We are going to learn what a Service Mesh is by exploring a local Kubernetes cluster, its APIs, injecting sidecars and playing with the Istio samples; in other words, we are going to try to answer the questions below:
- Is a Service Mesh a kind of Distributed Application?
- Why is Istio required in a Containerized Platform?
- Why are Deployment Container Patterns (sidecar, ambassador, adapter) important?
- How do we have to implement:
- Monitoring
- Observability
- Security
Tested with:
- Ansible 2.3+
- Minishift v1.11.0+4459917
- Kubernetes 3.7
- istio 0.2.7
- VirtualBox 5.1.30
- macOS High Sierra, version 10.13.2 (17C88)
- Chilcano's Ansible Roles:
- Minishift (https://galaxy.ansible.com/chilcano/minishift)
- Weave Scope (https://galaxy.ansible.com/chilcano/weave-scope)
- Istio (https://galaxy.ansible.com/chilcano/istio)
`sudo` access on your host for installing packages.
Download the sample playbooks from GitHub and create the inventory:
$ git clone https://github.com/chilcano/ansible-minishift-istio-security
$ cd ansible-minishift-istio-security
$ echo $(hostname) > ./inventory
Install Chilcano's Ansible Roles:
$ sudo ansible-galaxy install -r requirements.yml
Where requirements.yml is:
- src: chilcano.minishift
- src: chilcano.istio
- src: chilcano.weave-scope
$ ansible-playbook -i inventory install-minishift.yml -e vm=openshift1 --ask-become-pass
- The Minishift Ansible Role will download and install all components required to get an OpenShift Cluster running in a VM.
- The `-e vm=openshift1` means that `openshift1` is the name of the Minishift instance.
- The Ansible Playbook executed (`install-minishift.yml`) and the Ansible Role used (`chilcano.minishift`) will log in to the recently created OpenShift instance through the `oc` client. Once done, you can log in to the OpenShift Web Console using http://openshift1:8443. It's very important to accept and trust all TLS/SSL certificates in your browser.
$ ansible-playbook -i inventory install-weavescope.yml -e vm=openshift1 --ask-become-pass
- A running OpenShift instance is required, as well as a Kubernetes account with permissions. By default this Ansible Role will use the `system:admin` account.
- The Weave Scope Ansible Role will download and apply the Kubernetes Deployment YAML file to deploy Weave Scope as an app in OpenShift.
- The installation of Weave Scope is not mandatory. It's a good tool to monitor, manage and visualize the OpenShift Cluster, Pods and Containers.
To access Weave Scope from a browser, we have to forward the Weave Scope port to a port on the host.
Weave Scope listens by default on port 4040, so to forward it to host port 4040 use the following command:
$ oc port-forward -n weave-scope "$(oc get -n weave-scope pod --selector=weave-scope-component=app -o jsonpath='{.items..metadata.name}')" 4040:4040
Forwarding from 127.0.0.1:4040 -> 4040
Forwarding from [::1]:4040 -> 4040
Handling connection for 4040
Handling connection for 4040
Handling connection for 4040
Handling connection for 4040
...
To forward to host port 4041, send the logs to a log file and run it in the background, use the following command:
$ oc port-forward -n weave-scope "$(oc get -n weave-scope pod --selector=weave-scope-component=app -o jsonpath='{.items..metadata.name}')" 4041:4040 > openshift-scope.log &
[1] 3087
$ tail -f openshift-scope.log
Forwarding from 127.0.0.1:4041 -> 4040
Forwarding from [::1]:4041 -> 4040
Handling connection for 4041
Handling connection for 4041
Handling connection for 4041
Handling connection for 4041
Handling connection for 4041
...
To stop the `oc port-forward ...` command, kill it:
$ killall oc
Or
$ kill 3087
Once done, open this URL in your browser and you can visualize all Pods, Containers, Controllers, etc. of your OpenShift cluster.
$ ansible-playbook -i inventory install-istio.yml -e vm=openshift1 --ask-become-pass
- The Istio Ansible Role will download and deploy Istio and the Istio addons (Prometheus, Grafana, Zipkin and ServiceGraph) on the OpenShift cluster running locally.
- The Istio Ansible Role will also deploy the BookInfo App in OpenShift and execute `istioctl` to inject sidecars (Envoy Proxy - https://www.envoyproxy.io) into every Pod.
- Once BookInfo is deployed we have to wait a few seconds before using the BookInfo App. To check it, run the following commands:
$ minishift status
Minishift: Running
Profile: openshift1
OpenShift: Running (openshift v3.7.0+7ed6862)
DiskUsage: 29% of 17.9G
$ eval $(minishift oc-env)
$ oc project bookinfo
Now using project "bookinfo" on server "https://192.168.99.101:8443".
$ oc status
In project bookinfo on server https://192.168.99.101:8443
svc/details - 172.30.229.55:9080
pod/details-v1-1464079269-2g4zf runs istio/examples-bookinfo-details-v1:0.2.3, docker.io/istio/proxy_debug:0.2.7
svc/productpage - 172.30.99.163:9080
pod/productpage-v1-3915871613-mc87n runs istio/examples-bookinfo-productpage-v1:0.2.3, docker.io/istio/proxy_debug:0.2.7
svc/ratings - 172.30.96.18:9080
pod/ratings-v1-327106889-p8hz7 runs istio/examples-bookinfo-ratings-v1:0.2.3, docker.io/istio/proxy_debug:0.2.7
svc/reviews - 172.30.179.156:9080
pod/reviews-v3-1994447391-r9mfn runs istio/examples-bookinfo-reviews-v3:0.2.3, docker.io/istio/proxy_debug:0.2.7
pod/reviews-v1-3806695627-6swvd runs istio/examples-bookinfo-reviews-v1:0.2.3, docker.io/istio/proxy_debug:0.2.7
pod/reviews-v2-3096629009-jq6tp runs istio/examples-bookinfo-reviews-v2:0.2.3, docker.io/istio/proxy_debug:0.2.7
View details with 'oc describe <resource>/<name>' or list everything with 'oc get all'.
$ oc get pods
NAME READY STATUS RESTARTS AGE
details-v1-1464079269-n75st 0/2 PodInitializing 0 7m
productpage-v1-3915871613-hl68p 0/2 PodInitializing 0 7m
ratings-v1-327106889-4c6cs 0/2 PodInitializing 0 7m
reviews-v1-3806695627-44qkz 0/2 PodInitializing 0 7m
reviews-v2-3096629009-d7r76 0/2 PodInitializing 0 7m
reviews-v3-1994447391-dd7vs 0/2 PodInitializing 0 7m
- If all Pods have `Running` as status, then you can use the BookInfo App with Istio (Service Mesh). Just open this URL in your browser: http://istio-ingress-istio-system.192.168.99.101.nip.io/productpage, where 192.168.99.101 is the IP address of `openshift1`; change it if required.
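As an added example (not part of the original playbooks), a shell check that treats a BookInfo Pod as usable only when its status is Running and its READY column shows 2/2, i.e. both the application container and the injected Envoy sidecar are up; a Pod at 1/1 is running without the sidecar and its traffic bypasses the mesh. The sample listings are constructed from the page's own `oc get pods` output, and `wait_for_bookinfo` assumes a live `oc` session.

```shell
# Reads `oc get pods` output on stdin; returns 0 only when every pod is
# Running with all containers ready and at least two of them (app + sidecar).
# Live usage:  oc get pods -n bookinfo | all_pods_ready
all_pods_ready() {
  awk 'NR == 1 { next }                          # skip the header line
       {
         split($2, rc, "/")                      # READY column, e.g. 0/2
         if ($3 != "Running" || rc[1] != rc[2] || rc[2] + 0 < 2) {
           printf "not ready: %s (%s, %s)\n", $1, $2, $3
           bad++
         }
       }
       END { exit bad ? 1 : 0 }'
}

# Constructed sample listings, modelled on the page's own output.
PODS_INITIALIZING='NAME READY STATUS RESTARTS AGE
details-v1-1464079269-n75st 0/2 PodInitializing 0 7m
productpage-v1-3915871613-hl68p 0/2 PodInitializing 0 7m'

PODS_RUNNING='NAME READY STATUS RESTARTS AGE
details-v1-1464079269-n75st 2/2 Running 0 9m
productpage-v1-3915871613-hl68p 2/2 Running 0 9m'

# Running, but only one container: the Envoy sidecar was never injected.
PODS_NO_SIDECAR='NAME READY STATUS RESTARTS AGE
details-v1-1464079269-n75st 1/1 Running 0 9m'

# Poll a live cluster (hypothetical helper): retry every 5 s until ready.
wait_for_bookinfo() {
  attempts=${1:-30}
  while [ "$attempts" -gt 0 ]; do
    if oc get pods -n bookinfo | all_pods_ready; then return 0; fi
    attempts=$((attempts - 1)); sleep 5
  done
  return 1
}
```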
Sometimes the OpenShift VM is not running because you have rebooted your computer or stopped the VM from VirtualBox, oVirt, VMware, etc.
In that case, in order to re-install everything you just need to trigger the `$ minishift start` command; to make it easier you can reuse the playbook used to create the OpenShift VM, with the `action_to_trigger` param set to `install` or the external param `do=install` passed from the command line. The default value of `action_to_trigger` is `install`, which is useful if you want to trigger other actions like `install`, `fresh_install` or `clean`.
$ ansible-playbook -i inventory install-minishift.yml -e vm=openshift1 -e do=install --ask-become-pass
If you have cloned the repository https://github.com/chilcano/ansible-minishift-istio-security then you will see these other playbooks:
$ ansible-playbook -i inventory install-minishift-weavescope-istio.yml -e vm=openshift2 --ask-become-pass
$ ansible-playbook -i inventory remove-weavescope-istio.yml -e vm=openshift2 --ask-become-pass
$ ansible-playbook -i inventory remove-minishift.yml -e vm=openshift2 --ask-become-pass
- OpenShift, BookInfo App, Istio and Weave Scope.
- Exploring OpenShift with Weave Scope.
- BookInfo App deployed on OpenShift.
- Tracing with Zipkin.
- Exploring metrics with Grafana.
- Viewing the flows with ServiceGraph.
- Selecting the `istio-system` namespace.
- Selecting the `bookinfo` namespace.
- Exploring in depth the Service Mesh.
- Catch up on the Istio and service mesh excitement from Kubecon 2017! (by Lin Sun)
- Istio Workshop (includes Istio installation for Google Cloud and AWS)
- https://github.com/retroryan/istio-workshop (by Ryan Knight)
- https://github.com/ZackButcher/istio-workshop (by Zack Butcher)
- https://github.com/ipedrazas/istioworkshop-cc (by Ivan Pedrazas)
- Deep Dive Envoy and Istio Workshop (by Christian Posta)
- Istio Traffic Management – Diving Deeper (by Ricardo Lourenco)