
Kubernetes with Istio

When running a GraphQL server in Kubernetes inside an Istio service mesh, an alternative Inigo deployment model is advisable. Istio runs its own sidecar container in the GraphQL server Pod, which would conflict with an Inigo sidecar container.

The alternative Inigo deployment model is to run an Inigo proxy service inside of your service mesh as shown in the following diagram:

(Istio Ingress) --> (Inigo Proxy + Istio Sidecar) --> (GraphQL Server + Istio Sidecar)

Note: When using Istio Ambient mode, the Kubernetes Inigo sidecar deployment will work, as there will not be a sidecar conflict. This installation guide only pertains to the Istio sidecar deployment model.

Prerequisites

  • A working Kubernetes instance with kubectl. If not, see the Kubernetes documentation for installation instructions.
  • A working Istio installation in your Kubernetes cluster. If not, see the Istio Getting Started guide.
  • A working GraphQL Server instance deployed as a Kubernetes Pod with an Istio sidecar. If not, label your namespace with istio-injection=enabled and restart all of the pods.
  • External client ingress into Kubernetes and the service mesh, likely using Istio Ingress, as shown in the following diagram:
(Istio Ingress) --> (GraphQL Server + Istio Sidecar)

Inigo Proxy Deployment

An independent Inigo proxy should be deployed for every GraphQL server deployment. The following example is for a starwars GraphQL server running in Kubernetes, inside of the Istio service mesh:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: starwars-inigo
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: starwars-inigo
spec:
  selector:
    matchLabels:
      app: starwars-inigo
  template:
    metadata:
      labels:
        app: starwars-inigo
    spec:
      serviceAccountName: starwars-inigo
      containers:
        - name: sidecar
          image: "inigohub/sidecar:latest"
          imagePullPolicy: Always
          envFrom:
            - configMapRef:
                name: starwars-inigo
            - secretRef:
                name: starwars-inigo-token
          resources:
            requests:
              memory: "512Mi"
              cpu: 1
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: starwars-inigo
  labels:
    app: starwars-inigo
data:
  #LOG_TYPE: "json"
  #LOG_LEVEL: "debug"
  SERVICE_LISTEN_PORT: "8888"
---
apiVersion: v1
kind: Secret
metadata:
  name: starwars-inigo-token
  labels:
    app: starwars-inigo
stringData:
  INIGO_SERVICE_TOKEN: "PASTE_INIGO_SERVICE_TOKEN_HERE"
---
# Same name as the ConfigMap above: when this manifest is applied,
# this definition replaces the earlier one.
apiVersion: v1
kind: ConfigMap
metadata:
  name: starwars-inigo
  labels:
    app: starwars
data:
  #LOG_TYPE: "json"
  #LOG_LEVEL: "debug"
  INIGO_LISTEN_PORT: "80"
  INIGO_ENABLE: "true"
  INIGO_EGRESS_URL: http://starwars:80/query
  INIGO_GRAPHQL_PLAYGROUND_ROUTE: /playground
---
apiVersion: v1
kind: Service
metadata:
  name: starwars-inigo
  labels:
    app: starwars
spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: starwars-inigo

Run kubectl apply to deploy the Inigo proxy. Per the prerequisites, the namespace should be labeled with istio-injection=enabled so that an Istio sidecar is automatically added to the Inigo proxy Pod.

GraphQL Server Deployment

Next, deploy the GraphQL server behind the Kubernetes service that the Inigo proxy targets through INIGO_EGRESS_URL.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: starwars
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: starwars
spec:
  selector:
    matchLabels:
      app: starwars
  template:
    metadata:
      labels:
        app: starwars
    spec:
      serviceAccountName: starwars
      containers:
        - name: sidecar
          image: "inigohub/starwars:latest"
          imagePullPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  name: starwars
  labels:
    app: starwars
spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: starwars

After deployment, both the Inigo proxy and the GraphQL server Pods should have 2 containers, with 1 being for the Istio sidecar proxy.

kubectl get pods -n dev

NAME                              READY   STATUS    RESTARTS   AGE
starwars-inigo-866dd9c4c4-pfmzz   2/2     Running   0          73m
starwars-68b999bb5-n7s55          2/2     Running   0          65m
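
The proxy only sits in the request path if no other workload in the mesh can call the GraphQL server directly. One way to enforce that with Istio, as an added example that is not part of the Inigo documentation: it assumes the dev namespace shown in the kubectl output and the default cluster.local trust domain, and the two policy names are made up for illustration.

```yaml
# Added example (not from the Inigo docs).
# Assumptions: namespace "dev", Istio trust domain "cluster.local",
# hypothetical resource names "starwars-strict-mtls" and
# "starwars-allow-inigo-only".
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: starwars-strict-mtls
  namespace: dev
spec:
  selector:
    matchLabels:
      app: starwars            # the GraphQL server Pods only
  mtls:
    mode: STRICT               # source principals exist only on mTLS connections
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: starwars-allow-inigo-only
  namespace: dev
spec:
  selector:
    matchLabels:
      app: starwars            # applies to the GraphQL server, not the proxy
  action: ALLOW                # anything not matched by a rule is denied
  rules:
    - from:
        - source:
            principals:
              # identity of the starwars-inigo ServiceAccount created above
              - cluster.local/ns/dev/sa/starwars-inigo
      to:
        - operation:
            ports: ["80"]      # targetPort of the starwars Service
```

With this applied, a request to http://starwars:80/query from any other workload in the mesh is rejected by the GraphQL server's Istio sidecar with HTTP 403, while requests forwarded by the Inigo proxy continue to pass.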

Checking Connectivity

If an Istio Ingress Gateway is not configured, kubectl port-forward can be used as a substitute to verify connectivity from the Inigo proxy to the GraphQL server through the Istio service mesh.

kubectl port-forward -n dev svc/starwars-inigo 9080:80

After running this command, the GraphQL endpoint will be exposed at localhost:9080, and GraphQL queries can be run against this endpoint using Inigo Explorer.

IMPORTANT: A managed schema is required for your GraphQL server in order to see the schema in Inigo and have detailed analytics when using the Inigo proxy.

NOTE: An Istio demo app is available to try at https://github.com/inigolabs/workshops/tree/main/istio that has a README with detailed instructions.