Getting Started - Prepare Your Environment ## Exercise 1 - Accessing your Kubernetes Cluster ## Exercise 2 - Installing Istio ## Exercise 3 - Deploy Guestbook with Istio Proxy ## Exercise 4 - Expose the service mesh with the Istio Ingress Gateway ## Exercise 5 - Telemetry ## Exercise 6 - Traffic Management ## Exercise 7 - Security
The components deployed on the service mesh by default are not exposed outside the cluster. External access to individual services so far has been provided by creating an external load balancer or node port on each service.
An Ingress Gateway resource can be created to allow external requests through the Istio Ingress Gateway to the backing services.
-
Configure the guestbook default route with the Istio Ingress Gateway. The
guestbook-gateway.yaml
file is in this repository (istio101) in theworkshop/plans
directory.cd ../../plans kubectl create -f guestbook-gateway.yaml
-
Get the EXTERNAL-IP of the Istio Ingress Gateway.
kubectl get service istio-ingressgateway -n istio-system
Output:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE istio-ingressgateway LoadBalancer 172.21.254.53 169.6.1.1 80:31380/TCP,443:31390/TCP,31400:31400/TCP 1m 2d
-
Make note of the external IP address that you retrieved in the previous step, as it will be used to access the Guestbook app in later parts of the course. Create an environment variable called $INGRESS_IP with your IP address.
Example:
export INGRESS_IP=169.6.1.1
NLB host names are the DNS host names you can generate for each IBM Cloud Kubernetes deployment exposed with the Network LoadBalancer(NLB) service. These host names come with SSL certificate, the DNS registration, and health checks so you can benefit from them for any deployments that you expose via the NLB on IBM Cloud Kubernetes Service.
For example, you can run the IBM Cloud Kubernetes Service ALB, an API gateway of your choice, an Istio ingress gateway, and an MQTT server in parallel in your IBM Cloud Kubernetes Service cluster. Each one will have its own:
- Publicly available wildcard host name
- Wildcard SSL certificate associated with the host name
- Health checks that you can configure if you use multizone deployments.
Let's leverage this feature with Istio ingress gateway:
-
Switch back the
ibmcloud
CLI to the IBM Lab account by logging in again:ibmcloud login
-
From the account list, choose IBM as the Account (NOT your own)
-
Create the NLB host with the Istio ingress gateway's public IP address:
ibmcloud ks nlb-dns create classic --cluster $MYCLUSTER --ip $INGRESS_IP
-
List the NLB host names for your cluster:
ibmcloud ks nlb-dns ls --cluster $MYCLUSTER
Example output:
Hostname IP Health Monitor H.Monitor Status istio1010bin09-0e3e0ef4c9c6d831e8aa6fe01f33bfc4-0000.eu-gb.containers.appdomain.cloud 141.125.94.2 None created istio1010bin09-0e3e0ef4c9c6d831e8aa6fe01f33bfc4-0000 default istio1010bin09-0e3e0ef4c9c6d831e8aa6fe01f33bfc4-0001.eu-gb.containers.appdomain.cloud 141.125.94.6 None pending - default
Note: This list will contain two NLB host names. The first one would be the host name of the Kubernetes ingress, so watch for the correct IP address! (
echo $INGRESS_IP
) -
Make note of the NLB host name, as it will be used to access your Guestbook app in later parts of the course. Create an environment variable for it and test using curl or visit in your browser.
Example:
export NLB_HOSTNAME=istio1010bin09-0e3e0ef4c9c6d831e8aa6fe01f33bfc4-0001.eu-gb.containers.appdomain.cloud
curl $NLB_HOSTNAME
-
Enable health check of the NLB host for Istio ingress gateway:
ibmcloud ks nlb-dns monitor configure --cluster $MYCLUSTER --nlb-host $NLB_HOSTNAME --type HTTP --description "Istio ingress gateway health check" --path "/healthz/ready" --port 15020 --enable
-
Monitor the health check of the NLB host for Istio ingress gateway:
ibmcloud ks nlb-dns monitor status --cluster $MYCLUSTER
After waiting for a bit, you should start to see the health monitor's status changed to Enabled.
Example output:
Hostname IP Health Monitor H.Monitor Status istio1010bin09-0e3e0ef4c9c6d831e8aa6fe01f33bfc4-0001.eu-gb.containers.appdomain.cloud 169.1.1.1 Enabled Healthy
Congratulations! You extended the base Ingress features by providing a DNS entry to the Istio service.
You can now access the Guestbook app using the (somewhat complicated) URL of the NLB_HOSTNAME. In real life you would now map this URL to your own website URL.