Install community Istio

Install community Istio for use with Gloo Mesh in a multicluster setting. These instructions are provided for reference only, as your Istio installation process might differ depending on your organization's policies and procedures.

If you do not have a specific requirement to use community Istio, consider installing Gloo Mesh Istio instead. Gloo Mesh Istio is a hardened enterprise Istio image that maintains n-4 support for CVEs and other security fixes, which is longer than the support window of community Istio: community Istio supports only the n-1 version, with an additional 6 weeks to upgrade from the n-2 version to n-1.

Before you begin

Install Istio version 1.8 or later

In the following IstioOperator manifest for a multicluster Istio setup, a LoadBalancer Service is used to expose the Istio ingress gateway. If you deploy Istio on a different cluster setup, update your gateway settings accordingly.

  1. Install Istio in each remote cluster that you want to register with Gloo Mesh, repeating the command with the context of each cluster (the example uses $REMOTE_CONTEXT_1). In a typical production setup, the cluster that serves as the management cluster does not run an Istio service mesh. In a proof-of-concept or testing setup, you can install Istio into the management cluster as well.

    cat << EOF | istioctl manifest install -y --context $REMOTE_CONTEXT_1 -f -
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      name: example-istiooperator
      namespace: istio-system
    spec:
      profile: minimal
      meshConfig:
        enableAutoMtls: true
        defaultConfig:
          proxyMetadata:
            # Enable Istio agent to handle DNS requests for known hosts
            # Unknown hosts are automatically resolved using upstream DNS servers in resolv.conf
            ISTIO_META_DNS_CAPTURE: "true"
      components:
        # Istio Gateway feature
        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            env:
              - name: ISTIO_META_ROUTER_MODE
                value: "sni-dnat"
            service:
              type: LoadBalancer
              ports:
                - port: 80
                  targetPort: 8080
                  name: http2
                - port: 443
                  targetPort: 8443
                  name: https
                - port: 15443
                  targetPort: 15443
                  name: tls
      values:
        global:
          pilotCertProvider: istiod
    EOF
    
  2. After the installation is complete, verify that the Istio control plane pods are Running with all of their containers ready in each cluster.

    kubectl get pods -n istio-system --context $REMOTE_CONTEXT_1
    

    Example output:

    NAME                                    READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-746d597f7c-g6whv   1/1     Running   0          5d23h
    istiod-7795ccf9dc-vr4cq                 1/1     Running   0          5d22h
    
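The verification step above (and the same step in the Istio 1.7 section) lists the pods of one context and leaves the reading to you. The following script is an added example, not code from the Gloo Mesh or Istio documentation, that runs the check against every remote context in one pass: all pods in istio-system must be Running with every container ready, and the istio-ingressgateway Service must be of the expected type and expose port 15443, the tls port that the manifests on this page add to the gateway. The function names, the kubectl jsonpath queries and the sample listings in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Gloo Mesh or Istio docs): verify a multicluster
# Istio install across several kube contexts. Assumes kubectl is configured
# for every context passed on the command line.
set -u

# all_pods_ready: read `kubectl get pods` output (header included) from stdin
# and return 0 only when at least one pod is listed and every pod is Running
# with all of its containers ready (READY column of the form n/n).
all_pods_ready() {
  awk '
    NR == 1 { next }                       # skip the header line
    NF == 0 { next }                       # ignore blank lines
    {
      n++
      split($2, ready, "/")                # READY column, e.g. 1/1 or 0/1
      if ($3 != "Running" || ready[1] != ready[2]) bad++
    }
    END { if (n == 0 || bad > 0) exit 1; exit 0 }'
}

# gateway_exposes_tls_port TYPE: read one line "<svc-type> <port> <port> ..."
# from stdin and return 0 when the Service type matches TYPE and port 15443
# is among the exposed ports.
gateway_exposes_tls_port() {
  expected_type="$1"
  if ! read -r svc_type ports; then
    [ -n "${svc_type:-}" ] || return 1   # EOF with no data at all
  fi
  [ "$svc_type" = "$expected_type" ] || return 1
  for p in ${ports:-}; do
    [ "$p" = "15443" ] && return 0
  done
  return 1
}

# verify_remote_clusters TYPE CONTEXT...: run both checks against each
# context and stop at the first cluster that is not ready, so the script can
# gate the next step of a rollout. TYPE is LoadBalancer for the 1.8+ manifest
# and NodePort for the 1.7 manifest.
verify_remote_clusters() {
  [ "$#" -ge 2 ] || { echo "usage: verify_remote_clusters TYPE CONTEXT..." >&2; return 2; }
  svc_type="$1"; shift
  for ctx in "$@"; do
    kubectl get pods -n istio-system --context "$ctx" | all_pods_ready \
      || { echo "$ctx: istio-system pods are not all Running and ready" >&2; return 1; }
    kubectl get svc istio-ingressgateway -n istio-system --context "$ctx" \
        -o jsonpath='{.spec.type} {.spec.ports[*].port}{"\n"}' \
      | gateway_exposes_tls_port "$svc_type" \
      || { echo "$ctx: istio-ingressgateway is not a $svc_type Service exposing port 15443" >&2; return 1; }
    echo "$ctx: Istio control plane and ingress gateway are ready"
  done
}

# Example invocation, run only when contexts are given on the command line:
#   sh verify-istio.sh LoadBalancer "$REMOTE_CONTEXT_1" "$REMOTE_CONTEXT_2"
if [ "$#" -gt 0 ]; then
  verify_remote_clusters "$@"
fi
```

The two parsing functions take the kubectl output on stdin rather than calling kubectl themselves, so they can be exercised against captured listings before being pointed at real clusters, and the script exits non-zero on the first cluster that is not ready.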

Install Istio version 1.7

In the following IstioOperator manifest for a multicluster Istio setup, a NodePort Service is used to expose the Istio ingress gateway, with the tls port 15443 mapped to node port 32000. If you deploy Istio on a different cluster setup, update your gateway settings accordingly.

  1. Install Istio in each remote cluster that you want to register with Gloo Mesh, repeating the command with the context of each cluster (the example uses $REMOTE_CONTEXT_1). In a typical production setup, the cluster that serves as the management cluster does not run an Istio service mesh. In a proof-of-concept or testing setup, you can install Istio into the management cluster as well.

    cat << EOF | istioctl manifest install --context $REMOTE_CONTEXT_1 -f -
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      name: remote-cluster-istiooperator
      namespace: istio-system
    spec:
      profile: minimal
      addonComponents:
        istiocoredns:
          enabled: true
      components:
        # Istio Gateway feature
        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            env:
              - name: ISTIO_META_ROUTER_MODE
                value: "sni-dnat"
            service:
              ports:
                - port: 80
                  targetPort: 8080
                  name: http2
                - port: 443
                  targetPort: 8443
                  name: https
                - port: 15443
                  targetPort: 15443
                  name: tls
      meshConfig:
        enableAutoMtls: true
      values:
        prometheus:
          enabled: false
        gateways:
          istio-ingressgateway:
            type: NodePort
            ports:
              - targetPort: 15443
                name: tls
                nodePort: 32000
                port: 15443
        global:
          pilotCertProvider: istiod
          controlPlaneSecurityEnabled: true
          podDNSSearchNamespaces:
          - global
    EOF
    
  2. After the installation is complete, verify that the Istio control plane pods are Running with all of their containers ready in each cluster.

    kubectl get pods -n istio-system --context $REMOTE_CONTEXT_1
    

    Example output:

    NAME                                    READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-746d597f7c-g6whv   1/1     Running   0          5d23h
    istiod-7795ccf9dc-vr4cq                 1/1     Running   0          5d22h
    
  3. In each Istio cluster, update the coredns ConfigMap in kube-system so that the .global stub domain is forwarded to the istiocoredns Service, which resolves .global hostnames for multicluster communication across the remote clusters. The following ConfigMap replaces the whole Corefile: compare it with the Corefile already in your cluster and carry over any site-specific settings before you apply it, and drop the upstream option of the kubernetes plugin if your CoreDNS version no longer accepts it. Repeat for each remote context (the example uses $REMOTE_CONTEXT_1).

    ISTIO_COREDNS=$(kubectl --context $REMOTE_CONTEXT_1 -n istio-system get svc istiocoredns -o jsonpath='{.spec.clusterIP}')
    kubectl --context $REMOTE_CONTEXT_1 apply -f - <<EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: coredns
      namespace: kube-system
    data:
      Corefile: |
        .:53 {
            errors
            health
            ready
            kubernetes cluster.local in-addr.arpa ip6.arpa {
               pods insecure
               upstream
               fallthrough in-addr.arpa ip6.arpa
            }
            prometheus :9153
            forward . /etc/resolv.conf
            cache 30
            loop
            reload
            loadbalance
        }
        global:53 {
            errors
            cache 30
            forward . ${ISTIO_COREDNS}:53
        }
    EOF
    
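Because the ConfigMap above replaces the entire Corefile, any cluster-specific CoreDNS settings are lost when it is applied. The following script is an added example, not code from the Gloo Mesh or Istio documentation, that performs the same step while keeping the existing Corefile: it reads the live coredns ConfigMap, appends the global:53 server block only when no such block is present, applies the result, and then verifies that the global zone forwards to the istiocoredns ClusterIP. The function names, the temporary file and the kubectl invocations used to read and write the ConfigMap are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Gloo Mesh or Istio docs): add the Istio
# ".global" stub domain to an existing CoreDNS Corefile instead of replacing
# the whole ConfigMap. Assumes kubectl is configured for each context given
# and that the istiocoredns Service exists in istio-system there.
set -u

# add_global_stub_domain IP: print the Corefile read from stdin with a
# "global:53" server block appended that forwards to IP:53. If the Corefile
# already has a global:53 block, it is printed unchanged, so re-running the
# function (or the script) never adds a duplicate block.
add_global_stub_domain() {
  istio_coredns_ip="$1"
  corefile=$(cat)
  case "$corefile" in
    *global:53*)
      printf '%s\n' "$corefile" ;;
    *)
      printf '%s\nglobal:53 {\n    errors\n    cache 30\n    forward . %s:53\n}\n' \
        "$corefile" "$istio_coredns_ip" ;;
  esac
}

# global_zone_forwards_to IP: return 0 when the Corefile read from stdin has a
# global:53 block whose forward directive points at IP:53, 1 otherwise. Braces
# are counted so a nested block inside global:53 does not end the scan early.
global_zone_forwards_to() {
  awk -v want="$1:53" '
    /^[[:space:]]*global:53[[:space:]]*[{]/ { depth = 1; next }
    depth > 0 {
      if ($1 == "forward" && $2 == "." && $3 == want) found = 1
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # track nesting
    }
    END { if (found) exit 0; exit 1 }'
}

# patch_cluster_coredns CONTEXT: read the live Corefile from kube-system,
# patch it, apply it back, and verify the result in the cluster.
patch_cluster_coredns() {
  ctx="$1"
  ip=$(kubectl --context "$ctx" -n istio-system get svc istiocoredns \
         -o jsonpath='{.spec.clusterIP}')
  [ -n "$ip" ] || { echo "$ctx: istiocoredns Service not found" >&2; return 1; }
  tmp=$(mktemp)
  kubectl --context "$ctx" -n kube-system get configmap coredns \
      -o jsonpath='{.data.Corefile}' \
    | add_global_stub_domain "$ip" > "$tmp"
  # Render a ConfigMap from the patched file and apply it to the cluster.
  kubectl --context "$ctx" -n kube-system create configmap coredns \
      --from-file=Corefile="$tmp" --dry-run=client -o yaml \
    | kubectl --context "$ctx" apply -f -
  rm -f "$tmp"
  kubectl --context "$ctx" -n kube-system get configmap coredns \
      -o jsonpath='{.data.Corefile}' | global_zone_forwards_to "$ip" \
    || { echo "$ctx: global zone does not forward to $ip" >&2; return 1; }
  echo "$ctx: .global stub domain forwards to istiocoredns at $ip"
}

# Example invocation, run only when contexts are given on the command line:
#   sh patch-coredns.sh "$REMOTE_CONTEXT_1" "$REMOTE_CONTEXT_2"
for ctx in "$@"; do
  patch_cluster_coredns "$ctx" || exit 1
done
```

The patch and the check are separate functions that work on stdin, so the verification can also be run on its own after a CoreDNS upgrade or a cluster rebuild to confirm that the .global forwarding rule is still in place.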

Next steps

Now that Istio service meshes are installed, you can install the Gloo Mesh Enterprise management plane components into a cluster.