Overview Of ISTIO Mesh

Recently I was working on a private 5G deployment, a military project for one of the nations in Europe. My task was to deploy a Kubernetes cluster hosting a federation of microservices that together implement a Cloud-Native Network Function (CNF). The deployment was split into two kinds of components: 5G application components and PaaS components.

Our main application components for the core network were:

  • fed-nrf – Network Repository Function (NRF)
  • fed-amf – Access and Mobility Management Function (AMF)
  • fed-nssf – Network Slice Selection Function (NSSF)
  • fed-smf – Session Management Function (SMF)
  • fed-upf – User Plane Function (UPF)

There were 23 PaaS components, among them fed-sriovdp, fed-metallb, fed-crds, fed-rbac, fed-postgres, fed-db_etcd, fed-alerta, fed-db_mongo_ram, fed-kafka, fed-kubedb-operator, fed-elastic, fed-service-reg and fed-istio. The Istio service mesh, which connects the microservices, is our topic today.

These PaaS components are infrastructure components, common across domains: it does not matter whether you run a banking application, a content streaming application or anything else. It is the Istio service mesh that connects the microservices. The components may need some fine tuning for a particular application, but the base remains the same. Let me draw an analogy to explain this.

Ever wondered how Indian restaurants prepare so many different curries within minutes? The answer is the multipurpose basic curry sauce, or curry base: prepare it once, refrigerate it, and use it for dishes like kadai paneer, matar (peas) paneer, cashew masala or mixed veg gravy. Depending on the dish you order, the chef takes the basic curry sauce and combines it with the remaining ingredients.

Our PaaS is similar to the curry base: a reusable layer that can support every microservice we intend to run.

Our topic of discussion for today is Istio (from the Greek word for "sail"). Istio was launched in May 2017 by Google, IBM and Lyft; Google's Varun Talwar and Louis Ryan were among its creators, and Lyft contributed the Envoy proxy it is built on. Istio is a service mesh networking layer that provides a transparent way to automate application network functions (connecting microservices). It is a solution for managing the many microservices that make up a cloud-native application.

Istio is logically divided into a data plane and a control plane; together they make up the service mesh.

  • Data plane – a set of intelligent proxies (Envoy) deployed as sidecars. The proxies mediate and control all network communication between services and collect telemetry on it;
  • Control plane – manages and configures the proxies to route traffic and to enforce policy.

Istio components

The component names below are those of the original Istio architecture (up to release 1.4). Since Istio 1.5, Pilot, Citadel and Galley are compiled into a single binary, istiod, which is what istioctl install deploys below; Mixer was deprecated in 1.5 and removed in 1.8, with policy enforcement and telemetry now done inside the Envoy proxy itself. The responsibilities did not change, only where they live:

  • Envoy – a high-performance proxy that carries all inbound and outbound traffic for every service;
  • Mixer (legacy) – enforced access control and usage policies across the mesh and collected telemetry from the Envoy proxies and other services;
  • Pilot – service discovery for the Envoy sidecars, plus intelligent traffic routing and resilience features (timeouts, retries, circuit breakers);
  • Citadel – the certificate authority that issues workload identities, giving strong service-to-service and end-user authentication;
  • Galley – configuration validation, ingestion and distribution. It isolates the other Istio components from the details of the underlying platform's (Kubernetes) configuration.

Istio supports multiple cluster models, network models, control plane models, identity and trust models, mesh models and tenancy models. Because of this versatility it has become widely popular for microservice communication.

Consider the microservices without a service mesh. In that scenario there is no encryption of, and no control over, the communication between the 5G application components, no metric gathering and no retry mechanism. Building these into every application is the wrong place for them: the AMF is expected to handle connection and mobility management, and the SMF session management, not TLS handshakes, retries and telemetry. These inter-microservice concerns are therefore offloaded to Istio. The service mesh lets application developers stay focused on the business logic of loosely coupled microservices without worrying about communication logic and security.

The service mesh provides observability, service discovery and load balancing through components that are controlled via APIs.

In effect, when a service wants to call another service there is no direct call to the destination. The request is routed to the local proxy, and the proxy forwards it to the destination service's proxy. The service instance is unaware of the outside world and only ever talks to its local proxy. (In Kubernetes this is done by the istio-init init container, which programs iptables rules in the pod's network namespace to redirect inbound and outbound traffic to the Envoy sidecar; that is the Init:0/1 stage you see when the pods start below.)

So, beyond the business logic that stays in the application, Istio provides communication control, security between components and retry logic.

There is no need to change the application itself: the sidecar proxies take over the data plane, and every change is made in the control plane through Istio configuration resources.
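As an added example (not code from the original post or the 5G project), here is how the retry, timeout and circuit-breaking behaviour described above is configured purely in the control plane, so the AMF calling the SMF gets resilience without a line of AMF or SMF code changing. The Kubernetes Service name fed-smf, the namespace core5g and port 8080 are assumptions; the post does not give the real names.

```yaml
# Added example, not from the original post: mesh-side resilience for
# calls to the SMF. Assumed names: Service "fed-smf" in namespace "core5g",
# serving HTTP on port 8080, called by the AMF's sidecar.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: fed-smf
  namespace: core5g
spec:
  hosts:
  - fed-smf                      # short name resolves inside the namespace
  http:
  - route:
    - destination:
        host: fed-smf
        port:
          number: 8080
    timeout: 3s                  # overall budget for the request, retries included
    retries:
      attempts: 2                # total of 3 tries; keep small for control-plane RPCs
      perTryTimeout: 1s
      # Retry only on transport-level failures and server errors, never on a
      # timeout: a slow POST that did reach the SMF must not be replayed.
      retryOn: connect-failure,reset,5xx
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: fed-smf
  namespace: core5g
spec:
  host: fed-smf
  trafficPolicy:
    connectionPool:              # bulkhead: cap what one caller can open
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 100
        http2MaxRequests: 1000
        maxRequestsPerConnection: 10
    outlierDetection:            # circuit breaker: eject endpoints that keep failing
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50     # always keep at least half the endpoints in rotation
```

Apply it with kubectl apply -f and confirm with istioctl analyze -n core5g. One caveat a practitioner should keep in mind: retries are safe only for idempotent operations. If an SMF request creates state (a PDU session, for instance), a retry after a mid-flight failure can create it twice, so either scope retries to the idempotent routes with a match block or make the SMF handler idempotent before enabling them.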

Let us deploy the Istio mesh. We will use the Bookinfo sample application that ships with Istio; it behaves like any other application, the 5G ecosystem included.

Let's start by downloading Istio. On a lab host the download script is convenient; on a production host, pin the release (ISTIO_VERSION=1.17.1 in the environment of the script) and verify the archive's checksum from the GitHub release page rather than piping an unreviewed script straight into a root shell.

[root@kubernetesM ~]# curl -L https://istio.io/downloadIstio | sh -
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 102 100 102 0 0 346 0 --:--:-- --:--:-- --:--:-- 346
100 4856 100 4856 0 0 9465 0 --:--:-- --:--:-- --:--:-- 31329
Downloading istio-1.17.1 from https://github.com/istio/istio/releases/download/1.17.1/istio-1.17.1-linux-amd64.tar.gz ...
Istio 1.17.1 Download Complete!
Istio has been successfully downloaded into the istio-1.17.1 folder on your system.

Add the istioctl client to your PATH and run the pre-check.

[root@kubernetesM istio-1.17.1]# export PATH=$PWD/bin:$PATH

[root@kubernetesM istio-1.17.1]# istioctl x precheck

✔ No issues found when checking the cluster. Istio is safe to install or upgrade!

Install Istio with the demo profile. The demo profile is built for evaluation: it deploys both the ingress and egress gateways with minimal resource requests and 100% trace sampling, and it is not intended for production, where the default profile is the starting point. Whatever the profile, peer authentication starts in PERMISSIVE mode (sidecars accept both plaintext and mutual TLS) until you explicitly set it to STRICT.

[root@kubernetesM istio-1.17.1]# istioctl install --set profile=demo -y
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete Making this installation the default for injection and validation.

Label the namespace so that Istio automatically injects the Envoy sidecar proxy into every pod created there. Once injection is enabled, kubectl get pods shows 2/2 containers per pod: the application container and the Envoy sidecar (istio-proxy).

[root@kubernetesM istio-1.17.1]# kubectl label namespace default istio-injection=enabled
namespace/default labeled
[root@kubernetesM istio-1.17.1]# kubectl get ns
NAME STATUS AGE
default Active 10h
istio-system Active 2m8s
kube-flannel Active 9h
kube-node-lease Active 10h
kube-public Active 10h
kube-system Active 10h
[root@kubernetesM istio-1.17.1]# kubectl get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 10h

Deploy the application

[root@kubernetesM kube]# kubectl apply -f /root/istio-1.17.1/samples/bookinfo/platform/kube/bookinfo.yaml
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
[root@kubernetesM kube]# kubectl get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
details ClusterIP 10.108.90.152 <none> 9080/TCP 20s
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 10h
productpage ClusterIP 10.96.106.253 <none> 9080/TCP 20s
ratings ClusterIP 10.110.103.143 <none> 9080/TCP 20s
reviews ClusterIP 10.99.25.114 <none> 9080/TCP 20s
[root@kubernetesM kube]# kubectl get pods
NAME READY STATUS RESTARTS AGE
details-v1-698b5d8c98-gq2hc 0/2 PodInitializing 0 34s
productpage-v1-bf4b489d8-8vfcn 0/2 Init:0/1 0 34s
ratings-v1-5967f59c58-66mpv 0/2 Init:0/1 0 34s
reviews-v1-9c6bb6658-g9d6g 0/2 PodInitializing 0 34s
reviews-v2-8454bb78d8-vh8j4 0/2 PodInitializing 0 34s
reviews-v3-6dc9897554-c5rds 0/2 Init:0/1 0 34s
[root@kubernetesM kube]# kubectl get pods
NAME READY STATUS RESTARTS AGE
details-v1-698b5d8c98-gq2hc 2/2 Running 0 2m22s
productpage-v1-bf4b489d8-8vfcn 1/2 Running 0 2m22s
ratings-v1-5967f59c58-66mpv 2/2 Running 0 2m22s
reviews-v1-9c6bb6658-g9d6g 2/2 Running 0 2m22s
reviews-v2-8454bb78d8-vh8j4 2/2 Running 0 2m22s
reviews-v3-6dc9897554-c5rds 2/2 Running 0 2m22s
Run this command to see whether the app is running inside the cluster and serving HTML pages, by checking for the page title in the response:

[root@kubernetesM addons]# kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"

<title>Simple Bookstore App</title>

Associate this application with the Istio gateway:

[root@kubernetesM networking]# kubectl apply -f /root/istio-1.17.1/samples/bookinfo/networking/bookinfo-gateway.yaml
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created
[root@kubernetesM networking]# istioctl analyze
✔ No validation issues found when analyzing namespace: default.

Determine the ingress IP and ports and build the gateway URL.

[root@kubernetesM networking]# kubectl get svc istio-ingressgateway -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.103.36.111 <pending> 15021:32746/TCP,80:32550/TCP,443:31628/TCP,31400:31292/TCP,15443:31665/TCP 16m

The EXTERNAL-IP stays <pending> because this lab cluster has no load-balancer provisioner (unlike the production platform, which had fed-metallb). With an external load balancer you would take the address and the service ports:

[root@kubernetesM networking]# export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
[root@kubernetesM networking]# export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
[root@kubernetesM networking]# export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')

Without one, INGRESS_HOST comes back empty, so fall back to the NodePorts and the IP of the node that runs the gateway pod:

[root@kubernetesM networking]# export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
[root@kubernetesM networking]# export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
[root@kubernetesM networking]# export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')
[root@kubernetesM networking]# export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
[root@kubernetesM networking]# echo "$GATEWAY_URL"
192.168.0.41:32550
[root@kubernetesM networking]# echo "http://$GATEWAY_URL/productpage"

http://192.168.0.41:32550/productpage

Note that the NodePort exposes plain HTTP (port 80 of the gateway); the https NodePort 31628 only serves TLS once a Gateway resource with a tls block and a certificate is configured for it.

Our microservices now communicate through the Istio mesh: every call between the Bookinfo services goes sidecar to sidecar, and external traffic enters through the ingress gateway.
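As installed, the mesh still accepts plaintext alongside mutual TLS and lets any workload call any other, so the "encryption and control" benefits from earlier in the post are not yet enforced. The following policies are an added example, not part of the original post or the Istio Bookinfo sample: they switch the mesh to STRICT mutual TLS and restrict each Bookinfo service to its real callers, using the service accounts created by bookinfo.yaml above. The gateway's identity assumes the demo profile's default service account, istio-ingressgateway-service-account in istio-system.

```yaml
# Added example, not from the original post or the Bookinfo sample.
# 1. Mesh-wide STRICT mTLS: sidecars refuse plaintext from peers.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system        # root namespace => applies to the whole mesh
spec:
  mtls:
    mode: STRICT                 # default is PERMISSIVE (plaintext also accepted)
---
# 2. Default deny for the application namespace. An empty spec matches
#    nothing, so every request to every workload in the namespace is denied
#    unless a more specific ALLOW policy matches it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: default
spec: {}
---
# 3. productpage is reachable only from the ingress gateway.
#    Assumption: the demo profile's gateway service account name.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
    to:
    - operation:
        methods: ["GET"]
---
# 4. details and reviews accept calls only from productpage's identity.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: details-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      app: details
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
    to:
    - operation:
        methods: ["GET"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
    to:
    - operation:
        methods: ["GET"]
---
# 5. ratings is called only by reviews (v2 and v3), never by productpage.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ratings-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      app: ratings
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-reviews"]
    to:
    - operation:
        methods: ["GET"]
```

The principals are SPIFFE identities, cluster.local/ns/<namespace>/sa/<service account>, which Istio proves with the workload certificate; that is why STRICT mTLS and authorization belong together, since without mTLS there is no verified peer identity to authorize. After kubectl apply -f, http://$GATEWAY_URL/productpage still loads, but the in-cluster check used earlier in this post (curl from the ratings pod to productpage) now returns HTTP 403 with the body "RBAC: access denied", because ratings is not an allowed caller of productpage. Roll STRICT out namespace by namespace in a real cluster, and first confirm with istioctl x describe pod <pod> that every workload which calls mesh services actually has a sidecar, otherwise its plaintext connections will be refused.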

Thank you for reading my blog. Please reach out to me with any queries and suggestions.
