solo.io Istio 1.7, 21 Aug 2020

Previous Meeting

Next Meeting

⏯

youtube image

►

From YouTube: Istio 1.7 improved VM support part 1

Description

A service mesh is only as valuable as the number of workloads it manages! In this video we see how to extend the service mesh to include VM based workloads and how Istio 1.7 brings new capabilities for bootstrapping identity and making the VM services a first-class citizen in the service mesh.

A

Thanks for stopping by our youtube channel, this is christian posta from solo.io and in this quick video we're going to take a look at some of the support for vms based vm based services in istio.

A

Specifically, some of the functionality that's coming out in istio 1.7, which we can see is almost out it'll, it'll it'll come out very shortly, but it's also based on enhancements that came in istio 1.6.

A

So if we come back here and look at the release announcement for 1.6, we can see that there was this workload entry resource that was that was added and this workload. Entry resource allows us to capture the details about a specific vm and treat it as a first-class citizen with the rest of the services in the mesh that might run in kubernetes.

A

So we're going to build on that and what we're going to look at specifically is the bootstrapping process of getting the istio sidecar running on a vm and using some of the new features in istio 1.7. Specifically, here's the release, notes before it's actually published here, how we can bootstrap the identity of the vm from a service account that runs inside of kubernetes.

A

So we can use this token. It's a short-lived token, give it to the sidecar basically and you let it connect up to the istio control plane and use that identity that comes from a service account in kubernetes to ultimately get issued its certificates and and connect up to the rest of the service mesh.

A

So when the docs are released again when windows 7 is coming out, it's very very shortly.

A

We will have a page that looks like this and that will walk you through these different steps, and so what I'm going to demo to you is um based on the the steps that we see here so so, for example, here we're getting the token from that server for that service account we're grabbing the root ca for sdod and and setting up the rest of it. So let's go ahead and take a look at our demo here.

A

First thing: we're going to show is our kubernetes cluster, so we do have sdo 1.7 running here. In our kubernetes cluster, we also have services that are injected with the istio sidecar running in the default namespace here so part of the demo. Getting this, the vm functionality in place is to connect up to a vm which we'll do here running in gke and start to go through the steps that were outlined in that dock, and actually we have a tmux session here right, yeah, all right, so this is our vm.

A

Now what we're going to do is in this demo we're going to first we're going to prepare the namespaces for our demo here. Let's take a look at it. Actually, so what we're doing here is we're going to create the namespace where we want to store the record of the the vms that we're using, and we also want to create a service account that will ultimately be the source of identity for the services that run inside of the vm. So we created this namespace created this service account. That's all good.

A

The next thing that we want to do is create the bootstrapping file, so this includes the token. This includes the root ca and some of the environment variables that we'll we'll need here. So if we look at our work folder here, we we have a couple of uh helper scripts that we'll take a look at that in a second. But what we have here in that we that we generated was basically like, I said, the root search.

A

So if we look at the root, this is the root cert that comes uh when istio boots strapped itself. This is what is using as the the signing certificate for all of the workload identities we can see. We have our istio token.

A

This is that short-lived token, that was generated from the token review api in kubernetes, based on the service account, and we have a few other environment variable based things here, so what we want to do with that set of files. If we look at it again, what we want to do with this set of files is transfer these files over to the vm, because this is what's going to be used to bootstrap the the environment and the sidecar and onboard proxy.

A

So again, the steps in that we're taking to create these files they're all going to be in the documentation. So I'm not going to go into that too deeply.

A

Okay, so now, let's go ahead and transfer those files over to the vm.

A

Give that a second we see our work director got created, sent over so now. If we do this, we should see work and we do let's do open it up and go into it.

A

So now we have our files here same files that we just took a look at earlier. The first thing that we're going to do is we're going to run this prep vm script that I have here and what this is going to do is basically put the certificate and the token in the correct location on the vm so that the proxy sidecar can find it we'll install it here. We can see we're using istio, 1.7 release candidate, 3, we'll install the proxy and then finish setting up some of the other variables again.

A

These steps are listed in the docs right here. So again we won't go into it that deeply, but we're going to run it so we're going to prepare the vm here.

A

We'll give that a few moments, so this is doing an update and hopefully doesn't take too long for here, but you can see. That is the first step in our document uh upgrade, and then we start putting the things where they need to go.

A

Give that a second all right that looks good installed, the sidecar installed the um environment variables and the certificates and so forth. Okay, that looks good now. If we look in our list of services that are running on or available to run on this particular vm, we should see the istio service here. I'm not sure why it's in a failed state, let's continue with the demo and see if that sorts itself out.

A

Let's try that, let's, let's start it. um So if we start, if we come back here, then it looks a little bit better okay, so it was just not started. uh We can see our istio service is here and it is running just fine.

A

If we want to tail the logs, we can run um but run this command, and we see some things have happened. The logs have come up. We can even take a look at the error. Log and uh take a look to see, um looks like we had some trouble connecting to the uh xds for some reason, um but let's continue on with the demo we'll see, I think it actually did connect. I think it uh either just from a previous run or installed for a second, but it should.

A

It should connect correctly all right now for this demo, I did happen to set up dns mask so that we can call into the kubernetes cluster directly.

A

um If I look at the dns mask file here, the most important part is this: where we're going to try to resolve the service, the cluster.local um domain names and we'll return this this ip address, also always which happens to be the the sitter range for the kubernetes services that get created um so just to verify that let's come over here. Let's look at the service.

A

uh These are 10.44. whatever right. um So that's what we got into the dns mask to make that work, and so that should be good. The next thing, the last thing that we want to see is um that's the envoy is running and it is running so that looks good and then part of the magic of istio and the running side. Car is redirecting the traffic, whether that's inbound or outbound, from this bm through the proxy right. So we do expect tables, look at the nat table.

A

We do expect rules here that will match on particular inbound ports in this case, as well as the the kubernetes services any of the kubernetes services, and and should route them into the proxy so that we get to take advantage of envoys, powerful routing capabilities and so forth.

A

So what we have here is a running envoy.

A

We have the rules set up so that if we make a call to some of the services in the service mesh from this vm that they should complete successfully, the last sanity check we do want to do here is: let's take a look at the configuration from envoy and verify that a service like let's say http bin service does indeed exist and the config here and we do see it.

A

So it means the proxy was able to connect up to the control plane that if we take a look at uh bar run secrets, it's still, I believe we can see that we were able to connect up to the control plane. We were able to get configuration dynamically. So we can. We know about the http pin services. We also were able to generate uh keys and workload certificate.

A

So if we do uh curl localhost search, we can see that the certs were all set up correctly, using that that short lived token and things look to be as though they're in a good shape here. If we try to do a curl, we'll do attach v, just in case things go wrong, uh you should be band dot, uh the default service.cluster.

A

local, I believe that's on 8, 000 and headers. If we call this from the vm, we should get the expected response, which is the http bin response, and you can see that it is using the spiffy identifier of this vm, which we set up once the sidecar was installed and communicated with the pro with the control plane got it.

A

Certificates was assigned an identity based on the service, account remember that we had set up and uh and now and the traffic works so going from the vm to the rest of the service mesh, the the proxy the sidecar proxy on the vm handles that communication.

A

Now this videos actually got a little longer than I thought it would so we're going to stop here and in the next video we'll take a look at running a service on the vm and then from the service mesh. The rest of service mesh, we're going to call into this vm, and you should see that the mechanism of the you know making calls to services within the mesh is the same, and it's consistent, whether you're on the vm or whether you're in the service mesh so stay tuned to the next video.