Deploying Service Mesh (Beta)

Page last updated:

This topic describes how to deploy service mesh for VMware Tanzu Application Service for VMs (TAS for VMs).

For more information about service mesh, see Service Mesh (Beta).

Prerequisite

To deploy service mesh for TAS for VMs, you must download and install the om CLI. To download and install om, see the Om repository on GitHub.

Configure Load Balancer

To configure a load balancer for service mesh:

  1. Create a load balancer with:

    • A static IP
    • Health check port 8002 and path /healthcheck
    • Firewall rules to allow:
      • HTTP on port 80
      • HTTP on port 8002
      • TLS on port 443
  2. Navigate to your DNS provider and create a DNS name that resolves to the IP of the load balancer:

    • If you did not configure the External domain field in the Networking - Service Mesh (Beta) pane of the TAS for VMs tile, create the DNS name using the default value of *.mesh.APPS-DOMAIN, where APPS-DOMAIN is the name of the external domain.
    • If you configured the External domain field in the Networking - Service Mesh (Beta) pane of the TAS for VMs tile, create the DNS name using the value you configured.

Deploy Service Mesh in TAS for VMs

To deploy service mesh:

  1. Retrieve the staged product configuration by running:

    om staged-config --product-name=cf > /tmp/staged-config.yml
    
  2. Create an ops file to enable Istio by running:

    cat <<EOF > /tmp/enable-istio.yml
    - type: replace
      path: /product-properties/.properties.istio?
      value:
        value: enable
        selected_option: enable
    
    - type: replace
      path: /product-properties/.istio_router.static_ips?
      value:
        value: ((istio_static_ips))
    
    - type: replace
      path: /product-properties/.properties.istio_domain?
      value:
        value: ((istio_domain))
    
    - type: replace
      path: /product-properties/.properties.istio_frontend_tls_keypairs?
      value:
        value: ((istio_frontend_tls_keypairs))
    
    - type: replace
      path: /resource-config/istio_router/elb_names
      value: ((istio_router_lb_names))
    
    - type: replace
      path: /resource-config/istio_router/instances
      value: ((istio_router_instances))
    
    - type: replace
      path: /resource-config/istio_control/instances
      value: ((istio_control_instances))
    
    - type: replace
      path: /resource-config/route_syncer/instances
        value: ((route_syncer_instances))
    EOF
    
  3. Create a base vars file by running:

    cat <<EOF > /tmp/enable-istio-vars.yml
    istio_domain: mesh.app-domain.com
    istio_static_ips:
    istio_router_lb_names:
      - LOAD-BALANCER
    istio_router_instances: 1
    istio_control_instances: 1
    route_syncer_instances: 1
    istio_frontend_tls_keypairs:
      - name: CERTIFICATE-1
        certificate:
          cert_pem: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
          private_key_pem: |
        -----BEGIN RSA PRIVATE KEY-----
        -----END RSA PRIVATE KEY-----
      - name: CERTIFICATE-2
        certificate:
          cert_pem: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
          private_key_pem: |
        -----BEGIN RSA PRIVATE KEY-----
        -----END RSA PRIVATE KEY-----
    EOF
    
  4. For istio_domain, enter the domain for Istio routers. The default domain is mesh.app-domain.com.

  5. For istio_static_ips, depending on your IaaS:

    • vSphere: Enter a comma-separated string of static IPs for the Istio routers. You must also configure your load balancer with these IPs.
    • Other: Leave this field blank.
  6. If your deployment is on an IaaS other than vSphere, for istio_router_lb_names, enter the name of the loud balancer you created.

  7. For istio_router_instances, istio_control_instances, and route_syncer_instances, enter the number of instances to deploy.

  8. For istio_frontend_tls_keypairs, enter these values for each keypair you want to add:

    • name: Enter a name for the keypair.
    • certificate: Enter the private key and certificate for TLS handshakes with clients. These must be in PEM block format.
  9. Apply the configuration changes by running:

    om configure-product -c /tmp/staged-config.yml -o /tmp/enable-istio.yml -l /tmp/enable-istio-vars.yml
    
  10. Run:

    om apply-changes