster; that is convenient for this local Kind demo, but in a real deployment the node port should be reachable only through a load balancer or firewall rule, and the admin Service must stay internal.

(MoeLove) ➜ helm repo add apisix https://charts.apiseven.com
"apisix" has been added to your repositories
(MoeLove) ➜ helm install apisix-istio apisix/apisix --set gateway.type=NodePort --set ingress-controller.enabled=true --set ingress-controller.config.apisix.serviceNamespace=apisix-istio --set ingress-controller.config.apisix.serviceName=apisix-istio-admin --namespace apisix-istio
NAME: apisix-istio
LAST DEPLOYED: Wed Dec 15 14:16:33 2021
NAMESPACE: apisix-istio
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
1. Get the application URL by running these commands:
  export NODE_PORT=$(kubectl get --namespace apisix-istio -o jsonpath="{.spec.ports[0].nodePort}" services apisix-istio-gateway)
  export NODE_IP=$(kubectl get nodes --namespace apisix-istio -o jsonpath="{.items[0].status.addresses[0].address}")
  echo http://$NODE_IP:$NODE_PORT

After the command returns, wait for all Pods in the namespace to become Ready with the following command.

(MoeLove) ➜ kubectl -n apisix-istio wait --for=condition=Ready pods --all
pod/apisix-istio-7bdfcb4bd9-89jcn condition met
pod/apisix-istio-etcd-0 condition met
pod/apisix-istio-etcd-1 condition met
pod/apisix-istio-etcd-2 condition met
pod/apisix-istio-ingress-controller-5fcbb75b8c-b4nnc condition met

All Pods are now running. Next, let's test and verify the deployment.
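Two things are worth verifying before moving on to functional tests: that every Pod in the namespace actually received the istio-proxy sidecar (otherwise its traffic bypasses the mesh), and that only the gateway Service is reachable from outside the cluster while the admin API Service stays ClusterIP. The following POSIX sh script is an added example for this article, not code from the APISIX or Istio projects; it assumes the namespace and Service names used in the Helm install above (apisix-istio, apisix-istio-admin), and the sample listings embedded in it are constructed, not real cluster output. Run it with --live against a cluster, or with no arguments to exercise the checks on the samples.

```shell
#!/bin/sh
# Added example (not part of the original article): post-install checks for
# the apisix-istio namespace. Each check consumes the text that a kubectl
# command prints, so the same functions run on captured output and live.
# Assumptions: namespace "apisix-istio" and admin Service "apisix-istio-admin"
# as created above; the SAMPLE_* listings below are constructed for the demo.

NS="${NS:-apisix-istio}"
TAB="$(printf '\t')"

# Check 1: the namespace label that turns on automatic sidecar injection.
# Argument: the value of .metadata.labels.istio-injection on the namespace.
check_injection_label() {
    [ "$1" = "enabled" ]
}

# Check 2: every Pod carries the istio-proxy sidecar. Pods created before the
# label was applied, or opted out via annotation, have no sidecar and their
# traffic bypasses mTLS, policy and telemetry.
# stdin lines: "<pod name><TAB><container names separated by spaces>"
check_sidecars() {
    missing=0
    while IFS="$TAB" read -r pod containers; do
        [ -z "$pod" ] && continue
        case " $containers " in
            *" istio-proxy "*) ;;
            *)
                echo "pod $pod has no istio-proxy sidecar" >&2
                missing=$((missing + 1))
                ;;
        esac
    done
    [ "$missing" -eq 0 ]
}

# Check 3: only the gateway may be exposed. The Helm values above make the
# gateway a NodePort Service; the admin API Service (*-admin) must remain
# ClusterIP, otherwise anyone who can reach a node port can rewrite routes.
# stdin lines: "<service name><TAB><service type>"
check_admin_not_exposed() {
    exposed=0
    while IFS="$TAB" read -r svc type; do
        [ -z "$svc" ] && continue
        case "$svc" in
            *-admin)
                if [ "$type" != "ClusterIP" ]; then
                    echo "admin Service $svc is exposed as $type" >&2
                    exposed=$((exposed + 1))
                fi
                ;;
        esac
    done
    [ "$exposed" -eq 0 ]
}

# Constructed sample listings (not real cluster output). The Pod names mirror
# those printed by the wait command above; the Service names follow the chart.
SAMPLE_PODS="$(printf 'apisix-istio-7bdfcb4bd9-89jcn\tapisix istio-proxy\napisix-istio-etcd-0\tetcd istio-proxy')"
SAMPLE_SVCS="$(printf 'apisix-istio-admin\tClusterIP\napisix-istio-gateway\tNodePort')"

# Runs all three checks on the samples; returns 0 only if every check passes.
run_offline_demo() {
    check_injection_label enabled \
        && printf '%s\n' "$SAMPLE_PODS" | check_sidecars \
        && printf '%s\n' "$SAMPLE_SVCS" | check_admin_not_exposed
}

if [ "${1:-}" = "--live" ]; then
    # Live mode: feed real kubectl output into the same checks.
    check_injection_label "$(kubectl get ns "$NS" -o jsonpath='{.metadata.labels.istio-injection}')" \
        || { echo "namespace $NS is not labelled istio-injection=enabled" >&2; exit 1; }
    kubectl get pods -n "$NS" \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}' \
        | check_sidecars || exit 1
    kubectl get svc -n "$NS" \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.type}{"\n"}{end}' \
        | check_admin_not_exposed || exit 1
    echo "all checks passed for namespace $NS"
else
    run_offline_demo && echo "offline demo passed on constructed samples"
fi
```

The sidecar check is worth repeating after any later rollout in the namespace: injection is decided at Pod creation time, so a Pod started before the label existed, or one that carries an injection opt-out annotation, silently stays outside the mesh even though the namespace is labelled.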

Testing

Simple test

When we deployed Apache APISIX with Helm earlier, we set the gateway Service type to NodePort, so APISIX can be reached directly on a node port with the following command.

