Getting started with Amazon EKS Anywhere and Istio service mesh

Lin Sun
| September 9, 2021

How long does it take to getting started with Amazon EKS Anywhere, Istio, and Gloo Mesh?  Assuming you already have the Kubernetes clusters, it will take you 15 minutes to configure secure and seamless global failover of your services from EKS Anywhere (EKS-A) to traditional EKS in the AWS cloud.

Pre-requisites

1. An EKS-A cluster, which you can deploy using the eksctl anywhere CLI on your desktop machine or VMware vSphere environment.

eksctl anywhere create cluster -f eks-a-cluster1.yaml

2. EKS Clusters. You can deploy 2 EKS clusters using the eksctl CLI, for example:

eksctl create cluster --name gm-mgmt --region=us-east-1
eksctl create cluster --name cluster2 --region=us-east-1

3. Configure cluster context environment variables for these 3 clusters:

export MGMT=gm-mgmt
export CLUSTER1=cluster1
export CLUSTER2=cluster2

4. Export your GLOO_MESH_LICENSE_KEY. If you don’t have one, you can get a free trial license by contacting Solo.io.

export GLOO_MESH_LICENSE_KEY=$REPLACE_WITH_KEY_VALUE

You’ll deploy Istio, Gloo Mesh, and the famous “book info” app to our clusters on EKS Anywhere and EKS.  You’ll try a failover of reviews service seamlessly from EKS Anywhere in your corporate data center to EKS in AWS cloud as the diagram shows:

Service Failover from EKS-A to EKS

Let’s get started!

Install Istio

Download Istio:

export ISTIO_VERSION=1.10.3
curl -L https://istio.io/downloadIstio | sh -

Install Istio on cluster1 running on EKS Anywhere and on cluster2 running on EKS:

./istio-1.10.3/bin/istioctl --context ${CLUSTER1} install -f https://raw.githubusercontent.com/linsun/istio-yamls/main/gm-eks/cluster1.yaml
./istio-1.10.3/bin/istioctl --context ${CLUSTER2} install -f https://raw.githubusercontent.com/linsun/istio-yamls/main/gm-eks/cluster2.yaml

A couple of installation notes:

  • In cluster1.yaml, you configured Istio ingress gateway to run on type: NodePort because we don’t have a load balancer deployed in our EKS Anywhere cluster. Change the service type to type: LoadBalancer if needed.
  • In cluster2.yaml, you had the 15021 status port as the first port in the Istio ingress gateway service. This is on purpose because the AWS ELB by default performs health check on the first port.

Enable mutual TLS on both clusters to only allow mutual TLS traffic for services in the mesh:

kubectl --context ${CLUSTER1} apply -f https://raw.githubusercontent.com/linsun/istio-yamls/main/gm-eks/mtls.yaml
kubectl --context ${CLUSTER2} apply -f https://raw.githubusercontent.com/linsun/istio-yamls/main/gm-eks/mtls.yaml
Install Gloo Mesh Enterprise

First, install the meshctl CLI:

curl -sL https://run.solo.io/meshctl/install | GLOO_MESH_VERSION=v1.1.0 sh -
export PATH=$HOME/.gloo-mesh/bin:$PATH

Second, run the following commands to deploy Gloo Mesh Enterprise:

helm repo add gloo-mesh-enterprise https://storage.googleapis.com/gloo-mesh-enterprise/gloo-mesh-enterprise
helm repo update
kubectl --context ${MGMT} create ns gloo-mesh
helm install gloo-mesh-enterprise gloo-mesh-enterprise/gloo-mesh-enterprise \
--namespace gloo-mesh --kube-context ${MGMT} \
--version=1.1.1 \
--set licenseKey=${GLOO_MESH_LICENSE_KEY}
kubectl --context ${MGMT} -n gloo-mesh rollout status deploy/enterprise-networking

Third, you need to register the cluster1 and cluster2:

SVC=$(kubectl --context ${MGMT} -n gloo-mesh get svc enterprise-networking -o jsonpath='{.status.loadBalancer.ingress[0].*}')
meshctl cluster register --mgmt-context=${MGMT} --remote-context=${CLUSTER1} --relay-server-address=$SVC:9900 enterprise cluster1 --cluster-domain cluster.local
meshctl cluster register --mgmt-context=${MGMT} --remote-context=${CLUSTER2} --relay-server-address=$SVC:9900 enterprise cluster2 --cluster-domain cluster.local

Check the status of the server with the meshctl check server command, you should be able to confirm that Gloo Mesh is installed successfully with agents from cluster1 and cluster2 connected to the management cluster.

