Dina's DevOps Blog

Getting Started with Service Mesh on OpenShift: A Step-by-Step Guide

In modern application architectures, service meshes have become crucial for managing microservices communication, observability, and security. OpenShift, with its Kubernetes-based platform, makes it easy to integrate and manage service meshes like Istio, which can improve the reliability and scalability of your microservices applications.

This guide will walk you through the process of setting up and using a demo Service Mesh on OpenShift using Istio, assuming you already have OpenShift installed. By the end of this tutorial, you will be able to set up Istio on OpenShift, deploy a demo microservice, and use the capabilities of the service mesh to manage and observe traffic between the services.

Prerequisites

  • OpenShift CLI (oc) installed and configured.
  • A running OpenShift cluster.
  • Sufficient permissions to install operators and create resources in your OpenShift cluster.

Step 1: Install the Istio Operator

To get started, we need to install the Istio Operator in OpenShift. This operator manages the installation and lifecycle of Istio service meshes.

1.1: Create an Istio Operator Namespace

Run the following command to create a new namespace for Istio:

oc create namespace istio-operator

1.2: Install the Istio Operator

You can install the Istio Operator from the OpenShift web console or by using the CLI.

To install using the CLI, apply the operator manifest from the Istio 1.17.0 release URL:

oc apply -f https://github.com/istio/istio/releases/download/1.17.0/istio-operator.yaml

This will create the operator in the istio-operator namespace.

Wait for the Istio operator to be installed and running:

oc get pods -n istio-operator

Step 2: Deploy Istio Service Mesh

Once the operator is installed, we will use it to deploy the Istio service mesh to OpenShift.

2.1: Create a Custom Resource (CR) for Istio

Next, create a ServiceMeshControlPlane custom resource that will define the Istio components to install. Save the following YAML into a file named istio-control-plane.yaml:

apiVersion: operator.istio.io/v1alpha1
kind: ServiceMeshControlPlane
metadata:
  name: istio-control-plane
  namespace: istio-operator
spec:
  profile: demo
  version: 1.17.0

Apply the above custom resource to the OpenShift cluster:

oc apply -f istio-control-plane.yaml

This will trigger the Istio operator to deploy the Istio control plane. The profile: demo option installs a pre-configured set of Istio components suitable for testing and development, including:

  • Istio Proxy (Envoy sidecar)
  • Istio ingress/egress gateways
  • Prometheus, Grafana, Kiali for observability

2.2: Verify Istio Components

Run the following command to ensure all Istio components are up and running:

oc get pods -n istio-system

You should see several pods running, including istiod (Istio control plane), istio-ingressgateway, istio-egressgateway, and others related to observability like Prometheus.

Step 3: Deploy the Demo Application

Now that Istio is installed, it's time to deploy a demo application. We'll use a simple sample application with two microservices communicating with each other.

3.1: Create a New Project for the Demo Application

Create a new OpenShift project to hold the demo application:

oc new-project demo-app

3.2: Deploy the Demo Application

The Istio project provides a simple Bookinfo application as a demo. To deploy it, use the following command:

oc apply -f https://raw.githubusercontent.com/istio/istio/release-1.17.0/samples/bookinfo/platform/kube/bookinfo.yaml

This will deploy the Bookinfo application, which consists of four microservices:

  • productpage: Displays the product information.
  • details: Provides the product details.
  • reviews: Shows reviews for the products.
  • ratings: Ranks the products.

3.3: Expose the Application

We need to expose the productpage service so we can access it from outside the OpenShift cluster.

First, create an OpenShift route for the product page service:

oc expose svc/productpage --port=9080

This will create a route for accessing the product page via a web browser. To get the URL for the exposed route, run:

oc get route productpage -o=jsonpath='{.spec.host}'

Visit the URL in your browser to see the product page in action!

Step 4: Enable Istio Proxy Sidecar Injection

Now that the application is deployed, let’s enable Istio’s sidecar injection, which will add the Istio Envoy proxy to each of your microservices.

4.1: Enable Automatic Sidecar Injection

To enable automatic sidecar injection for all pods in your demo-app project, label the namespace:

oc label namespace demo-app istio-injection=enabled

4.2: Redeploy the Application Pods

After enabling sidecar injection, you will need to redeploy the application pods so that the Istio proxy sidecar is injected into each one:

oc delete pods --all -n demo-app

You should see new pods being created with the Istio sidecar proxy automatically injected.

4.3: Verify Sidecar Injection

You can verify that the sidecar has been injected by checking the pods in the demo-app project:

oc get pods -n demo-app

The output should show two containers for each pod—one for the application and one for the Istio sidecar proxy (Envoy).
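Injection only happens when a pod is created, so any pod that was not recreated after the namespace was labelled keeps running outside the mesh. The following check is an added example, not part of the original guide: it lists the pods that have no sidecar. It assumes the injected container is named istio-proxy, and the sample pod names are constructed.

```shell
#!/bin/sh
# Added example: find pods that are running without the Envoy sidecar.
# Input: one "NAME CONTAINERS" line per pod, as printed by
#   oc get pods -n demo-app --no-headers \
#     -o custom-columns='NAME:.metadata.name,CONTAINERS:.spec.containers[*].name'
# Assumption: the injected container is named istio-proxy (upstream Istio default).
pods_missing_sidecar() {
  awk '{
    found = 0
    n = split($2, names, ",")
    for (i = 1; i <= n; i++)
      if (names[i] == "istio-proxy") found = 1
    if (!found) print $1
  }'
}

# Constructed sample (not real cluster output): only productpage was
# recreated after the namespace was labelled.
sample_pods() {
  cat <<'EOF'
productpage-v1-aaaa   productpage,istio-proxy
details-v1-bbbb       details
ratings-v1-cccc       ratings
reviews-v1-dddd       reviews
reviews-v2-eeee       reviews
reviews-v3-ffff       reviews
EOF
}

# Prints the five pods that still need to be recreated.
sample_pods | pods_missing_sidecar
```

Against a live cluster, pipe the oc command from the comment into pods_missing_sidecar; empty output means every pod carries the proxy.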

Step 5: Observe and Manage Traffic

With Istio and the demo app running, we can now explore some of the core features of the service mesh, such as traffic management, observability, and security.

5.1: Access the Kiali Dashboard

Kiali provides a web-based UI for visualizing the service mesh topology, managing traffic routing, and more. You can access the Kiali dashboard by exposing its service with the following command:

oc expose svc/kiali -n istio-system

Then, retrieve the URL of the exposed service:

oc get route kiali -n istio-system -o=jsonpath='{.spec.host}'

Visit the URL in your browser to access the Kiali dashboard.

5.2: Monitor Traffic with Prometheus and Grafana

Prometheus and Grafana are deployed by default as part of the demo profile. You can access these tools by exposing their services in a similar way:

oc expose svc/prometheus -n istio-system
oc expose svc/grafana -n istio-system

Get the URLs for Prometheus and Grafana:

oc get route prometheus -n istio-system -o=jsonpath='{.spec.host}'
oc get route grafana -n istio-system -o=jsonpath='{.spec.host}'

Now you can use Prometheus to monitor metrics and Grafana to visualize them.
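Routes created with oc expose have no TLS termination, so the dashboards above are served over plain HTTP. The following audit is an added example, not part of the original guide: it flags routes that accept unencrypted traffic. The hostnames and the "legacy" route in the sample are constructed.

```shell
#!/bin/sh
# Added example: flag routes that serve traffic over plain HTTP.
# Input: one "NAME HOST TLS INSECURE" line per route, as printed by
#   oc get route -n istio-system --no-headers -o custom-columns=\
# 'NAME:.metadata.name,HOST:.spec.host,TLS:.spec.tls.termination,INSECURE:.spec.tls.insecureEdgeTerminationPolicy'
# A missing field is printed by oc as "<none>".
routes_serving_plain_http() {
  awk '
    $3 == "<none>" { print $1, $2, "no-tls"; next }        # no TLS at all
    $4 == "Allow"  { print $1, $2, "http-allowed" }        # TLS, but HTTP still accepted
  '
}

# Constructed sample (not real cluster output): kiali and prometheus were
# created with "oc expose"; grafana is edge-terminated and redirects HTTP.
sample_routes() {
  cat <<'EOF'
kiali        kiali-istio-system.apps.example.test        <none>   <none>
prometheus   prometheus-istio-system.apps.example.test   <none>   <none>
grafana      grafana-istio-system.apps.example.test      edge     Redirect
legacy       legacy-istio-system.apps.example.test       edge     Allow
EOF
}

# Prints kiali and prometheus as no-tls and legacy as http-allowed.
sample_routes | routes_serving_plain_http
```

A flagged route can be recreated with TLS using oc create route edge --service=<name> -n istio-system, or the dashboard can be reached without any route through oc port-forward.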

Conclusion

Congratulations! You’ve now set up a Service Mesh on OpenShift using Istio. You’ve deployed a demo application, enabled automatic sidecar injection, and explored how to monitor and manage the traffic between your microservices.

With Istio’s advanced features, such as traffic management, observability, and security policies, you can continue to experiment and explore how service meshes can improve your microservices architecture. Happy experimenting with Istio on OpenShift!