
Istio Service

Istio is an open, platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection.

Istio has two main components: the data plane and the control plane.

  • The data plane is the communication between services. All traffic that mesh services send and receive (data plane traffic) is proxied through an Envoy proxy, which is deployed alongside each service that starts in the cluster or runs alongside services running on VMs.
  • The control plane (istiod) takes your desired configuration and its view of the services, and dynamically programs the proxy servers, updating them as the rules or the environment change.

Istio components are managed with several Helm Charts. They are deployed using Flux, and their definitions and configurations can be found in the repositories below.

  • Istio Components: Contains the definition for all Istio Helm Chart releases, namespace definition, as well as service and pod monitor definitions that are shared across all environments.

We use overlays at the per-environment and per-cluster level, using Flux kustomizations, to override Helm Chart values and create additional supporting manifests for the Istio deployments.

Renovate will create an MR whenever there are updates available for the Istio Helm Charts. We have defined dependencies between all HelmRelease definitions in Flux, so after merging the Renovate MR all Istio components will be upgraded in the following order:

  1. istio-base
  2. istiod
  3. Others: istio-gateway, istio-internal-gateway, istio-cni

The istio/gateway Helm Chart doesn’t replace the Gateway Deployment pods automatically. After the Renovate MR is merged and Flux has reconciled the changes, we need to execute a rolling restart of both istio-gateway and istio-internal-gateway Deployments.
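
One way to script that restart and confirm it took effect, as an added example (not this project's own tooling): gateway pods that were not replaced keep running the proxy image they started with, so the check compares each gateway pod's image tag with the tag you expect after the upgrade. The namespace argument, the expected tag and the function names are assumptions; the Deployment names are the ones on this page.

```shell
#!/usr/bin/env bash
# Added example, not the project's own tooling. Assumptions: the namespace and
# the expected proxy image tag are arguments; images are tag-based, not digests.
GATEWAYS="istio-gateway istio-internal-gateway"   # Deployment names from this page

# Restart each gateway Deployment and wait for its rollout to finish.
restart_gateways() {
  for d in $GATEWAYS; do
    kubectl -n "$1" rollout restart "deployment/$d" || return 1
    kubectl -n "$1" rollout status "deployment/$d" --timeout=300s || return 1
  done
}

# Print "POD IMAGE" (first container) for every pod in namespace $1.
list_pod_images() {
  kubectl -n "$1" get pods -o \
    jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[0].image}{"\n"}{end}'
}

# Read "POD IMAGE" lines on stdin and print gateway pods whose image tag is not $1.
# Exit 1 if any pod is stale, 2 if no gateway pod was seen at all.
stale_gateway_pods() {
  awk -v want="$1" -v gws="$GATEWAYS" '
    BEGIN { n = split(gws, gw, " ") }
    {
      for (i = 1; i <= n; i++)
        if (index($1, gw[i] "-") == 1) {        # pod belongs to this Deployment
          seen = 1
          k = split($2, part, ":")
          # append "" to force a string comparison (1.20 must not equal 1.2)
          if ((part[k] "") != (want "")) { print $1 " " $2; bad = 1 }
          break
        }
    }
    END { if (!seen) exit 2; exit bad + 0 }'
}

# Usage: upgrade_gateways NAMESPACE EXPECTED_TAG
upgrade_gateways() {
  restart_gateways "$1" || return 1
  images=$(list_pod_images "$1") || return 1    # do not treat a failed query as "clean"
  if ! printf '%s\n' "$images" | stale_gateway_pods "$2"; then
    echo "gateway pods missing or not on proxy tag $2" >&2
    return 1
  fi
}
```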

You can monitor the upgrade procedure as follows:

  • From your workstation using istioctl: