Perform a clean installation#
Overview#
Introduction#
The following instructions describe how to perform a clean installation of Aspen Mesh. Perform the tasks in order.
If you want to perform an upgrade instead, see Perform an upgrade.
Types of clean installations#
You can perform the following types of clean installations:
Clean-installation type |
Description |
---|---|
Single-stack |
Perform a clean installation of Aspen Mesh in IPv4 single-stack mode in a single-stack cluster (a cluster with IPv4 single-stack networking enabled). |
Dual-stack |
Perform a clean installation of Aspen Mesh in IPv4/IPv6 dual-stack mode in a dual-stack cluster (a cluster with IPv4/IPv6 dual-stack networking enabled). |
Prepare to install#
Before you begin#
Make sure you meet the minimum installation requirements.
Prepare the release#
Download the Aspen Mesh release archive file (for example,
aspenmesh-carrier-grade-1.18.7-am1-linux.tar.gz
).To manually download the release, go to Releases and click or tap the download link. You can also automate downloading. Learn how to download Aspen Mesh using a script.
In the same directory as the Aspen Mesh release archive file, download the corresponding hash file (for example,
aspenmesh-carrier-grade-1.18.7-am1-linux.tar.gz.sha256
).Go to Releases and click or tap the hash link.
In the same directory, verify the integrity of the release archive file by generating its hash and comparing it with the hash in the hash file:
$ sha256sum -c <hashFilename>
If the verification failed, repeat the preceding steps; otherwise, go to step 5.
In the same directory, extract the Aspen Mesh release archive file.
$ tar xzvf <releaseArchiveFilename>
Verify that your cluster meets the installation prerequisites#
Make sure you’re in the Aspen Mesh release directory (for example,
aspenmesh-carrier-grade-1.18.7-am1
).Execute the script to verify that your cluster meets the installation prerequisites:
$ ./tools/verify-installation-prerequisites.sh
Did the script indicate that a prerequisite isn’t met?
Yes:
Make the suggested change.
Go to step 2.
No:
Stop. Your cluster meets the installation prerequisites.
Add the location of the istioctl client to your path#
Change to the Aspen Mesh release directory.
Add the location of the
istioctl
client, located in thebin
directory, to the PATH environment variable.$ export PATH=$PWD/bin:$PATH
Verify that the
istioctl
client is in your path:$ which istioctl
Make sure you can run
istioctl
by checking its version:$ istioctl version
Note
If you get an error message that says the binary file can’t be executed, the release archive file you downloaded may be for a different operating system than the one on your computer. To easily fix this, download and extract the release archive file for your computer’s operating system (make sure it’s the same version). Then copy its
bin/istioctl
file to the same location in the Aspen Mesh release directory that you’ve been working in.
Create an Aspen Mesh override values file#
Decide where you want to store your Aspen Mesh override values file and change to that directory.
Your Aspen Mesh override values file is used to customize the installation and upgrade of Aspen Mesh by overriding default values in the Helm charts. You’ll need access to this file when installing or upgrading Aspen Mesh and should keep the file under version control.
Create a file to use as your Aspen Mesh override values file:
$ touch aspen-mesh-override-values.yaml
Open the file in a text editor.
Are you installing on OpenShift?
Yes:
Copy the following information and paste it into the file:
global: platform: openshift istio_cni: chained: false enabled: true
Go to step 5.
No:
Go to step 5.
Save and close the file.
(Dual-stack installation only) Update your Aspen Mesh override values file to enable dual-stack networking#
Important
Perform this task only if you’re performing a dual-stack clean installation.
Open your Aspen Mesh override values file (
aspen-mesh-override-values.yaml
) in a text editor.Make sure the file contains the following information related to dual-stack networking:
global: dualStack: true gateways: istio-ingressgateway: ipFamilyPolicy: RequireDualStack ipFamilies: - IPv4 - IPv6
Note
The
ingressGatewayDualStack
configuration option is no longer supported.Save and close the file.
Store Aspen Mesh container images in a private artifact registry#
If you want to store Aspen Mesh container images in a private artifact registry instead of the Aspen Mesh artifact registry, do that now.
For instructions and information on when you might want to do this, see Store Aspen Mesh container images in a private artifact registry.
Perform a clean installation#
Install the control-plane dependencies#
Pause all application deployments and configuration changes to your Kubernetes cluster.
Cluster updates may fail while the installation is in progress.
If you want to plug in CA certificates or enable ECC workload certificates, do so now.
Change to the Aspen Mesh release directory.
Create the
istio-system
namespace:$ kubectl create namespace istio-system
Install the cluster-wide objects used by the Istio control plane in the
istio-system
namespace (other namespaces are not supported):$ helm install istio-base --namespace istio-system manifests/charts/base --wait
Verify that the Istio CRDs were committed to the Kubernetes or OpenShift API server:
$ kubectl get crds | grep 'istio.io'
The output of the command should include the following CRDs:
authorizationpolicies.security.istio.io
destinationrules.networking.istio.io
envoyfilters.networking.istio.io
gateways.networking.istio.io
istiooperators.install.istio.io
peerauthentications.security.istio.io
proxyconfigs.networking.istio.io
requestauthentications.security.istio.io
serviceentries.networking.istio.io
sidecars.networking.istio.io
telemetries.telemetry.istio.io
virtualservices.networking.istio.io
wasmplugins.extensions.istio.io
workloadentries.networking.istio.io
workloadgroups.networking.istio.io
(OpenShift only) Install the Istio CNI plugin#
Important
Perform this task only if you’re performing a clean installation in an OpenShift cluster.
Verify that no
istio-cni
network-attachment definition exists in thedefault
namespace:$ kubectl get network-attachment-definitions
Install the Istio CNI plugin:
$ helm install istio-cni manifests/charts/istio-cni \ --namespace kube-system \ --wait
Verify that the
istio-cni
network-attachment definition has been created in thedefault
namespace:$ kubectl get network-attachment-definitions
Note
Beginning with Aspen Mesh 1.18, it’s no longer necessary to do the following:
Add the
anyuid
security context constraint (SCC) to the service accounts in theistio-system
namespace.Add the
anyuid
andprivileged
SCCs to the service accounts in all namespaces in which sidecar injection should occur.Create an
istio-cni
network-attachment definition in all namespaces in which sidecar injection should occur.
Install the control plane and gateway components#
Copy your Aspen Mesh override values file (
aspen-mesh-override-values.yaml
) to the Aspen Mesh release directory.Install the Istio control plane:
$ helm install istiod manifests/charts/istio-control/istio-discovery \ --namespace istio-system \ --values aspen-mesh-override-values.yaml \ --wait
Create a namespace for the Istio ingress gateway components, making sure to replace
<ingressNamespaceName>
with the name of the namespace to use for these components:$ kubectl create namespace <ingressNamespaceName>
Install the Istio ingress gateway components, making sure to replace
<ingressNamespaceName>
with the name of the namespace to use for these components:$ helm install istio-ingress manifests/charts/gateways/istio-ingress \ --namespace <ingressNamespaceName> \ --values aspen-mesh-override-values.yaml
Note
If you’re installing on OpenShift, do not use the
--wait
option with this command because the service it creates will not be in a ready state until you complete the next step.Are you installing on OpenShift?
Yes:
Create an OpenShift route for the ingress gateway:
$ oc expose svc/istio-ingressgateway --namespace <ingressNamespace> --port=http2
Go to step 6.
No:
Go to step 6.
If you need the Istio egress gateway, create a namespace for the Istio egress gateway components, making sure to replace
<egressNamespaceName>
with the name of the namespace to use for these components:$ kubectl create namespace <egressNamespaceName>
If you need the Istio egress gateway, install the Istio egress gateway components, making sure to replace
<egressNamespaceName>
with the name of the namespace to use for these components:$ helm install istio-egress manifests/charts/gateways/istio-egress \ --namespace <egressNamespaceName> \ --values aspen-mesh-override-values.yaml \ --wait
(Dual-stack installation only) Verify dual-stack functionality and configure your services#
Verify dual-stack functionality and configure your services#
Perform the tasks in Verify dual-stack functionality and configure your services.
Enable automatic sidecar injection#
Enable automatic sidecar injection#
Apply the
istio-injection
label to any namespace in which automatic sidecar injection should occur:$ kubectl label namespace <namespaceName> istio-injection=enabled --overwrite
Install optional companion products#
Introduction#
The Aspen Mesh release archive file includes optional companion products that are installed and upgraded separately from Aspen Mesh.
Install optional companion products#
If you want to use any of the Aspen Mesh companion products, you can install them now. See the following sections: