Wechat official account: Operation and maintenance development story, author: Double Dong
Service Mesh
Service Mesh, rendered in Chinese as "service grid", is an infrastructure layer that handles communication between services. It is responsible for delivering requests reliably across the complex topology of a cloud-native application, and it provides the basic components a microservice needs for service-to-service communication: service discovery, load balancing, monitoring, traffic management, access control and so on. In practice, a service mesh is implemented as a set of lightweight network proxies deployed alongside the application and transparent to it.
[Figure: Service Mesh deployment network diagram]
A Service Mesh has four characteristics:
- Independent governance capability (Sidecar)
- The application is not aware of it
- An infrastructure layer for service communication
- Retry/timeout, monitoring, tracing and service discovery are decoupled from the application
In this way, the Service Mesh separates business modules from service governance. From the figure above, we can see that the control plane and the data plane are separated. When applications are deployed, each application comes with a Sidecar, which intercepts the application's external requests, and the service governance policy from the control plane is enforced in the Sidecar. The business module and the service governance layer can therefore be upgraded without affecting each other, and governance rules and policies can be adjusted dynamically. From the structure and characteristics of Service Mesh, we can summarize its service governance concept:
1. Decoupling of microservice governance from business logic: most SDK capabilities are removed from the application, split out into an independent process, and deployed as a Sidecar.
2. Unified governance of heterogeneous systems: this makes multi-language implementations easier and removes the difficulties caused by upgrades.
3. Value:
(1) Observability: the service mesh captures wire data such as source, destination, protocol, URL, status code, latency and duration.
(2) Traffic control: intelligent routing, timeout and retry, circuit breaking, fault injection, traffic mirroring and other control capabilities for services.
(3) Security: authentication of services, encryption of service-to-service communication, and enforcement of security-related policies.
(4) Robustness: support for fault injection, which is a great help for robustness testing such as disaster recovery and fault drills.
We take Istio, the outstanding representative of Service Mesh, as an example to discuss the latest service governance architecture. It fully implements the Service Mesh model, has a clear architecture, and separates the data plane from the control plane. It offers communication, security, control and observability functions, is open and pluggable, and has a variety of optional implementations. Istio can be used in conjunction with Kubernetes (K8S): K8S provides service lifecycle management, and Istio implements service governance on top of K8S.
1 Istio overview
Istio is a product implementation of Service Mesh. It is the most popular Service Mesh, with rich functionality and high maturity. Linkerd was the world's first service mesh product. Official site: istio.io
Istio is mainly applied to service governance:
- Connect
  – Traffic management
  – Load balancing
  – Grayscale (canary) release
- Secure
  – Authentication
  – Authorization
- Control
  – Rate limiting
  – ACL
- Observe
  – Monitoring
  – Call chain (tracing)
2 Istio architecture and components
Note: the picture in this page is from Istio official website
The Istio load test mesh consists of 1,000 services and 2,000 sidecars, with 70,000 QPS across the mesh. Running the test with Istio 1.6.2 gave the following results:
• With 1000 QPS passing through the proxy, Envoy used 0.5 vCPU and 50 MB of memory.
• The istio-telemetry service used 0.6 vCPU when the total mesh QPS was 1000.
• Pilot used 1 vCPU and 1.5 GB of memory.
• At the 90th percentile, the Envoy proxy added only 6.3 ms of latency.
Note: The pictures and data in this page are from Istio official website
3 Deploy Istio in Kubernetes
Following the official documentation, version 1.6 is deployed here as a demonstration using the demo profile, which installs all components.
# wget https://github.com/istio/istio/releases/download/1.6.2/istio-1.6.2-linux-amd64.tar.gz
# tar zxvf istio-1.6.2-linux-amd64.tar.gz -C /data/
# cd /data/istio-1.6.2/
# mv bin/istioctl /usr/bin
# istioctl profile list
Istio configuration profiles:
    default
    demo
    empty
    minimal
    preview
    remote
# istioctl install --set profile=demo
# kubectl get pods -n istio-system
NAME                                    READY   STATUS    RESTARTS   AGE
grafana-75745787f9-jb79g                1/1     Running   0          2d8h
istio-egressgateway-78b89c9f79-f7g58    1/1     Running   0          2d2h
istio-ingressgateway-845967d5c6-4r7dm   1/1     Running   0          2d2h
istio-tracing-7fc897dbb8-gsgfq          1/1     Running   0          2d2h
istiod-b56f454c6-9rd5f                  1/1     Running   0          55m
kiali-5645f98f9-5jkjf                   1/1     Running   0          2d1h
prometheus-7778b9d84-ncb5r              2/2     Running   0          2d2h
# kubectl get svc -n istio-system
NAME                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                                                                                      AGE
istio-egressgateway         ClusterIP   10.104.251.176   <none>        80/TCP,443/TCP,15443/TCP                                                                                                     71d
istio-ingressgateway        NodePort    10.99.33.183     <none>        15020:41020/TCP,80:48035/TCP,443:41862/TCP,15029:44646/TCP,15030:35600/TCP,15031:49406/TCP,15032:41959/TCP,15443:49277/TCP   71d
istio-pilot                 ClusterIP   10.111.202.110   <none>        15010/TCP,15011/TCP,15012/TCP,8080/TCP,15014/TCP,443/TCP                                                                     71d
istiod                      ClusterIP   10.96.68.5       <none>        15012/TCP,443/TCP                                                                                                            71d
jaeger-agent                ClusterIP   None             <none>        5775/UDP,6831/UDP,6832/UDP                                                                                                   71d
jaeger-collector            ClusterIP   10.106.32.219    <none>        14267/TCP,14268/TCP,14250/TCP                                                                                                71d
jaeger-collector-headless   ClusterIP   None             <none>        14250/TCP                                                                                                                    71d
jaeger-query                ClusterIP   10.96.35.176     <none>        16686/TCP                                                                                                                    71d
kiali                       ClusterIP   10.101.196.222   <none>        20001/TCP                                                                                                                    71d
prometheus                  ClusterIP   10.98.252.96     <none>        9090/TCP                                                                                                                     71d
tracing                     ClusterIP   10.101.199.222   <none>        80/TCP                                                                                                                       71d
zipkin                      ClusterIP   10.110.255.236   <none>        9411/TCP                                                                                                                     71d
Uninstall:
istioctl manifest generate --set profile=demo | kubectl delete -f -
4 Application demonstration (bookinfo project as an example)
4.1 Sidecar injection
# manual injection
kubectl apply -f <(istioctl kube-inject -f xxx.yaml)
# or
istioctl kube-inject -f xxx.yaml | kubectl apply -f -
# automatic injection: label the namespace, then every new pod in it gets a sidecar
kubectl label namespace xxx istio-injection=enabled
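Labelling a namespace only affects pods created after the label is applied, and a pod can opt out with the sidecar.istio.io/inject annotation, so a mesh can silently have workloads whose traffic bypasses every mesh policy. The following added example (not code from the article or from Istio) audits injection coverage from the JSON that kubectl returns for namespaces and pods; the namespace and pod objects below are constructed to show each case.

```python
"""Audit Istio sidecar injection coverage from kubectl JSON output.

Added example, not from the original article. The namespace and pod
documents below are constructed and trimmed to the fields used here; in
practice they come from `kubectl get namespaces -o json` and
`kubectl get pods -A -o json`.
"""
from __future__ import annotations

SIDECAR = "istio-proxy"                    # container name the injector adds
INJECT_ANNOTATION = "sidecar.istio.io/inject"
SKIP_NAMESPACES = {"kube-system", "istio-system"}   # control plane, never injected

NAMESPACES = {
    "items": [
        {"metadata": {"name": "default", "labels": {"istio-injection": "enabled"}}},
        {"metadata": {"name": "legacy", "labels": {}}},
        {"metadata": {"name": "istio-system", "labels": {}}},
    ]
}

PODS = {
    "items": [
        # injected: carries the istio-proxy container
        {"metadata": {"name": "productpage-v1-abc", "namespace": "default", "annotations": {}},
         "spec": {"containers": [{"name": "productpage"}, {"name": "istio-proxy"}]}},
        # created before the namespace was labelled: never injected, needs a restart
        {"metadata": {"name": "details-v1-old", "namespace": "default", "annotations": {}},
         "spec": {"containers": [{"name": "details"}]}},
        # explicitly opted out of injection
        {"metadata": {"name": "batch-job-xyz", "namespace": "default",
                      "annotations": {INJECT_ANNOTATION: "false"}},
         "spec": {"containers": [{"name": "job"}]}},
        # namespace not labelled at all: outside the mesh
        {"metadata": {"name": "mysql-0", "namespace": "legacy", "annotations": {}},
         "spec": {"containers": [{"name": "mysql"}]}},
        # control-plane pod, skipped by the audit
        {"metadata": {"name": "istiod-b56f454c6-9rd5f", "namespace": "istio-system", "annotations": {}},
         "spec": {"containers": [{"name": "discovery"}]}},
    ]
}


def injection_enabled_namespaces(ns_json: dict) -> set[str]:
    """Namespaces carrying the istio-injection=enabled label."""
    return {
        item["metadata"]["name"]
        for item in ns_json["items"]
        if item["metadata"].get("labels", {}).get("istio-injection") == "enabled"
    }


def has_sidecar(pod: dict) -> bool:
    return any(c["name"] == SIDECAR for c in pod["spec"].get("containers", []))


def audit(ns_json: dict, pods_json: dict) -> dict[str, list[str]]:
    """Group every pod without a sidecar by the reason it has none.

    missing_sidecar: in an injection-enabled namespace but not injected
                     (created before the label; restart the workload)
    opted_out:       disables injection via sidecar.istio.io/inject=false
    unlabelled_ns:   namespace has no istio-injection=enabled label
    """
    enabled = injection_enabled_namespaces(ns_json)
    result: dict[str, list[str]] = {"missing_sidecar": [], "opted_out": [], "unlabelled_ns": []}
    for pod in pods_json["items"]:
        meta = pod["metadata"]
        ns = meta["namespace"]
        if ns in SKIP_NAMESPACES or has_sidecar(pod):
            continue
        ref = f"{ns}/{meta['name']}"
        if ns not in enabled:
            result["unlabelled_ns"].append(ref)
        elif meta.get("annotations", {}).get(INJECT_ANNOTATION) == "false":
            result["opted_out"].append(ref)
        else:
            result["missing_sidecar"].append(ref)
    return result


if __name__ == "__main__":
    for reason, pods in audit(NAMESPACES, PODS).items():
        print(f"{reason}: {pods}")
```

The "missing_sidecar" bucket is the one to act on first: those pods sit in a namespace the operator believes is covered, yet none of the mesh's mTLS, authorization or telemetry applies to them until they are recreated.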
4.2 Service Gateway: Gateway
Istio's ingress gateway is used for traffic management, so traffic for the corresponding services must be routed through the gateway. Like a Kubernetes Ingress, it serves as the boundary of the mesh and makes traffic management easier. Gateways provide load balancing for services inside the mesh, with the following capabilities:
• Load balancing at L4-L6
• External mTLS
Gateways are divided into:
• IngressGateway: receives external access and forwards traffic to services within the mesh.
• EgressGateway: lets services within the mesh access external applications.
Example:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - route:
    - destination:
        host: httpbin
        port:
          number: 8000
4.3 Example of Deploying the BookInfo microservice
This section deploys a multi-language, heterogeneous microservice example (Bookinfo) to give you a clear picture of the service mesh.
4.3.1 Bookinfo – Online book store
The Bookinfo application is divided into four separate microservices:
• ProductPage: The ProductPage microservice invokes the Details and Reviews microservices to generate the page.
• Details: This microservice contains information about books.
• Reviews: This micro-service contains book related reviews. It also invokes the Ratings microservice.
• Ratings: Ratings micro service includes rating information consisting of book reviews.
Reviews Microservices comes in 3 versions:
• Version v1 does not invoke the ratings service.
• Version v2 invokes the ratings service and displays the rating as five black stars.
• Version v3 invokes the ratings service and displays the rating as five red stars.
A picture is worth a thousand words. The overall structure is as follows:
4.3.2 Deploying Bookinfo to Istio
Deploy Bookinfo to the K8S default namespace, default.
Start sidecar auto injection
kubectl label namespace default istio-injection=enabled
Deployed to k8s
# Go to the istio working directory
[root@master01 ~]# cd /data/istio-1.6.2/
# deploy to K8S using kubectl
[root@master01 istio-1.6.2]# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
Obtain access address
# deploy the entrance gateway for Bookinfo
[root@master01 istio-1.6.2]# kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created
# work out the gateway address: node IP of the ingress gateway pod plus the http2 NodePort
[root@master01 istio-1.6.2]# export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')
[root@master01 istio-1.6.2]# export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
[root@master01 istio-1.6.2]# export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
Note: in a production environment, istio-ingressgateway is used as the only network entry point.
Access
5. Visual monitoring
Istio comes with three monitoring platforms:
• Monitoring metrics (Grafana): request error rate; request latency (response time).
• Mesh visualization (Kiali): call topology; RPS (requests per second) and request error rate; request/response packet size; viewing pod logs; online editing of Istio configuration resources.
• Call chain tracing (Jaeger): the services involved in a call; the specific request/response information in the packet; response time.
[root@master01 opt]# istioctl dashboard -h
Access to Istio web UIs

Usage:
  istioctl dashboard [flags]
  istioctl dashboard [command]

Aliases:
  dashboard, dash, d

Available Commands:
  controlz    Open ControlZ web UI
  envoy       Open Envoy admin web UI
  grafana     Open Grafana web UI
  jaeger      Open Jaeger web UI
  kiali       Open Kiali web UI
  prometheus  Open Prometheus web UI
  zipkin      Open Zipkin web UI

Flags:
      --address string   Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these addresses are available to bind. (default "localhost")
  -h, --help             help for dashboard
  -p, --port int         Local port to listen to

Global Flags:
      --context string          The name of the kubeconfig context to use
  -i, --istioNamespace string   Istio system namespace (default "istio-system")
  -c, --kubeconfig string       Kubernetes configuration file
  -n, --namespace string        Config namespace

Use "istioctl dashboard [command] --help" for more information about a command.
[root@master01 opt]# kubectl get pod -n istio-system
NAME                                   READY   STATUS    RESTARTS   AGE
grafana-75745787f9-w8md6               1/1     Running   0          25m
istio-egressgateway-794db4db55-hstw6   1/1     Running   0          25m
istio-ingressgateway-799b86d9-x2gkh    1/1     Running   0          25m
istio-tracing-c7b59f68f-fp66x          1/1     Running   0          25m
istiod-55fff4d845-zmdg8                1/1     Running   0          25m
kiali-85dc7cdc48-vmh29                 1/1     Running   0          25m
prometheus-8685fb8c59-65qxl            2/2     Running   0          25m
# open the ControlZ UI of istiod (--address overrides the default localhost-only bind)
[root@master01 opt]# istioctl dashboard controlz istiod-55fff4d845-zmdg8 -n istio-system --address=10.211.55.16
http://localhost:33673
To reach all three monitoring platforms through the ingress gateway, a monitor-gateway.yaml needs to be written.
[root@master01 istio-1.6.2]# kubectl get svc -n istio-system
NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                      AGE
grafana                ClusterIP      10.68.185.28    <none>        3000/TCP                                                                     26h
istio-egressgateway    ClusterIP      10.68.80.126    <none>        80/TCP,443/TCP,15443/TCP                                                     26h
istio-ingressgateway   LoadBalancer   10.68.139.54    <pending>     15021:30792/TCP,80:22516/TCP,443:34994/TCP,31400:21999/TCP,15443:22618/TCP   26h
istiod                 ClusterIP      10.68.213.107   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP                                26h
kiali                  NodePort       10.68.227.1     <none>        20001:24347/TCP                                                              26h
prometheus             ClusterIP      10.68.241.113   <none>        9090/TCP                                                                     26h
tracing                ClusterIP      10.68.156.89    <none>        80/TCP                                                                       26h
zipkin                 NodePort       10.68.182.176   <none>        9411:24218/TCP                                                               26h
[root@master01 istio-1.6.2]# cat monitor-gateway.yaml
# mesh visualization: kiali
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kiala-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway # use the istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kiali
  namespace: istio-system
spec:
  hosts:
  - "kiali.istio.double.com"
  gateways:
  - kiala-gateway
  http:
  - route:
    - destination:
        host: kiali
        port:
          number: 20001
---
# monitoring visualization: grafana
# (the Gateway objects grafana-gateway, tracing-gateway and monitor-gateway
#  referenced below are not shown in this excerpt)
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grafana
  namespace: istio-system
spec:
  hosts:
  - "grafana.istio.double.com"
  gateways:
  - grafana-gateway
  http:
  - route:
    - destination:
        host: grafana
        port:
          number: 3000
---
# call chain: tracing
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tracing
  namespace: istio-system
spec:
  hosts:
  - "tracing.istio.double.com"
  gateways:
  - tracing-gateway
  http:
  - route:
    - destination:
        host: tracing
        port:
          number: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: zipkin
  namespace: istio-system
spec:
  hosts:
  - "zipkin.istio.double.com"
  gateways:
  - monitor-gateway
  http:
  - route:
    - destination:
        host: zipkin
        port:
          number: 8441   # the zipkin Service listed above exposes 9411
Deploy the monitoring gateway
[root@master01 istio-1.6.2]# kubectl apply -f monitor-gateway.yaml
[root@localhost istio-1.6.2]# kubectl get gateway,vs -n istio-system
NAME                                          AGE
gateway.networking.istio.io/grafana-gateway   34s
gateway.networking.istio.io/kiala-gateway     34s
gateway.networking.istio.io/monitor-gateway   34s
gateway.networking.istio.io/traing-gateway    34s

NAME                                         GATEWAYS            HOSTS                        AGE
virtualservice.networking.istio.io/grafana   [grafana-gateway]   [grafana.istio.double.com]   34s
virtualservice.networking.istio.io/kiali     [kiala-gateway]     [kiali.istio.double.com]     34s
virtualservice.networking.istio.io/tracing   [tracing-gateway]   [tracing.istio.double.com]   34s
virtualservice.networking.istio.io/zipkin    [monitor-gateway]   [zipkin.istio.double.com]    34s
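Two things in this section are worth checking mechanically. The kubectl output lists a Gateway named traing-gateway while the tracing VirtualService binds to tracing-gateway; a VirtualService bound to a Gateway that does not exist simply never receives traffic, and the error is only visible by comparing names. Separately, every Gateway on this page (section 4.2 and the monitoring gateway here) listens on plaintext port 80 and accepts any host ("*"), which puts the dashboards on the internet with no TLS and no host restriction. The following added example (not code from the article or from Istio) audits Gateway and VirtualService objects for these conditions, working on the JSON that kubectl get gateway,vs -A -o json returns. The objects below are constructed to mirror the monitoring gateway; the HTTPS server and its tracing-cert credential name are assumptions used to show a clean case.

```python
"""Audit Istio Gateway / VirtualService objects for exposure problems.

Added example, not from the article or from Istio. The object list below
is constructed (trimmed kubectl JSON) to mirror the article's monitoring
gateway, including the traing-gateway / tracing-gateway name mismatch.
"""
from __future__ import annotations

API = "networking.istio.io/v1alpha3"
PLAINTEXT_PROTOCOLS = {"HTTP", "HTTP2", "GRPC"}   # no TLS unless a tls block is set

OBJECTS = {
    "items": [
        # plaintext, wildcard-host Gateway, as in the article
        {"apiVersion": API, "kind": "Gateway",
         "metadata": {"name": "kiala-gateway", "namespace": "istio-system"},
         "spec": {"selector": {"istio": "ingressgateway"},
                  "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                               "hosts": ["*"]}]}},
        # assumed clean case: TLS terminated at the gateway, host pinned
        {"apiVersion": API, "kind": "Gateway",
         "metadata": {"name": "traing-gateway", "namespace": "istio-system"},
         "spec": {"selector": {"istio": "ingressgateway"},
                  "servers": [{"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                               "tls": {"mode": "SIMPLE", "credentialName": "tracing-cert"},
                               "hosts": ["tracing.istio.double.com"]}]}},
        {"apiVersion": API, "kind": "VirtualService",
         "metadata": {"name": "kiali", "namespace": "istio-system"},
         "spec": {"hosts": ["kiali.istio.double.com"], "gateways": ["kiala-gateway"],
                  "http": [{"route": [{"destination": {"host": "kiali", "port": {"number": 20001}}}]}]}},
        # binds to a Gateway name that does not exist (typo in the Gateway object)
        {"apiVersion": API, "kind": "VirtualService",
         "metadata": {"name": "tracing", "namespace": "istio-system"},
         "spec": {"hosts": ["tracing.istio.double.com"], "gateways": ["tracing-gateway"],
                  "http": [{"route": [{"destination": {"host": "tracing", "port": {"number": 80}}}]}]}},
        # wildcard host on a gateway: swallows every unmatched hostname
        {"apiVersion": API, "kind": "VirtualService",
         "metadata": {"name": "catch-all", "namespace": "default"},
         "spec": {"hosts": ["*"], "gateways": ["istio-system/kiala-gateway"],
                  "http": [{"route": [{"destination": {"host": "productpage", "port": {"number": 9080}}}]}]}},
    ]
}


def _qualified(ref: str, default_ns: str) -> str:
    """Gateway references are 'name' (same namespace) or 'namespace/name'."""
    return ref if "/" in ref else f"{default_ns}/{ref}"


def audit(objects: dict) -> list[str]:
    """Return findings as 'Kind ns/name: message' strings, in object order."""
    findings: list[str] = []
    gateways: dict[str, dict] = {}
    for obj in objects["items"]:
        if obj["kind"] == "Gateway":
            m = obj["metadata"]
            gateways[f"{m['namespace']}/{m['name']}"] = obj

    # Gateway servers: plaintext listeners and servers that accept any host
    for key, gw in gateways.items():
        for server in gw["spec"].get("servers", []):
            port = server["port"]["number"]
            proto = server["port"]["protocol"].upper()
            if proto in PLAINTEXT_PROTOCOLS and not server.get("tls"):
                findings.append(f"Gateway {key}: port {port} ({proto}) has no TLS")
            if "*" in server.get("hosts", []):
                findings.append(f"Gateway {key}: server on port {port} accepts any host (*)")

    # VirtualServices: dangling gateway references and wildcard hosts on a gateway
    for obj in objects["items"]:
        if obj["kind"] != "VirtualService":
            continue
        m = obj["metadata"]
        key = f"{m['namespace']}/{m['name']}"
        spec = obj["spec"]
        gw_refs = spec.get("gateways", [])
        for ref in gw_refs:
            if ref != "mesh" and _qualified(ref, m["namespace"]) not in gateways:
                findings.append(f"VirtualService {key}: references missing Gateway {ref}")
        if gw_refs and "*" in spec.get("hosts", []):
            findings.append(f"VirtualService {key}: wildcard host (*) bound to a gateway")
    return findings


if __name__ == "__main__":
    for line in audit(OBJECTS):
        print(line)
```

The special gateway name "mesh" (sidecar-internal routing) is skipped deliberately: it never corresponds to a Gateway object. Running the audit after every kubectl apply turns the name-mismatch class of error, which otherwise shows up only as a dashboard that never answers, into an immediate finding.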
Install Nginx as a load balancer in front of the NodePort exposed by the ingress gateway, so that all external traffic enters Istio through the ingress gateway and is managed there.
[root@mysql-cloud-kafka-zk ~]# cat /data/nginx/vhosts/istio.holder.cn.conf
....  # omitted
include /etc/nginx/conf.d/*.conf;
upstream ingressgateway {
    server 10.100.132.8:22516;
    server 10.100.132.5:22516;
    server 10.100.132.6:22516;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    root /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        proxy_pass http://ingressgateway;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
    }
}
To access it, bind the domain name in the local hosts file.
6. Switch bookInfo entry traffic to IngressGateway
# the entrance gateway deployed for Bookinfo
[root@master01 istio-1.6.2]# cat samples/bookinfo/networking/bookinfo-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use the istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "bookinfo.istio.double.com"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
[root@master01 istio-1.6.2]# kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
gateway.networking.istio.io/bookinfo-gateway unchanged
virtualservice.networking.istio.io/bookinfo configured
# check the gateway and virtual service
[root@master01 istio-1.6.2]# kubectl get gateway,vs
NAME                                           AGE
gateway.networking.istio.io/bookinfo-gateway   29h

NAME                                          GATEWAYS             HOSTS                         AGE
virtualservice.networking.istio.io/bookinfo   [bookinfo-gateway]   [bookinfo.istio.double.com]   29h
After binding the domain name, visit bookinfo.istio.double.com. Keep refreshing the page, and Kiali renders the service mesh in real time, as follows:
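The match list in the bookinfo VirtualService is what limits the application's exposure through the gateway: only the five listed paths reach productpage, and everything else is answered by the gateway with a 404. Because exact and prefix behave differently (a trailing slash defeats an exact match; a prefix admits every sub-path), it pays to be able to check which paths a rule set admits before applying it. The following added example (not code from the article or from Istio) implements the subset of Istio's HTTPMatchRequest semantics used here (uri exact, prefix and regex, plus header matches) and evaluates the article's rules against sample paths; the request paths are constructed.

```python
"""Evaluate which request paths a VirtualService's http rules admit.

Added example, not from the article or from Istio. Implements the subset
of HTTPMatchRequest used on this page: rules are tried in order, the
entries of one rule's `match` list are OR'ed, the fields inside one entry
are AND'ed, and a rule with no `match` list matches every request.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# The http section of the article's bookinfo VirtualService, as kubectl's
# JSON output would present it.
BOOKINFO_HTTP = [
    {
        "match": [
            {"uri": {"exact": "/productpage"}},
            {"uri": {"prefix": "/static"}},
            {"uri": {"exact": "/login"}},
            {"uri": {"exact": "/logout"}},
            {"uri": {"prefix": "/api/v1/products"}},
        ],
        "route": [{"destination": {"host": "productpage", "port": {"number": 9080}}}],
    }
]


def _string_match(rule: dict, value: str) -> bool:
    """Istio StringMatch: exactly one of exact / prefix / regex is set."""
    if "exact" in rule:
        return value == rule["exact"]
    if "prefix" in rule:
        return value.startswith(rule["prefix"])
    if "regex" in rule:
        return re.fullmatch(rule["regex"], value) is not None
    raise ValueError(f"unsupported StringMatch: {rule}")


def _entry_matches(entry: dict, path: str, headers: dict[str, str]) -> bool:
    """Every field present in one match entry must hold (AND)."""
    if "uri" in entry and not _string_match(entry["uri"], path):
        return False
    for name, rule in entry.get("headers", {}).items():
        if not _string_match(rule, headers.get(name.lower(), "")):
            return False
    return True


def select_route(http_rules: list[dict], raw_path: str,
                 headers: dict[str, str] | None = None) -> str | None:
    """Return 'host:port' of the first matching rule's destination, or None
    when no rule matches (the gateway then returns 404).

    Only the path component is compared; the query string is dropped here,
    which is how Envoy treats exact path matches.
    """
    path = urlsplit(raw_path).path
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    for rule in http_rules:
        entries = rule.get("match")
        if entries is None or any(_entry_matches(e, path, hdrs) for e in entries):
            dest = rule["route"][0]["destination"]
            return f"{dest['host']}:{dest['port']['number']}"
    return None


if __name__ == "__main__":
    # constructed sample requests
    for p in ["/productpage", "/productpage?u=normal", "/productpage/",
              "/static/bootstrap.css", "/api/v1/products/0/reviews", "/login", "/admin"]:
        print(f"{p:30} -> {select_route(BOOKINFO_HTTP, p)}")
```

Note that /productpage/ is rejected while /api/v1/products/0/reviews is admitted: exact matches are strict, prefix matches are open-ended, so a prefix rule should cover exactly the sub-tree the service is meant to serve and no more.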
The request response is as follows:
Real-time control based on weighted flow is as follows:
Monitoring indicators are as follows:
Kiali also provides a number of additional observability capabilities, which give Istio an edge over other service mesh frameworks; they are not shown here.
Public account: Operation and maintenance development story
GitHub: Github.com/orgs/sunsha…
Love life, love operation