Exposing GKE services through Anthos Service Mesh with a managed HTTPS load balancer

Istio and GKE

Anthos Service Mesh (ASM)

Use case: Building an ASM on a single GKE cluster

ASM installation

./asmcli install --project_id <GCP-project> \
--cluster_name <GKE-cluster> \
--cluster_location <region> \
--output_dir <path_to_output_dir> \
--enable-all
./asmcli validate --project_id <GCP-project> \
--cluster_name <GKE-cluster> \
--cluster_location <region> \
--output_dir <path_to_output_dir>

Istio configuration

$ ./istioctl version 
client version: 1.11.2-asm.17
control plane version: 1.11.2-asm.17
data plane version: none
$ ./istioctl analyze --all-namespaces
Warning [IST0103] (Pod PODNAME) The pod is missing the Istio proxy. This can often be resolved by restarting or redeploying the workload.
Info [IST0102] (Namespace NAMESPACE) The namespace is not enabled for Istio injection. Run 'kubectl label namespace NAMESPACE istio-injection=enabled' to enable it, or 'kubectl label namespace NAMESPACE istio-injection=disabled' to explicitly mark it as not needing injection.
kubectl label namespace NAMESPACE istio-injection- istio.io/rev=REVISION --overwrite
istio.io/rev=asm-1112-17
kubectl rollout restart deployment -n NAMESPACE
kubectl label namespace NAMESPACE istio-injection=disabled
$ ./istioctl proxy-status

Exposing services

service.yaml
BackendConfig
Gateway configuration

Conclusion
