人生在世，看得透，又看得远者prevail everywhere.

ppt.cc/fRZTnx ppt.cc/fSZ3cx ppt.cc/fLOuCx ppt.cc/fE9Nux ppt.cc/fL5Kyx ppt.cc/fVjECx ppt.cc/fIr1ax ppt.cc/fEnHsx ppt.cc/f71Yqx tecmint.com linuxcool.com linux.die.net linux.it.net.cn ostechnix.com unix.com ubuntugeek.com runoob.com man.linuxde.net bit.ly/2EzoUDo bit.ly/2v6jGJi bit.ly/2tW6eYT bit.ly/2X6vadl bit.ly/2viLpHU linuxprobe.com linuxtechi.com howtoforge.com linuxstory.org systutorials.com ghacks.net linuxopsys.com v.gd/2P9wTx v.gd/FtfpqE v.gd/eMfHsm v.gd/Ub7mqv v.gd/RReVk0

Sunday 2 December 2018

Istio

Connect, secure, control, and observe services. https://istio.io

An open platform to connect, manage, and secure microservices.

In addition, here are some other documents you may wish to read:

Istio Community - describes how to get involved and contribute to the Istio project
Istio Developer's Guide - explains how to set up and use an Istio development environment
Project Conventions - describes the conventions we use within the code base
Creating Fast and Lean Code - performance-oriented advice and guidelines for the code base

You'll find many other useful documents on our Wiki.

Introduction

Istio is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio's control plane provides an abstraction layer over the underlying cluster management platform, such as Kubernetes, Mesos, etc.

Visit istio.io for in-depth information about using Istio.

Istio is composed of these components:

Envoy - Sidecar proxies per microservice to handle ingress/egress traffic between services in the cluster and from a service to external services. The proxies form a secure microservice mesh providing a rich set of functions like discovery, rich layer-7 routing, circuit breakers, policy enforcement and telemetry recording/reporting functions.

Note: The service mesh is not an overlay network. It simplifies and enhances how microservices in an application talk to each other over the network provided by the underlying platform.
Mixer - Central component that is leveraged by the proxies and microservices to enforce policies such as authorization, rate limits, quotas, authentication, request tracing and telemetry collection.
Pilot - A component responsible for configuring the proxies at runtime.
Citadel - A centralized component responsible for certificate issuance and rotation.
Node Agent - A per-node component responsible for certificate issuance and rotation.
Galley- Central component for validating, ingesting, aggregating, transforming and distributing config within Istio.

Istio currently supports Kubernetes and Consul-based environments. We plan support for additional platforms such as Cloud Foundry, and Mesos in the near future.

Repositories

The Istio project is divided across a few GitHub repositories.

istio/istio. This is the main repository that you are currently looking at. It hosts Istio's core components and also the sample programs and the various documents that govern the Istio open source project. It includes:
- security. This directory contains security related code, including Citadel (acting as Certificate Authority), node agent, etc.
- pilot. This directory contains platform-specific code to populate the abstract service model, dynamically reconfigure the proxies when the application topology changes, as well as translate routing rules into proxy specific configuration.
- istioctl. This directory contains code for the istioctl command line utility.
- mixer. This directory contains code to enforce various policies for traffic passing through the proxies, and collect telemetry data from proxies and services. There are plugins for interfacing with various cloud platforms, policy management services, and monitoring services.
istio/api. This repository defines component-level APIs and common configuration formats for the Istio platform.
istio/proxy. The Istio proxy contains extensions to the Envoy proxy (in the form of Envoy filters), that allow the proxy to delegate policy enforcement decisions to Mixer.

from https://github.com/istio/istio
-----

Istio compatible service mesh using NGINX.

Important Project Notice

This project is no longer under active development. It will be preserved here for the foreseeable future for reference. Please note that the last version released works with Istio 0.7.

NGINX Architecture with Istio Service Mesh

This repository provides an implementation of a NGINX based service mesh (nginMesh). nginMesh is compatible with Istio. It leverages NGINX as a sidecar proxy.

What is Service Mesh and Istio?

Please check https://istio.io for a detailed explanation of the service mesh.

Production Status

The current version of nginMesh is designed to work with Istio release 0.7.1. It should not be used in production environments.

Demo

Recorded demo of nginMesh depoyment.

Architecture

The diagram below depicts how an NGINX sidecar proxy is implemented. The sidecar uses the open source version of NGINX compiled with modules for tracing and monitoring.

The diagram below is an alternative architectural view -

To learn more about the sidecar implementation, see this document.

Quick Start

Below are instructions to quickly install and configure nginMesh. Currently, only Kubernetes environment is supported.

Prerequisites

Make sure you have a cluster with Kubernetes 1.9 or newer. Please see Prerequisites for setting up a kubernetes cluster.

