Learn how to extend applications across multiple clouds using Istio service mesh for policy, traffic routing rules, and secure service-to-service communication. Explore Istio components, Kubernetes on OpenStack, and Istio multicluster architecture.
Stretching your application from OpenStack into Public Cloud: Istio service mesh paves the way
John Joyce, Principal Engineer
Tim Swanson, Sr. Tech Lead

Agenda
• Introduction of Istio and Service Mesh
• Kubernetes on OpenStack
• Multicluster Architecture
• Deployment Details
• Deployment in Action
• Mesh Routing Demo
• Future Improvements
• References
• Q&A
Extending an Application across Multiple Clouds
[Diagram: one Application Service composed of several microservices, with some of the microservices running in a Public Cloud and the others in OpenStack]

Stretching Istio’s Service Mesh Across Multiple Clouds
[Diagram: a single Istio Service Mesh spanning the Application Service in the Public Cloud and in OpenStack; policy and traffic routing rules are set once for the whole mesh]
What is Istio*
• A uniform way to connect, manage, and secure microservices.
• Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic.
• Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault injection.
• A pluggable policy layer and configuration API supporting access controls, rate limits and quotas.
• Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress.
• Secure service-to-service authentication with strong identity assertions between services in a cluster.
*Directly from https://istio.io/about/intro.html

What is a Service Mesh
• Infrastructure layer for service-to-service communication
• A mesh of proxies
• Proxies injected as sidecars
• Supports numerous protocols (HTTP 1/2, gRPC, TCP, UDP)
• Can inspect API transactions at Layer 7 or Layer 3/4
• Intelligent routing rules can be applied between endpoints
[Diagram: External Requests enter through a Gateway/Ingress Proxy; each service (Web UI, Business Logic, Accounts DB, Billing DB) sits behind its own Proxy and exposes its API to the mesh through it]
Istio’s Multicluster enhancement allows cloud boundaries anywhere in the above mesh.
Istio Architecture Source: https://istio.io/docs/concepts/what-is-istio/overview.html
Istio Components:
• Envoy – a proxy injected in every application Pod (as a sidecar)
  • Envoy is a separate open source project in the CNCF
• Pilot – Serves as a control plane for the proxies to configure them and provide them their routing rules
• Citadel (previously istio-auth) – Propagates certificates and keys to all the pods to secure both control plane and app exchanges
• Mixer – Provides telemetry collection as well as sophisticated receive-side policy checks.

[Diagram: a k8s Admin calls the Openstack API to create a K8s cluster; a k8s User then uses the K8s cluster (Masters and Minions) that the Openstack API created]
Kubernetes Openstack Cloud Provider
• Performs Openstack API operations based on Kubernetes events
• Main Scenario:
  • A K8s LoadBalancer service is created
  • An Openstack LBaaS load balancer is created and its endpoints are set up

Istio Ingress Depends on Kubernetes LoadBalancer

```yaml
apiVersion: v1
kind: Service
metadata:
  name: istio-ingress
  namespace: istio-system
  labels:
    istio: ingress
spec:
  type: LoadBalancer
  ...
  selector:
    istio: ingress
```

[Diagram: creating the Service (type LoadBalancer) triggers the Openstack Cloud provider, which creates a Load Balancer with a Service VIP behind the Neutron Router and sets up the LB endpoints on the K8s cluster’s Minions; Masters and Minions run as VMs]

LoadBalancers Created for 2 k8s LB Services
[Screenshot: two LoadBalancer VMs created by Kubernetes’ Openstack Cloud Provider, hosting 2 k8s services of type “LoadBalancer”, listed alongside the K8s cluster VMs]
Multicloud Topologies With OpenStack
[Diagram: three OpenStack clouds, each behind Data Center Infra., TOR(s) and Internet Edge Infra., interconnected over VPN/CoLo links. Three variants are shown: Hardware Based Multicloud Networking (Neutron Router behind hardware edge connectivity), Virtual Router Based Multicloud Networking (a Virtual Router VM alongside the Neutron Router), and VPNaaS Based Multicloud Networking (Neutron Router + VPNaaS; provider networks are also an option)]
Service and Endpoint Discovery
• Pilot is configured to watch multiple K8s API servers*
• A controller is created in Pilot for each cluster, which gathers all service & endpoint data
[Diagram: Istio-Pilot, Istio-Mixer and Istio-Citadel run in the OpenStack Cloud; Pilot watches the KubeAPI Server of each of the K8s Clusters; a second Istio-Citadel runs in the remote cluster]
* Configuration via file-based clusterregistry format

Envoy xDS propagation
[Diagram: Pilot builds its Service Registry (Services() and ServiceInstances(), gathered from each Kube API Server: Services and Endpoints) and its Istio Rules; each Envoy sidecar, in front of its Micro Service, sends Envoy xDS Requests (grpc/REST-JSON) to Pilot’s Discovery service and receives Envoy xDS Responses (grpc/REST-JSON) carrying the services, endpoints and rules]

Creating the Stretched Mesh
• Envoy is configured with the Pilot & Mixer endpoints for xDS (Discovery Services)
• APP Pods can be deployed in any cloud
[Diagram: Istio-Pilot and Istio-Mixer in the OpenStack Cloud exchange xDS Data & Telemetry with the Envoy Proxy sidecar of every APP POD (uService Application Pods) across the K8s Clusters]
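The discovery path described above, as an added example that is not code from the deck or from Istio: one Registry per K8s API server exposing Services() and ServiceInstances(), merged by an aggregate into the single view that gets pushed to Envoy, with a label subset filter standing in for a version-based routing rule and with a cluster whose API server is unreachable (e.g. the VPN between the clouds is down) skipped rather than failing the whole push. The type names, the pod IPs and the Bookinfo placement (productpage and reviews v1 in GKE, reviews v2/v3, ratings and details in OpenStack) are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ServiceInstance is one endpoint of a service: the pod address and port plus
// the cluster it runs in. Constructed type for this example, not Pilot's model.
type ServiceInstance struct {
	Hostname string            // Kubernetes service FQDN
	Address  string            // pod IP, which must be routable across the clouds
	Port     int
	Cluster  string            // K8s cluster (cloud) hosting the pod
	Labels   map[string]string // pod labels, e.g. version=v2
}

// Registry is the per-cluster view that Pilot's Kubernetes controller supplies.
type Registry interface {
	Services() ([]string, error)
	ServiceInstances(hostname string) ([]ServiceInstance, error)
}

// memRegistry is a constructed in-memory stand-in for one cluster's API server.
type memRegistry struct {
	cluster   string
	down      bool // simulate the API server being unreachable (VPN outage)
	instances []ServiceInstance
}

func (r *memRegistry) Services() ([]string, error) {
	if r.down {
		return nil, fmt.Errorf("cluster %s: API server unreachable", r.cluster)
	}
	seen := map[string]bool{}
	var out []string
	for _, i := range r.instances {
		if !seen[i.Hostname] {
			seen[i.Hostname] = true
			out = append(out, i.Hostname)
		}
	}
	return out, nil
}

func (r *memRegistry) ServiceInstances(hostname string) ([]ServiceInstance, error) {
	if r.down {
		return nil, fmt.Errorf("cluster %s: API server unreachable", r.cluster)
	}
	var out []ServiceInstance
	for _, i := range r.instances {
		if i.Hostname == hostname {
			out = append(out, i)
		}
	}
	return out, nil
}

// Aggregate merges every cluster registry into the one view handed to Envoy.
type Aggregate struct{ registries []Registry }

// joinErrs reports unreachable clusters without discarding the healthy ones.
func joinErrs(errs []string) error {
	if len(errs) == 0 {
		return nil
	}
	return errors.New(strings.Join(errs, "; "))
}

// Services returns the sorted union of service hostnames across reachable clusters.
func (a *Aggregate) Services() ([]string, error) {
	set, errs := map[string]bool{}, []string{}
	for _, r := range a.registries {
		svcs, err := r.Services()
		if err != nil {
			errs = append(errs, err.Error())
			continue
		}
		for _, s := range svcs {
			set[s] = true
		}
	}
	out := make([]string, 0, len(set))
	for s := range set {
		out = append(out, s)
	}
	sort.Strings(out)
	return out, joinErrs(errs)
}

// Endpoints returns hostname's endpoints from every reachable cluster, kept to
// pods whose labels match subset (nil = all), sorted for stable xDS pushes.
func (a *Aggregate) Endpoints(hostname string, subset map[string]string) ([]ServiceInstance, error) {
	out, errs := []ServiceInstance{}, []string{}
	for _, r := range a.registries {
		inst, err := r.ServiceInstances(hostname)
		if err != nil {
			errs = append(errs, err.Error())
			continue
		}
		for _, i := range inst {
			if matches(i.Labels, subset) {
				out = append(out, i)
			}
		}
	}
	sort.Slice(out, func(x, y int) bool { return out[x].Address < out[y].Address })
	return out, joinErrs(errs)
}

func matches(labels, subset map[string]string) bool {
	for k, v := range subset {
		if labels[k] != v {
			return false
		}
	}
	return true
}

func inst(app, addr, cluster, version string) ServiceInstance {
	return ServiceInstance{Hostname: app + ".default.svc.cluster.local", Address: addr, Port: 9080,
		Cluster: cluster, Labels: map[string]string{"app": app, "version": version}}
}

// BookinfoMesh builds the constructed two-cloud Bookinfo layout for this example.
func BookinfoMesh(openstackDown bool) *Aggregate {
	gke := &memRegistry{cluster: "gke", instances: []ServiceInstance{
		inst("productpage", "10.8.0.11", "gke", "v1"), inst("reviews", "10.8.0.12", "gke", "v1")}}
	openstack := &memRegistry{cluster: "openstack", down: openstackDown, instances: []ServiceInstance{
		inst("reviews", "10.244.1.21", "openstack", "v2"), inst("reviews", "10.244.1.22", "openstack", "v3"),
		inst("ratings", "10.244.1.23", "openstack", "v1"), inst("details", "10.244.1.24", "openstack", "v1")}}
	return &Aggregate{registries: []Registry{gke, openstack}}
}

func main() {
	mesh := BookinfoMesh(false)
	svcs, _ := mesh.Services()
	fmt.Println("services:", svcs)
	v3, _ := mesh.Endpoints("reviews.default.svc.cluster.local", map[string]string{"version": "v3"})
	fmt.Println("reviews v3 endpoints:", v3) // only the OpenStack pod
	eps, err := BookinfoMesh(true).Endpoints("reviews.default.svc.cluster.local", nil)
	fmt.Println("with OpenStack unreachable:", len(eps), "endpoint(s);", err)
}
```

The degraded case is the one to watch in a stretched mesh: when the remote API server is unreachable, the aggregate still serves the local endpoints and surfaces the error, so a cross-cloud link failure shrinks the endpoint set instead of emptying it.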
Certificate Management with Istio-Citadel
• Common CA Root Cert
  • Istio-Citadel provides a common root cert and any intermediate certs required to establish the trust chain.
  • The common root cert allows the apps to authenticate each other across cloud boundaries.
• Run in all clusters
[Diagram: an Istio-citadel in OpenStack and one in GKE each deliver certs to the Envoy sidecars of their Micro Services]
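A worked illustration of this trust model, added here and not code from the deck or from Istio: a Go program that builds one common root, issues a per-cluster intermediate for OpenStack and for GKE, mints SPIFFE-identified workload certs under each, and then checks that a workload in one cloud can be authenticated by a peer in the other cloud holding nothing but the common root, while a chain that is missing its intermediate, a cert chained to a foreign root, or an identity from another trust domain is rejected. The Mesh and ca types, the Bookinfo service-account names and the cert lifetimes are assumptions made for the example; the SPIFFE URI layout (spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>) is the identity form Istio uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// ca pairs a CA certificate with its signing key (constructed helper type).
type ca struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// Mesh models what the slide describes Citadel providing: one root shared by
// every cluster, plus a per-cluster intermediate that issues workload certs.
type Mesh struct {
	TrustDomain string
	Root        ca
	Clusters    map[string]ca // cluster name -> that cluster's intermediate CA
}

// sign creates a fresh P-256 key for tmpl and signs tmpl with parent
// (self-signed when parent is nil).
func sign(tmpl *x509.Certificate, parent *ca) (ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return ca{}, err
	}
	if parent == nil {
		parent = &ca{Cert: tmpl, key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.key)
	if err != nil {
		return ca{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return ca{Cert: cert, key: key}, err
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// NewMesh creates the common root cert for a trust domain.
func NewMesh(trustDomain string) (*Mesh, error) {
	root, err := sign(caTemplate("istio-root "+trustDomain), nil)
	return &Mesh{TrustDomain: trustDomain, Root: root, Clusters: map[string]ca{}}, err
}

// AddCluster issues that cluster's intermediate CA from the common root.
func (m *Mesh) AddCluster(name string) error {
	inter, err := sign(caTemplate("istio-citadel-"+name), &m.Root)
	m.Clusters[name] = inter
	return err
}

// IssueWorkload mints a short-lived cert whose identity is a SPIFFE URI SAN;
// the subject is left empty, as Istio does.
func (m *Mesh) IssueWorkload(cluster, namespace, sa string) (*x509.Certificate, error) {
	inter, ok := m.Clusters[cluster]
	if !ok {
		return nil, fmt.Errorf("unknown cluster %q", cluster)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{{Scheme: "spiffe", Host: m.TrustDomain, Path: "/ns/" + namespace + "/sa/" + sa}},
	}
	leaf, err := sign(tmpl, &inter)
	return leaf.Cert, err
}

// VerifyPeer does what the receiving Envoy does in the mTLS handshake: validate
// the presented chain (leaf plus the peer's cluster intermediate) against the
// common root only, then accept the SPIFFE identity only if it belongs to the
// expected trust domain. Returns the peer's SPIFFE ID.
func VerifyPeer(root *x509.Certificate, trustDomain string, leaf *x509.Certificate, presented ...*x509.Certificate) (string, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" || leaf.URIs[0].Host != trustDomain {
		return "", fmt.Errorf("peer identity %v is not in trust domain %s", leaf.URIs, trustDomain)
	}
	return leaf.URIs[0].String(), nil
}

func main() {
	mesh, _ := NewMesh("cluster.local")
	_, _ = mesh.AddCluster("openstack"), mesh.AddCluster("gke")
	// productpage in GKE presents its chain to details' sidecar in OpenStack,
	// which trusts only the common root.
	pp, _ := mesh.IssueWorkload("gke", "default", "bookinfo-productpage")
	fmt.Println(VerifyPeer(mesh.Root.Cert, "cluster.local", pp, mesh.Clusters["gke"].Cert))
	// A workload from an unrelated mesh with its own root is rejected.
	other, _ := NewMesh("cluster.local")
	_ = other.AddCluster("rogue")
	rogue, _ := other.IssueWorkload("rogue", "default", "bookinfo-productpage")
	fmt.Println(VerifyPeer(mesh.Root.Cert, "cluster.local", rogue, other.Clusters["rogue"].Cert))
}
```

The point of the per-cluster intermediate is operational: each Citadel can issue locally, but the receiving side never needs any cluster-specific material, only the root, so adding a third cloud means issuing one more intermediate rather than redistributing trust to every sidecar.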
Environment Requirements
• Must have IP reachability between the clusters
  • For Istio control plane interactions between Pilot, Mixer, Citadel and the Envoy sidecars
  • For application pods to reach each other
  • The solution doesn’t dictate a certain approach to achieve this reachability, but generally a VPN would be needed based on current capabilities.
• The application relies on Kube-DNS to resolve service names, so special attention is needed during app deployment:
  • Use of headless or selectorless services is typically required
  • Could be delegated to a special-purpose DNS server

Istio Control Plane Deployment
• Istio control plane pods are set up only in one cluster
[Diagram: Istio-Pilot, Istio-Citadel, Istio-Mixer and Istio-ingress run in the OpenStack Cloud; only an Istio-Citadel runs in the other cluster]
Bookinfo Application Microservice Architecture
[Diagram: Bookinfo with Productpage, Details, Reviews (V1 = No stars, V2 = Black stars, V3 = Red stars) and Ratings; some Pods run in GKE and some in OpenStack]

Bookinfo Application Flow
[Diagram: an End User requests the Product page; Productpage gets Details and gets Reviews (served by Reviews V1, V2 or V3), Reviews gets Ratings, and the response to the user combines productpage, reviews, ratings and details. The Pods are split between GKE and OpenStack]
Future Improvements:
• Usability improvements
• Increased test coverage
• Solutions that don’t require a VPN between the clouds
• Solutions to address service naming and DNS integration
• Scale and performance improvements

References:
• Initial PR to enable Multicluster: https://github.com/istio/istio/pull/2880
• Installation documentation: https://github.com/istio/istio.github.io/pull/1139
• Multicloud Design Document: https://tinyurl.com/y7scozvb
• Zero VPN design document: https://tinyurl.com/zerovpn
• Bring Your Own Service Name Design Document: https://tinyurl.com/svc-name
• Get involved: istio environments working group: istio-environments@googlegroups.com