Istio: Using nginMesh as the service proxy

Lee Calcote
February 01, 2018

With microservices and containers becoming mainstream, container orchestrators provide much of what the cluster (nodes and containers) needs. With container orchestrators' core focus on scheduling, discovery, and health at an infrastructure level, microservices are left with unmet, service-level needs, such as:

- Traffic management, routing, and resilient and secure communication between services
- Policy enforcement, rate-limiting, circuit breaking
- Visibility and monitoring with metrics, logs, and traces
- Load balancing and rollout/canary deployment support

Service meshes provide for these needs. In this session, we will dive into Istio: its components, capabilities, and extensibility. Istio envelops and integrates with other open source projects to deliver a full service mesh. We'll explore these integrations and Istio's extensibility in terms of choice of proxies and adapters, such as nginMesh.

Transcript

  1. Istio: the extensible service mesh, using nginMesh as the service proxy
     February 2018, Lee Calcote, calcotestudios.com/talks
  2. Lee Calcote: clouds, containers, functions, applications and their management
     linkedin.com/in/leecalcote, @lcalcote, gingergeek.com, [email protected], calcotestudios.com/talks, github.com/leecalcote
  3. Benefits
     - The first few services are relatively easy
     - Democratization of language and technology choice
     - Faster delivery, service teams running independently, rolling updates
     Challenges
     - The next 10 or so may introduce pain
     - Language and framework specific libraries
     - Distributed environments, ephemeral infrastructure, out-moded tooling
  4. Which is why... I have a container orchestrator.
  5. Core Capabilities (of a container orchestrator)
     - Cluster Management
     - Host Discovery
     - Host Health Monitoring
     - Scheduling
     - Orchestrator Updates and Host Maintenance
     - Service Discovery
     - Networking and Load-Balancing
     - Stateful services
     - Multi-tenant, multi-region
     Additional Key Capabilities
     - Application Health & Performance Monitoring
     - Application Deployments
     - Application Secrets
  6. What do we need? A Service Mesh
     - Observability: Logging, Metrics, Tracing
     - Traffic Control
     - Resiliency
     - Efficiency
     - Security
     - Policy
  7. What is a Service Mesh?
     - A dedicated layer for managing service-to-service communication
     - A services-first network
     - So, a microservices platform? Obviously... partially. Orchestrators don't bring all that you need and neither do service meshes, but they do get you closer.
     - Missing: application lifecycle management, but not by much
     - Missing: distributed debugging; meshes provide nascent visibility (topology)
  8. Layer 5: where Dev and Ops meet
     - Problem: too much infrastructure code in services
  9. Why use a Service Mesh? To avoid...
     - Bloated service code
     - Duplicating work to make services production-ready: load balancing, auto scaling, rate limiting, traffic routing, ...
     - Inconsistency across services: retry, TLS, failover, deadlines, cancellation, etc., for each language and framework; silo'ed implementations lead to fragmented, non-uniform policy application and difficult debugging
     - Diffusing responsibility of service management
  10. Help with Modernization. Can modernize your IT inventory without:
     - Rewriting your applications
     - Adopting microservices (regular services are fine)
     - Adopting new frameworks
     - Moving to the cloud
     Address the long-tail of IT services. Get there for free.
  11. What is Istio? An open platform to connect, manage, and secure microservices.
     - Observability
     - Resiliency
     - Traffic Control
     - Security
     - Policy Enforcement
     istio.io, github.com/istio, @IstioMesh
  12. Observability is what gets people hooked on service metrics. Goals:
     - Metrics without instrumenting apps
     - Consistent metrics across fleet
     - Trace flow of requests across services
     - Portable across metric backend providers
     You get a metric! You get a metric! Everyone gets a metric!
  13. Traffic Control: control over chaos
     - Traffic splitting
     - L7 tag based routing
     - Traffic steering (content-based): look at the contents of a request and route it to a specific set of instances
     - Ingress and egress routing
     Resiliency
     - Systematic fault injection
     - Timeouts and retries with timeout budget
     - Circuit breakers and health checks
     - Control connection pool size and request load
  14. Istio Architecture
     - Data Plane: touches every packet/request in the system. Responsible for service discovery, health checking, routing, load balancing, authentication, authorization and observability.
     - Control Plane: provides policy and configuration for services in the mesh. Takes a set of isolated stateless sidecar proxies and turns them into a distributed system. Does not touch any packets/requests in the system.
  15. Istio Architecture (diagram)
     - Control Plane, istio-system namespace: Pilot, Auth, Mixer
     - Data Plane, application namespace: Foo Pod (Foo container + proxy sidecar, Service Foo) and Bar Pod (Bar container + proxy sidecar, Service Bar)
     - Pilot to sidecars: discovery & config
     - Auth to sidecars: TLS certs
     - Sidecar to Mixer: policy check (control flow during request processing) and telemetry reports (out-of-band telemetry propagation)
     - Sidecar to sidecar: application traffic
  16. What's Pilot for? The head of the ship.
     - Provides service discovery to sidecars
     - Manages sidecar configuration
     - System of record for the service mesh
     - Provides abstraction from underlying platforms
  17. What's Mixer for? An attribute-processing and routing machine, operator-focused.
     - Point of integration with infrastructure backends
     - Intermediates between Istio and backends, under operator control
     - Enables platform & environment mobility
     - Responsible for policy evaluation and telemetry reporting
     - Provides granular control over operational policies and telemetry
     - Has a rich configuration model; intent-based config abstracts most infrastructure concerns
     Three functions: 1. Precondition checking, 2. Quota management, 3. Telemetry reporting
  18. What's Auth for? Security at scale, security by default.
     - Verifiable identity
     - Issues certs; certs distributed to service proxies, mounted as a Kubernetes secret
     - Secure naming / addressing
     - Traffic encryption
     - Orchestrates key & certificate generation, deployment, rotation and revocation
  19. Service Proxy Sidecar: the included battery (Data Plane: Pod with proxy sidecar and app container)
     - A C++ based L4/L7 proxy
     - Low memory footprint
     - In production at Lyft
     Capabilities:
     - API driven config updates, no reloads
     - Zone-aware load balancing w/ failover
     - Traffic routing and splitting
     - Health checks, circuit breakers, timeouts, retry budgets, fault injection...
     - HTTP/2 & gRPC
     - Transparent proxying
     - Designed for observability
  20. Mixer Adapters
     - Uses pluggable adapters to extend its functionality
     - Adapters run within the Mixer process
     - Adapters are modules that interface to infrastructure backends (logging, metrics, quotas, etc.)
     - Multi-interface adapters are possible (e.g. AppOptics adapter exposing logs & metrics)
     Sending telemetry to: AppOptics, Papertrail, Prometheus, Grafana, Fluentd, Statsd
  21. Why use another service proxy?
     - Based on your operational expertise and need for a battle-tested proxy.
     - You may be looking for caching, WAF or other functionality available in NGINX Plus.
     - If you're already running Linkerd and want to start adopting Istio control APIs like CheckRequest.
     - Conduit: not currently designed as a general-purpose proxy, but lightweight and focused, with extensibility via gRPC plugin.
  22. nginMesh (https://github.com/nginmesh)
     Currently:
     - Support for rules, policies, mTLS encryption, monitoring & tracing
     - Compatible with Mixer adapters
     - Transparent sidecar injection
     - Compatible with Istio 0.3.0
     Roadmap:
     - Support for gRPC traffic
     - Support for ingress proxy
     - Support for quota checks
     - Expanding the mesh beyond Kubernetes
     See sidecar-related limitations as well as supported traffic management rules in the project repository. Considered beta quality; soliciting feedback and participation from the community.
  23. Istio & nginMesh Architecture (diagram)
     - Control Plane, istio-system namespace: Pilot, Auth, Mixer
     - Data Plane, "istio-proxy" container:
       - Translator agent (Istio to Nginx, in Go): turns route rules into the Nginx config file
       - Nginx: listener (tcp, http), tcp server, http servers, dest module
       - Loadable Mixer module (Nginx to Mixer, in Rust): sends check and report calls to Mixer
     - Flows: control flow during request processing, out-of-band telemetry propagation, application traffic
  24. BookInfo Sample App
     - Product Pod: Product container
     - Details Pod: Details container
     - Ratings Pod: Ratings container
     - Reviews Service in front of Reviews v1, Reviews v2 and Reviews v3 Pods
  25. BookInfo Sample App, meshed
     - Same pods as before (Product, Details, Ratings, Reviews v1/v2/v3), each with an Nginx sidecar
     - Reviews Service in front of the Reviews pods
     - Envoy ingress in front of the application
  26. Demo: running nginMesh
     Deploy Istio and nginMesh:
       $ kubectl apply -f istio-nginmesh-0.4.0-v2.yaml
       $ kubectl apply -f nginmesh-0.4.0-migration/istio/release/install/kubernetes/istio-initializer.yaml
     Confirm the Istio deployment:
       kubectl get ns
       watch kubectl get po,svc -n istio-system
     Deploy the sample app:
       kubectl apply -f nginmesh-0.4.0-migration/istio/release/samples/kubernetes/bookinfo.yaml
     Confirm the sample app:
       watch kubectl get po,svc
       kubectl get svc istio-ingress -n istio-system -o jsonpath='{.spec.ports[0].nodePort}';echo ''
  27. Demo: running nginMesh
     See "reviews" v1, v2 and v3:
       echo "http://$(kubectl get nodes -o template --template='{{range.items}}{{range.status.addresses}}{{if eq .
     Verify nginMesh deployment:
       # From Docker's perspective
       docker ps | grep nginmesh
       # From Kubernetes' perspective
       kubectl get po
       kubectl describe
     Connect to Nginx sidecar:
       # exec into 'istio-proxy'
       kubectl exec -it pod -c istio-proxy /bin/bash
  28. Demo: running nginMesh
     Verify mesh configuration:
       # takes every request/response and sends to Mixer control plane
       load_module /etc/nginx/modules/ngx_http_istio_mixer_module.so;
     See Mixer telemetry:
       # Mixer adapters for telemetry
       docker run --rm istio/fortio load -c 1 -t 10m \
         `echo "http://$(kubectl get nodes -o template --template='{{range.items}}{{range.status.addresses}}{{if eq .type
     Apply traffic routing policy:
       # Deploy new configuration to Nginx
       istioctl create -f route-rule-all-v1.yaml
       istioctl delete -f route-rule-all-v1.yaml
       # A/B testing for a user
       kubectl apply -f route-rule-reviews-test-v2.yaml
       # More for user 'lee'
       kubectl exec -it pod -c istio-proxy /bin/bash
       more /etc/istio/proxy/conf.d/http_0.0.0.0_9080.conf
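An added check for the "Verify nginMesh deployment" step above (not from the talk or the nginMesh project): a pod that the initializer did not inject sits outside the mesh, so it gets no mTLS, no Mixer policy check and no telemetry. The script assumes the sidecar container is named istio-proxy (as in the kubectl exec command on the slide) and uses a constructed kubectl jsonpath listing with hypothetical BookInfo-style pod names.

```shell
#!/bin/sh
# Constructed sample of what this kubectl query prints, one pod per line,
# "pod-name: container container ..." (pod names are hypothetical):
#   kubectl get po -o jsonpath='{range .items[*]}{.metadata.name}{": "}{range .spec.containers[*]}{.name}{" "}{end}{"\n"}{end}'
SAMPLE_PODS='productpage-v1-abc12: productpage istio-proxy
details-v1-def34: details
reviews-v1-ghi56: reviews istio-proxy
reviews-v2-jkl78: reviews istio-proxy
ratings-v1-mno90: ratings'

# Print the names of pods whose container list lacks the istio-proxy sidecar.
find_unmeshed() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        pod=${line%%:*}          # text before the first ':' is the pod name
        containers=${line#*: }   # text after ': ' is the container list
        case " $containers " in
            *" istio-proxy "*) ;;           # sidecar present: pod is in the mesh
            *) printf '%s\n' "$pod" ;;      # sidecar missing: report the pod
        esac
    done
}

# Number of unmeshed pods; anything other than 0 means injection was incomplete.
count_unmeshed() {
    find_unmeshed "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample; replace SAMPLE_PODS with
# live kubectl output to audit a real namespace.
if [ "${1:-}" = "--demo" ]; then
    find_unmeshed "$SAMPLE_PODS"
fi
```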
  29. Thank you. Questions?
     Lee Calcote: clouds, containers, functions, applications and their management
     linkedin.com/in/leecalcote, @lcalcote, gingergeek.com, calcotestudios.com/talks, github.com/leecalcote, [email protected]