Install Istio and nginMesh

nginMesh requires installation of Istio first.

Download and install Istio 0.7.1:

curl -L https://git.io/getLatestIstio | ISTIO_VERSION=0.7.1 sh -

Download nginMesh release 0.7.1:

curl -L https://github.com/nginxinc/nginmesh/releases/download/v0.7.1/nginmesh-0.7.1.tar.gz | tar zx

Deploy Istio:

kubectl create -f istio-0.7.1/install/kubernetes/istio.yaml

Ensure the following Kubernetes services are deployed: istio-pilot, istio-mixer, istio-ingress:

kubectl get svc  -n istio-system

istio-ingress            LoadBalancer   10.47.252.40    35.237.173.47   80:32171/TCP,443:32198/TCP                   19h
istio-mixer              ClusterIP      10.47.251.225   <none>          9091/TCP,15004/TCP,9093/TCP,9094/TCP,9102/TCP,9125/UDP,42422/TCP    19h
istio-pilot              ClusterIP      10.47.254.118   <none>          15003/TCP,15005/TCP,15007/TCP,15010/TCP,8080/TCP,9093/TCP,443/TCP   19h
istio-sidecar-injector   ClusterIP      10.47.242.139   <none>          443/TCP                                       9h

Ensure the following Kubernetes pods are up and running: istio-pilot-* , istio-mixer-* , istio-ingress-* and istio-initializer-*:

kubectl get pods -n istio-system

istio-ca-86f55cc46f-nprhw                1/1       Running   0          19h
istio-ingress-5bb556fcbf-c7tgt           1/1       Running   0          19h
istio-mixer-86f5df6997-fvzjx             3/3       Running   0          19h
istio-pilot-67d6ddbdf6-xhztz             2/2       Running   0          19h
istio-sidecar-injector-5b8c78fd6-8dvq6   1/1       Running   0          9h

Enable automatic sidecar injection:

nginmesh-0.7.1/install/kubernetes/install-sidecar.sh

Verify that the istio-injection label is not applied to the default namespace:

kubectl get namespace -L istio-injection

NAME           STATUS        AGE       ISTIO-INJECTION
default        Active        1h        
istio-system   Active        1h        
kube-public    Active        1h        
kube-system    Active        1h

Deploy a Sample Application

In this section we deploy the Bookinfo application, which is taken from the Istio samples. Please see Bookinfo for more details.

Label the default namespace with istio-injection=enabled:

kubectl label namespace default istio-injection=enabled

Deploy the application:

kubectl apply -f  istio-0.7.1/samples/bookinfo/kube/bookinfo.yaml

Confirm that all application services are deployed: productpage, details, reviews, ratings:

kubectl get services

NAME                       CLUSTER-IP   EXTERNAL-IP   PORT(S)              AGE
details                    10.0.0.31    <none>        9080/TCP             6m
kubernetes                 10.0.0.1     <none>        443/TCP              7d
productpage                10.0.0.120   <none>        9080/TCP             6m
ratings                    10.0.0.15    <none>        9080/TCP             6m
reviews                    10.0.0.170   <none>        9080/TCP             6m

Confirm that all application pods are running --details-v1-* , productpage-v1-* , ratings-v1-* , reviews-v1-* , reviews-v2-* and reviews-v3-*:

kubectl get pods

NAME                                        READY     STATUS    RESTARTS   AGE
details-v1-1520924117-48z17                 2/2       Running   0          6m
productpage-v1-560495357-jk1lz              2/2       Running   0          6m
ratings-v1-734492171-rnr5l                  2/2       Running   0          6m
reviews-v1-874083890-f0qf0                  2/2       Running   0          6m
reviews-v2-1343845940-b34q5                 2/2       Running   0          6m
reviews-v3-1813607990-8ch52                 2/2       Running   0          6m

Get the public IP of the Istio Ingress controller. If the cluster is running in an environment that supports external load balancers:
```
kubectl get svc -n istio-system | grep -E 'EXTERNAL-IP|istio-ingress'
```
Open the Bookinfo application in a browser using the following link:
```
http://<Public-IP-of-the-Ingress-Controller>/productpage
```

Uninstall the Application

To uninstall application, run:

./istio-0.7.1/samples/bookinfo/kube/cleanup.sh

Uninstall Istio

To uninstall the Istio core components:

kubectl delete -f istio-0.7.1/install/kubernetes/istio.yaml

To uninstall the initializer, run:

nginmesh-0.7.1/install/kubernetes/delete-sidecar.sh

Limitations

nginMesh has the following limitations:

TCP and gRPC traffic is not supported.
Quota Check is not supported.
Only Kubernetes is supported.

All sidecar-related limitations and supported traffic management rules are described here.

from https://github.com/nginxinc/nginmesh