Deploy a Microservice into Istio service mesh

Before deploying a service into Istio, let's first understand what a service mesh is.

A service mesh is a dedicated infrastructure layer for handling service-to-service communication.
Basically, it's a way to control how different microservices deployed on Kubernetes manage secure communication and traffic between them, along with cross-cutting concerns such as logging and security.

The Istio service mesh comes with lots of features, such as:

  • circuit-breaking
  • load balancing
  • service discovery
  • number of retries

We will not discuss these features here. Let's jump straight to the deployment, which we divide into 3 phases:

  • Download and install Istio on cluster
  • Deploy the micro-service
  • Setup the Gateway

Download and install Istio on cluster

To download the latest version, refer to the release page. Download the tar.gz file and extract it. In the directory, we will find the istioctl client, which we can use to:

  • Customise the configuration of the Istio service mesh
  • Retrieve information about the proxy configuration ..

Now add the istioctl client to your machine's PATH. For the installation we need to choose a configuration profile. There is a set of configuration profiles; we are going to use the demo profile, which enables the components according to default settings.

Use the following command to install the demo configuration profile.

istioctl install --set profile=demo

As we know, Istio automatically injects Envoy sidecar proxies using a mutating admission webhook when we deploy services in a particular namespace. To enable this feature, we need to set the istio-injection label on the namespace where we will deploy the application.

kubectl label namespace default istio-injection=enabled

Deploy the micro-service

Now let's deploy the sample application by applying the following YAML file.

apiVersion: v1
kind: Service
metadata:
  name: sample
  namespace: default
  labels:
    app: sample
spec:
  selector:
    app: sample
  ports:
    - name: http
      port: 8081
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sample
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sample
      version: 'v1'
  template:
    metadata:
      labels:
        app: sample
        version: 'v1'
    spec:
      initContainers:
        - name: init-ds
          image: busybox:latest
          command:
            - '/bin/sh'
            - '-c'
            - |
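              # No connectivity probe runs before this test, so $? is 0 on the
              # first pass and the loop exits immediately.
              while true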
              do
                if [ $? -eq 0 ]; then
                  echo "DB is UP"
                  break
                fi
                echo "DB is not yet reachable;sleep for 10s before retry"
                sleep 10
              done
      containers:
        - name: sample-app
          image: lokesh/bundle123:latest
          imagePullPolicy: Always
          env:
            - name: SPRING_PROFILES_ACTIVE
              value: prod
            - name: SPRING_SLEUTH_PROPAGATION_KEYS
              value: 'x-request-id,x-ot-span-context'
            - name: JAVA_OPTS
              value: ' -Xmx256m -Xms256m'
          resources:
            requests:
              memory: '256Mi'
              cpu: '50m'
            limits:
              memory: '512Mi'
              cpu: '1'
          ports:
            - name: http
              containerPort: 8081
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: sample
spec:
  hosts:
    - "*"
  gateways:
    - sample-gateway
  http:
    - match:
        - uri:
            exact: /getStudents
        - uri:
            exact: /accounts/create
        - uri:
            exact: /istio/auth
        - uri:
            prefix: /getTeacher
      route:
        - destination:
            host: sample
            port:
              number: 8081

Here we have applied Service, Deployment and VirtualService resources. The new one is the VirtualService: it provides a rich way of specifying traffic routing rules and decouples where clients send their requests from the destination workloads that actually implement them.

Verify the deployment with the following commands.

kubectl get service 
kubectl get pods

You will see two containers in the sample pod: one for the sample service and the other for the Envoy proxy. The sidecar proxies intercept the incoming and outgoing requests of the service. This enables Istio to perform routing, telemetry collection, and policy enforcement for the whole mesh. To take advantage of the full set of Istio features, services must run with the sidecar proxy.
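Since policy enforcement only applies to pods that actually carry the sidecar, it is worth checking this explicitly rather than reading the `kubectl get pods` output by eye. The script below is an added example, not part of the original post: it assumes the injected container is named `istio-proxy`, and the function names and sample pod names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check that sidecar injection took effect.

# True when the namespace ($1) carries the istio-injection=enabled label.
injection_enabled() {
  label=$(kubectl get namespace "$1" -o jsonpath='{.metadata.labels.istio-injection}')
  [ "$label" = "enabled" ]
}

# Emits one "pod<TAB>container names" line per pod in the namespace ($1).
list_pod_containers() {
  kubectl get pods -n "$1" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
}

# Reads list_pod_containers output on stdin and prints every pod without a
# container named istio-proxy (assumed sidecar name). Returns 1 if any is found.
pods_missing_sidecar() {
  awk -F'\t' '
    NF == 0 { next }
    {
      n = split($2, names, " "); found = 0
      for (i = 1; i <= n; i++) if (names[i] == "istio-proxy") found = 1
      if (!found) { print $1; bad = 1 }
    }
    END { exit bad }'
}

# Constructed sample input: one injected pod, one created before the label was set.
SAMPLE_PODS=$(printf 'sample-6f7d9c-abcde\tsample-app istio-proxy\nlegacy-5c8b7-xyz12\tworker')
MISSING=$(printf '%s\n' "$SAMPLE_PODS" | pods_missing_sidecar) || true
echo "pods without sidecar: ${MISSING:-none}"

# Against a live cluster:
#   injection_enabled default || echo "namespace default is not labelled"
#   list_pod_containers default | pods_missing_sidecar
```

Injection happens at pod creation, so pods that were already running when the namespace was labelled show up here until they are restarted.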

Setup the Gateway

Now we need to set up the gateway so that the service is accessible from outside. Apply the following YAML file to create a gateway for the sample application.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: sample-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"

Set the GATEWAY_URL environment variable in your shell to the public IP/port of the Istio ingress gateway. GATEWAY_URL is the combination of INGRESS_HOST and INGRESS_PORT, so set those two first.

export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
export INGRESS_HOST=$(minikube ip)
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
echo $GATEWAY_URL

You have now successfully deployed the sample application into the Istio service mesh. If you have any queries or want to know more about it, you can add a comment. I am happy to answer them.

Written by 

Lokesh Aggarwal is a software Consultant trainee with 6 months of experience at Knoldus Inc.
