Use SuperGloo to install Istio, route traffic and more

Originally posted at Learn Istio Blog

For a while, when installing Istio, questions like “How do I include Grafana?” or “How to enable mTLS?” would pop-up and the answers to those questions was a specific variable you had to set when installing the Istio Helm chart, or setting the value, then rendering the template and install it. There is a plethora of settings, levers, and buttons that can be pushed, pulled or configured. Luckily, Istio has a couple of built-in configuration profiles you can use to install it, so that makes it a bit better.

SuperGloo is an open source project from solo.io that promises to simplify the installation, management, and operation of your service mesh(es).

Installing SuperGloo

curl -sL https://run.solo.io/supergloo/install | sh

By default, the supergloo binary lives under $HOME/.supergloo/bin. You can either add it to your path as the post-installation instructions suggest, but I usually just create a symlink to the /usr/local/bin folder like this:

ln -s $HOME/.supergloo/bin/supergloo /usr/local/bin/supergloo

The first thing you want to do after you’ve installed the CLI is to run the supergloo init command. This command will create services accounts, cluster roles and bindings, and three deployments, all in the supergloo-system namespace.

Note: make sure you switch the context to the correct Kubernetes config/cluster, before running the command.

You can run the kubectl get pods -n supergloo-system command to check if and when all the pods are up and running:

$ kubectl get po -n supergloo-system
NAME READY STATUS RESTARTS AGE
discovery-68df78f9c-rk2w4 1/1 Running 0 58s
mesh-discovery-bc9fbcb7f-z84r9 1/1 Running 0 58s
supergloo-59445698c5-p2fvm 1/1 Running 0 58s

Install Istio with SuperGloo

Here are different flags (as of version 0.3.15) you can set to install Istio:

--auto-inject                     enable auto-injection? (default true)
--egress enable egress gateway?
--grafana add grafana to the install?
--ingress enable ingress gateway?
--installation-namespace string which namespace to install Istio into? (default "istio-system")
--jaeger add jaeger to the install?
--mtls enable mtls? (default true)
--prometheus add prometheus to the install?
--version string version of istio to install? available: [1.0.3 1.0.5 1.0.6] (default "1.0.6")

We’ll start with this setup — latest Istio supported in SuperGloo (1.0.6) with auto-injection turned on, mTLS enabled and ingress enabled. Later on, we will try to add/enable additional features.

Run the following command to install the Istio using SuperGloo defaults:

$ supergloo install istio --name istio --ingress
+---------+------------+---------+---------------------------+
| INSTALL | TYPE | STATUS | DETAILS |
+---------+------------+---------+---------------------------+
| istio | Istio Mesh | Pending | enabled: true |
| | | | version: 1.0.6 |
| | | | namespace: istio-system |
| | | | mtls enabled: true |
| | | | auto inject enabled: true |
| | | | grafana enabled: false |
| | | | prometheus enabled: false |
| | | | jaeger enabled: false |
| | | | ingress enabled: true |
| | | | egress enabled: false |
+---------+------------+---------+---------------------------+

There is also an interactive mode, where SuperGloo CLI takes you through all options and asks you which one you want. You can run it by adding the -i flag like this: supergloo install istio -i

To check the installation progress, you can run kubectl get po -n istio-system and once the status on pods is either Running or Completed, the mesh is successfully installed.

Finally, let’s label the default namespace with istio-injection=enabled, so we don't need to manually inject the sidecar proxies:

kubectl label namespace default istio-injection=enabled

You can run the command below to check which namespaces have automatic injection enabled:

$ kubectl get namespace -L istio-injection
NAME STATUS AGE ISTIO-INJECTION
default Active 121m enabled
istio-system Active 69m
kube-public Active 121m
kube-system Active 121m
supergloo-system Active 100m

Route traffic with SuperGloo

cat << EOF | kubectl apply -f -
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: helloweb
labels:
app: helloweb
version: v1
spec:
replicas: 3
template:
metadata:
labels:
app: helloweb
version: v1
spec:
containers:
- image: learnistio/hello-web:1.0.0
imagePullPolicy: Always
name: web
ports:
- containerPort: 3000
env:
- name: GREETER_SERVICE_URL
value: 'http://greeter-service.default.svc.cluster.local:3000'
---
kind: Service
apiVersion: v1
metadata:
name: helloweb
labels:
app: helloweb
spec:
selector:
app: helloweb
ports:
- port: 3000
name: http
EOF

