Редагувати

Поділитися через


Deploy the Open Service Mesh add-on using Bicep in Azure Kubernetes Service (AKS)

This article shows you how to deploy the Open Service Mesh (OSM) add-on to Azure Kubernetes Service (AKS) using a Bicep template.

Note

With the retirement of Open Service Mesh (OSM) by the Cloud Native Computing Foundation (CNCF), we recommend identifying your OSM configurations and migrating them to an equivalent Istio configuration. For information about migrating from OSM to Istio, see Migration guidance for Open Service Mesh (OSM) configurations to Istio.

Important

Based on the version of Kubernetes your cluster is running, the OSM add-on installs a different version of OSM.

Kubernetes version OSM version installed
1.24.0 or greater 1.2.5
Between 1.23.5 and 1.24.0 1.1.3
Below 1.23.5 1.0.0

Older versions of OSM may not be available for install or be actively supported if the corresponding AKS version has reached end of life. You can check the AKS Kubernetes release calendar for information on AKS version support windows.

Bicep is a domain-specific language that uses declarative syntax to deploy Azure resources. You can use Bicep in place of creating Azure Resource Manager templates to deploy your infrastructure-as-code Azure resources.

Before you begin

Before you begin, make sure you have the following prerequisites in place:

Install the OSM add-on for a new AKS cluster by using Bicep

For deployment of a new AKS cluster, you enable the OSM add-on at cluster creation. The following instructions use a generic Bicep template that deploys an AKS cluster by using ephemeral disks and the kubenet container network interface, and then enables the OSM add-on. For more advanced deployment scenarios, see What is Bicep?

Create a resource group

  • Create a resource group using the az group create command.

    az group create --name <my-osm-bicep-aks-cluster-rg> --location <azure-region>
    

Create the main and parameters Bicep files

  1. Create a directory to store the necessary Bicep deployment files. The following example creates a directory named bicep-osm-aks-addon and changes to the directory:

    mkdir bicep-osm-aks-addon
    cd bicep-osm-aks-addon
    
  2. Create the main file and the parameters file.

    touch osm.aks.bicep && touch osm.aks.parameters.json
    
  3. Open the osm.aks.bicep file and copy in the following content:

    // https://learn.microsoft.com/azure/aks/troubleshooting#what-naming-restrictions-are-enforced-for-aks-resources-and-parameters
    @minLength(3)
    @maxLength(63)
    @description('Provide a name for the AKS cluster. The only allowed characters are letters, numbers, dashes, and underscore. The first and last character must be a letter or a number.')
    param clusterName string
    @minLength(3)
    @maxLength(54)
    @description('Provide a name for the AKS dnsPrefix. Valid characters include alphanumeric values and hyphens (-). The dnsPrefix can\'t include special characters such as a period (.)')
    param clusterDNSPrefix string
    param k8Version string
    param sshPubKey string
    param location string
    param adminUsername string
    
    
    resource aksCluster 'Microsoft.ContainerService/managedClusters@2021-03-01' = {
      name: clusterName
      location: location
      identity: {
        type: 'SystemAssigned'
      }
      properties: {
        kubernetesVersion: k8Version
        dnsPrefix: clusterDNSPrefix
        enableRBAC: true
        agentPoolProfiles: [
          {
            name: 'agentpool'
            count: 3
            vmSize: 'Standard_DS2_v2'
            osDiskSizeGB: 30
            osDiskType: 'Ephemeral'
            osType: 'Linux'
            mode: 'System'
          }
        ]
        linuxProfile: {
          adminUsername: adminUserName
          ssh: {
            publicKeys: [
              {
                keyData: sshPubKey
              }
            ]
          }
        }
        addonProfiles: {
            openServiceMesh: {
                enabled: true
                config: {}
          }
        }
      }
    }
    
  4. Open the osm.aks.parameters.json file and copy in the following content. Make sure you replace the deployment parameter values with your own values.

    Note

    The osm.aks.parameters.json file is an example template parameters file needed for the Bicep deployment. Update the parameters specifically for your deployment environment. The parameters you need to add values for include: clusterName, clusterDNSPrefix, k8Version, sshPubKey, location, and adminUsername. To find a list of supported Kubernetes versions in your region, use the az aks get-versions --location <region> command.

