Build and deploy cloud native Java microservices on Kubernetes with Istio service mesh

Transcript

1. @deepu105 @oktaDev Build and deploy cloud native Java microservices on

   Kubernetes with Istio service mesh Deepu K Sasidharan @deepu105 | deepu.tech

2. @deepu105 @oktaDev Hi, I’m Deepu K Sasidharan ➔ JHipster co-lead

   developer ➔ Java Champion ➔ Creator of KDash, JDL Studio ➔ Developer Advocate @ Auth0 by Okta ➔ Polyglot dev, OSS aficionado, author, speaker @deepu105 deepu.tech deepu105 deepu05

3. @deepu105 @oktaDev Cloud Native Microservices with a service mesh

4. @deepu105 @oktaDev What does Istio do? • Secure service-to-service communication

   • Service discovery  • Automatic load balancing  • Routing, circuit breaking, retries, fail-overs, fault injection • Policy layer for access control, rate limiting, A/B testing, canary rollouts, traffic splits, and quotas • Automatic Metrics, logs, and traces 

5. @deepu105 @oktaDev Istio architecture

6. @deepu105 @oktaDev Prepare cluster

7. @deepu105 @oktaDev Prerequisite - Kubernetes Cluster Create GCP Project :

   $ gcloud config set compute/region europe-west1 $ gcloud config set compute/zone europe-west1-b $ gcloud projects create istio-demo - Enable billing via GUI $ gcloud config set project istio-demo $ gcloud services enable container.googleapis.com Create GKE Cluster : $ gcloud container clusters create hello-hipster \ --num-nodes 4 \ --machine-type n1-standard-2 Set Credentials: $ gcloud container clusters get-credentials hello-hipster

8. @deepu105 @oktaDev GKE Cluster

9. @deepu105 @oktaDev Prerequisite - Istio Install Istio : $ cd

   ~/ $ export ISTIO_VERSION=1.15.1 $ curl -L https://istio.io/downloadIstio | sh - $ cd istio-$ISTIO_VERSION $ export PATH=$PWD/bin:$PATH

10. @deepu105 @oktaDev Prerequisite - Istio Install Istio in GKE cluster

    : $ istioctl install --set profile=demo -y Get Ingress Gateway External IP: $ kubectl get svc istio-ingressgateway -n istio-system Note: The ingress IP is required later while deploying our apps

11. @deepu105 @oktaDev Prerequisite - Addons Install Istio Addons in GKE

    cluster : $ cd istio-$ISTIO_VERSION $ kubectl apply -f samples/addons/grafana.yaml $ kubectl apply -f samples/addons/prometheus.yaml $ kubectl apply -f samples/addons/kiali.yaml $ kubectl apply -f samples/addons/extras/zipkin.yaml

12. @deepu105 @oktaDev Istio pods

13. @deepu105 @oktaDev Bootstrap a demo application with JHipster

14. @deepu105 @oktaDev JHipster in the wild Most popular Rapid Application

    Development platform for Java web applications and microservices ▪ 20k+ stars, 40k projects and 600+ contributors on GitHub ▪ 2M+ installations & 20k+ app generations per month ▪ 300k+ overall users ▪ 300+ companies using JHipster ▪ 150+ plugins

15. @deepu105 @oktaDev What can you actually do with JHipster? ▪

    Generate simple monolith web applications ▪ Generate complete microservice architectures ▪ Generate domain model (entities) ▪ Generate CI/CD pipelines ▪ Deploy to the cloud or containers ▪ And lot more

16. @deepu105 @oktaDev Code quality & developer experience ▪ Developer experience

    oriented ▪ Production grade code quality (Look at our sonar scores) − ▪ Best practices on any combinations selected ▪ Fully working CRUD apps out of the box ▪ Production grade security ▪ You would only have to do business logic code and UX design

17. @deepu105 @oktaDev Let’s build

18. @deepu105 @oktaDev Microservice with Istio on Kubernetes

19. @deepu105 @oktaDev Install JHipster $ npm install -g generator-jhipster $

    jhipster download microservice-ecommerce-store-istio-deployment.jdl or $ git clone https://github.com/oktadev/okta-java-spring-k8s-istio-microservices-example.git Note: I’m using JHipster version v7.9.3

