10 Mins Read  January 16, 2019  Terence Nero

Istio Service Mesh: The Step by Step Guide

What is Istio Service Mesh?

Istio service mesh provides several capabilities for traffic monitoring, access control, discovery, security, resiliency, and other useful things to a bundle of services. It delivers all that and strikingly does not require any changes to the code of any of those services.

To make this possible, Istio deploys an Istio proxy (called an Istio sidecar) next to each service. All of the traffic meant for assistance is directed to the proxy, which uses policies to decide how, when, or if that traffic should be deployed to the service. It also enables sophisticated techniques such as canary deployments, fault injections, and circuit breakers.

Istio proxy

How Istio Works with Containers and Kubernetes

Istio service mesh, as suggested, uses a sidecar container implementation of the features and functions required mainly for microservices. Developed and announced in 2017, it was built on the Istio envoy framework, and has since then sunk its teeth into areas such as monitoring, tracing, circuit breakers, routing, fault injections, load balancing, retries, timeouts, mirroring, access control and rate limiting procedures.

Istio envoy
  • What makes Istio so unique is that all these functionalities come with no change of code required.
  • Istio runs in a Linux container in the Istio Kubernetes pods using an Istio sidecar implementation and when required injects and extracts functionality and information based on the configuration needed.
  • It also transports operational aspects away from code development and into the heart and center of the operations.
Istio Data Plane

Service Meshing Basics

The theory behind service meshes is that all common network related tasks should be extrapolated away from both the applications and the underlying systems.

  • The mesh thus should be nothing but a network of software entities that perform such tasks for different services when required.
  • Without such setups, the conventional structure requires users to either embed these tasks as part of the networking infrastructure or make massive code changes into the application layer.

In a microservices environment, neither alternative seems to fits. The application overlay approach is application cognizant and can create sophisticated content-based routing.

It backfires though due to a large amount of redundant code that lowers performance. Conversely, using an L3 or L4 overlay has neither the concept nor the visibility of any multiple service requests.

Istio API Gateway vs Service Mesh

As a result, service meshes become a great way to run and manage the microservice environment since it operates at the L7 level, yet is separate from the application code.

It can even implement L3/L4 policies with additional app-level insight.

Service Mesh Control Panel

The Istio Service Mesh Architecture

  • Istio service mesh is an intentionally designed abstraction that has both a control plane and a data plane.
  • Istio is a service mesh created by the combined efforts of IBM, Google, and Lyft. The sidecar patterns are enabled by the Envoy proxy and are based on containers.
Istio Architecture

By infusing Envoy intermediary servers into the system way between administrations, Istio gives refined activity administration controls, for example, stack adjusting and fine-grained steering.

This directing cross section likewise empowers you to separate an abundance of measurements about movement conduct, which can be utilised to authorise arrangement choices, for example, fine-grained get to control and rate confines that administrators can design. Those equivalent measurements are additionally sent to checking frameworks.

Envoy Topology

Istio accomplishes this by conveying:-

  • A control plane that controls the overall network infrastructure and strengthens the policy and traffic rules.
  • A data plane that uses sidecars through the Envoy makeshift which is an open source edge proxy.

The Istio architecture accomplishes the objectives that administration work intends to convey, in a superior and secure activity administration.

  • The information planes are an arrangement of superior intermediaries that capture organized movements and connects them with the system layer to course future activities.
  • The control plane has a Layer 7 understanding and can train the information plane to settle on some complex steering choices dependent on arrangements, security stances, and continuous telemetry data.

The deliberations given by administration works offer great detachments that assist designers, developers and security engineers. The information edited plane works a job in a way that they are the hidden system from the application.

The control plane furthers any edited compositions away which implies that the information plane can center around being the high performing movement interceptor and switch roles without any complications. Together, any administration work can become smarter and avoid the problems of building a large code support gateway.

Another key idea in service meshes is service personality. That is, each administration is relegated a cryptographically robust character. Overseeing administrations concerning substantial aspects empowers a well tuned, personality-based arrangement that might seem impossible in the past.

Key Capabilities and Top Use Cases for Istio Service Meshes

Today, the service mesh workspace is getting expanded considerably. A portion of the key abilities of Istio administration workspace include:-

Istio administration workspace
Source:- https://groups.google.com
  • Stocking And Perceivability
    • Providing understanding and perceivability to which administrations are running, who is conversing with whom and administration conditions.
  • Execution Administration
    • Here execution implies reaction time, asset usage, and the relationship between application execution and business measurements.
    • Through administration work, an association can set certain execution measurements to guarantee that assets are dispersed and utilised in an ideal form among administrations, and those particular operational measurements are met.
  • Security Strategy Administration
    • Service Mesh gives the capacity to characterise and oversee strategies dependent on personalities, e.g., who can converse with whom.
    • Moreover, you can likewise apply authoritative approaches to administer the association between administrations.
  • Movement Administration
  • With a well-worked organisation, it’s genuinely simple to control activity between administrations utilising service meshes.
    • For instance, Istio uncovered an arrangement of APIs that enables you to set fine-grained activity rules. This additionally incorporates programmed directing arrangements that can make the administration ask for more dependency when the system confronts unfavourable conditions.

