Leveraging Istio Pilot for NonK8s

OSCON - July 2018

Leveraging Istio's Pilot Adapters for Non-Kubernetes Platforms

Christopher M Luciano

July 17, 2018

Transcript

  1. Leveraging Istio's Pilot Adapters for Non-Kubernetes Platforms
     July 2018 OSCON, Portland
     Nimesh Bhatia (IBM) | Christopher M Luciano (IBM)
  2. Agenda
     • The case for Istio
     • Basics of Istio
     • Pilot for Multi Environment Support
       § Consul and Eureka
       § Demo
  3. Milestone 1 - Solve the problem
     Monolith Application – v 0.01 approach
     [Diagram labels: Users; Developers; My Special Application]
     Advantages
     • Quick to start
     • Solve the problem
     • Easy to manage
     • Simple deployment
     Challenges
     • Longer release cycles
     • Hard to maintain
     • Slows down agility
     • Scaling gets challenging with growth
  4. Milestone 2 – Lay foundation for growth
     Microservices Application Architecture
     • Distributed Architecture
     • Decoupled Components
     • Standard Interface
     • Build Faster
     • Continuous Delivery
     • Iterate Often
     [Diagram labels: My Special Application; Micro Service (×6)]
  5. Milestone 3 – Stable, Scalable, & Secure for Web scale
     • A/B Testing
     • Canary deployments
     • Rate limiting
     • Circuit Breaking
     • Fault injection
     • Security
     • Policy management
     [Diagram labels: Control Plane; Data Plane; Service Discovery; Telemetry; Service Registry; Access Control; Routing Rules; Resiliency Features; Service A, Envoy; Service B, Envoy; Service C, Envoy]
  6. Envoy
     Intelligent proxy deployed as a sidecar
     • Intercepts & manages network traffic
     • Security/Identity
     • TLS termination
     • Low memory footprint
     • Language Agnostic
  7. Pilot
     Provides service discovery and asynchronously configures the Envoy sidecar
     [Diagram labels: Pilot; Pod, Service 1, Envoy; Pod, Service 2, Envoy]
  8. Mixer
     Enforces access control and usage policy, and provides telemetry collection
     [Diagram labels: Pilot; Mixer; Pod, Service 1, Envoy; Pod, Service 2, Envoy]
  9. Istio Metrics
     • Metrics without instrumenting apps
     • Consistent metrics across fleet
     • Trace flow of requests across services
     • Portable across metric backend providers
  10. Multi Environment Support using Pilot
      § Not all applications run on Kubernetes
      § Istio Pilot can run standalone outside Kubernetes
      § Pilot supports
        • integration with VMs
        • Service discovery systems like Consul and Eureka
      [Diagram labels: Pilot; Platform Adapter; Abstract Model; Envoy APIs; Envoy Proxy (×3)]
  11. Consul
      § Consul is an open source service discovery tool
      § Consul provides service discovery APIs
      § Pilot's adapter can be configured to use Consul service discovery data
      [Diagram labels: Consul; Service Discovery Data; Pilot; Platform Adapter; Abstract Model; Envoy APIs; Envoy Proxy (×3)]
  12. Eureka
      § Eureka is a REST-based service for cloud service discovery
      § It can provide load balancing (using Ribbon) and failover for mid-tier services
      § Pilot provides an adapter to integrate with Eureka
      § Istio Sidecar enables quick integration with non-Java services
      [Diagram labels: Eureka; Service Discovery Data; Pilot; Platform Adapter; Abstract Model; Envoy APIs; Envoy Proxy (×3)]
  13. VirtualServices for Traffic Management

      ```yaml
      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: reviews-v2-launch
      spec:
        hosts:
        - reviews.service.consul
        http:
        # Requests whose User-Agent matches the regex go to subset v2.
        - match:
          - headers:
              user-agent:
                regex: "(iPod|iPhone|iPad)"
          route:
          - destination:
              host: reviews.service.consul
              subset: v2
        # Everything else falls through to subset v1.
        - route:
          - destination:
              host: reviews.service.consul
              subset: v1
      ```
  14. DestinationRule

      ```yaml
      apiVersion: networking.istio.io/v1alpha3
      kind: DestinationRule
      metadata:
        name: productpage
      spec:
        host: productpage.service.consul
        trafficPolicy:
          connectionPool:
            tcp:
              maxConnections: 1
            http:
              http1MaxPendingRequests: 1
              maxRequestsPerConnection: 1
          outlierDetection:
            http:
              consecutiveErrors: 1
              interval: 1s
              baseEjectionTime: 3m
              maxEjectionPercent: 100
      ```
  15. Fault injection

      ```yaml
      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: ratings
      spec:
        hosts:
        - ratings.service.consul
        http:
        - match:
          - headers:
              cookie:
                regex: "^(.*?;)?(user=jason)(;.*)?$"
          fault:
            delay:
              percent: 100
              fixedDelay: 2s
          route:
          - destination:
              host: ratings.service.consul
              subset: v1
        - route:
          - destination:
              host: ratings.service.consul
              subset: v1
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: reviews
      spec:
        hosts:
        - reviews.service.consul
        http:
        - route:
          - destination:
              host: reviews.service.consul
              subset: v2
          timeout: 1s
      ```
  16. Pilot Adapter Decomposition
      [Diagram labels: Pilot; MCP Client; Envoy APIs; Envoy Proxy (×3); Galley; K8s Config; File-based config; Pilot Adapter; Services; Endpoints]
  17. Istio & SPIFFE
      [Diagram labels: Service 1; Service 2; Istio Certificate Authority; Issue & Mount Keys (×2)]
      SAN: "spiffe://myorg.com/ns/prod/sa/foo"
        - Namespace: prod
        - Service account: foo
      SAN: "spiffe://myorg.com/ns/prod/sa/bar"
        - Namespace: prod
        - Service account: bar
  18. Istio & SPIFFE
      [Diagram labels: Service 1; Service 2; Istio Certificate Authority; Mutual TLS & Secure Naming]
      SAN: "spiffe://myorg.com/ns/prod/sa/foo"
        - Namespace: prod
        - Service account: foo
      SAN: "spiffe://myorg.com/ns/prod/sa/bar"
        - Namespace: prod
        - Service account: bar
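
The secure-naming check behind slides 17 and 18, as an added Go example that is not from the deck or from the Istio code base: it parses the SPIFFE URI SAN format shown on the slides and verifies that the peer's identity is one allowed to run the service being called. The service names `service-1` and `service-2`, their mapping to the `foo` and `bar` service accounts, and all function names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Identity is the workload identity carried in a certificate's URI SAN.
type Identity struct{ TrustDomain, Namespace, ServiceAccount string }

// ParseIstioSPIFFE accepts only spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>
// and rejects userinfo, ports, queries, fragments and extra path segments.
func ParseIstioSPIFFE(san string) (Identity, error) {
	u, err := url.Parse(san)
	if err != nil {
		return Identity{}, err
	}
	if u.Scheme != "spiffe" || u.Host == "" || u.User != nil || u.Port() != "" ||
		u.RawQuery != "" || u.Fragment != "" {
		return Identity{}, errors.New("not a valid SPIFFE ID")
	}
	p := strings.Split(strings.TrimPrefix(u.Path, "/"), "/")
	if len(p) != 4 || p[0] != "ns" || p[2] != "sa" || p[1] == "" || p[3] == "" {
		return Identity{}, errors.New("path is not /ns/<namespace>/sa/<service-account>")
	}
	return Identity{u.Host, p[1], p[3]}, nil
}

// SecureNaming maps a service name to the identities allowed to run it.
// Constructed sample data: the service names are hypothetical.
var SecureNaming = map[string][]Identity{
	"service-1": {{"myorg.com", "prod", "foo"}},
	"service-2": {{"myorg.com", "prod", "bar"}},
}

// Authorized reports whether peerSAN is an identity allowed to serve `service`.
func Authorized(service, peerSAN string) bool {
	id, err := ParseIstioSPIFFE(peerSAN)
	for _, allowed := range SecureNaming[service] {
		if err == nil && allowed == id {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(Authorized("service-1", "spiffe://myorg.com/ns/prod/sa/foo")) // true
}
```

A certificate that is valid under the same CA but carries the `bar` identity is refused for `service-1`, which is the property secure naming adds on top of mutual TLS.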