Istio is an open-source service mesh platform used to connect, secure, and manage microservices in a distributed system. It provides features like traffic management, load balancing, observability, and security to enhance the capabilities of microservices.
Today we will walk through a use case demo of the traffic management feature of the Istio service mesh.
Use Case:
We have three microservices: microA, microB and microC. Each of the three exposes a method at the path '/consult' that returns its own information. We need to invoke all three microservices from a single endpoint, selected by URI path. For example:
1. to invoke microA: http://endpoint:80/microA/consult/
this returns:
{
"responseCode": 200,
"responseMsg": "Hello World from microservice A !"
}
2. to invoke microB: http://endpoint:80/microB/consult/
this returns:
{
"responseCode": 200,
"responseMsg": "Hello World from microservice B !"
}
3. to invoke microC: http://endpoint:80/microC/consult/
this returns:
{
"responseCode": 200,
"responseMsg": "Hello World from microservice C !"
}
Solution:
Istio Service Mesh - Traffic Management feature
Code Repo:
Prerequisites:
I am assuming we already have pods created for microservices A, B and C in the namespace demo-istio. These pods are exposed through Kubernetes ClusterIP services, which are also created in the namespace demo-istio.
Steps:
1. Create a folder myIstioDemo and enter the folder once created
mkdir myIstioDemo
cd myIstioDemo
2. Install istioctl in your machine
brew install istioctl
3. Download Istio inside the folder myIstioDemo
curl -L https://istio.io/downloadIstio | sh -
or, to download a specific version of Istio:
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.13.3 sh -
4. Copy config.yml from the istio-config GitHub repository into the bin folder of the downloaded Istio (./myIstioDemo/istio-1.18.0/bin)
5. Run the command to install Istio from config.yml
cd ./myIstioDemo/istio-1.18.0/bin
istioctl install -y -f config.yml
6. [OPTIONAL] If add-ons such as Kiali, Jaeger or Prometheus are needed, they can be installed from their configuration YAML files, which are inside './myIstioDemo/istio-1.18.0/samples/addons'
kubectl apply -f kiali.yaml
kubectl apply -f jaeger.yaml
kubectl apply -f prometheus.yaml
7. [OPTIONAL] Create the namespace. In this case we will create a namespace "demo-istio" in the Kubernetes cluster
kubectl create namespace demo-istio
8. If it is a new Kubernetes cluster, first install the AWS Load Balancer Controller add-on
Depending on the version of Kubernetes, you can change the apiVersion of the manifest (if necessary)
9. Deploy the components from the files located in the istio-config GitHub repository, in the order mentioned below:
kubectl apply -f virtual-service.yml
By defining rules within the VirtualService, you can control how the incoming traffic is distributed among different destination services in your service mesh.
kubectl apply -f internal-tls.yml
By enforcing internal TLS in Istio, organizations can protect their service-to-service communication against eavesdropping, tampering, and unauthorized access. It adds an additional layer of security within the service mesh architecture.
kubectl apply -f internal-gateway.yml
By configuring an Internal Gateway, you can control access to services within the mesh and define rules for traffic routing, load balancing, TLS termination, and other features. Internal Gateways are useful in scenarios where you want to expose services within the service mesh to other services or components running within the same mesh, while keeping the traffic isolated from external networks.
kubectl apply -f ingress.yml
By configuring the Ingress Gateway, you can control how external requests are routed to different services within the service mesh based on criteria such as hostnames, paths, or headers. The Ingress Gateway works in conjunction with VirtualServices to define the desired routing behavior for incoming traffic. It provides a centralized entry point for external access and allows you to implement various traffic management and security features.
10. Inject the necessary sidecars (additional containers) into the pods deployed in the namespace 'demo-istio'
kubectl label namespace demo-istio istio-injection=enabled --overwrite
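Injecting these sidecars automatically makes it easy to manage and control Istio features without having to manually modify pod deployments. Injection happens when a pod is created, so pods that already exist in the namespace receive a sidecar only after they are recreated.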
11. Test with URLs http://endpoint:80/microA/consult/
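The path-based routing from the use case, written as a VirtualService. This is an added example, not the virtual-service.yml from the istio-config repository; the resource name, the Gateway name, the hostname, the service names (micro-a, micro-b, micro-c) and port 8080 are all assumptions, as is the rewrite that strips the /microX prefix so each pod sees its own '/consult' path.

```yaml
# Added example. Every name, host and port here is an assumption.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: micro-routes              # hypothetical name
  namespace: demo-istio
spec:
  hosts:
    - "endpoint.example.com"      # placeholder for "endpoint"; narrower than "*"
  gateways:
    - demo-gateway                # hypothetical Gateway in demo-istio
  http:
    - name: micro-a
      match:
        - uri:
            prefix: /microA/
      rewrite:
        uri: /                    # /microA/consult/ arrives at the pod as /consult/
      route:
        - destination:
            host: micro-a.demo-istio.svc.cluster.local   # assumed ClusterIP service
            port:
              number: 8080        # assumed service port
    - name: micro-b
      match:
        - uri:
            prefix: /microB/
      rewrite:
        uri: /
      route:
        - destination:
            host: micro-b.demo-istio.svc.cluster.local
            port:
              number: 8080
    - name: micro-c
      match:
        - uri:
            prefix: /microC/
      rewrite:
        uri: /
      route:
        - destination:
            host: micro-c.demo-istio.svc.cluster.local
            port:
              number: 8080
    # No catch-all route on purpose: a path matching none of the three
    # prefixes gets a 404 from the gateway and never reaches a workload.
```

Routes are evaluated in order and the first match wins, so a broader prefix placed above a narrower one would shadow it.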