Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 2. Installing OpenShift Service Mesh
Installing OpenShift Service Mesh consists of three main tasks: installing the OpenShift Operator, deploying Istio, and customizing the Istio configuration. Then, you can also install the sample bookinfo application to push data through the mesh and explore mesh functionality.
2.1. About deploying Istio using the Red Hat OpenShift Service Mesh Operator
To deploy Istio using the Red Hat OpenShift Service Mesh Operator, you must create an Istio resource. Then, the Operator creates an IstioRevision resource, which represents one revision of the Istio control plane.
Based on the IstioRevision resource, the Operator deploys the Istio control plane, which includes the istiod Deployment resource and other resources.
The Red Hat OpenShift Service Mesh Operator might create additional instances of the IstioRevision resource, depending on the update strategy defined in the Istio resource.
Before installing OpenShift Service Mesh 3, ensure you are not running OpenShift Service Mesh 3 and OpenShift Service Mesh 2 in the same cluster, because it causes conflicts unless configured correctly. To migrate from OpenShift Service Mesh 2, see "Migrating from OpenShift Service Mesh 2.6".
2.1.1. About Istio control plane update strategies
The update strategy affects how the Operator performs the update. The spec.updateStrategy field in the Istio resource configuration determines how the OpenShift Service Mesh Operator updates the Istio control plane.
When the Operator detects a change in the spec.version field or identifies a new minor release with a configured vX.Y-latest alias, it initiates an upgrade procedure. For each mesh, you select one of two strategies:
-
InPlace -
RevisionBased
InPlace is the default strategy for updating OpenShift Service Mesh. Both the update strategies apply to sidecar and ambient modes.
If you use ambient mode, you must update the Istio Container Network Interface (CNI) and ZTunnel components in addition to the standard control plane update procedures.
Service Mesh recommends the InPlace update strategy for ambient mode. Using RevisionBased updates with ambient mode has limitations and requires manual intervention.
2.2. Installing the Service Mesh Operator
For clusters without OpenShift Service Mesh instances, install the Service Mesh Operator. OpenShift Service Mesh operates cluster-wide and needs a scope configuration to prevent conflicts between Istio control planes. For clusters with OpenShift Service Mesh 3 or later, see "Deploying multiple service meshes on a single cluster".
Prerequisites
- You have deployed a cluster on OpenShift Container Platform 4.14 or later.
- You have logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.
Procedure
-
In the OpenShift Container Platform web console, navigate to the Operators
OperatorHub page. - Search for the Red Hat OpenShift Service Mesh 3 Operator.
- Locate the Service Mesh Operator, and click to select it.
- When the prompt that discusses the community operator opens, click Continue.
- Click Install.
On the Install Operator page, perform the following steps:
-
Select All namespaces on the cluster (default) as the Installation Mode. This mode installs the Operator in the default
openshift-operatorsnamespace, which enables the Operator to watch and be available to all namespaces in the cluster. - Select Automatic as the Approval Strategy. This ensures that the Operator Lifecycle Manager (OLM) handles the future upgrades to the Operator automatically. If you select the Manual approval strategy, OLM creates an update request. As a cluster administrator, you must then manually approve the OLM update request to update the Operator to the new version.
Select an Update Channel.
- Choose the stable channel to install the latest stable version of the Red Hat OpenShift Service Mesh 3 Operator. It is the default channel for installing the Operator.
-
To install a specific version of the Red Hat OpenShift Service Mesh 3 Operator, choose the corresponding
stable-<version>channel. For example, to install the Red Hat OpenShift Service Mesh Operator version 3.0.x, use the stable-3.0 channel.
-
Select All namespaces on the cluster (default) as the Installation Mode. This mode installs the Operator in the default
- Click Install to install the Operator.
Verification
-
Click Operators
Installed Operators to verify that the Service Mesh Operator is installed. Succeededshould show in the Status column.
2.2.1. About Service Mesh custom resource definitions
Installing the Red Hat OpenShift Service Mesh Operator also installs custom resource definitions (CRD) that administrators can use to configure Istio for Service Mesh installations.
The Operator Lifecycle Manager (OLM) installs two categories of CRDs:
- Sail Operator CRDs
- Istio CRDs.
Sail Operator CRDs define custom resources for installing and maintaining the Istio components required to operate a service mesh. These custom resources belong to the sailoperator.io API group and include the Istio, IstioRevision, IstioCNI, and ZTunnel resource kinds.