20. @deepu105 @oktaDev JDL JHipster Domain Language JDL : http://bit.ly/istio-jdl Reference

    : https://www.jhipster.tech/jdl/ Studio : https://start.jhipster.tech/jdl-studio/ Samples : https://github.com/jhipster/jdl-samples

21. @deepu105 @oktaDev JDL Application

22. @deepu105 @oktaDev JDL Entity & Relationship

23. @deepu105 @oktaDev JDL Deployment for Kubernetes with Istio

24. @deepu105 @oktaDev JHipster magic $ jhipster jdl jhipster-istio.jdl --fork

25. @deepu105 @oktaDev Build & Push images $ ./gradlew bootJar -Pprod

    jib -Djib.to.image=deepu105/store $ ./gradlew bootJar -Pprod jib -Djib.to.image=deepu105/invoice $ ./gradlew bootJar -Pprod jib -Djib.to.image=deepu105/product $ ./gradlew bootJar -Pprod jib -Djib.to.image=deepu105/notification

26. @deepu105 @oktaDev Istio sidecar injection

27. @deepu105 @oktaDev Manual sidecar injection Command: $ istioctl kube-inject -f

    kubernetes/my-deployment.yaml Result: spec: containers: - image: deepu105/my-app:1.0 ... - image: docker.io/istio/proxyv2:1.15.1 name: istio-proxy ... initContainers: ... - image: docker.io/istio/proxyv2:1.15.1 name: istio-init ...

28. @deepu105 @oktaDev Automatic sidecar injection Command: $ kubectl label namespace

    <namespace> istio-injection=enabled --overwrite=true # To verify $ kubectl get namespace -L istio-injection

29. @deepu105 @oktaDev Istio Traffic Management

30. @deepu105 @oktaDev Istio Virtual Services apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata:

    name: store-virtualservice namespace: jhipster spec: hosts: - store http: - route: - destination: host: store subset: "v1" weight: 100 retries: attempts: 3 perTryTimeout: 2s

31. @deepu105 @oktaDev Istio Destination Rules apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata:

    name: store-destinationrule spec: host: store trafficPolicy: loadBalancer: simple: RANDOM connectionPool: tcp: maxConnections: 30 connectTimeout: 100ms http: maxRetries: 5 outlierDetection: consecutive5xxErrors: 5 interval: 30s baseEjectionTime: 60s subsets: - name: v1 labels: version: "v1"

32. @deepu105 @oktaDev Istio Gateways apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: name:

    store-gateway labels: gateway: store-gateway spec: selector: istio: ingressgateway servers: - port: number: 80 name: http protocol: HTTP hosts: - store.jhipster.35.240.66.252.nip.io - port: number: 80 name: http2 protocol: HTTP2 hosts: - store.jhipster.35.240.66.252.nip.io

33. @deepu105 @oktaDev Istio Service Entries apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata:

    name: svc-entry spec: hosts: - ext-svc.example.com ports: - number: 443 name: https protocol: HTTPS location: MESH_EXTERNAL resolution: DNS

34. @deepu105 @oktaDev Istio Sidecars apiVersion: networking.istio.io/v1alpha3 kind: Sidecar metadata: name:

    default namespace: bookinfo spec: egress: - hosts: - "./*" - "istio-system/*"

35. @deepu105 @oktaDev Break (30 mins)

36. @deepu105 @oktaDev Code walkthrough

37. @deepu105 @oktaDev Lets deploy

38. @deepu105 @oktaDev Deploy to GKE $ cd kubernetes $ ./kubectl-apply.sh

    -f $ watch kubectl get pods -n jhipster // or use KDash 😉

39. @deepu105 @oktaDev Gateway

40. @deepu105 @oktaDev Telemetry

41. @deepu105 @oktaDev Grafana dashboard

42. @deepu105 @oktaDev Prometheus

43. @deepu105 @oktaDev Zipkin tracing

44. @deepu105 @oktaDev Kiali

45. @deepu105 @oktaDev Request Routing and Canary Testing

46. @deepu105 @oktaDev Traffic shift apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name:

    store-destinationrule namespace: jhipster spec: host: store trafficPolicy: ... subsets: - name: v1 labels: version: "v1" - name: v2 labels: version: "v2" apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: store-gw-virtualservice .. spec: hosts: - store.jhipster.35.240.66.252.nip.io gateways: - store-gateway http: .. - route: - destination: host: store subset: "v1" weight: 50 - destination: host: store subset: "v2" weight: 50

