Istio 1.5.2 istiod vs control plane

We are using Istio as ingress and service mesh; we also have sidecar injection in all pods.

NLB -> ingressgateway -> pods

With 1.5.2, we realised we don't need any other pod except for ingressgateway and istiod.

Sidecar injection is being done by istiod itself.
I am wondering in what scenario anyone would want to run control plane components in addition to istiod. Also, can someone please let me know how to increase the replica count for ingressgateway? I was able to figure it out for istiod:
istioctl manifest apply --set values.pilot.autoscaleMin=3 --set values.gateways.istio-ingressgateway.type=NodePort --set values.prometheus.hub=abc.com --set values.global.hub=abc.com

Hi @aadhik
For the replica count of istio-ingressgateway you would use this:

istioctl manifest apply --set profile=demo --set values.gateways.istio-ingressgateway.replicaCount=2

For control plane components see https://istio.io/docs/setup/additional-setup/config-profiles/; maybe this will help you.

Tried the above but it didn't work. I'm using istio-1.5.2. Later tried running the below, where /tmp/gate is the Istio operator definition of the gateway; changed the count there. It ran successfully:
istioctl manifest apply --set values.pilot.autoscaleMin=4 --set values.gateways.istio-ingressgateway.type=NodePort --set values.prometheus.hub=abc.com --set values.global.hub=abc.com -f /tmp/gate -f /tmp/pilot

The issue is:

As you see above, I used the --set directive as well as -f for the Istio operator. During upgrade, the Istio docs say:

istioctl upgrade -f <your-custom-configuration-file>
<your-custom-configuration-file> is the IstioOperator API Configuration file you used to customize the installation of the currently-running version of Istio.
istioctl upgrade does not support the --set flag. Therefore, if you installed Istio using the --set command, create a configuration file with the equivalent configuration options and pass it to the istioctl upgrade command using the -f flag instead.

Now if I generate the manifest of the command I ran above, which is a combination of -f and --set, the upgrade gives the error:

Error: failed to generate IOPS from file [/tmp/istio-release], error: could not overlay user config over base: json merge error (Invalid JSON Patch) for base object:

So I'm wondering whether Istio installation should only be done using either --set (Helm thingy) OR by changing the Istio operator API, as the combination seems to give an error. This is critical as it might halt future upgrades.
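The conversion the upgrade docs ask for (rewrite every --set flag as an IstioOperator file and pass only -f) can be done mechanically. The script below is an added example, not code from this thread or from the Istio project: it pulls the --set flags out of an `istioctl manifest apply` command line and emits the equivalent overlay, using the mapping istioctl documents (each --set path is a path under the IstioOperator `spec`, so `values.pilot.autoscaleMin=4` becomes `spec.values.pilot.autoscaleMin: 4` and `profile=demo` becomes `spec.profile: demo`). The sample command is the one from this thread plus the gateway replicaCount flag from the reply; the tiny YAML writer is written here to avoid a third-party dependency and handles nested maps of scalars only, not list paths.

```python
"""Turn the --set flags of an `istioctl manifest apply` command into an
IstioOperator overlay file, so the same customisation can be handed to
`istioctl upgrade -f`, which does not accept --set.

Added example, not from the thread or the Istio project. Mapping: every
--set path is a path under the IstioOperator `spec`. The YAML writer covers
nested maps of scalars only (no list paths such as ingressGateways[0]).
"""
import re
from typing import Any, Dict, List

# Constructed input: the command from the thread plus the replicaCount flag
# from the reply. The -f files are left alone and must still be passed to upgrade.
SAMPLE_COMMAND = (
    "istioctl manifest apply --set values.pilot.autoscaleMin=4 "
    "--set values.gateways.istio-ingressgateway.type=NodePort "
    "--set values.prometheus.hub=abc.com --set values.global.hub=abc.com "
    "--set=values.gateways.istio-ingressgateway.replicaCount=2 "
    "-f /tmp/gate -f /tmp/pilot"
)

def extract_set_flags(argv: List[str]) -> List[str]:
    """Collect KEY=VALUE strings given as `--set k=v` or `--set=k=v`; ignore everything else."""
    flags: List[str] = []
    i = 0
    while i < len(argv):
        if argv[i] == "--set":
            if i + 1 >= len(argv):
                raise ValueError("--set given without a KEY=VALUE argument")
            flags.append(argv[i + 1])
            i += 2
            continue
        if argv[i].startswith("--set="):
            flags.append(argv[i][len("--set="):])
        i += 1
    return flags

def coerce(raw: str) -> Any:
    """istioctl types bare integers and booleans; everything else stays a string."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw

def set_path(tree: Dict[str, Any], path: str, value: Any) -> None:
    """Assign value at a dotted path; refuse to turn a map into a scalar or vice versa."""
    keys = path.split(".")
    node = tree
    for key in keys[:-1]:
        child = node.setdefault(key, {})
        if not isinstance(child, dict):
            raise ValueError(f"{path}: '{key}' is already set to scalar {child!r}")
        node = child
    if isinstance(node.get(keys[-1]), dict):
        raise ValueError(f"{path}: '{keys[-1]}' already holds nested keys")
    node[keys[-1]] = value

def flags_to_iop(set_flags: List[str]) -> Dict[str, Any]:
    """Build the IstioOperator document; every --set path lands under spec."""
    spec: Dict[str, Any] = {}
    for flag in set_flags:
        key, sep, raw = flag.partition("=")
        if not sep or not key:
            raise ValueError(f"--set argument is not KEY=VALUE: {flag!r}")
        set_path(spec, key, coerce(raw))
    return {"apiVersion": "install.istio.io/v1alpha1", "kind": "IstioOperator", "spec": spec}

def _scalar(value: Any) -> str:
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    text = str(value)
    # Quote anything YAML could misread (colons, '#', yes/no, numbers as text).
    if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_./-]*", text) and text.lower() not in ("true", "false", "null", "yes", "no", "on", "off"):
        return text
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'

def to_yaml(obj: Dict[str, Any], indent: int = 0) -> str:
    """Emit a nested map of scalars as block-style YAML, two spaces per level."""
    pad = " " * indent
    lines: List[str] = []
    for key, value in obj.items():
        if isinstance(value, dict):
            if not value:
                lines.append(f"{pad}{key}: {{}}")
            else:
                lines.append(f"{pad}{key}:")
                lines.append(to_yaml(value, indent + 2))
        else:
            lines.append(f"{pad}{key}: {_scalar(value)}")
    return "\n".join(lines)

def convert(command: str) -> str:
    """Full pipeline: command line -> IstioOperator overlay YAML text."""
    return to_yaml(flags_to_iop(extract_set_flags(command.split()))) + "\n"

if __name__ == "__main__":
    # Save the output as e.g. overlay.yaml, then: istioctl upgrade -f overlay.yaml -f /tmp/gate -f /tmp/pilot
    print(convert(SAMPLE_COMMAND), end="")
```

Keep the generated overlay in git next to the -f files you already use, and pass all of them to `istioctl upgrade`; a path that is set both as a scalar and as a map (for example `values.pilot=x` together with `values.pilot.autoscaleMin=4`) is rejected up front rather than producing a file the operator will fail to merge.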

I tried this:

istioctl manifest apply --set profile=demo --set values.gateways.istio-ingressgateway.replicaCount=2

It works for me; it gives me 2 istio-ingressgateway pods. You should do

istioctl profile dump demo

to see the config of demo.

On upgrade I also have a problem, see https://discuss.istio.io/t/warnings-during-istio-upgrade-1-4-1-5/6083. I already posted on this but I'm still stuck here.

There probably is no wrong way, but I use config files as you can store them in git.

I have one general file that I use on all clusters, and then a cluster-specific file for each k8s cluster…

NOTES:

  • In this example, I disable the default ingress-gateway and deploy custom ones…
  • Always run more than one copy of istiod, ingress-gateway, egress-gateway, etc., as described in the docs, so you don't have outages when upgrading your Istio version.

Example Usage: istioctl manifest apply -f istioctl_general_values.yaml -f istioctl_specific_values.yaml

Example Files:

General File

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  creationTimestamp: null
spec:
  addonComponents:
    grafana:
      enabled: true
    istiocoredns:
      enabled: false
    kiali:
      enabled: true
    prometheus:
      enabled: true
  components:
    citadel:
      enabled: true
    egressGateways:
    - enabled: true
      name: istio-egressgateway
      k8s:
        hpaSpec:
          maxReplicas: 5
          minReplicas: 2
    galley:
      enabled: true
      k8s:
        replicaCount: 2
    ingressGateways:
    - enabled: false
      name: istio-ingressgateway
    nodeAgent:
      enabled: false
    pilot:
      enabled: true
      k8s:
        hpaSpec:
          maxReplicas: 5
          minReplicas: 2
    policy:
      enabled: true
      k8s:
        hpaSpec:
          maxReplicas: 5
          minReplicas: 2
    sidecarInjector:
      enabled: true
      k8s:
        replicaCount: 2
    telemetry:
      enabled: false
  meshConfig:
    rootNamespace: istio-system
  values:
    certmanager:
      enabled: false
    gateways:
      istio-egressgateway:
        type: ClusterIP
    global:
      outboundTrafficPolicy:
        mode: ALLOW_ANY
      proxy:
        autoInject: disabled
    prometheus:
      enabled: true
    grafana:
      enabled: true
      service:
        externalPort: 3000
    istio_cni:
      enabled: false
    kiali:
      enabled: true
      createDemoSecret: false
      dashboard:
        grafanaURL: http://grafana:3000
        jaegerURL: http://jaeger-query:16686
    pilot:
      traceSampling: 1
    sidecarInjectorWebhook:
      rewriteAppHTTPProbe: true
    tracing:
      enabled: true

Cluster-Specific File:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  creationTimestamp: null
spec:
  components:
    pilot:
      enabled: true
      k8s:
        # use more than  1 copy in production
        hpaSpec:
          maxReplicas: 8
          minReplicas: 2
    ingressGateways:
#      enabled: true
    - name: istio-ingressgateway
      enabled: false
    - name: prodpos-ingressgateway
      namespace: prodpos
      enabled: true
      k8s:
        env:
          - name: ISTIO_META_ROUTER_MODE
            value: sni-dnat
        hpaSpec:
          maxReplicas: 5
          minReplicas: 2
          metrics:
            - resource:
                name: cpu
                targetAverageUtilization: 80
              type: Resource
          scaleTargetRef:
            apiVersion: apps/v1
            kind: Deployment
            name: prodpos-ingressgateway
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 128Mi
        service:
          ports:
            - name: status-port
              port: 15020
              targetPort: 15020
            - name: http2
              port: 80
              targetPort: 80
            - name: https
              port: 443
            - name: kiali
              port: 15029
              targetPort: 15029
            - name: prometheus
              port: 15030
              targetPort: 15030
            - name: grafana
              port: 15031
              targetPort: 15031
            - name: tracing
              port: 15032
              targetPort: 15032
            - name: tls
              port: 15443
              targetPort: 15443
            - name: tcp
              port: 31400
        strategy:
          rollingUpdate:
            maxSurge: 100%
            maxUnavailable: 25%
    - name: prodweb-ingressgateway
      namespace: prodweb
      enabled: true
      k8s:
        env:
          - name: ISTIO_META_ROUTER_MODE
            value: sni-dnat
        hpaSpec:
          maxReplicas: 5
          minReplicas: 1
          metrics:
            - resource:
                name: cpu
                targetAverageUtilization: 80
              type: Resource
          scaleTargetRef:
            apiVersion: apps/v1
            kind: Deployment
            name: prodweb-ingressgateway
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 128Mi
        service:
          ports:
            - name: status-port
              port: 15020
              targetPort: 15020
            - name: http2
              port: 80
              targetPort: 80
            - name: https
              port: 443
            - name: kiali
              port: 15029
              targetPort: 15029
            - name: prometheus
              port: 15030
              targetPort: 15030
            - name: grafana
              port: 15031
              targetPort: 15031
            - name: tracing
              port: 15032
              targetPort: 15032
            - name: tls
              port: 15443
              targetPort: 15443
            - name: tcp
              port: 31400
        strategy:
          rollingUpdate:
            maxSurge: 100%
            maxUnavailable: 25%
  values:
    global:
      outboundTrafficPolicy:
        mode: REGISTRY_ONLY
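Two things in the files above are worth checking mechanically before every apply: that each enabled component and gateway guarantees at least two replicas (the note above on avoiding upgrade outages), and that the cluster-specific overlay really ends up with `outboundTrafficPolicy.mode: REGISTRY_ONLY` rather than the general file's `ALLOW_ANY`, since ALLOW_ANY lets sidecars reach any external host. The lint below is an added example, not code from this thread or from Istio. It takes the IstioOperator spec as a plain dict, which is what a YAML parser returns; `SAMPLE_SPEC` is constructed for the example and modelled on the files in this post, so the lint's findings are about that sample, not about any particular cluster.

```python
"""Lint an IstioOperator spec for two operational points: every enabled
component/gateway should have a replica floor of at least two, and
outboundTrafficPolicy should be REGISTRY_ONLY if unregistered egress is meant
to be blocked. Added example, not code from the thread or from Istio.
"""
from typing import Any, Dict, List, Optional, Tuple

SCALAR_COMPONENTS = ("pilot", "galley", "citadel", "policy", "telemetry", "sidecarInjector", "nodeAgent")
LIST_COMPONENTS = ("ingressGateways", "egressGateways")
Finding = Tuple[str, Optional[int]]  # (component label, guaranteed replica floor, None if unset)

# Constructed sample, modelled on the general + cluster-specific files above.
SAMPLE_SPEC: Dict[str, Any] = {
    "components": {
        "pilot": {"enabled": True, "k8s": {"hpaSpec": {"minReplicas": 2, "maxReplicas": 8}}},
        "galley": {"enabled": True, "k8s": {"replicaCount": 2}},
        "citadel": {"enabled": True},            # enabled, but no k8s section: floor unknown
        "telemetry": {"enabled": False},         # disabled components are not checked
        "ingressGateways": [
            {"name": "istio-ingressgateway", "enabled": False},
            {"name": "prodpos-ingressgateway", "namespace": "prodpos", "enabled": True,
             "k8s": {"hpaSpec": {"minReplicas": 2, "maxReplicas": 5}}},
            {"name": "prodweb-ingressgateway", "namespace": "prodweb", "enabled": True,
             "k8s": {"hpaSpec": {"minReplicas": 1, "maxReplicas": 5}}},
        ],
        "egressGateways": [
            {"name": "istio-egressgateway", "enabled": True,
             "k8s": {"hpaSpec": {"minReplicas": 2, "maxReplicas": 5}}},
        ],
    },
    "values": {"global": {"outboundTrafficPolicy": {"mode": "ALLOW_ANY"}}},
}

def replica_floor(k8s: Dict[str, Any]) -> Optional[int]:
    """Lowest replica count the k8s overrides guarantee; HPA minReplicas wins over replicaCount."""
    hpa = k8s.get("hpaSpec") or {}
    if "minReplicas" in hpa:
        return int(hpa["minReplicas"])
    if "replicaCount" in k8s:
        return int(k8s["replicaCount"])
    return None

def lint_ha(spec: Dict[str, Any], min_replicas: int = 2) -> List[Finding]:
    """Report enabled components whose replica floor is unset or below min_replicas."""
    components = spec.get("components") or {}
    findings: List[Finding] = []
    for name in SCALAR_COMPONENTS:
        comp = components.get(name)
        if not comp or not comp.get("enabled", False):
            continue
        floor = replica_floor(comp.get("k8s") or {})
        if floor is None or floor < min_replicas:
            findings.append((name, floor))
    for kind in LIST_COMPONENTS:
        for gw in components.get(kind) or []:
            if not gw.get("enabled", False):
                continue
            label = f"{kind}/{gw.get('name', '?')}"
            if gw.get("namespace"):
                label += f" ({gw['namespace']})"
            floor = replica_floor(gw.get("k8s") or {})
            if floor is None or floor < min_replicas:
                findings.append((label, floor))
    return findings

def lint_egress(spec: Dict[str, Any]) -> List[str]:
    """Flag a mesh whose sidecars may reach any external host."""
    policy = ((spec.get("values") or {}).get("global") or {}).get("outboundTrafficPolicy") or {}
    mode = policy.get("mode")
    if mode is None:
        return ["outboundTrafficPolicy.mode not set (Istio's default is ALLOW_ANY)"]
    if mode != "REGISTRY_ONLY":
        return [f"outboundTrafficPolicy.mode is {mode}; REGISTRY_ONLY blocks egress to hosts not in the registry"]
    return []

if __name__ == "__main__":
    for label, floor in lint_ha(SAMPLE_SPEC):
        detail = "replicas unspecified" if floor is None else f"floor is {floor} replica(s)"
        print(f"HA: {label}: {detail}")
    for msg in lint_egress(SAMPLE_SPEC):
        print(f"EGRESS: {msg}")
```

Run it against the merged result of all the -f files you pass to `istioctl manifest apply` (the later file wins, which is how the cluster-specific overlay turns ALLOW_ANY into REGISTRY_ONLY); a component that is enabled but carries no `k8s` section is reported as unspecified rather than assumed safe.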