Let’s also deploy 2 versions of the greeter service:

cat << EOF | kubectl apply -f -
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: greeter-service-v1
labels:
app: greeter-service
version: v1
spec:
replicas: 3
template:
metadata:
labels:
app: greeter-service
version: v1
spec:
containers:
- image: learnistio/greeter-service:1.0.0
imagePullPolicy: Always
name: svc
ports:
- containerPort: 3000
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: greeter-service-v2
labels:
app: greeter-service
version: v2
spec:
replicas: 3
template:
metadata:
labels:
app: greeter-service
version: v2
spec:
containers:
- image: learnistio/greeter-service:2.0.0
imagePullPolicy: Always
name: svc
ports:
- containerPort: 3000
EOF

And the Kubernetes service:

cat << EOF | kubectl apply -f -
kind: Service
apiVersion: v1
metadata:
name: greeter-service
labels:
app: greeter-service
spec:
selector:
app: greeter-service
ports:
- port: 3000
name: http
EOF

Finally, let’s also deploy a Gateway and a virtual service for the Hello Web, so we can access the service from the outside:

cat <<EOF | kubectl create -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- '*'
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloweb
spec:
hosts:
- '*'
gateways:
- gateway
http:
- route:
- destination:
host: helloweb.default.svc.cluster.local
port:
number: 3000
EOF

At this point, you can access the gateway and you will see responses coming from either v1 or v2 pods since we haven’t created any routing rules.

We could deploy an Istio virtual service for the greeter service and a destination rule to do that, but instead, we will use SuperGloo to do that. SuperGloo introduces a custom resource called RoutingRule. The nice thing about this resource is that regardless of which underlying mesh you’re using (be it Istio or Linkerd), SuperGloo translates the rules accordingly.

To apply a routing rule, run the following SuperGloo command in interactive mode — using this mode CLI asks you a bunch of questions and creates the rule based on your answers:

$ supergloo apply routingrule trafficshifting -i
? name for the Routing Rule: greeter-service-v2
? namespace for the Routing Rule: default
? create a source selector for this rule? [y/N]: N
? create a destination selector for this rule? [y/N]: y
? what kind of selector would you like to create? Upstream Selector
choose upstreams for this selector
? add an upstream (choose <done> to finish): supergloo-system.default-greeter-service-3000
? add an upstream (choose <done> to finish): <done>
? add a request matcher for this rule? [y/N]: N
? select a target mesh to which to apply this rule supergloo-system.istio
select the upstreams to which you wish to direct traffic
? add an upstream (choose <done> to finish): supergloo-system.default-greeter-service-v2-3000
? add an upstream (choose <done> to finish): <done>
? choose a weight for {default-greeter-service-v2-3000 supergloo-system} 100

Alternatively, you can apply the exact same rule without the interactive mode:

supergloo apply routingrule trafficshifting \
--name greeter-service-v2 \
--dest-upstreams supergloo-system.default-greeter-service-3000 \
--target-mesh supergloo-system.istio \
--destination supergloo-system.default-greeter-service-v2-3000:100

If you try to access the gateway URL now, you will only get the responses from the greeter service v2.

Enable Grafana and Jaeger with SuperGloo

Let’s see how can we update the existing Istio installation, managed by SuperGloo, to enable Prometheus, Grafana, and Jaeger.

To update the Istio installation, you can use the --update flag and provide a new set of options. Note that you need to provide all the options you want to change, otherwise SuperGloo will revert to default values. For example: if you enabled ingress originally and you don't enable it when updating the installation, the ingress will get disabled.

Here’s the command you can use to add Grafana, Prometheus, and Jaeger to the existing Istio installation:

$ supergloo install istio --update \
--name istio \
--ingress \
--jaeger --prometheus --grafana

Above command updates the existing Istio installation — you can monitor the changes by looking at the pods in the istio-system namespace.

Conclusion

Want to learn more about everything service mesh? Check out the Learn Istio Blog