This article provides a basic setup of Appmesh on Azure Kubernetes Service (AKS) using the API Gateway and Micro Gateway trial images available for public use on Docker Hub. It provides steps to set up AKS, install the Istio service mesh on AKS and then finally configure Appmesh.
Prerequisites
- Basic understanding of API Gateway, Micro gateway, App Mesh and policy enforcement.
- Basic understanding of Kubernetes and Istio Service Mesh concepts.
Steps to set up Appmesh on Azure Kubernetes (AKS)
- Log in to portal.azure.com with an active subscription.
- Create a new resource group or choose an existing resource group.
- Next, in the top search box of the Azure Portal, search for Kubernetes and select Kubernetes services.
- Click on Add and select Add Kubernetes cluster.
- The Create Kubernetes cluster window opens as shown below.
Select the Resource group, provide the cluster name and choose the desired Kubernetes version.
- Next choose the number of nodes. Though three is recommended, we use 2 nodes as this is a test setup. The node count can be chosen as per the desired resiliency and workloads.
- Next choose the node pool OS type, size etc., and the virtual nodes and virtual machine scale sets options.
- Next choose the authentication and encryption methods. One can even choose service principals if needed and connect to Azure Active Directory.
- Next choose the networking options. Use kubenet to create a new VNet for the cluster, or Azure CNI for a new or existing VNet with customizable addresses.
- Next enable or disable integrations as shown below. Azure Policy and Monitor are disabled as this is a test setup. A connection to an image registry to pull images from can also be provided here.
- Next add any tags if needed and click on “Review + Create”.
- Once the validation has passed, click on Create to create the Kubernetes cluster.
- After this step, the Kubernetes cluster should be installed successfully.
- Next step is to download and install the Istio client library.
Here I am using a Windows machine for the client. Below are the steps for Istio client installation in Windows PowerShell:
#Specify the Istio version that will be leveraged throughout these instructions
$ISTIO_VERSION="1.7.4"
[Net.ServicePointManager]::SecurityProtocol = "tls12"
$ProgressPreference = 'SilentlyContinue';Invoke-WebRequest -URI "https://github.com/istio/istio/releases/download/$ISTIO_VERSION/istioctl-$ISTIO_VERSION-win.zip" -OutFile "istioctl-$ISTIO_VERSION.zip"
Expand-Archive -Path "istioctl-$ISTIO_VERSION.zip" -DestinationPath .
#Copy istioctl.exe to C:\Istio
New-Item -ItemType Directory -Force -Path "C:\Istio"
Move-Item -Path .\istioctl.exe -Destination "C:\Istio\"
# Add C:\Istio to PATH.
# Make the new PATH permanently available for the current User
$USER_PATH = [environment]::GetEnvironmentVariable("PATH", "User") + ";C:\Istio\"
[environment]::SetEnvironmentVariable("PATH", $USER_PATH, "User")
# Make the new PATH immediately available in the current shell
$env:PATH += ";C:\Istio\"
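The steps above put a downloaded binary on the PATH without checking it. The following is an added example, not part of the original article, of a SHA-256 check to run between the download and Expand-Archive; it assumes the release page also publishes a "<zip name>.sha256" file, and the function name and `$zipUrl` are hypothetical.

```powershell
# Added example: refuse to unpack an archive whose SHA-256 does not match
# the digest published for it.
function Test-ArchiveSha256 {
    param(
        [Parameter(Mandatory)][string]$ArchivePath,
        # Contents of the checksum file, in the usual "<hex digest>  <file name>" form
        [Parameter(Mandatory)][string]$ChecksumText
    )
    # The digest is the first whitespace-separated token and must be 64 hex characters
    $expected = ($ChecksumText.Trim() -split '\s+')[0]
    if ($expected -notmatch '^[0-9a-fA-F]{64}$') {
        throw "Checksum text does not begin with a SHA-256 digest"
    }
    $actual = (Get-FileHash -Path $ArchivePath -Algorithm SHA256).Hash
    # -eq compares strings case-insensitively, which suits hex digests
    return ($actual -eq $expected)
}

# Constructed demo that runs offline: a stand-in archive and two checksum lines
$work = Join-Path ([System.IO.Path]::GetTempPath()) 'istioctl-verify-demo'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$exe = Join-Path $work 'istioctl.exe'
$zip = Join-Path $work 'demo.zip'
Set-Content -Path $exe -Value 'constructed stand-in, not a real binary'
Compress-Archive -Path $exe -DestinationPath $zip -Force
$good = (Get-FileHash -Path $zip -Algorithm SHA256).Hash.ToLower() + '  demo.zip'
$bad  = ('0' * 64) + '  demo.zip'
Test-ArchiveSha256 -ArchivePath $zip -ChecksumText $good
Test-ArchiveSha256 -ArchivePath $zip -ChecksumText $bad

# With the article's download ($zipUrl is a hypothetical variable holding the zip URL):
#   Invoke-WebRequest -URI "$zipUrl.sha256" -OutFile "istioctl-$ISTIO_VERSION.zip.sha256"
#   $sum = Get-Content -Raw "istioctl-$ISTIO_VERSION.zip.sha256"
#   if (-not (Test-ArchiveSha256 "istioctl-$ISTIO_VERSION.zip" $sum)) { throw "SHA-256 mismatch" }
```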
Client installation steps for other operating systems can be found at the link below:
https://docs.microsoft.com/en-us/azure/aks/servicemesh-istio-install?pivots=client-operating-system-windows
- After the Istio client is installed, the next step is to install the Azure CLI on your machine. More details on usage and download can be found here:
How to install the Azure CLI | Microsoft Learn
- Next log in to Azure from your local machine using the below command in PowerShell
az login --tenant <tenantId>
A browser window opens, where you can log in to your Azure portal. After logging in, you should see the below message
Tenant ID can be obtained from the portal as below:
• Navigate to portal.azure.com.
• Select Azure Active Directory.
• Select Properties.
• Then, scroll down to the Tenant ID field.
- If you have multiple subscriptions on Azure, then you need to choose your target subscription through the next commands:
az account list --output table
az account set --subscription <name or id>
- Next connect to the AKS cluster from the CLI using the below command
az aks get-credentials --resource-group <ResourceGroupName> --name <AKS clustername>
- Next step is to install the Istio Operator using the below command
istioctl operator init
- The Istio Operator is installed into the istio-operator namespace. Verify the Istio Operator installation using the below command
kubectl get all -n istio-operator
- Next step is to install the Istio components on AKS.
First execute the below command
istioctl profile dump default
Copy the contents to a file and name it istio.aks.yaml
A simple Istio configuration is attached below
istio.aks.yaml.zip (530 Bytes)
Create the istio-system namespace and apply the configuration using the below commands
kubectl create ns istio-system
kubectl apply -f istio.aks.yaml
- Verify the Istio installation using the below command
kubectl get all -n istio-system
- Next create a Container Registry in the Azure Portal. Search for container registries and create a new container registry.
Finally review and create the container registry.
- Next attach the created container registry to the AKS cluster using the below command
az aks update -n <AKS cluster name> -g <ResGrpName> --attach-acr <container Registry Name>
- Log in to ACR and download the API Gateway and Micro Gateway images from Docker Hub to the container registry
az acr import --name kubeRegistryDemo --source docker.io/store/softwareag/microgateway-trial:10.5.0.2 --image microgw-appmesh:10.5.0.2 --username <docker hub username> --password <docker hub password>
az acr import --name kubeRegistryDemo --source docker.io/store/softwareag/apigateway-trial:10.5.0.2 --image apigw-appmesh:10.5.0.2 --username <docker hub username> --password <docker hub password>
Please note that the username used above should have access to the API Gateway and Micro Gateway images. They are available for public usage after Docker Hub login.
- Next create the appmesh namespace and enable Istio injection
kubectl create namespace appmesh
kubectl label namespace appmesh istio-injection=enabled
kubectl describe namespace appmesh
- Set the current context to the appmesh namespace and install API Gateway
kubectl config set-context --current --namespace=appmesh
Create a sample YAML file for the API Gateway installation, with the vm.max_map_count setting needed for Elasticsearch and using the image downloaded to the container registry.
apigw.aks.yaml.zip (473 Bytes)
Install API Gateway using the below command
kubectl apply -f apigw.aks.yaml
Next expose the different ports of API Gateway as given below
kubectl expose deployment apigw --port 5555 --target-port 5555 --name http-apigw
kubectl expose deployment apigw --port 9072 --target-port 9072 --name http-apigwui --type=LoadBalancer
kubectl expose deployment apigw --port 5555 --target-port 5555 --name http-apigwisext --type=LoadBalancer
kubectl expose deployment apigw --port 9999 --target-port 9999 --name http-apigwdiag --type=LoadBalancer
- Next execute the below command to verify the services installed
kubectl get services
Use the external IP provided above to connect to API Gateway.
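Three of the services created above are of type LoadBalancer, so the API Gateway UI (9072), runtime (5555) and diagnostics (9999) ports each receive an external IP. The following is an added example, not part of the original article, that lists which LoadBalancer services accept traffic from any source address; the function name is hypothetical and the sample JSON (including the one restricted service) is constructed in the shape of `kubectl get services -o json` output.

```powershell
# Added example: report LoadBalancer services with no source-address restriction.
function Get-OpenLoadBalancer {
    param([Parameter(Mandatory)][string]$ServiceListJson)
    $items = ($ServiceListJson | ConvertFrom-Json).items
    foreach ($svc in $items) {
        if ($svc.spec.type -ne 'LoadBalancer') { continue }
        # spec.loadBalancerSourceRanges is optional; absent means "allow all"
        $ranges = @($svc.spec.loadBalancerSourceRanges | Where-Object { $_ })
        if ($ranges.Count -eq 0 -or $ranges -contains '0.0.0.0/0') {
            [pscustomobject]@{
                Service    = $svc.metadata.name
                Ports      = ($svc.spec.ports.port -join ',')
                ExternalIP = ($svc.status.loadBalancer.ingress.ip -join ',')
            }
        }
    }
}

# Constructed sample using the service names and ports from the commands above;
# the IP addresses are documentation ranges, not real endpoints.
$sample = @'
{"items":[
 {"metadata":{"name":"http-apigw"},
  "spec":{"type":"ClusterIP","ports":[{"port":5555}]},
  "status":{"loadBalancer":{}}},
 {"metadata":{"name":"http-apigwui"},
  "spec":{"type":"LoadBalancer","ports":[{"port":9072}]},
  "status":{"loadBalancer":{"ingress":[{"ip":"203.0.113.10"}]}}},
 {"metadata":{"name":"http-apigwisext"},
  "spec":{"type":"LoadBalancer","ports":[{"port":5555}],
          "loadBalancerSourceRanges":["198.51.100.0/24"]},
  "status":{"loadBalancer":{"ingress":[{"ip":"203.0.113.11"}]}}},
 {"metadata":{"name":"http-apigwdiag"},
  "spec":{"type":"LoadBalancer","ports":[{"port":9999}]},
  "status":{"loadBalancer":{"ingress":[{"ip":"203.0.113.12"}]}}}
]}
'@
Get-OpenLoadBalancer -ServiceListJson $sample | Format-Table

# Against the cluster:
#   Get-OpenLoadBalancer -ServiceListJson (kubectl get services -n appmesh -o json | Out-String)
```

Services it reports can be narrowed by setting spec.loadBalancerSourceRanges on the Service, or kept as ClusterIP and reached with kubectl port-forward while testing.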
- Now let’s deploy a sample API server to the cluster and enable the node port.
kubectl create deployment apiserver --image apiserver:1.0
kubectl expose deployment apiserver --port 8080 --target-port 8080 --name=http-apiserver --type=NodePort
kubectl get services
- Next configure the Service Mesh properties in API Gateway under Administration -> External Accounts -> Service Mesh.
Use the configuration file exported earlier to the user directory.
For Windows the path is C:\Users\<Username>\.kube\config
Save the configuration and navigate to the Appmesh tab. The sample API server endpoint should be visible.
Click on View details to see more details on the API server deployed.
- Next click on APIfy to enable application context for the service, apply different policies, and deploy the policies as a Micro Gateway sidecar deployment.
After clicking on APIfy, navigate to the APIs section to see the API created for apiserver.
Select the API and update the specification and desired policies.
- Navigate back to Appmesh, select the API server endpoint, and deploy the changes back to the AKS cluster.
Micro Gateway will be deployed as a sidecar. To confirm this, navigate back to the CLI and execute kubectl get services again. The service that was listening on the original port 8080 will now be listening via the Micro Gateway port 4485.
- Test the API server from Postman for different scenarios, including before and after the Micro Gateway sidecar deployment, and see how Appmesh provides application context to the service.
- Reference Article for API configuration in AppMesh - AppMesh User guide