
Installing Istio – Implementing Traffic Management, Security, and Observability with Istio
The usual way to install Istio is to download it using the provided link and run a shell script, which installs Istio on our system, including the istioctl component. We then use istioctl to install Istio within a Kubernetes cluster. However, since we’re using GitOps, we will follow GitOps principles to install it. Istio offers another installation method: Helm. Since Argo CD supports Helm, we will use that instead.
Therefore, we will create new Argo CD applications to deploy it. We will create an Argo CD application for istio-base, istiod, and ingress. The following YAML describes istio-base:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: istio-base
  namespace: argo
spec:
  project: default
  source:
    chart: base
    repoURL: https://istio-release.storage.googleapis.com/charts
    targetRevision: 1.19.1
    helm:
      releaseName: istio-base
  destination:
    server: "https://kubernetes.default.svc"
    namespace: istio-system
  syncPolicy:
    syncOptions:
    - CreateNamespace=true
    automated:
      selfHeal: true
As we can see, it will deploy v1.19.1 of the istio-base Helm chart from https://istio-release.storage.googleapis.com/charts to the istio-system namespace of the Kubernetes cluster. Similarly, we will deploy istiod to the istio-system namespace using the following config:
…
  source:
    chart: istiod
    repoURL: https://istio-release.storage.googleapis.com/charts
    targetRevision: 1.19.1
    helm:
      releaseName: istiod
  destination:
    server: "https://kubernetes.default.svc"
    namespace: istio-system
…
Finally, we will install the istio-ingress component in the istio-ingress namespace using the following config:
…
  source:
    chart: gateway
    repoURL: https://istio-release.storage.googleapis.com/charts
    targetRevision: 1.19.1
    helm:
      releaseName: istio-ingress
  destination:
    server: "https://kubernetes.default.svc"
    namespace: istio-ingress
…
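Because these Applications sync automatically, whatever chart version targetRevision resolves to is what gets deployed, and Argo CD also accepts version ranges such as 1.19.* for Helm charts. The following pre-push check is an added example, not code from the book or from the Istio or Argo CD projects; it verifies that every source in a manifest file uses the chart repository shown above and an exact x.y.z revision. The function name check_argocd_apps and the sample manifest are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not part of the book's repository).
# ALLOWED_REPO is the chart repository used by the manifests above.
ALLOWED_REPO="https://istio-release.storage.googleapis.com/charts"

# Prints one line per violation and returns 1 if any Application source
# uses another repoURL or a targetRevision that is not an exact x.y.z version.
check_argocd_apps() {
  awk -v repo="$ALLOWED_REPO" '
    function report() {
      if (!seen) return                      # document had no Helm source
      if (url != repo) {
        printf "%s: repoURL %s is not the expected chart repo\n", chart, url; bad = 1
      }
      if (rev !~ /^[0-9]+\.[0-9]+\.[0-9]+$/) {
        printf "%s: targetRevision \"%s\" is not an exact version\n", chart, rev; bad = 1
      }
      seen = 0; chart = url = rev = ""
    }
    /^---[ \t]*$/           { report(); next }   # YAML document separator
                            { gsub(/"/, "") }    # drop quotes around values
    $1 == "chart:"          { chart = $2; seen = 1 }
    $1 == "repoURL:"        { url = $2; seen = 1 }
    $1 == "targetRevision:" { rev = $2; seen = 1 }
    END                     { report(); exit bad + 0 }
  ' "$1"
}

# Constructed sample: the istiod source from above plus a floating gateway revision.
sample=$(mktemp)
cat > "$sample" <<'EOF'
source:
  chart: istiod
  repoURL: https://istio-release.storage.googleapis.com/charts
  targetRevision: 1.19.1
---
source:
  chart: gateway
  repoURL: https://istio-release.storage.googleapis.com/charts
  targetRevision: 1.19.*
EOF
check_argocd_apps "$sample" || echo "manifest check failed; do not push"
rm -f "$sample"
```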
We will also define the configuration on Terraform so that we can use push-based GitOps to create our application automatically. So, we will append the following to the app.tf file:
data "kubectl_file_documents" "istio" {
  content = file("../manifests/argocd/istio.yaml")
}
resource "kubectl_manifest" "istio" {
  depends_on = [
    kubectl_manifest.gcpsm-secrets,
  ]
  for_each           = data.kubectl_file_documents.istio.manifests
  yaml_body          = each.value
  override_namespace = "argocd"
}
Now, we can commit and push these files to our remote repository and wait for Argo CD to reconcile the changes using the following commands:
$ cd ~
$ cp -a ~/modern-devops/ch15/install-istio/app.tf \
  ~/mdo-environments/terraform/app.tf
$ cp -a ~/modern-devops/ch15/install-istio/istio.yaml \
  ~/mdo-environments/manifests/argocd/istio.yaml
$ git add --all
$ git commit -m "Install istio"
$ git push
As soon as we push the code, we’ll see that the GitHub Actions workflow has been triggered. To access the workflow, go to https://github.com//mdo-environments/actions. Soon, the workflow will apply the configuration and create the Kubernetes cluster, deploy Argo CD, external secrets, our Blog App, and Istio.
Once the workflow succeeds, we must access the Argo Web UI. To do that, we need to authenticate with the GKE cluster. To do so, run the following command:
$ gcloud container clusters get-credentials \
  mdo-cluster-dev --zone us-central1-a --project $PROJECT_ID
To use the Argo CD Web UI, you need the external IP address of the argocd-server service.
To get that, run the following command:
$ kubectl get svc argocd-server -n argocd
NAME            TYPE           EXTERNAL-IP    PORTS            AGE
argocd-server   LoadBalancer   34.122.51.25   80/TCP,443/TCP   6m15s
Now, we know that Argo CD can be accessed at https://34.122.51.25/.
Next, we will run the following commands to reset the admin password:
$ kubectl patch secret argocd-secret -n argocd \
  -p '{"data": {"admin.password": null, "admin.passwordMtime": null}}'
$ kubectl scale deployment argocd-server --replicas 0 -n argocd
$ kubectl scale deployment argocd-server --replicas 1 -n argocd
Now, allow 2 minutes for the new credentials to be generated. After that, execute the following command to retrieve the password:
$ kubectl -n argocd get secret argocd-initial-admin-secret \
  -o jsonpath="{.data.password}" | base64 -d && echo
Now that we have the credentials, we can log in. We will see the following page:

Figure 15.4 – Argo CD Web UI – home page
As we can see, the Istio applications are up and running. Though Istio is installed and running, the sidecars won’t be injected unless we ask Istio to do so. We’ll look at this next.