ISTIO is one of the big trends these days. Red Hat will support Service Mesh from OpenShift 4.0. This presentation contains an interactive demo using a chat application.
2. Who am I?
Jooho Lee
Senior Technical Account Manager in Toronto Red Hat
OpenShift User Group Administrator in Facebook
Ansible User Group Administrator in Facebook
3. Feature Lists
Routing & Load Balancing
Service Discovery
Failures, Timeouts and Retries
Monitoring, Metrics and Tracing
Logging
Back Pressure and Shadowing
A/B Testing
Rate Limiting
Authentication and Authorization
Security
Access Control
Circuit Breaking
5. Netflix OSS
● A set of frameworks to solve microservice problems at scale
○ Hystrix, Zuul, Eureka, Zipkin, Ribbon, Atlas
● Only Java support
➔ Different frameworks for different languages
◆ Spring, Node, Go?
➔ Inconsistent
➔ Built right into the apps
For Polyglot Programming?
7. Main Components
● Envoy
○ Deployed as a sidecar to intercept all inbound and outbound traffic. Istio uses the many features of Envoy Proxy in a transparent, agnostic way
● Mixer
○ Mixer acts on request attributes from each Envoy. This allows for advanced access control, usage and telemetry
● Pilot
○ Pilot abstracts and controls. Using your defined rules around traffic management, routing and resiliency, it converts and sends the config to the Envoy proxies
● Citadel
○ Key and cert management for secure service to service and end user authentication.
8. Control Plane - ISTIO-SYSTEM
Diagram: Egress Gateway, Ingress Gateway, Sidecar-Injector, Statsd-Prom-Bridge, Cleanup-Secrets, Citadel, Galley, Pilot, Policy, Telemetry, Mixer, Grafana, Grafana-post, Tracing, Prometheus, Service Graph
12. The I to O of ISTIO
Show me some cool things!
● Install ISTIO!!
● Demo 1 - Base Deployment (Get Ready)
● Demo 2 - Smart Canaries - Routing Based on Headers
● Demo 3 - Smart Canaries - Egress Traffic
● Demo 4 - Smart Canaries - Canary Deployment
● Demo 5 - Service Resiliency - Load Balancing
● Demo 6 - Service Resiliency - Pod Ejection
● Demo 7 - Service Resiliency - Timeout
● Demo 8 - Chaos Testing - Retry + Fault Inject
● Demo 9 - Service Resiliency - Circuit Breaker
● Demo 10 - Monitoring - Tracing, Metrics
13. Demo 1 - Base Deployment
Diagram: Client(ETC), Client(Android), Client(Apple), Server, API-Server (Auth), Redis, CDN
Please Connect
⇒chat-client.apps.toronto.openshiftworkshop.com
14. Demo 2 - Smart Canaries, Routing on Headers
chat-client.apps.toronto.openshiftworkshop.com
Diagram: Client(ETC), Client(Android), Client(Apple), Server, API-Server (Auth), Redis, CDN
Check
● Refresh page
○ Check the log on top left
● Go to chat room
○ Refresh page
■ Messages gone
Next
● Allow Egress(CDN) from chat server
15. Demo 3 - Smart Canaries, Egress Traffic
chat-client.apps.toronto.openshiftworkshop.com
Diagram: Client(ETC), Client(Android), Client(Apple), Server, API-Server (Auth), Redis, CDN
Check
● Refresh page
○ Red Hat Logo is shown
Next
● Deploy V2 Chat Server
16. Demo 4 - Smart Canaries, Canary Deployment
chat-client.apps.toronto.openshiftworkshop.com
Diagram: Client(ETC), Client(Android), Client(Apple), Server (v1), Server (v2), API-Server (Auth), Redis
Check
● Login → Chat Room
○ Check Server Version
○ 90/10 Distribution
○ All messages remained
Next
● Rollback virtual service of chat-server to initial state
● Scale Out Server v2 to 3
● Load Balancing
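The 90/10 distribution checked in Demo 4 maps to a weighted route, shown here as an added example that is not taken from the original deck. The service name `chat-server`, the `version` pod labels and which version receives the 90% share are assumptions.

```yaml
# Added example (not from the deck). Assumed: service "chat-server",
# pods labelled version=v1 / version=v2, and v1 keeping the 90% share.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: chat-server
spec:
  host: chat-server
  subsets:                 # named groups of pods selected by label
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: chat-server
spec:
  hosts:
  - chat-server
  http:
  - route:
    - destination:
        host: chat-server
        subset: v1
      weight: 90           # existing version keeps most of the traffic
    - destination:
        host: chat-server
        subset: v2
      weight: 10           # canary share; weights must sum to 100
```

Deleting this VirtualService returns routing to the plain Kubernetes service, where the split follows the number of pods per version, as in the ¼ and ¾ check of Demo 5.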
17. Demo 5 - Service Resiliency & Load Balancing
chat-client.apps.toronto.openshiftworkshop.com
Diagram: Client(ETC), Client(Android), Client(Apple), Server (v1), Server (v2), Server (v2), Server (v2), API-Server (Auth), Redis
Check
● ¼ users -> v1 (25%)
● ¾ users -> v2 (75%)
● Add Destination Rule (LB: RANDOM)
○ Randomly pick v1 and v2
Next
● Scale Down Server v2 to 1
● Scale Out API-Server to 2
● 503 occurs on one of the API Servers
18. Demo 6 - Service Resiliency, Pod Ejection
chat-client.apps.toronto.openshiftworkshop.com
Diagram: Client(ETC), Client(Android), Client(Apple), Server (v1), Server (v2), API-Server (Auth), API-Server (Auth) [503], Redis
Check
● POD Ejection
○ The problematic pod will be ejected from service
Next
● Long Tasks(5sec)
● Set 1s timeout from chat server to auth
19. Demo 7 - Service Resiliency, Timeouts
chat-client.apps.toronto.openshiftworkshop.com
Diagram: Client(ETC), Client(Android), Client(Apple), Server (v1), Server (v2), API-Server (Auth), API-Server (Auth), Redis; labels: Timeout, Long Task
Check
● Response time has to be under 1 sec
Next
● Scale Down API Server to 1
● Give fault inject (Server → Auth)
● Set retry policy (Server → Auth)
20. Demo 8 - Chaos Testing, Retry, Fault Injection
chat-client.apps.toronto.openshiftworkshop.com
Diagram: Client(ETC), Client(Android), Client(Apple), Server (v1), Server (v2), API-Server (Auth), Redis; labels: 503 Fault Injection, Retry
Check
● No 503 errors
Next
● Give fault inject (Server → Auth)
● Set retry policy (Server → Auth)
21. Demo 9 - Service Resiliency, Circuit Breaker
chat-client.apps.toronto.openshiftworkshop.com
Diagram: Client(ETC), Client(Android), Client(Apple), Server (v1), Server (v2), API-Server (Auth) [503], Redis
Check
● 503 errors if there are many requests by circuit breaker
Next
● Metrics
● Tracing
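The settings behind pod ejection (Demo 6), the 1s timeout (Demo 7), the retry policy (Demo 8) and the circuit breaker (Demo 9) can be expressed on the Server → Auth hop as below; this is an added example, not configuration from the original deck. The service name `api-server` and every threshold except the 1s timeout are assumptions, and the fault injection of Demo 8 is not shown.

```yaml
# Added example (not from the deck). Assumed: service "api-server" and
# all numeric thresholds except the 1s timeout named on the slide.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: api-server
spec:
  host: api-server
  trafficPolicy:
    connectionPool:               # Demo 9: circuit breaker limits
      http:
        http1MaxPendingRequests: 1   # queue at most one waiting request
        maxRequestsPerConnection: 1  # no connection reuse
    outlierDetection:             # Demo 6: eject the pod returning 503
      consecutiveErrors: 1        # newer Istio releases: consecutive5xxErrors
      interval: 5s                # how often hosts are evaluated
      baseEjectionTime: 30s       # minimum time a pod stays ejected
      maxEjectionPercent: 100     # allow ejecting every failing pod
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: api-server
spec:
  hosts:
  - api-server
  http:
  - route:
    - destination:
        host: api-server
    timeout: 1s                   # Demo 7: overall budget per request
    retries:                      # Demo 8: retry failed attempts
      attempts: 3
      perTryTimeout: 300ms        # keeps three tries inside the 1s budget
```

With the connection pool this tight, excess concurrent requests are rejected by the calling sidecar with a 503 instead of queuing on the auth service, which is the behaviour the Demo 9 check describes.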
22. Demo 10 - Monitoring and Tracing
http://prometheus-istio-system.apps.toronto.openshiftworkshop.com
23. Demo 10 - Monitoring and Metrics
http://grafana-istio-system.apps.toronto.openshiftworkshop.com