2. Agenda
10/19/2018 (C) COPYRIGHT METAMAGIC GLOBAL INC., NEW JERSEY, USA 2
• Istio Introduction
• Setup
• Shopping Portal Microservice Deployment
• Canary Deployment
• Routing Rules based on User Agent and Weight
• Distributed Tracing
• Visualizing Metrics
3. Microservice In Kubernetes Clusters
[Diagram: Load balancer, Ingress, MS App1 Service and MS App2 Service (each with Endpoints), three MS App1 Pods, three MS App2 Pods]
• No Retries
• No Timeout
• No Routing decisions
• No intelligent load balancing
• No Encryption
• No Access Controls
• No Log Tracing
• No Access Control
4. Microservice In Istio
[Diagram: Load balancer, Gateway, Virtual Service; MS App1 Service and MS App2 Service, each with Endpoints and Destination Rules; MS App1 pod and MS App2 pod, each with an Envoy Proxy; control plane (Pilot, Mixer, Citadel) with the Control Plane API; Policy, Telemetry, TLS Config Data]
Benefits of Istio
• Specify retries
• Specify Timeout
• Routing decisions
• Intelligent load balancing
• Encryption
• Access Controls
• Log Tracing
• Access Control
5. Istio Setup
Follow the steps below to install Istio:
• wget https://github.com/istio/istio/releases/download/1.0.2/istio-1.0.2-linux.tar.gz
• tar -xzvf istio-1.0.2-linux.tar.gz
• cd istio-1.0.2
• echo 'export PATH="$PATH:/home/ubuntu/istio-1.0.2/bin"' >> ~/.profile
• Type "istioctl" to confirm the path is set up properly
If you are using minikube, make sure you have enabled ingress, metrics-server & heapster.
6. Istio Setup
Apply CRDs:
• kubectl apply -f ~/istio-1.0.2/install/kubernetes/helm/istio/templates/crds.yaml
Option 1: With no mutual TLS authentication
• kubectl apply -f ~/istio-1.0.2/install/kubernetes/istio-demo.yaml
Option 2: With mutual TLS authentication
• kubectl apply -f ~/istio-1.0.2/install/kubernetes/istio-demo-auth.yaml
Installation Verification
• kubectl get pods -n istio-system
• kubectl get svc -n istio-system
7. Shopping Portal Demo Microservice
This demo application deployment consists of four components:
• UI – Built using Angular
• MySQL – Database for storing and retrieving data
• Product Review Microservice
  • Endpoint exposed to get reviews based on product
• Product Microservice
  • Endpoints exposed to fetch products and get product details. When product-specific details are fetched, it internally calls the Product Review microservice to get the review.
Note: Deployment architecture diagram in next slide.
8. Shopping Portal - Istio
[Deployment architecture diagram. Labels: Load Balancer, Firewall, Gateway, Virtual Service with routes /ui, /productms and /productreview; UI Service, Product Service and Review Service, each with EndPoints, an internal load balancer and a Destination Rule; three UI Pods, three Product Pods, three Review Pods and a MySQL Pod (Deployment / Replica / Pod) placed on nodes N1 to N4; Istio Sidecar - Envoy; Istio Control Plane (Pilot, Mixer, Citadel); Kube DNS. Legend: Kubernetes Objects, Istio Objects, Service Call.]
9. Installing the sidecar
Each pod in the mesh must run an Istio-compatible sidecar. The sidecar can be injected manually or automatically.
• Manual injection using the command: $ istioctl kube-inject -f samples/sleep/sleep.yaml | kubectl apply -f -
• In our application we create a namespace that has Istio injection enabled, so every deployment made in that namespace gets the sidecar automatically.
• The namespace configuration is on Git. Use the command below to create the namespace:
$ kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/istio/shopping-ns.yaml
10. Create MySQL POD
Deploy the configuration YAML below using kubectl. This will create the MySQL Pod, Service and Persistent Volume.
• kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/mysqlfiles/mysql-secret.yaml
• kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/mysqlfiles/mysql-pv.yaml
• kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/mysqlfiles/mysql-pvc.yaml
• kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/mysqlfiles/mysql-dep.yaml
• kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/mysqlfiles/mysql-svc.yaml
• Use the command below to see the pods and services running.
• kubectl get pods,svc -n shoppingportal
You can see 2 containers running in the MySQL pod. One is the MySQL container and the other is the Envoy proxy.
11. Deploy Product Microservice
We will be deploying two versions of the Product Microservice, i.e. v1 (stable) and v2 (canary). As we have multiple versions, we need to provide destination rules. When we deploy the virtual service we will add routing rules to direct traffic to v2 based on some rules.
• Deploy the configuration YAML below using kubectl. This will create the Product Microservice Pod and Service.
kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/istio/product/product-v1.yaml
kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/istio/product/product-v2.yaml
kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/istio/product/product-destination.yaml
kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/istio/product/product-service.yaml
• Use the command below to see the number of pods and services running.
• kubectl get pods,svc -n shoppingportal
Two versions of the product microservice are deployed, each pod containing 2 containers. One is the product microservice container and the other is the Envoy proxy.
12. Deploy Review Microservice
• Deploy the configuration YAML below using kubectl. This will create the Product Review Microservice Pod and Service.
kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/istio/productreview/productreview-v1.yaml
kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/istio/productreview/productreview-service.yaml
• Use the command below to see the number of pods and services running.
kubectl get pods,svc -n shoppingportal
You can see 2 containers running in the Product Review pod. One is the product microservice container and the other is the Envoy proxy.
13. Deploy UI
We will be deploying two versions of the UI, i.e. v1 (stable) and v2 (canary). As we have multiple versions, we need to provide destination rules. When we deploy the virtual service we will add routing rules to direct traffic to v2 based on some rules.
• Deploy the configuration YAML below using kubectl. This will create the UI Pod and Service.
kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/istio/ui/ui-v1.yaml
kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/istio/ui/ui-v2.yaml
kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/istio/ui/ui-destination.yaml
kubectl create -f https://raw.githubusercontent.com/meta-magic/kubernetes_workshop/master/yaml/istio/ui/ui-service.yaml
• Use the command below to see the number of pods and services running.
kubectl get pods,svc -n shoppingportal
Two versions of the UI are deployed, each pod containing 2 containers. One is the UI container and the other is the Envoy proxy.
14. Ingress using an Istio Gateway
A Gateway describes a load balancer operating at the edge of the mesh, receiving incoming or outgoing HTTP/TCP connections. The specification describes a set of ports that should be exposed and the type of protocol to use.
Let’s see how you can configure a Gateway on port 80 for HTTP traffic.
Note: Unlike Kubernetes Ingress resources, a Gateway does not include any traffic routing configuration. Traffic routing for ingress traffic is instead configured using Istio routing rules.
15. Virtual Service: Configure routes for traffic entering via the Gateway
A Virtual Service defines a set of traffic routing rules to apply when a host is addressed. Each routing rule defines matching criteria for traffic of a specific protocol. If the traffic is matched, then it is sent to a named destination service.
• Request from any host
• Route any HTTP request with ”/ui..” to UI service
• Route any HTTP request with ”/productms..” to Product service
• Route any HTTP request with ”/productreviewms..” to Product service
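The Gateway and Virtual Service described on the last two slides, written out as Istio 1.0 `networking.istio.io/v1alpha3` resources. This is an added example, not the workshop's own YAML: the resource names and the three service hosts are assumptions, and the `/productreviewms` route is sent to the review service to match the curl test on the demo slide.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: shopping-gateway           # assumed name
  namespace: shoppingportal
spec:
  selector:
    istio: ingressgateway          # the ingress gateway pod in istio-system
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"                          # request from any host
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: shopping-virtualservice    # assumed name
  namespace: shoppingportal
spec:
  hosts:
  - "*"
  gateways:
  - shopping-gateway               # routing lives here, not in the Gateway
  http:
  - match:
    - uri:
        prefix: /ui
    route:
    - destination:
        host: ui-service           # assumed Kubernetes Service name
  - match:
    - uri:
        prefix: /productms
    route:
    - destination:
        host: product-service      # assumed Kubernetes Service name
  - match:
    - uri:
        prefix: /productreviewms
    route:
    - destination:
        host: productreview-service  # assumed Kubernetes Service name
```

A wildcard host on plain HTTP suits a minikube demo; on a reachable cluster, list the expected hostnames and serve them from a port 443 server with a `tls` block.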
16. Demo – Version 1
Before you start the demo, we need the IP and port of the ingress gateway. Use the command below to get them.
kubectl get svc -n istio-system
Note: As I am using minikube, the external IP address shows as Pending. On a cloud provider you will get an actual hostname or IP.
• Open the link below in a browser and check out the UI
http://192.168.99.100:31380/ui/#/catlogue
• To test the product and product review microservice endpoints, use the curl commands below
• curl http://192.168.99.100:31380/productms/product/catalogue
• curl http://192.168.99.100:31380/productreviewms/productreview/1
17. Canary Deployment: Traffic routing based on User Agent
The idea behind canary deployment (or rollout) is to introduce a new version of a service by first testing it using a small percentage of user traffic.
Any request to the UI coming from a Firefox browser will be routed to the canary deployment version of the UI. If the request is from any other browser, it will be routed to the stable version.
Any request to the Product Microservice with the header "end-user:metamagic" will be routed to the canary deployment of the product microservice. If the header doesn’t match, the request will be routed to the stable version.
18. Canary Deployment: Traffic routing based on Weight
The idea behind canary deployment (or rollout) is to introduce a new version of a service by first testing it using a small percentage of user traffic.
80% of requests are sent to the stable version and 20% to the canary deployment.
20. Distributed Tracing: Using Istio + Jaeger
This task shows you how Istio-enabled applications can be configured to collect trace spans. Tracing is enabled by default when Istio is installed.
Enable the Jaeger console using port forwarding:
kubectl port-forward -n istio-system $(kubectl get pod -n istio-system -l app=jaeger -o jsonpath='{.items[0].metadata.name}') 16686:16686
21. Envoy and Open Tracing
OpenTracing is vendor neutral, and therefore we also have to supply a tracer implementation. In our microservice example "Product and Product review" we are using Jaeger tracing. Envoy uses B3 propagation, which is not enabled in Jaeger by default and has to be registered explicitly. Check the Product MS code, which explains how to enable it.
Open the Jaeger console: http://localhost:16686/search
25. Visualizing Metrics with Grafana
• This task shows you how to set up and use the Istio Dashboard to monitor mesh traffic. As part of this task, you will install the Grafana Istio add-on and use the web-based interface for viewing service mesh traffic data.
• Verify that the Prometheus and Grafana services are running in your cluster
• Open the Istio Dashboard via the Grafana UI
kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=grafana -o jsonpath='{.items[0].metadata.name}') 3000:3000 &