Istio: Using nginMesh as the service proxy

With microservices and containers becoming mainstream, container orchestrators provide much of what the cluster (nodes and containers) needs. With container orchestrators' core focus on scheduling, discovery, and health at an infrastructure level, microservices are left with unmet, service-level needs, such as:

- Traffic management, routing, and resilient and secure communication between services
- Policy enforcement, rate-limiting, circuit breaking
- Visibility and monitoring with metrics, logs, and traces
- Load balancing and rollout/canary deployment support

Service meshes provide for these needs. In this session, we will dive into Istio: its components, capabilities, and extensibility. Istio envelops and integrates with other open source projects to deliver a full service mesh. We'll explore these integrations and Istio's extensibility in terms of choice of proxies and adapters, such as nginMesh.


  1. Istio, the extensible service mesh: nginMesh as the service proxy. Lee Calcote, February 2018. calcotestudios.com/talks
  2. Lee Calcote: clouds, containers, functions, applications and their management. linkedin.com/in/leecalcote, @lcalcote, gingergeek.com, lee@calcotestudios.com, calcotestudios.com/talks, github.com/leecalcote
  3. Microservices: the more, the merrier?
  4. Benefits: the first few services are relatively easy. Democratization of language and technology choice; faster delivery, with service teams running independently; rolling updates.
     Challenges: the next 10 or so may introduce pain. Language- and framework-specific libraries; distributed environments, ephemeral infrastructure, outmoded tooling.
  5. Which is why... I have a container orchestrator.
  6. Core capabilities of an orchestrator: cluster management, host discovery, host health monitoring, scheduling, orchestrator updates and host maintenance, service discovery, networking and load balancing, stateful services, multi-tenant and multi-region.
     Additional key capabilities: application health and performance monitoring, application deployments, application secrets.
  7. What do we need? A service mesh: observability (logging, metrics, tracing), traffic control, resiliency, efficiency, security, policy.
  8. What is a service mesh? A dedicated layer for managing service-to-service communication; a services-first network. So, a microservices platform? Partially. Orchestrators don't bring all that you need, and neither do service meshes, but they do get you closer. Missing: application lifecycle management (but not by much) and distributed debugging (meshes provide only nascent visibility, such as topology).
  9. Layer 5: where Dev and Ops meet. Problem: too much infrastructure code in services.
  10. Why use a service mesh? To avoid bloated service code; duplicating work to make services production-ready (load balancing, auto scaling, rate limiting, traffic routing, ...); inconsistency across services (retry, TLS, failover, deadlines, cancellation, etc., re-implemented for each language and framework; siloed implementations lead to fragmented, non-uniform policy application and difficult debugging); and diffusing responsibility for service management.
  11. Help with modernization: you can modernize your IT inventory without rewriting your applications, adopting microservices (regular services are fine), adopting new frameworks, or moving to the cloud. Address the long tail of IT services. Get there for free.
  12. What is Istio? An open platform to connect, manage, and secure microservices: observability, resiliency, traffic control, security, policy enforcement. istio.io, github.com/istio, @IstioMesh
  13. Observability is what gets people hooked on service metrics. Goals: metrics without instrumenting apps; consistent metrics across the fleet; trace the flow of requests across services; portable across metric backend providers. You get a metric! You get a metric! Everyone gets a metric!
  14. Traffic control: control over chaos. Traffic splitting; L7 tag-based routing; content-based traffic steering (look at the contents of a request and route it to a specific set of instances); ingress and egress routing. Resiliency: systematic fault injection; timeouts and retries with a timeout budget; circuit breakers and health checks; control over connection pool size and request load.
  15. Istio architecture (diagram).
  16. Istio architecture. Data plane: touches every packet/request in the system; responsible for service discovery, health checking, routing, load balancing, authentication, authorization and observability. Control plane: provides policy and configuration for services in the mesh; takes a set of isolated, stateless sidecar proxies and turns them into a distributed system; does not touch any packets/requests in the system.
  17. Istio architecture (diagram): the control plane (Pilot, Auth, Mixer) runs in the istio-system namespace; each application pod (Foo, Bar) in the application namespace carries its container plus a proxy sidecar. Pilot pushes discovery and configuration to the sidecars, Auth distributes TLS certificates, the sidecars call Mixer for policy checks during request processing and send telemetry reports out of band, and application traffic flows sidecar to sidecar.
  18. What's Pilot for? The head of the ship: provides service discovery to sidecars, manages sidecar configuration, is the system of record for the service mesh, and provides abstraction from the underlying platforms.
  19. What's Mixer for? An attribute-processing and routing machine, operator-focused: 1. precondition checking, 2. quota management, 3. telemetry reporting. It is the point of integration with infrastructure backends, intermediating between Istio and backends under operator control, which enables platform and environment mobility. It is responsible for policy evaluation and telemetry reporting, provides granular control over operational policies and telemetry, and has a rich, intent-based configuration model that abstracts most infrastructure concerns.
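As an added example (not Mixer's code), here is a small Python model of the three functions listed on the slide: a precondition check that denies a constructed source-to-destination pair, a quota implemented as a token bucket per destination service, and a Report path that aggregates request counts by response code. Attribute names follow Mixer's vocabulary (source.labels, destination.service, response.code); the policy, the quota values and the attribute bags are constructed for the example. The check fails closed when the sidecar omits the attributes the policy needs, which is the behaviour you want from a policy point that sits in the request path.

```python
"""Model of Mixer's Check/Report processing: precondition check, quota, telemetry.

Added illustration, not Istio or nginMesh code. Attribute names follow Mixer's
vocabulary (source.labels, destination.service, response.code); the policy,
quotas and attribute bags below are constructed for the example.
"""
from collections import defaultdict


class TokenBucket:
    """Quota as a token bucket; the caller supplies the clock so refill is testable."""

    def __init__(self, capacity, refill_per_sec, now):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def take(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Mixer:
    def __init__(self, denied_pairs, quotas, clock):
        self.denied_pairs = set(denied_pairs)  # (source app, destination service) blocked by policy
        self.quotas = quotas                   # destination service -> (capacity, refill per second)
        self.clock = clock
        self.buckets = {}
        self.metrics = defaultdict(int)        # (destination service, response code) -> count

    def check(self, attrs):
        """Precondition check, then quota. Returns (allowed, reason); fails closed on missing attributes."""
        dest = attrs.get("destination.service")
        src = attrs.get("source.labels", {}).get("app")
        if dest is None or src is None:
            return False, "missing source or destination attributes"
        if (src, dest) in self.denied_pairs:
            return False, f"{src} -> {dest} denied by policy"
        if dest in self.quotas:
            bucket = self.buckets.get(dest)
            if bucket is None:
                capacity, refill = self.quotas[dest]
                bucket = self.buckets[dest] = TokenBucket(capacity, refill, self.clock())
            if not bucket.take(self.clock()):
                return False, f"quota exhausted for {dest}"
        return True, "ok"

    def report(self, attrs):
        """Telemetry: aggregate request counts by destination and response code."""
        self.metrics[(attrs.get("destination.service"), attrs.get("response.code"))] += 1


def run_scenario():
    """Drive the model with constructed attribute bags; returns (check verdicts, metrics)."""
    now = [0.0]
    mixer = Mixer(
        denied_pairs={("ratings", "details")},  # constructed rule: ratings may not call details
        quotas={"reviews": (2, 1.0)},           # constructed: burst of 2, refilled at 1 request/sec
        clock=lambda: now[0],
    )
    to_reviews = {"source.labels": {"app": "productpage"}, "destination.service": "reviews"}
    verdicts = []
    verdicts.append(mixer.check(to_reviews)[0])  # True: first token
    verdicts.append(mixer.check(to_reviews)[0])  # True: second token
    verdicts.append(mixer.check(to_reviews)[0])  # False: bucket empty
    now[0] = 1.0
    verdicts.append(mixer.check(to_reviews)[0])  # True: one token refilled after a second
    verdicts.append(mixer.check({"source.labels": {"app": "ratings"},
                                 "destination.service": "details"})[0])  # False: denied by policy
    verdicts.append(mixer.check({"destination.service": "details"})[0])  # False: no source, fail closed
    for code in (200, 200, 500):
        mixer.report({"destination.service": "reviews", "response.code": code})
    return verdicts, dict(mixer.metrics)


if __name__ == "__main__":
    print(run_scenario())
```

The real Mixer delegates each of these steps to adapters (a denier, a quota backend, a metrics backend) selected by operator configuration; the model keeps them in-process to show the control flow a sidecar's Check and Report calls go through.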
  20. What's Auth for? Security at scale, security by default: verifiable identity; issues certificates, which are distributed to service proxies (mounted as a Kubernetes secret); secure naming/addressing; traffic encryption. Orchestrates key and certificate generation, deployment, rotation and revocation.
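Istio's workload identities are SPIFFE URIs of the form spiffe://<trust domain>/ns/<namespace>/sa/<service account>, carried in the URI SAN of the certificate Auth issues, and "secure naming" is the client-side check that the identity a server presents is one authorized to run the service it claims to be. As an added example (not Istio or nginMesh code), the Python below parses and validates such an identity and applies a constructed secure-naming table for the BookInfo services. The trust domain cluster.local is Istio's default; the service-account names and the table are assumptions for the example.

```python
"""Validate a peer's Istio identity and enforce secure naming.

Added example, not Istio code. Istio workload identities are SPIFFE URIs,
spiffe://<trust domain>/ns/<namespace>/sa/<service account>, carried as the URI
SAN of the sidecar's certificate. The secure-naming table below is constructed.
"""
import re
from urllib.parse import urlsplit

TRUST_DOMAIN = "cluster.local"  # Istio's default trust domain
# DNS-label syntax; stricter than Kubernetes allows for service-account names (assumption).
_K8S_LABEL = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?")


def parse_spiffe_id(uri, trust_domain=TRUST_DOMAIN):
    """Return (namespace, service_account), or raise ValueError for anything unexpected."""
    parts = urlsplit(uri)
    if parts.scheme != "spiffe":
        raise ValueError("scheme must be spiffe")
    # Compare the raw netloc: this rejects user@host tricks, ports and foreign trust domains alike.
    if parts.netloc != trust_domain:
        raise ValueError("untrusted trust domain")
    if parts.query or parts.fragment:
        raise ValueError("query and fragment are not allowed")
    segments = parts.path.split("/")  # expected: ['', 'ns', <namespace>, 'sa', <service account>]
    if len(segments) != 5 or segments[1] != "ns" or segments[3] != "sa":
        raise ValueError("path must be /ns/<namespace>/sa/<service-account>")
    namespace, service_account = segments[2], segments[4]
    for label in (namespace, service_account):
        if not _K8S_LABEL.fullmatch(label):
            raise ValueError(f"invalid name: {label!r}")
    return namespace, service_account


# Constructed secure-naming table: which (namespace, service account) may serve each service.
SECURE_NAMING = {
    "reviews.default.svc.cluster.local": {("default", "bookinfo-reviews")},
    "ratings.default.svc.cluster.local": {("default", "bookinfo-ratings")},
}


def authorize_peer(service, peer_uri_san, table=SECURE_NAMING):
    """Client-side check: is the certificate identity allowed to run `service`? Malformed IDs fail."""
    try:
        identity = parse_spiffe_id(peer_uri_san)
    except ValueError:
        return False
    return identity in table.get(service, set())


if __name__ == "__main__":
    reviews = "reviews.default.svc.cluster.local"
    for san in ("spiffe://cluster.local/ns/default/sa/bookinfo-reviews",
                "spiffe://cluster.local/ns/default/sa/bookinfo-ratings",
                "spiffe://evil.example/ns/default/sa/bookinfo-reviews",
                "spiffe://cluster.local@evil.example/ns/default/sa/bookinfo-reviews"):
        print(san, "->", authorize_peer(reviews, san))
```

The point of the table is that mTLS alone only proves the peer holds a certificate from the mesh CA; without the secure-naming step, any workload in the mesh (here, the ratings service account) could impersonate reviews. The parser is deliberately strict about shape so that a cert with a surprising SAN is rejected rather than partially matched.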
  21. Service proxy sidecar, the included battery (Envoy): a C++-based L4/L7 proxy with a low memory footprint, in production at Lyft. Capabilities: API-driven config updates with no reloads; zone-aware load balancing with failover; traffic routing and splitting; health checks, circuit breakers, timeouts, retry budgets, fault injection...; HTTP/2 and gRPC; transparent proxying; designed for observability. Data plane: each pod runs the app container alongside the proxy sidecar.
  22. Extensibility of Istio.
  23. Mixer adapters: Istio uses pluggable adapters to extend its functionality. Adapters run within the Mixer process and are modules that interface to infrastructure backends (logging, metrics, quotas, etc.). Multi-interface adapters are possible (e.g. the AppOptics adapter exposing both logs and metrics). Adapters sending telemetry: AppOptics, Papertrail, Prometheus, Grafana, Fluentd, Statsd.
  24. Forms of extension: swapping proxies (Envoy, Linkerd, Nginx, Conduit).
  25. Why use another service proxy? Based on your operational expertise and your need for a battle-tested proxy. You may be looking for caching, WAF or other functionality available in NGINX Plus. If you're already running Linkerd, you may want to start adopting Istio control APIs like CheckRequest. Conduit is not currently designed as a general-purpose proxy, but is lightweight and focused, with extensibility via a gRPC plugin.
  26. nginMesh (https://github.com/nginmesh). Currently: support for rules, policies, mTLS encryption, monitoring and tracing; compatible with Mixer adapters; transparent sidecar injection; compatible with Istio 0.3.0. Roadmap: support for gRPC traffic, for an ingress proxy and for quota checks; expanding the mesh beyond Kubernetes. See the project's documentation for sidecar-related limitations and the supported traffic management rules. Considered beta quality; soliciting feedback and participation from the community.
  27. Istio and nginMesh architecture (diagram). Control plane (istio-system namespace): Pilot, Auth, Mixer. Data plane: the "istio-proxy" container holds an agent (the translator from Istio route rules to Nginx configuration, written in Go) that writes the Nginx config file, and Nginx itself with a loadable Mixer module (Nginx to Mixer, written in Rust) that issues the check and report calls. Nginx is configured with TCP and HTTP listeners, HTTP servers and a destination module; application traffic flows through the HTTP servers, Mixer checks happen in the request path, and telemetry is propagated out of band.
  28. Demo: let's look at Istio's canonical sample app.
  29. BookInfo sample app (diagram): the Product pod (product container) calls the Details pod (details container) and the Reviews service, which fronts Reviews pods v1, v2 and v3; reviews call the Ratings pod (ratings container).
  30. BookInfo sample app with nginMesh (diagram): every pod carries an Nginx sidecar, and ingress is served by Envoy.
  31. Demo, running nginMesh. Deploy Istio and nginMesh:
        $ kubectl apply -f istio-nginmesh-0.4.0-v2.yaml
        $ kubectl apply -f nginmesh-0.4.0-migration/istio/release/install/kubernetes/istio-initializer.yaml
      Confirm the deployment:
        kubectl get ns
        watch kubectl get po,svc -n istio-system
      Deploy the sample app:
        kubectl apply -f nginmesh-0.4.0-migration/istio/release/samples/kubernetes/bookinfo.yaml
      Confirm the sample app:
        watch kubectl get po,svc
        kubectl get svc istio-ingress -n istio-system -o jsonpath='{.spec.ports[0].nodePort}';echo ''
  32. Demo, running nginMesh. Open the app and see "reviews" v1, v2 and v3:
        echo "http://$(kubectl get nodes -o template --template='{{range.items}}{{range.status.addresses}}{{if eq .
      Verify the nginMesh deployment, from Docker's perspective and from Kubernetes' perspective:
        docker ps | grep nginmesh
        kubectl get po
        kubectl describe
      Connect to the Nginx sidecar (exec into 'istio-proxy'):
        kubectl exec -it pod -c istio-proxy /bin/bash
  33. Demo, running nginMesh. Verify the mesh configuration:
        kubectl exec -it pod -c istio-proxy /bin/bash
        more /etc/istio/proxy/conf.d/http_0.0.0.0_9080.conf
      See load_module /etc/nginx/modules/ngx_http_istio_mixer_module.so; (the module takes every request/response and sends it to the Mixer control plane). Apply a traffic routing policy (deploy new configuration to Nginx):
        istioctl create -f route-rule-all-v1.yaml
        istioctl delete -f route-rule-all-v1.yaml
      A/B testing for a user (more for user 'lee'):
        kubectl apply -f route-rule-reviews-test-v2.yaml
      See Mixer telemetry (Mixer adapters for telemetry), generating load with fortio:
        docker run --rm istio/fortio load -c 1 -t 10m `echo "http://$(kubectl get nodes -o template --template='{{range.items}}{{range.status.addresses}}{{if eq .type
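The demo above steers the reviews service between versions with route-rule-all-v1 and route-rule-reviews-test-v2, which is the content-based traffic steering and traffic splitting of slide 14. As an added example (not Pilot's or nginMesh's code), here is a Python model of how a sidecar evaluates Istio v1alpha2 RouteRules: the rules for the destination are ordered by precedence, the first rule whose header match succeeds wins, and weighted routes split traffic. The rules are constructed after the BookInfo samples, with the test user changed to 'lee' as in the demo; the 50/50 ratings split is invented for the example.

```python
"""Evaluate Istio v1alpha2 RouteRules the way a sidecar picks a destination version.

Added example, not Pilot or nginMesh code (in nginMesh the Go agent translates rules
like these into nginx configuration). RULES is constructed after the BookInfo samples
route-rule-all-v1 and route-rule-reviews-test-v2 (user 'lee' as in the demo); the
ratings 50/50 split is invented for the example.
"""
import re


def header_matches(spec, value):
    """One StringMatch: exact, prefix or regex. The regex is searched, so anchor it explicitly."""
    if value is None:
        return False
    if "exact" in spec:
        return value == spec["exact"]
    if "prefix" in spec:
        return value.startswith(spec["prefix"])
    if "regex" in spec:
        return re.search(spec["regex"], value) is not None
    return False


def select_rule(rules, destination, headers):
    """Highest precedence wins; among equal precedence, the first declared rule that matches."""
    headers = {name.lower(): value for name, value in headers.items()}
    candidates = sorted(
        (rule for rule in rules if rule["destination"]["name"] == destination),
        key=lambda rule: -rule.get("precedence", 0),  # stable sort keeps declaration order
    )
    for rule in candidates:
        wanted = rule.get("match", {}).get("request", {}).get("headers", {})
        if all(header_matches(spec, headers.get(name.lower())) for name, spec in wanted.items()):
            return rule
    return None


def pick_version(rule, roll):
    """Weighted split: roll is an integer in [0, 100); a single unweighted route gets all traffic."""
    routes = rule["route"]
    weights = [route.get("weight", 100 if len(routes) == 1 else 0) for route in routes]
    if sum(weights) != 100:
        raise ValueError("route weights must sum to 100")
    accumulated = 0
    for route, weight in zip(routes, weights):
        accumulated += weight
        if roll < accumulated:
            return route["labels"]["version"]
    raise ValueError("roll must be in [0, 100)")


def route(rules, destination, headers, roll=0):
    """Version label the request is sent to; 'any' when no rule applies (default balancing)."""
    rule = select_rule(rules, destination, headers)
    if rule is None:
        return "any"
    return pick_version(rule, roll)


RULES = [
    # route-rule-all-v1: everything for reviews goes to v1
    {"destination": {"name": "reviews"}, "precedence": 1,
     "route": [{"labels": {"version": "v1"}}]},
    # route-rule-reviews-test-v2: only the test user's cookie is steered to v2 (higher precedence)
    {"destination": {"name": "reviews"}, "precedence": 2,
     "match": {"request": {"headers": {"cookie": {"regex": "^(.*?;)?(user=lee)(;.*)?$"}}}},
     "route": [{"labels": {"version": "v2"}}]},
    # constructed canary: ratings split 50/50 between v1 and v2
    {"destination": {"name": "ratings"}, "precedence": 1,
     "route": [{"labels": {"version": "v1"}, "weight": 50},
               {"labels": {"version": "v2"}, "weight": 50}]},
]


if __name__ == "__main__":
    print(route(RULES, "reviews", {"Cookie": "user=lee"}))  # v2
    print(route(RULES, "reviews", {}))                       # v1
    print(route(RULES, "ratings", {}, roll=73))              # v2
```

Two practitioner notes fall out of the model. First, header-based steering is a testing and canary mechanism, not a security boundary: any client can send a user=lee cookie, so a rule like this must never be what keeps a pre-release version away from untrusted traffic. Second, the sample regex is anchored and requires the cookie pair to be followed by ";" or the end of the header, which is why user=lee2 falls through to the v1 rule rather than matching as a prefix.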
  34. Lee Calcote: clouds, containers, functions, applications and their management. Thank you. Questions? linkedin.com/in/leecalcote, @lcalcote, gingergeek.com, calcotestudios.com/talks, github.com/leecalcote, lee@calcotestudios.com