This article helps you install Istio on your Kubernetes cluster using Helm, deploy applications on cluster, and migrate the Istio control plane and application workloads to a target environment using SWIFT. It walks you through the prerequisites, Istio installation, deploying a sample application, exposing the application through the Istio ingress gateway, and enabling observability with Istio addons such as Kiali. The article also includes simple validation steps to confirm that the installation and migration are completed successfully.
Istio Deployment and Migration Workflow
If you need helm to deploy the Istio, then you can follow below pre-requisite steps. The steps have been validated on a Kubernetes cluster. Istio versions may change over time, so ensure you confirm the appropriate version before proceeding.
Pre-requisite:
1. Install the Helm client version 3.6 or later.
2. Configure the Istio Helm Repository
helm repo add istio https://istio-release.storage.googleapis.com/charts helm repo update
3.Download Istio : Download the latest version of Istio to your local system:
curl -L https://istio.io/downloadIstio | sh -
To download a specific Istio version, use:
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.17.2 TARGET_ARCH=x86_64 sh -
4. Install istioctl on the Source Cluster : Ensure that istioctl is installed on the source cluster.
If it is not already installed, run the following command:
istioctl install --skip-confirmation
5. Set the PATH for istioctl : Add istioctl to your system PATH:
cd istio-1.17.2 export PATH=$PWD/bin:$PATH
How to deploy Istio
Step 1: Create Istio Namespace
Create a dedicated namespace for Istio components:
kubectl create namespace istio-system
Step 2: Install Istio Base Chart
Install the Istio base chart, which contains cluster-wide Custom Resource Definitions (CRDs). These CRDs must be installed before deploying the Istio control plane:
helm install istio-base istio/base -n istio-system
Step 3: Install Istio Discovery (istiod)
Install the Istio discovery chart, which deploys the istiod service:
helm install istiod istio/istiod -n istio-system --wait
Step 4: Verify Helm Installation
Verify that the Helm charts are installed successfully:
helm ls -n istio-system
Step 5: Check Istiod Status
Confirm that the Istio control plane is deployed and running:
helm status istiod -n istio-system
How to Deploy application
Step 1: Create Application Namespace
Create a new namespace for the Bookinfo application:
kubectl create namespace pk
Step 2: Enable Istio Sidecar Injection
Label the namespace to enable automatic Istio sidecar injection:
kubectl label namespace pk istio-injection=enabled
Step 3: Set Istio CLI Path
Navigate to the Istio installation directory and update the PATH variable:
cd istio-1.17.2 export PATH=$PWD/bin:$PATH
Step 4: Deploy Bookinfo Application
Deploy the Bookinfo sample application manifests:
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -n pk
Step 5: Verify Deployment
Check the status of the deployed pods:
kubectl get pods -n pk
Steps 6: Enable the Istio Ingress Gateway
helm install istio-ingressgateway istio/gateway -n istio-systemThis command deploys the ingress gateway components required to handle incoming traffic.
Steps 7: Verify Ingress Gateway Status
Confirm that the Istio ingress gateway pod is running:
kubectl get pods -l app=istio-ingressgateway -n istio-system
Exposing Bookinfo Application Using Istio Ingress Gateway
Step 1: Expose Bookinfo via Ingress Gateway
Apply the Bookinfo gateway configuration to expose the application: This creates the required Gateway and VirtualService resources.
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml -n pkStep 2: Set Ingress Gateway Environment Variables
Retrieve the external IP address of the Istio ingress gateway:
export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')Retrieve the HTTP port used by the ingress gateway:
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')Set the gateway URL using the retrieved host and port:
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORTStep 3: Access the Bookinfo Application
Use the gateway URL to access the Bookinfo application: Copy the displayed URL and open it in a web browser.
echo http://${GATEWAY_URL}/productpage
Monitoring
To deploy the monitoring tools in Istio, follow the steps below:
- Navigate to the Istio installation directory.
- Go to the following path where all monitoring YAML files are available:
Navigate to the Istio addons directory:
cd /root/istio-1.24.1/samples/addons/
Apply the monitoring addon YAML files:
kubectl apply -f .
Check the istio-system namespace and verify if all pods are running.
Access Istio Telemetry Addons Outside the Cluster
Istio telemetry addons can be accessed remotely using the following methods:
1. Access via Local Port Forwarding.
Set up a local proxy and access the addon service through localhost.
kubectl -n istio-system port-forward \
$(kubectl -n istio-system get pod -l app=kiali -o jsonpath='{.items[0].metadata.name}') \
20001:20001 &Access URL:
http://localhost:200012. Remote Secure Access via HTTPS
Telemetry addons can also be accessed remotely using a secure HTTPS setup.
Note: Refer to the official Istio documentation for configuring secure remote access to telemetry addons.
3. Create Kiali Secret Token for Secure UI Access
To enable secure access to the Kiali UI, create a service account token:
kubectl -n istio-system create token kiali-service-accountUse the generated token to log in to the Kiali dashboard.
Control plane and application migration with SWIFT
Follow the steps below to sync Control plane and application between SWIFT source and target clusters:
In this migration, Istio-related components will be moved from the source cluster to the target cluster using SWIFT. This includes both the control plane and application workloads running in Istio-managed namespaces.
1.Create Required Namespaces
Create the necessary namespaces on source cluster:
-istio-system – for Istio control plane components
-istio-app – for deployed application workloads
2. Verify istioctl installed on source cluster.
istioctl version
If its not installed , then install it using below command.
istioctl install --skip-confirmation
3. Discover both Clusters using SWIFT.
4. Sync Istio Control Plane (istio-system) Namespace
Sync the Istio control plane namespace using SWIFT with webhook configurations included.
Enable the sync-webhooks flag to ensure the following resources are also synchronized:
- MutatingWebhookConfiguration
- ValidatingWebhookConfiguration
During this process, SWIFT will operate in Passthrough Sync Mode.
Steps in SWIFT Dashboard:
5. Navigate to Sync Administration. Click on All Replication to initiate the sync process for the istio-system namespace.
6. Click on New, select Application Replication , and choose Passthrough Replication.
3. Choose the source and target cluster and select istio-system namespace since this is a control plane migration, Sync Webhook will be selected automatically. Make sure sync webhook is selected.
4. Once you click the Add button, the Istio replication process will start.
5.Wait for sync job complete. As shown below control plane replication is completed.
6. Now, proceed with identifying the application workloads to be migrated. Once the application is identified, begin the migration of the application workloads.
Navigate to All Replication > New, select Passthrough Sync, and then choose the source cluster and namespace where your actual application is running. Fill up the required information's and click on Add button to start the migration.
7. The migration process will start once you click the Add button.
8. Wait for the sync to completes. As shown below the application has been migrated successfully.
9. After sync complete, Validate at target side that if the MutatingWebhookConfiguration and ValidatingWebhookConfiguration have been migrated successfully.
10.Also verify if control plane has been migrated to the target side.
11. The application has been successfully replicated to the target cluster.
