How to set up Anypoint Service Mesh

Shouvojit Sarker, published in agiledigital
9 min read, Nov 24, 2020

A practical walkthrough of installation and validation for Anypoint Service Mesh.

Cover photo: organised wires mimicking microservices successfully operating with a Service Mesh. Photo by Victor Aznabaev on Unsplash.

Using a Service Mesh is a great way to address the challenges inherent in a microservices architecture. Anypoint Service Mesh is MuleSoft’s Service Mesh extension that integrates with Anypoint Platform, allowing Kubernetes-hosted services to be managed seamlessly through Anypoint.

In this walkthrough, we’ll install Istio and Anypoint Service Mesh on Minikube. Then we’ll provision the MuleSoft adapter and deploy a non-Mule service in the adapter namespace. We’ll manage the non-Mule service from Anypoint Platform and run some initial checks to see whether our Service Mesh is working as expected. Finally, we’ll secure the service using policies applied from Anypoint Platform.

Before you Start

  1. Request an Anypoint Service Mesh trial license from MuleSoft. Processing the trial license request can take some time, so it is wise to send the request a few days before starting on this demo.
  2. Get the YAML files used in the rest of the exercise.
  3. Request the Anypoint permissions that you will need from your organisation. To define the API to be applied through the Service Mesh, the API creator role is required. To access analytics and apply policies, API Manager Environment Administration permission is required.

Install Service Mesh client and provision adapter

  • Minikube should be started with 4 CPUs for this tutorial. NB: Minikube is a great tool to use for development purposes while experimenting with a Service Mesh trial licence. For production use, Google Kubernetes Engine (GKE), Amazon EKS or Azure Kubernetes Service (AKS) are fully supported by MuleSoft and are recommended.
$ minikube start --memory=16384 --cpus=4
🙄 minikube v1.6.1 on Ubuntu 19.10
✨ Selecting 'kvm2' driver from user configuration (alternates: [none])
💡 Tip: Use 'minikube start -p <name>' to create a new cluster, or 'minikube delete' to delete this one.
🔄 Starting existing kvm2 VM for "minikube" ...
⌛ Waiting for the host to be provisioned ...
🐳 Preparing Kubernetes v1.17.5 on Docker '19.03.5' ...
🚀 Launching Kubernetes ...
🏄 Done! kubectl is now configured to use "minikube"
  • Download and install Istio 1.6.8 (Anypoint Service Mesh at this time does not support Istio versions above 1.6.8).
$ curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.6.8 sh -

$ ./istioctl install --set profile=demo
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Addons installed - Pruning removed resources
Pruned object ClusterRole::istio-mixer-istio-system.
Pruned object ClusterRole::istio-policy.
Pruned object ClusterRoleBinding::istio-mixer-admin-role-binding-istio-system.
Pruned object ClusterRoleBinding::istio-policy-admin-role-binding-istio-system.
✔ Installation complete
  • Istio can be installed with the basic demo profile, since Anypoint Platform is being used to apply policies¹. Apply default-manifest.yaml.
  • Create a namespace for pod deployment.
$ kubectl create namespace mule-apis
  • Enable Istio injection so that pods deployed into the namespace spin up with sidecar proxies. Injection happens when a pod is created, so any pod that was already running in the namespace before the label was applied must be recreated to receive a sidecar.
$ kubectl label namespace mule-apis istio-injection=enabled
$ kubectl get namespace -L istio-injection
NAME STATUS AGE ISTIO-INJECTION
<snip>
mule-apis Active 85s enabled
  • Apply the example manifest file for Anypoint Service Mesh².
$ ./istioctl manifest apply -f manifest-custom.yaml
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
✔ Istio core installed
✔ Istiod installed
✔ Addons installed
✔ Telemetry installed
✔ Policy installed - Pruning removed resources
<snip>
✔ Installation complete
  • Download and install the Anypoint Service Mesh client. Because the installer script is fetched and then executed as-is, fetch it over HTTPS (https://anypoint.mulesoft.com/servicemesh/xapi/v1/install) and review the script before running it.
$ curl -Ls http://anypoint.mulesoft.com/servicemesh/xapi/v1/install > asmctl && chmod +x asmctl
  • Install Anypoint Service Mesh. You will need an Anypoint Service Mesh license key and the client id and secret associated with that license key.
$ ./asmctl install --clientId=<clientId> --clientSecret=<clientSecret> --license=<license absolute or relative path> --platformUri=<Anypoint Platform Uri>
INFO: Welcome to Service Mesh installer!
INFO: Installing Service Mesh...
INFO: Checking Client credentials...
INFO: Checking Configuration...
INFO: Checking dependencies...
INFO: Checking kubernetes supported version...
INFO: Checking helm supported version...
INFO: Checking Istio supported version...
INFO: Checking kubernetes user role...
INFO: Create 'service-mesh' namespace...
INFO: Install Service Mesh...
INFO: > Add Service Mesh Helm Repository...
INFO: > Install 'service-mesh' Helm Chart...
INFO: Done!
  • Verify the status of all pods. There should be six pods in total running in the service-mesh namespace.
$ kubectl get pods -n service-mesh
NAME READY STATUS RESTARTS AGE
service-mesh-catalog-controller-manager-5978488d4f-vcnx8 1/1 Running 0 5m33s
service-mesh-catalog-webhook-787bfd45c-k26n6 1/1 Running 0 5m33s
service-mesh-envoy-filter-server-7f45d47f79-4qhkw 1/1 Running 0 5m33s
service-mesh-incluster-broker-64b667584-kkbm9 1/1 Running 0 5m33s
service-mesh-incluster-broker-impl-8cc8974c-swf95 1/1 Running 0 5m33s
service-mesh-mule-clusterip-service-576876f484-nmgm6 1/1 Running 0 5m33s
service-mesh-registry-credentials-rotator-7b9bc49658-dq6bl 1/1 Running 3 8m3s
  • Provision an adapter for the Service Mesh. The deployment you want to be in Service Mesh needs to be in the same namespace as the provisioned adapter.
$ ./asmctl adapter create \
    --name=<adapter name> \
    --namespace=<adapter namespace> \
    --size=<adapter plan size> \
    --replicas=<amount of replicas for the adapter> \
    --clientId=<clientId of the environment or organization> \
    --clientSecret=<client secret of the environment or organization> \
    --platformUri=<URL of Anypoint Platform>
INFO: Service Mesh Adapter 'mule-adapter' with clientId=11a38ed972db48b0b8a54da8da15050a and 1 replica(s) in namespace 'mule-apis' created
  • Verify that there is a new adapter pod in Service Mesh pod list.
$ kubectl get pods -n service-mesh
NAME READY STATUS RESTARTS AGE
grpcmule-mule-apis-75c64484f-mwx28 1/1 Running 3 16s
service-mesh-catalog-controller-manager-5978488d4f-vcnx8 1/1 Running 0 7m25s
service-mesh-catalog-webhook-787bfd45c-k26n6 1/1 Running 0 7m25s
service-mesh-envoy-filter-server-7f45d47f79-4qhkw 1/1 Running 0 7m25s
service-mesh-incluster-broker-64b667584-kkbm9 1/1 Running 0 7m25s
service-mesh-incluster-broker-impl-8cc8974c-swf95 1/1 Running 0 7m25s
service-mesh-mule-clusterip-service-576876f484-nmgm6 1/1 Running 0 7m25s
service-mesh-registry-credentials-rotator-7b9bc49658-dq6bl 1/1 Running 3 7m25s
  • Verify the adapter status.
$ ./asmctl adapter list
NAMESPACE NAME SIZE REPLICAS STATUS
mule-apis mule-adapter medium 1 Ready

Deploy a service

  • As we are going to be building a new image, we need to make sure that the built image is available to Minikube. Run the following command to point the local Docker client at Minikube’s Docker daemon, so the image is built where Minikube can find it.
$ eval $(minikube -p minikube docker-env)
  • Go into the hello_world_api folder. Build an image for hello_world_api. This is the service that we will deploy into Kubernetes.
$ docker build -t hello-world-image .
Sending build context to Docker daemon 2.01MB
Step 1/7 : FROM node:8
<snip>
Successfully built 3da43e3bc3dc
Successfully tagged hello-world-image:latest
  • Deploy the application in Kubernetes using the YAML file.
$ kubectl apply -f deployment.yml -n mule-apis
deployment.apps/hello-world-deployment configured
service/hello-world-deployment created
  • Change context to mule-apis namespace.
$ kubectl config set-context $(kubectl config current-context) --namespace mule-apis
Context "minikube" modified.
  • Run a pod with curl image in mule-apis namespace and send a request to the service. It should come back with a hello-world response.
$ kubectl run curl-debug  --generator=run-pod/v1  --image curlimages/curl -i -t  --command -- bin/sh
If you don't see a command prompt, try pressing enter.
$ curl hello-world-deployment:8000/hello_world
Hello World powered by Shouv
$
  • This method can also be used to send requests to the endpoint for testing purposes later. The testing pod keeps running after you exit the shell; to use it again, attach to it with the following command.
$ kubectl attach curl-debug -c curl-debug -i -t
If you don't see a command prompt, try pressing enter.
$ curl hello-world-deployment:8000/hello_world
Hello World powered by Shouv
$

The deployed application can be interacted with by sending requests and getting responses back. Though Service Mesh is installed and the service is deployed in the same namespace as the adapter, the endpoint still will not have any traceability, metrics or security. To get this, we will need to create a corresponding API in Anypoint Platform and bind it before applying security and other policies from Anypoint Platform.

Link Service Mesh with Anypoint Platform

  • Go back to the project root directory. Fill in environmentId, instanceLabel, assetId, version, apiSpec, apiInstance tags, username and password in anypoint-api-auto-create.yaml, then apply the auto-create YAML file to create your API in Anypoint Platform automatically. The username and password are Anypoint credentials, so keep the filled-in file out of version control.
$ kubectl apply -f anypoint-api--auto-create.yaml
serviceinstance.servicecatalog.k8s.io/hello-world-deployment created
  • Verify the endpoint is created on Anypoint Platform.
$ ./asmctl api list
NAMESPACE NAME ENVIRONMENT ID ASSET ID VERSION INSTANCE LABEL STATUS
mule-apis hello-world-deployment 537f4a39-127b-43b3-a75e-e628ac60f7a2 hello-world 0.0.1 public Ready
  • Bind your API endpoint.
$ kubectl apply -f anypoint-bind-hello.yaml
servicebinding.servicecatalog.k8s.io/hello-api-binding created
  • Verify the binding status.
$ ./asmctl api binding list
NAMESPACE NAME ADAPTER API SERVICE NAME STATUS
mule-apis hello-api-binding mule-adapter hello-world-deployment hello-world-deployment Ready
  • The API binding may report success with status Ready even though its health checks are failing, in which case Anypoint Service Mesh cannot send data to Anypoint Platform. If analytics never appear, check the binding logs.
  • Verify Istio sidecar status.
$ ./asmctl management check sidecar --namespace=mule-apis
INFO: Running sidecar check for namespace mule-apis ...
INFO: > pod/hello-world-deployment-77884f5cf-6sxdg: sidecar injected
INFO: > pod/hello-world-deployment-77884f5cf-xnrc8: sidecar injected
INFO: > pod/sleep-f8cbf5b76-w2qgm: sidecar injected
INFO: Done!
  • Log in to Anypoint Platform to apply policies and view analytics. You will require API Manager Environment Administrator permission on the environment the API is being created in.
  • It may take some time for analytics data to show up on Anypoint Platform. The best way to test the new API is to apply a policy and test if the policy is being honoured.
Anypoint Platform Analytics Dashboard
  • APIs can be updated, created and deleted while Service Mesh is running. Changes should be reflected on Anypoint Platform without needing to restart Service Mesh or the service.
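The sidecar check above is the step a defender should not skip: Anypoint policies are enforced inside each pod's istio-proxy container, so a pod without one sits outside the mesh. The following script is an added example, not part of the original post or of asmctl; it reads `kubectl get pods -o json` output and reports pods that were never injected (for example, pods created before the namespace label) or that opted out with the `sidecar.istio.io/inject` annotation. The pod list is constructed; the second and third pod names are made up.

```python
import json
import sys

# Constructed sample of `kubectl get pods -n mule-apis -o json`, trimmed to the
# fields this check reads. The second and third pod names are made up; this is
# not output captured from the walkthrough's cluster.
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "hello-world-deployment-77884f5cf-6sxdg",
                      "annotations": {"sidecar.istio.io/status": "{\"version\":\"x\"}"}},
         "spec": {"containers": [{"name": "hello-world"}, {"name": "istio-proxy"}]}},
        # Created before the namespace was labelled, so it was never injected.
        {"metadata": {"name": "legacy-worker-5d9f7c-abcde", "annotations": {}},
         "spec": {"containers": [{"name": "legacy-worker"}]}},
        # Explicitly opted out of injection with the Istio annotation.
        {"metadata": {"name": "batch-job-7f6b8-zzzzz",
                      "annotations": {"sidecar.istio.io/inject": "false"}},
         "spec": {"containers": [{"name": "batch-job"}]}},
    ]
})


def sidecar_report(pods_json: str) -> dict:
    """Classify each pod as injected, opted out, or missing its sidecar.

    Anypoint policies (rate limiting, basic auth) are enforced in the
    istio-proxy container, so a pod without it sits outside the mesh and
    traffic to it bypasses every policy applied from Anypoint Platform.
    """
    report = {"injected": [], "opted_out": [], "missing": []}
    for pod in json.loads(pods_json)["items"]:
        name = pod["metadata"]["name"]
        annotations = pod["metadata"].get("annotations") or {}
        containers = {c["name"] for c in pod["spec"].get("containers", [])}
        if "istio-proxy" in containers:
            report["injected"].append(name)
        elif annotations.get("sidecar.istio.io/inject") == "false":
            report["opted_out"].append(name)
        else:
            report["missing"].append(name)
    return report


if __name__ == "__main__":
    # Pipe live output in (script name assumed):
    #   kubectl get pods -n mule-apis -o json | python3 sidecar_check.py
    data = SAMPLE_PODS_JSON if sys.stdin.isatty() else sys.stdin.read()
    for kind, pods in sidecar_report(data).items():
        print(f"{kind}: {', '.join(pods) or '-'}")
```

Any pod listed under "missing" needs to be recreated after the namespace label is in place before it can be governed from Anypoint Platform.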

Apply SLA rate-limiting and basic auth

Now that we have our API endpoint exposed, it is time to apply policies from Anypoint Platform and check that they are being honoured.

  • Log into Anypoint Platform account and navigate to API manager.
  • Verify that our API endpoint is showing up in the list of APIs with status active.
API Manager Dashboard
  • Click on the version name.
  • It should take you to the settings page. From the left-hand side, click on SLA tier.
  • Click on Add new SLA tier, define the tier, and click add. The SLA tier is now added to the API endpoint.
SLA tier configuration
  • Navigate to policies and then click on apply new policy.
  • Click on rate-limiting SLA based. Then click on configure policy.
  • Configure and apply the new rate-limiting policy. For testing purposes, 2 requests per minute can be set.
Rate limiting SLA based configuration.
  • Send 2 requests to the endpoint. Verify that the first request comes back with an expected response and the second one with a blank response.
  • Go back to policies and click on apply new policy.
  • Select apply basic authentication — Simple Policy. Define a username and password for authentication.
  • Select apply configuration to all API methods and resources and click apply.
Basic Authentication with simple policy
  • Try sending a request to the endpoint without any authentication header or a header with wrong username and password.
  • Verify that it comes back with a 401 Unauthorized response.
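The two manual checks above (rate limiting, then basic auth) can be automated so the result is a clear verdict rather than eyeballing responses. This script is an added example, not code from the original post; it assumes the in-cluster URL used throughout the walkthrough, is meant to run from a pod in the mule-apis namespace such as curl-debug, and uses a placeholder for the credentials defined in the policy. The verdict functions are separated from the network probe so they can be checked against constructed observations.

```python
import base64
import urllib.error
import urllib.request

# Assumed in-cluster URL from the walkthrough; run this from a pod in the
# mule-apis namespace such as the curl-debug pod. GOOD_CREDS is a placeholder
# for the username:password defined in the basic authentication policy.
URL = "http://hello-world-deployment:8000/hello_world"
GOOD_CREDS = "user:pass"

def probe(url, credentials=None, timeout=5):
    """Send one GET and return (status, body); credentials is 'user:pass' or None."""
    req = urllib.request.Request(url)
    if credentials:
        token = base64.b64encode(credentials.encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # 401, 429 and friends land here
        return err.code, err.read().decode(errors="replace")

def basic_auth_verdict(no_creds, wrong_creds, good_creds):
    """Judge enforcement from three (status, body) observations. Everything
    returning 200 is the failure mode the walkthrough warns about: the binding
    reports Ready but no policy is actually being applied."""
    if no_creds[0] == 401 and wrong_creds[0] == 401 and good_creds[0] == 200:
        return "enforced"
    if no_creds[0] == 200 and wrong_creds[0] == 200:
        return "not-enforced"
    return "unexpected"

def rate_limit_verdict(observations):
    """Return (verdict, passed): passed is how many requests got through before
    the first blocked one. The walkthrough sees the blocked request as a blank
    response, so a non-200 status or an empty body both count as blocked."""
    allowed = [status == 200 and body != "" for status, body in observations]
    passed = next((i for i, ok in enumerate(allowed) if not ok), len(allowed))
    if passed == len(allowed):
        return "not-enforced", passed
    if passed > 0 and not any(allowed[passed:]):
        return "enforced", passed
    return "unexpected", passed

if __name__ == "__main__":
    print("basic auth:", basic_auth_verdict(probe(URL), probe(URL, "bad:bad"),
                                            probe(URL, GOOD_CREDS)))
    # With both policies applied, the rate-limit probe must authenticate.
    print("rate limit:", rate_limit_verdict([probe(URL, GOOD_CREDS) for _ in range(3)]))
```

Run the rate-limit probe within one policy window, since the SLA tier resets the counter every minute.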

It works!

Congratulations! You now have a fully functional Anypoint Service Mesh up and running. Note that the free trial license lets you experiment with a broad range of functionality and is well suited to development purposes, but a full license is required for production use.

[1] Anypoint Service Mesh also honours policies and other configurations applied through Istio. In that case, a full default installation of Istio is required.

[2] Related to [1], the manifest file used here depends on the purpose of the installation: Istio-native policies can be installed and used by specifying them in this manifest file.