Where can Istio Service Mesh be useful?

Istio Service Mesh use
  • Finding And Recognizing Services
    • It’s common for organisations to be unaware of which services are running in their infrastructure which becomes worse for a microservices led environment. Istio service mesh provides service-level visibility and telemetry that helps any organisation be updated with service inventories and dependency analysis.
  • Operation Reliability
    • The telemetry data service tells you how well a service is performing such as the time taken to respond to service requests, resources used and how often they were used.
    • This helps developers in spotting issues and correcting them before they cause any repercussions to the wider application environment.
  • Structured Traffic Governance
    • In the case that any organisation thinks about sidelining or restricting specific content such as URLs or sub-URLs, the Istio service mesh allows for such arrangements for any range of traffic management systems.
    • As with Istio, this can be done without the need of redressing the application by simply using the sidecar functionalities of Istio. This includes services within a specific mesh as well as the ingress and egress traffic that exits and enters the mesh.
  • Safer Service-To-Service Communications
    • As the Istio service mesh allows a secure universal service identity system, companies can use a mutually integrated TLS for service-to-service communications.
    • This also allows users to add service-level authentication procedures employing either the TLS or a JSON Web Tokens (JWS).
  • Systems For Trust-Based Access Control
    • Instead of configuring access to mainframe systems based on common static attributes such as user identities, IP addresses, or access control lists, service meshes like Istio allow for real-time hosting as well as using network telemetry on the data.
    • For instance, users can draft and execute a safety policy that states that every service request can be accessed based on the purpose of the request or might even demand a Certificate Signing Request (CSR) that becomes a valid id should the requester pass a string of confirmatory checks.
  • Measures For Drastic Times
    • Service meshes are equipped with specific functions that perform fault injection procedures and test the resiliency of al services. Istio service mesh can inject specific delays in the service responses to see how the application executes and responds to requesters as a whole component.
    • Injecting delays is also a tried and tested method of modern chaos engineering techniques that are used to raise the longevity and resilience of the systems against faulty situations.

Getting Started With Istio

Getting Started With Istio
  • Installing Istio on the Minikube Platform

The best way to test Istio locally on Istio Kubernetes is through Istio Minikube. Microservices with Kubernetes service mesh and Docker should be used. To install Istio on Minikube, you would have to enable the following plugins at startup.

Minikube start setup—extra-config-device-controller-lokalcube.setup.rg

Minikube startup setup—extra-config- clustersign.

  • After running Minikube, enable Docker on Minikube’s VM. This will help you in compiling and running commands on the docker platform. Send a call function for the service mesh by specifying the token, delimiter and minikube docker.

@FOR /f “tokens=*      [The star sign reflects that all tokens will be loaded at the run time]

delimiter=^K” %[CallName] IN ([DockerSource]) DO @call %[CallName]   [At the callname, the new window will be opened with delimiter K and all the tokens].

  • Next, install Istio and all its core components through the Minikube to enter the plugin and add-on commands after entering the YAML code.

kubectl apply -f install/kubernetes/istio.yaml

Istio’s Core Components

weaving the mesh - sidecars
  • Envoy
    • Envoy is an open-source extension and service proxy provider, built for cloud-extensive meshes. The Istio mesh creates an extendible proxy system through Envoy.
  • Mixer
    • The mixer is a part of the service mesh that helps in enforcing safety protocols, allowing access controls and implementing usage policies and works independently from the mesh.
  • Pilot
    • Pilot provides all services for the Istio Envoy sidecars and allows for a more coherent traffic management system with high level routing.

On checking the configuration files inside the istio.yaml deployments, you’ll find some pods and services which can be activated using the kubectl command running commands on the minikube command central.

Building Sample Applications

Building Sample Applications

Before configuring any traffic rules with Istio, sample applications have to be created to communicate with each other. There are two services available: caller-service and callme-service.
[wcp-carousel id=”10026″]
Both of them expose an endpoint ping which lists the application’s name and version. The following is the implementation of the endpoint GET /callme/ping.


@RestController

@RequestMapping(“/callme”)

public class CallmeController {

private static final Logger LOGGER = LoggerFactory.getLogger(CallmeController.class);

@Autowired

BuildProperties buildProperties;

@GetMapping(“/ping”)

public String ping() {

LOGGER.info(“Ping: name={}, version={}”, buildProperties.getName(), buildProperties.getVersion());

return buildProperties.getName() + “:” + buildProperties.getVersion();

}

}

Below is the code that calls the GET /callme/ping endpoint using Spring RestTemplate. This serviced output will be exposed inside the Minikube node under port 8091.

@RestController

@RequestMapping(“/caller”)

public class CallerController {

private static final Logger LOGGER = LoggerFactory.getLogger(CallerController.class);

@Autowired

BuildProperties buildProperties;

@Autowired

RestTemplate restTemplate;

@GetMapping(“/ping”)

public String ping() {

LOGGER.info(“Ping: name={}, version={}”, buildProperties.getName(), buildProperties.getVersion());

String response = restTemplate.getForObject(“http://callme-service:8091/callme/ping”, String.class);

LOGGER.info(“Calling: response={}”, response);

return buildProperties.getName() + “:” + buildProperties.getVersion() + “. Calling… ” + response;

}

}


Working On Sample Applications

Working On Sample Applications

All sample applications have to be started on a Docker container. Below is the Dockerfile that is responsible for building images using the critical caller-service application.



