由於 Open-Match 在 service 與 service 之間，是建議使用 gRPC 進行連線的，但在 kubernetes pods 上使用 gRPC 時，並沒有辦法自動地進行負載平衡，建立好的連線無法在各個 pods 之前切換，這時我們可以利用 Istio service mesh，來幫助我們達成目標，特別是當我們的 MMF, Director & Frontend，需要能有負載平衡的與核心溝通時。今天讓我們簡單的看一下 Istio 的概觀，與最最基本的使用方法，想有更多瞭解可以參考這篇 淺談 Istio。

What is Istio

Istio is an open source service mesh that layers transparently onto existing distributed applications.

Istio 是因應微服務後，產生的網路層溝通問題，而發展出的 service mesh 架構，會在服務與服務之間進行 proxy，並且有助於服務發現與降低服務依賴。以下為 Istio 所提供的主要特性：

• 自動在 HTTP, gRPC, WebSocket, 與 TCP 連線時進行 load balance
• 可彈性地調整連線的 routing rules, re-try 次數限制, 呼叫頻率限制, 錯誤轉導等
• 提供像是快速插拔的設定 API，完成配置的熱更新
• 完整追蹤 cluster 的資訊流動，並提供 metrics logs 用於狀況查詢與分析
• 自動提供 service-to-service 安全憑證溝通方式

Download Istio cli tool

官方有提供快速安裝工具 istioctl，以工具安裝的話，可以省去針對 istio 設定的問題，裏面有一些預設好的參數，方便初學者與輕度使用者使用。

~ curl -L https://istio.io/downloadIstio | sh - /
cd istio-1.11.3 /
export PATH=$PWD/bin:$PATH

確認工具有加到 PATH

~ istioctl -h

Istio configuration command line utility for service operators to
debug and diagnose their Istio mesh.

Usage:
  istioctl [command]

Available Commands:
  admin          Manage control plane (istiod) configuration
  analyze        Analyze Istio configuration and print validation messages
  authz          (authz is experimental. Use `istioctl experimental authz`)
  bug-report     Cluster information and log capture support tool.
  completion     generate the autocompletion script for the specified shell
  dashboard      Access to Istio web UIs
  experimental   Experimental commands that may be modified or deprecated
  help           Help about any command
  install        Applies an Istio manifest, installing or reconfiguring Istio on a cluster.
  kube-inject    Inject Istio sidecar into Kubernetes pod resources
  manifest       Commands related to Istio manifests
  operator       Commands related to Istio operator controller.
  profile        Commands related to Istio configuration profiles
  proxy-config   Retrieve information about proxy configuration from Envoy [kube only]
  proxy-status   Retrieves the synchronization status of each Envoy in the mesh [kube only]
  tag            Command group used to interact with revision tags
  upgrade        Upgrade Istio control plane in-place
  validate       Validate Istio policy and rules files
  verify-install Verifies Istio Installation Status
  version        Prints out build version information

Install

~ istioctl install --set profile=demo

This will install the Istio 1.11.3 demo profile with ["Istio core" "Istiod" "Ingress gateways" "Egress gateways"] components into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete

Label

針對 namespace 啟用 istio-injection

~ kubectl label namespace default istio-injection=enabled

namespace/default labeled

Test deploy

部署個 redis

~ helm repo add bitnami https://charts.bitnami.com/bitnami /
helm install helm-redis bitnami/redis

NAME: helm-redis
LAST DEPLOYED: Sat Sep 25 23:20:41 2021
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None

check injection

~ kubectl get pods

NAME                    READY   STATUS    RESTARTS   AGE
helm-redis-master-0     2/2     Running   0          3m6s
helm-redis-replicas-0   2/2     Running   0          3m6s
helm-redis-replicas-1   2/2     Running   0          2m30s
helm-redis-replicas-2   2/2     Running   0          2m5s

istio-proxy

~ kubectl get pods helm-redis-master-0 -o jsonpath='{.spec.containers[*].name}'

redis istio-proxy

可以看到在我們完成部署後，原先 Pods 內的 containers 從 1/1 變成 2/2，這個多出來的 container 便是 Istio proxy container，負責跟 Istio Control Plane 進行溝通，完成服務發現、health check、 load balance 等工作。