Exploring Istio

Welcome to this blog about Istio, the industry standard when it comes to a service mesh. In today’s world of microservices and containerized applications, managing traffic, implementing security, and observing your applications can sometimes be overwhelming. That’s where Istio comes to the rescue.

Hamid Komairi, Zico Van Ongeval, Dries Zutterman
21 Dec 2023

In this blog, we will delve deeper into what Istio is and show that you can accomplish quite a lot with minimal configuration, using a demo application called “microshop”, which you can also download from this repository if you want to play around with it.

What is a service mesh?

A service mesh is a dedicated infrastructure layer that facilitates secure and reliable communication between the microservices in a distributed application. It uses small sidecar components that act as proxies that work alongside your individual microservices to handle things like load balancing, security and observability. By abstracting these functions into sidecars, service meshes relieve the individual applications, providing more flexibility and control within distributed applications.

What is Istio?

According to the Istio official website, Istio is an open source service mesh that layers transparently onto existing distributed applications. Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to load balancing, service-to-service authentication, and monitoring – with few or no service code changes.

To get a better understanding of what Istio is capable of, we are going to take a look at some of its features using a demo application.

Source: https://istio.io/latest/about/service-mesh/

Application overview

Within the microshop namespace, we have the different components of our application. It consists of 3 microservices: a log service, a user service and a product service that is deployed on 2 different pods. Notice the istio-proxy container in each Pod, which indicates that Istio utilizes the sidecar pattern. In this pattern, each microservice is paired with a separate, lightweight proxy (the “sidecar”) that handles communication, monitoring, and security tasks alongside the main application, ensuring efficient and uniform management of microservice interactions.

The purple elements you can see on the diagram are Istio-specific components. We have an ingress gateway that handles all the incoming traffic from the outside world, and then we have the VirtualServices that handle the traffic to the different (micro)services themselves. This is also the place where you can implement features like traffic shifting (canary deployments, blue-green deployments, circuit-breaking, etc.) and traffic mirroring.

Traffic shifting

Example of distributing 50% of traffic to Products V1 and 50% to Products V2:

On the other hand, we have the istio-system namespace. Here you can find different components that come with Istio to manage your service mesh, including Kiali for visualising your mesh, Jaeger for tracing and monitoring your microservice applications and Prometheus for performance-related dashboards.

These can be accessed using the istioctl command line interface.

istioctl dashboard kiali

istioctl dashboard jaeger

istioctl dashboard prometheus

Client credential flow

We also implemented a client credential flow that acts as a shield for specific types of requests. In this demo we used Auth0 as our trusted token issuer.

With this setup, we’ve allowed GET requests to the user and product services and simultaneously blocked all other unauthorized requests, again with minimal configuration within Istio.

mTLS for interservice communication

Another feature we want to demonstrate is the implementation of mTLS between the different services. We will provide you with a snippet to accomplish this using a default policy for your applications and a screenshot from Kiali to visualise this.
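The two security features described above (the Auth0-backed client credential flow and the default mTLS policy), written out as Istio resources. This is an added example, not the configuration from the microshop repository: the Auth0 tenant URL, audience, resource names and the `app: products` label are assumptions, and the user service would get the same pair of request policies with its own label.

```yaml
# Added example; values marked "assumed" or "placeholder" are not from the post.
# 1) Namespace-wide default: sidecars in microshop accept only mutual-TLS traffic.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: microshop
spec:
  mtls:
    mode: STRICT                  # PERMISSIVE would still accept plaintext
---
# 2) Validate JWTs issued by Auth0 on requests to the product workload.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: products-jwt              # assumed name
  namespace: microshop
spec:
  selector:
    matchLabels:
      app: products               # assumed workload label
  jwtRules:
  - issuer: "https://YOUR_TENANT.auth0.com/"        # placeholder tenant
    jwksUri: "https://YOUR_TENANT.auth0.com/.well-known/jwks.json"
    audiences: ["https://microshop.example/api"]    # assumed API identifier
---
# 3) ALLOW policy: once it exists, requests matching no rule are denied (403).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: products-get-or-token     # assumed name
  namespace: microshop
spec:
  selector:
    matchLabels:
      app: products               # same assumed label as above
  action: ALLOW
  rules:
  - to:                           # rule 1: GET is open to any caller
    - operation:
        methods: ["GET"]
  - from:                         # rule 2: other methods need a validated JWT
    - source:
        requestPrincipals: ["*"]
```

RequestAuthentication on its own only rejects requests that carry an invalid token and lets requests with no token through, so the ALLOW policy is what actually blocks unauthenticated non-GET calls.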

Conclusion

In this blog, we’ve given you a glimpse of Istio and its potential in simplifying the management of distributed applications. Using our demo microshop app we’ve shown how Istio’s sidecar magic can boost security, reliability, and observability.

We hope to have piqued your interest in Istio and service mesh technology. The world of distributed systems is evolving, and Istio is your reliable companion on this exciting journey. So, why not give it a try for your projects and unlock the power of cloud-native architectures?
