This is part one of a three-part series where we will dive into the Istio service mesh. Throughout these tutorials, we’ll take a look at the most common use cases for service mesh and how you can implement them using Istio.

Before we dive into Istio, it’s vital to take a step back and understand the background to service mesh, and why it is important.

An introduction to service mesh

In recent years, the adoption of service mesh technology has seen a remarkable surge in the realm of microservices architecture. This innovative approach to managing communication between microservices has gained significant traction for its ability to enhance reliability, observability, and security within complex distributed systems.

According to a survey by the Cloud Native Computing Foundation (CNCF), 70% of respondents are already leveraging the power of a service mesh, while another 16% are in the evaluation stage. The rising adoption of service mesh solutions underscores their growing importance in the world of microservices.

These statistics highlight the widespread recognition of service mesh solutions as indispensable tools in the modern microservices landscape.

At its core, a service mesh serves as a dedicated layer of infrastructure. Think of it as a specialized network that sits between individual services, managing the communication between them. Its primary purpose is to enhance reliability, observability, and security in a distributed system. It also facilitates features such as circuit breaking, retries, and timeouts, which are crucial for maintaining system resilience.

Why do we need service mesh?

The need for a service mesh arises from the inherent complexities of managing microservices at scale. As applications grow in size and complexity, so do the challenges associated with service-to-service communication. A service mesh helps to address these challenges by providing a standardized way to handle tasks like load balancing, service discovery, and fault tolerance, relieving developers from reinventing these wheels for each service.

What are the components of service mesh?

Within a service mesh, there are two major components: the data plane and the control plane. Let’s take a closer look at these components and how they work together:

Data Plane

The data plane is where the communication between services occurs. It consists of a set of lightweight, sidecar proxies (such as Envoy) that are deployed alongside each service.

These proxies intercept and manage traffic, ensuring it adheres to the policies set by the control plane. More recently, Istio has made efforts to remove the sidecar proxy with the goal of reducing the overhead some mesh users face. This has led to the development of the Ambient Mesh, a new mode of operation for Isito that replaces the need for a sidecar proxy.

Control Plane

The control plane component is responsible for configuring and managing the proxies in the data plane. It includes components such as the central controller and the service registry. The central controller is responsible for enforcing policies and making dynamic routing

Istio Architecture

Source: Istio Architecture

An introduction to Istio

Istio is a widely adopted open-source service mesh platform that provides a comprehensive solution for managing microservices in modern applications. At the time of writing this tutorial, Istio just completed its Cloud Native Computing Foundation graduation. Graduated projects are considered stable and are used successfully in production environments.

Offering a robust set of features, Istio incorporates a data plane, which includes sidecar proxies that intercept and manage traffic between services using Envoy, and a control plane responsible for configuring and orchestrating these proxies. Istio excels in security, implementing features like mutual TLS encryption and fine-grained access control. It also offers powerful observability tools, including distributed tracing and metrics gathering, which are crucial for monitoring and troubleshooting.

Prerequisites

This tutorial assumes some familiarity with Kubernetes; experience with Istio is not required. Additionally, you would need the following installed:

Installing Istio on Kubernetes

For the purpose of this demonstration, we will be installing Istio using Isitio CLI, however, Istio can be installed directly from the Civo marketplace.

Creating a cluster

We’ll begin by creating a Kubernetes cluster.

For simplicity, we will be doing it from the CLI:

civo k3s create --create-firewall --nodes 2 -m --save --switch --wait istio-playground -r=Traefik

Using the -r flag, I removed the default ingress controller (Traefik) as we will be using the Istio ingress gateway to expose applications, this to ensure that Traefik does not interfere with Istio’s ingress gateway.

Using the -m flag tells the Civo command line to merge the kubeconfig for the cluster with our existing kube-config

Installing Istio

Installing Istio is straightforward, using istioctl, within your terminal. Run the following command to get Istio installed:

istioctl install 

We can verify the installation by running:

istioctl verify-install

If configured correctly, you should see the following as the final output:

Checked 15 custom resource definitions
Checked 2 Istio Deployments
✔ Istio is installed and verified successfully

Onboarding applications into the Mesh

Now we have Istio up and running, let’s deploy a sample application. In your editor of choice create a file called deployment.yaml and add the following code:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          ports:
            - containerPort: 80

Save the file, and in your terminal, apply the deployment to the cluster:

kubectl apply -f deployment.yaml

Verify the deployment:

kubectl get deploy/whoami

NAME     READY   UP-TO-DATE   AVAILABLE   AGE
whoami   1/1     1            1           89s

We should now have one replica of the whoami deployment.

Integrating the Istio sidecar proxy

The Istio sidecar intercepts and forwards requests to applications. This pattern allows applications to benefit from Istio's advanced features without requiring any code changes within the application itself.

To inject the sidecar, run the following command:

kubectl get deploy/whoami -o yaml | istioctl kube-inject -f - | kubectl apply -f -

In a couple of seconds, the deployment should be updated, and you should have containers within the whoami pod.

NAME                     READY   STATUS    RESTARTS   AGE
whoami-66c7668d9-g7vdk   2/2     Running   0          5m36s

Visualizing the Mesh

While we can verify the sidecar has been injected by looking for an increment in the number of containers within the whoami pod, this isn’t ideal for managing multiple services. As we onboard more applications into the mesh, we’d need a way to view what applications exist and possibly a map that shows service interactions.

Thankfully, Istio ships with a control dashboard called Kiali. This isn’t included in the default installation, so this next section will explore how to install it.

Start by using this command:

kubectl apply -f 
<https://raw.githubusercontent.com/istio/istio/release-1.19/samples/addons/kiali.yaml>

We would also require the Prometheus add-on, which would enable Istio to collect metrics from applications within the mesh. To do this, use:

kubectl apply -f 
<https://raw.githubusercontent.com/istio/istio/release-1.19/samples/addons/prometheus.yaml>
Note: In this tutorial, we are using version 1.19 of the Prometheus and Kiali add-ons. To get the latest version of Kiali, take a look at this section of the Istio docs. Or, look here for the latest version of the Prometheus add-ons.

With Kiali installed, run the following command to open the dashboard locally:

istioctl dashboard kiali

This should open up the dashboard in your default browser.

Click on the sidebar and navigate to the “applications” section. You should see something like this:

Visualizing the Service Mesh

Troubleshooting Istio Install

Encountering issues? Here are some common problems and their solutions:

  • Issue: Error message when running istioctl install.
    • Solution: Verify that istioctl is properly installed, and ensure its version matches the Istio version you're trying to install.
  • Issue: Kiali dashboard not displaying services.
    • Solution: Confirm that the Prometheus add-on is correctly installed and collecting metrics.

Remember, if your specific issue isn't listed here, it's always a good idea to consult the official documentation or forums.

Cleaning up

In the next part of the series, we will be deploying a fresh set of services, so let’s remove this deployment. To do this, use the command:

kubectl delete deployment/whoami

Summary

In part one of our Istio service mesh series, we explored the essential role of service meshes in modern microservices architectures. From this, we were able to look into how Istio, in particular, bolsters reliability, observability, and security across distributed systems. Shifting from theory to application, we set up Istio on a Kubernetes cluster, integrated an application, and delved into visualization with tools like Kiali.

Check out part 2 of this series to learn more about traffic management using Istio: Traffic Management with Istio.

If you are interested in learning more about security, check out the final part of this series: Istio Security Essentials: Authorization, Headers, and mTLS.

Further resources

To keep learning about the basis of Istio, here are some great resources to check out: