appendix E. How the virtual machine is configured to join the mesh

In this appendix, we take a closer look at the configuration generated by istioctl for virtual machines (VMs) when we want to register them to the mesh. Specifically, the files were generated when we executed the following command in chapter 13:

$  istioctl x workload entry configure \
    --name forum \
    --namespace forum-services \
    --clusterID "west-cluster" \
    --externalIP $VM_IP \
    --autoregister \
    -o ./ch13/workload-files/

Quite a few files were generated, with a lot of structured configuration. If users had to come up with it, a lot of trial and error would be required to get it right. That’s why this process is automated with istioctl.

To learn more about the generated configuration, start by listing all the files.

$  tree ch13/workload-files
 
ch13/workload-files
├── cluster.env
├── hosts
├── istio-token
├── mesh.yaml
└── root-cert.pem

The files are as follows:

  • The hosts file is configured with the host entry istiod.istio-system.svc, which resolves to the IP of the east-west gateway. By default, this host entry uses the IP of the gateway named istio-eastwestgateway. However, you can change that by specifying the name with the flag --ingressService or the IP directly with --ingressIP.

  • The istio-token file contains a short-lived token (by default, 1 hour) that the workload uses to identify itself to istiod. You can specify the expiry duration with the flag --tokenDuration.

  • The root-cert.pem file is the public certificate of the root certificate authority (CA) that enables the workload to validate the control-plane certificate.

  • The cluster.env file contains metadata for the workload such as the namespace, service account, network, workload group it belongs to, and so on. To get a better idea, let’s print the configured values:

    $  cat ch13/workload-files/cluster.env
     
    ISTIO_META_AUTO_REGISTER_GROUP='forum'
    ISTIO_META_CLUSTER_ID='west-cluster'
    ISTIO_META_DNS_CAPTURE='true'
    ISTIO_META_MESH_ID='usmesh'
    ISTIO_META_NETWORK='vm-network'
    ISTIO_META_WORKLOAD_NAME='forum'
    ISTIO_NAMESPACE='forum-services'
    ISTIO_SERVICE='forum.forum-services'
    ISTIO_SERVICE_CIDR='*'
    ISTIO_SVC_IP='138.91.249.118'
    POD_NAMESPACE='forum-services'
    SERVICE_ACCOUNT='forum-sa'
    TRUST_DOMAIN='cluster.local'

    The most important values are the following:

    ISTIO_META_AUTO_REGISTER_GROUP: the workload automatically registers to the forum workload group.

    ISTIO_META_CLUSTER_ID: the workload authenticates to the west-cluster.

    ISTIO_META_DNS_CAPTURE: DNS capture is enabled, so traffic routes correctly to services within the mesh.

    ISTIO_META_NETWORK: the workload is located in the vm-network.

  • The mesh.yaml file configures the discovery address and the probes by which the sidecar tests the application’s readiness to receive traffic.

This is all the configuration needed to integrate one VM into the service mesh. It’s preferable to always use istioctl to generate the configuration; but when troubleshooting why a workload is not connecting to the mesh, you will iterate faster by making changes directly to the files and restarting the service proxy to pick up the changes.
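When iterating on these files by hand, it helps to sanity-check the directory before restarting the proxy. The following script is an added example, not the book's or istioctl's own code: it verifies that the five files listed above exist, that hosts resolves istiod.istio-system.svc, that cluster.env carries the keys discussed, and how much of the short-lived istio-token lifetime is left. The sample directory it builds (gateway IP 192.0.2.10, the token, the mesh.yaml line) is constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the book): sanity-check a directory produced by
# `istioctl x workload entry configure` and report the istio-token lifetime.
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }

# Seconds until the JWT in file $1 expires (negative once it has expired).
token_seconds_left() {
  local payload pad exp
  payload="$(cut -d. -f2 "$1" | tr '_-' '/+')"          # base64url -> base64
  pad="$(printf '%*s' $(( (4 - ${#payload} % 4) % 4 )) '' | tr ' ' '=')"
  exp="$(printf '%s%s' "$payload" "$pad" | base64 -d 2>/dev/null \
        | grep -o '"exp":[0-9]*' | cut -d: -f2)"
  [ -n "$exp" ] || return 1
  echo $(( exp - $(date +%s) ))
}

# Returns 0 when every file the appendix lists is present and consistent.
check_workload_files() {
  local dir="$1" f key left ok=0
  for f in cluster.env hosts istio-token mesh.yaml root-cert.pem; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $f"; ok=1; }
  done
  grep -q 'istiod.istio-system.svc' "$dir/hosts" 2>/dev/null \
    || { echo "hosts: no entry for istiod.istio-system.svc"; ok=1; }
  for key in ISTIO_META_CLUSTER_ID ISTIO_META_NETWORK ISTIO_NAMESPACE \
             SERVICE_ACCOUNT ISTIO_META_AUTO_REGISTER_GROUP; do
    grep -q "^$key=" "$dir/cluster.env" 2>/dev/null \
      || { echo "cluster.env: $key not set"; ok=1; }
  done
  left="$(token_seconds_left "$dir/istio-token")" \
    || { echo "istio-token: not a JWT with an exp claim"; return 1; }
  [ "$left" -gt 0 ] || { echo "istio-token: expired ${left#-}s ago"; ok=1; }
  return "$ok"
}

# Build a constructed directory mirroring ch13/workload-files; the gateway
# IP, the token and its lifetime ($1 seconds, default 3600) are made up.
make_sample_dir() {
  local d exp
  d="$(mktemp -d)"
  printf '192.0.2.10 istiod.istio-system.svc\n' > "$d/hosts"
  printf "ISTIO_META_AUTO_REGISTER_GROUP='forum'\nISTIO_META_CLUSTER_ID='west-cluster'\nISTIO_META_NETWORK='vm-network'\nISTIO_NAMESPACE='forum-services'\nSERVICE_ACCOUNT='forum-sa'\n" > "$d/cluster.env"
  echo 'discoveryAddress: istiod.istio-system.svc:15012' > "$d/mesh.yaml"
  echo '-----BEGIN CERTIFICATE-----' > "$d/root-cert.pem"
  exp=$(( $(date +%s) + ${1:-3600} ))
  printf '%s.%s.sig' "$(b64url '{"alg":"RS256"}')" "$(b64url "{\"exp\":$exp}")" > "$d/istio-token"
  echo "$d"
}
```

Run it as `check_workload_files ./ch13/workload-files` against a real directory; each failed check prints one line and the exit status is non-zero.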
