How to Install Istio Using istioctl with an operator and custom-default profile.

Wai Yan Pyae SoneWai Yan Pyae Sone
4 min read

Table of contents

How to Install Istio Using istioctl with an Operator and Custom default Profile.

This post assumes that you have installed Istio using the following steps:

 curl -L https://istio.io/downloadIstio \ | ISTIO_VERSION=1.18.3 \ TARGET_ARCH=x86_64 sh -

Then, navigate to the istio-1.20.3 directory and add the istioctl binary to your PATH:

cd istio-1.18.3/ 

export PATH=$PWD/bin:$PATH

This guide explains how to install Istio using istioctl with the IstioOperator, starting from modifying the demo profile to customizing resources for various Istio components such as the ingress gateways and pilot. We will use a custom profile based on the default Istio demo profile to meet specific resource requirements and configuration needs.

Steps for Installing Istio Using IstioOperator

1. Copy the Demo Profile to a Custom Profile

Start by copying the Istio demo profile (demo.yaml) to a new file (custom-default.yml) so that we can modify it without affecting the original demo profile.

cp istio-1.18.3/manifests/profiles/demo.yaml custom-default.yml

The reason for using the demo profile instead of the default profile is that the Pilot session for istiod (the Istio control plane component) is present in the demo profile but not in the default profile.

2. Edit the Custom Profile

Open the custom-default.yml file in a text editor to customize the Istio configuration according to the specific requirements. This example modifies resource requests for egress gateways, ingress gateways, and pilot.

vi custom-default.yml

Inside the file, modify the configuration to include the following settings:

kind: IstioOperator
spec:
  components:
    egressGateways:
      - name: istio-egressgateway
        enabled: true
        k8s:
          resources:
            requests:
              cpu: 10m
              memory: 40Mi
    ingressGateways:
      - name: istio-ingressgateway
        enabled: false  # Disable default ingress gateway
      - name: payments-ingressgateway
        namespace: payments  # Custom ingress gateway in the 'payments' namespace
        enabled: true
        k8s:
          resources:
            limits:
              cpu: 1000m  # Limits CPU to 1000m for payments-ingressgateway
              memory: 1000Mi  # Limits memory to 1000Mi for payments-ingressgateway
    pilot:
      k8s:
        resources:
          requests:
            cpu: 10m  # Requests 10m CPU for Pilot component
            memory: 100Mi  # Requests 100Mi memory for Pilot component
  meshConfig:
    sessionAffinity: true  # Enable session affinity in mesh config
  values:
    global:
      resources:
        requests:
          cpu: 100m  # Global CPU requests
          memory: 512Mi  # Global memory requests
        limits:
          cpu: 1000m  # Global CPU limits
          memory: 1Gi  # Global memory limits

Experiment with resource requests and limits for the ingress gateway, egress gateway, and pilot (istiod deployment).

Explanation of Modifications:

Egress Gateway (istio-egressgateway): Enabled with resource requests for 10m CPU and 40Mi memory.

Ingress Gateways: Disabled the default istio-ingressgateway. Enabled a custom payments-ingressgateway in the payments namespace with resource limits of 1000m CPU and 1000Mi memory.

Pilot: Allocated 10m CPU and 100Mi memory for the istiod deployment.

MeshConfig: Enabled sessionAffinity for session-based routing.

Global Resource Requests and Limits: Defined global resource requests and limits for Istio components.

istioctl install --set profile=default -f custom-default.yml --dry-run

The --dry-run option checks the configuration without actually applying any changes. If the validation passes successfully, you can proceed with the installation.

3. Install Istio Using the Custom Profile

Once the configuration is validated, proceed to install Istio with the custom profile:

istioctl install --set profile=default -f custom-default.yml

This command will apply the configuration to your Kubernetes cluster, deploying Istio components with the settings defined in custom-default.yml. You will see logs indicating the installation progress and the resources being configured.

kubectl get pods -n istio-system

This will list all the Istio control plane pods. Check that the istiod pod and other components like the custom payments-ingressgateway are up and running.

To verify the specific ingress gateway (payments-ingressgateway), run:

kubectl get svc -n payments

You should see the payments-ingressgateway service listed.

4. Inspect Resource Configurations

To check if the resource configurations were applied correctly, you can describe the istiod deployment and the payments-ingressgateway:

kubectl describe deployment istiod -n istio-system

Check the resource requests and limits under the containers section for istiod. Similarly, describe the payments-ingressgateway service:

kubectl describe deployment payments-ingressgateway -n payments

Ensure that the resource limits are set to 1000m CPU and 1000Mi memory as defined in the custom profile.

By following these steps, you’ve successfully customized and installed Istio using the IstioOperator and a custom profile. This approach allows you to fine-tune Istio's resources and configurations, ensuring that it meets the specific requirements for your workloads. Custom profiles can be modified further to suit any additional needs or optimizations.

0
Subscribe to my newsletter

Read articles from Wai Yan Pyae Sone directly inside your inbox. Subscribe to the newsletter, and don't miss out.

#istioKubernetes

Written by

Wai Yan Pyae Sone
Wai Yan Pyae Sone