47. @deepu105 @oktaDev Routing apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: store-gw-virtualservice

    .. http: .. - match: - uri: prefix: / headers: user-agent: regex: ".*Chrome.*" route: - destination: host: store subset: "v2" - match: - uri: prefix: / route: - destination: host: store subset: "v1"

48. @deepu105 @oktaDev Fault Injection and Circuit Breaking

49. @deepu105 @oktaDev Fault Injection apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name:

    store-gw-virtualservice .. spec: hosts: - store.jhipster.35.240.66.252.nip.io gateways: - store-gateway http: - match: - uri: prefix: / route: - destination: host: store subset: "v1" fault: delay: percent: 100 fixedDelay: 10s apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: store-gw-virtualservice .. spec: hosts: - store.jhipster.35.240.66.252.nip.io gateways: - store-gateway http: - match: - uri: prefix: / route: - destination: host: store subset: "v1" fault: abort: percent: 100 httpStatus: 503

50. @deepu105 @oktaDev Circuit Breaking apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name:

    store-destinationrule spec: host: store trafficPolicy: loadBalancer: simple: RANDOM connectionPool: tcp: maxConnections: 30 connectTimeout: 100ms http: http1MaxPendingRequests: 10 http2MaxRequests: 100 maxRequestsPerConnection: 10 maxRetries: 5 outlierDetection: consecutive5xxErrors: 5 interval: 30s baseEjectionTime: 60s apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: store-virtualservice namespace: jhipster spec: hosts: - store http: - route: - destination: host: store subset: "v1" weight: 100 retries: attempts: 3 perTryTimeout: 2s

51. @deepu105 @oktaDev Security

52. @deepu105 @oktaDev Security components • A Certificate Authority (CA) for

    key and certificate management • The configuration API server distributes to the proxies: ◦ authentication policies ◦ authorization policies ◦ secure naming information • Sidecar and perimeter proxies work as Policy Enforcement Points (PEPs) to secure communication between clients and servers. • A set of Envoy proxy extensions to manage telemetry and auditing

53. @deepu105 @oktaDev Security architecture

54. @deepu105 @oktaDev Authentication • Peer authentication: used for service-to-service authentication

    to verify the client making the connection. Istio offers mutual TLS as a full stack solution for transport authentication. • Request authentication: Used for end-user authentication to verify the credential attached to the request. Enabled using JWT validation, a custom authentication provider or any OpenID Connect providers, for example: ◦ Keycloak ◦ Okta ◦ Auth0 ◦ Firebase Auth ◦ Google Auth

55. @deepu105 @oktaDev Oauth 2 and OIDC https://napo.io/posts/istio-oidc-authn--authz-with-oauth2-proxy/

56. @deepu105 @oktaDev oauth2-proxy with Istio From https://napo.io/posts/istio-oidc-authn--authz-with-oauth2-proxy/

57. @deepu105 @oktaDev Extending with WebAssembly

58. @deepu105 @oktaDev Istio extension ecosystem • Istio Ecosystem Wasm Extensions

    • Proxy-Wasm ABI specification • Proxy-Wasm C++ SDK • Proxy-Wasm Rust SDK • Proxy-Wasm AssemblyScript SDK • WebAssembly Hub • WebAssembly Extensions For Network Proxies (video)

59. @deepu105 @oktaDev Delete GKE Cluster $ gcloud container clusters delete

    hello-hipster

60. @deepu105 @oktaDev Is a service mesh worth it? + Kubernetes

    Native microservices + Reduced responsibilities for dev(Service discovery, security, telemetry, etc) + No need to write/maintain any code for some of the complex parts of a microservice architecture. + A/B testing, canary releases, and lot more - Complex to debug and develop locally - Slightly higher resource usage (CPU, Memory) - Higher running costs - Business logic related policies might be trickier

61. @deepu105 @oktaDev Thank You Deepu K Sasidharan @deepu105 | deepu.tech

    https://deepu.tech/tags#java https://developer.auth0.com