Consul
This guide will walk you through setting up istio-registry-sync integration with Consul.
Prerequisites
Before you begin, you will need the following:
- A Kubernetes cluster with Istio installed. If you do not have a cluster with TIS Istio installed, you can follow the Installing TIS Guide.
- You must enable DNS proxy in Istio. If you use Helm, you can do this with the following Istio Helm values.yaml:
meshConfig:
  defaultConfig:
    proxyMetadata:
      ISTIO_META_DNS_CAPTURE: "true"
      ISTIO_META_DNS_AUTO_ALLOCATE: "true"
Then install or update Istio with the following command:
helm upgrade --install istiod tetratelabs/istiod -n istio-system -f values.yaml
- kubectl and helm are installed and configured with the correct credentials.
Integration Steps
The following steps set up istio-registry-sync integration with Consul.
You can skip the first two steps if you already have Consul installed and it has registered services. Note that your Kubernetes cluster must be able to reach the service endpoints that are registered in Consul.
Before continuing, set up some environment variables:
export CONSUL_NS=consul
export SLEEP_NS=sleep
export TIS_NS=tis
1. Install Consul
The following Consul installation is for demo purposes only. Please refer to the Consul documentation for a production installation.
Run the following commands to install Consul in the Kubernetes cluster. It is assumed that Consul is installed in the same cluster as Istio.
kubectl create ns $CONSUL_NS
kubectl run consul -n $CONSUL_NS --image consul:1.15.4
kubectl wait --for=condition=Ready pod/consul -n $CONSUL_NS --timeout=120s
CONSUL_ENDPOINT=http://$(kubectl get pod -n $CONSUL_NS consul --template '{{.status.podIP}}'):8500
2. Register Services
Deploy a sample nginx service on Kubernetes and register it with Consul.
kubectl run -n $CONSUL_NS nginx --image=nginx:1.24
kubectl wait --for=condition=Ready pod/nginx -n $CONSUL_NS --timeout=120s
NGINX_IP=$(kubectl get pod -n $CONSUL_NS nginx --template '{{.status.podIP}}')
kubectl exec -n $CONSUL_NS -it consul -- consul services register -name=nginx.example.com -address=$NGINX_IP -port=80
Check that the service has been registered:
kubectl exec -n $CONSUL_NS -it consul -- curl http://127.0.0.1:8500/v1/catalog/service/nginx.example.com
3. Obtain Consul Token
If resources in the Consul registry are secured with ACLs, a token is required to access them. For more information about Consul ACLs and how to create a token, refer to the official documentation.
If Consul is not secured with ACLs then you can skip this step.
4. Install Istio Registry Sync
Create the following values.yaml file with the correct values for your environment. Note that it uses the credentials to pull images that you created before.
- Without Token
cat <<EOF > values.yaml
consul:
  endpoint: $CONSUL_ENDPOINT
publishNamespace: $SLEEP_NS
imagePullSecrets:
- name: tetrate-addons-creds
EOF
- With Token
If Consul is secured with ACLs, provide a token to access resources in the Consul registry.
export CONSUL_TOKEN=<consul-token>
cat <<EOF > values.yaml
consul:
  endpoint: $CONSUL_ENDPOINT
  token: $CONSUL_TOKEN
publishNamespace: $SLEEP_NS
imagePullSecrets:
- name: tetrate-addons-creds
EOF
Run the following command to deploy istio-registry-sync to your cluster using Helm:
helm upgrade --install istio-registry-sync tis-addons/istio-registry-sync \
--namespace $TIS_NS --create-namespace \
-f values.yaml
Make sure the istio-registry-sync pod is running:
kubectl get pods -n $TIS_NS
NAME                                   READY   STATUS    RESTARTS   AGE
istio-registry-sync-64f77bdb77-l9hrb   1/1     Running   0          1m
If everything is set up correctly, you should see the following output:
kubectl get serviceentry -n $SLEEP_NS
NAME                       HOSTS                   LOCATION   RESOLUTION   AGE
consul-consul              ["consul"]                         STATIC       1m
consul-nginx.example.com   ["nginx.example.com"]              STATIC       1m
This means that istio-registry-sync has successfully synced the service registered with Consul to Istio ServiceEntry.
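To check the sync result programmatically rather than by reading the table, the following added example (not part of the original guide or of istio-registry-sync itself) compares Consul catalog data with the synced ServiceEntry objects and reports services that were not synced, entries left behind for services no longer in Consul, and endpoint addresses that Consul does not list. The consul- name prefix is inferred from the output above; the spec.endpoints layout and all sample data are assumptions constructed for illustration.

```python
import json

PREFIX = "consul-"  # assumption: naming inferred from the kubectl output in this guide

# Constructed sample: GET /v1/catalog/service/<name> results, keyed by service name.
CATALOG = {
    "nginx.example.com": [
        {"Address": "10.0.0.5", "ServiceAddress": "10.0.1.7", "ServicePort": 80}],
    "billing.example.com": [
        {"Address": "10.0.0.6", "ServiceAddress": "", "ServicePort": 8080}],
}

# Constructed sample: trimmed `kubectl get serviceentry -n $SLEEP_NS -o json`.
SERVICE_ENTRIES = json.loads("""
{"items": [
  {"metadata": {"name": "consul-nginx.example.com"},
   "spec": {"hosts": ["nginx.example.com"], "resolution": "STATIC",
            "endpoints": [{"address": "10.0.1.99"}]}},
  {"metadata": {"name": "consul-old.example.com"},
   "spec": {"hosts": ["old.example.com"], "resolution": "STATIC",
            "endpoints": [{"address": "10.0.1.8"}]}}
]}
""")


def catalog_addresses(instances):
    """Consul falls back to the node Address when ServiceAddress is empty."""
    return {i.get("ServiceAddress") or i["Address"] for i in instances}


def audit(catalog, se_list, prefix=PREFIX):
    """Return where the Consul catalog and the synced ServiceEntries disagree."""
    synced = {item["metadata"]["name"][len(prefix):]: item.get("spec", {})
              for item in se_list.get("items", [])
              if item["metadata"]["name"].startswith(prefix)}
    report = {"missing": sorted(set(catalog) - set(synced)),  # in Consul, not synced
              "stale": sorted(set(synced) - set(catalog)),    # synced, gone from Consul
              "host_mismatch": [], "endpoint_drift": {}}
    for svc in sorted(set(catalog) & set(synced)):
        spec = synced[svc]
        if spec.get("hosts") != [svc]:
            report["host_mismatch"].append(svc)
        mesh = {e["address"] for e in spec.get("endpoints") or [] if "address" in e}
        extra = mesh - catalog_addresses(catalog[svc])  # addresses Consul does not list
        if extra:
            report["endpoint_drift"][svc] = sorted(extra)
    return report


if __name__ == "__main__":
    print(json.dumps(audit(CATALOG, SERVICE_ENTRIES), indent=2))
```

A stale entry or a drifted endpoint means mesh traffic for that host still goes to an address Consul no longer vouches for, so either finding is worth investigating before relying on the ServiceEntry.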
5. Verify Istio Registry Sync
Install the sleep sample app and verify that it can reach the nginx service that is registered in Consul.
kubectl create ns $SLEEP_NS
kubectl label namespace $SLEEP_NS istio-injection=enabled
kubectl apply -n $SLEEP_NS -f https://raw.githubusercontent.com/istio/istio/master/samples/sleep/sleep.yaml
The request to nginx.example.com should be successful:
kubectl exec -n $SLEEP_NS -it deploy/sleep -- curl nginx.example.com
Cleanup
# Delete istio-registry-sync
helm delete -n $TIS_NS istio-registry-sync
# Delete Consul
kubectl delete pod -n $CONSUL_NS consul
kubectl delete pod -n $CONSUL_NS nginx
kubectl delete ns $CONSUL_NS
# Remove sleep app
kubectl delete -n $SLEEP_NS -f https://raw.githubusercontent.com/istio/istio/master/samples/sleep/sleep.yaml
kubectl delete ns $SLEEP_NS