
Stretching your application from OpenStack into Public Cloud

Learn how to extend applications across multiple clouds using Istio service mesh for policy, traffic routing rules, and secure service-to-service communication. Explore Istio components, Kubernetes on OpenStack, and Istio multicluster architecture.

mheald


  1. Stretching your application from OpenStack into Public Cloud: Istio service mesh paves the way. John Joyce, Principal Engineer; Tim Swanson, Sr. Tech Lead

  2. Agenda: Introduction of Istio and Service Mesh; Kubernetes on OpenStack; Multicluster Architecture; Deployment Details; Deployment in Action; Mesh Routing Demo; Future Improvements; References; Q&A

  3. Introduction

  4. Extending an Application across Multiple Clouds (diagram: one application whose microservices are split between a Public Cloud and OpenStack, fronted by a single Application Service)

  5. Stretching Istio's Service Mesh Across Multiple Clouds (diagram: a single Istio Service Mesh spanning the Application Service in the Public Cloud and the Application Service in OpenStack; policy and traffic routing rules are set once for the whole mesh)

  6. What is Istio*
     • A uniform way to connect, manage, and secure microservices.
     • Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic.
     • Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault injection.
     • A pluggable policy layer and configuration API supporting access controls, rate limits and quotas.
     • Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress.
     • Secure service-to-service authentication with strong identity assertions between services in a cluster.
     *Directly from https://istio.io/about/intro.html

  7. What is a Service Mesh
     • Infrastructure layer for service-to-service communication
     • A mesh of proxies
     • Proxies injected as sidecars
     • Supports numerous protocols (HTTP 1/2, gRPC, TCP, UDP)
     • Can inspect API transactions at Layer 7 or Layer 3/4
     • Intelligent routing rules can be applied between endpoints
     (diagram: Web UI, Business Logic, Accounts DB and Billing DB, each exposing an API behind its own sidecar proxy; external requests enter through a gateway/ingress proxy. Istio's multicluster enhancement allows cloud boundaries anywhere in this mesh.)

  8. Istio Architecture Source: https://istio.io/docs/concepts/what-is-istio/overview.html

  9. Istio Components:
     • Envoy – a proxy injected in every application Pod (as a sidecar). Envoy is a separate open source project in the CNCF.
     • Pilot – serves as the control plane for the proxies: configures them and provides them their routing rules.
     • Citadel (previously istio-auth) – propagates certificates and keys to all the pods to secure both control plane and app exchanges.
     • Mixer – provides telemetry collection as well as sophisticated receive-side policy checks.

  10. Kubernetes on OpenStack

  11. (diagram: a k8s admin creates a K8s cluster through the OpenStack API)

  12. (diagram: a k8s user uses the K8s cluster; its masters and minions run as OpenStack instances)

  13. Kubernetes OpenStack Cloud Provider
     • Performs OpenStack API operations based on Kubernetes events
     • Main scenario: a K8s Service of type LoadBalancer is created; an OpenStack LBaaS load balancer is created and its endpoints are set up
     • Istio Ingress depends on a Kubernetes LoadBalancer Service

  14. The Istio ingress Service (type LoadBalancer):

      apiVersion: v1
      kind: Service
      metadata:
        name: istio-ingress
        namespace: istio-system
        labels:
          istio: ingress
      spec:
        type: LoadBalancer
        ...
        selector:
          istio: ingress

      (diagram: on "Create Service", the OpenStack cloud provider creates a Load Balancer behind the Neutron Router, allocates the K8s Service VIP, and programs the LB endpoints with the cluster's minions)

  15. (screenshot: the OpenStack instance list showing the LoadBalancer VMs created by Kubernetes' OpenStack Cloud Provider for 2 K8s Services of type "LoadBalancer", alongside the K8s cluster VMs)

  16. Multicloud Topologies With OpenStack (diagram of three options; in each, the OpenStack site is reached over a VPN/CoLo link through Internet Edge infrastructure, Data Center infrastructure and TOR switches):
     • Hardware Based Multicloud Networking: Neutron Router, with the inter-cloud connectivity provided by the hardware edge
     • Virtual Router Based Multicloud Networking: Neutron Router plus a Virtual Router running as a VM
     • VPNaaS Based Multicloud Networking: Neutron Router + VPNaaS (*also provider networks)

  17. Istio Multicluster Architecture

  18. Service and Endpoint Discovery
     • Pilot is configured to watch multiple K8s API servers*
     • A controller is created in Pilot for each cluster, which gathers all service and endpoint data
     (diagram: Istio-Pilot, Istio-Mixer and Istio-Citadel run in the OpenStack cloud; Pilot watches the KubeAPI Server of each K8s cluster; a second Istio-Citadel runs in the other cluster)
     * Configuration via the file-based clusterregistry format

  19. Envoy xDS propagation (diagram): Pilot's Service Registry gathers Services and Endpoints from each Kube API Server and exposes them through Services() and ServiceInstances(); Istio Rules are applied on top. Each Envoy sidecar fronting a Micro Service sends Envoy xDS requests (gRPC or REST-JSON) to Pilot's Discovery service and receives Envoy xDS responses (gRPC or REST-JSON) carrying its configuration.
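The registry side of slides 18 and 19, as an added example that is not part of the presentation or of Istio's own code: two constructed per-cluster registries (standing in for what Pilot's per-cluster controllers learn from each Kube API server) are merged into one aggregate that answers Services() and ServiceInstances(), and a label-based subset lookup shows what a version-routing rule (as in the Mesh Routing Demo) operates on. Cluster names, hostnames, pod IPs and the placement of reviews v1 in GKE and v2/v3 in OpenStack are all made up for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// ServiceInstance is one endpoint of a named service as a Pilot controller
// would learn it from a cluster's Kube API server: pod IP, port, pod labels,
// and which cluster it came from.
type ServiceInstance struct {
	Host    string            // service FQDN
	Addr    string            // pod IP (made up)
	Port    int
	Labels  map[string]string // pod labels, e.g. app/version
	Cluster string            // source cluster, filled in during aggregation
}

// Registry is the per-cluster view gathered by one controller.
type Registry struct {
	Cluster   string
	Instances []ServiceInstance
}

// Aggregate is the single view Pilot serves over xDS: hostnames are the union
// across clusters, and a hostname's endpoints are the union of every cluster's.
type Aggregate struct {
	byHost map[string][]ServiceInstance
}

func NewAggregate(regs ...Registry) *Aggregate {
	a := &Aggregate{byHost: map[string][]ServiceInstance{}}
	for _, r := range regs {
		for _, inst := range r.Instances {
			inst.Cluster = r.Cluster
			a.byHost[inst.Host] = append(a.byHost[inst.Host], inst)
		}
	}
	return a
}

// Services returns the sorted set of hostnames known anywhere in the mesh.
func (a *Aggregate) Services() []string {
	hosts := make([]string, 0, len(a.byHost))
	for h := range a.byHost {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	return hosts
}

// ServiceInstances returns every endpoint for host, regardless of cluster.
func (a *Aggregate) ServiceInstances(host string) []ServiceInstance {
	return a.byHost[host]
}

// Subset returns the endpoints of host whose labels match all of sel; a rule
// such as "route reviews to version v3" resolves to exactly this set.
func (a *Aggregate) Subset(host string, sel map[string]string) []ServiceInstance {
	var out []ServiceInstance
	for _, inst := range a.byHost[host] {
		match := true
		for k, v := range sel {
			if inst.Labels[k] != v {
				match = false
				break
			}
		}
		if match {
			out = append(out, inst)
		}
	}
	return out
}

const reviews = "reviews.default.svc.cluster.local"
const ratings = "ratings.default.svc.cluster.local"

// SampleRegistries is constructed data loosely modelled on the Bookinfo split:
// reviews v1 in GKE, reviews v2/v3 and ratings in OpenStack (an assumption).
func SampleRegistries() []Registry {
	return []Registry{
		{Cluster: "gke", Instances: []ServiceInstance{
			{Host: reviews, Addr: "10.8.0.11", Port: 9080, Labels: map[string]string{"app": "reviews", "version": "v1"}},
		}},
		{Cluster: "openstack", Instances: []ServiceInstance{
			{Host: reviews, Addr: "10.244.1.21", Port: 9080, Labels: map[string]string{"app": "reviews", "version": "v2"}},
			{Host: reviews, Addr: "10.244.1.22", Port: 9080, Labels: map[string]string{"app": "reviews", "version": "v3"}},
			{Host: ratings, Addr: "10.244.2.5", Port: 9080, Labels: map[string]string{"app": "ratings", "version": "v1"}},
		}},
	}
}

func main() {
	agg := NewAggregate(SampleRegistries()...)
	fmt.Println("services:", agg.Services())
	for _, inst := range agg.ServiceInstances(reviews) {
		fmt.Printf("%s -> %s:%d version=%s cluster=%s\n", reviews, inst.Addr, inst.Port, inst.Labels["version"], inst.Cluster)
	}
	fmt.Println("reviews v3 subset:", agg.Subset(reviews, map[string]string{"version": "v3"}))
}
```

The point to notice is that a sidecar in GKE asking for reviews gets endpoints in both clouds: the cloud boundary is invisible at the xDS layer, which is exactly why the environment requirements later insist on pod-to-pod IP reachability between the clusters.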

  20. Creating the Stretched Mesh (diagram): Istio-Pilot and Istio-Mixer run in the OpenStack cloud; every APP Pod in every K8s cluster carries an Envoy proxy sidecar that is configured with the Pilot and Mixer endpoints for xDS (Discovery Services) data and telemetry. Application (microservice) pods can be deployed in any cloud.

  21. Certificate Management with Istio-Citadel (OpenStack and GKE)
     • Common CA root cert
     • Each cluster's Istio-Citadel is provisioned with the common root cert and any intermediate certs required to establish the trust chain
     • The common root cert allows the apps to authenticate each other across cloud boundaries
     • Citadel runs in all clusters
     (diagram: an Istio-Citadel in each cluster delivers certs to the Envoy sidecars of the local Micro Services)
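What the common root buys you, as an added example that is not part of the presentation or of Istio's code: a single root CA, one intermediate per cluster playing the role of that cluster's Citadel, workload certs carrying a SPIFFE URI SAN (the identity form Istio uses), and the chain check a sidecar performs on a peer from the other cloud. It also shows the failure mode: a cert chained to an unrelated root is rejected even though it carries a plausible SPIFFE ID. Names (istio-root, citadel-gke, other-root) are made up, the CA is a toy, and Istio's real certificate plumbing is not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

var serial int64 // toy serial counter; a real CA uses large random serials

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// template builds a minimal CA or end-entity certificate template.
func template(cn string, isCA bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl for pub with the parent's key; self-signed when parent == tmpl.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// Citadel models one cluster's CA: an intermediate chained to the shared root
// that issues workload certs whose SAN is the workload's SPIFFE identity.
type Citadel struct {
	CA  *x509.Certificate
	key *ecdsa.PrivateKey
}

func NewCitadel(cluster string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) *Citadel {
	k := newKey()
	return &Citadel{CA: issue(template("citadel-"+cluster, true), root, &k.PublicKey, rootKey), key: k}
}

func (c *Citadel) WorkloadCert(ns, sa string) *x509.Certificate {
	t := template(sa, false)
	t.URIs = []*url.URL{{Scheme: "spiffe", Host: "cluster.local", Path: "/ns/" + ns + "/sa/" + sa}}
	return issue(t, c.CA, &newKey().PublicKey, c.key)
}

// Verify is the check a sidecar performs on a peer's mTLS certificate: chain the
// leaf to the trusted root through the intermediates the peer presented, then
// read the peer's identity from the URI SAN.
func Verify(leaf *x509.Certificate, presented []*x509.Certificate, root *x509.Certificate) (string, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	return leaf.URIs[0].String(), nil
}

// Demo: one root shared by the GKE Citadel, plus a Citadel under an unrelated root.
// Returns the identity the OpenStack side recovers for a GKE caller, the error of
// that check (nil), and the error for the unrelated-root cert (non-nil).
func Demo() (gkeCallerID string, crossCloudErr, foreignErr error) {
	rootKey, rootTmpl := newKey(), template("istio-root", true)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	gke := NewCitadel("gke", root, rootKey)
	// The reviews sidecar in OpenStack trusts only root; productpage in GKE presents
	// its leaf plus GKE's intermediate, and the chain closes at the common root.
	gkeCallerID, crossCloudErr = Verify(gke.WorkloadCert("default", "productpage"), []*x509.Certificate{gke.CA}, root)

	otherKey, otherTmpl := newKey(), template("other-root", true)
	other := issue(otherTmpl, otherTmpl, &otherKey.PublicKey, otherKey)
	rogue := NewCitadel("rogue", other, otherKey)
	_, foreignErr = Verify(rogue.WorkloadCert("default", "productpage"), []*x509.Certificate{rogue.CA}, root)
	return
}

func main() {
	id, errA, errB := Demo()
	fmt.Println("cross-cloud peer:", id, "err:", errA)
	fmt.Println("unrelated root:", errB)
}
```

The practical check this implies for a stretched mesh: every cluster's Citadel must present the same root (and its own intermediate) to the sidecars, and a workload whose chain ends anywhere else is not a mesh member no matter what name it claims.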

  22. Deployment Details

  23. Environment Requirements
     • Must have IP reachability between the clusters
       • For Istio control plane interactions between Pilot, Mixer, Citadel and the Envoy sidecars
       • For application pods to reach each other
     • The solution doesn't dictate a particular approach to achieving this reachability, but with current capabilities a VPN would generally be needed
     • The application relies on Kube-DNS to resolve service names, so special attention is needed during app deployment:
       • Use of headless or selectorless services is typically required
       • Resolution could instead be delegated to a special-purpose DNS server
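One way to satisfy the Kube-DNS requirement above, as an added illustration that is not from the slides: a selectorless Service in the cluster that does not host the pods. Kube-DNS still resolves the name to a ClusterIP, and because there is no selector Kubernetes creates no Endpoints for it, so nothing local competes with the endpoints Pilot learned from the other cluster. The service name and port follow the Bookinfo sample; that the sidecar routes the ClusterIP using Pilot's endpoints is the design the slides describe, not something this manifest enforces by itself.

```yaml
# Deployed in the cluster that does NOT run the reviews pods.
apiVersion: v1
kind: Service
metadata:
  name: reviews
  namespace: default
  labels:
    app: reviews
spec:
  ports:
  - name: http
    port: 9080
    targetPort: 9080
  # no selector on purpose: this Service exists only so that
  # reviews.default.svc.cluster.local resolves locally
```

After applying it, `kubectl get endpoints reviews` in that cluster legitimately shows none; the endpoints live in Pilot's registry, not in this cluster's API server. A headless Service (`clusterIP: None`) is the alternative the slide mentions and needs Endpoints maintained out of band, which is where the special-purpose DNS server comes in.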

  24. Istio Control Plane Deployment (diagram): Istio-Pilot, Istio-Citadel, Istio-Mixer and Istio-ingress in the OpenStack cloud; a second Istio-Citadel in the other cluster. The Istio control plane pods are set up in only one cluster; Citadel is the exception and also runs in the remote cluster.

  25. Bookinfo Application Microservice Architecture (diagram): reviews V1 = no stars, V2 = black stars, V3 = red stars; pods are split between GKE and OpenStack

  26. Bookinfo Application Flow (diagram): the End User requests the Product page; Productpage gets Details, and gets Reviews from Reviews V1, V2 or V3, which in turn get Ratings; the response to the user combines productpage, reviews, ratings and details. The pods serving these calls are split between GKE and OpenStack.

  27. Deployment in action

  28. Mesh Routing Demo

  29. Future Improvements

  30. Future Improvements:
     • Usability improvements
     • Increased test coverage
     • Solutions that don't require a VPN between the clouds
     • Solutions to address service naming and DNS integration
     • Scale and performance improvements

  31. Q & A

  32. References:
     • Initial PR to enable Multicluster: https://github.com/istio/istio/pull/2880
     • Installation documentation: https://github.com/istio/istio.github.io/pull/1139
     • Multicloud Design Document: https://tinyurl.com/y7scozvb
     • Zero VPN design document: https://tinyurl.com/zerovpn
     • Bring Your Own Service Name design document: https://tinyurl.com/svc-name
     • Get involved: Istio environments working group, istio-environments@googlegroups.com
