Service mesh: after the microservice architecture decoupled service discovery, the mesh goes one step further and also decouples the functions that sit outside the business logic (communication, load balancing, traffic control, observability). It is a new generation of microservice architecture built on containerization and designed around the sidecar pattern.
https://istio.io/latest/about/service-mesh/
A service mesh is a dedicated infrastructure layer that you can add to your applications. It allows you to transparently add capabilities like observability, traffic management, and security, without adding them to your own code. The term “service mesh” describes both the type of software you use to implement this pattern, and the security or network domain that is created when you use that software.
Characteristics:
- Uses the sidecar pattern (adds a layer alongside the application)
- Decouples governance functions unrelated to business logic, such as load balancing, security and observability
- Almost transparent to business developers
Related products:
Alibaba: AMS
Baidu: CMS
Google's open source project: Istio
Both AMS and CMS are based on Istio.
Good hands-on article: https://zhuanlan.zhihu.com/p/383011285
Istio
- An open source service governance framework
- Provides nearly transparent security, connection management, traffic management and observability
Istio is an open source service mesh that layers transparently onto existing distributed applications. Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to load balancing, service-to-service authentication, and monitoring – with few or no service code changes. Its powerful control plane brings vital features, including:
- Secure service-to-service communication in a cluster with TLS encryption, strong identity-based authentication and authorization
- Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic
- Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault injection
- A pluggable policy layer and configuration API supporting access controls, rate limits and quotas
- Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress
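The first bullet (mTLS plus identity-based authorization) is the part a security engineer cares about most. Added example, not from the page or the Istio docs: a namespace-wide PeerAuthentication that rejects plaintext, and an AuthorizationPolicy that lets only the productpage workload call reviews. The namespace `default` and the service account name `bookinfo-productpage` are assumptions about how the Bookinfo sample was deployed.

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default          # assumed: Bookinfo deployed into "default"
spec:
  mtls:
    mode: STRICT              # sidecars accept only mTLS; plaintext from non-mesh pods is rejected
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow-productpage
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews            # applies to the reviews pods only
  action: ALLOW               # once an ALLOW policy selects a workload, anything not matched is denied
  rules:
  - from:
    - source:
        # SPIFFE identity of the caller, taken from the client certificate that STRICT mTLS guarantees
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]   # assumed service account
    to:
    - operation:
        methods: ["GET"]
        paths: ["/reviews/*"]
```

Without the PeerAuthentication the `principals` field is meaningless, because a plaintext caller carries no verified identity; the two resources only work as a pair.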
Installation (mac)
Prerequisites:
Install K8S
1. Install kubectl, the command line tool: brew install kubectl
2. Install minikube, which manages the cluster: brew install minikube
3. minikube start launches a single-node cluster
4. View cluster information: kubectl cluster-info
Install using the "Install with Istioctl" method.
https://istio.io/latest/docs/setup/getting-started/#download
Application configuration example:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  # The selector matches the ingress gateway pod labels.
  # If you installed Istio using Helm following the standard documentation, this would be "istio=ingress"
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 8080
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
```
Service discovery and traffic control
https://istio.io/latest/docs/concepts/traffic-management/
Used in a configuration-driven way.
Virtual Service:
* Used together with routing rules; it is the routing configuration.
* Service discovery and routing rules
* A collection of routing rules
* One mesh can have multiple virtual services
A virtual service lets you configure how requests are routed to a service within an Istio service mesh, building on the basic connectivity and discovery provided by Istio and your platform. Each virtual service consists of a set of routing rules that are evaluated in order, letting Istio match each given request to the virtual service to a specific real destination within the mesh. Your mesh can require multiple virtual services or none depending on your use case.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2
  - route:
    - destination:
        host: reviews
        subset: v3
```
- kind: indicates the type of the current module
- hosts: the fan-out addresses: IP, DNS name or domain name
- http: declares the routing rules for this protocol
routing rules
- match: the matching rules; precedence follows declaration order
- headers: declares key/value pairs taken from the request headers
- matching modes: exact, prefix, regex.
- route: declares the route
- destination: declares the actual target address (the hosts above can be aliases; the real address goes here)
- weight: declares the weight
- headers: declares key/value pairs taken from the request headers
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - bookinfo.com
  http:
  - match:
    - uri:
        prefix: /reviews
    route:
    - destination:
        host: reviews
  - match:
    - uri:
        prefix: /ratings
    route:
    - destination:
        host: ratings
```
For the destination routing rules configuration, see: https://istio.io/latest/docs/reference/config/networking/destination-rule/
It can configure load-balancing policies, version control and so on; it is in charge of the fan-out.
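The routing-rule fields listed above (match, route, destination, subset, weight) only make sense together with the DestinationRule that defines the subsets. Added example, not from the page or the Istio docs: a DestinationRule that names the reviews versions and enforces mTLS to them, and a VirtualService that sends a fixed user to v2 and splits everyone else 90/10, with a timeout and retries. The `version: v1`/`v2` pod labels are an assumption about the Bookinfo deployment.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews               # the service name used in the VirtualService destinations below
  trafficPolicy:
    loadBalancer:
      simple: LEAST_REQUEST   # load-balancing policy per host
    tls:
      mode: ISTIO_MUTUAL      # sidecar-to-sidecar mTLS using Istio-issued certificates
  subsets:                    # a subset selects pods by label; assumed labels version=v1/v2
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - match:                    # rule 1 is evaluated first: the specific match goes on top
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2
  - route:                    # rule 2: default for everything rule 1 did not match
    - destination:
        host: reviews
        subset: v1
      weight: 90              # weights across the destinations of one route sum to 100
    - destination:
        host: reviews
        subset: v2
      weight: 10
    timeout: 10s              # overall request deadline
    retries:
      attempts: 3
      perTryTimeout: 2s       # must be shorter than the overall timeout
```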
Gateway
Declares a gateway module (responsible for exposing services to the outside network); a virtual service must also be declared to perform the fan-out.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ext-host-gwy
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - ext-host.example.com
    tls:
      mode: SIMPLE
      credentialName: ext-host-cert
```
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: virtual-svc
spec:
  hosts:
  - ext-host.example.com
  gateways:
  - ext-host-gwy
```
service entries
Detailed study: https://www.cnblogs.com/wangguishe/p/16844936.html
Manually manage services that are outside the system and cannot be registered automatically.
After you add the service entry, the Envoy proxies can send traffic to the service as if it was a service in your mesh.
- Redirect and forward traffic for external destinations, such as APIs consumed from the web, or traffic to services in legacy infrastructure.
- Define retry, timeout, and fault injection policies for external destinations.
- Run a mesh service in a Virtual Machine (VM) by adding VMs to your mesh.
However, you can’t use Istio features to control the traffic to destinations that aren’t registered in the mesh.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: svc-entry
spec:
  hosts:
  - ext-svc.example.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
  #resolution: STATIC
  #endpoints:
  #- address: 2.2.2.2
  #- address: 3.3.3.3
```
- spec: indicates that this unit is a configuration unit
- location: the service's location; MESH_EXTERNAL means the service is not in the mesh
- resolution: the resolver, e.g. DNS or STATIC (IP:Port)
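The ServiceEntry above only registers the host; the retry, timeout and fault-injection policies mentioned earlier can be applied to it only when the sidecar can see HTTP, which means the application talks plaintext to the sidecar and the sidecar originates TLS. Added example, not from the page or the Istio docs: a ServiceEntry with both ports, a DestinationRule that turns on TLS origination for port 443, and a VirtualService that upgrades port 80 calls to 443 with a timeout and retries. The host `api.example.com` is a placeholder.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: ext-api
spec:
  hosts:
  - api.example.com           # placeholder external API
  ports:
  - number: 80                # what the application connects to (plaintext, sidecar-local)
    name: http-port
    protocol: HTTP
  - number: 443               # what the sidecar actually connects to
    name: https-port
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ext-api
spec:
  host: api.example.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE          # sidecar originates TLS and verifies the server certificate
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ext-api
spec:
  hosts:
  - api.example.com
  http:
  - match:
    - port: 80                # plaintext request from the app on port 80 ...
    route:
    - destination:
        host: api.example.com
        port:
          number: 443         # ... is sent out over TLS on port 443
    timeout: 5s               # policies are possible here because the sidecar sees HTTP
    retries:
      attempts: 2
      retryOn: 5xx,connect-failure
```

With `meshConfig.outboundTrafficPolicy.mode` set to `REGISTRY_ONLY`, the sidecar refuses to reach any host that has no ServiceEntry, which turns the note above about unregistered destinations into an enforced allow-list.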
Sidecars
Used to manage the rules by which a single mesh workload instance (the configurations above were all at the service level) accesses internal or external services.
By default, Istio configures every Envoy proxy to accept traffic on all the ports of its associated workload, and to reach every workload in the mesh when forwarding traffic.
- Fine-tune the set of ports and protocols that an Envoy proxy accepts.
- Limit the set of services that the Envoy proxy can reach.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: bookinfo
spec:
  egress:
  - hosts:
    - "./*"
    - "istio-system/*"
```
- egress: controls outbound traffic (the hosts this proxy is allowed to reach)
Request processing flow in Istio
todo
Deploying / starting the application
Mainly done through K8S.
- Label the namespace to allow injection: kubectl label namespace default istio-injection=enabled
- Choose a yaml file to deploy: kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
- kubectl get services/node/pod to view the started services
- Enter a container and try a request: curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
todo: learn how to use K8S.