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "clusterName": {
          "value": "<YOUR CLUSTER NAME HERE>"
        },
        "clusterDNSPrefix": {
          "value": "<YOUR CLUSTER DNS PREFIX HERE>"
        },
        "k8Version": {
          "value": "<YOUR SUPPORTED KUBERNETES VERSION HERE>"
        },
        "sshPubKey": {
          "value": "<YOUR SSH KEY HERE>"
        },
        "location": {
          "value": "<YOUR AZURE REGION HERE>"
        },
        "adminUsername": {
          "value": "<YOUR ADMIN USERNAME HERE>"
        }
      }
    }
    

Deploy the Bicep files

  1. Open a terminal and authenticate to your Azure account for the Azure CLI using the az login command.

  2. Deploy the Bicep files using the az deployment group create command.

    az deployment group create \
      --name OSMBicepDeployment \
      --resource-group osm-bicep-test \
      --template-file osm.aks.bicep \
      --parameters @osm.aks.parameters.json
    

Validate installation of the OSM add-on

  1. Query the add-on profiles of the cluster to check the enabled state of the installed add-ons. The following command should return true:

    az aks list -g <my-osm-aks-cluster-rg> -o json | jq -r '.[].addonProfiles.openServiceMesh.enabled'
    
  2. Get the status of the osm-controller using the following kubectl commands.

    kubectl get deployments -n kube-system --selector app=osm-controller
    kubectl get pods -n kube-system --selector app=osm-controller
    kubectl get services -n kube-system --selector app=osm-controller
    

Access the OSM add-on configuration

You can configure the OSM controller using the OSM MeshConfig resource, and you can view the OSM controller's configuration settings using the Azure CLI.

  • View the OSM controller's configuration settings using the kubectl get command.

    kubectl get meshconfig osm-mesh-config -n kube-system -o yaml
    

    Here's an example output of MeshConfig:

    apiVersion: config.openservicemesh.io/v1alpha1
    kind: MeshConfig
    metadata:
      creationTimestamp: "0000-00-00A00:00:00A"
      generation: 1
      name: osm-mesh-config
      namespace: kube-system
      resourceVersion: "2494"
      uid: 6c4d67f3-c241-4aeb-bf4f-b029b08faa31
    spec:
      certificate:
        serviceCertValidityDuration: 24h
      featureFlags:
        enableEgressPolicy: true
        enableMulticlusterMode: false
        enableWASMStats: true
      observability:
        enableDebugServer: true
        osmLogLevel: info
        tracing:
          address: jaeger.osm-system.svc.cluster.local
          enable: false
          endpoint: /api/v2/spans
          port: 9411
      sidecar:
        configResyncInterval: 0s
        enablePrivilegedInitContainer: false
        envoyImage: mcr.microsoft.com/oss/envoyproxy/envoy:v1.18.3
        initContainerImage: mcr.microsoft.com/oss/openservicemesh/init:v0.9.1
        logLevel: error
        maxDataPlaneConnections: 0
        resources: {}
      traffic:
        enableEgress: true
        enablePermissiveTrafficPolicyMode: true
        inboundExternalAuthorization:
          enable: false
          failureModeAllow: false
          statPrefix: inboundExtAuthz
          timeout: 1s
        useHTTPSIngress: false
    

    Notice that enablePermissiveTrafficPolicyMode is configured to true. In OSM, permissive traffic policy mode bypasses SMI traffic policy enforcement. In this mode, OSM automatically discovers services that are a part of the service mesh. The discovered services will have traffic policy rules programmed on each Envoy proxy sidecar to allow communications between these services.

    Warning

    Before you proceed, verify that your permissive traffic policy mode is set to true. If it isn't, change it to true using the following command:

    kubectl patch meshconfig osm-mesh-config -n kube-system -p '{"spec":{"traffic":{"enablePermissiveTrafficPolicyMode":true}}}' --type=merge
    

Clean up resources

Next steps

This article showed you how to install the OSM add-on on an AKS cluster and verify that it's installed and running. With the OSM add-on installed on your cluster, you can deploy a sample application or onboard an existing application to work with your OSM mesh.