| 1 | +--- |
| 2 | +title: Deploying Service Mesh (Beta) |
| 3 | +owner: Routing |
| 4 | +--- |
| 5 | + |
| 6 | +This topic describes how to deploy service mesh for Cloud Foundry. Following this procedure deploys an new routing plane consisting of three VMs. This routing plane runs in parallel to the existing HTTP and TCP routers. For more information, see [Service Mesh (Beta)](../adminguide/service-mesh.html). |
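Review bot: Typo in the opening paragraph, "deploys an new routing plane" should read "deploys a new routing plane".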
| 7 | + |
| 8 | +This routing plane provides additional features, such as the ability to configure routing weights for apps. For more information, see [Using Weighted Routing (Beta)](../devguide/weighted-routing.html). |
| 9 | + |
| 10 | +## <a id="prereq"></a> Prerequisite |
| 11 | + |
| 12 | +This procedure requires that you have deployed Cloud Foundry using cf-deployment. |
| 13 | + |
| 14 | +## <a id="deploy"></a> Deploy Cloud Foundry with the Istio Ops File |
| 15 | + |
| 16 | +Follow the steps below to deploy Cloud Foundry with service mesh. |
| 17 | + |
| 18 | +1. Clone the `istio-release` repository: |
| 19 | + |
| 20 | + ``` |
| 21 | + git clone https://github.com/cloudfoundry-incubator/istio-release |
| 22 | + ``` |
| 23 | + |
| 24 | +1. In the istio-release repository, run the following command: |
| 25 | + |
| 26 | + ``` |
| 27 | + ./scripts/update |
| 28 | + ``` |
| 29 | + |
| 30 | +1. (Optional) To use a domain other than `istio.CF-APPS-DOMAIN` for Istio routes, modify the `temporary_istio_domains` property in the ops file `deploy/cf-deployment-operations/add-istio.yml`. |
| 31 | + |
| 32 | +1. (Optional) To enable TLS termination at the Istio router, add a `frontend_tls_keypairs` property to the `copilot` job in the ops file `deploy/cf-deployment-operations/add-istio.yml`. This step is strongly recommended for security. |
| 33 | + |
| 34 | + ``` |
| 35 | + frontend_tls_keypairs: |
| 36 | + - cert_chain: | |
| 37 | + -----BEGIN CERTIFICATE----- |
| 38 | + YOUR-CERTIFICATE |
| 39 | + -----END CERTIFICATE----- |
| 40 | + - private_key: | |
| 41 | + -----BEGIN RSA PRIVATE KEY----- |
| 42 | + YOUR-PRIVATE-KEY |
| 43 | + -----END RSA PRIVATE KEY----- |
| 44 | + ``` |
| 45 | + |
| 46 | + Where: |
| 47 | + * `YOUR-CERTIFICATE` is your TLS certificate. |
| 48 | + * `YOUR-PRIVATE-KEY` is the private key pair to your TLS certificate. |
| 49 | + |
| 50 | + During deploy, the routing plane integrates the certificates with any Istio routes. All routes created using the Istio routing plane then use TLS. |
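Review bot: The `frontend_tls_keypairs` example lists `cert_chain` and `private_key` as two separate list items (each begins with `- `), so they parse as two unrelated entries rather than one keypair; drop the leading dash on `private_key` and indent it under the same item as `cert_chain`, i.e. `- cert_chain: |` followed by `  private_key: |`. In the "Where" list, "the private key pair to your TLS certificate" should read "the private key corresponding to your TLS certificate". Since this ops file is a tracked file inside the cloned release, consider telling the reader to reference the key through a BOSH variable such as `((istio-frontend-tls.private_key))` supplied from a vars file or CredHub rather than pasting the PEM into the repository.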
| 51 | + |
| 52 | +1. Create and upload the Istio release with BOSH: |
| 53 | + |
| 54 | + ``` |
| 55 | + bosh create-release && bosh upload-release |
| 56 | + ``` |
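Review bot: The `bosh create-release && bosh upload-release` step runs right after the previous steps edit `deploy/cf-deployment-operations/add-istio.yml` inside the clone, and `bosh create-release` refuses to build from a working tree with uncommitted changes unless `--force` is given; either state that, or have the reader copy the ops file out of the repository before editing it, which also keeps the TLS private key out of the checked-out release. Both this step and `./scripts/update` also assume the shell is at the repository root, so a `cd istio-release` after the clone step would make that explicit.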
| 57 | + |
| 58 | +1. Deploy your cf-deployment with the Istio ops file: |
| 59 | + ``` |
| 60 | + bosh -e my-env -d cf deploy cf.yml -v deployment-vars.yml \ |
| 61 | + -o deploy/cf-deployment-operations/add-istio.yml |
| 62 | + ``` |
| 63 | + |
| 64 | + <p class="note"><strong>Note</strong>: The above <code>bosh deploy</code> command is an example, but your deployment command should match the one you used to deploy CF initially, with the addition of a <code>-o add-istio.yml</code> option.</p> |
| 65 | + |
| 66 | +1. Once you deploy with the ops file, you can run `bosh vms` to see the new VMs in your deployment: `istio-router`, `istio-control`, and `cc-route-syncer`. |
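Review bot: In the example deploy command, `-v deployment-vars.yml` is wrong for the BOSH CLI v2: `-v` is `--var NAME=VALUE`, while a variables file is passed with `-l`/`--vars-file`, so the line should read `bosh -e my-env -d cf deploy cf.yml -l deployment-vars.yml \`. The note below the command refers to `-o add-istio.yml` while the command uses `-o deploy/cf-deployment-operations/add-istio.yml`; use the full path in both places.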
| 67 | + |
| 68 | +## <a id="deploy"></a> Configure Load Balancing |
| 69 | + |
| 70 | +Once you have deployed a Cloud Foundry with service mesh, you must set up a new load balancer to communicate with the Istio routers. To configure load balancing, follow the procedure below that corresponds to your use case. |
| 71 | + |
| 72 | +### <a id="deploy"></a> Configure with bbl |
| 73 | + |
| 74 | +If you deployed CF on GCP using `bbl`, you can use a custom `bbl-config` to set up load balancers that point to the Istio routers. Use the following file from the istio-release repository https://github.com/cloudfoundry/istio-release/tree/master/deploy/bbl-config to re-run `bbl up` on your BOSH director. |
| 75 | + |
| 76 | +### <a id="deploy"></a> Configure Manually |
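Review bot: The headings "Configure Load Balancing", "Configure with bbl" and "Configure Manually" all reuse `<a id="deploy">`, which is already taken by the "Deploy Cloud Foundry with the Istio Ops File" heading, so in-page links to any of them resolve to the first one; give each a unique id (for example `lb`, `bbl`, `manual`). In the bbl paragraph, the GitHub URL points at `cloudfoundry/istio-release` while the clone step uses `cloudfoundry-incubator/istio-release`, `deploy/bbl-config` is a directory rather than "the following file", and the bare URL should be a markdown link like the other references on the page.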
| 77 | + |
| 78 | +Configure your load balancer as follows. The exact procedure varies by IaaS. |
| 79 | + |
| 80 | +1. Create a load balancer with a static IP. |
| 81 | +1. Configure the backends of the load balancer to be the `istio-router` VMs. You can retrieve the IPs of the router VMs by running `bosh vms`. |
| 82 | +1. Configure the health check to be port `8002` and path `/healthcheck`. |
| 83 | +1. Add firewall rules for the load balancer to allow HTTP port `80`, TLS on `443`, and HTTP on `8002` for the healthcheck. |
| 84 | +1. Create a new DNS name that resolves to the IP of the load balancer. By default this must be `*.istio.CF-APPS-DOMAIN`. If you modified the `temporary_istio_domains` field in the ops file, use the domain you specified. |
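Review bot: The firewall step is ambiguous about direction and too broad on 8002: the rules need to allow traffic from the load balancer to the `istio-router` VMs on ports 80 and 443, and the unauthenticated `/healthcheck` endpoint on 8002 should be reachable only from the load balancer's health-check source ranges, not from arbitrary clients. Suggest rewording to "Add firewall rules that allow the load balancer to reach the `istio-router` VMs on port `80` (HTTP) and `443` (TLS), and restrict port `8002` to the load balancer's health check source addresses."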
| 85 | + |
| 86 | +## <a id="domain"></a> Create a Domain |
| 87 | + |
| 88 | +You must create a new domain dedicated to service mesh. Routes pushed to this domain are handled by the Istio router, and can take advantage of service mesh features like weighted routing. |
| 89 | + |
| 90 | +Using the CF CLI, create a new apps domain that matches the DNS name created when configuring load balancing. For example: |
| 91 | + |
| 92 | +``` |
| 93 | +cf create-shared-domain istio.YOUR-APPS-DOMAIN.com |
| 94 | +``` |
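Review bot: The placeholder in the final example, `istio.YOUR-APPS-DOMAIN.com`, does not match the `istio.CF-APPS-DOMAIN` placeholder used in the ops-file and DNS steps; use one form throughout (for example `cf create-shared-domain istio.CF-APPS-DOMAIN`). It is also worth stating that `cf create-shared-domain` requires CF admin privileges, since a space developer following this page will not be able to run it.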
| 95 | + |
| 96 | + |
| 97 | + |