Day22 Istio

由於 Open-Match 在 service 与 service 之间，是建议使用 gRPC 进行连线的，但在 kubernetes pods 上使用 gRPC 时，并没有办法自动地进行负载平衡，建立好的连线无法在各个 pods 之前切换，这时我们可以利用 Istio service mesh，来帮助我们达成目标，特别是当我们的 MMF, Director & Frontend，需要能有负载平衡的与核心沟通时。今天让我们简单的看一下 Istio 的概观，与最最基本的使用方法，想有更多了解可以参考这篇 浅谈 Istio。

What is Istio

Istio is an open source service mesh that layers transparently onto existing distributed applications.

Istio 是因应微服务後，产生的网路层沟通问题，而发展出的 service mesh 架构，会在服务与服务之间进行 proxy，并且有助於服务发现与降低服务依赖。以下为 Istio 所提供的主要特性：

• 自动在 HTTP, gRPC, WebSocket, 与 TCP 连线时进行 load balance
• 可弹性地调整连线的 routing rules, re-try 次数限制, 呼叫频率限制, 错误转导等
• 提供像是快速插拔的设定 API，完成配置的热更新
• 完整追踪 cluster 的资讯流动，并提供 metrics logs 用於状况查询与分析
• 自动提供 service-to-service 安全凭证沟通方式

Download Istio cli tool

官方有提供快速安装工具 istioctl，以工具安装的话，可以省去针对 istio 设定的问题，里面有一些预设好的参数，方便初学者与轻度使用者使用。

~ curl -L https://istio.io/downloadIstio | sh - /
cd istio-1.11.3 /
export PATH=$PWD/bin:$PATH

确认工具有加到 PATH

~ istioctl -h

Istio configuration command line utility for service operators to
debug and diagnose their Istio mesh.

Usage:
  istioctl [command]

Available Commands:
  admin          Manage control plane (istiod) configuration
  analyze        Analyze Istio configuration and print validation messages
  authz          (authz is experimental. Use `istioctl experimental authz`)
  bug-report     Cluster information and log capture support tool.
  completion     generate the autocompletion script for the specified shell
  dashboard      Access to Istio web UIs
  experimental   Experimental commands that may be modified or deprecated
  help           Help about any command
  install        Applies an Istio manifest, installing or reconfiguring Istio on a cluster.
  kube-inject    Inject Istio sidecar into Kubernetes pod resources
  manifest       Commands related to Istio manifests
  operator       Commands related to Istio operator controller.
  profile        Commands related to Istio configuration profiles
  proxy-config   Retrieve information about proxy configuration from Envoy [kube only]
  proxy-status   Retrieves the synchronization status of each Envoy in the mesh [kube only]
  tag            Command group used to interact with revision tags
  upgrade        Upgrade Istio control plane in-place
  validate       Validate Istio policy and rules files
  verify-install Verifies Istio Installation Status
  version        Prints out build version information

Install

~ istioctl install --set profile=demo

This will install the Istio 1.11.3 demo profile with ["Istio core" "Istiod" "Ingress gateways" "Egress gateways"] components into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete

Label

针对 namespace 启用 istio-injection

~ kubectl label namespace default istio-injection=enabled

namespace/default labeled

Test deploy

部署个 redis

~ helm repo add bitnami https://charts.bitnami.com/bitnami /
helm install helm-redis bitnami/redis

NAME: helm-redis
LAST DEPLOYED: Sat Sep 25 23:20:41 2021
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None

check injection

~ kubectl get pods

NAME                    READY   STATUS    RESTARTS   AGE
helm-redis-master-0     2/2     Running   0          3m6s
helm-redis-replicas-0   2/2     Running   0          3m6s
helm-redis-replicas-1   2/2     Running   0          2m30s
helm-redis-replicas-2   2/2     Running   0          2m5s

istio-proxy

~ kubectl get pods helm-redis-master-0 -o jsonpath='{.spec.containers[*].name}'

redis istio-proxy

可以看到在我们完成部署後，原先 Pods 内的 containers 从 1/1 变成 2/2，这个多出来的 container 便是 Istio proxy container，负责跟 Istio Control Plane 进行沟通，完成服务发现、health check、 load balance 等工作。