Istio
Istio is an open-source tool that allows you to connect, secure, control, and observe services. It is commonly used as a service mesh in Kubernetes.
In software architecture, a service mesh is a dedicated infrastructure layer for facilitating service-to-service communications between microservices, often using a sidecar proxy.
Having such a dedicated communication layer can provide a number of benefits, such as providing observability into communications, providing secure connections, or automating retries and backoff for failed requests.
Istio architecture
Istio is made up of the following components:
- Envoy (L7 proxy)
- Dynamic service discovery
- Load balancing
- Health checks
- Staged rollouts
- Fault injection
- Control Plane API
- Pilot (sends traffic to proxy)
- Routing policies
- Service discovery
- Intelligent routing
- Resiliency
- Citadel
- User authentication
- Credential management
- Certificate management
- Traffic encryption
- Mixer
- Access control
- Usage policies
- Telemetry data
- Misc
- Galley
- Istio policies
- Uses Mixer
Install Istio
Docker method
- Add current user to docker group:
sudo usermod -aG docker $(whoami)
- Install docker-compose and make it executable:
COMPOSE_VERSION=1.23.2
sudo curl -L "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-Linux-x86_64" \
  -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
- Download Istio and unpack it:
wget https://github.com/istio/istio/releases/download/1.0.6/istio-1.0.6-linux.tar.gz
tar -xvf istio-1.0.6-linux.tar.gz
- Preconfigure kubectl for pilot:
kubectl config set-context istio --cluster=istio
kubectl config set-cluster istio --server=http://localhost:8080
kubectl config use-context istio
- Create a DOCKER_GATEWAY environment variable:
export DOCKER_GATEWAY=172.28.0.1: # <- don't forget the colon
- Bring up Istio's control plane (this command may need to be repeated to ensure the pilot container starts):
docker-compose -f ./istio-1.0.6/install/consul/istio.yaml up -d
- Change bookinfo.yaml to set port 30080 in place of port 9081:
sed -i 's/9081/30080/' ./istio-1.0.6/samples/bookinfo/platform/consul/bookinfo.yaml
- Bring up the application:
docker-compose -f ./istio-1.0.6/samples/bookinfo/platform/consul/bookinfo.yaml up -d
- Bring up the sidecars:
docker-compose -f ./istio-1.0.6/samples/bookinfo/platform/consul/bookinfo.sidecars.yaml up -d
Kubernetes method
- Get the Istio installation package onto the Kube Master and unpack it:
$ wget https://github.com/istio/istio/releases/download/1.0.6/istio-1.0.6-linux.tar.gz
$ tar -xvf istio-1.0.6-linux.tar.gz
- Add istioctl to our path:
$ export PATH=<path_to_istio_bin>:$PATH
- Set Istio to NodePort at port 30080:
$ sed -i 's/LoadBalancer/NodePort/;s/31380/30080/' ./istio-1.0.6/install/kubernetes/istio-demo.yaml
- Bring up the Istio control plane:
$ kubectl apply -f ./istio-1.0.6/install/kubernetes/istio-demo.yaml
- Verify that the control plane is running:
$ kubectl -n istio-system get pods
When all of the pods are up and running (which we can verify by running that command again) we can move on.
- Install the bookinfo application with manual sidecar injection:
$ kubectl apply -f <(istioctl kube-inject -f istio-1.0.6/samples/bookinfo/platform/kube/bookinfo.yaml)
- Verify that the application is running and that there are 2 containers per pod:
$ kubectl get pods
- Once everything is running, create an Ingress and virtual service for the application:
$ kubectl apply -f istio-1.0.6/samples/bookinfo/networking/bookinfo-gateway.yaml
Verify the page loads at the URI http://<kn1_IP ADDRESS>:30080/productpage
- Verify That Routing Rules Are Working by Configuring the Application to Route to v1 Then v2 of the reviews Backend Service
- Set the default destination rules:
$ kubectl apply -f istio-1.0.6/samples/bookinfo/networking/destination-rule-all.yaml
- Route all traffic to version 1 of the application and verify that it is working:
$ kubectl apply -f istio-1.0.6/samples/bookinfo/networking/virtual-service-all-v1.yaml
- Update the virtual service file to point to version 2 of the service and verify that it is working. Edit istio-1.0.6/samples/bookinfo/networking/virtual-service-all-v1.yaml (using whatever text editor you like) and change this:
- destination:
    host: reviews
    subset: v1
to this:
- destination:
    host: reviews
    subset: v2
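The "2 containers per pod" check from the Kubernetes method can be automated. This is an added example, not part of the original page: it lists each pod's container names and reports pods that have no sidecar, which therefore sit outside the mesh. It assumes the injected sidecar container is named istio-proxy; the function names and sample pod names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): find pods without the Envoy sidecar.
# Assumption: the injected sidecar container is named "istio-proxy".

# Print "<pod name><TAB><container names>" for every pod in a namespace.
# $1 is the namespace (defaults to "default"). Requires a working kubectl context.
list_pod_containers() {
    kubectl -n "${1:-default}" get pods \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
}

# Read that listing on stdin and print the names of pods that have no
# container named exactly "istio-proxy" (prefix matches do not count).
pods_missing_sidecar() {
    awk -F '\t' '
        NF < 2 { next }    # skip blank or malformed lines
        {
            n = split($2, names, " ")
            found = 0
            for (i = 1; i <= n; i++)
                if (names[i] == "istio-proxy") found = 1
            if (!found) print $1
        }'
}

# Constructed sample listing, in the same format list_pod_containers emits.
sample_listing() {
    printf 'details-v1-aaa\tdetails istio-proxy\n'
    printf 'productpage-v1-bbb\tproductpage istio-proxy\n'
    printf 'reviews-v2-ccc\treviews\n'
    printf 'legacy-batch-ddd\tworker istio-proxy-exporter\n'
}

# Offline demonstration on the constructed sample.
sample_listing | pods_missing_sidecar
```

Against a live cluster, run `list_pod_containers default | pods_missing_sidecar`; empty output means every pod in the namespace carries the sidecar.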
Prometheus and Grafana
In this section, we will be looking at using Prometheus and Grafana to gain insight into the behavior of the traffic inside the Istio mesh. In order to gain access to this with a browser, we are going to be using Nginx to create a proxy for the services. The proxy listens on port 80 on all interfaces and adds no authentication of its own, so restrict access to the host at the network level. This is the Nginx configuration that is used in the lesson, located at /etc/nginx/sites-enabled/default:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {proxy_pass http://127.0.0.1:9090;}   # Prometheus
    #location / {proxy_pass http://127.0.0.1:3000;}  # Grafana
}
There are also 2 commands that are used to forward the ports.
- The command to forward the ports for Prometheus:
kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=prometheus -o jsonpath='{.items[0].metadata.name}') 9090:9090 &
- The command to forward the port for Grafana:
kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=grafana -o jsonpath='{.items[0].metadata.name}') 3000:3000 &