├── .gitignore
├── LICENSE
├── README.md
├── code
├── cleanup-bookinfo.sh
├── cleanup-istio.sh
├── fluentd-istio.yaml
├── logging-stack.yaml
└── target
├── img
├── adersberger-istio-by-example.012.png
├── adersberger-istio-by-example.key
├── adersberger-istio-by-example
│ ├── adersberger-istio-by-example.001.png
│ ├── adersberger-istio-by-example.002.png
│ ├── adersberger-istio-by-example.003.png
│ ├── adersberger-istio-by-example.004.png
│ ├── adersberger-istio-by-example.005.png
│ ├── adersberger-istio-by-example.006.png
│ ├── adersberger-istio-by-example.007.png
│ ├── adersberger-istio-by-example.008.png
│ ├── adersberger-istio-by-example.009.png
│ ├── adersberger-istio-by-example.010.png
│ ├── adersberger-istio-by-example.011.png
│ ├── adersberger-istio-by-example.012.png
│ ├── adersberger-istio-by-example.013.png
│ ├── adersberger-istio-by-example.014.png
│ ├── adersberger-istio-by-example.015.png
│ ├── adersberger-istio-by-example.016.png
│ ├── adersberger-istio-by-example.017.png
│ └── adersberger-istio-by-example.018.png
├── arch.svg
├── book.png
├── bookinfo-arch.png
├── bookinfo-withistio.png
├── conceptmap.png
├── docker-mac.png
├── docker.png
├── final-slide.png
├── hands-on.jpg
├── header-slide.png
├── istio-arch.png
├── kiali-graph.png
├── kube-dash-screen.png
├── molecules.jpg
├── playground.jpg
├── purple-3054804.jpg
├── release-patterns.jpg
├── setup-istio-observability.png
├── setup-istio.png
├── ship.jpg
├── slapper.gif
├── slapper.png
├── snail.jpg
└── withistio.svg
├── istio-by-example.code-workspace
├── logo.png
└── slides
├── adersberger-istio-by-example-lightning.md
├── adersberger-istio-by-example.md
├── adersberger-istio-playground.md
└── adersberger-istio-playground.pdf
/.gitignore:
--------------------------------------------------------------------------------
1 | # External dependencies
2 | code/istio-*
3 |
4 | # Compiled class file
5 | *.class
6 |
7 | # Log file
8 | *.log
9 |
10 | # BlueJ files
11 | *.ctxt
12 |
13 | # Mobile Tools for Java (J2ME)
14 | .mtj.tmp/
15 |
16 | # Package Files #
17 | *.jar
18 | *.war
19 | *.ear
20 | *.zip
21 | *.tar.gz
22 | *.rar
23 |
24 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
25 | hs_err_pid*
26 |
27 | # General
28 | .DS_Store
29 | .AppleDouble
30 | .LSOverride
31 |
32 | # Icon must end with two \r
33 | Icon
34 |
35 | # Thumbnails
36 | ._*
37 |
38 | # Files that might appear in the root of a volume
39 | .DocumentRevisions-V100
40 | .fseventsd
41 | .Spotlight-V100
42 | .TemporaryItems
43 | .Trashes
44 | .VolumeIcon.icns
45 | .com.apple.timemachine.donotpresent
46 |
47 | # Directories potentially created on remote AFP share
48 | .AppleDB
49 | .AppleDesktop
50 | Network Trash Folder
51 | Temporary Items
52 | .apdisk
53 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2018 Josef Adersberger
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | 
4 | 
5 | 
6 |
7 | # Istio Playground
8 | * current Istio version on the playground: [1.0.1](https://istio.io/about/notes/1.0)
9 | * [Slidedeck](https://github.com/adersberger/istio-by-example/blob/master/slides/)
10 | * [Istio Toys](https://istio.io/docs/tasks/)
11 | * Plan B Kubernetes cluster: [use GKE (account required)](https://istio.io/docs/setup/kubernetes/quick-start-gke-dm), [use Katacoda](https://katacoda.com/courses/istio), [use Minikube](https://meteatamel.wordpress.com/2018/04/24/istio-101-with-minikube)
12 |
13 | # Prerequisites
14 | * [git client](https://git-scm.com)
15 | * text editor ([VS.code](https://code.visualstudio.com) recommended)
16 | * current [Docker Desktop](https://www.docker.com/products/docker-desktop) version with Kubernetes support, at least 8GB Memory configured, and kubectl installed
17 | * bash (no hard requirement but makes it easier to follow the tutorial)
18 |
19 | # References
20 | * Istio networking abstractions: https://istio.io/docs/reference/config/istio.networking.v1alpha3/
21 | * Istio workshop by Christian Posta: http://blog.christianposta.com/istio-workshop/slides/#/69
22 | * Istio and Kubernetes (by Kelsey Hightower): https://youtu.be/s4qasWn_mFc
23 | * Istio canaries and kubernetes: https://www.slideshare.net/RedHatDevelopers/istio-canaries-and-kubernetes
24 |
25 | # Maintainer
26 |
27 | Josef Adersberger (@adersberger)
28 |
29 | # License
30 |
31 | The software and documentation are provided under the MIT open source license,
32 | read the `LICENSE` file for details.
33 |
--------------------------------------------------------------------------------
/code/cleanup-bookinfo.sh:
--------------------------------------------------------------------------------
1 | exec istio-*/samples/bookinfo/platform/kube/cleanup.sh
--------------------------------------------------------------------------------
/code/cleanup-istio.sh:
--------------------------------------------------------------------------------
1 | kubectl delete -f istio-*/install/kubernetes/istio-demo.yaml
2 |
3 | kubectl label namespace default istio-injection-
4 |
--------------------------------------------------------------------------------
/code/fluentd-istio.yaml:
--------------------------------------------------------------------------------
1 | # Configuration for logentry instances
2 | apiVersion: "config.istio.io/v1alpha2"
3 | kind: logentry
4 | metadata:
5 |   name: newlog
6 |   namespace: istio-system
7 | spec:
8 |   severity: '"info"'
9 |   timestamp: request.time
10 |   variables:
11 |     source: source.labels["app"] | source.workload.name | "unknown"
12 |     user: source.user | "unknown"
13 |     destination: destination.labels["app"] | destination.workload.name | "unknown"
14 |     responseCode: response.code | 0
15 |     responseSize: response.size | 0
16 |     latency: response.duration | "0ms"
17 |   monitored_resource_type: '"UNSPECIFIED"'
18 | ---
19 | # Configuration for a fluentd handler
20 | apiVersion: "config.istio.io/v1alpha2"
21 | kind: fluentd
22 | metadata:
23 |   name: handler
24 |   namespace: istio-system
25 | spec:
26 |   address: "fluentd-es.logging:24224"
27 | ---
28 | # Rule to send logentry instances to the fluentd handler
29 | apiVersion: "config.istio.io/v1alpha2"
30 | kind: rule
31 | metadata:
32 |   name: newlogtofluentd
33 |   namespace: istio-system
34 | spec:
35 |   match: "true" # match for all requests
36 |   actions:
37 |   - handler: handler.fluentd
38 |     instances:
39 |     - newlog.logentry
40 | ---
41 |
--------------------------------------------------------------------------------
/code/logging-stack.yaml:
--------------------------------------------------------------------------------
1 | # Logging Namespace. All below are a part of this namespace.
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: logging
6 | ---
7 | # Elasticsearch Service
8 | apiVersion: v1
9 | kind: Service
10 | metadata:
11 |   name: elasticsearch
12 |   namespace: logging
13 |   labels:
14 |     app: elasticsearch
15 | spec:
16 |   ports:
17 |   - port: 9200
18 |     protocol: TCP
19 |     targetPort: db
20 |   selector:
21 |     app: elasticsearch
22 | ---
23 | # Elasticsearch Deployment
24 | apiVersion: extensions/v1beta1
25 | kind: Deployment
26 | metadata:
27 |   name: elasticsearch
28 |   namespace: logging
29 |   labels:
30 |     app: elasticsearch
31 |   annotations:
32 |     sidecar.istio.io/inject: "false"
33 | spec:
34 |   template:
35 |     metadata:
36 |       labels:
37 |         app: elasticsearch
38 |     spec:
39 |       containers:
40 |       - image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.3.2
41 |         name: elasticsearch
42 |         resources:
43 |           # need more cpu upon initialization, therefore burstable class
44 |           limits:
45 |             cpu: 1000m
46 |           requests:
47 |             cpu: 100m
48 |         env:
49 |         - name: discovery.type
50 |           value: single-node
51 |         ports:
52 |         - containerPort: 9200
53 |           name: db
54 |           protocol: TCP
55 |         - containerPort: 9300
56 |           name: transport
57 |           protocol: TCP
58 |         volumeMounts:
59 |         - name: elasticsearch
60 |           mountPath: /data
61 |       volumes:
62 |       - name: elasticsearch
63 |         emptyDir: {}
64 | ---
65 | # Fluentd Service
66 | apiVersion: v1
67 | kind: Service
68 | metadata:
69 |   name: fluentd-es
70 |   namespace: logging
71 |   labels:
72 |     app: fluentd-es
73 | spec:
74 |   ports:
75 |   - name: fluentd-tcp
76 |     port: 24224
77 |     protocol: TCP
78 |     targetPort: 24224
79 |   - name: fluentd-udp
80 |     port: 24224
81 |     protocol: UDP
82 |     targetPort: 24224
83 |   selector:
84 |     app: fluentd-es
85 | ---
86 | # Fluentd Deployment
87 | apiVersion: extensions/v1beta1
88 | kind: Deployment
89 | metadata:
90 |   name: fluentd-es
91 |   namespace: logging
92 |   labels:
93 |     app: fluentd-es
94 |   annotations:
95 |     sidecar.istio.io/inject: "false"
96 | spec:
97 |   template:
98 |     metadata:
99 |       labels:
100 |         app: fluentd-es
101 |     spec:
102 |       containers:
103 |       - name: fluentd-es
104 |         image: gcr.io/google-containers/fluentd-elasticsearch:v2.2.0
105 |         env:
106 |         - name: FLUENTD_ARGS
107 |           value: --no-supervisor -q
108 |         resources:
109 |           limits:
110 |             memory: 500Mi
111 |           requests:
112 |             cpu: 100m
113 |             memory: 200Mi
114 |         volumeMounts:
115 |         - name: config-volume
116 |           mountPath: /etc/fluent/config.d
117 |       terminationGracePeriodSeconds: 30
118 |       volumes:
119 |       - name: config-volume
120 |         configMap:
121 |           name: fluentd-es-config
122 | ---
123 | # Fluentd ConfigMap, contains config files.
124 | kind: ConfigMap
125 | apiVersion: v1
126 | data:
127 |   forward.input.conf: |-
128 |     # Takes the messages sent over TCP
129 |     <source>
130 |       type forward
131 |     </source>
132 |   output.conf: |-
133 |     <match **>
134 |       type elasticsearch
135 |       log_level info
136 |       include_tag_key true
137 |       host elasticsearch
138 |       port 9200
139 |       logstash_format true
140 |       # Set the chunk limits.
141 |       buffer_chunk_limit 2M
142 |       buffer_queue_limit 8
143 |       flush_interval 5s
144 |       # Never wait longer than 5 minutes between retries.
145 |       max_retry_wait 30
146 |       # Disable the limit on the number of retries (retry forever).
147 |       disable_retry_limit
148 |       # Use multiple threads for processing.
149 |       num_threads 2
150 |     </match>
151 | metadata:
152 |   name: fluentd-es-config
153 |   namespace: logging
154 | ---
155 | # Kibana Service
156 | apiVersion: v1
157 | kind: Service
158 | metadata:
159 |   name: kibana
160 |   namespace: logging
161 |   labels:
162 |     app: kibana
163 | spec:
164 |   ports:
165 |   - port: 5601
166 |     protocol: TCP
167 |     targetPort: ui
168 |   selector:
169 |     app: kibana
170 | ---
171 | # Kibana Deployment
172 | apiVersion: extensions/v1beta1
173 | kind: Deployment
174 | metadata:
175 |   name: kibana
176 |   namespace: logging
177 |   labels:
178 |     app: kibana
179 |   annotations:
180 |     sidecar.istio.io/inject: "false"
181 | spec:
182 |   template:
183 |     metadata:
184 |       labels:
185 |         app: kibana
186 |     spec:
187 |       containers:
188 |       - name: kibana
189 |         image: docker.elastic.co/kibana/kibana-oss:6.3.2
190 |         resources:
191 |           # need more cpu upon initialization, therefore burstable class
192 |           limits:
193 |             cpu: 1000m
194 |           requests:
195 |             cpu: 100m
196 |         env:
197 |         - name: ELASTICSEARCH_URL
198 |           value: http://elasticsearch:9200
199 |         ports:
200 |         - containerPort: 5601
201 |           name: ui
202 |           protocol: TCP
203 | ---
204 |
--------------------------------------------------------------------------------
/code/target:
--------------------------------------------------------------------------------
1 | GET http://localhost/productpage
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example.012.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example.012.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example.key:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example.key
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.001.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.002.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.002.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.003.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.003.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.004.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.004.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.005.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.005.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.006.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.006.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.007.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.007.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.008.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.008.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.009.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.009.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.010.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.010.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.011.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.011.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.012.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.012.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.013.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.013.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.014.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.014.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.015.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.015.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.016.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.016.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.017.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.017.png
--------------------------------------------------------------------------------
/img/adersberger-istio-by-example/adersberger-istio-by-example.018.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/adersberger-istio-by-example/adersberger-istio-by-example.018.png
--------------------------------------------------------------------------------
/img/book.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/book.png
--------------------------------------------------------------------------------
/img/bookinfo-arch.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/bookinfo-arch.png
--------------------------------------------------------------------------------
/img/bookinfo-withistio.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/bookinfo-withistio.png
--------------------------------------------------------------------------------
/img/conceptmap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/conceptmap.png
--------------------------------------------------------------------------------
/img/docker-mac.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/docker-mac.png
--------------------------------------------------------------------------------
/img/docker.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/docker.png
--------------------------------------------------------------------------------
/img/final-slide.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/final-slide.png
--------------------------------------------------------------------------------
/img/hands-on.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/hands-on.jpg
--------------------------------------------------------------------------------
/img/header-slide.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/header-slide.png
--------------------------------------------------------------------------------
/img/istio-arch.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/istio-arch.png
--------------------------------------------------------------------------------
/img/kiali-graph.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/kiali-graph.png
--------------------------------------------------------------------------------
/img/kube-dash-screen.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/kube-dash-screen.png
--------------------------------------------------------------------------------
/img/molecules.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/molecules.jpg
--------------------------------------------------------------------------------
/img/playground.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/playground.jpg
--------------------------------------------------------------------------------
/img/purple-3054804.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/purple-3054804.jpg
--------------------------------------------------------------------------------
/img/release-patterns.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/release-patterns.jpg
--------------------------------------------------------------------------------
/img/setup-istio-observability.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/setup-istio-observability.png
--------------------------------------------------------------------------------
/img/setup-istio.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/setup-istio.png
--------------------------------------------------------------------------------
/img/ship.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/ship.jpg
--------------------------------------------------------------------------------
/img/slapper.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/slapper.gif
--------------------------------------------------------------------------------
/img/slapper.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/slapper.png
--------------------------------------------------------------------------------
/img/snail.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/img/snail.jpg
--------------------------------------------------------------------------------
/img/withistio.svg:
--------------------------------------------------------------------------------
1 |
2 |
1378 |
--------------------------------------------------------------------------------
/istio-by-example.code-workspace:
--------------------------------------------------------------------------------
1 | {
2 |   "folders": [
3 |     {
4 |       "path": "."
5 |     }
6 |   ],
7 |   "settings": {}
8 | }
--------------------------------------------------------------------------------
/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/logo.png
--------------------------------------------------------------------------------
/slides/adersberger-istio-by-example-lightning.md:
--------------------------------------------------------------------------------
1 | background-color: 283D8F
2 |
3 | 
4 |
5 | ^ Hey! I'm Josef and this is my talk on Istio - by example!
6 |
7 | ---
8 |
9 | # Why?
10 |
11 | ^
12 | You might ask why another Istio talk...
13 | The answer is...
14 |
15 | ---
16 |
17 | 
18 |
19 | ^
20 | Istio and service meshes are a hype right now
21 | Our job is to ground this hype by providing real-life use cases
22 | So what is Istio in 20 seconds?
23 |
24 | ---
25 |
26 | 
27 |
28 | ^
29 | microservice applications do have a lot of crosscutting concerns to address to be cloud native
30 |
31 | ---
32 | 
33 |
34 | ^
35 | these concerns can be addressed by libraries
36 |
37 | ---
38 | # Library Bloat
39 | 
40 |
41 | ^
42 | but this leads to a library bloat
43 |
44 | ---
45 |
46 | 
47 |
48 | ^
49 | so the idea is to move those concerns from the application side to the infrastructure side
50 |
51 | ---
52 |
53 | 
54 |
55 | ^
56 | and this is where Istio comes up:
57 | It unburdens cloud native applications from addressing crosscutting concerns by themselves.
58 |
59 | ---
60 | # Setting the sails with Istio
61 | 
62 |
63 | ^
64 | now let's dig into Istio - example by example
65 | first task is to set up an Istio mesh
66 |
67 | ---
68 | # Baby step: Install a (local) Kubernetes cluster
69 |
70 | 
71 |
72 | ^
73 | it all begins with a k8s cluster
74 |
75 | ---
76 | # Step 1: Deploy Istio and a Sample Application
77 |
78 | 
79 |
80 | [Video](https://asciinema.org/a/mHs3nesM9oOwOiESleaWwe5Jw)
81 |
82 | ^
83 | then you have to deploy Istio itself and a sample application
84 |
85 | ---
86 | # Step 2: Deploy Istio Observability Stack
87 |
88 | 
89 |
90 | [Video](https://asciinema.org/a/oZMovBrx0TpP2AS7UNTLslI6P)
91 |
92 | ^
93 | along with Istio you have to deploy an Observability stack
94 |
95 | ---
96 | # Stimulate!
97 | ```zsh
98 | wget -P /usr/local/bin https://github.com/adersberger/slapper/releases/download/0.1/slapper
99 | chmod +x /usr/local/bin/slapper
100 | slapper -rate 4 -targets ./target -workers 2 -maxY 15s
101 | ```
102 |
103 | ^
104 | now let's stimulate the sample application and have a look at what we can observe
105 | with this stack in place you're now able to play around with Istio
106 | I'm coming to an end by flipping through the toys you can use
107 |
108 | ---
109 | # Canary Releases: A/B Testing
110 |
111 | ```yaml
112 | apiVersion: config.istio.io/v1alpha2
113 | kind: RouteRule
114 | metadata:
115 |   name: reviews-test-v2
116 | spec:
117 |   destination:
118 |     name: reviews
119 |   precedence: 2
120 |   match:
121 |     request:
122 |       headers:
123 |         cookie:
124 |           regex: "^(.*?;)?(user=jason)(;.*)?$"
125 |   route:
126 |   - labels:
127 |       version: v2
128 | ```
129 | ```zsh
130 | istioctl create -f route-rule-reviews-test-v2.yaml
131 | ```
132 | ---
133 | # Canary Releases: Rolling Upgrade
134 |
135 | ```yaml
136 | apiVersion: config.istio.io/v1alpha2
137 | kind: RouteRule
138 | metadata:
139 |   name: reviews-default
140 | spec:
141 |   destination:
142 |     name: reviews
143 |   precedence: 1
144 |   route:
145 |   - labels:
146 |       version: v1
147 |     weight: 50
148 |   - labels:
149 |       version: v3
150 |     weight: 50
151 | ```
152 | ```zsh
153 | istioctl create -f route-rule-reviews-50-v3.yaml
154 | ```
155 | ---
156 | # Canary Releases: Blue/Green
157 | ```yaml
158 | apiVersion: config.istio.io/v1alpha2
159 | kind: RouteRule
160 | metadata:
161 |   name: reviews-default
162 | spec:
163 |   destination:
164 |     name: reviews
165 |   precedence: 1
166 |   route:
167 |   - labels:
168 |       version: v3
169 |     weight: 100
170 | ```
171 | ```zsh
172 | istioctl replace -f route-rule-reviews-v3.yaml
173 | ```
174 |
175 | ---
176 | # Security: Access Control
177 | ```yaml
178 | apiVersion: "config.istio.io/v1alpha2"
179 | kind: denier
180 | metadata:
181 |   name: denyreviewsv3handler
182 | spec:
183 |   status:
184 |     code: 7
185 |     message: Not allowed
186 | ---
187 | apiVersion: "config.istio.io/v1alpha2"
188 | kind: checknothing
189 | metadata:
190 |   name: denyreviewsv3request
191 | spec:
192 | ---
193 | apiVersion: "config.istio.io/v1alpha2"
194 | kind: rule
195 | metadata:
196 |   name: denyreviewsv3
197 | spec:
198 |   match: source.labels["layer"]=="inner" && destination.labels["layer"] == "outer"
199 |   actions:
200 |   - handler: denyreviewsv3handler.denier
201 |     instances: [ denyreviewsv3request.checknothing ]
202 | ```
203 | ^
204 | https://medium.com/@szihai_37982/how-to-write-istio-mixer-policies-50dc639acf75
205 |
206 | ---
207 |
208 | # Security: Egress
209 | ```yaml
210 | apiVersion: networking.istio.io/v1alpha3
211 | kind: ExternalService
212 | metadata:
213 |   name: google-ext
214 | spec:
215 |   hosts:
216 |   - www.google.com
217 |   ports:
218 |   - number: 443
219 |     name: https
220 |     protocol: http
221 | ---
222 | apiVersion: networking.istio.io/v1alpha3
223 | kind: DestinationRule
224 | metadata:
225 |   name: google-ext
226 | spec:
227 |   name: www.google.com
228 |   trafficPolicy:
229 |     tls:
230 |       mode: SIMPLE # initiates HTTPS when talking to www.google.com
231 | ```
232 |
233 | ---
234 | # Resiliency: Circuit Breaker
235 | ```yaml
236 | apiVersion: networking.istio.io/v1alpha3
237 | kind: DestinationRule
238 | metadata:
239 |   name: httpbin
240 | spec:
241 |   name: httpbin
242 |   trafficPolicy:
243 |     connectionPool:
244 |       tcp:
245 |         maxConnections: 100
246 |       http:
247 |         http1MaxPendingRequests: 1
248 |         maxRequestsPerConnection: 1
249 |     outlierDetection:
250 |       http:
251 |         consecutiveErrors: 1
252 |         interval: 1s
253 |         baseEjectionTime: 3m
254 |         maxEjectionPercent: 100
255 | ```
256 | ---
257 | # Resiliency: Latency Injection
258 | ```yaml
259 | apiVersion: config.istio.io/v1alpha2
260 | kind: RouteRule
261 | metadata:
262 |   name: ratings-delay
263 | spec:
264 |   destination:
265 |     name: reviews
266 |   route:
267 |   - labels:
268 |       version: v1
269 |   httpFault:
270 |     delay:
271 |       percent: 10
272 |       fixedDelay: 5s
273 | ```
274 | ---
275 | # Resiliency: Error Injection
276 | ```yaml
277 | apiVersion: config.istio.io/v1alpha2
278 | kind: RouteRule
279 | metadata:
280 |   name: ratings-abort
281 | spec:
282 |   destination:
283 |     name: ratings
284 |   route:
285 |   - labels:
286 |       version: v1
287 |   httpFault:
288 |     abort:
289 |       percent: 10
290 |       httpStatus: 400
291 | ```
292 | ---
293 |
294 | #https://github.com/adersberger/istio-by-example
295 |
296 | ---
297 | 
--------------------------------------------------------------------------------
/slides/adersberger-istio-by-example.md:
--------------------------------------------------------------------------------
1 | footer: Istio by Example, @adersberger, KubeCon & CloudNativeCon EU 2018
2 | background-color: 283D8F
3 |
4 | 
5 |
6 | [.hide-footer]
7 |
8 | ---
9 |
10 | # Why?
11 |
12 | ---
13 |
14 | 
15 |
16 | ^ because it's the hottest shit on earth
17 |
18 | [.hide-footer]
19 |
20 | ---
21 |
22 | # Atomic Architecture
23 | 
24 |
25 | ---
26 |
27 | 
28 |
29 | [.hide-footer]
30 |
31 | ---
32 | 
33 |
34 | [.hide-footer]
35 | ---
36 | # Library Bloat
37 | 
38 |
39 | [.hide-footer]
40 |
41 | ---
42 |
43 | 
44 |
45 | [.hide-footer]
46 |
47 | ---
48 |
49 | 
50 |
51 | [.hide-footer]
52 |
53 | ---
54 |
55 | 
56 |
57 | [.hide-footer]
58 |
59 | ---
60 |
61 | 
62 |
63 | [.hide-footer]
64 |
65 | ---
66 | #Setting the sails with Istio
67 | 
68 |
69 | ---
70 | Features
71 |
72 |
73 | | Traffic Management | Resiliency | Security | Observability |
74 | | --- | --- | --- | --- |
75 | | Request Routing | Timeouts | mTLS | Metrics |
76 | | Load Balancing | Circuit Breaker | Access Control | Logs |
77 | | Traffic Shifting | Health Checks (active, passive) | Workload Identity | Traces|
78 | | Traffic Mirroring | Retries | RBAC | |
79 | | Service Discovery | Rate Limiting | | |
80 | | Ingress, Egress | Delay & Fault Injection | | |
81 |
82 | ---
83 | 
84 |
85 | ^
86 | * Pilot: Watches services and transforms this information into a canonical platform-agnostic model. The Envoy configuration is then derived from this canonical model. Exposes the Rules API to add traffic management rules (used by istioctl).
87 | * Envoy: Sidecar proxy per microservice that handles ingress/egress traffic
88 | * Mixer: Policy / precondition checks and telemetry. Highly scalable. Envoy caches policy rules and buffers telemetry data locally.
89 | https://istio.io/blog/2017/mixer-spof-myth.html
90 | * Ingress/Egress: Inbound and outbound gateway. Nothing more than a Pod with an Envoy.
91 | * Istio Auth: CA for service-to-service authx and encryption. Certs are delivered as a secret volume mount. Workload identity is provided by SPIFFE.
92 | https://istio.io/docs/concepts/security/mutual-tls.html
93 |
94 | [.hide-footer]
95 |
96 | ---
97 | # Deploy Istio & Sample App
98 |
99 | ```zsh, [.highlight: 1,5,8,10,11]
100 | curl -L https://git.io/getLatestIstio | sh -
101 | cd istio-*
102 | export PATH=$PWD/bin:$PATH
103 | # deploy istio with mTLS enabled by default
104 | kubectl apply -f install/kubernetes/istio-auth.yaml
105 | # ... lengthy copy & paste code to deploy sidecar auto-deployment
106 | # label default namespace to be auto-sidecarred
107 | kubectl label namespace default istio-injection=enabled
108 | # deploy and open sample application
109 | kubectl apply -f samples/bookinfo/kube/bookinfo.yaml
110 | open http://localhost/productpage
111 | ```
112 | ^
113 | kubectl describe ingress
114 |
115 | ---
116 |
117 | # Ingress
118 |
119 | ```yaml
120 | apiVersion: extensions/v1beta1
121 | kind: Ingress
122 | metadata:
123 |   name: gateway
124 |   annotations:
125 |     kubernetes.io/ingress.class: "istio"
126 | spec:
127 |   rules:
128 |   - http:
129 |       paths:
130 |       - path: /productpage
131 |         backend:
132 |           serviceName: productpage
133 |           servicePort: 9080
134 |       - path: /login
135 |         backend:
136 |           serviceName: productpage
137 |           servicePort: 9080
138 |       - path: /logout
139 |         backend:
140 |           serviceName: productpage
141 |           servicePort: 9080
142 |       - path: /api/v1/products.*
143 |         backend:
144 |           serviceName: productpage
145 |           servicePort: 9080
146 | ```
147 | [.hide-footer]
148 |
149 | ---
150 |
151 | # Sample Application: BookInfo[^1]
152 |
153 | 
154 |
155 | [^1]: Istio BookInfo Sample (https://istio.io/docs/guides/bookinfo.html)
156 |
157 | ^
158 | The BookInfo sample application deployed is composed of four microservices:
159 |
160 | 1) The productpage microservice is the homepage, populated using the details and reviews microservices.
161 | 2) The details microservice contains the book information.
162 | 3) The reviews microservice contains the book reviews. It uses the ratings microservice for the star rating. Default: load-balance between versions.
163 | 4) The ratings microservice contains the book rating for a book review.
164 |
165 | The deployment included three versions of the reviews microservice to showcase different behaviour and routing:
166 |
167 | 1) Version v1 doesn’t call the ratings service.
168 | 2) Version v2 calls the ratings service and displays each rating as 1 to 5 black stars.
169 | 3) Version v3 calls the ratings service and displays each rating as 1 to 5 red stars.
170 |
171 | The services communicate over HTTP using DNS for service discovery.
172 |
173 | [.hide-footer]
174 | [.background-color: #898787]
175 |
176 | ---
177 |
178 | # Deploy Observability Add-Ons
179 | ```zsh
180 | #Prometheus
181 | kubectl apply -f istio-*/install/kubernetes/addons/prometheus.yaml
182 | kubectl expose deployment prometheus --name=prometheus-expose \
183 |   --port=9090 --target-port=9090 --type=LoadBalancer -n=istio-system
184 |
185 | #Grafana
186 | kubectl apply -f istio-*/install/kubernetes/addons/grafana.yaml
187 | kubectl expose deployment grafana --name=grafana-expose \
188 |   --port=3000 --target-port=3000 --type=LoadBalancer -n=istio-system
189 |
190 | #Jaeger
191 | kubectl apply -n istio-system -f \
192 | https://raw.githubusercontent.com/jaegertracing/jaeger-kubernetes/\
193 | master/all-in-one/jaeger-all-in-one-template.yml
194 | kubectl expose deployment jaeger-deployment --name=jaeger-expose \
195 |   --port=16686 --target-port=16686 --type=LoadBalancer -n=istio-system
196 |
197 | #EFK
198 | kubectl apply -f logging-stack.yaml
199 | kubectl expose deployment kibana --name=kibana-expose \
200 |   --port=5601 --target-port=5601 --type=LoadBalancer -n=logging
201 | ```
202 | ---
203 |
204 | # Observe Services
205 | ```zsh
206 | # Logs
207 | istioctl create -f fluentd-istio.yaml
208 | # Metrics
209 | istioctl create -f telemetry.yaml
210 | ```
211 | ---
212 |
213 | 
214 |
215 | ^
216 | B. Ibryam and R. Huss, Kubernetes Patterns, https://leanpub.com/k8spatterns
217 |
218 | [.hide-footer]
219 |
220 | ---
221 | # Canary Releases: A/B Testing
222 |
223 | ```yaml
224 | apiVersion: config.istio.io/v1alpha2
225 | kind: RouteRule
226 | metadata:
227 |   name: reviews-test-v2
228 | spec:
229 |   destination:
230 |     name: reviews
231 |   precedence: 2
232 |   match:
233 |     request:
234 |       headers:
235 |         cookie:
236 |           regex: "^(.*?;)?(user=jason)(;.*)?$"
237 |   route:
238 |   - labels:
239 |       version: v2
240 | ```
241 | ```zsh
242 | istioctl create -f route-rule-reviews-test-v2.yaml
243 | ```
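The cookie match in the A/B testing RouteRule above, checked against constructed `Cookie` header values; this is an added example, not code from the slides or from Istio. Python's `re` stands in for the proxy's regex engine, and `TOLERANT_PATTERN` and all function names are assumptions introduced here.

```python
import re

# Pattern copied from the RouteRule on the slide.
SLIDE_PATTERN = r"^(.*?;)?(user=jason)(;.*)?$"

# Hypothetical variant (not from the slides): also accepts the optional
# whitespace that RFC 6265 clients place after each ';' separator.
TOLERANT_PATTERN = r"^(.*;\s*)?user=jason(\s*;.*)?$"

# Constructed Cookie header values, not captured traffic.
SAMPLE_COOKIES = [
    "user=jason",
    "user=jason;theme=dark",
    "theme=dark;user=jason",
    "theme=dark; user=jason",   # browser-style "; " separator
    "user=jason; theme=dark",
    "superuser=jason",          # different cookie name ending in "user"
    "user=jasonx",              # different value starting with "jason"
    "theme=dark",
]


def routes_to_v2(cookie_header, pattern=SLIDE_PATTERN):
    """True if the header value matches the rule's regex as a whole."""
    return re.fullmatch(pattern, cookie_header) is not None


def parse_cookie_header(header):
    """Split a Cookie header into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def is_user_jason(header):
    """Ground truth: does the header really carry the cookie user=jason?"""
    return ("user", "jason") in parse_cookie_header(header)


def disagreements(pattern, cookies=SAMPLE_COOKIES):
    """Headers where the regex decision differs from the parsed cookies."""
    return [c for c in cookies if routes_to_v2(c, pattern) != is_user_jason(c)]


if __name__ == "__main__":
    for cookie in SAMPLE_COOKIES:
        print(f"{cookie!r:28} slide={routes_to_v2(cookie)!s:5} "
              f"tolerant={routes_to_v2(cookie, TOLERANT_PATTERN)!s:5} "
              f"parsed={is_user_jason(cookie)}")
    print("slide pattern disagrees on:", disagreements(SLIDE_PATTERN))
    print("tolerant pattern disagrees on:", disagreements(TOLERANT_PATTERN))
```

The `Cookie` header is supplied by the client, so a match like this selects a test cohort and should not be relied on as an access control.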
244 | ---
245 | # Canary Releases: Rolling Upgrade
246 |
247 | ```yaml
248 | apiVersion: config.istio.io/v1alpha2
249 | kind: RouteRule
250 | metadata:
251 |   name: reviews-default
252 | spec:
253 |   destination:
254 |     name: reviews
255 |   precedence: 1
256 |   route:
257 |   - labels:
258 |       version: v1
259 |     weight: 50
260 |   - labels:
261 |       version: v3
262 |     weight: 50
263 | ```
264 | ```zsh
265 | istioctl create -f route-rule-reviews-50-v3.yaml
266 | ```
267 | ---
268 | # Canary Releases: Blue/Green
269 | ```yaml
270 | apiVersion: config.istio.io/v1alpha2
271 | kind: RouteRule
272 | metadata:
273 |   name: reviews-default
274 | spec:
275 |   destination:
276 |     name: reviews
277 |   precedence: 1
278 |   route:
279 |   - labels:
280 |       version: v3
281 |     weight: 100
282 | ```
283 | ```zsh
284 | istioctl replace -f route-rule-reviews-v3.yaml
285 | ```
286 |
287 | ---
288 | # Security: Access Control
289 | ```yaml
290 | apiVersion: "config.istio.io/v1alpha2"
291 | kind: denier
292 | metadata:
293 |   name: denyreviewsv3handler
294 | spec:
295 |   status:
296 |     code: 7
297 |     message: Not allowed
298 | ---
299 | apiVersion: "config.istio.io/v1alpha2"
300 | kind: checknothing
301 | metadata:
302 |   name: denyreviewsv3request
303 | spec:
304 | ---
305 | apiVersion: "config.istio.io/v1alpha2"
306 | kind: rule
307 | metadata:
308 |   name: denyreviewsv3
309 | spec:
310 |   match: source.labels["layer"]=="inner" && destination.labels["layer"] == "outer"
311 |   actions:
312 |   - handler: denyreviewsv3handler.denier
313 |     instances: [ denyreviewsv3request.checknothing ]
314 | ```
315 | ^
316 | https://medium.com/@szihai_37982/how-to-write-istio-mixer-policies-50dc639acf75
317 |
318 | ---
319 |
320 | # Security: Egress
321 | ```yaml
322 | apiVersion: networking.istio.io/v1alpha3
323 | kind: ExternalService
324 | metadata:
325 |   name: google-ext
326 | spec:
327 |   hosts:
328 |   - www.google.com
329 |   ports:
330 |   - number: 443
331 |     name: https
332 |     protocol: http
333 | ---
334 | apiVersion: networking.istio.io/v1alpha3
335 | kind: DestinationRule
336 | metadata:
337 |   name: google-ext
338 | spec:
339 |   name: www.google.com
340 |   trafficPolicy:
341 |     tls:
342 |       mode: SIMPLE # initiates HTTPS when talking to www.google.com
343 | ```
344 |
345 | ---
346 | # Resiliency: Circuit Breaker
347 | ```yaml
348 | apiVersion: networking.istio.io/v1alpha3
349 | kind: DestinationRule
350 | metadata:
351 |   name: httpbin
352 | spec:
353 |   name: httpbin
354 |   trafficPolicy:
355 |     connectionPool:
356 |       tcp:
357 |         maxConnections: 100
358 |       http:
359 |         http1MaxPendingRequests: 1
360 |         maxRequestsPerConnection: 1
361 |     outlierDetection:
362 |       http:
363 |         consecutiveErrors: 1
364 |         interval: 1s
365 |         baseEjectionTime: 3m
366 |         maxEjectionPercent: 100
367 | ```
368 | ---
369 |
370 | #https://github.com/adersberger/istio-by-example
371 |
372 | ---
373 | 
374 |
375 | [.hide-footer]
376 |
--------------------------------------------------------------------------------
/slides/adersberger-istio-playground.md:
--------------------------------------------------------------------------------
1 | background-color: 283D8F
2 |
3 | # Istio Playground
4 |
5 | 
6 |
7 | @adersberger @qaware
8 |
9 | ^ Istio service mesh is a thrilling new tech that helps get a lot of technical stuff out of your microservices (circuit breaking, observability, mutual-TLS, ...) into the infrastructure - for those who are lazy (aka productive) and want to keep their microservices small. Come one, come all to the Istio playground: (1) we provide a ready-to-use Kubernetes cluster (2) we guide you through the installation of Istio (3) we bring a small Spring Cloud sample application (4) we provide assistance in case you get stuck ... and it's up to you to explore and tinker with Istio on your own paths and at your own pace.
10 |
11 | ---
12 |
13 | # Our network today
14 |
15 | * Optimize first: Switch network off and on again and use 5GHz networking
16 | * Plan A: Local installation
17 | * Plan B: Use GKE clusters
18 | * Plan C: Use Katacoda
19 | * Plan D: Steamworks
20 |
21 | 
22 |
23 | ---
24 | # Workshop Prerequisites
25 |
26 | * Bash
27 | * git Client
28 | * Text editor (like VS Code)
29 |
30 | ---
31 | # Baby Step: Grab the Code
32 |
33 | ```sh
34 | git clone https://github.com/adersberger/istio-playground
35 |
36 | cd istio-playground/code
37 | ```
38 |
39 | ---
40 | # Baby Step: Install a (local) Kubernetes Cluster
41 |
42 | 
43 |
44 | https://www.docker.com/community-edition
45 |
46 | * Preferences: enable Kubernetes
47 | * Preferences: increase resource usage to 3 cores and 8 GB memory
48 |
49 | ^
50 | it all begins with a k8s cluster
51 | For minikube users: minikube addons enable ingress
52 |
53 | ---
54 | # The Ultimate Guide to Fix Strange Kubernetes Behavior
55 |
56 | 
57 |
58 | ---
59 | # Setup Kubernetes Environment
60 | ```sh
61 | # Switch k8s context
62 | kubectl config use-context docker-for-desktop
63 | # Deploy k8s dashboard
64 | kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
65 | # Extract id of default service account token (referred to as TOKENID)
66 | kubectl describe serviceaccount default
67 | # Grab token and insert it into k8s Dashboard UI auth dialog
68 | kubectl describe secret TOKENID
69 | # Start local proxy
70 | kubectl proxy --port=8001 &
71 | # Open k8s Dashboard
72 | open http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
73 | ```
74 |
75 | ^ attention: on some terminals you have to remove blank lines before pasting the token
76 |
77 | ---
78 | # Deploy Istio
79 |
80 | ```zsh
81 | curl -L https://git.io/getLatestIstio | sh -
82 | cd istio-1.0.1
83 | export PATH=$PWD/bin:$PATH
84 | istioctl version
85 |
86 | # deploy Istio
87 | # (demo setting, default deployment is via Helm)
88 | kubectl apply -f install/kubernetes/istio-demo.yaml
89 | kubectl get pods -n istio-system
90 |
91 | # label default namespace to be auto-sidecarred
92 | kubectl label namespace default istio-injection=enabled
93 | kubectl get namespace -L istio-injection
94 | ```
95 | ^ or manual download if no curl command is available
96 | https://github.com/istio/istio/releases.
97 | Hint: Since Istio release 0.8 you can substitute `istioctl` with `kubectl`. We're still using `istioctl` for clarity purposes.
98 |
99 | ---
100 |
101 | # Deploy Sample Application (BookInfo)
102 |
103 | ```zsh
104 | kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
105 | kubectl get pods
106 | istioctl create -f samples/bookinfo/networking/bookinfo-gateway.yaml
107 | istioctl get gateways
108 | open http://localhost/productpage
109 | ```
110 |
111 | ---
112 |
113 | #Hands-on
114 | 
115 |
116 | ---
117 |
118 | # Why?
119 |
120 | ---
121 |
122 | 
123 |
124 | ---
125 |
126 | 
127 |
128 | ^
129 | Istio and service meshes are a hype right now - but this is a sustainable kind of hype, driven by the fact that things are getting easier and less complex.
130 |
131 | ---
132 |
133 | # Atomic Architecture
134 | 
135 |
136 | ---
137 |
138 | 
139 |
140 | ^
141 | microservice applications do have a lot of crosscutting concerns to address to be cloud native
142 |
143 | ---
144 | 
145 |
146 | ^
147 | these concerns can be addressed by libraries
148 |
149 | ---
150 | # Library Bloat
151 | 
152 |
153 | ^
154 | but this leads to a library bloat
155 |
156 | ---
157 |
158 | 
159 |
160 | [.hide-footer]
161 |
162 | ---
163 |
164 | 
165 |
166 | [.hide-footer]
167 |
168 | ---
169 |
170 | 
171 |
172 | ^
173 | so the idea is to move those concerns from the application side to the infrastructure side
174 |
175 | ---
176 |
177 | 
178 |
179 | ^
180 | and this is where Istio comes up:
181 | It unburdens cloud native applications to address crosscutting concerns by themselves. Messaging will be addressed by Knative or NATS.
182 |
183 | ---
184 | #Setting the Sails with Istio 1.0.1
185 | 
186 |
187 | ^
188 | now let's dig into Istio - example by example
189 | first task is to set up an Istio mesh
190 |
191 | ---
192 | 
193 |
194 | ^
195 | * Envoy: Sidecar proxy per microservice that handles inbound/outbound traffic within each Pod. Extended version of Envoy project.
196 | * Gateway: Inbound gateway / ingress. Nothing more than a managed Envoy.
197 | * Mixer: Policy / precondition checks and telemetry. Highly scalable. Envoy caches policy checks within the sidecar (level 1) and within envoy instances (level 2), buffers telemetry data locally and centrally, and can be run in multiple instances. Mixer includes a flexible plugin model.
198 | https://istio.io/blog/2017/mixer-spof-myth.html
199 | * Pilot: Pilot converts high level routing rules that control traffic behavior into Envoy-specific configurations, and propagates them to the sidecars at runtime.
200 | Watches services and transforms this information into a canonical platform-agnostic model (abstracting away from k8s, Nomad, Consul etc). The envoy configuration is then derived from this canonical model. Exposes the Rules API to add traffic management rules.
201 | * Citadel: CA for service-to-service authx and encryption. Certs are delivered as a secret volume mount. Workload identity is provided in SPIFFE format.
202 | https://istio.io/docs/concepts/security/mutual-tls.html
203 |
204 | [.hide-footer]
205 | ---
206 | # Istio Abstractions
207 |
208 | 
209 |
210 | ^ https://istio.io/docs/concepts/traffic-management/
211 |
212 | ---
213 |
214 | # Sample Application: BookInfo[^1]
215 |
216 | 
217 |
218 | [^1]: Istio BookInfo Sample (https://istio.io/docs/examples/bookinfo)
219 |
220 | ^
221 | The BookInfo sample application deployed is composed of four microservices:
222 |
223 | 1) The productpage microservice is the homepage, populated using the details and reviews microservices.
224 | 2) The details microservice contains the book information.
225 | 3) The reviews microservice contains the book reviews. It uses the ratings microservice for the star rating. Default: load-balance between versions.
226 | 4) The ratings microservice contains the book rating for a book review.
227 |
228 | The deployment included three versions of the reviews microservice to showcase different behaviour and routing:
229 |
230 | 1) Version v1 doesn’t call the ratings service.
231 | 2) Version v2 calls the ratings service and displays each rating as 1 to 5 black stars.
232 | 3) Version v3 calls the ratings service and displays each rating as 1 to 5 red stars.
233 |
234 | The services communicate over HTTP using DNS for service discovery.
235 |
236 | Login is allowed with any combination of username and password.
237 |
238 | [.hide-footer]
239 | [.background-color: #898787]
240 |
241 | ---
242 |
243 | 
244 |
245 | ---
246 | # Bookinfo: Gateway
247 | ```yaml
248 | apiVersion: networking.istio.io/v1alpha3
249 | kind: Gateway
250 | metadata:
250 |   name: bookinfo-gateway
251 | spec:
252 |   selector:
253 |     istio: ingressgateway # use istio default controller
254 |   servers:
255 |   - port:
256 |       number: 80
257 |       name: http
258 |       protocol: HTTP
259 |     hosts:
260 |     - "*"
262 | ```
263 |
264 | ---
265 | # Bookinfo: VirtualService
266 | ```yaml
267 | apiVersion: networking.istio.io/v1alpha3
268 | kind: VirtualService
269 | metadata:
269 |   name: bookinfo
270 | spec:
271 |   hosts:
272 |   - "*"
273 |   gateways:
274 |   - bookinfo-gateway
275 |   http:
276 |   - match:
277 |     - uri:
278 |         exact: /productpage
279 |     - uri:
280 |         exact: /login
281 |     - uri:
282 |         exact: /logout
283 |     - uri:
284 |         prefix: /api/v1/products
285 |     route:
286 |     - destination:
287 |         host: productpage
288 |         port:
289 |           number: 9080
291 | ```
292 | ---
293 | # Bookinfo: DestinationRule
294 | ```yaml
295 | apiVersion: networking.istio.io/v1alpha3
296 | kind: DestinationRule
297 | metadata:
297 |   name: productpage
298 | spec:
299 |   host: productpage
300 |   subsets:
301 |   - name: v1
302 |     labels:
303 |       version: v1
305 | ```
306 |
307 | ---
308 | #Hands-on: Have a look around the YAMLs and Dashboard
309 | 
310 |
311 | ---
312 |
313 | # Expose Istio Observability Tools
314 | ```zsh
315 | #Metrics: Prometheus
316 | kubectl expose deployment prometheus --name=prometheus-expose \
317 | --port=9090 --target-port=9090 --type=LoadBalancer -n=istio-system
318 |
319 | #Metrics: Grafana
320 | kubectl expose deployment grafana --name=grafana-expose \
321 | --port=3000 --target-port=3000 --type=LoadBalancer -n=istio-system
322 | open http://localhost:3000/d/1/istio-dashboard
323 |
324 | #Tracing: Jaeger
325 | kubectl expose deployment istio-tracing --name=tracing-expose \
326 | --port=16686 --target-port=16686 --type=LoadBalancer -n=istio-system
327 | open http://localhost:16686
328 |
329 | #Tracing: ServiceGraph
330 | kubectl expose service servicegraph --name=servicegraph-expose \
331 | --port=8088 --target-port=8088 --type=LoadBalancer -n=istio-system
332 | open http://localhost:8088/force/forcegraph.html
333 | open http://localhost:8088/dotviz
334 | ```
335 |
336 | ---
337 |
338 | # Deploy Missing Observability Feature: Log Analysis (EFK)
339 |
340 | ```zsh
341 | cd .. #go to istio-playground/code
342 | kubectl apply -f logging-stack.yaml
343 | kubectl get pods -n=logging
344 | kubectl expose deployment kibana --name=kibana-expose \
345 | --port=5601 --target-port=5601 --type=LoadBalancer -n=logging
346 | istioctl create -f fluentd-istio.yaml
347 | ```
348 |
349 | ^ see https://istio.io/docs/tasks/telemetry/fluentd
350 |
351 | ---
352 |
353 | # Deploy Missing Observability Feature: Log Analysis (EFK)
354 |
355 | ```zsh
356 | open http://localhost:5601/app/kibana
357 | ```
358 |
359 | * Perform some requests to the BookInfo application
360 | * Use `*` as the index pattern
361 | * Select `@timestamp` as the time filter field name
362 |
363 | ---
364 | # fluentd-istio.yaml (1/3)
365 | ```yaml
366 | # Configuration for logentry instances
367 | apiVersion: "config.istio.io/v1alpha2"
368 | kind: logentry
369 | metadata:
370 |   name: newlog
371 |   namespace: istio-system
372 | spec:
373 |   severity: '"info"'
374 |   timestamp: request.time
375 |   variables:
376 |     source: source.labels["app"] | source.service | "unknown"
377 |     user: source.user | "unknown"
378 |     destination: destination.labels["app"] | destination.service | "unknown"
379 |     responseCode: response.code | 0
380 |     responseSize: response.size | 0
381 |     latency: response.duration | "0ms"
382 |   monitored_resource_type: '"UNSPECIFIED"'
383 | ```
384 | ---
385 | # fluentd-istio.yaml (2/3)
386 | ```yaml
387 | # Configuration for a fluentd handler
388 | apiVersion: "config.istio.io/v1alpha2"
389 | kind: fluentd
390 | metadata:
391 |   name: handler
392 |   namespace: istio-system
393 | spec:
394 |   address: "fluentd-es.logging:24224"
395 | ```
396 | ---
397 | # fluentd-istio.yaml (3/3)
398 | ```yaml
399 | # Rule to send logentry instances to the fluentd handler
400 | apiVersion: "config.istio.io/v1alpha2"
401 | kind: rule
402 | metadata:
403 |   name: newlogtofluentd
404 |   namespace: istio-system
405 | spec:
406 |   match: "true" # match for all requests
407 |   actions:
408 |   - handler: handler.fluentd
409 |     instances:
410 |     - newlog.logentry
411 | ```
412 |
413 | ---
414 |
415 | # Stimulate!
416 | ```zsh
417 | slapper -rate 4 -targets ./target -workers 2 -maxY 15s
418 | ```
419 |
420 | Download from: https://github.com/adersberger/slapper/releases/tag/0.1
421 |
422 | ^
423 | now let's stimulate the sample application and have a look at what we can observe
424 | with this stack in place you're now able to play around with Istio
425 | I'm coming to an end by flipping through the toys you can use. Key bindings:
426 | q, ctrl-c - quit
427 | r - reset stats
428 | k - increase rate by 100 RPS
429 | j - decrease rate by 100 RPS
430 |
431 | ---
432 | # Slapper[^2] in action
433 | 
434 |
435 | [^2]: Key bindings:
436 | q, ctrl-c - quit
437 | r - reset stats
438 | k - increase rate by 100 RPS
439 | j - decrease rate by 100 RPS
440 |
441 | ---
442 | #Hands-on
443 | 
444 |
445 | ---
446 | # Observability Outlook: Kiali
447 |
448 | 
449 |
450 | ---
451 | # Observability Outlook: Kiali (macOS setup)
452 | ```zsh
453 | brew install gettext
454 | brew link --force gettext
455 | # follow k8s setup guide: https://www.kiali.io/gettingstarted
456 | kubectl expose deployment kiali --name=kiali-expose \
457 | --port=20001 --target-port=20001 --type=LoadBalancer -n=istio-system
458 | open http://localhost:20001
459 | # login with admin/admin
460 | ```
461 | ---
462 | # Release Patterns
463 |
464 | 
465 |
466 | ^
467 | B. Ibryam and R. Huss, Kubernetes Patterns, https://leanpub.com/k8spatterns
468 | (1) Blue/Green: Two deployments in parallel for fast rollbacks. Switch traffic to new version but undeploy old version later when you are confident that the new version works.
469 | (2) Rolling Upgrades: Gradually shifting traffic from one version to another version
470 | (3) Canary Releases: First perform an A/B test between the old and the new version. If this is successful perform a rolling upgrade ending with a blue/green deployment. (champions league of deployment patterns)
471 |
472 |
473 | [.hide-footer]
474 |
475 | ---
476 |
477 | # Sample Application Recap
478 |
479 | 
480 |
481 | ---
482 | # Sample Destination Rule
483 |
484 | ```yaml
485 | apiVersion: networking.istio.io/v1alpha3
486 | kind: DestinationRule
487 | metadata:
488 |   name: reviews
489 | spec:
490 |   host: reviews
491 |   subsets:
492 |   - name: v1
493 |     labels:
494 |       version: v1
495 |   - name: v2
496 |     labels:
497 |       version: v2
498 |   - name: v3
499 |     labels:
500 |       version: v3
501 | ```
502 |
503 | ---
504 | # Canary Releases: A/B Testing
505 |
506 | ```yaml
507 | apiVersion: networking.istio.io/v1alpha3
508 | kind: VirtualService
509 | metadata:
510 |   name: reviews
511 | spec:
512 |   hosts:
513 |   - reviews
514 |   http:
515 |   - match:
516 |     - headers:
517 |         end-user:
518 |           exact: jason
519 |     route:
520 |     - destination:
521 |         host: reviews
522 |         subset: v2
523 |   - route:
524 |     - destination:
525 |         host: reviews
526 |         subset: v1
527 | ```
528 | ^
529 | Send all traffic for the user "jason" to the reviews:v2, meaning they'll only see the black stars.
530 | Difference to Kubernetes: Istio is on Service-level, Kubernetes more on Pod-level
531 |
532 | ---
533 | # Canary Releases: A/B Testing
534 |
535 | ```zsh
536 |
537 | cd istio-1.0.1
538 |
539 | istioctl create -f samples/bookinfo/networking/virtual-service-all-v1.yaml
540 |
541 | istioctl create -f samples/bookinfo/networking/destination-rule-all.yaml
542 |
543 | istioctl replace -f samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
544 |
545 | #open BookInfo application and login as user jason (password jason)
546 | open http://localhost/productpage
547 | ```
548 |
549 | * login as "jason" / "jason" leads to v2 (black stars)
550 | * anonymous user leads to v1 (no stars)
551 |
552 | ---
553 | # Canary Releases: Rolling Upgrade
554 |
555 | ```yaml
556 | apiVersion: networking.istio.io/v1alpha3
557 | kind: VirtualService
558 | metadata:
558 |   name: reviews
559 | spec:
560 |   hosts:
561 |   - reviews
562 |   http:
563 |   - route:
564 |     - destination:
565 |         host: reviews
566 |         subset: v1
567 |       weight: 50
568 |     - destination:
569 |         host: reviews
570 |         subset: v3
571 |       weight: 50
573 | ```
574 | ```zsh
575 | istioctl replace -f samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
576 | ```
577 | ^
578 | The rule above ensures that 50% of the traffic goes to reviews:v1 (no stars) and 50% to reviews:v3 (red stars).
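A simplified model of how the A/B testing and rolling upgrade VirtualServices above pick a `reviews` subset: `http` rules are tried in order, the first match wins, and weights split traffic inside the winning rule. This is an added example, not Istio or Envoy code; the function names and the Python encoding of the YAML are assumptions.

```python
import random

# The "http" sections of the two VirtualServices from the slides, as Python data.
AB_TEST_ROUTES = [
    {"match": [{"headers": {"end-user": {"exact": "jason"}}}],
     "route": [{"destination": {"host": "reviews", "subset": "v2"}}]},
    {"route": [{"destination": {"host": "reviews", "subset": "v1"}}]},
]
ROLLING_ROUTES = [
    {"route": [
        {"destination": {"host": "reviews", "subset": "v1"}, "weight": 50},
        {"destination": {"host": "reviews", "subset": "v3"}, "weight": 50},
    ]},
]


def headers_match(conditions, headers):
    """Every header condition in one match block must hold (logical AND)."""
    for name, cond in conditions.items():
        value = headers.get(name.lower())
        if value is None:
            return False
        if "exact" in cond and value != cond["exact"]:
            return False
        if "prefix" in cond and not value.startswith(cond["prefix"]):
            return False
    return True


def rule_matches(rule, headers):
    """A rule without 'match' is a catch-all; match blocks are OR-ed."""
    blocks = rule.get("match")
    if not blocks:
        return True
    return any(headers_match(b.get("headers", {}), headers) for b in blocks)


def pick_subset(http_routes, headers, rng):
    """Return the subset chosen for one request, or None if no rule matches."""
    headers = {k.lower(): v for k, v in headers.items()}
    for rule in http_routes:
        if not rule_matches(rule, headers):
            continue
        dests = rule["route"]
        # A single destination without a weight receives all traffic.
        weights = [d.get("weight", 100 if len(dests) == 1 else 0) for d in dests]
        if sum(weights) <= 0:
            raise ValueError("destination weights must sum to more than zero")
        chosen = rng.choices(dests, weights=weights, k=1)[0]
        return chosen["destination"]["subset"]
    return None


def distribution(http_routes, headers, n, seed=0):
    """Count chosen subsets over n simulated requests (seeded, repeatable)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        subset = pick_subset(http_routes, headers, rng)
        counts[subset] = counts.get(subset, 0) + 1
    return counts


if __name__ == "__main__":
    rng = random.Random(0)
    print("jason     ->", pick_subset(AB_TEST_ROUTES, {"end-user": "jason"}, rng))
    print("anonymous ->", pick_subset(AB_TEST_ROUTES, {}, rng))
    # Swapping the rule order puts the catch-all first and hides the A/B rule.
    swapped = list(reversed(AB_TEST_ROUTES))
    print("jason, catch-all first ->", pick_subset(swapped, {"end-user": "jason"}, rng))
    print("50/50 split over 10000 requests:", distribution(ROLLING_ROUTES, {}, 10000))
```

Rule order is part of the policy here: with the catch-all rule listed first, the `end-user: jason` rule is never reached.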
579 |
580 | ---
581 | # Canary Releases: Blue/Green
582 | ```yaml
583 | apiVersion: networking.istio.io/v1alpha3
584 | kind: VirtualService
585 | metadata:
585 |   name: reviews
586 | spec:
587 |   hosts:
588 |   - reviews
589 |   http:
590 |   - route:
591 |     - destination:
592 |         host: reviews
593 |         subset: v3
595 | ```
596 | ```zsh
597 | istioctl replace -f samples/bookinfo/networking/virtual-service-reviews-v3.yaml
598 | istioctl get virtualservices
599 | ```
600 | ---
601 | #Hands-on
602 | 
603 |
604 | ---
605 | Time to Play!
606 |
607 |
608 | | Traffic Management | Resiliency | Security | Observability |
609 | | --- | --- | --- | --- |
610 | | Request Routing | Timeouts | mTLS | Metrics |
611 | | Load Balancing | Circuit Breaker | Role-Based Access Control | Logs |
612 | | Traffic Shifting | Health Checks (active, passive) | Workload Identity | Traces|
613 | | Traffic Mirroring | Retries | Authentication Policies | |
614 | | Service Discovery | Rate Limiting | CORS Handling | |
615 | | Ingress, Egress | Delay & Fault Injection | TLS Termination, SNI | |
616 | | API Specification | Connection Pooling | | |
617 | | Multicluster Mesh | | | |
618 |
619 | https://istio.io/docs/tasks
620 | https://istio.io/about/feature-stages
621 |
622 | ---
623 | #Hands-on
624 | 
625 |
626 | ---
627 |
628 | 
629 |
630 | ---
631 | #FAQ
632 |
633 | *Q: How does the Envoy proxy intercept requests?*
634 | A: With iptables rules (all rules pointing to Envoy)
635 | *Q: How does the auto-sidecar magic work?*
636 | A: With an Istio admission controller enhancing the deployments
637 | *Q: How can I list all Istio custom resource definitions and commands?*
638 | A: `kubectl api-resources`
639 | *Q: I can't see any metrics, logs, traces. What should I do?*
640 | A: Restart `istio-telemetry` Deployment or `kubectl replace -f fluentd-istio.yaml`
--------------------------------------------------------------------------------
/slides/adersberger-istio-playground.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adersberger/istio-playground/1b923db3f57901c3fdd7a1d77babbeae8f1e6612/slides/adersberger-istio-playground.pdf
--------------------------------------------------------------------------------