Skip to main content
logoTetrate Istio Subscription PlusVersion: Latest

Post Installation Actions

After successfully installing TIS Plus, follow these post-installation actions to optimal configuration and functionality.

Update Istio MeshConfig

info

This is required if you choose not to enable TIS Plus to automatically configure TIS Plus EnvoyFilter in proxies at installation. You then need to manually update the MeshConfig so proxies will send access logs and traces data to TIS Plus control plane.

Following is example of Istio MeshConfig Helm values where proxy will send access logs and traces to TIS Plus.

warning

Make sure to merge TIS Plus MeshConfig with your existing one properly line by line.

cat <<EOF > cluster-1-telemetry.yaml
global:
  meshID: mesh1
  multiCluster:
    clusterName: Kubernetes
  network: ""
meshConfig:
  defaultConfig:
    envoyMetricsService:
      address: "oap.tis-plus-system.svc:11800"
      tlsSettings:
        mode: DISABLE
      tcpKeepalive:
        probes: 3
        time: 10s
        interval: 10s
    tracing:
      sampling: 1
      zipkin:
        address: "zipkin.tis-plus-system.svc.cluster.local:9411"
  defaultProviders:
    tracing:
      - tetrate-oap
    accessLogging:
      - envoy
      - tetrate-http-oap-als
      - tetrate-tcp-oap-als
  extensionProviders:
    - name: tetrate-oap
      zipkin:
        service: zipkin.tis-plus-system.svc.cluster.local
        port: 9411
    - name: tetrate-http-oap-als
      envoyHttpAls:
        service: oap.tis-plus-system.svc.cluster.local
        port: 11800
    - name: tetrate-tcp-oap-als
      envoyTcpAls:
        service: oap.tis-plus-system.svc.cluster.local
        port: 11800
  enableTracing: true
  accessLogFile: /dev/stdout
  enableEnvoyAccessLogService: true
pilot:
  env:
    PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION: true
    PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKS: true
EOF

Then update your Istio installation with new Helm values.

Multi endpoints tracing

There can only one active tracing endpoints in Istio. If you already use other tracing solutions you need to replace it with TIS Plus or enable multi endpoints tracing using otel-collector.

Check Discovery Selector Field

info

This is required so Istiod will propagate access logs and tracing configurations to all proxies.

Verify the discovery selector field in the existing Istiod:

kubectl get istiooperator -n istio-system -o jsonpath='{.items[0].spec.meshConfig.discoverySelectors}'

If necessary, label the tis-plus-system namespace:

kubectl label namespace tis-plus-system istio-discovery=enabled

Create a Telemetry Object

info

This is OPTIONAL if you want to control the sampling percentage granularly for the providers that are defined in the meshConfig above. The EnvoyFilter that TIS Plus created configures the sink and sets the random sampling percentage to 1% by default.

The Telemetry object will not be able to override the default sampling percentage if the provider is not specified in the meshConfig. Istio has a limitation that requires a provider to be configured before the telemetry object will take effect.

If you want to configure a custom sampling percentage, you will have edit the Istio meshConfig and add the providers. By default, Tetrate OAP is set as the provider with 1% sampling.

As an example, to set the randomSamplingPercentage to 25% on the tetrate-oap provider, the following can be used.

Create a telemetry object in Istio's root namespace to configure random sampling for the mesh

cat <<EOF > cluster-1-telemetry.yaml
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: otel-demo
  namespace: istio-system
spec:
  tracing:
  - providers:
    - name: tetrate-oap
    randomSamplingPercentage: 25
EOF

Apply the Telemetry setting:

kubectl -n istio-system -f cluster-1-telemetry.yaml
Trace Sampling Percentage
  • We enforce specific maximum values for sampling percentage. Please consult the documentation for allowed values.
  • When set to 1%, it samples 1% of total traffic, irrespective of error codes. For example, out of 100 errors, it will pick only one error (e.g., 5xx code).

Troubleshooting

If you encounter issues during the post-installation actions, try the following troubleshooting steps:

  1. Telemetry Object Not Applied

    Verify that the telemetry object was created successfully:

    kubectl get telemetry -n istio-system

    If not present, check for any error messages when applying the YAML file.

  2. MeshConfig Not Updated

    Confirm that the MeshConfig was updated correctly:

    kubectl get configmap istio -n istio-system -o yaml

    Look for the changes you applied in the output.

  3. Discovery Selector Issues

    If Istiod is not propagating configurations, double-check the label on the tis-plus-system namespace:

    kubectl get namespace tis-plus-system --show-labels

  4. Tracing or Access Logging Not Working

    Verify that the Envoy proxies have the correct configuration:

    istioctl proxy-config bootstrap <pod-name>.<namespace>

    Look for the tracing and access logging configurations in the output.

If you continue to experience issues after trying these troubleshooting steps, please consult the TIS Plus documentation or contact Tetrate support for further assistance.

Next Steps

By completing these post-installation actions, you ensure that your TIS Plus installation is properly configured and ready for use. If you encounter any issues or have questions, please consult the TIS Plus documentation or contact Tetrate support.