Remotely Accessing Telemetry Addons
This task shows how to configure Istio to expose and access the telemetry addons outside of a cluster.
Configuring remote access
Remote access to the telemetry addons can be configured in a number of different ways. This task covers two basic access methods: secure (via HTTPS) and insecure (via HTTP). The secure method is strongly recommended for any production or sensitive environment. Insecure access is simpler to set up, but will not protect any credentials or data transmitted outside of your cluster.
For both options, first follow these steps:
Install Istio5 in your cluster.
To additionally install the telemetry addons, follow the integrations6 documentation.
Set up the domain to expose addons. In this example, you expose each addon on a subdomain, such as
grafana.example.com
.- If you have an existing domain pointing to the external IP address of
istio-ingressgateway
(say example.com):
- If you do not have a domain, you may use
nip.io
7 which will automatically resolve to the IP address provided. This is not recommended for production usage.
- If you have an existing domain pointing to the external IP address of
Option 1: Secure access (HTTPS)
A server certificate is required for secure access. Follow these steps to install and configure server certificates for a domain that you control.
This example uses self-signed certificates, which may not be appropriate for production usages. For these cases, consider using cert-manager8 or other tools to provision certificates. You may also visit the Securing Gateways with HTTPS9 task for general information on using HTTPS on the gateway.
Set up the certificates. This example uses
openssl
to self sign.Apply networking configuration for the telemetry addons.
Apply the following configuration to expose Grafana:
Apply the following configuration to expose Kiali:
Apply the following configuration to expose Prometheus:
Apply the following configuration to expose the tracing service:
Visit the telemetry addons via your browser.
- Kiali:
https://kiali.${INGRESS_DOMAIN}
- Prometheus:
https://prometheus.${INGRESS_DOMAIN}
- Grafana:
https://grafana.${INGRESS_DOMAIN}
- Tracing:
https://tracing.${INGRESS_DOMAIN}
- Kiali:
Option 2: Insecure access (HTTP)
Apply networking configuration for the telemetry addons.
Apply the following configuration to expose Grafana:
Apply the following configuration to expose Kiali:
Apply the following configuration to expose Prometheus:
Apply the following configuration to expose the tracing service:
Visit the telemetry addons via your browser.
- Kiali:
http://kiali.${INGRESS_DOMAIN}
- Prometheus:
http://prometheus.${INGRESS_DOMAIN}
- Grafana:
http://grafana.${INGRESS_DOMAIN}
- Tracing:
http://tracing.${INGRESS_DOMAIN}
- Kiali:
Cleanup
Remove all related Gateways:
Remove all related Virtual Services:
Remove all related Destination Rules: