jmhbnz/talks

Fork 0

Files

History

James Blair ee994e251b Progress on istio ambient talk.

2025-08-21 12:53:11 +12:00

README.org

Progress on istio ambient talk.

2025-08-21 12:53:11 +12:00

README.org

OpenShift Ambient Mesh Setup

Pre-requisites
- Verify cluster auth status
- Upgrade cluster
Install service mesh operator
Deploy ambient istio

This is a short demonstration of Istio Ambient Mesh on OpenShift 4.19 via the OpenShift Service Mesh operator.

You can install Istio ambient mode on OpenShift Container Platform 4.19 or later and Red Hat OpenShift Service Mesh 3.1.0 or later with the required Gateway API custom resource definitions (CRDs).

This is currently a Technology Preview feature of OpenShift.

Pre-requisites

Before we begin, let's ensure we are logged into our cluster in the terminal and the cluster meets our version requirements.

Verify cluster auth status

oc version && oc whoami

Client Version: 4.19.7
Kustomize Version: v5.5.0
Server Version: 4.19.9
Kubernetes Version: v1.32.7
admin

Upgrade cluster

The Red Hat demo system environment available was not yet running OpenShift 4.19 so I needed to upgrade it before performing any demo preparation steps.

The first step is to acknowledge the k8s api deprecations between 4.18 and 4.19.

oc -n openshift-config patch cm admin-acks --patch '{"data":{"ack-4.18-kube-1.32-api-removals-in-4.19":"true"}}' --type=merge

Once admin acks are in place we can set the upgrade channel to fast-.419.

oc adm upgrade channel fast-4.19

Now we're ready to trigger the upgrade.

oc adm upgrade --to 4.19.9

Before proceeding with any further steps let's wait for the cluster upgrade to complete.

oc adm wait-for-stable-cluster

Install service mesh operator

Our first step to prepare the demonstration is to install the service mesh operator.

cat << EOF | oc apply --filename -
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: servicemeshoperator3
  namespace: openshift-operators
spec:
  channel: stable
  installPlanApproval: Automatic
  name: servicemeshoperator3
  source: redhat-operators
  sourceNamespace: openshift-marketplace
EOF

subscription.operators.coreos.com/servicemeshoperator3 created

Once the operator has completed installation we should see new Custom Resources available for use:

oc get crd | grep sail

istiocnis.sailoperator.io	2025-08-21T00:30:28Z
istiorevisions.sailoperator.io	2025-08-21T00:30:28Z
istiorevisiontags.sailoperator.io	2025-08-21T00:30:29Z
istios.sailoperator.io	2025-08-21T00:30:28Z
ztunnels.sailoperator.io	2025-08-21T00:30:28Z

Deploy ambient istio

Deploy istio control plane

With the operator installed lets install the istio control plane with the ambient profile.

#+NAME Install istio control plane

cat << EOF | oc apply --filename -
apiVersion: v1
kind: Namespace
metadata:
  name: istio-system

---
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  namespace: istio-system
  profile: ambient
  values:
    pilot:
      trustedZtunnelNamespace: ztunnel
EOF

namespace/istio-system created
istio.sailoperator.io/default created

Once the custom resources are created we can wait for the istio control plane deployment to become ready.

oc wait --for=condition=Ready istios/default --timeout=3m

istio.sailoperator.io/default condition met

Deploy istio container network interface

Once the control plane is in place we'll create the corresponding networking components, again with the profile ambient.

cat << EOF | oc apply --filename -
apiVersion: v1
kind: Namespace
metadata:
  name: istio-cni

---
apiVersion: sailoperator.io/v1
kind: IstioCNI
metadata:
  name: default
spec:
  namespace: istio-cni
  profile: ambient
EOF

namespace/istio-cni created
istiocni.sailoperator.io/default created

As we did earlier, after creating the custom resources we can wait for the components to become ready.

oc wait --for=condition=Ready istios/default --timeout=3m

istio.sailoperator.io/default condition met

Deploy istio ztunnel proxies

Lastly, we need to deploy the istio ztunnel proxies which are a per-node proxy that manages secure, transparent tcp connections for all workloads on the node. Once again these will be deployed with the ambient profile.

cat << EOF | oc apply --filename -
apiVersion: v1
kind: Namespace
metadata:
  name: ztunnel

---
apiVersion: sailoperator.io/v1alpha1
kind: ZTunnel
metadata:
  name: default
spec:
  namespace: ztunnel
  profile: ambient
EOF

namespace/ztunnel created
ztunnel.sailoperator.io/default created

And again let's wait to verify that these have deployed successfully before proceeding.

oc wait --for=condition=Ready ztunnel/default --timeout=3m

ztunnel.sailoperator.io/default condition met