Virtual Machines in Multi-Network Meshes
One or more Kubernetes clusters with versions: 1.15, 1.16, 1.17, 1.18.
Virtual machines (VMs) must have IP connectivity to the Ingress gateways in the mesh.
Services in the cluster must be accessible through the Ingress gateway.
Installation steps
The first step when adding non-Kubernetes services to an Istio mesh is to configure the Istio installation itself, and generate the configuration files that let VMs connect to the mesh. Prepare the cluster for the VM with the following commands on a machine with cluster admin privileges:
Create a Kubernetes secret for your generated CA certificates using a command similar to the following.
Follow the same steps as in the single-network configuration for the initial setup of the cluster and certificates, with one change in how you deploy the Istio control plane:
Setting up the VM
Next, run the following commands on each machine that you want to add to the mesh:
Copy the previously created cluster.env and *.pem files to the VM. For example:
$ export GCE_NAME="your-gce-instance"
$ gcloud compute scp --project=${MY_PROJECT} --zone=${MY_ZONE} {key.pem,cert-chain.pem,cluster.env,root-cert.pem} ${GCE_NAME}:~
Install the Debian package with the Envoy sidecar.
$ gcloud compute ssh --project=${MY_PROJECT} --zone=${MY_ZONE} "${GCE_NAME}"
$ curl -L https://storage.googleapis.com/istio-release/releases/1.6.0/deb/istio-sidecar.deb > istio-sidecar.deb
$ sudo dpkg -i istio-sidecar.deb
A better option is to configure the DNS resolver of the VM to resolve the address using a split-DNS server. Using /etc/hosts is a simple example. It is also possible to use real DNS and a certificate for istiod; this is beyond the scope of this document.
Install root-cert.pem, key.pem and cert-chain.pem under /etc/certs/.
$ sudo mkdir -p /etc/certs
$ sudo cp {root-cert.pem,cert-chain.pem,key.pem} /etc/certs
Install root-cert.pem under /var/run/secrets/istio/.
Transfer ownership of the files in /etc/certs/, /var/lib/istio/envoy/ and /var/run/secrets/istio/ to the Istio proxy.
$ sudo chown -R istio-proxy /etc/certs /var/lib/istio/envoy /var/run/secrets/istio/
Start Istio using systemctl.
$ sudo systemctl start istio
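As an added check that is not part of the original page: before starting the sidecar, confirm that the files installed under /etc/certs form a valid workload identity, because a chain that does not verify against the mesh root, or a key that does not belong to the certificate, only shows up later as mTLS handshake failures. This is example code of my own; it assumes openssl is installed and takes the certificate directory and the expected owner (istio-proxy on this page) as arguments.

```shell
#!/bin/sh
# Added example, not from the Istio docs: sanity-check the VM certificate
# files installed by the steps above before running systemctl start istio.
# Assumes openssl is available on the VM.

# verify_vm_certs DIR [EXPECTED_OWNER]
# Returns 0 when root-cert.pem, cert-chain.pem and key.pem in DIR are
# present and non-empty, cert-chain.pem verifies against root-cert.pem,
# key.pem matches the leaf certificate, and (if an owner is given) every
# file is owned by that user. Prints the first problem found to stderr.
verify_vm_certs() {
    dir="${1:-/etc/certs}"
    owner="$2"
    for f in root-cert.pem cert-chain.pem key.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            return 1
        fi
    done
    # 1. The workload chain must be signed by the root the cluster trusts;
    #    otherwise istiod and peer sidecars will reject this VM's identity.
    if ! openssl verify -CAfile "$dir/root-cert.pem" "$dir/cert-chain.pem" >/dev/null 2>&1; then
        echo "cert-chain.pem does not verify against root-cert.pem" >&2
        return 1
    fi
    # 2. The private key must belong to the leaf (first) certificate in the
    #    chain; compare the SubjectPublicKeyInfo derived from each file.
    cert_pub=$(openssl x509 -in "$dir/cert-chain.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "key.pem does not match the certificate in cert-chain.pem" >&2
        return 1
    fi
    # 3. Ownership: the page chowns the files to istio-proxy so the sidecar
    #    can read them; a wrong owner means Envoy starts without an identity.
    if [ -n "$owner" ]; then
        for f in root-cert.pem cert-chain.pem key.pem; do
            actual=$(ls -ld "$dir/$f" | awk '{print $3}')
            if [ "$actual" != "$owner" ]; then
                echo "$dir/$f is owned by $actual, expected $owner" >&2
                return 1
            fi
        done
    fi
    return 0
}
```

Run it as `verify_vm_certs /etc/certs istio-proxy` after the chown step; a non-zero exit with the printed reason tells you which file to fix before the proxy starts.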
After setup, the machine can access services running in the Kubernetes cluster or on other VMs.
The following example shows accessing a service running in the Kubernetes cluster from a VM using /etc/hosts, in this case a service from the Bookinfo example.
Connect to the cluster service from the VM as in the example below:
$ curl -v ${GWIP}/productpage
< HTTP/1.1 200 OK
< content-type: text/html; charset=utf-8
< content-length: 1836
< server: istio-envoy
... html content ...
The server: istio-envoy header indicates that the sidecar intercepted the traffic.
Running services on the added VM
Set up an HTTP server on the VM instance to serve HTTP traffic on port 8080:
$ gcloud compute ssh ${GCE_NAME}
$ python -m SimpleHTTPServer 8080
Add VM services to the mesh
Ensure you have added the istioctl client to your path, as described in the download page.
Deploy a pod running the sleep service in the Kubernetes cluster, and wait until it is ready:
$ kubectl apply -f samples/sleep/sleep.yaml
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
sleep-88ddbcfdd-rm42k 2/2 Running 0 1s
...
Send a request from the sleep service on the pod to the VM's HTTP service:
$ kubectl exec -it sleep-88ddbcfdd-rm42k -c sleep -- curl vmhttp.${SERVICE_NAMESPACE}.svc.cluster.local:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html>
<title>Directory listing for /</title>
<body>
<h2>Directory listing for /</h2>
<hr>
<ul>
<li><a href=".bashrc">.bashrc</a></li>
<li><a href=".ssh/">.ssh/</a></li>
</body>
Congratulations! You successfully configured a service running in a pod within the cluster to send traffic to a service running on a VM outside of the cluster and tested that the configuration worked.
Run the following commands to remove the expansion VM from the mesh's abstract model.
See also
Deploy Istio and connect a workload running within a virtual machine to it.
Bookinfo with a Virtual Machine
Run the Bookinfo application with a MySQL service running on a virtual machine within your mesh.
Learn how to add a service running on a virtual machine to your single network Istio mesh.
Provision and manage DNS certificates in Istio.
A more secure way to manage Istio webhooks.