This is a cache of https://docs.openshift.com/rosa/service_mesh/v2x/ossm-create-smcp.html. It is a snapshot of the page at 2024-11-22T03:23:11.365+0000.
Creating the <strong>service</strong>MeshControlPlane - <strong>service</strong> Mesh 2.x | <strong>service</strong> Mesh | Red Hat OpenShift <strong>service</strong> on AWS
×

About serviceMeshControlPlane

The control plane includes Istiod, Ingress and Egress Gateways, and other components, such as Kiali and Jaeger. The control plane must be deployed in a separate namespace than the service Mesh Operators and the data plane applications and services. You can deploy a basic installation of the serviceMeshControlPlane(SMCP) from the Red Hat OpenShift service on AWS web console or the command line using the oc client tool.

This basic installation is configured based on the default Red Hat OpenShift service on AWS settings and is not designed for production use. Use this default installation to verify your installation, and then configure your serviceMeshControlPlane settings for your environment.

If you are deploying the control plane for use on Red Hat OpenShift service on AWS, see the Red Hat Knowledgebase article OpenShift service mesh operator Istio basic not starting due to authentication errors, which discusses adding a new project and starting pods.

Deploying the service Mesh control plane from the web console

You can deploy a basic serviceMeshControlPlane by using the web console. In this example, istio-system is the name of the service Mesh control plane project.

Prerequisites
  • The Red Hat OpenShift service Mesh Operator must be installed.

  • You are logged in to the Red Hat OpenShift service on AWS web console as a user with the dedicated-admin role.

Procedure
  1. Log in to the Red Hat OpenShift service on AWS web console as a user with the cluster-admin role. If you use Red Hat OpenShift Dedicated, you must have an account with the dedicated-admin role.

  2. Create a project named istio-system.

    1. Navigate to HomeProjects.

    2. Click Create Project.

    3. In the Name field, enter istio-system. The serviceMeshControlPlane resource must be installed in the istio-system project, separate from your microservices and Operators.

    4. Click Create.

  3. Navigate to OperatorsInstalled Operators.

  4. Click the Red Hat OpenShift service Mesh Operator, then click Istio service Mesh Control Plane.

  5. On the Istio service Mesh Control Plane tab, click Create serviceMeshControlPlane.

    1. Accept the default service Mesh control plane version to take advantage of the features available in the most current version of the product. The version of the control plane determines the features available regardless of the version of the Operator.

    2. Add the spec.security.identity.type.ThirdParty field, required by Red Hat OpenShift service on AWS.

    3. Click Create.

    The Operator creates pods, services, and service Mesh control plane components based on your configuration parameters. You can configure serviceMeshControlPlane settings at a later time.

Verification
  • To verify the control plane installed correctly, click the Istio service Mesh Control Plane tab.

    1. Click the name of the new control plane.

    2. Click the Resources tab to see the Red Hat OpenShift service Mesh control plane resources the Operator created and configured.

Deploying the service Mesh control plane using the CLI

You can deploy a basic serviceMeshControlPlane from the command line.

Prerequisites
  • The Red Hat OpenShift service Mesh Operator must be installed.

  • Access to the OpenShift CLI (oc).

  • You are logged in to Red Hat OpenShift service on AWS as a user with the dedicated-admin role.

Procedure
  1. Create a project named istio-system.

    $ oc new-project istio-system

    The serviceMeshControlPlane resource must be installed in the istio-system project, separate from your microservices and Operators.

  2. Create a serviceMeshControlPlane file named istio-installation.yaml using the following example. The version of the service Mesh control plane determines the features available regardless of the version of the Operator.

    Example serviceMeshControlPlane resource
    apiVersion: maistra.io/v2
    kind: serviceMeshControlPlane
    metadata:
      name: basic
      namespace: istio-system
    spec:
      version: v2.6
      security:
        identity:
          type: ThirdParty (1)
      tracing:
        type: None
        sampling: 10000
      policy:
        type: Istiod
      addons:
        grafana:
          enabled: true
        kiali:
          enabled: true
        prometheus:
          enabled: true
      telemetry:
        type: Istiod
    1 Specifies a required setting for Red Hat OpenShift service on AWS.
  3. Run the following command to deploy the service Mesh control plane, where <istio_installation.yaml> includes the full path to your file.

    $ oc create -n istio-system -f <istio_installation.yaml>
  4. To watch the progress of the pod deployment, run the following command:

    $ oc get pods -n istio-system -w

    You should see output similar to the following:

    NAME                                   READY   STATUS    RESTARTS   AGE
    grafana-b4d59bd7-mrgbr                 2/2     Running   0          65m
    istio-egressgateway-678dc97b4c-wrjkp   1/1     Running   0          108s
    istio-ingressgateway-b45c9d54d-4qg6n   1/1     Running   0          108s
    istiod-basic-55d78bbbcd-j5556          1/1     Running   0          108s
    kiali-6476c7656c-x5msp                 1/1     Running   0          43m
    prometheus-58954b8d6b-m5std            2/2     Running   0          66m

Validating your SMCP installation with the CLI

You can validate the creation of the serviceMeshControlPlane from the command line.

