Service Mesh aims to solve the problem of connecting Service topologies between cloud native applications. If you want to build cloud native applications, you need Service Mesh. Istio is one of the star projects in the Service Mesh space and is covered in the Istio documentation (istio.io/docs/concep…). An extremely promising Service Mesh solution, it is being jointly developed by several technology giants.

For now, Istio is best suited for Kubernetes, but other platforms will be supported in the future. Therefore, in order to deploy Istio and demonstrate its capabilities, you first need a Kubernetes cluster. Once this condition is met, Rancher 2.0 is easy to use.

Preparation

For a successful demo, you need the following:

  • A Google Cloud account, free of charge

  • An instance of Ubuntu 16.04 (this will be the running environment for the Rancher instance)

  • A Kubernetes cluster deployed on the Google Cloud Platform and using the GKE service. This demo uses version 1.10.5-gke.2

  • Istio 0.8.0 (this is the version used at the time of writing; Istio 1.0 is now available)

In general, the steps in this tutorial apply to newer versions as well.

Start Rancher 2.0

First, launch an instance of Rancher 2.0. For more information on how to start Rancher 2.0, see the tutorial on Rancher’s website, which is very straightforward (rancher.com/quick-start…).

The examples in this article use the Google Cloud Platform, so first start an Ubuntu instance and, through the Console or CLI (cloud.google.com/compute/doc…), allow it to communicate over the HTTP and HTTPS protocols. The command to do this is as follows:

Make sure the Rancher instance has at least 1 vCPU and approximately 4GB of RAM available.

Then log in to the Ubuntu instance over SSH and install Docker (docs.docker.com/install/lin…). Once Docker is installed, you can launch Rancher and verify that it is running.

Get the public IP address of your Ubuntu instance and access it with your browser.

The page redirects to Rancher’s HTTPS page and you’ll see a browser warning, because Rancher uses a self-signed certificate. You can ignore the warning here, because you started this instance yourself (never do this on an untrusted site). Then set your administrator password and server URL to launch Rancher 2.0. Now you are ready to start the Kubernetes cluster.

Start a Kubernetes cluster

First, you need a Google Cloud Service Account with the following roles attached: Compute Viewer, Kubernetes Engine Admin, Service Account User, Project Viewer. Then generate a service account key; for the specific steps, see cloud.google.com/iam/docs/cr…

You can now start a Kubernetes cluster using Rancher 2.0 with your service account key (it is safe to use the default Compute Engine service account):

Make a note of the <SA-NAME>@developer.gserviceaccount.com value; you will need it later.

You are now ready to start the cluster. Open Rancher’s panel and click Add Cluster. You need to do the following:

  • When selecting the hosted Kubernetes provider, select GCE;

  • Give your cluster a name, such as rancher-demo;

  • Import or copy and paste the service account key details from the key.json file generated in the previous step into the Service Account field.

Go to Configure Nodes and set the following options:

  • Kubernetes version: you can choose the latest version, but this test was conducted on 1.10.5-gke.2;

  • Region: select the region closest to you;

  • Machine type: at least n1-standard-1;

  • Number of nodes: the Istio demo requires at least 4 nodes.

When the above settings are complete, your settings page should look like the following:

Click Create.

After a few minutes, you can see that the cluster is active on Rancher’s panel. Remember the <SA-NAME>@developer.gserviceaccount.com value mentioned above? Now it comes in handy. You need it to grant cluster administrator privileges to the current user (administrator privileges are required to create the necessary RBAC rules for Istio). To do this, click the rancher-demo cluster name on the Rancher panel to go to the rancher-demo cluster panel.

Now start kubectl, which opens the kubectl command line for this particular cluster. You can also export the kubeconfig file to use with a locally installed kubectl. For the purposes of this example, use the command line provided by Rancher. After you have opened the command line, run the following command:

Deploy Istio on Rancher

Istio has a Helm package that Rancher can use to install Istio. To get the official Istio Helm package, you need to add Istio’s repository to Rancher’s application catalog. To do this, first go to the Rancher Global View, go to the Catalogs option, and select “Add Catalog” with the name istio-github and the catalog URL github.com/istio/istio… Rancher handles everything git clone does. In the Branch field, you can write the branch name; set it to master. The settings should look like the screenshot below:

Click Create.

In this step, you will begin deploying Istio using the Rancher Catalog. First, access the default project for the rancher-demo cluster and select Catalog Apps. When you click Launch, you’ll see a number of apps available by default. Since this demo is about Istio, select the istio-github catalog that you just created in All Catalogs. This will give you two options: istio and istio-remote. Select istio and click “View Details”. You will see the options for deploying Istio.

Set the name to istio-demo;

Leave the template version at 0.8.0;

Istio’s default namespace is istio-system, so set the namespace to istio-system.

By default, Istio does not encrypt access between components, but encryption is important, so we need to add encryption.

Istio’s Helm Chart does not add Grafana by default, and we should add it as well.

Click Add Answer and set global.controlPlaneSecurityEnabled and grafana.enabled to true. This adds the two features above.

Once you’ve done that, the interface should look like the following:

Click “Launch”.

If you now look at the Workloads tab, you should see all the components of Istio running in your cluster; make sure all the workloads are green. Also check the Load Balancing tab: both istio-ingress and istio-ingressgateway should be active.

If istio-ingressgateway is Pending, you need to apply the istio-ingressgateway service again. To do this, click Import YAML; for Import Mode, select Cluster: Direct import of any resources into this cluster; copy and paste the istio-demo-ingressgateway.yaml service into the Import YAML editor and click Import:

This step will resolve the pending status of istio-ingressgateway.

Now you need to check on Rancher’s panel that all of Istio’s workloads, load balancing, and service discovery are in good shape.

One last thing: add the istio-injection label to your default namespace, so that the Istio sidecar container is injected automatically into your application pods, using the kubectl command below (as mentioned above, you can start kubectl from inside Rancher).

This label enables istio-sidecar-injector to automatically inject an Envoy container into your application pods.

Deploy the Bookinfo sample application

Now you can deploy a test application and test the power of Istio. First, deploy the Bookinfo sample application. The interesting part of the app is that it has three versions of the Reviews program running at the same time. We can experience some of Istio’s features in all three versions of the application. Next, access the workloads in the default project of rancher-demo and deploy the Bookinfo app as follows:

  • Click Import YAML; download bookinfo.yaml (info.rancher.com/hubfs/booki…);

  • In the Import YAML menu, upload it to Rancher by reading it from a file;

  • For Import Mode, select Cluster: Direct import of any resources into this cluster;

  • Click Import.

This should add six workloads to the default project of rancher-demo, as in the diagram below:

Now, to expose the Bookinfo app through Istio, apply bookinfo-gateway.yaml (info.rancher.com/hubfs/booki…) in the same way as bookinfo.yaml. At this point, you can access the Bookinfo app with a browser. You can obtain the external IP address of the istio-ingressgateway load balancer in either of the following ways:

First, get it from Rancher: go to Load Balancing and select View in API from the menu on the right-hand side. A new browser page opens; search it for publicEndpoints -> addresses and you’ll see the public IP address.

Second, use kubectl:

Use your browser to visit http://${INGRESS_HOST}/productpage and you should see the Bookinfo app. As you refresh the page multiple times, you should see three different versions of the Book Reviews section: the first version has no stars; the second version has black stars; the third version has red stars.

With Istio, you can restrict your application to routing only to the first version of the application. To do so, import route-rule-all-v1.yaml (info.rancher.com/hubfs/route…) into Rancher, wait a few seconds and refresh the page; you won’t see any stars on the reviews.

Alternatively, you can route traffic for one set of users only. When you import route-rule-review-test-v2.yaml into Rancher and log in to the Bookinfo app using the username Jason (no password required), you should only see version 2 reviews (with black stars). But when you log out, you’ll only see the version 1 Reviews app.

At this point, you’ve seen the power of Istio. Of course, this is not all; Istio has many other functions. With this setup in place, you can work through the tasks in the Istio documentation.

Istio Telemetry

Now it’s time to delve into another of Istio’s more useful features: providing metrics by default.

Let’s start with Grafana. When we deployed Istio, setting grafana.enabled to true created a Grafana instance configured to collect Istio metrics and display them in several panels. By default, Grafana’s service is not exposed publicly, so to see the metrics you first need to expose the Grafana service on a public IP address. There is another option: the service can also be exposed as a NodePort (kubernetes.io/docs/concep…). However, this requires you to open the NodePort on all nodes in the Google Cloud Platform firewall, which is more than one task, so exposing the service via a public IP address is easier.

To do this, access the workloads in the default project of rancher-demo and select the Service Discovery tab. When all work is done on the cluster, there should be 5 services in the default namespace and 12 services in the istio-system namespace, and all of these services should be active. Next, select the Grafana service and select View/Edit YAML from the menu on the right.

Find the line that contains type: ClusterIP, change it to type: LoadBalancer, and click Save. This should then start provisioning a load balancer in the Google Cloud Platform and expose Grafana on its default port 3000. To get the public IP address of Grafana, repeat the steps from the Bookinfo example. That is, look at the Grafana service in the API, where you can find the IP address, or get it from kubectl:

Go to http://${GRAFANA_HOST}:3000/ with your browser and select one of the panels, such as Istio Service. With the routing configuration applied earlier, we limited traffic to the version 1 Reviews application. Select reviews.default.svc.cluster.local from the Service drop-down menu to see this in the graph. Now use the following command to generate some traffic from Rancher’s kubectl:

It takes about 5 minutes for the generated traffic to be displayed in Grafana on the following panel:

If you scroll the panel, under SERVICE WORKLOADS you will see a graph of Incoming Requests by Destination And Response Code, which shows that requests for the Reviews application end only at the v1 endpoint. The following command generates requests for the version 2 app (remember that user Jason has access to the version 2 Reviews app):

You should now also see requests displayed for the version 2 app:

In the same way, it is possible to expose and see other Istio default metrics, such as Prometheus, Tracing, and ServiceGraph.
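After switching Grafana (or Prometheus, Tracing and ServiceGraph) from ClusterIP to LoadBalancer as described above, it is worth listing which Services are now reachable from outside the cluster. The following is an added example, not part of the original article: it reads JSON in the shape produced by `kubectl get services --all-namespaces -o json` and reports each externally exposed Service, including whether a LoadBalancer limits client addresses with `loadBalancerSourceRanges`. The sample input, its addresses and the source range are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get services --all-namespaces -o json`.
# Addresses come from documentation ranges; the source range is an assumption.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "istio-system", "name": "grafana"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 3000}]},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
    {"metadata": {"namespace": "istio-system", "name": "istio-ingressgateway"},
     "spec": {"type": "LoadBalancer",
              "loadBalancerSourceRanges": ["198.51.100.0/24"],
              "ports": [{"port": 80}, {"port": 443}]},
     "status": {"loadBalancer": {}}},  # no address yet: the Pending state
    {"metadata": {"namespace": "default", "name": "reviews"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 9080}]},
     "status": {"loadBalancer": {}}},
]})


def external_services(service_list_json):
    """Return one finding per Service that is exposed outside the cluster."""
    findings = []
    for svc in json.loads(service_list_json).get("items", []):
        meta, spec = svc["metadata"], svc.get("spec", {})
        svc_type = spec.get("type", "ClusterIP")
        if svc_type not in ("LoadBalancer", "NodePort"):
            continue  # ClusterIP services stay internal to the cluster
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        ranges = spec.get("loadBalancerSourceRanges") or []
        findings.append({
            "service": f"{meta['namespace']}/{meta['name']}",
            "type": svc_type,
            "ports": [p["port"] for p in spec.get("ports", [])],
            "addresses": [i.get("ip") or i.get("hostname") for i in ingress]
                         or ["<pending>"],
            "source_ranges": ranges,
            # A LoadBalancer with no source ranges accepts any client address;
            # NodePort reachability is governed by the node firewall instead.
            "unrestricted": svc_type == "LoadBalancer" and not ranges,
        })
    return findings


if __name__ == "__main__":
    for finding in external_services(SAMPLE):
        print(finding)
```

On a live cluster, pass the output of `kubectl get services --all-namespaces -o json` to `external_services` in place of `SAMPLE`.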

Summary and Reflection

As you can see, Istio is a powerful and useful Service Mesh platform. In the future, it will definitely become a core tool in the cloud native ecosystem. For now, going into production with Istio is not recommended. To quote Kelsey Hightower: “Don’t just consume it, deploy it into production. You will be in the news”. In any case, please be assured that Istio will be deployed into production in the near future.

As for Rancher 2.0, it is very useful for viewing Kubernetes cluster status, all workloads, services, and nodes. It provides an easy way to manage clusters through the web user interface (WebUI) and deploy applications through Helm Charts, making Rancher easy to use even for those unfamiliar with Kubernetes. With Rancher 2.0, you’ll have everything you need to manage a Kubernetes cluster and a good overview of its state. I’m sure Rancher’s friends will continue to add more and more useful features to improve Rancher.