You can use Istio CRDs to configure the mesh and manage your services. These CRDs define custom resources in several istio.io API groups, such as networking.istio.io and security.istio.io. The CRDs also include various resource kinds, such as AuthorizationPolicy, DestinationRule, and VirtualService, that administrators use to configure a service mesh.
2.3. About Istio deployment
To deploy Istio, you must create two resources: Istio and IstioCNI. The Istio resource deploys and configures the Istio Control Plane. The IstioCNI resource deploys and configures the Istio Container Network Interface (CNI) plugin.
You should create these resources in separate projects; therefore, you must create two projects as part of the Istio deployment process.
You can use the OpenShift web console or the OpenShift CLI (oc) to create a project or a resource in your cluster.
In the OpenShift Container Platform, a project functions as a Kubernetes namespace with additional annotations that define the allowed range of user IDs. Typically, the OpenShift Container Platform web console uses the term project, and the CLI uses the term namespace, but the terms are essentially synonymous.
2.3.1. Creating the Istio project using the web console
The Service Mesh Operator deploys the Istio control plane to a project that you create. In this example, istio-system is the name of the project.
Prerequisites
- You have installed the Red Hat OpenShift Service Mesh Operator.
- You have logged in to the OpenShift Container Platform web console as cluster-admin.
Procedure
-
In the OpenShift Container Platform web console, click Home
Projects. - Click Create Project.
-
At the prompt, enter a name for the project in the Name field. For example,
istio-system. The other fields offer supplementary information to theIstioresource definition and are optional. - Click Create. The Service Mesh Operator deploys Istio to the project you specified.
2.3.2. Creating the Istio resource using the web console
Create the Istio resource that will contain the YAML configuration file for your Istio deployment. The Red Hat OpenShift Service Mesh Operator uses information in the YAML file to create an instance of the Istio control plane.
Prerequisites
- You have installed the Service Mesh Operator.
- You have logged in to the OpenShift Container Platform web console as cluster-admin.
Procedure
-
In the OpenShift Container Platform web console, click Operators
Installed Operators. -
Select
istio-systemin the Project drop-down menu. - Click the Service Mesh Operator.
- Click Istio.
- Click Create Istio.
-
Select the
istio-systemproject from the Namespace drop-down menu. Click Create. This action deploys the Istio control plane.
When
State: Healthydisplays in the Status column, Istio is successfully deployed.
2.3.3. Creating the IstioCNI project using the web console
The Service Mesh Operator deploys the Istio CNI plugin to a project that you create. In this example, istio-cni is the name of the project.
Prerequisites
- You have installed the Red Hat OpenShift Service Mesh Operator.
- You have logged in to the OpenShift Container Platform web console as cluster-admin.
Procedure
-
In the OpenShift Container Platform web console, click Home
Projects. - Click Create Project.
-
At the prompt, you must enter a name for the project in the Name field. For example,
istio-cni. The other fields offer supplementary information and are optional. - Click Create.
2.3.4. Creating the IstioCNI resource using the web console
Create an Istio Container Network Interface (CNI) resource, which has the configuration file for the Istio CNI plugin. The Service Mesh Operator uses the configuration specified by this resource to deploy the CNI pod.
Prerequisites
- You have installed the Red Hat OpenShift Service Mesh Operator.
- You have logged in to the OpenShift Container Platform web console as cluster-admin.
Procedure
-
In the OpenShift Container Platform web console, click Operators
Installed Operators. -
Select
istio-cniin the Project drop-down menu. - Click the Service Mesh Operator.
- Click IstioCNI.
- Click Create IstioCNI.
-
Ensure that the name is
default. Click Create. This action deploys the Istio CNI plugin.
When
State: Healthydisplays in the Status column, the Istio CNI plugin is successfully deployed.
2.4. Scoping the Service Mesh with discovery selectors
Service Mesh includes workloads that meet the following criteria:
- The control plane has discovered the workload.
- The workload has an Envoy proxy sidecar injected.
By default, the control plane discovers workloads in all namespaces across the cluster, with the following results:
- Each proxy instance receives configuration for all namespaces, including workloads not enrolled in the mesh.
- Any workload with the appropriate pod or namespace injection label receives a proxy sidecar.
In shared clusters, you might want to limit the scope of Service Mesh to only certain namespaces. This approach is especially useful if many service meshes run in the same cluster.