  1. Prerequisites

    • The Red Hat OpenShift service Mesh Operator must be installed.

    • Access to the OpenShift CLI (oc).

    • You are logged in to Red Hat OpenShift service on AWS as a user with the dedicated-admin role.

Procedure
  1. Run the following command to verify the service Mesh control plane installation, where istio-system is the namespace where you installed the service Mesh control plane.

    $ oc get smcp -n istio-system

    The installation has finished successfully when the STATUS column is ComponentsReady.

    NAME    READY   STATUS            PROFILES      VERSION   AGE
    basic   10/10   ComponentsReady   ["default"]   2.6.3     66m

About control plane and cluster-wide deployments

A cluster-wide deployment contains a service Mesh Control Plane that monitors resources for an entire cluster. Monitoring resources for an entire cluster closely resembles Istio functionality in that the control plane uses a single query across all namespaces to monitor Istio and Kubernetes resources. As a result, cluster-wide deployments decrease the number of requests sent to the API server.

You can configure the service Mesh Control Plane for cluster-wide deployments using either the Red Hat OpenShift service on AWS web console or the CLI.

Configuring the control plane for cluster-wide deployment with the web console

You can configure the serviceMeshControlPlane resource for cluster-wide deployment using the Red Hat OpenShift service on AWS web console. In this example, istio-system is the name of the service Mesh control plane project.

Prerequisites
  • The Red Hat OpenShift service Mesh Operator is installed.

  • You are logged in to Red Hat OpenShift service on AWS as a user with the dedicated-admin role.

Procedure
  1. Create a project named istio-system.

    1. Navigate to HomeProjects.

    2. Click Create Project.

    3. In the Name field, enter istio-system. The serviceMeshControlPlane resource must be installed in a project that is separate from your microservices and Operators.

      These steps use istio-system as an example. You can deploy the service Mesh control plane to any project as long as it is separate from the project that contains your services.

    4. Click Create.

  2. Navigate to OperatorsInstalled Operators.

  3. Click the Red Hat OpenShift service Mesh Operator, then click Istio service Mesh Control Plane.

  4. On the Istio service Mesh Control Plane tab, click Create serviceMeshControlPlane.

  5. Click YAML view. The version of the service Mesh control plane determines the features available regardless of the version of the Operator.

  6. Modify the spec.mode field and add the spec.security.identity.type.ThirdParty field:

    Example serviceMeshControlPlane resource
    apiVersion: maistra.io/v2
    kind: serviceMeshControlPlane
    metadata:
      name: basic
      namespace: istio-system
    spec:
      version: v2.6
      mode: ClusterWide (1)
      security:
        identity:
          type: ThirdParty (2)
      tracing:
        type: Jaeger
        sampling: 10000
      policy:
        type: Istiod
      addons:
        grafana:
          enabled: true
        jaeger:
          install:
            storage:
              type: Memory
        kiali:
          enabled: true
        prometheus:
          enabled: true
      telemetry:
        type: Istiod
    1 Specifies that the resource is for a cluster-wide deployment.
    2 Specifies a required setting for Red Hat OpenShift service on AWS.
  7. Click Create. The Operator creates pods, services, and service Mesh control plane components based on your configuration parameters. The operator also creates the serviceMeshMemberRoll if it does not exist as part of the default configuration.

Verification
  • To verify that the control plane installed correctly:

    1. Click the Istio service Mesh Control Plane tab.

    2. Click the name of the new serviceMeshControlPlane object.

    3. Click the Resources tab to see the Red Hat OpenShift service Mesh control plane resources that the Operator created and configured.

Configuring the control plane for cluster-wide deployment with the CLI

You can configure the serviceMeshControlPlane resource for cluster-wide deployment using the CLI. In this example, istio-system is the name of the service Mesh control plane namespace.

Prerequisites
  • The Red Hat OpenShift service Mesh Operator is installed.

  • You have access to the OpenShift CLI (oc).

  • You are logged in to Red Hat OpenShift service on AWS as a user with the dedicated-admin role.

Procedure
  1. Create a project named istio-system.

    $ oc new-project istio-system
  2. Create a serviceMeshControlPlane file named istio-installation.yaml using the following example:

    Example serviceMeshControlPlane resource
    apiVersion: maistra.io/v2
    kind: serviceMeshControlPlane
    metadata:
      name: basic
      namespace: istio-system
    spec:
      version: v2.6
      mode: ClusterWide (1)
      security:
        identity:
          type: ThirdParty (2)
    1 Specifies that the resource is for a cluster-wide deployment.
    2 Specifies a required setting for Red Hat OpenShift service on AWS.
  3. Run the following command to deploy the service Mesh control plane:

    $ oc create -n istio-system -f <istio_installation.yaml>

    where:

    <istio_installation.yaml>

    Specifies the full path to your file.