Create a virtual mesh for cluster1 and cluster2

The Istio CA’s signing certificates are different in the cluster1 and cluster2. Creating a Virtual Mesh can help you easily reconfigure Istiod on both clusters with a common root identity so the services across clusters can communicate with each other securely using mTLS with the passthrough gateways. Run the following command to create the Virtual Mesh:

cat << EOF | kubectl --context ${MGMT} apply -f -
apiVersion: networking.mesh.gloo.solo.io/v1
kind: VirtualMesh
metadata:
  name: virtual-mesh
  namespace: gloo-mesh
spec:
  mtlsConfig:
    autoRestartPods: true
    shared:
      rootCertificateAuthority:
        generated: {}
  federation:
    selectors:
    - {}
  meshes:
  - name: istiod-istio-system-cluster1
    namespace: gloo-mesh
  - name: istiod-istio-system-cluster2
    namespace: gloo-mesh
EOF

You can describe your virtualmesh resource and check its status, you should see a bunch of ACCEPTED status:

kubectl describe virtualmesh -n gloo-mesh
Global traffic failover from EKS Anywhere to EKS

Deploy productpage, details, reviews v1 & v2, ratings services and the productpage gateway resource on cluster1. Deploy reviews v3 and ratings services on cluster2:

kubectl --context ${CLUSTER1} label namespace default istio-injection=enabled
kubectl --context ${CLUSTER1} apply -f https://raw.githubusercontent.com/linsun/istio-yamls/main/gm-eks/bookinfo-cluster1.yaml
kubectl --context ${CLUSTER2} label namespace default istio-injection=enabled
kubectl --context ${CLUSTER2} apply -f https://raw.githubusercontent.com/linsun/istio-yamls/main/gm-eks/bookinfo-cluster2.yaml

Apply the virtual destination custom resource for the global review service on the management cluster:

cat << EOF | kubectl --context ${MGMT} apply -f -
apiVersion: networking.enterprise.mesh.gloo.solo.io/v1beta1
kind: VirtualDestination
metadata:
 name: reviews-global
 namespace: gloo-mesh
spec:
 hostname: reviews.global
 port:
   number: 9080
   protocol: http
 localized:
   outlierDetection:
     consecutiveErrors: 1
     maxEjectionPercent: 100
     interval: 5s
     baseEjectionTime: 120s
   destinationSelectors:
   - kubeServiceMatcher:
       labels:
         app: reviews
 virtualMesh:
   name: virtual-mesh
   namespace: gloo-mesh
EOF

Apply the traffic policy on the managemnt cluster to use the global review virtual destination you just created:

cat << EOF | kubectl --context ${MGMT} apply -f -
apiVersion: networking.mesh.gloo.solo.io/v1
kind: TrafficPolicy
metadata:
 name: reviews-shift-failover
 namespace: default
spec:
 sourceSelector:
 - kubeWorkloadMatcher:
     namespaces:
     - default
 destinationSelector:
 - kubeServiceRefs:
     services:
       - clusterName: cluster1
         name: reviews
         namespace: default
 policy:
   trafficShift:
     destinations:
       - virtualDestination:
           name: reviews-global
           namespace: gloo-mesh
EOF

Visit the bookinfo application via the Istio ingress gateway on cluster1 a few times to confirm that you will only see reviews v1 and v2. This is because you have programmed Gloo Mesh and Istio to use the reviews service in the local cluster when they are healthy.

kubectl --context ${CLUSTER1} port-forward deploy/istio-ingressgateway -n istio-system 8080
open http://localhost:8080/productpage

Scale down reviews v1 & v2 in cluster1 to simulate a failover scenario:

kubectl scale deploy reviews-v1 --replicas=0 --context $CLUSTER1
kubectl scale deploy reviews-v2 --replicas=0 --context $CLUSTER1

Visit the bookinfo application again to confirm you will see review v3 seamlessly:

 

When the reviews v1 and v2 service deployments fail in cluster1, the productpage service in cluster1 is automatically routed to the reviews v3 service in cluster2 automatically without any manual intervention.

Visit Gloo Mesh UI and navigate to Graph, you should be able to view the service communication graph among 2 clusters:

kubectl --context ${MGMT} port-forward -n gloo-mesh svc/dashboard 8090
open http://localhost:8090/graph/?virtual_mesh=gloo-mesh.virtual-mesh

Gloo Mesh UI Reviews Failover

Wrapping Up

We hope this gets you excited about how easy it is getting started with EKS Anywhere and Istio using Gloo Mesh! If you are looking to increase service resiliency of your services across different clusters and different clouds with zero trust security model, join us in our upcoming Istio or Gloo Mesh workshops to learn more about how Istio and Gloo Mesh can help you to easily increase resiliency or security or observability of your services regardless of where you are running your services in your hybrid cloud environment.

 

Back to Blog