From Zero to Istio Ambient + Argo CD on GKE in 15 Minutes!
June 3, 2024
Alex Ly
How long does it take to configure your first GKE development environment, sidecarless service mesh, and GitOps workflow?
How about 15 minutes? Give us that much time and we’ll give you an ephemeral testbed to explore the benefits of the new architecture mode in Istio, deploy a few applications, and validate zero-trust with minimal effort! We’ll host all of this on a GKE cluster to keep the setup standalone and as simple as possible.
For this exercise, we’re going to do all the work on a GKE cluster. All you’ll need to get started are the CLI utilities kubectl, gcloud-cli, and curl. Make sure these are all available to you before jumping into the next section. I’m building this on macOS, but other platforms should be perfectly fine as well.
Install GKE
Authenticate with Google Cloud using the gcloud-cli:
gcloud auth login
Set the following variables for cluster name, zone, machine type, number of nodes, k8s version, and the target GKE project:
Reminder: if you want a specific version of Istio, or want to use the officially supported images provided by Solo.io, get the Hub value from the Solo support page for Istio Solo images. The value is listed in the Solo.io Istio Versioning Repo key section.
Otherwise, we can use the upstream Istio community image as defined.
Configure the Kubernetes Gateway API CRDs on the cluster; we will need these to deploy components like the Waypoint proxy:
Note that in order to enable ztunnel interception, all that is required is the istio.io/dataplane-mode: ambient label on the workload namespace. The Argo application is already configured with this label; you can verify this with the following commands:
kubectl get namespace client -oyaml
kubectl get namespace httpbin -oyaml
You can check to see that the applications have been deployed:
kubectl get pods -n client && \
kubectl get pods -n httpbin
Notice that no sidecars have been configured for our apps, so no restarts are required!
% kubectl get pods -n client && \
kubectl get pods -n httpbin
NAME                    READY   STATUS    RESTARTS   AGE
sleep-9454cc476-fd8vw   1/1     Running   0          15s
NAME                      READY   STATUS    RESTARTS   AGE
httpbin-698cc5f69-h4v7p   1/1     Running   0          9s
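A scripted version of the two checks above (namespace label, no sidecars), as an added example that is not part of the original post. It also checks the ambient.istio.io/redirection pod annotation, which istio-cni sets when a pod's traffic is redirected to ztunnel; the helper name audit_ambient and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Live inputs (kubectl prints "<none>" for a missing label or annotation):
#   kubectl get ns "$ns" --no-headers \
#     -o custom-columns='M:.metadata.labels.istio\.io/dataplane-mode'
#   kubectl get pods -n "$ns" --no-headers -o custom-columns='P:.metadata.name,R:.metadata.annotations.ambient\.istio\.io/redirection,C:.spec.containers[*].name'

# audit_ambient NAMESPACE MODE   (hypothetical helper, not from the post)
# stdin: one pod per line as "NAME REDIRECTION CONTAINERS".
# Prints one finding per line and returns 1 if there was any.
audit_ambient() {
  awk -v ns="$1" -v mode="$2" '
    BEGIN {
      bad = 0
      # Without this namespace label ztunnel does not intercept the pods.
      if (mode != "ambient") {
        printf "%s: dataplane-mode label is %s, not ambient\n", ns, mode
        bad = 1
      }
    }
    {
      # The post expects ambient workloads to run without sidecars.
      n = split($3, c, ",")
      for (i = 1; i <= n; i++)
        if (c[i] == "istio-proxy") {
          printf "%s/%s: has an istio-proxy sidecar\n", ns, $1
          bad = 1
        }
      # Set by istio-cni once the pod is redirected to ztunnel.
      if ($2 != "enabled") {
        printf "%s/%s: not redirected to ztunnel\n", ns, $1
        bad = 1
      }
    }
    END { exit bad }'
}

# Constructed sample input: the sleep pod from the post, then two failing pods.
sample_ok() { printf '%s\n' 'sleep-9454cc476-fd8vw enabled sleep'; }
sample_bad() {
  printf '%s\n' 'httpbin-698cc5f69-h4v7p enabled httpbin,istio-proxy' \
    'legacy-0 <none> legacy'
}

sample_ok | audit_ambient client ambient && echo "client: ok"
sample_bad | audit_ambient httpbin '<none>' || echo "httpbin: findings above"
```

A non-zero exit status makes the function usable as a gate in a CI job or a post-sync check.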
Exec into the sleep client and curl the httpbin /get endpoint to verify mTLS:
In this blog post, we explored how you can get started with Istio Ambient and Argo CD on your own workstation. We walked step-by-step through the process of standing up a GKE cluster, configuring the new Istio Ambient architecture, installing a couple of applications, and then validating zero trust for service-to-service communication without injecting sidecars! All of the code used in this guide is available on GitHub.
Istio Ambient is completely open source and free to use; however, a Gloo Mesh Core subscription offers even more value to users who require:
Full Support with 24×7 Enterprise SLAs
Long term N-4 support
Hardened images
Architectural guidance and production readiness review
Istio lifecycle management tooling
Ops dashboard for management, monitoring, and insights
Telemetry integration using OTEL
For more information, check out the following resources: