Mastering Service Mesh: Enhance, secure, and observe cloud-native applications with Istio, Linkerd, and Consul 1789615798, 9781789615791

Understand how to use service mesh architecture to efficiently manage and safeguard microservices-based applications wit


Language: English. Pages: 626. Year: 2020.



Table of contents:
Cover
Title Page
Copyright and Credits
About Packt
Foreword
Contributors
Table of Contents
Preface
Section 1: Cloud-Native Application Management
Chapter 1: Monolithic Versus Microservices
Early computer machines
Hardware virtualization
Software virtualization
Container orchestration
Monolithic applications
Brief history of SOA and ESB
API Gateway
Drawbacks of monolithic applications
Microservices applications
Early pioneers
What is a microservice?
Evolution of microservices
Microservices architecture
Benefits and drawbacks of microservices
Future of microservices
Summary
Questions
Further reading
Chapter 2: Cloud-Native Applications
An introduction to CNAs
Container runtime
Container orchestration platforms
Cloud-native infrastructure
Summary
Questions
Further reading
Section 2: Architecture
Chapter 3: Service Mesh Architecture
Service mesh overview
Who owns the service mesh?
Basic and advanced service mesh capabilities
Emerging trends
Shifting Dev responsibilities to Ops
Service mesh rules
Observability
Routing
Automatic scaling
Separation of duties
Trust
Automatic service registration and discovery
Resiliency
Service mesh architecture
Summary
Questions
Further reading
Chapter 4: Service Mesh Providers
Introducing service mesh providers
Istio
Linkerd
Consul
Other providers
A quick comparison
Support services
Summary
Questions
Further reading
Chapter 5: Service Mesh Interface and SPIFFE
SMI
SMI specifications
SPIFFE
Summary
Questions
Further reading
Section 3: Building a Kubernetes Environment
Chapter 6: Building Your Own Kubernetes Environment
Technical requirements
Downloading your base VM
Building an environment for Windows
Downloading our virtualization software
Setting the network address
Performing finalization checks
Building an environment for macOS
Downloading our virtualization software
Setting the network address
Performing finalization checks
Performing prerequisite tasks
Building Kubernetes using one VM
Installing Kubernetes
Running kubeadm
Configuring kubectl
Installing the Calico network for pods
Creating an admin account
Installing kubectl on client machines
Performing finalization checks
Installing Helm and Tiller
Installing without security
Installing with Transport Layer Security (TLS)
Installing the Kubernetes dashboard
Running the Kubernetes dashboard
Get an authentication token
Exploring the Kubernetes dashboard
Additional steps
Installing the Metrics Server
Installing VMware Octant
Installing Prometheus and Grafana
Uninstalling Kubernetes and Docker
Powering the VM up and down
Summary
Questions
Further reading
Section 4: Learning about Istio through Examples
Chapter 7: Understanding the Istio Service Mesh
Technical requirements
Introducing the Istio service mesh
Istio's architecture
Control plane
Galley
Pilot
Service discovery
Traffic management
Gateway
Virtual service
Routing rules
Fault injection
Abort rules
Service entry
Destination rule
Load balancing
Circuit breaker
Blue/green deployment
Canary deployment
Namespace isolation
Mixer
Configuration of Mixer
Attributes
Handlers
Rules
Citadel
Certificate and key rotation
Authentication
Strong identity
RBAC for a strong identity
Authorization
Enabling mTLS to secure service communication
Secure N-to-N mapping of services
Policies
Implementing authentication
Implementing authorization
Data plane
Sidecar proxy
Istio's Envoy sidecar proxy
What is Envoy?
Envoy architecture
Deployment
Observability
Summary
Questions
Further reading
Chapter 8: Installing a Demo Application
Technical requirements
Exploring Istio's BookInfo application
BookInfo application architecture
Deploying the Bookinfo application in Kubernetes
Enabling a DNS search for Kubernetes services in a VM
Understanding the BookInfo application
Exploring the BookInfo application in a Kubernetes environment
Summary
Questions
Further reading
Chapter 9: Installing Istio
Technical requirements
Getting ready
Performing pre-installation tasks
Downloading the source code
Validating the environment before installation
Choosing an installation profile
Installing Istio
Installing Istio using the helm template
Installing Istio using Helm and Tiller
Installing Istio using a demo profile
Verifying our installation
Installing a load balancer
Enabling Istio
Enabling Istio for an existing application
Enabling Istio for new applications
Setting up horizontal pod scaling
Summary
Questions
Further reading
Chapter 10: Exploring Istio Traffic Management Capabilities
Technical requirements
Traffic management
Creating an Istio gateway
Finding the Ingress gateway IP address
Creating a virtual service
Running using pod's transient IP address
Running using a service IP address
Running using Node Port
Creating a destination rule
Traffic shifting
Identity-based traffic routing
Canary deployments
Fault injection
Injecting HTTP delay faults
Injecting HTTP abort faults
Request timeouts
Circuit breaker
Managing traffic
Managing Ingress traffic patterns
Managing Egress traffic patterns
Blocking access to external services
Allowing access to external services
Routing rules for external services
Traffic mirroring
Cleaning up
Summary
Questions
Further reading
Chapter 11: Exploring Istio Security Features
Technical requirements
Overview of Istio's security