2.4.1. About discovery selectors
With discovery selectors, the mesh administrator can control the namespaces, which the control plane can access. By using a Kubernetes label selector, the administrator sets the criteria for the namespaces visible to the control plane, excluding any namespaces that do not match the specified criteria.
istiod always opens a watch to OpenShift for all namespaces. However, discovery selectors ignore objects that are not selected very early in its processing, minimizing costs.
The discoverySelectors field accepts an array of Kubernetes selectors, which apply to labels on namespaces. You can configure each selector for different use cases:
-
Custom label names and values. For example, configure all namespaces with the label
istio-discovery=enabled. -
A list of namespace labels by using set-based selectors with OR logic. For example, configure namespaces with
istio-discovery=enabledORregion=us-east1. -
Inclusion and exclusion of namespaces. For example, configure namespaces with
istio-discovery=enabledand the labelapp=helloworld.
Discovery selectors are not a security boundary. istiod continues to have access to all namespaces even when you have configured the discoverySelector field.
2.4.2. Scoping a Service Mesh by using discovery selectors
You can restrict the namespaces that Service Mesh manages by configuring discoverySelectors in the Istio resource to include only specific labeled namespaces.
Prerequisites
- You have the OpenShift Service Mesh operator installed.
- You have created an Istio CNI resource.
Procedure
Add a label to the namespace containing the Istio control plane, for example, the
istio-systemsystem namespace, by running the following command:$ oc label namespace istio-system istio-discovery=enabledChange the
Istiocontrol plane resource to include adiscoverySelectorssection with the same label, similar to the following example:kind: Istio apiVersion: sailoperator.io/v1 metadata: name: default spec: namespace: istio-system values: meshConfig: discoverySelectors: - matchLabels: istio-discovery: enabledApply the
Istiocustom resource (CR) by running the following command:$ oc apply -f istio.yamlEnsure that all namespaces that will contain workloads that are to be part of the Service Mesh have both the
discoverySelectorlabel and, if needed, the appropriate Istio injection label.NoteDiscovery selectors help restrict the scope of a single Service Mesh and are essential for limiting the control plane scope when you deploy many Istio control planes in a single cluster.
2.5. About the Bookinfo application
Installing the bookinfo example application consists of two main tasks: deploying the application and creating a gateway so the application is accessible outside the cluster.
You can use the bookinfo application to explore service mesh features. Using the bookinfo application, you can easily confirm that requests from a web browser pass through the mesh and reach the application.
The bookinfo application displays information about a book, similar to a single catalog entry of an online book store. The application displays a page that describes the book, lists book details (ISBN, number of pages, and other information), and book reviews.
The mesh exposes the bookinfo application, and the mesh configuration defines how the microservices serve requests. The review information comes from one of three services: reviews-v1, reviews-v2 or reviews-v3. If you deploy the bookinfo application without defining the reviews virtual service, then the mesh uses a round robin rule to route requests to a service.
By deploying the reviews virtual service, you can specify a different behavior. For example, you can specify that if a user logs into the bookinfo application, then the mesh routes requests to the reviews-v2 service, and the application displays reviews with black stars. If a user does not log in to the bookinfo application, then the mesh routes requests to the reviews-v3 service, and the application displays reviews with red-colored stars.
For more information, see "Bookinfo Application".
2.5.1. Deploying the Bookinfo application
Prerequisites
- You have deployed a cluster on OpenShift Container Platform 4.15 or later.
-
You have logged in to the OpenShift Container Platform web console as a user with the
cluster-adminrole. - You have access to the OpenShift CLI (oc).
- You have installed the Red Hat OpenShift Service Mesh Operator, created the Istio resource, and the Operator has deployed Istio.
-
You have created
IstioCNIresource, and the Operator has deployed the necessaryIstioCNIpods.
Procedure
-
In the OpenShift Container Platform web console, navigate to the Home
Projects page. - Click Create Project.
Enter
bookinfoin the Project name field.The Display name and Description fields offer supplementary information and are not required.
- Click Create.
