Deploying Istio Service Mesh

This topic describes how to deploy Istio Service Mesh on a Kubernetes cluster in HPE Ezmeral Runtime Enterprise.

Prerequisites

Required access rights: Kubernetes Administrator

You have chosen a Kubernetes cluster for which cluster-level installation of Istio is appropriate. For information about the kinds of Kubernetes clusters on which you can use this procedure to deploy Istio Service Mesh, see Istio Service Mesh.

About this task

You can deploy Istio Service Mesh while creating or editing Kubernetes clusters in HPE Ezmeral Runtime Enterprise. You can also enable or disable Istio Service Mesh and enable mTLS for each tenant within the cluster.

NOTE

If you are not using the HPE Ezmeral Runtime Enterprise web interface to create or edit the Kubernetes cluster, then mtls mode must have a valid value, even if Istio is not enabled.

Procedure

  1. Add or assign Istio Ingress gateway nodes.

    To allow incoming traffic into the mesh, all Istio-enabled Kubernetes clusters require one or more Istio Ingress gateways. Assigning multiple nodes as Istio Ingress Gateways adds load balancing for improved performance in large deployments.



    If you added a public SSH key when adding the node, adding an Istio Ingress Gateway node automatically creates a key value pair for that node. See Kubernetes Host Step 1: Add the Public SSH Key.

  2. Create or edit a Kubernetes cluster, and during the cluster creation or editing process, on the Application Configurations screen, select Istio.

    IMPORTANT

    This step deploys "standalone" Istio on the Kubernetes cluster. Not all Kubernetes clusters support the use of standalone Istio. See Istio Service Mesh.

    For detailed information about creating or editing Kubernetes clusters, see Creating a New Kubernetes Cluster or Editing an Existing Kubernetes Cluster.

    For example:

    [Figure: Add-ons with Istio selected]

  3. When creating or editing a Kubernetes tenant, enable Istio Service Mesh and set the Mutual TLS Mode.

    Mutual TLS Mode specifies the security level to apply to Envoy communications.

    For detailed instructions, see one of the following:

  4. Add Kubernetes applications as described in Deploying Applications and Onboarding Applications.
  5. Access Istio virtual services using the Virtual Endpoints tab of the Kubernetes Applications screen.
