
Install and Set Up Istio for C3 Agentic AI Platform

You can use Istio in the C3 Agentic AI Platform as a service mesh for traffic management, security, and service-to-service communication within the platform Kubernetes infrastructure.

See the Istio documentation to learn more about Istio and how to use it.

To set up Istio for the C3 Agentic AI Platform, complete the following steps:

  1. Install Istio for the platform
  2. Enable Istio sidecar injection
  3. Enable and configure mTLS
  4. Configure Nginx ingress
  5. Route ingress object traffic to a single upstream service
  6. Enable Istio on the C3 AI cluster

After you set up Istio, you can visualize traffic flow between services and workloads. See the following sections to complete Istio setup and visualize traffic flow.

Requirements

To set up Istio, you need the following:

  • The C3.ClusterAdmin role, to install and set up Istio for the C3 Agentic AI Platform
  • kubectl and Helm access to the Kubernetes cluster that hosts your deployment

1. Install Istio for the platform

Install and configure an Istio service mesh using Helm. See the Istio documentation Install with Helm for more information.

Run the following script in the command line on a machine with internet access to install an Istio mesh for the C3 Agentic AI platform:

Text
# Add the upstream Istio chart repository (base CRDs and the istiod control plane).
helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update

# Create the control-plane namespace; istio/base installs the Istio CRDs and cluster roles.
kubectl create namespace istio-system
helm install istio-base istio/base -n istio-system --version 1.24 --set defaultRevision=default

# Image pull secret for C3 AI's registry. Replace the placeholder with the base64-encoded
# contents of a Docker config.json that holds pull credentials for registry.c3.ai.
kubectl apply -f - <<EOF
apiVersion: v1
data:
  .dockerconfigjson: <docker-secret-config-base64encoded>
immutable: false
kind: Secret
metadata:
  name: registryc3ai
  namespace: istio-system
type: kubernetes.io/dockerconfigjson
EOF

# Chart values: C3-provided FIPS images for istiod and the Envoy proxy, the pull secret
# above, and a mesh default that holds application containers until the sidecar is
# ready, so workloads do not start sending traffic before the proxy can handle it.
tee values.yaml <<EOF
pilot:
  hub: registry.c3.ai/c3.ai
  tag: 1.24.2-r2-202501311634
  image: istio-pilot-fips
global:
  hub: registry.c3.ai/c3.ai
  tag: 1.24.2-r0-202501311631
  proxy:
    image: istio-proxy-fips
  proxy_init:
    image: istio-proxy-fips
  imagePullSecrets: [registryc3ai]
meshConfig:
  defaultConfig:
    holdApplicationUntilProxyStarts: true
EOF

# Install the control plane; --wait blocks until istiod reports ready.
helm install istiod istio/istiod -n istio-system --version 1.24 --values values.yaml --wait

The script does the following:

  • Configures the Helm repository
  • Installs the Istio base chart (CRDs and cluster roles) in the istio-system namespace
  • Creates a Kubernetes secret that contains Docker registry credentials so Kubernetes can pull container images from C3 AI's registry
    • This is the standard way to pull the Istio images that C3 AI provides. You can pull the images in other ways with different authentication mechanisms, such as mirroring them to a private registry.
  • Sets Istio configuration values to use FIPS-compliant images, specifies image tags and versions, refers to the Docker registry secret for image pulls, and configures the mesh to hold application startup until the Istio proxy sidecar is ready
  • Installs the Istio control plane (istiod) with the configuration values from the previous stanza
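The <docker-secret-config-base64encoded> placeholder in the script is the base64 encoding of a Docker config.json that holds credentials for registry.c3.ai. The following added example (this editor's code, not C3 AI's or Istio's) builds that payload and the Secret manifest from a username and token, and decodes it again so you can audit what a secret in the cluster actually grants. The registry host is the one from the script above; the credentials are placeholders and the function names are the example's own:

```python
"""Build the .dockerconfigjson payload for the registryc3ai pull secret.

Added example, not C3 AI or Istio code.  It assumes the registry host
registry.c3.ai from the page; the username and token below are placeholders.
"""
import base64
import json


def docker_config_json(registry: str, username: str, password: str) -> str:
    """Return the document Kubernetes expects inside a kubernetes.io/dockerconfigjson
    secret: the same layout as ~/.docker/config.json, with an "auth" field holding
    base64("username:password").  base64 is encoding, not encryption: anyone who can
    read the Secret can recover the token, so grant the token a pull-only scope."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {registry: {"username": username, "password": password, "auth": auth}}}
    return json.dumps(config, separators=(",", ":"))


def secret_manifest(name: str, namespace: str, registry: str, username: str, password: str) -> str:
    """Render the Secret manifest; the data field is base64-encoded as kubectl requires."""
    encoded = base64.b64encode(docker_config_json(registry, username, password).encode()).decode()
    return "\n".join([
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {name}",
        f"  namespace: {namespace}",
        "type: kubernetes.io/dockerconfigjson",
        "data:",
        f"  .dockerconfigjson: {encoded}",
        "",
    ])


def decode_secret_data(encoded: str) -> dict:
    """Reverse the encoding, for auditing a secret read back from the cluster with
    kubectl get secret registryc3ai -n istio-system -o jsonpath="{.data}"."""
    return json.loads(base64.b64decode(encoded))


def registries_in_secret(encoded: str) -> list:
    """Registry hosts the secret can authenticate to (should be just registry.c3.ai)."""
    return sorted(decode_secret_data(encoded)["auths"])


if __name__ == "__main__":
    # Placeholder credentials (constructed for the example); read real ones from the
    # environment or a secret store rather than pasting them into a shell session.
    print(secret_manifest("registryc3ai", "istio-system", "registry.c3.ai", "pull-user", "pull-token"))
```

Pipe the output into kubectl apply -f - in place of the heredoc in the script. Because the token is recoverable from the Secret, restrict who can read Secrets in istio-system with RBAC and use a registry token that can only pull.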

2. Enable Istio sidecar injection

Istio's traffic management and security features act on traffic that passes through an Envoy sidecar proxy, so every Kubernetes pod in the mesh must run one. The sidecar intercepts the pod's inbound and outbound traffic and, with mTLS enabled, encrypts traffic between pods.

To learn more about the sidecar data plane mode, see Sidecar mode in the Istio documentation.

When you configure sidecar proxies for the C3 Agentic AI Platform, enable automatic sidecar injection. Add the following label to the namespace where you deployed the C3 Agentic AI Platform server:

Text
kubectl label namespace <namespace> istio-injection=enabled --overwrite

This command labels the Kubernetes namespace so that Istio injects a sidecar into every pod created there from now on; --overwrite replaces the label if it already exists. Injection happens at pod creation, so pods that were already running keep running without a sidecar until they are recreated.

To learn more about automatic sidecar injection, see Automatic sidecar injection in the Istio documentation.

3. Enable and configure mTLS

Enable and configure Mutual Transport Layer Security (mTLS) so that workloads communicate over mTLS once they have migrated to Istio. As part of the migration to the Istio mesh, delete any pods in the namespace that do not have an Istio sidecar proxy; their controllers recreate them, and because the namespace now carries the injection label from the previous step, every recreated pod includes a sidecar.

Istio automatically configures workload sidecars to use mTLS when they call other workloads, and by default configures destination workloads in PERMISSIVE mode. In PERMISSIVE mode a service accepts both plain-text and mTLS traffic, which lets workloads that do not yet have a sidecar keep talking to workloads that do. PERMISSIVE does not enforce encryption: only a policy with mode STRICT rejects plain-text connections, and STRICT should be applied only after you have confirmed that every client of the namespace's services sends mTLS.

To learn more about mTLS in Istio, see Auto mutual TLS in the Istio documentation.

Apply the following policy to the namespace where you deployed the C3 Agentic AI Platform server to enable and configure mTLS:

Text
kubectl apply -n <namespace> -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: <namespace>
spec:
  # No selector: the policy applies to every workload in the namespace.
  mtls:
    mode: PERMISSIVE   # accept both plain text and mTLS; STRICT would reject plain text
EOF

This code creates a namespace-wide PeerAuthentication policy (it has no selector, and Istio's convention is to name such a policy default), sets the mTLS mode to PERMISSIVE, and applies the setting to every workload in the namespace.

4. Configure Nginx ingress

When you deploy the C3 AI Helm chart in the Istio-enabled cluster, do not let inbound client traffic to the ingress controller pass through the Istio sidecar proxy. The Nginx ingress controller then terminates client-facing TLS on ports 80 and 443 itself, while its outbound calls to platform services still go through the sidecar and therefore use mesh mTLS. Add the following Nginx ingress controller annotations to the C3 AI Helm chart:

Text
c3-nginx-ingress:
  controller:
    podAnnotations:
      # Intercept no inbound ports: client TLS terminates at Nginx, not at the sidecar.
      traffic.sidecar.istio.io/includeInboundPorts: ""
      traffic.sidecar.istio.io/excludeInboundPorts: "80,443"
      # Let the controller reach the Kubernetes API server without the sidecar in the path.
      traffic.sidecar.istio.io/excludeOutboundIPRanges: "<IP>/32"

The excludeOutboundIPRanges annotation lets the Nginx ingress controller call the Kubernetes API server (where it watches Ingress, Service and Endpoints objects) without sidecar interference. Istio validates this annotation as a comma-separated list of CIDR ranges, so the single address is written with a /32 suffix. Replace <IP> with the cluster IP of the kubernetes service in the default namespace, which is the address in-cluster clients use for the API server:

Text
IP=$(kubectl -n default get svc kubernetes -o jsonpath='{.spec.clusterIP}')

5. Route ingress object traffic to a single upstream service

By default the Nginx ingress controller proxies each request directly to a pod IP it has discovered from the Endpoints of the backend service, which bypasses the Service and with it the sidecar's service-level routing and policy. Annotate every ingress object to route traffic to the single upstream Service instead of the list of endpoints, so that the Istio sidecar in the ingress controller pod can intercept the traffic and route it through the mesh.

Set the following field to true in the C3 AI Helm chart:

Text
c3:
  security:
    istio:
      enabled: true

When you set this field to true, the chart adds the annotation nginx.ingress.kubernetes.io/service-upstream: "true" to the C3 AI cluster ingress objects, so Nginx proxies to each Service's cluster IP rather than to the individual pod endpoints.

6. Enable Istio on the C3 AI Cluster

After you complete the setup steps, run the following command in the c3/c3 C3 AI Console to enable Istio on the C3 AI cluster:

JavaScript
// Persist istioEnabled=true in the K8sClusterConfig of the current cluster.
K8sClusterConfig.forId(C3.cluster().id).withIstioEnabled(true).setConfig()
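Before flipping the cluster flag, it is worth confirming that steps 2, 3 and 5 actually took effect in the namespace. The following added example (this editor's code, not C3 AI's or Istio's) does that offline from the JSON that kubectl get ... -o json prints: it reports pods that still run without an istio-proxy sidecar, the mode of the namespace-wide PeerAuthentication, and Ingress objects that lack the service-upstream annotation. The embedded namespace, pod, policy and ingress objects are constructed samples, and the function names are the example's own:

```python
"""Audit a namespace against the Istio setup steps on this page.

Added example, not C3 AI or Istio code.  Input is the JSON printed by
`kubectl get <resource> -n <namespace> -o json`; the embedded sample objects
are constructed so the script runs offline.
"""
import json
import sys
from typing import Optional

SIDECAR = "istio-proxy"
INJECTION_LABEL = "istio-injection"
SERVICE_UPSTREAM = "nginx.ingress.kubernetes.io/service-upstream"


def injection_enabled(namespace: dict) -> bool:
    """True when the namespace carries the label set in step 2."""
    labels = namespace.get("metadata", {}).get("labels") or {}
    return labels.get(INJECTION_LABEL) == "enabled"


def pods_without_sidecar(pods: list) -> list:
    """Pods created before injection was enabled run without a proxy until recreated.
    Istio runs the proxy as a regular container or, with native sidecars, as an
    init container, so both lists are checked."""
    missing = []
    for pod in pods:
        spec = pod["spec"]
        names = {c["name"] for c in spec.get("containers", []) + spec.get("initContainers", [])}
        if SIDECAR not in names:
            missing.append(pod["metadata"]["name"])
    return sorted(missing)


def namespace_mtls_mode(policies: list) -> Optional[str]:
    """Mode of the namespace-wide PeerAuthentication, i.e. the one with no selector.
    PERMISSIVE still accepts plain text; only STRICT rejects it."""
    for policy in policies:
        spec = policy.get("spec", {})
        if "selector" not in spec:
            return spec.get("mtls", {}).get("mode")
    return None


def ingresses_without_service_upstream(ingresses: list) -> list:
    """Ingress objects Nginx would still proxy to pod endpoints instead of the Service."""
    return sorted(
        ing["metadata"]["name"] for ing in ingresses
        if (ing["metadata"].get("annotations") or {}).get(SERVICE_UPSTREAM) != "true"
    )


def audit(namespace: dict, objects: list) -> list:
    """Return findings as strings; an empty list means the namespace matches the steps."""
    by_kind = {}
    for obj in objects:
        by_kind.setdefault(obj["kind"], []).append(obj)
    findings = []
    if not injection_enabled(namespace):
        findings.append(f"namespace label {INJECTION_LABEL}=enabled is missing")
    for name in pods_without_sidecar(by_kind.get("Pod", [])):
        findings.append(f"pod {name} has no {SIDECAR} container; delete it so it is recreated with one")
    mode = namespace_mtls_mode(by_kind.get("PeerAuthentication", []))
    if mode is None:
        findings.append("no namespace-wide PeerAuthentication found")
    elif mode == "PERMISSIVE":
        findings.append("mTLS mode is PERMISSIVE, so plain text is still accepted")
    for name in ingresses_without_service_upstream(by_kind.get("Ingress", [])):
        findings.append(f"ingress {name} lacks {SERVICE_UPSTREAM}=true")
    return findings


# Constructed sample: a namespace halfway through the migration.
SAMPLE_NAMESPACE = {"metadata": {"name": "c3", "labels": {INJECTION_LABEL: "enabled"}}}
SAMPLE_OBJECTS = [
    {"kind": "Pod", "metadata": {"name": "c3-server-0"},
     "spec": {"containers": [{"name": "c3-server"}, {"name": SIDECAR}]}},
    {"kind": "Pod", "metadata": {"name": "c3-worker-0"},  # started before step 2
     "spec": {"containers": [{"name": "c3-worker"}]}},
    {"kind": "PeerAuthentication", "metadata": {"name": "default"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"kind": "Ingress", "metadata": {"name": "c3-server", "annotations": {SERVICE_UPSTREAM: "true"}}},
    {"kind": "Ingress", "metadata": {"name": "legacy-ui"}},
]


def load_items(path: str) -> list:
    """Accept either a single object or a kubectl List."""
    with open(path) as fh:
        doc = json.load(fh)
    return doc["items"] if doc.get("kind") == "List" else [doc]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        namespace, objects = load_items(sys.argv[1])[0], load_items(sys.argv[2])
    else:
        namespace, objects = SAMPLE_NAMESPACE, SAMPLE_OBJECTS
    for line in audit(namespace, objects) or ["ok: namespace matches the Istio setup steps"]:
        print(line)
```

Against a live cluster, save the output of kubectl get namespace <namespace> -o json and kubectl get pods,peerauthentications,ingresses -n <namespace> -o json to two files and pass both paths. With no arguments it runs on the embedded sample and reports the worker pod that predates injection, the PERMISSIVE policy, and the unannotated ingress.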

(Optional) Visualize traffic flow

You can use Kiali, an observability console for Istio, to visualize your Istio mesh. To learn more about visualizing your mesh, see Visualizing Your Mesh in the Istio documentation.

Run the following commands to deploy the Istio sample add-ons and open Kiali. Use the add-on manifests from the same Istio release you installed (release-1.24 here); the manifests deploy into the istio-system namespace, so apply them without a namespace override:

Text
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/addons/prometheus.yaml
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/addons/kiali.yaml
istioctl dashboard kiali

This code sets up observability and visualization tools for the Istio mesh in the platform. It does the following:

  • Installs Prometheus, a monitoring and metrics collection system that Kiali reads traffic metrics from
  • Installs Kiali, an Istio observability and visualization tool
  • Opens the Kiali dashboard, which displays traffic flow between services and workloads

The sample add-ons are intended for demonstrations, not production: the sample Kiali configuration uses anonymous authentication, so do not expose it outside the cluster. istioctl dashboard kiali reaches it through a port-forward from your workstation, which is the intended access path.