Apply the Istio discovery selector and injection label to the
bookinfonamespace by entering the following command:$ oc label namespace bookinfo istio-discovery=enabled istio-injection=enabledNoteIn this example, the name of the
Istioresource isdefault. If theIstioresource name is different, you must set theistio.io/revlabel to the name of theIstioresource instead of adding theistio-injection=enabledlabel.Apply the
bookinfoYAML file to deploy thebookinfoapplication by entering the following command:oc apply -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/bookinfo/platform/kube/bookinfo.yaml -n bookinfo
Verification
Verify that the
bookinfoservice is available by running the following command:$ oc get services -n bookinfoYou should see output similar to the following example:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE details ClusterIP 172.30.137.21 <none> 9080/TCP 44s productpage ClusterIP 172.30.2.246 <none> 9080/TCP 43s ratings ClusterIP 172.30.33.85 <none> 9080/TCP 44s reviews ClusterIP 172.30.175.88 <none> 9080/TCP 44sVerify that the
bookinfopods are available by running the following command:$ oc get pods -n bookinfoYou should see output similar to the following example:
NAME READY STATUS RESTARTS AGE details-v1-698d88b-km2jg 2/2 Running 0 66s productpage-v1-675fc69cf-cvxv9 2/2 Running 0 65s ratings-v1-6484c4d9bb-tpx7d 2/2 Running 0 65s reviews-v1-5b5d6494f4-wsrwp 2/2 Running 0 65s reviews-v2-5b667bcbf8-4lsfd 2/2 Running 0 65s reviews-v3-5b9bd44f4-44hr6 2/2 Running 0 65sWhen the
Readycolumns displays2/2, the proxy sidecar was successfully injected. Confirm thatRunningdisplays in theStatuscolumn for each pod.Verify that the
bookinfoapplication is running by sending a request to thebookinfopage. Run the following command:$ oc exec "$(oc get pod -l app=ratings -n bookinfo -o jsonpath='{.items[0].metadata.name}')" -c ratings -n bookinfo -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
2.5.2. About accessing the Bookinfo application using a gateway
The Red Hat OpenShift Service Mesh Operator does not deploy gateways. Gateways are not part of the control plane. As a security best-practice, you can deploy Ingress and Egress gateways in a separate namespace than the namespace that has the control plane.
You can deploy gateways by using either the Gateway API or the gateway injection method.
2.5.3. Accessing the Bookinfo application by using Istio gateway injection
Gateway injection uses the same mechanisms as Istio sidecar injection to create a gateway from a Deployment resource coupled with a Service resource. The Service resource is accessible from outside an OpenShift Container Platform cluster.
Prerequisites
-
You have logged in to the OpenShift Container Platform web console as
cluster-admin. - You have installed the Red Hat OpenShift Service Mesh Operator.
-
You have deployed the
Istioresource.
Procedure
Create the
istio-ingressgatewaydeployment and service by running the following command:$ oc apply -n bookinfo -f ingress-gateway.yamlNoteThis example uses a sample
ingress-gateway.yamlfile that is available in the Istio community repository.Configure the
bookinfoapplication to use the new gateway. Apply the gateway configuration by running the following command:$ oc apply -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/bookinfo/networking/bookinfo-gateway.yaml -n bookinfoNoteTo configure gateway injection with the
bookinfoapplication, this example provides a sample gateway configuration file that you must apply in the application’s namespace.Use a route to expose the gateway external to the cluster by running the following command:
$ oc expose service istio-ingressgateway -n bookinfoChange the YAML file to automatically scale the pod when ingress traffic increases.
You can see the following example configuration for reference:
apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: labels: istio: ingressgateway release: istio name: ingressgatewayhpa namespace: bookinfo spec: maxReplicas: 5 metrics: - resource: name: cpu target: averageUtilization: 80 type: Utilization type: Resource minReplicas: 2 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: istio-ingressgateway-
spec.maxReplicasshows an example that sets the maximum replicas to5and the minimum replicas to2. It also creates another replica when usage reaches 80%.
-
Specify the minimum number of pods that must be running on the node.
You can see the following example configuration for reference:
apiVersion: policy/v1 kind: PodDisruptionBudget metadata: labels: istio: ingressgateway release: istio name: ingressgatewaypdb namespace: bookinfo spec: minAvailable: 1 selector: matchLabels: istio: ingressgatewayspec.minAvailableshows an example that ensures one replica is running if a pod gets restarted on a new node.Obtain the gateway hostname and the URL for the product page by running the following command:
$ HOST=$(oc get route istio-ingressgateway -n bookinfo -o jsonpath='{.spec.host}')Verify that the
productpageis accessible from a web browser by running the following command:$ echo productpage URL: http://$HOST/productpage
2.5.4. Accessing the Bookinfo application by using Gateway API
Manage gateway resources in Red Hat OpenShift Service Mesh by using the Kubernetes Gateway API, which transitioned from manual installation to automated platform management in recent OpenShift Container Platform releases.
In OpenShift Container Platform 4.15 and later, Red Hat OpenShift Service Mesh implements the Gateway API custom resource definitions (CRDs). However, in OpenShift Container Platform 4.18 and earlier, the CRDs are not installed by default. Therefore, in OpenShift Container Platform 4.15 through 4.18, you must manually install the CRDs. Starting with OpenShift Container Platform 4.19, these CRDs are automatically installed and managed, and you can no longer create, update, or delete them.
For details about enabling Gateway API for Ingress in OpenShift Container Platform 4.19 and later, see "Configuring ingress cluster traffic" in the OpenShift Container Platform documentation.
Red Hat provides support for using the Kubernetes Gateway API with Red Hat OpenShift Service Mesh. Red Hat does not offer support for the Kubernetes Gateway API custom resource definitions (CRDs). This procedure uses community Gateway API CRDs for demonstration purposes only.
Prerequisites
-
You have logged in to the OpenShift Container Platform web console as
cluster-admin. - You have installed the Red Hat OpenShift Service Mesh Operator.
-
You have deployed the
Istioresource.
Procedure
Enable the Gateway API CRDs for OpenShift Container Platform 4.18 and earlier, by running the following command:
$ oc get crd gateways.gateway.networking.k8s.io &> /dev/null || { oc kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.0.0" | oc apply -f -; }Create and configure a gateway by using the
GatewayandHTTPRouteresources by running the following command:$ oc apply -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/bookinfo/gateway-api/bookinfo-gateway.yaml -n bookinfoNoteTo configure a gateway with the
bookinfoapplication by using the Gateway API, this example provides a sample gateway configuration file that you must apply to the application’s namespace.Ensure that the Gateway API service is ready, and has an address allocated by running the following command:
$ oc wait --for=condition=programmed gtw bookinfo-gateway -n bookinfoRetrieve the host by running the following command:
$ export INGRESS_HOST=$(oc get gtw bookinfo-gateway -n bookinfo -o jsonpath='{.status.addresses[0].value}')Retrieve the port by running the following command:
$ export INGRESS_PORT=$(oc get gtw bookinfo-gateway -n bookinfo -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')Retrieve the gateway URL by running the following command:
$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORTObtain the gateway hostname and the URL of the product page by running the following command:
$ echo "http://${GATEWAY_URL}/productpage"
Verification
- Verify that the productpage is accessible from a web browser.
2.6. Customizing Istio configuration
Customize the Istio control plane by using the values field in the Istio resource to apply advanced Helm configuration settings optimized for OpenShift environments.
When you create this resource by using the OpenShift Container Platform web console, it is pre-populated with configuration settings to enable Istio to run on OpenShift.
Procedure
-
Click Operators
Installed Operators. - Click Istio in the Provided APIs column.
-
Click the
Istioinstance, nameddefault, in the Name column. Click YAML to view the
Istioconfiguration and make modifications.For a list of available configuration for the
valuesfield, refer to "Istio’s artifacthub chart documentation".
2.7. About Istio High Availability
Running the Istio control plane in High Availability (HA) mode prevents single points of failure, and ensures continuous mesh operation even if an istiod pod fails.
By using HA, if one istiod pod becomes unavailable, another one continues to manage and configure the Istio data plane, preventing service outages or disruptions. HA provides scalability by distributing the control plane workload, enables graceful upgrades, supports disaster recovery operations, and protects against zone-wide mesh outages.
There are two ways for a system administrator to configure HA for the Istio deployment:
-
Defining a static replica count: This approach involves setting a fixed number of
istiodpods, providing a consistent level of redundancy. -
Using autoscaling: This approach dynamically adjusts the number of
istiodpods based on resource usage or custom metrics, providing more efficient resource consumption for fluctuating workloads.
2.7.1. Configuring Istio HA by using autoscaling
Configure the Istio control plane in High Availability (HA) mode to prevent a single point of failure, and ensure continuous mesh operation even if one of the istiod pods fails.
Autoscaling defines the minimum and maximum number of Istio control plane pods that can operate. OpenShift Container Platform uses these values to scale the number of control planes in operation based on resource usage, such as CPU or memory, to efficiently respond to the varying number of workloads and overall traffic patterns within the mesh.
Prerequisites
-
You have logged in to the OpenShift Container Platform web console as a user with the
cluster-adminrole. - You have installed the Red Hat OpenShift Service Mesh Operator.
-
You have deployed the
Istioresource.
Procedure
- In the OpenShift Container Platform web console, click Installed Operators.
