top of page

Istio Service Mesh - Traffic Management Demo

Istio is an open-source service mesh platform used to connect, secure, and manage microservices in a distributed system. It provides features like traffic management, load balancing, observability, and security to enhance the capabilities of microservices.

Today we will do a use case demo for traffic management feature of Istio Service Mesh.


Use Case:

We have three microservices: microA, microB and microC. All the three micros are having methods with path '/consult' to consult respective information. We need to invoke all the three microservices from a single endpoint but based on different URI paths. For example: 1. to invoke microA: http://endpoint:80/microA/consult/ this returns:

{

"responseCode": 200

"responseMsg": "Hello World from microservice A !"

}

2. to invoke microB: http://endpoint:80/microB/consult/

this returns:

{

"responseCode": 200

"responseMsg": "Hello World from microservice B !"

}


3. to invoke microC: http://endpoint:80/microC/consult/

this returns:

{

"responseCode": 200

"responseMsg": "Hello World from microservice C !"

}

Solution:

Istio Service Mesh - Traffic Management feature




Code Repo:


Prerequisites:

I am assuming we already have pods created for microservices A,B and C in the namespace demo-istio. Also these pods are exposed with the ClusterIP service of kubernetes, which are also created in the namespace demo-istio.


Steps:

1. Create a folder myIstioDemo and enter the folder once created

mkdir myIstioDemo cd myIstioDemo


2. Install istioctl in your machine

brew install istioctl


3. Download Istio inside the folder myIstioDemo

curl -L https://istio.io/downloadIstio | sh -

or

curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.13.3 sh - (to download any specific version of Istio)


4. Copy config.yml that is in the istio-config github repository, inside the bin folder of downloaded istio (./myIstioDemo/istio-1.18.0/bin)


5. Execute command to install istio from config.yml

cd ./myIstioDemo/istio-1.18.0/bin

istioctl install -y -f config.yml


6. [OPTIONAL] If add-ons like kiali, jaeger, prometheus is needed it can be installed for their configuration yml that is inside './myIstioDemo/istio-1.18.0/samples/addons'

kubectl apply -f kiali.yaml

kubectl apply -f jaeger.yaml

kubectl apply -f prometheus.yaml


7. [OPTONAL] Create namespace. In this case we will create a namespace "demo-istio" in the kubernetes cluster

kubectl create namespace demo-istio


8. If it is a new kubernetes cluster then we should first install AWS Load Balancer Controller add-on

Depending on the version of kubernetes you can change the apiVersion of the manifest (if necessary)


9. Deploy components of files located in the istio-config github repository in the order mentioned below:


kubectl apply -f virtual-service.yml

By defining rules within the VirtualService, you can control how the incoming traffic is distributed among different destination services in your service mesh.


kubectl apply -f internal-tls.yml

By enforcing internal TLS in Istio, organizations can protect their service-to-service communication against eavesdropping, tampering, and unauthorized access. It adds an additional layer of security within the service mesh architecture.


kubectl apply -f internal-gateway.yml

By configuring an Internal Gateway, you can control access to services within the mesh and define rules for traffic routing, load balancing, TLS termination, and other features. Internal Gateways are useful in scenarios where you want to expose services within the service mesh to other services or components running within the same mesh, while keeping the traffic isolated from external networks.


kubectl apply -f ingress.yml

By configuring the Ingress Gateway, you can control how external requests are routed to different services within the service mesh based on criteria such as hostnames, paths, or headers. The Ingress Gateway works in conjunction with VirtualServices to define the desired routing behavior for incoming traffic. It provides a centralized entry point for external access and allows you to implement various traffic management and security features.


10. Inject necessary sidecars (additional containers) into pods deployed in that namespace 'demo-istio'

kubectl label namespace demo-istio istio-injection=enabled --overwrite

Injecting these sidecars automatically makes it easy to manage and control Istio features without having to manually modify pod deployments.



Reference URLs:

Install istioctl on Windows

Istio configuration for Traffic Management



41 views0 comments

Comments


bottom of page