Getting Started with the Service Mesh
This guide introduces the fundamental concepts of the Service Mesh and outlines the first steps to get it running for your applications.
Our managed Service Mesh is built on Istio, the industry-standard open-source service mesh. This guide is not a replacement for the official Istio documentation but will provide you with the necessary context to follow their comprehensive tutorials.
Core Concepts
Before you begin, it's helpful to understand a few core components of Istio:
- Sidecar Proxy: Istio deploys a lightweight proxy, called a sidecar, next to each of your application pods. These proxies intercept all network traffic in and out of your containers, allowing Istio to enforce policies and collect telemetry without any changes to your application code.
- Control Plane: This is the central brain of the service mesh. We manage the control plane for you. It takes your desired configuration and dynamically programs all the sidecar proxies in the mesh.
- Custom Resources: You will interact with the service mesh by creating Kubernetes resources. The most common ones are:
  - Gateway: Manages inbound and outbound traffic for your mesh, specifying the ports to be exposed, certificate configuration, etc.
  - VirtualService: Configures how requests are routed to a service within the mesh. You can define sophisticated traffic rules, like sending 20% of traffic to a new version of your service.
  - DestinationRule: Configures policies for traffic intended for a service after routing has occurred, such as load balancing settings, connection pool size, and outlier detection.
Prerequisites
Before you begin, please ensure you have an application deployed and running in your Kubernetes namespace. For more information, see the Contain Base getting started guide.
Step 1: Enable the Sidecar Proxy Injection
To enable the service mesh for your application, you need to instruct Istio to automatically inject the sidecar proxy into your application's pods. This is done by adding a label to the Kubernetes namespace where your application resides.
Manifest Example (Namespace Operator)
If you use Istio in all namespaces, update the spec.labels field of the BootstrapConfig config:

apiVersion: project.tcs.trifork.com/v1alpha1
kind: BootstrapConfig
metadata:
  name: default
  namespace: netic-gitops-system
spec:
  # [...]
  labels:
    istio-injection: enabled
  # [...]
If you only use Istio in individual namespaces, update the ProjectBootstrap configuration for that namespace to include the istio-injection: enabled label:
apiVersion: project.tcs.trifork.com/v1alpha1
kind: ProjectBootstrap
metadata:
name: my-app
namespace: netic-gitops-system
spec:
namespace: my-app
config:
ref: default
size: default
git:
branch: main
path: apps/prod
metadata: {}
overrides:
labels:
istio-injection: enabled
Manifest Example (Recommended)
Update your namespace manifest to include the istio-injection: enabled label.
Kubectl Example
Alternatively, you can apply this label using kubectl:
Once the label is applied, any new pods created in this namespace (or existing pods, if restarted) will have the sidecar proxy automatically injected.
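Pods that were already running when the label was applied stay outside the mesh until they are restarted, so mesh policies and telemetry do not cover them yet. The script below is an added example, not part of the platform's own tooling: it labels a namespace, restarts its deployments, and lists pods that still lack the sidecar. The function names are hypothetical and the sample data is constructed; the script assumes the standard Istio sidecar container name, istio-proxy.

```shell
#!/bin/sh
# Added example: enable injection and audit which pods are still outside the mesh.
SIDECAR=istio-proxy   # container name used by Istio's sidecar injector

# Label the namespace and restart its deployments so existing pods get re-created
# with the sidecar. $1 = namespace (e.g. my-app).
enable_injection() {
  kubectl label namespace "$1" istio-injection=enabled --overwrite
  kubectl rollout restart deployment -n "$1"
}

# Live query: one line per pod, "<pod>\t<init containers> <containers>".
# Init containers are included because Istio's native-sidecar mode runs the
# proxy as a restartable init container.
list_pod_containers() {
  kubectl get pods -n "$1" -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.initContainers[*].name}{" "}{.spec.containers[*].name}{"\n"}{end}'
}

# Reads lines in the format above on stdin and prints the names of pods that
# do not run the sidecar. Matching is on the whole container name.
pods_missing_sidecar() {
  while IFS="$(printf '\t')" read -r pod containers; do
    [ -n "$pod" ] || continue
    case " $containers " in
      *" $SIDECAR "*) ;;                 # sidecar present
      *) printf '%s\n' "$pod" ;;         # not injected (created before the label?)
    esac
  done
}

# Constructed sample of list_pod_containers output (not from a real cluster):
# worker-55fa was started before the namespace was labelled.
SAMPLE_PODS="$(printf '%s\t%s\n' \
  'web-7d9c'    'istio-init web istio-proxy' \
  'worker-55fa' ' worker' \
  'api-1b2c'    'istio-init istio-proxy api')"

# Offline demo:   printf '%s\n' "$SAMPLE_PODS" | pods_missing_sidecar
# Live cluster:   list_pod_containers my-app | pods_missing_sidecar
```

An empty result means every pod in the namespace carries the proxy; any name printed is a workload that needs a restart before it is part of the mesh.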
Next Steps
Now that you have enabled the service mesh for your namespace, you are ready to explore its powerful features. We recommend following the official Istio "Getting Started" guide, which provides an excellent hands-on tutorial with a sample application.
Proceed to the official Istio Getting Started guide
This external guide will walk you through:
- Downloading and installing istioctl, the command-line tool for managing Istio.
- Deploying the Bookinfo sample application.
- Controlling traffic, enforcing security policies, and observing your services.
By following their tutorial, you will gain practical experience in configuring and managing your services within the mesh.