Lightstep

    If you only want to collect tracing spans directly from Istio (and not add specific instrumentation directly to your code), then you don’t need to configure any tracers, as long as your services forward the .

    This task uses the Bookinfo sample application as an example.

    1. Ensure you have a Lightstep account. for a free trial of Lightstep.

    2. If you’re using on-premise Satellites, ensure you have a satellite pool configured with TLS certs and a secure GRPC port exposed. See for details about setting up satellites.

      For Lightstep Public Satellites or , your satellites are already configured. However you need to download this certificate to a local directory.

    3. Ensure sure you have a Lightstep . Access tokens allow your app to communicate with your Lightstep project.

    Deploy Istio

    How you deploy Istio depends on which type of Satellite you use.

    These instructions do not assume TLS. If you are using TLS for your Satellite pool, follow the config for the Public Satellite pool, but use your own cert and your own pool’s endpoint ().

    1. You need to deploy Istio with your Satellite address at an address in the format <Host>:<Port>, for example lightstep-satellite.lightstep:9292. You find this in your file.

    2. Deploy Istio with the following configuration parameters specified:

      • pilot.traceSampling=100
      • global.proxy.tracer="lightstep"
      • global.tracer.lightstep.address="<satellite-address>"
      • global.tracer.lightstep.accessToken="<access-token>"

      You can set these parameters using the --set key=value syntax when you run the install command. For example:

    Deploy Istio with Public or Developer Mode Satellites

    Follow these steps if you’re using the Public or Developer Mode Satellites, or if you’re using on-premise Satellites with a TLS certificate.

      1. $ CACERT=$(cat Cert_Auth.crt | base64) # Cert_Auth.crt contains the necessary CACert
      2. $ NAMESPACE=default

    2. Deploy Istio with the following configuration parameters specified:

      1. global:
      2.   proxy:
      3.   tracer:
      4.     lightstep:
      5.       address: "ingest.lightstep.com:443"
      6.       accessToken: "<access-token>"
      7. meshConfig:
      9.     tracing:
      10.       sampling: 100
      11.       tlsSettings
      12.         mode: "SIMPLE"
      13.         # Specifying ca certificate here will moute `lightstep.cacert` secret volume
      14.         # at all sidecars by default.
      15.         caCertificates="/etc/lightstep/cacert.pem"
      16. components:
      17.   ingressGateways:
      18.   # `lightstep.cacert` secret volume needs to be mount at gateways via k8s overlay.
      19.   - name: istio-ingressgateway
      20.     enabled: true
      21.     k8s:
      22.       overlays:
      23.       - kind: Deployment
      24.         name: istio-ingressgateway
      25.         patches:
      27.             name: lightstep-certs
      28.             mountPath: /etc/lightstep
      29.             readOnly: true
      30.         - path: spec.template.spec.volumes[-1]
      31.           value: |
      32.             name: lightstep-certs
      33.             secret:
      34.               secretName: lightstep.cacert
      35.               optional: true

    1. Follow the instructions to deploy the Bookinfo sample application.

    2. Follow the .

    3. To verify the previous step’s success, confirm that you set GATEWAY_URL environment variable in your shell.

    4. Send traffic to the sample application.

    Visualize trace data

    1. Load the Lightstep web UI. You’ll see the three Bookinfo services listed in the Service Directory.

      Bookfinder services in the Service Directory

    2. Navigate to the Explorer view.

      Explorer view

      Explorer view

    3. Find the query bar at the top. The query bar allows you to interactively filter results by a Service, Operation, and Tag values.

    5. Click Run. You see something similar to the following:

      Explorer

    6. Click on the first row in the table of example traces below the latency histogram to see the details corresponding to your refresh of the /productpage. The page then looks similar to:

      Detailed Trace View

      Detailed Trace View

    The screenshot shows that the trace is comprised of a set of spans. Each span corresponds to a Bookinfo service invoked during the execution of a /productpage request.

    Two spans in the trace represent every RPC. For example, the call from productpage to reviews starts with the span labeled with the reviews.default.svc.cluster.local:9080/* operation and the productpage.default: proxy client service. This service represents the client-side span of the call. The screenshot shows that the call took 15.30 ms. The second span is labeled with the reviews.default.svc.cluster.local:9080/* operation and the service. The second span is a child of the first span and represents the server-side span of the call. The screenshot shows that the call took 14.60 ms.

    The Lightstep integration does not currently capture spans generated by Istio’s internal operation components such as Mixer.

    Istio captures traces at a configurable trace sampling percentage. To learn how to modify the trace sampling percentage, visit the .

    When using Lightstep, we do not recommend reducing the trace sampling percentage below 100%. To handle a high traffic mesh, consider scaling up the size of your satellite pool.

    Cleanup

    If you are not planning any follow-up tasks, remove the Bookinfo sample application and any Lightstep secrets from your cluster.

    2. Remove the secret generated for Lightstep:

    1. $ kubectl delete secret lightstep.cacert