- Click Red Hat OpenShift Service Mesh 3 Operator.
- Click Istio.
-
Click the name of the Istio installation. For example,
default. - Click YAML.
Change the
Istiocustom resource (CR) similar to the following example:apiVersion: sailoperator.io/v1 kind: Istio metadata: name: default spec: namespace: istio-system values: pilot: autoscaleMin: 2 autoscaleMax: 5 cpu: targetAverageUtilization: 80 memory: targetAverageUtilization: 80-
spec.values.pilot.autoscaleMinspecifies the minimum number of Istio control plane replicas that always run. -
spec.values.pilot.autoscaleMaxspecifies the maximum number of Istio control plane replicas, allowing for scaling based on load. To support HA, there must be at least two replicas. -
spec.values.pilot.cpu.targetAverageUtilizationspecifies the target CPU usage for autoscaling to 80%. If the average CPU usage exceeds this threshold, the Horizontal Pod Autoscaler (HPA) automatically increases the number of replicas. -
spec.values.pilot.memory.targetAverageUtilizationspecifies the target memory usage for autoscaling to 80%. If the average memory usage exceeds this threshold, the HPA automatically increases the number of replicas.
-
Verification
Verify the status of the Istio control pods by running the following command:
$ oc get pods -n istio-system -l app=istiodYou should see output similar to the following example:
NAME READY STATUS RESTARTS AGE istiod-7c7b6564c9-nwhsg 1/1 Running 0 70s istiod-7c7b6564c9-xkmsl 1/1 Running 0 85sTwo
istiodpods are running. Two pods, the minimum requirement for an HA Istio control plane, indicates that a basic HA setup is in place.
2.7.1.1. API settings for Service Mesh HA autoscaling mode
Use the following Istio custom resource definition (CRD) parameters when you configure a service mesh for High Availability (HA) by using autoscaling.
| Parameter | Description |
|---|---|
|
|
Defines the minimum number of OpenShift uses this parameter only if you enable the Horizontal Pod Autoscaler (HPA) for the Istio deployment. This is the default behavior. |
|
|
Defines the maximum number of
For OpenShift to automatically scale the number of You must also configure metrics for autoscaling to work properly. If you do not configure any metrics, the autoscaler cannot scale the deployment up or down. OpenShift uses this parameter only if you enable the Horizontal Pod Autoscaler (HPA) for the Istio deployment. This is the default behavior. |
|
|
Defines the target CPU usage for the |
|
|
Defines the target memory usage for the |
|
|
You can use the For more information, see "Configurable Scaling Behavior". |
2.7.2. Configuring Istio HA by using replica count
Configure the Istio control plane for high availability (HA) by setting a static replica count to ensure continuous mesh operation and redundancy across multiple istiod pods.
The replica count defines a fixed number of Istio control plane pods that can operate. Use replica count for mesh environments where the control plane workload is relatively stable or predictable, or when you prefer to manually scale the istiod pod.
Prerequisites
-
You have logged in to the OpenShift Container Platform web console as a user with the
cluster-adminrole. - You have installed the Red Hat OpenShift Service Mesh Operator.
- You have deployed the Istio resource.
Procedure
Obtain the name of the
Istioresource by running the following command:$ oc get istio -n istio-sytemYou should see output similar to the following example:
NAME REVISIONS READY IN USE ACTIVE REVISION STATUS VERSION AGE default 1 1 0 default Healthy v1.24.6 24mThe name of the
Istioresource isdefault.Update the
Istiocustom resource (CR) by adding theautoscaleEnabledandreplicaCountparameters by running the following command:$ oc patch istio default -n istio-system --type merge -p ' spec: values: pilot: autoscaleEnabled: false replicaCount: 2 '-
spec.values.pilot.autoscaleEnabledspecifies a setting that disables autoscaling and ensures that the number of replicas remains fixed. -
spec.values.pilot.replicaCountspecifies the number of Istio control plane replicas. To support HA, there must be at least two replicas.
-
Verification
Verify the status of the Istio control pods by running the following command:
$ oc get pods -n istio-system -l app=istiodYou should see output similar to the following example:
NAME READY STATUS RESTARTS AGE istiod-7c7b6564c9-nwhsg 1/1 Running 0 70s istiod-7c7b6564c9-xkmsl 1/1 Running 0 85sTwo
istiodpods are running, which is the minimum requirement for an HA Istio control plane and indicates that a basic HA setup is in place.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}