KGA-7779 - 2019-05-17T022323 - Istio On Kubernetes

The document discusses Istio on Kubernetes and service meshes. It introduces Istio as a way to connect, manage and secure microservices. Istio provides traffic management, telemetry and policy enforcement for microservices applications running on Kubernetes.

Uploaded by Pardha Saradhi

Istio on Kubernetes: Enter the Service Mesh
[email protected]
@rafabene
Link http://bit.ly/istio-kubernetes

Rafael Benevides
Director of Developer Experience at Red Hat
[email protected]
@rafabene

Java Certifications:
SCJA / SCJP / SCWCD / SCBCD / SCEA
JBoss Certifications:
JBCD / JBCAA
Red Hat Certifications:
OpenShift / Containers / Ansible
Other Certifications:
SAP Netweaver / ITIL / IBM Software Quality
bit.ly/javamicroservicesbook / bit.ly/reactivemicroservicesbook
Free eBooks from developers.redhat.com

Microservices Introductory Materials
Demo: bit.ly/msa-instructions
Slides: bit.ly/microservicesdeepdive
Video Training: bit.ly/microservicesvideo
Kubernetes for Java Developers

Advanced Materials
bit.ly/istio-tutorial / bit.ly/faas-tutorial
learn.openshift.com/servicemesh / learn.openshift.com/serverless
http://bit.ly/istio-kubernetes

bit.ly/mono2microdb

bit.ly/istio-book

https://quarkus.io/
Raffle Rules (applicable in the real)
1. Follow: @rhdevelopers
2. With selfie of the booth
3. With hashtag #REDHATnoTDC

Raffle Rules (applicable in the real)
1. Follow: @rafabene
2. With picture of the session
3. Mention @rafabene
4. With hashtag #VDBUH2019
Your Journey to Awesomeness
- Self-Service, On-Demand, Elastic Infrastructure
- Automation
- CI & CD Deployment Pipeline
- Advanced Deployment Techniques
- Microservices
- Re-Org to DevOps
Monolith
MyApp

Modules

Microservices

Network of Services - Mesh

Microservices own their Data

Multiple Points of Entry

Multiple Pipelines
Microservices Principles
1. Deployment Independence - updates to an individual microservice have no negative impact to any other component of the system. Optimized for Replacement
2. Organized around business capabilities
3. Products not Projects
4. API Focused
5. Smart endpoints and dumb pipes
6. Decentralized Governance
7. Decentralized Data Management
8. Infrastructure Automation (infrastructure as code)
9. Design for failure
10. Evolutionary Design
2 Pizza Team
Old School / New School
Love Thy Mono (figure)
Microservices == Distributed Computing
(figure: Service A, Service B and Service C, each running in its own JVM on its own OS)
Fallacies of Distributed Computing
• The Network is Reliable
• Latency is zero
• Bandwidth is infinite
• Topology does not change
• There is one administrator
• Transport cost is zero
• The network is homogeneous
https://en.wikipedia.org/wiki/Fallacies_of_distributed_computing

Failure of a Service

Cascading Failure
Microservices embedding Capabilities
(figure: Service A, Service B and Service C each run in a JVM inside a Container, and each one embeds its own Discovery, Load-balancer, Resiliency, Metrics and Tracing)
History of Microservices
(timeline figure, 1999-2015; the same figure is repeated on the next four slides)
1999 - Continuous Integration via XP
2001 - Agile Manifesto
2006 - AWS EC2
2009 - Java EE6
2009 - DevOps
Feb 2010 - NETFLIX to AWS
May 2011 - DropWizard
June 2011 - Vert.x
March 2012 - Hystrix
March 2012 - Ribbon
March 2012 - Microservices Assess (Thoughtworks Radar)
July 2012 - Eureka
March 2013 - Docker
Sept 2013 - Spring Boot
March 2014 - Microservices Defined (Thoughtworks, Fowler, Lewis)
June 2014 - Kubernetes

The Cloud is Born

Fat Jars

Netflix goes Open Source

Perfect Storm for Microservices
What's Wrong with Netflix OSS?
Java Only
Adds a lot of libraries to YOUR code
Microservices'ilities
(figure: MyService surrounded by the capabilities it needs - API, Tracing, Discovery, Monitoring, Invocation, Logging, Elasticity, Authentication, Resilience, Pipeline)

Microservices'ilities + Kubernetes
(same MyService figure, for Kubernetes)

Microservices'ilities + OpenShift
(same MyService figure, for OpenShift)
Istio - Sail
(Kubernetes - Helmsman or ship’s pilot)

Service Mesh Defined
A service mesh is a dedicated infrastructure layer for handling service-to-service communication. It’s responsible for the reliable delivery of requests through the complex topology of services that comprise a modern, cloud native application. In practice, the service mesh is typically implemented as an array of lightweight network proxies that are deployed alongside application code, without the application needing to be aware.
https://buoyant.io/2017/04/25/whats-a-service-mesh-and-why-do-i-need-one/
Microservices'ilities + Istio
(same MyService figure, for Istio)
Microservices embedding Capabilities - Before Istio
(figure: Service A, Service B and Service C each run in a JVM inside a Container, and each one embeds Discovery, Load-balancer, Resiliency, Metrics and Tracing)

Microservices externalizing Capabilities - After Istio
(figure: each service's Pod now holds two containers, the JVM running the service and a Sidecar Container; the sidecar intercepts all network traffic)

Envoy is the current sidecar
(same Pod / Sidecar Container figure)

Sidecar
https://www.imz-ural.com/blog/waffles-the-sidecar-dog
Next Generation Microservices - Service Mesh
Code Independent (Polyglot)
• Intelligent Routing and Load-Balancing
• A/B Tests
• Smarter Canary Releases
• Chaos: Fault Injection
• Resilience: Circuit Breakers
• Observability: Metrics and Tracing
• Fleet wide policy enforcement
Istio Data Plane vs Control Plane
Data Plane: Service A, Service B and Service C each run in a JVM in a Container inside their own Pod, next to an Envoy Sidecar; the sidecars carry HTTP1.1, HTTP2, gRPC and TCP w/TLS.
Control Plane:
- Istio Pilot - istioctl, API, config
- Istio Mixer - Quota, Telemetry, Rate Limiting, ACL
- Istio Citadel - mTLS, SPIFFE
Polyglot Microservices Platform circa 2019
(figure: Config Server, Jaeger, Istio, NETFLIX Ribbon)

Observability

Kiali.io
New Service Graph

Prometheus
How to add an Istio-Proxy (sidecar)?
istioctl kube-inject -f NormalDeployment.yaml
OR
kubectl label namespace myspace istio-injection=enabled
To "see" the sidecar:
kubectl describe deployment customer
Traffic Control

Blue/Green Deployment
(animated figure, repeated over eight slides: SCM, BUILD, DEVELOPMENT, QA, STAGING, PRODUCTION, ROUTER, USERS)

Demo Blue/Green
- Only Recommendation-v2
- Only Recommendation-v1
- Both (Delete Rule)
Canary Deployment

Canary Resuscitator
http://www.openculture.com/2018/05/the-device-invented-to-resuscitate-canaries-in-coal-mines-circa-1896.html
Thanks to Paolo Antinori!
Canary Deployment
(animated figure, repeated over ten slides: SCM, DEVELOPMENT, QA, STAGING, PRODUCTION, ROUTER, USERS)
Canaries with Kubernetes
(figure: the Route/Service/Ingress sends 50% of the traffic to the Pod running Service A v1 and 50% to the Pod running Service A v2)

Canaries with Istio
(figure: the Route/Service/Ingress sends 90% of the traffic to Service A v1 and 10% to Service A v2)

Demo Canary
- 90/10
- 75/25
- Based on User-Agent
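The 90/10, 75/25 and User-Agent demos above (and the blue/green demo, which is the same mechanism with the weights set to 100/0 or 0/100, and "Both" once the rule is deleted) can be expressed as one DestinationRule plus one VirtualService. The manifest below is an added example, not the tutorial's own files; the namespace tutorial, the service host recommendation, the version labels v1/v2 and the Safari User-Agent match are assumptions.

```yaml
# Added example (not from the slides): Istio canary for the "recommendation"
# service. Namespace, host, labels and the User-Agent pattern are assumed.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: recommendation
  namespace: tutorial
spec:
  host: recommendation
  # Subsets map a route target to pods by label; the pods of each
  # Deployment must carry version: v1 or version: v2.
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: recommendation
  namespace: tutorial
spec:
  hosts:
  - recommendation
  http:
  # Rule 1 ("Based on User-Agent"): a caller whose User-Agent contains
  # "Safari" always lands on v2. Rules are evaluated top to bottom, so the
  # match rule must precede the weighted rule.
  - match:
    - headers:
        user-agent:
          regex: .*Safari.*
    route:
    - destination:
        host: recommendation
        subset: v2
  # Rule 2: everyone else is split 90/10. Change to 75/25 to widen the
  # canary, or 100/0 and 0/100 for the blue/green demo.
  - route:
    - destination:
        host: recommendation
        subset: v1
      weight: 90
    - destination:
        host: recommendation
        subset: v2
      weight: 10
```

Istio takes the first rule that matches, so if the weighted rule were listed first the User-Agent route would never be reached. Weights are relative shares; keeping them summing to 100 makes them read as percentages (older Istio releases reject any other total). The split is enforced by the calling pod's sidecar, which is what lets a 10% canary be run on a single v2 pod instead of needing a 9:1 pod ratio as in the plain Kubernetes figure.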
Dark Launch

Dark Launches with Istio
(figure: the Route/Service/Ingress sends 100% of the traffic to Service A v1 and mirrors 100% of the requests to Service A v2)

Demo Dark Launch
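The mirroring in the figure above, as an added example (not the tutorial's own manifest). It assumes that a DestinationRule already defines the v1 and v2 subsets of recommendation in the namespace tutorial.

```yaml
# Added example (not from the slides): dark launch of recommendation v2.
# Assumes subsets v1/v2 are defined by a DestinationRule in this namespace.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: recommendation
  namespace: tutorial
spec:
  hosts:
  - recommendation
  http:
  - route:
    # 100% of the real traffic is still answered by v1.
    - destination:
        host: recommendation
        subset: v1
      weight: 100
    # A copy of every request is sent to v2 "fire and forget";
    # v2's response is discarded and never reaches the caller.
    mirror:
      host: recommendation
      subset: v2
```

Envoy appends -shadow to the Host/Authority header of the mirrored copy, so v2 and its logs can tell a mirrored request from a live one. Because every request is duplicated, v2 must be safe against double side effects (writes, e-mails, outbound calls) before it is dark-launched; later Istio releases add a mirrorPercentage field to mirror only a sample.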
Service Resiliency
• Retry
• Kiali
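The Retry bullet above, as an added example (not the tutorial's own rule): a VirtualService that makes the calling sidecar retry failed calls to recommendation, so the retries show up in Kiali without any change to the application code. The namespace and host are assumptions.

```yaml
# Added example (not from the slides): sidecar-side retries for
# recommendation. Namespace and host are assumed.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: recommendation
  namespace: tutorial
spec:
  hosts:
  - recommendation
  http:
  - route:
    - destination:
        host: recommendation
    retries:
      attempts: 3          # up to three additional tries
      perTryTimeout: 2s    # each try is abandoned after 2 s
      retryOn: 5xx,connect-failure   # never retry on 4xx
    timeout: 10s           # bounds the whole call, retries included
```

retryOn limits retries to server errors and connection failures; a 4xx is the caller's fault and retrying it only adds load. The outer timeout bounds the total time the caller can be held, whatever the number of attempts. Retries are only safe for idempotent requests: a POST that succeeded but answered late would be executed twice, so for non-idempotent calls either drop the retry or give the request an idempotency key the service honours.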
Chaos Testing
(image) By Netflix - https://github.com/Netflix/SimianArmy/blob/master/assets/SimianArmy.png, Apache License 2.0, https://commons.wikimedia.org/w/index.php?curid=63503083

Demo Chaos
- 503
- Delay
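The 503 and Delay demos above, as an added example (not the tutorial's own rule): a VirtualService that makes the sidecars abort 50% of the calls to recommendation with an HTTP 503 and add a fixed 7 s delay to 50% (the two are sampled independently), so the retry and timeout behaviour of the callers can be watched in Kiali and Jaeger without touching the service. Namespace, host, percentages and delay are assumptions.

```yaml
# Added example (not from the slides): fault injection against
# recommendation. Namespace, host and the numbers are assumed.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: recommendation
  namespace: tutorial
spec:
  hosts:
  - recommendation
  http:
  - fault:
      abort:
        percentage:
          value: 50.0      # half of the requests get a 503 from the proxy
        httpStatus: 503
      delay:
        percentage:
          value: 50.0      # half of the requests are held for 7 s first
        fixedDelay: 7s
    route:
    - destination:
        host: recommendation
```

The faults are produced by Envoy, so the recommendation pods never see the aborted requests; what the demo exercises is the callers (preference, customer) and their retries, timeouts and circuit breakers. Scope the rule with a match on a header or a source label before running it against anything shared, and delete it when the exercise is over: a forgotten fault rule is indistinguishable from an outage.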
Access Control
(figure: the Customer, Preference and Recommendation Pods each have an istio-proxy; the calls Customer → Preference → Recommendation are checked (✓) by the proxies)
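The checked calls in the figure above, as an added example using today's security.istio.io/v1beta1 API rather than the Mixer/Citadel-era objects of the slides (this is not the tutorial's own manifest): STRICT mTLS for the namespace, plus an AuthorizationPolicy that lets only the preference workload call recommendation. The namespace tutorial, the app labels and the service-account names are assumptions.

```yaml
# Added example (not from the slides): mTLS + workload-level authorization
# for the customer -> preference -> recommendation chain.
# Namespace, labels and service-account names are assumed.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: tutorial
spec:
  mtls:
    mode: STRICT     # plaintext from a pod without a sidecar is rejected
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: recommendation-allow-preference
  namespace: tutorial
spec:
  selector:
    matchLabels:
      app: recommendation     # applied by recommendation's istio-proxy
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity of the preference pods, taken from the client
        # certificate that Citadel (istiod today) issued to their service account.
        principals:
        - cluster.local/ns/tutorial/sa/preference
    to:
    - operation:
        methods: ["GET"]
```

Once an ALLOW policy selects a workload, any request that matches none of its rules is denied, so customer can no longer call recommendation directly and the customer → preference hop needs a policy of its own. The principals field only carries meaning under mTLS: the identity comes from the peer certificate, so with PERMISSIVE mode a plaintext caller has no principal and is simply denied rather than impersonating anyone. Run preference with its own ServiceAccount (rather than default) or the identity is shared with every other pod in the namespace.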
Most Communication Inbound & Internal

Outbound/Egress Blocked By Default
Demo Egress
- Access http://worldclockapi.com
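The egress demo above, as an added example (not the tutorial's own files): the mesh setting that keeps outbound traffic blocked unless the destination is registered, and the ServiceEntry that registers worldclockapi.com so the demo call succeeds. The namespace is an assumption.

```yaml
# Added example (not from the slides): explicit egress allow-listing.
# Mesh-wide: only destinations known to the registry may be reached.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: example
  namespace: istio-system
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY     # unknown external hosts are refused by the sidecar
---
# Register the one external host the demo needs; namespace is assumed.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: worldclockapi
  namespace: tutorial
spec:
  hosts:
  - worldclockapi.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 80
    name: http
    protocol: HTTP
```

Istio 1.3 and later ship with outboundTrafficPolicy set to ALLOW_ANY, so the "blocked by default" behaviour of the slide has to be configured explicitly on a current install. The allow-list is enforced by the sidecar only: a pod without a sidecar, or traffic that does not pass through Envoy, is not covered, so pair it with a Kubernetes NetworkPolicy that restricts egress at the network layer, and keep each ServiceEntry as narrow as the demo needs (a single host, a single port).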
bit.ly/istio-book

https://learn.openshift.com/servicemesh

Demo
bit.ly/istio-tutorial

Workshop
bit.ly/the-istio-workshop

The End
(but Serverless is coming)
@RAFABENE