With Tech Preview 10 of the Service Mesh the installation method changed. With the new operator and the respective custom resource you now get much more control over the to be installed components, like autoscaling behaviour and resource limits.

Official docs can be found here: https://docs.openshift.com/container-platform/3.11/servicemesh-install/servicemesh-install.html

Installing it is straight forward - just follow the docs and you’re good to go. For my use cases, I used the following custom resource:

apiVersion: maistra.io/v1
kind: ServiceMeshControlPlane
metadata:
  name: istio-installation
spec:
  # TODO: be less lazy and configure proper limits / requests
  #
  # NOTE, if you remove all children from an element, you should remove the
  # element too.  An empty element is interpreted as null and will override all
  # default values (i.e. no values will be specified for that element, not even
  # the defaults baked into the chart values.yaml).
  istio:
    multitenant: false
    launcher:
      enabled: false
    global:
      # force to use rhel7 based proxy-init container
      proxy_init:
        image: proxy-init
      hub: registry.redhat.io/openshift-istio-tech-preview
      tag: 0.11.0
      # the following lines enable tls across the control and data planes
      controlPlaneSecurityEnabled: true
      mtls:
        enabled: true
      disablePolicyChecks: false
      policyCheckFailOpen: false
      outboundTrafficPolicy:
        mode: REGISTRY_ONLY # defaults to ALLOW_ANY
      # its either * or . - in case we can test all use cases, lets start with . in our dev env only
      # this will set the following in the config map:
      # defaultServiceExportTo:
      #   - "."
      # defaultVirtualServiceExportTo:
      #   - "."
      # defaultDestinationRuleExportTo:
      #   - "."
      # defaultConfigVisibilitySettings:
        # - "*" # bookinfo didn't even work for me without it (even when I exported the GW and VS)
      proxy:
        accessLogFile: /dev/stdout # in envs higher than test this should be empty
        accessLogEncoding: TEXT
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 128Mi
    gateways:
      istio-egressgateway:
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 128Mi
        autoscaleEnabled: true
        autoscaleMin: 1
        autoscaleMax: 3
      istio-ingressgateway:
        autoscaleEnabled: true
        autoscaleMin: 1
        autoscaleMax: 3
        ior_enabled: false
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 128Mi
    mixer:
      policy:
        autoscaleEnabled: true
        autoscaleMin: 1
        autoscaleMax: 3
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 128Mi
      telemetry:
        autoscaleEnabled: true
        autoscaleMin: 1
        autoscaleMax: 3
        resources:
          requests:
            cpu: 100m
            memory: 1G
          limits:
            cpu: 500m
            memory: 4G
    pilot:
      autoscaleEnabled: true
      traceSampling: 100.0
      autoscaleMin: 1
      autoscaleMax: 3
      resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 128Mi
    kiali:
      enabled: true
      tag: 0.20.0
    tracing:
      enabled: true
      hub: distributed-tracing-tech-preview
      tag: 1.11

Time to explain some things.

  1. I am on OCP 3.11 with RHEL7 nodes. The RHEL8 based proxy image uses nftables and not iptables which wouldn’t work, so we have to make sure to use the RHEL7 based image:

    proxy_init:
      image: proxy-init
    hub: registry.redhat.io/openshift-istio-tech-preview
    tag: 0.11.0
    
    1. One of the many advantages of the service mesh is the out of the box security between your application services. But you can enable mTLS for the entire control plane as well!
    controlPlaneSecurityEnabled: true
    
  2. Speaking of security - let’s enable mTLS for the workloads:

    mtls:
    enabled: true
    
    1. I want to use policy checks. in TP9 the default changed, so we gotta enable them explicitly:
    disablePolicyChecks: false
    
  3. I want to have control over the outbound communication of the workloads in my service mesh. So, only those external services can be called, which are known to Istio’s registry:

    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
    

    This basically means either it is a K8s service or it has to be defined via ServiceEntry.

    1. For testing I want to have an access log in the proxies. Maybe nothing I would want in a productive environment (of course it depends), but for testing, definitely useful:
    proxy:
      accessLogFile: /dev/stdout
      accessLogEncoding: TEXT
    
  4. Kiali now supports authentication via oauth proxy. Not defining a username and password enables that:

    kiali:
      enabled: true
      tag: 0.20.0
    
    1. There’s a component called IOR which automatically creates routes for the hosts defined in the Gateway. This comes in handy, but my tests right now use a wildcard routes, so I don’t need that for now.
    ior_enabled: false
    

The rest is just autoscaling, resource limits etc. The defaults work for me, in non-playground environments like my homelab you want run tests to check which parameters work best for you there.