FROM openjdk:8-jre-alpine

ENV APP_FILE caller-service-1.0.0-SNAPSHOT.jar

ENV APP_HOME /usr/app

EXPOSE 8090

COPY target/$APP_FILE $APP_HOME/

WORKDIR $APP_HOME

ENTRYPOINT [“sh”, “-c”]

CMD [“exec java -jar $APP_FILE”]

The callme-service has a similar Docker file. Now let’s move on to building Docker images.

docker build -t piomin/callme-service:1.0 .

docker build -t piomin/caller-service:1.0.

docker build -t piomin/callme-service:2.0.


Deploying Sample Applications On Minikube

Begin by deploying the callme-service in two versions: 1.0 and 2.0. The application caller-service is just calling callme-service.

You can route traffic between two versions of callme-service in various proportions using the Istio routerule. Also, Minikube does not support Ingress, and it’s best to use Kubernetes Service Mesh. Set the type to NodePort if the objective is to extend it beyond the Minikube service.


apiVersion: v1

kind: Service

metadata:

name: callme-service

labels:

app: callme-service

spec:

type: NodePort

ports:

– port: 8091

name: http

selector:

app: callme-service



apiVersion: extensions/v1beta1

kind: Deployment

metadata:

name: callme-service

spec:

replicas: 1

template:

metadata:

labels:

app: callme-service

version: v1

spec:

containers:

– name: callme-service

image: piomin/callme-service:1.0

imagePullPolicy: IfNotPresent

ports:

– containerPort: 8091


Next, it’s time to implement some Istio properties. The command below prints a new version of the deployment definition with any Istio configuration.

istioctl kube-inject -f deployment.yaml

To apply this configuration to Kubernetes, type in the command below.

kubectl apply -f deployment-with-istio.yaml

All YAML configuration files are committed together and can be found in the root directory of every application’s module. On successfully deploying all the required components, you should see the following elements in the Minikube’s dashboard.

Setting Up Istio Routing Rules

Istio works on a domain-specific language (DSL) that allows you to configure efficient rules that control how requests are routed within the service mesh.

The following code splits traffic in proportions 20:80 between the versions while also adding a 5-second delay in 10% of the requests,= and returns an HTTP 500 error code for 10% of the requests.


apiVersion: config.istio.io/v1alpha2

kind: RouteRule

metadata:

  name: callme-service

spec:

  destination:

    name: callme-service

  route:

  – labels:

      version: v1

    weight: 20

  – labels:

      version: v2

    weight: 80

  httpFault:

    delay:

      per cent: 10

      fixedDelay: 5s

    abort:

      per cent: 10

      httpStatus: 500



Applying Further Rules

Use the following command to apply a new route rule to Kubernetes.

kubectl apply -f routerule.yaml

Programmers can now easily verify that rule by typing the command istioctl get routerule.

If a case arrives where an Istio Ingress controller is required, a Kubernetes Ingress resource for the application can be annotated with kubernetes.io/ingress.class: “istio”. Here is one such example using the case study of the books in a library/store:-


cat <<EOF  “` kubectl create -f –

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

 name: bookinfo

 annotations:

   kubernetes.io/ingress.class: “istio.”

spec:

 rules:

 – http:

     paths:

     – path: /productpage

       backend:

         serviceName: productpage

         servicePort: 9080

     – path: /login

       backend:

         serviceName: productpage

         servicePort: 9080

     – path: /logout

       backend:

         serviceName: productpage

         servicePort: 9080



The new application can be accessed using the code:-

export BOOKINFO_URL=$(kubectl get po -l istio=ingress -o jsonpath={.items[0].status.hostIP}):$(kubectl get svc istio-ingress -o jsonpath={.spec.ports[0].nodePort})

Testing Solutions

Istio Testing Solutions
Source:- https://sysdig.com

Before jumping up to the testing phase, it’s useful to deploy Zipkin on Minikube. Istio provides the deployment definition file zipkin.yaml that can be found inside the directory ${ISTIO_HOME}/install/kubernetes/addons.

kubectl apply -f zipkin.yaml

The API provided by the application caller-service can be viewed under the port as mentioned in the source code.

If you do feel like testing the service, open up a web browser and call the URL generated with the address and caller ping. The name and version of the service will be printed as well as the name and version of callme-service invoked by caller-service.

Closing Words

Istio Service Mesh is a clear indication that with the advancements of technology, the industry doesn’t get older but just better each year.

Despite being a relatively young addition to the family of softwares, Istio Service Mesh has offered tremendously great new applications that are changing the way companies deal with their processes. As new additions and packages become a part of its extensive library with further help from the Envoy backframe and  Google, it’s clear that Istio is the certain next industry standard for microservices.Must Reads:
[wcp-carousel id=”10008″]

Recommended Content

Go Back to Main Page