Azure Kubernetes Service and Istio Service-Mesh integration

Introduction:-

In last few month I got an opportunity to work with Micro service orchestration platform and I found that Open-Source community is continuously enhancing the managing and deployment of micro services with various mechanism. Service-Mesh is one of the architecture which makes the whole application management, deployment ,upgrade more flexible.So In this document I like to provide my experience on implementing Istio in production on Microsoft Azure Kubernetes environment.

Scope:-

The scope of this document is to provide an introduction to Istio , Istio Architecture and advantages of Istio in while managing the application life-cycle. I will also try to explain the one of common scenario as an use case which depicts the feature of Istio over application life cycle for upgrade without downtime .

Service Mesh:-

A service mesh is a configurable infrastructure layer for a micro-services application. Istio, backed by Google, IBM, and Lyft, is currently the best‑known service mesh architecture. Kubernetes, which was originally designed by Google, is currently the only container orchestration framework supported by Istio.

Architecture of Istio:-

Istio Architecture & Canary Deployment Scenario

Istio architecture can be splitted into two main components

Control plane:-

The control plane manages and configures the proxies to route traffic.

Data plain:-

The data plane is composed of a set of intelligent proxies (Envoy )deployed as sidecars. These proxies mediate and control all network communication between micro-services. They also collect and report telemetry on all mesh traffic.

Envoy:-

Envoy is a high-performance proxy developed in C++ to mediate all inbound and outbound traffic for all services in the service mesh. Envoy proxies are the only Istio components that interact with data plane traffic. Envoy proxies are deployed as sidecars to services, logically augmenting the services with Envoy’s many built-in features.

So when Istio is implemented in kubernetes environment one can observe that an extra container is added to the pod which is basically named istio proxy (envoy) , which servers the request based on implemented policy.Following are the built-in features comes with Envoy.

· Dynamic service discovery

· Load balancing

· TLS termination

· HTTP/2 and gRPC proxies

· Circuit breakers

· Health checks

· Staged rollouts with %-based traffic split

· Fault injection

· Rich metrics

This sidecar deployment allows Istio to enforce policy decisions and extract rich telemetry which can be sent to monitoring systems to provide information about the behavior of the entire mesh.

Istiod:-

Istiod provides service discovery, configuration and certificate management.

Istiod converts high level routing rules that control traffic behavior into Envoy-specific configurations, and propagates them to the sidecars at runtime. Pilot abstracts platform-specific service discovery mechanisms and synthesizes them into a standard format that any sidecar conforming with the Envoy API can consume.

Installation:-

The following procedure need to be following while implementing Istio. In my deployment I used Istio version 1.6 .First of all you need to login to the AKS cluster to perform the the installation.

In AKS environment you need to perform the following commands

(i)az account set — subscription subsid

(ii) az aks get-credentials — resource-group RG-Name — name AKS-ClusterName

Istio can be download from github (https://github.com/istio/istio/releases) in the bastion host. There is basic configure which required for Istio initial configuration to initialize istio control-plain.

To configure dashboard basic authentication parameter need to configure. Once this

Once this is done ,istioctl cli can be used to install Istio platform

$ ./istioctl manifest apply -f istio.aks.yaml — set installPackagePath=”/opt/infraapp/istio-1.6.10/manifests”

? Istio core installed

? Istiod installed

? Ingress gateways installed

? Addons installed

? Installation complete

Once the installation complete , Istio Ingress gateway service can be checked by the below command .So from now on wards this Ingress gateway will be used to have the feature of Istio instead on AKS default Ingress gateway.

All the System services related to Istio can be found by the below command

All the System POD related to Istio can be found by the below command

Various dashboard that build in comes with Istio can be accessed by

Application deployment on Istio Enabled Kubernetes:-

To deploy an app in kubernetes environment it is recommended to maintain separate namespaces .

To make the container controlled by Istio we have level that , so that sidecar /proxy container/Envoy will be automatically added as a container to the application container

Application deployment template

Once the application is deployed the red marked line can provides that now there is another container injected automatically with the application container ,which is basically the Istio proxy, the details shown below

Canary deployment scenario:-

In this scenario I going to show how seamlessly I can upgrade an application hosted in kubernetes from version 1 to version 2 and same way I can introduce the traffic shaping by providing the weight 50% between v1 and v2 , so that our new version can be tested as well by end-users hit,

So in case of successfully testing we can put the weight to 100% to new application version and remove the old version . In case of unsuccessful testing criteria we can roll back immediately to older vesion

Gateway traffic shaping rules :-

The traffic shaping rules can be deployed by

$kubectl apply -f Application_deployment_V2_V1_traffic_shaping.yml, please note that before applying the rules we need to deploy the two version of application image given as below.

Application deployment V2:-

Below template can be deployed by

$kubectl apply -f Application_deployment_V2.yml

Application deployment V1:-

$kubectl apply -f Application_deployment_V1.yml

Now If I browser the application it can be seen that traffic are shaped on between two version in in Kiali console

Conclusion:-

The kubernetes and Istio (Service Mesh )is a tight combo , bleeding age way to manage application life cycle ,provides various features like this without baring any extra cost and the rapid speed for the application deployment, upgrade by adding more features to the application without any major downtime ,ultimately enhance the business to achieve goal.Istio can be integrated with any managed (AKS,EKS,GKE) and unmanaged kubernetes environment.

13 + years of experience on system integratiin on Linux and 4 years in cloud/devops & ansible LinkedIn:-https://www.linkedin.com/in/indranil-banerjee-894a5016