Authentication
Testing the httpbin service
Generating keys and certificates
Installing the step CLI
Generating private key, server, and root certificates
Mapping IP addresses to hostname
Configuring an Ingress gateway using SDS
Creating secrets using key and certificate
Enabling httpbin for simple TLS
Enabling bookinfo for simple TLS
Rotating virtual service keys and certificates
Enabling an Ingress gateway for httpbin using mutual TLS
Verifying the TLS configuration
Node agent to rotate certificates and keys for services
Enabling mutual TLS within the mesh
Converting into strict mutual TLS
Redefining destination rules
Enabling mTLS at the namespace level
Verifying the TLS configuration
Authorization
Namespace-level authorization
Service-level authorization at the individual level
Service-level authorization for databases
Advanced capabilities
Summary
Questions
Further reading
Chapter 12: Enabling Istio Policy Controls
Technical requirements
Introduction to policy controls
Enabling rate limits
Defining quota and assigning to services
Defining rate limits
Defining quota rules
Controlling access to a service
Denying access
Creating attribute-based white/blacklists
Creating an IP-based white/blacklist
Summary
Questions
Further reading
Chapter 13: Exploring Istio Telemetry Features
Technical requirements
Telemetry and observability
Configuring UI access
Collecting built-in metrics
Collecting new metrics
Database metrics
Distributed tracing
Trace sampling
Tracing backends
Adapters for the backend
Exploring Prometheus
Sidecar proxy metrics
Prometheus query
Prometheus target collection health
Prometheus configuration
Visualizing metrics through Grafana
Service mesh observability through Kiali
Tracing with Jaeger
Cleaning up
Summary
Questions
Further reading
Section 5: Learning about Linkerd through Examples
Chapter 14: Understanding the Linkerd Service Mesh
Technical requirements
Introducing the Linkerd Service Mesh
Linkerd architecture
Control plane
Using the command-line interface (CLI)
Data plane
Linkerd proxy
Architecture
Configuring a service
Ingress controller
Observability
Grafana and Prometheus
Distributed tracing
Exporting metrics
Injecting the debugging sidecar
Reliability
Traffic split
Fault injection
Service profiles
Retries and timeouts
Load balancing
Protocols and the TCP proxy
Security
Automatic mTLS
Summary
Questions
Further reading
Chapter 15: Installing Linkerd
Technical requirements
Installing the Linkerd CLI
Installing Linkerd
Validating the prerequisites
Installing the Linkerd control plane
Separating roles and responsibilities
Cluster administrator
Application administrator
Ingress gateway
Accessing the Linkerd dashboard
Deploying the Linkerd demo emoji app
Installing a demo application
Deploying the booksapp application
Summary
Questions
Further reading
Chapter 16: Exploring the Reliability Features of Linkerd
Technical requirements
Overview of the reliability of Linkerd
Configuring load balancing
Setting up a service profile
Retrying failed transactions
Retry budgets
Implementing timeouts
Troubleshooting error code
Summary
Questions
Further reading
Chapter 17: Exploring the Security Features of Linkerd
Technical requirements
Setting up mTLS on Linkerd
Validating mTLS on Linkerd
Using trusted certificates for the control plane
Installing step certificates
Creating step root and intermediate certificates
Redeploying control plane using certificates
Regenerating and rotating identity certificates for microservices
Securing the ingress gateway
TLS termination
Testing the application in the browser
Testing the application through curl
Summary
Questions
Further reading
Chapter 18: Exploring the Observability Features of Linkerd
Technical requirements
Gaining insight into the service mesh
Insights using CLI
Insight using Prometheus
Insights using Grafana
External Prometheus integration
Cleaning up
Summary
Questions
Further reading
Section 6: Learning about Consul through Examples
Chapter 19: Understanding the Consul Service Mesh
Technical requirements
Introducing the Consul service mesh
The Consul architecture
Data center
Client/server
Protocols
RAFT
Consensus protocol
Gossip protocol
Consul's control and data planes
Configuring agents
Service discovery and definitions
Consul integration
Monitoring and visualization
Telegraf
Grafana
Traffic management
Service defaults
Traffic routing
Traffic split
Mesh gateway
Summary
Questions
Further reading
Chapter 20: Installing Consul
Technical requirements
Installing Consul in a VM
Installing Consul in Kubernetes
Creating persistent volumes
Downloading the Consul Helm chart
Installing Consul
Connecting Consul DNS to Kubernetes
Consul server in a VM
Summary
Questions
Further reading
Chapter 21: Exploring the Service Discovery Features of Consul
Technical requirements
Installing a Consul demo application
Defining Ingress for the Consul dashboard
Service discovery
Using the Consul web console
Implementing mutual TLS
Exploring intentions
Exploring the Consul key-value store
Securing Consul services with ACL
Monitoring and metrics
Registering an external service
Summary
Questions
Further reading
Chapter 22: Exploring Traffic Management in Consul
Technical requirements
Overview of traffic management in Consul
Implementing L7 configuration
Deploying a demo application
Traffic management in Consul
Directing traffic to a default subset
Canary deployment
Round-robin traffic
Shifting traffic permanently
Path-based traffic routing
Checking Consul services
Mesh gateway
Summary
Questions
Further reading
Assessment
Other Books You May Enjoy
Index
