Configuring VMware Tanzu Service Mesh by VMware NSX

Page last updated:

This topic describes how to integrate VMware Tanzu Kubernetes Grid Integrated Edition with VMware Tanzu Service Mesh by VMware NSX.

Tanzu Service Mesh brings application-layer visibility, control, and security to microservices deployed on VMware Tanzu Kubernetes Grid Integrated Edition-managed Kubernetes clusters.

About VMware Tanzu Service Mesh by VMware NSX

VMware Tanzu Service Mesh provides a service mesh solution for Kubernetes based on the NSX platform. Tanzu Service Mesh gives Kubernetes cluster users API-level visibility, control, and security over their clusters’ services, data, and users.

In a Kubernetes cluster, Tanzu Service Mesh runs as a pod and is deployed using a YAML file.

For more information, see NSX Service Mesh on VMware Tanzu: CONNECT & PROTECT Applications Across Your Kubernetes Clusters and Clouds in the VMware Network Virtualization blog.

Prerequisites

These instructions assume that:

  • You have deployed VMware Tanzu Kubernetes Grid Integrated Edition.

  • You have provisioned a target Kubernetes cluster for Tanzu Service Mesh.

  • You have an account with VMware Cloud Services. If you do not already have an account, register as follows:

    1. Contact your Sales contact, or send an email to driggs@vmware.com.
    2. Complete the registration process by following the emails you receive.

Install VMware Tanzu Service Mesh in a Cluster

Install VMware Tanzu Service Mesh in a cluster as follows:

  1. Add the Tanzu Service Mesh Service
  2. Onboard a Kubernetes Cluster to Tanzu Service Mesh
  3. Install and Configure Istio

Add the Tanzu Service Mesh Service

  1. Log in to the VMware Cloud Services console.

  2. Select your organization or create a new one.

  3. Select the Tanzu Service Mesh service offering and add your account to the service.

Onboard a Kubernetes Cluster to Tanzu Service Mesh

Complete the following steps to install Tanzu Service Mesh onto a TKGI-provisioned Kubernetes cluster.

  1. Sign in to the VMware Tanzu Service Mesh by VMware NSX console.

  2. In the upper-left corner of the Tanzu Service Mesh Console, click Add New > Onboard New Cluster to open the Onboard Clusters panel. If this is the first cluster onboarded to Tanzu Service Mesh, the Onboard Clusters panel appears automatically when you finish signing up for Tanzu Service Mesh.

  3. In the Onboard Clusters panel, enter a name for Tanzu Service Mesh to use to identify the target cluster.

    • VMware recommends that you enter the name of the cluster used in TKGI, but you can use a different name.
    • The cluster name must be unique within Tanzu Service Mesh.
  4. Click Generate Security Token to generate a security token.

  5. In the Onboard Clusters panel, click the copy icon to copy the kubectl apply command that applies the registration YAML file to the cluster.

  6. Log in to your TKGI-provisioned Kubernetes cluster.

  7. Run the kubectl apply command that you copied in a previous step to apply the registration YAML to the cluster. For example:

    kubectl apply -f https://prod-1.servicemesh.biz/cluster-registration/k8s/v0.8.5/k8s-registration.yaml
    
  8. In the Onboard Clusters panel, click the copy icon to copy the kubectl create secret command that establishes a secure connection with NSX Service Mesh.

  9. From your cluster, run the kubectl create secret command that you copied in the previous step. For example:

    kubectl -n allspark create secret generic cluster-token --from-literal=token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.xxxxxxxxxxxx
    
  10. Click Install NSX Service Mesh button to install Tanzu Service Mesh on the cluster.

  11. The YAML file deploys a pod to the target Kubernetes cluster that includes the Tanzu Service Mesh agent. If the target cluster is not discovered, click Exit and Reload and try again.

Install and Configure Istio

Once the Tanzu Service Mesh agent is correctly started on a cluster:

  1. Return to the Tanzu Service Mesh console and complete the on-boarding process by clicking on the Install ISTIO button in the on-boarding menu.

    This operation installs the Istio components on the target cluster, including the Istio CNI plugin that lets Istio automatically inject its Envoy sidecar container whenever a new pod is started.

After you have onboarded clusters to Tanzu Service Mesh and installed Istio, they should appear in your Tanzu Service Mesh console.

Known Issue: Timeout

When the tkgi delete cluster command is issued, the system runs an errand to clean up the pods currently running in the cluster. Istio installs a few pods that have a Pod Disruption Budget that conflict with the Tanzu Kubernetes Grid Integrated Edition cleanup errand. This may result in the errand running for an extended period of time.

Tanzu Kubernetes Grid Integrated Edition allows the user to select a timeout for Pod Disruption Budget, and the errand runs up to that timeout.

Workaround

To avoid this problem, try to remove the on-boarded cluster as follows:

  1. Log on to the Tanzu Service Mesh console and click on the name of cluster you want to remove.

  2. Near the top right corner, click Remove Cluster.

    • If this operation is successful, you can safely run the following command to delete the cluster:

      tkgi delete-cluster
      
    • If the operation is not successful, run the following command on the cluster before attempting to delete it with the tkgi delete-cluster command:

      kubectl delete namespace istio-system
      

Please send any feedback you have to pks-feedback@pivotal.io.