Verification
  1. To monitor the progress of the pod deployment, run the following command:

    $ oc get pods -n istio-system -w

    You should see output similar to the following example:

    Example output
    NAME                                   READY   STATUS    RESTARTS   AGE
    grafana-b4d59bd7-mrgbr                 2/2     Running   0          65m
    istio-egressgateway-678dc97b4c-wrjkp   1/1     Running   0          108s
    istio-ingressgateway-b45c9d54d-4qg6n   1/1     Running   0          108s
    istiod-basic-55d78bbbcd-j5556          1/1     Running   0          108s
    jaeger-67c75bd6dc-jv6k6                2/2     Running   0          65m
    kiali-6476c7656c-x5msp                 1/1     Running   0          43m
    prometheus-58954b8d6b-m5std            2/2     Running   0          66m

Customizing the member roll for a cluster-wide mesh

In cluster-wide mode, when you create the serviceMeshControlPlane resource, the serviceMeshMemberRoll resource is also created. You can modify the serviceMeshMemberRoll resource after it gets created. After you modify the resource, the service Mesh operator no longer changes it. If you modify the serviceMeshMemberRoll resource by using the Red Hat OpenShift service on AWS web console, accept the prompt to overwrite the modifications.

Alternatively, you can create a serviceMeshMemberRoll resource before deploying the serviceMeshControlPlane resource. When you create the serviceMeshControlPlane resource, the service Mesh Operator will not modify the serviceMeshMemberRoll.

The serviceMeshMemberRoll resource name must be named default and must be created in the same project namespace as the serviceMeshControlPlane resource.

There are two ways to add a namespace to the mesh. You can either add the namespace by specifying its name in the spec.members list, or configure a set of namespace label selectors to include or exclude namespaces based on their labels.

Regardless of how members are specified in the serviceMeshMemberRoll resource, you can also add members to the mesh by creating the serviceMeshMember resource in each namespace.

Validating your SMCP installation with Kiali

You can use the Kiali console to validate your service Mesh installation. The Kiali console offers several ways to validate your service Mesh components are deployed and configured properly.

  1. Prerequisites

    • The Red Hat OpenShift service Mesh Operator must be installed.

    • Access to the OpenShift CLI (oc).

    • You are logged in to Red Hat OpenShift service on AWS as a user with the dedicated-admin role.

Procedure
  1. In the Red Hat OpenShift service on AWS web console, navigate to NetworkingRoutes.

  2. On the Routes page, select the service Mesh control plane project, for example istio-system, from the Namespace menu.

    The Location column displays the linked address for each route.

  3. If necessary, use the filter to find the route for the Kiali console. Click the route Location to launch the console.

  4. Click Log In With OpenShift.

    When you first log in to the Kiali Console, you see the Overview page which displays all the namespaces in your service mesh that you have permission to view. When there are multiple namespaces shown on the Overview page, Kiali shows namespaces with health or validation problems first.

    Kiali Overview page showing istio-system
    Figure 1. Kiali Overview page

    The tile for each namespace displays the number of labels, the Istio Config health, the number of and Applications health, and Traffic for the namespace. If you are validating the console installation and namespaces have not yet been added to the mesh, there might not be any data to display other than istio-system.

  5. Kiali has four dashboards specifically for the namespace where the service Mesh control plane is installed. To view these dashboards, click the Options menu kebab on the tile for the control plane namespace, for example, istio-system, and select one of the following options:

    • Istio Mesh Dashboard

    • Istio Control Plane Dashboard

    • Istio Performance Dashboard

    • Istio Wasm Exetension Dashboard

      Istio Control Plane Dashboard showing data for bookinfo sample project
      Figure 2. Grafana Istio Control Plane Dashboard

      Kiali also installs two additional Grafana dashboards, available from the Grafana Home page:

    • Istio Workload Dashboard

    • Istio service Dashboard

  6. To view the service Mesh control plane nodes, click the Graph page, select the Namespace where you installed the serviceMeshControlPlane from the menu, for example istio-system.

    1. If necessary, click Display idle nodes.

    2. To learn more about the Graph page, click the Graph tour link.

    3. To view the mesh topology, select one or more additional namespaces from the service Mesh Member Roll from the Namespace menu.

  7. To view the list of applications in the istio-system namespace, click the Applications page. Kiali displays the health of the applications.

    1. Hover your mouse over the information icon to view any additional information noted in the Details column.

  8. To view the list of workloads in the istio-system namespace, click the Workloads page. Kiali displays the health of the workloads.

    1. Hover your mouse over the information icon to view any additional information noted in the Details column.

  9. To view the list of services in the istio-system namespace, click the services page. Kiali displays the health of the services and of the configurations.

    1. Hover your mouse over the information icon to view any additional information noted in the Details column.

  10. To view a list of the Istio Configuration objects in the istio-system namespace, click the Istio Config page. Kiali displays the health of the configuration.

    1. If there are configuration errors, click the row and Kiali opens the configuration file with the error highlighted.

Additional resources

Red Hat OpenShift service Mesh supports multiple independent control planes within the cluster. You can create reusable configurations with serviceMeshControlPlane profiles. For more information, see Creating control plane profiles.

Next steps