Deploying Service Mesh (Beta)
This topic describes how to deploy service mesh for Cloud Foundry. Following this procedure deploys a new routing plane consisting of three VMs. This routing plane runs in parallel to the existing HTTP and TCP routers. For more information, see Service Mesh (Beta).
This routing plane provides additional features, such as the ability to configure routing weights for apps. For more information, see Using Weighted Routing (Beta).
This procedure requires that you have deployed Cloud Foundry using cf-deployment. For more information, see Deploying Cloud Foundry with cf-deployment.
To deploy Cloud Foundry with service mesh, do the following:
git clone https://github.com/cloudfoundry-incubator/istio-release
In the istio-release repository, run the following command:
(Optional) To use a domain other than istio.CF-APPS-DOMAIN for Istio routes, modify the temporary_istio_domains property in the ops file deploy/cf-deployment-operations/add-istio.yml.
(Optional) To enable TLS termination at the Istio router, add a frontend_tls_keypairs property to the copilot job in the ops file deploy/cf-deployment-operations/add-istio.yml. This step is strongly recommended for security.
frontend_tls_keypairs:
- cert_chain: |
    -----BEGIN CERTIFICATE-----
    YOUR-CERTIFICATE
    -----END CERTIFICATE-----
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    YOUR-PRIVATE-KEY
    -----END RSA PRIVATE KEY-----
YOUR-CERTIFICATE is your TLS certificate.
YOUR-PRIVATE-KEY is the private key that corresponds to your TLS certificate.
During deployment, the routing plane integrates the certificates with any Istio routes. All routes created using the Istio routing plane then use TLS.
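Before pasting real material into the ops file, it is worth checking each frontend_tls_keypairs entry as the YAML parser would hand it over (a dict with cert_chain and private_key): placeholders left in, bad base64, or a private key pasted into cert_chain are all cheap to catch before a deploy. The following Python check is an added example, not code from istio-release or from this page; it assumes only the entry structure shown above and uses a constructed DER stub in place of a real certificate and key.

```python
import base64
import re

# Matches one PEM block; the backreference insists that the BEGIN and END labels agree.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
PLACEHOLDERS = ("YOUR-CERTIFICATE", "YOUR-PRIVATE-KEY")

def pem_blocks(text):
    """Return [(label, der_bytes)] for each PEM block; raises ValueError on bad base64."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_RE.findall(text)]

def check_keypair(entry):
    """Return the problems found in one frontend_tls_keypairs entry (empty list if OK)."""
    if set(entry) != {"cert_chain", "private_key"}:
        return ["entry must have exactly the keys cert_chain and private_key"]
    problems = []
    for field in ("cert_chain", "private_key"):
        value = entry[field]
        if any(p in value for p in PLACEHOLDERS):
            problems.append(f"{field}: placeholder text from the docs left in")
            continue
        try:
            blocks = pem_blocks(value)
        except ValueError:
            problems.append(f"{field}: PEM body is not valid base64")
            continue
        # X.509 certs and PKCS#1/PKCS#8 keys are DER SEQUENCEs, so every body starts with 0x30.
        if not blocks or any(der[:1] != b"\x30" for _, der in blocks):
            problems.append(f"{field}: no well-formed PEM block")
            continue
        labels = [label for label, _ in blocks]
        if field == "cert_chain" and any("PRIVATE KEY" in l for l in labels):
            problems.append("cert_chain: contains a private key; only the certificate chain belongs here")
        elif field == "cert_chain" and any(l != "CERTIFICATE" for l in labels):
            problems.append("cert_chain: only CERTIFICATE blocks are allowed")
        elif field == "private_key" and (len(blocks) != 1 or not labels[0].endswith("PRIVATE KEY")):
            problems.append("private_key: must hold exactly one PRIVATE KEY block")
    return problems

# Constructed sample material: a 5-byte DER stub, NOT a real certificate or key.
FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()

def pem_stub(label):
    return f"-----BEGIN {label}-----\n{FAKE_DER}\n-----END {label}-----\n"

GOOD_ENTRY = {"cert_chain": pem_stub("CERTIFICATE") * 2, "private_key": pem_stub("RSA PRIVATE KEY")}
LEAKY_ENTRY = {"cert_chain": pem_stub("CERTIFICATE") + pem_stub("RSA PRIVATE KEY"),
               "private_key": pem_stub("RSA PRIVATE KEY")}
```

Run check_keypair over every entry of the parsed frontend_tls_keypairs list and refuse to deploy if any returns a non-empty list.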
Create and upload the Istio release with BOSH:
bosh create-release && bosh upload-release
Deploy your cf-deployment with the Istio ops file:
bosh -e YOUR-ENV -d cf deploy PATH-TO-CF-MANIFEST -l PATH-TO-VARIABLES \
  -o deploy/cf-deployment-operations/add-istio.yml
YOUR-ENV is the name of the BOSH environment that contains your CF deployment.
PATH-TO-CF-MANIFEST is the path to the manifest file for your CF deployment.
PATH-TO-VARIABLES is the path to the variables file for your CF deployment.
For example:
$ bosh -e my-env -d cf deploy ~/workspace/cf-deployment/cf-deployment.yml -l cf-deployment/cf-deployment.yml \
  -o deploy/cf-deployment-operations/add-istio.yml
Once you deploy with the ops file, you can run bosh vms to see the new VMs in your deployment.
When you deploy Cloud Foundry with service mesh, you must set up a new load balancer to communicate with the Istio routers.
To configure load balancing, choose one of the following procedures that correspond to your use case:
If you deployed CF on GCP using bbl, you can use a custom bbl config to set up load balancers that point to the Istio routers.
To configure load balancing with bbl, do the following:
In a terminal window, navigate to the bosh-bootloader repository from which you initially ran bbl up to pave your infrastructure.
Run the following command to copy the cloud-config file from your istio-release directory to the cloudconfig/gcp/fixtures/ directory of your bosh-bootloader repository:
cp ~/workspace/istio-release/deploy/bbl-config/cloud-config/istio.yml cloudconfig/gcp/fixtures/
Copy the following Terraform template from the istio-release directory to the terraform/gcp/templates/ directory of your bosh-bootloader repository:
cp ~/workspace/istio-release/deploy/bbl-config/terraform/istio-router.tf terraform/gcp/templates/
To configure your load balancer, do the following. The exact procedure varies by IaaS.
- Create a load balancer with a static IP.
- Configure the backends of the load balancer to be the istio-router VMs. You can retrieve the IPs of the router VMs by running bosh vms.
- Configure the health check to use port 8002.
- Add firewall rules for the load balancer to allow HTTP on port 80, TLS on port 443, and HTTP on port 8002 for the health check.
- Create a new DNS name that resolves to the IP of the load balancer. By default, this must be *.istio.CF-APPS-DOMAIN. If you modified the temporary_istio_domains field in the ops file, use the domain you specified.
You must create a new domain dedicated to service mesh. Routes pushed to this domain are handled by the Istio router, and can take advantage of service mesh features like weighted routing.
To create a domain, do the following:
Using the CF CLI, create a new apps domain that matches the DNS name created when configuring load balancing. For example:
cf create-shared-domain istio.YOUR-APPS-DOMAIN.com