Istio Service Mesh 101 — Part (1/3)

We all have heard about monoliths and microservices. The popular one for microservices is Kubernetes. With Kubernetes, we can break down the tightly coupled monolithic application into microservices such as pods or deployments, which are loosely coupled. But, we should define the deployment’s authentication, authorization, networking, logging, and monitoring. When we have multiple deployments, things can get hard as we’ll have to repeat the same process for all the deployments.

What if we could replace all these authentication, authorization, networking, logging and monitoring with a proxy on a sidecar container?

The proxies can communicate with each other through the data plane and then communicate to the server component using a control plane. The Control plane will manage all the traffic into and out of the services via proxies so that the business logic is separated from the networking logic. This approach is known as a Service Mesh.

Service Mesh

A service mesh is a dedicated and configurable infrastructure layer that handles the communication between services without having to change the code in a microservice architecture. Using service mesh, it’s easy to handle security, manage traffic, control observability, and discover services.

Istio

Istio is a service mesh — a modernized service networking layer that provides a transparent and language-independent way to flexibly and easily automate application network functions.

Image credit: https://istio.io/

Being a popular solution for managing the different microservices that make up a cloud-native application, it also supports how those microservices communicate and share data with one another. Istio manages traffic flows between services, enforces access policies, and aggregates telemetry data, all without requiring changes to the application code. It eases deployment complexity by transparently layering onto existing distributed applications. It is also platform-independent and designed to run in a variety of environments like cloud, on-premises, Kubernetes, and Mesos.

An open-source service mesh that helps organizations run distributed, microservices-based apps anywhere.

Istio extends Kubernetes to establish a programmable, application-aware network using the powerful Envoy service proxy. Working with both Kubernetes and traditional workloads, Istio brings standard, universal traffic management, telemetry, and security to complex deployments.

Uses of Istio

Istio allows organizations to deliver distributed applications at scale. It simplifies service-to-service network operations like traffic management, authorization, and encryption, as well as auditing and observability.

Earlier, we mentioned the proxies used for communication. Istio uses an open-source high-performance proxy, named Envoy. The proxy communicates to the server-side components called the control plane. This is where the daemon Istiod lies.

Istiod

The control plane functionality is consolidated into a single binary called Istiod. This contains a few components.

Pilot — for service discovery

Galley — for validating configuration files

Citadel — for managed certificate generation

Each service or port has a separate component in it, along with the Envoy proxy called the Istio Agent. It is responsible for passing configuration secrets to the Envoy proxies.

Installing Istio

There are three ways to install Istio. They are:

1. Using a command-line utility called istioctl

2. Using Istio Operator Install

3. Using Helm package of Istio

We’ll look into installing Istio using istioctl.

Install istioctl

Go to the Istio release page to download the installation file for your OS, or download and extract the latest release automatically (Linux or macOS):

$ curl -L https://istio.io/downloadIstio | sh -

Move to the Istio package directory. For example, if the package is istio 1.14.1:

$ cd istio-1.14.1

The installation directory contains:

• Sample applications in samples/
• The istioctl client binary is in the bin/ directory.

Add the istioctl client to your path (Linux or macOS):

$ export PATH=$PWD/bin:$PATH

Install Istio

For this installation, we will use a demo configuration profile. It’s selected to have a good set of defaults for testing, but there are other profiles for production or performance testing.

If your platform has a vendor-specific configuration profile, e.g., Openshift, use it in the following command, instead of the demo profile. Refer to your platform instructions for details.

Install a profile using the istioctl command.

$ istioctl install - set profile=demo -y

Add a namespace label to instruct Istio to automatically inject Envoy sidecar proxies when you deploy your application later:

$ kubectl label namespace default istio-injection=enabled

If you miss doing the above step, Istio will not inject sidecar containers into the deployments you create.

Now that we have installed Istio, let’s deploy a sample application. We have a sample application in the /samples folder when we installed Istio.

Deploy a sample application

Deploy the Bookinfo sample application:

$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

The application will start. As each pod becomes ready, the Istio sidecar will be deployed along with it.

List services:

$ kubectl get services

List pods:

$ kubectl get pods

Make sure there are two containers in every pod.

Verify everything is working correctly up to this point. Run this command to see if the app is running inside the cluster and serving HTML pages by checking for the page title in the response:

$ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings - curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"

You should get an output like this:

<title>Simple Bookstore App</title>

Open the application to outside traffic

The Bookinfo application is deployed but not accessible from the outside. To make it accessible, you need to create an Istio Ingress Gateway, which maps a path to a route at the edge of your mesh.

Associate this application with the Istio gateway:

$ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml

Ensure that there are no issues with the configuration:

$ istioctl analyze

You should get an output like this:

✔ No validation issues found when analyzing namespace: default.

Determining the ingress IP and ports

Follow these instructions to set the INGRESS_HOST and INGRESS_PORT variables for accessing the gateway.

Execute the following command to determine if your Kubernetes cluster is running in an environment that supports external load balancers:

$ kubectl get svc istio-ingressgateway -n istio-system

If the EXTERNAL-IP value is set, your environment has an external load balancer that you can use for the ingress gateway. If the EXTERNAL-IP value is <none> (or perpetually <pending>), your environment does not provide an external load balancer for the ingress gateway. In this case, you can access the gateway using the service’s node port.

If your environment has an external load balancer.

Set the ingress IP and ports:

$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')

If your environment does not have an external load balancer, choose a node port instead.

Set the ingress ports:

$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')

Set GATEWAY_URL:

$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT

Ensure an IP address and port were successfully assigned to the environment variable:

$ echo "$GATEWAY_URL"

Your output should be IP_ADDRESS:PORT

Verify external access

Confirm that the Bookinfo application is accessible from outside by viewing the Bookinfo product page using a browser.

Run the following command to retrieve the external address of the Bookinfo application.

$ echo "http://$GATEWAY_URL/productpage"

Paste the output from the previous command into your web browser and confirm that the Bookinfo product page is displayed.

View the dashboard

Istio integrates with several different telemetry applications. These can help you gain an understanding of the structure of your service mesh, display the topology of the mesh, and analyze the health of your mesh.

Deploy the Kiali dashboard, along with Prometheus, Grafana, and Jaeger

Install Kiali and the other add-ons and wait for them to be deployed.

$ kubectl apply -f samples/addons
$ kubectl rollout status deployment/kiali -n istio-system

Access the Kiali dashboard.

$ istioctl dashboard kiali

You can then click on the localhost link to view Kiali. In the left navigation menu, select Graph, and in the Namespace drop-down, select default.

The Kiali dashboard shows an overview of your mesh with the relationships between the services in the Bookinfo sample application. It also provides filters to visualize the traffic flow.

Congratulations on building your service mesh on Istio. We’ll look into Traffic Management, Security, and Observability in the upcoming blogs. Have a nice day!

Read Part 2 here: Istio Service Mesh 101 — Part (2/3)