Configuring VMware Tanzu Service Mesh by VMware NSX (Beta)


This topic describes how to integrate VMware Enterprise PKS with VMware Tanzu Service Mesh by VMware NSX.

Tanzu Service Mesh brings application-layer visibility, control, and security to microservices deployed on VMware Enterprise PKS-managed Kubernetes clusters.

About VMware Tanzu Service Mesh by VMware NSX

VMware Tanzu Service Mesh provides a service mesh solution for Kubernetes based on the NSX platform. Tanzu Service Mesh gives Kubernetes cluster users API-level visibility, control, and security over their clusters’ services, data, and users.

In a Kubernetes cluster, Tanzu Service Mesh runs as a pod and is deployed using a YAML file.

For more information, see NSX Service Mesh on VMware Tanzu: CONNECT & PROTECT Applications Across Your Kubernetes Clusters and Clouds in the VMware Network Virtualization blog.

Prerequisites

These instructions assume that:

  • You have deployed VMware Enterprise PKS v1.7.0 or later.

  • You have provisioned a target Kubernetes cluster for Tanzu Service Mesh.

  • You have an account with VMware Cloud Services. If you do not already have an account, register as follows:

    1. Contact your VMware sales representative, or send an email to driggs@vmware.com.
    2. Complete the registration process by following the emails you receive.

Install VMware Tanzu Service Mesh in a Cluster

Install VMware Tanzu Service Mesh in a cluster as follows:

  1. Add the Tanzu Service Mesh Service
  2. Onboard a Kubernetes Cluster to Tanzu Service Mesh
  3. Install and Configure Istio

Add the Tanzu Service Mesh Service

  1. Log in to the VMware Cloud Services console.

  2. Select your organization or create a new one.

  3. Select the Tanzu Service Mesh service offering and add your account to the service.

Onboard a Kubernetes Cluster to Tanzu Service Mesh

Complete the following steps to install Tanzu Service Mesh onto a PKS-provisioned Kubernetes cluster.

  1. Sign in to the VMware Tanzu Service Mesh by VMware NSX console.

  2. At upper-left, click ADD NEW… > Onboard New Cluster….

  3. At the Onboard Clusters screen, enter a name for Tanzu Service Mesh to use to identify the target cluster.

    • It is recommended that you use the name the cluster has in PKS, but it can be a different name.
    • The cluster name must be unique within Tanzu Service Mesh.

  4. Click GENERATE SECURITY TOKEN.

  5. From the Onboard Clusters pane, click the copy icon to copy the kubectl apply command that applies the registration YAML file to the cluster.

  6. Point kubectl at your PKS-provisioned Kubernetes cluster, for example by running pks get-credentials CLUSTER-NAME.

  7. Apply the registration YAML to the cluster by running the kubectl apply command you copied. For example:

     kubectl apply -f https://prod-1.servicemesh.biz/cluster-registration/k8s/v0.8.5/k8s-registration.yaml

  8. From the Onboard Clusters pane, click the copy icon to copy the kubectl create secret command. It stores the security token that the cluster uses to authenticate its connection to Tanzu Service Mesh.

  9. From your cluster, run the kubectl create secret command you copied. For example:

     kubectl -n allspark create secret generic cluster-token --from-literal=token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.xxxxxxxxxxxx

     The token is a bearer credential for the cluster: treat it like a password, and do not paste the command into scripts, tickets, or version control.

  10. Click the green INSTALL NSX SERVICE MESH button to install Tanzu Service Mesh on the cluster.

  11. The registration YAML deploys a pod that runs the Tanzu Service Mesh agent to the target Kubernetes cluster. Wait for the agent to register with the console.

    • If the target cluster is not discovered, click EXIT AND RELOAD and try again.
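The following script is an added example, not VMware's code or part of the Tanzu Service Mesh onboarding tooling. It checks the security token from step 4 before it is handed to kubectl (a three-part JWT whose "exp" claim, if present, is still in the future) and builds the cluster-token Secret from step 9 as a manifest to pipe into kubectl apply -f -, so the token never appears on a command line or in shell history. It assumes GNU or BSD base64 and date, the allspark namespace shown on this page, and a constructed sample token with made-up claims and a fake signature; it only inspects claims and does not verify the signature, which is the Tanzu Service Mesh service's job.

```shell
#!/bin/sh
# Added example (not VMware's code): vet a Tanzu Service Mesh cluster token
# and create the cluster-token Secret from stdin instead of --from-literal.
# Assumptions: base64/date from coreutils or BSD; namespace "allspark".

# base64url-encode its argument (used only to build the sample token below).
b64url() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

# Decode segment N (1=header, 2=payload, 3=signature) of a JWT.
jwt_segment() {
  seg=$(printf '%s' "$1" | cut -d. -f"$2" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Succeeds only for a three-segment token in the base64url alphabet.
jwt_is_wellformed() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Prints the numeric "exp" claim from the payload, or nothing if absent.
jwt_exp() {
  printf '%s\n' "$(jwt_segment "$1" 2)" \
    | sed -n 's/.*"exp":[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Returns 0 if the token is well formed and not expired. Claims only:
# the signature is NOT verified here.
check_cluster_token() {
  tok=$1
  jwt_is_wellformed "$tok" || { echo "token is not a three-part JWT" >&2; return 1; }
  exp=$(jwt_exp "$tok")
  now=$(date +%s)
  if [ -n "$exp" ] && [ "$exp" -le "$now" ]; then
    echo "token expired at $exp (now $now); generate a new one in the console" >&2
    return 1
  fi
  return 0
}

# Emits a Secret manifest equivalent to
#   kubectl -n NAMESPACE create secret generic cluster-token --from-literal=token=TOKEN
# so the token can be piped to "kubectl apply -f -" rather than passed in argv.
cluster_token_manifest() {
  ns=$1
  tok=$2
  b64=$(printf '%s' "$tok" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cluster-token
  namespace: $ns
type: Opaque
data:
  token: $b64
EOF
}

# Constructed sample token: same RS256 header as the page's example, made-up
# claims, and a placeholder signature. Not a real Tanzu Service Mesh token.
SAMPLE_TOKEN="$(b64url '{"alg":"RS256","typ":"JWT"}').$(b64url '{"sub":"cluster","exp":4102444800}').notarealsignature"

# Usage against a real cluster (not executed here):
#   TOKEN=$(cat token.txt)   # pasted from the Onboard Clusters pane
#   check_cluster_token "$TOKEN" && cluster_token_manifest allspark "$TOKEN" | kubectl apply -f -
```

Reading the token from a file (or a secrets manager) and piping the manifest keeps the credential out of ps output and shell history; the check only catches an obviously malformed or expired token early, before the agent pod fails to register and you have to dig through its logs.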

Install and Configure Istio

Once the Tanzu Service Mesh agent is running on the cluster:

  1. Return to the Tanzu Service Mesh console and complete the onboarding process by clicking the Install ISTIO button in the onboarding menu.
    • This operation installs the Istio components on the target cluster, including the Istio CNI plugin. Istio's mutating admission webhook then injects its Envoy sidecar container into each new pod automatically, and the CNI plugin redirects the pod's traffic through that sidecar without a privileged init container in every pod.

After you have onboarded clusters to Tanzu Service Mesh and installed Istio, they should appear in your Tanzu Service Mesh console:

Tanzu Service Mesh console showing installed clusters

Known Issue: Timeout

When you run pks delete-cluster, Enterprise PKS runs an errand to clean up the pods currently running in the cluster. Istio installs several pods that have a Pod Disruption Budget (PDB), and the PDB blocks the evictions the cleanup errand attempts, so the errand runs for a long time.

Enterprise PKS v1.7 lets you set a timeout for Pod Disruption Budgets, and the errand runs up to that timeout. Before v1.7 the timeout was very long (approximately 24 hours), so the delete appeared to hang forever.

Workaround

To avoid this problem, remove the onboarded cluster from Tanzu Service Mesh before deleting it:

  1. Log in to the Tanzu Service Mesh console and click the name of the cluster you want to remove.

  2. Near the top right corner, click REMOVE CLUSTER.

    • If this operation succeeds, you can safely delete the cluster with pks delete-cluster.
    • If it does not succeed, delete the Istio namespace (and with it the Istio pods and their Pod Disruption Budgets) before running pks delete-cluster:

      kubectl delete namespace istio-system

Please send any feedback you have to pks-feedback@pivotal.io.