Infrastructure Solutions blog

 2 years ago
source link: https://community.arm.com/arm-community-blogs/b/infrastructure-solutions-blog/posts/deploying-tetrate-istio-distribution-for-arm-neoverse-based-aws-graviton-processors
This blog post provides some needed background concerning the recent Tetrate and Arm Neoverse announcement. It then shows you how to deploy Tetrate Istio Distribution on an AWS Graviton2-based Amazon EKS cluster.

How Arm Neoverse Powers Service Mesh

The core idea behind a service mesh is to interconnect various services of an application and provide an infrastructure and management layer. Each service is assigned an identical proxy that handles communication tasks for the service it is assigned to. The sidecar proxy helps to address the need for security, observability, upgradability, and so forth. The service mesh allows the application to focus only on the business logic needed for the application.

The Istio open-source project is the leading implementation of the service mesh approach. It offers features like service discovery, load balancing, security, mTLS encryption, and authentication. Istio uses the Envoy proxy, a CNCF open-source project, which acts as a sidecar to each service instance. In a typical cloud native or microservices-based application, a sidecar container attaches itself to each service or Kubernetes pod of the application. This sidecar provides monitoring and security to the services. It intercepts all service traffic, and this traffic and the proxy instances comprise the data plane of the service mesh. Istio is the control plane, managing proxies to route traffic, implementing policies, gathering metrics, and configuring the data plane.

Tetrate is a service mesh company that is a top contributor to the open-source Istio project. It helps organizations adopt Istio/Envoy with three offerings:

  • Tetrate Istio Distribution (TID) is a set of free Istio releases vetted by Tetrate, including other features. (Each Istio release includes an extended version of the Envoy proxy.) 
  • Tetrate Istio Subscription (TIS) is a paid service that provides support for Istio releases. 
  • Tetrate Service Bridge (TSB) is commercial software that provides a management plane for Envoy and Istio. Istio is configured at the cluster level. TSB works at higher levels of abstraction, such as workspaces, which can span multiple clusters located in different regions or running on different clouds and/or on-premises. 

Tetrate is launching support for Arm Neoverse technology, including Neoverse-based Kubernetes clusters in AWS. AWS Graviton2 processors are built using 64-bit Arm Neoverse cores to deliver the best price/performance for cloud workloads running in Amazon EC2. These optimized instances provide up to 40% better price/performance over comparable, current-generation x86-based instances for a wide variety of workloads. The instances include Amazon EC2 general purpose instances (M6g, M6gd, T4g), compute-optimized instances (C6g, C6gd, C6gn), and memory-optimized instances (R6g, R6gd, X2gd).

Deploying Tetrate Istio Distribution to AWS Graviton2

In the steps below, we demonstrate how seamless it is to deploy Tetrate Istio Distribution on an AWS Graviton2-based Amazon EKS cluster. Following are the main components covered in this section:

  • Installation of the multi-arch Istio binary from Tetrate and invocation of istioctl on the EKS cluster
  • Components of Istio installed on the Kubernetes cluster – Istio core, Istiod, Istio ingress and egress
  • Kiali - a dashboard and management console to visualize and troubleshoot the different components of the Istio service mesh
  • Sample Bookinfo application - comprising multiple services that interact with each other
  • Dashboards to observe traffic splitting, metrics, application versions and so on.

Configurations

Pre-requisites:

  • AWS Account access
  • Tetrate Istio Distribution binary
  • Kubectl binary

Provision an Amazon EKS cluster with a managed node group consisting of 3 nodes based on M6g EC2 instances. Once the cluster is up and running, we can verify that all the nodes are up using kubectl as shown in Figure 1.

kubectl get nodes -o wide

Figure 1. EKS worker nodes based on AWS Graviton2 EC2 instances

Download the Tetrate Istio Distribution binary from this location and unzip it as shown in Figure 2.

Figure 2. Tetrate Istio Distribution installation

Add the istioctl binary to your PATH and install Istio with the demo profile. This command installs Istio with all the default features, including Istio core, Istiod, and the Istio ingress and egress gateways.

Figure 3. Istioctl installation on Arm-based EKS cluster

Note: If you do not have access to an Arm-based client, you can simply create a t4g instance in AWS and use that for installing TID and interacting with the cluster.

Once the installation is completed successfully, we see the Istio namespace and pods created in our cluster.

Figure 4. Istio namespace created in the cluster

Figure 5. Kubernetes pods related to Istio

To visualize the service-to-service (also sidecar proxy-to-sidecar proxy) communications of an application, we install an open-source dashboard called Kiali. It also helps us debug any issues with the application.

To install Kiali, add the following helm repo: https://kiali.org/helm-charts.

Install the Kiali operator using the following command:

helm install \
  --set cr.create=true \
  --set cr.namespace=istio-system \
  --namespace kiali-operator \
  --create-namespace \
  kiali-operator \
  kiali/kiali-operator

Figure 6. Kiali dashboard installation

Once the installation is successful, verify all the components of Kiali with the following command:

kubectl get all -n kiali-operator

Before we install a demo application on our cluster, we must enable sidecar injection with the following command:

kubectl label namespace default istio-injection=enabled

Install the Bookinfo application using this YAML file on the Kubernetes cluster. Once the application is running, execute the following command to verify that it is working.

kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"

We see the following response:

kubectl exec response
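
The istio-injection label only affects pods created after it is set, and a pod without the Envoy sidecar sits outside the mesh, so its traffic is not intercepted by the proxy. The script below is an added example, not part of the original post: it lists pods that lack the sidecar. It assumes the sidecar is a regular container named istio-proxy (as in the Istio 1.13 release used here); the function names and the sample pod names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report pods without the Envoy
# sidecar. Assumes the sidecar is a regular container named "istio-proxy".

# Reads "NAME  CONTAINER[,CONTAINER...]" lines on stdin and prints the name of
# every pod whose container list has no exact "istio-proxy" entry.
pods_missing_sidecar() {
  awk '
    NF == 0 { next }                      # ignore blank lines
    {
      n = split($2, c, ",")
      found = 0
      for (i = 1; i <= n; i++) if (c[i] == "istio-proxy") found = 1
      if (!found) print $1
    }'
}

# Live check against a namespace (defaults to "default"); needs kubectl access.
check_namespace() {
  kubectl get pods -n "${1:-default}" --no-headers \
    -o 'custom-columns=NAME:.metadata.name,CONTAINERS:.spec.containers[*].name' |
    pods_missing_sidecar
}

# Constructed sample in the same two-column format: the ratings pod was
# started before the namespace was labelled, so it has no sidecar.
SAMPLE='productpage-v1-6b746f74dc-9stvs   productpage,istio-proxy
reviews-v1-545db77b95-xk2rd       reviews,istio-proxy
ratings-v1-b6994bb9-m7zlp         ratings'

sample_result() { printf '%s\n' "$SAMPLE" | pods_missing_sidecar; }

# Running the script prints the un-injected pod from the sample.
sample_result
```

Pods reported by check_namespace need to be recreated (for example by restarting their deployment) before they pick up the sidecar.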

We can access the application remotely via several methods: by creating a NodePort, a ClusterIP, or an ingress gateway. In this blog, we are using the existing Istio infrastructure and gateway. Use the following command to deploy the Bookinfo application gateway:

kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.13/samples/bookinfo/networking/bookinfo-gateway.yaml

For Kiali to display metrics of the Bookinfo application, we need to deploy Prometheus on the Kubernetes cluster. It will gather all the metrics from the application and send them to Kiali. To install Prometheus on the cluster, use the following command:

kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.13/samples/addons/prometheus.yaml
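
The two kubectl apply commands above read manifests straight from the release-1.13 branch, whose contents can change between runs. The following is an added example, not part of the original post, of applying such a manifest only after its SHA-256 matches a digest recorded when the file was reviewed. The function names are hypothetical and the digest in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): apply a remote manifest only
# after its SHA-256 matches a digest recorded when the file was reviewed.

# Portable SHA-256 of a file (GNU coreutils sha256sum, or shasum elsewhere).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_manifest FILE EXPECTED_HEX: succeeds only on an exact digest match;
# an empty expected digest is always rejected.
verify_manifest() {
  [ -n "$2" ] && [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_verify_apply URL EXPECTED_HEX: download to a temp file, verify, apply.
# Nothing reaches the cluster if the download or the comparison fails.
fetch_verify_apply() {
  tmp=$(mktemp) || return 1
  if curl -fsSL "$1" -o "$tmp" && verify_manifest "$tmp" "$2"; then
    kubectl apply -f "$tmp"; rc=$?
  else
    echo "refusing to apply $1: download failed or digest mismatch" >&2; rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage (the digest is a placeholder to be filled in after review):
# fetch_verify_apply \
#   https://raw.githubusercontent.com/istio/istio/release-1.13/samples/addons/prometheus.yaml \
#   "<sha256-recorded-at-review-time>"
```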

Now let’s take a look at the Kiali dashboard below. In this dashboard we see the different components of Bookinfo application and how they communicate with each other.

Figure 7. Kiali dashboard showing different components of Bookinfo application

In Figure 8, we can also see the different services and the namespace each service belongs to.

Figure 8. Multiple services in the Kubernetes cluster

The following section shows the different versions of the application managed by Istio service mesh.

Figure 9. Different versions of Bookinfo application in the cluster

Conclusion

As shown in this blog, the Tetrate Istio Distribution service mesh can be installed seamlessly on an AWS Graviton2-based Amazon EKS cluster. If you have any questions, comments, or concerns, please feel free to reach out to us at Tetrate and Arm.
