Virtual Machine Installation
Follow this guide to deploy Istio and connect a virtual machine to it.
This guide is tested and validated but note that VM support is still an alpha feature not recommended for production.
Prerequisites
- Download the Istio release
- Perform any necessary platform-specific setup
- Check the requirements for Pods and Services
- Virtual machines must have IP connectivity to the ingress gateway in the connecting mesh, and optionally every pod in the mesh via L3 networking if enhanced performance is desired.
Prepare the guide environment
- Create a virtual machine
- Set the environment variables VM_APP, WORK_DIR, VM_NAMESPACE, and SERVICE_ACCOUNT (e.g., WORK_DIR="${HOME}/vmintegration"):
$ VM_APP="<the name of the application this VM will run>"
$ VM_NAMESPACE="<the name of your service namespace>"
$ WORK_DIR="<a certificate working directory>"
$ SERVICE_ACCOUNT="<name of the Kubernetes service account you want to use for your VM>"
Create the working directory:
$ mkdir -p "${WORK_DIR}"
Install the Istio control plane
Install Istio and expose the control plane so that your virtual machine can access it.
Install Istio.
Either install Istio with the default configuration:
$ istioctl install
or, to enable automated WorkloadEntry creation (this feature is actively in development and is considered pre-alpha), install with autoregistration turned on in the control plane:
$ istioctl install --set values.pilot.env.PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION=true
Deploy the east-west gateway:
$ samples/multicluster/gen-eastwest-gateway.sh --single-cluster | istioctl install -y -f -
Expose the control plane using the provided sample configuration:
$ kubectl apply -f samples/multicluster/expose-istiod.yaml
Configure the VM namespace
Create the namespace that will host the virtual machine:
$ kubectl create namespace "${VM_NAMESPACE}"
Create a serviceaccount for the virtual machine:
$ kubectl create serviceaccount "${SERVICE_ACCOUNT}" -n "${VM_NAMESPACE}"
Create files to transfer to the virtual machine
Create a template WorkloadGroup for the VM(s):
$ istioctl x workload group create --name "${VM_APP}" --namespace "${VM_NAMESPACE}" --labels app="${VM_APP}" --serviceAccount "${SERVICE_ACCOUNT}" > workloadgroup.yaml
If you enabled automated WorkloadEntry creation (actively in development and considered pre-alpha), also push the WorkloadGroup to the cluster so that istiod can create a WorkloadEntry when the VM registers:
$ kubectl --namespace "${VM_NAMESPACE}" apply -f workloadgroup.yaml
Use the istioctl x workload entry command to generate:
- cluster.env: Contains metadata that identifies what namespace, service account, network CIDR and (optionally) what inbound ports to capture.
- istio-token: A Kubernetes token used to get certs from the CA.
- mesh.yaml: Provides additional Istio metadata including network name, trust domain and other values.
- root-cert.pem: The root certificate used to authenticate.
- hosts: An addendum to /etc/hosts that the proxy will use to reach istiod for xDS.*
* A sophisticated option involves configuring DNS within the virtual machine to reference an external DNS server. This option is beyond the scope of this guide.
With the default installation:
$ istioctl x workload entry configure -f workloadgroup.yaml -o "${WORK_DIR}"
If you enabled automated WorkloadEntry creation (actively in development and considered pre-alpha), add --autoregister so the generated configuration lets the VM register itself:
$ istioctl x workload entry configure -f workloadgroup.yaml -o "${WORK_DIR}" --autoregister
Configure the virtual machine
Run the following commands on the virtual machine you want to add to the Istio mesh:
Securely transfer the files from "${WORK_DIR}" to the virtual machine. Use an authenticated, encrypted channel (for example scp over ssh) and follow your information security policies: istio-token is a bearer credential that lets its holder obtain workload certificates for "${SERVICE_ACCOUNT}" from the Istio CA, so treat it as a secret both in transit and at rest on the VM. For convenience in this guide, transfer all of the required files to "${HOME}" in the virtual machine.
Install the root certificate at /etc/certs:
$ sudo mkdir -p /etc/certs
$ sudo cp "${HOME}"/root-cert.pem /etc/certs/root-cert.pem
Install the token at /var/run/secrets/tokens:
$ sudo mkdir -p /var/run/secrets/tokens
$ sudo cp "${HOME}"/istio-token /var/run/secrets/tokens/istio-token
Install the package containing the Istio virtual machine integration runtime. Use the package for the same Istio version as the control plane you installed (1.8.0 here), since a mismatched agent and istiod are not guaranteed to interoperate. On Debian-based systems:
$ curl -LO https://storage.googleapis.com/istio-release/releases/1.8.0/deb/istio-sidecar.deb
$ sudo dpkg -i istio-sidecar.deb
On RPM-based systems (e.g., CentOS):
$ curl -LO https://storage.googleapis.com/istio-release/releases/1.8.0/rpm/istio-sidecar.rpm
$ sudo rpm -i istio-sidecar.rpm
Install cluster.env within the directory /var/lib/istio/envoy/:
$ sudo cp "${HOME}"/cluster.env /var/lib/istio/envoy/cluster.env
Install the Mesh Config to /etc/istio/config/mesh:
$ sudo cp "${HOME}"/mesh.yaml /etc/istio/config/mesh
Add the istiod host to /etc/hosts (the hosts file is read from the invoking user's home directory, not root's, because the command runs under sudo):
$ sudo sh -c 'cat $(eval echo ~$SUDO_USER)/hosts >> /etc/hosts'
Transfer ownership of the Istio directories (/etc/certs/, /var/lib/istio/, /etc/istio/ and /var/run/secrets/) to the istio-proxy user created by the package, so the agent can read the token and certificates and write its own state:
$ sudo mkdir -p /etc/istio/proxy
$ sudo chown -R istio-proxy /var/lib/istio /etc/certs /etc/istio/proxy /etc/istio/config /var/run/secrets /etc/certs/root-cert.pem
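The VM-side steps above, collected into one script, as an added example that is not part of the Istio project or this guide. It stages the files from the working directory into the same paths the manual steps use, but adds the checks a practitioner would want: it refuses to run when a file is missing or root-cert.pem is not a PEM certificate, restricts istio-token to owner-only permissions, appends the istiod hosts entry only if it is not already present (the bare `cat hosts >> /etc/hosts` duplicates it on every re-run), and only attempts chown when running as root and the istio-proxy user already exists. The function names, the second "prefix" argument used for a dry run in a scratch directory, and the placeholder file contents in make_sample_workdir are assumptions of this example, not real credentials or Istio output.

```shell
#!/bin/sh
# Added example (not Istio project code): stage the files produced by
# `istioctl x workload entry configure` into the locations the istio-sidecar
# package expects, with sanity checks the manual steps do not make.
set -eu

install_istio_vm_files() {
  src="$1"        # directory holding root-cert.pem, istio-token, cluster.env, mesh.yaml, hosts
  root="${2:-/}"  # filesystem prefix: "/" on a real VM, a scratch dir for a dry run

  # Refuse to proceed if any required file is missing or empty; a half-configured
  # proxy otherwise fails later with a confusing xDS/SDS error.
  for f in root-cert.pem istio-token cluster.env mesh.yaml hosts; do
    [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
  done
  # Catch the wrong file being copied as the trust root.
  grep -q 'BEGIN CERTIFICATE' "$src/root-cert.pem" \
    || { echo "root-cert.pem is not a PEM certificate" >&2; return 1; }

  mkdir -p "$root/etc/certs" "$root/var/run/secrets/tokens" \
           "$root/var/lib/istio/envoy" "$root/etc/istio/config" "$root/etc/istio/proxy"
  cp "$src/root-cert.pem" "$root/etc/certs/root-cert.pem"
  cp "$src/istio-token"   "$root/var/run/secrets/tokens/istio-token"
  cp "$src/cluster.env"   "$root/var/lib/istio/envoy/cluster.env"
  cp "$src/mesh.yaml"     "$root/etc/istio/config/mesh"
  # The token is a bearer credential for the CA: keep it owner-readable only.
  chmod 0600 "$root/var/run/secrets/tokens/istio-token"
  chmod 0644 "$root/etc/certs/root-cert.pem"

  # Append each istiod hosts entry only if absent, so re-running stays idempotent.
  touch "$root/etc/hosts"
  while read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    grep -qxF "$line" "$root/etc/hosts" || echo "$line" >> "$root/etc/hosts"
  done < "$src/hosts"

  # Hand the tree to the proxy user once the istio-sidecar package has created it.
  if [ "$(id -u)" -eq 0 ] && id istio-proxy >/dev/null 2>&1; then
    chown -R istio-proxy "$root/var/lib/istio" "$root/etc/certs" "$root/etc/istio" "$root/var/run/secrets"
  fi
}

# Post-install check: every file in place, token not world-readable, istiod resolvable.
verify_istio_vm_files() {
  root="${1:-/}"
  for f in etc/certs/root-cert.pem var/run/secrets/tokens/istio-token \
           var/lib/istio/envoy/cluster.env etc/istio/config/mesh; do
    [ -s "$root/$f" ] || { echo "missing: $root/$f" >&2; return 1; }
  done
  [ -z "$(find "$root/var/run/secrets/tokens/istio-token" -perm -004)" ] \
    || { echo "istio-token is world-readable" >&2; return 1; }
  grep -q 'istiod' "$root/etc/hosts" || { echo "no istiod entry in $root/etc/hosts" >&2; return 1; }
}

# Constructed stand-in for a WORK_DIR (placeholder values, not real credentials or
# real istioctl output) so the functions can be exercised without a cluster.
make_sample_workdir() {
  d="$1"; mkdir -p "$d"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBsample' '-----END CERTIFICATE-----' > "$d/root-cert.pem"
  printf '%s\n' 'eyJhbGciOiJSUzI1NiJ9.placeholder.signature' > "$d/istio-token"
  printf '%s\n' 'ISTIO_NAMESPACE=vm-ns' 'SERVICE_ACCOUNT=vm-sa' 'ISTIO_SERVICE_CIDR=*' > "$d/cluster.env"
  printf '%s\n' 'defaultConfig:' '  discoveryAddress: istiod.istio-system.svc:15012' > "$d/mesh.yaml"
  printf '%s\n' '203.0.113.10 istiod.istio-system.svc' > "$d/hosts"
}

# Dry run into a scratch prefix. On a real VM, run as root after installing the
# istio-sidecar package:  install_istio_vm_files /home/<user> /
if [ "${1:-}" = "--dry-run" ]; then
  w=$(mktemp -d)
  make_sample_workdir "$w/work"
  install_istio_vm_files "$w/work" "$w/root"
  verify_istio_vm_files "$w/root" && echo "dry run OK under $w/root"
fi
```

Run it with `--dry-run` first to see the resulting tree under a temporary prefix, then source it on the VM and call install_istio_vm_files with the directory you transferred the files to and "/" as the prefix; verify_istio_vm_files / reports anything still wrong before you start the agent.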
Start Istio within the virtual machine
Start the Istio agent:
$ sudo systemctl start istio
Verify Istio Works Successfully
Check the log in /var/log/istio/istio.log. You should see entries similar to the following:
2020-08-21T01:32:17.748413Z info sds resource:default pushed key/cert pair to proxy
2020-08-21T01:32:20.270073Z info sds resource:ROOTCA new connection
2020-08-21T01:32:20.270142Z info sds Skipping waiting for gateway secret
2020-08-21T01:32:20.270279Z info cache adding watcher for file ./etc/certs/root-cert.pem
2020-08-21T01:32:20.270347Z info cache GenerateSecret from file ROOTCA
2020-08-21T01:32:20.270494Z info sds resource:ROOTCA pushed root cert to proxy
2020-08-21T01:32:20.270734Z info sds resource:default new connection
2020-08-21T01:32:20.270763Z info sds Skipping waiting for gateway secret
2020-08-21T01:32:20.695478Z info cache GenerateSecret default
2020-08-21T01:32:20.695595Z info sds resource:default pushed key/cert pair to proxy
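The two log lines that matter in that output are the SDS pushes: "resource:default pushed key/cert pair to proxy" means the agent obtained a workload certificate for the VM's service account using istio-token, and "resource:ROOTCA pushed root cert to proxy" means the trust root from root-cert.pem reached Envoy. The following is an added example, not part of the Istio project, that turns this manual reading of the log into a check you can run on each VM. The function names are this example's own; make_sample_agent_log writes the log lines shown above so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not Istio project code): scriptable reading of the istio-agent
# log. Success means SDS delivered both the workload key/cert (resource:default)
# and the trust root (resource:ROOTCA) to Envoy.
set -eu

# Number of workload cert pushes; more than one over time indicates rotation.
sds_identity_pushes() {
  grep -c 'sds resource:default pushed key/cert pair to proxy' "$1" || true
}

# Number of root cert pushes.
sds_root_pushes() {
  grep -c 'sds resource:ROOTCA pushed root cert to proxy' "$1" || true
}

# Timestamp (first field) of the most recent identity push, or empty if none.
sds_last_identity_push() {
  grep 'resource:default pushed key/cert pair to proxy' "$1" | tail -n 1 | cut -d' ' -f1
}

# Exit 0 when both pushes are present, 1 when either is missing, 2 if the log is unreadable.
sds_log_status() {
  log="${1:-/var/log/istio/istio.log}"
  [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
  ids=$(sds_identity_pushes "$log")
  roots=$(sds_root_pushes "$log")
  last=$(sds_last_identity_push "$log")
  echo "identity cert pushes: $ids (last: ${last:-none}); root cert pushes: $roots"
  if [ "$ids" -gt 0 ] && [ "$roots" -gt 0 ]; then
    return 0
  fi
  echo "SDS has not delivered a complete identity; check istio-token, root-cert.pem and the istiod hosts entry" >&2
  return 1
}

# Constructed sample log (the entries shown in the guide) for an offline run.
make_sample_agent_log() {
  cat > "$1" <<'EOF'
2020-08-21T01:32:17.748413Z info sds resource:default pushed key/cert pair to proxy
2020-08-21T01:32:20.270073Z info sds resource:ROOTCA new connection
2020-08-21T01:32:20.270142Z info sds Skipping waiting for gateway secret
2020-08-21T01:32:20.270279Z info cache adding watcher for file ./etc/certs/root-cert.pem
2020-08-21T01:32:20.270347Z info cache GenerateSecret from file ROOTCA
2020-08-21T01:32:20.270494Z info sds resource:ROOTCA pushed root cert to proxy
2020-08-21T01:32:20.270734Z info sds resource:default new connection
2020-08-21T01:32:20.270763Z info sds Skipping waiting for gateway secret
2020-08-21T01:32:20.695478Z info cache GenerateSecret default
2020-08-21T01:32:20.695595Z info sds resource:default pushed key/cert pair to proxy
EOF
}

# On a VM:  sds_log_status            (reads /var/log/istio/istio.log)
# Offline:  sds_log_status --sample   (reads the constructed log above)
if [ "${1:-}" = "--sample" ]; then
  s=$(mktemp)
  make_sample_agent_log "$s"
  sds_log_status "$s"
  rm -f "$s"
fi
```

A non-zero exit from sds_log_status is the signal to look at the transfer steps again rather than at the application: a missing identity push almost always means the agent could not authenticate to the CA with istio-token or could not reach istiod at the address in the hosts file.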
Create a Namespace to deploy a Pod-based Service:
$ kubectl create namespace sample
$ kubectl label namespace sample istio-injection=enabled
Deploy the
HelloWorld
Service:
$ kubectl apply -f samples/helloworld/helloworld.yaml
Send requests from your Virtual Machine to the Service:
$ curl helloworld.sample.svc:5000/hello
Hello version: v1, instance: helloworld-v1-578dd69f69-fxwwk
Uninstall
Stop Istio on the virtual machine:
$ sudo systemctl stop istio
Then, remove the Istio-sidecar package. On Debian-based systems:
$ sudo dpkg -r istio-sidecar
$ dpkg -s istio-sidecar
On RPM-based systems:
$ sudo rpm -e istio-sidecar
To uninstall Istio, run the following command:
$ kubectl delete -f samples/multicluster/expose-istiod.yaml
$ istioctl manifest generate | kubectl delete -f -
The control plane namespace (e.g., istio-system) is not removed by default. If no longer needed, use the following command to remove it:
$ kubectl delete namespace istio-system
See also
Virtual Machines in Multi-Network Meshes
Learn how to add a service running on a virtual machine to your multi-network Istio mesh.
Bookinfo with a Virtual Machine
Run the Bookinfo application with a MySQL service running on a virtual machine within your mesh.
Example Application using Virtual Machines in a Single Network Mesh
Learn how to add a service running on a virtual machine to your single-network Istio mesh.
Provision and manage DNS certificates in Istio.
A more secure way to manage Istio webhooks.
Demystifying Istio’s Sidecar Injection Model
De-mystify how Istio manages to plugin its data-plane components into an existing deployment.