Mastering Service Mesh: Enhance, secure, and observe cloud-native applications with Istio, Linkerd, and Consul


Understand how to use service mesh architecture to efficiently manage and safeguard microservices-based applications with the help of examples

Key Features

  • Manage your cloud-native applications easily using service mesh architecture
  • Learn about Istio, Linkerd, and Consul – the three primary open source service mesh providers
  • Explore tips, techniques, and best practices for building secure, high-performance microservices

Book Description

Although microservices-based applications support DevOps and continuous delivery, they can also add to the complexity of testing and observability. The implementation of a service mesh architecture, however, allows you to secure, manage, and scale your microservices more efficiently. With the help of practical examples, this book demonstrates how to install, configure, and deploy an efficient service mesh for microservices in a Kubernetes environment.

You'll get started with a hands-on introduction to the concepts of cloud-native application management and service mesh architecture, before learning how to build your own Kubernetes environment. While exploring later chapters, you'll get to grips with the three major service mesh providers: Istio, Linkerd, and Consul. You'll be able to identify their specific functionalities, from traffic management, security, and certificate authority through to sidecar injections and observability.

By the end of this book, you will have developed the skills you need to effectively manage modern microservices-based applications.

What you will learn

  • Compare the functionalities of Istio, Linkerd, and Consul
  • Become well-versed with service mesh control and data plane concepts
  • Understand service mesh architecture with the help of hands-on examples
  • Work through hands-on exercises in traffic management, security, policy, and observability
  • Set up secure communication for microservices using a service mesh
  • Explore service mesh features such as traffic management, service discovery, and resiliency

Who this book is for

This book is for solution architects and network administrators, as well as DevOps and site reliability engineers who are new to the cloud-native framework. You will also find this book useful if you're looking to build a career in DevOps, particularly in operations. Working knowledge of Kubernetes and building microservices that are cloud-native is necessary to get the most out of this book.

Table of Contents

  1. Monolithic Versus Microservices
  2. Cloud-Native Applications
  3. Service Mesh Architecture
  4. Service Mesh Providers
  5. Service Mesh Interface and SPIFFE
  6. Building Your Own Kubernetes Environment
  7. Understanding the Istio Service Mesh
  8. Installing a Demo Application
  9. Installing Istio
  10. Exploring Istio Traffic Management Capabilities
  11. Exploring Istio Security Features
  12. Enabling Istio Policy Controls
  13. Exploring Istio Telemetry Features
  14. Understanding the Linkerd Service Mesh
  15. Installing Linkerd
  16. Exploring the Reliability Features of Linkerd
  17. Exploring the Security Features of Linkerd
  18. Exploring the Observability Features of Linkerd
  19. Understanding the Consul Service Mesh
  20. Installing Consul
  21. Exploring the Service Discovery Features of Consul
  22. Exploring Traffic Management in Consul

Author(s): Anjali Khatri, Vikram Khatri
Publisher: Packt Publishing
Year: 2020

Language: English
Pages: 626

Cover
Title Page
Copyright and Credits
About Packt
Foreword
Contributors
Table of Contents
Preface
Section 1: Cloud-Native Application Management
Chapter 1: Monolithic Versus Microservices
Early computer machines
Hardware virtualization
Software virtualization
Container orchestration
Monolithic applications
Brief history of SOA and ESB
API Gateway
Drawbacks of monolithic applications
Microservices applications
Early pioneers
What is a microservice?
Evolution of microservices
Microservices architecture
Benefits and drawbacks of microservices
Future of microservices
Summary
Questions
Further reading
Chapter 2: Cloud-Native Applications
An introduction to CNAs
Container runtime
Container orchestration platforms
Cloud-native infrastructure
Summary
Questions
Further reading
Section 2: Architecture
Chapter 3: Service Mesh Architecture
Service mesh overview
Who owns the service mesh?
Basic and advanced service mesh capabilities
Emerging trends
Shifting Dev responsibilities to Ops
Service mesh rules
Observability
Routing
Automatic scaling
Separation of duties
Trust
Automatic service registration and discovery 
Resiliency
Service mesh architecture
Summary
Questions
Further reading
Chapter 4: Service Mesh Providers
Introducing service mesh providers
Istio
Linkerd
Consul
Other providers
A quick comparison
Support services
Summary
Questions
Further reading
Chapter 5: Service Mesh Interface and SPIFFE
SMI
SMI specifications
SPIFFE
Summary
Questions
Further reading
Section 3: Building a Kubernetes Environment
Chapter 6: Building Your Own Kubernetes Environment
Technical requirements
Downloading your base VM 
Building an environment for Windows
Downloading our virtualization software
Setting the network address 
Performing finalization checks
Building an environment for macOS
Downloading our virtualization software
Setting the network address
Performing finalization checks
Performing prerequisite tasks
Building Kubernetes using one VM
Installing Kubernetes
Running kubeadm
Configuring kubectl
Installing the Calico network for pods
Creating an admin account
Installing kubectl on client machines
Performing finalization checks
Installing Helm and Tiller
Installing without security
Installing with Transport Layer Security (TLS)
Installing the Kubernetes dashboard
Running the Kubernetes dashboard
Get an authentication token
Exploring the Kubernetes dashboard
Additional steps
Installing the Metrics Server 
Installing VMware Octant 
Installing Prometheus and Grafana 
Uninstalling Kubernetes and Docker
Powering the VM up and down
Summary
Questions
Further reading
Section 4: Learning about Istio through Examples
Chapter 7: Understanding the Istio Service Mesh
Technical requirements 
Introducing the Istio service mesh
Istio's architecture
Control plane
Galley
Pilot
Service discovery
Traffic management
Gateway
Virtual service
Routing rules
Fault injection
Abort rules
Service entry
Destination rule
Load balancing
Circuit breaker
Blue/green deployment
Canary deployment
Namespace isolation
Mixer
Configuration of Mixer
Attributes
Handlers
Rules
Citadel
Certificate and key rotation
Authentication
Strong identity
RBAC for a strong identity
Authorization
Enabling mTLS to secure service communication
Secure N-to-N mapping of services
Policies
Implementing authentication
Implementing authorization
Data plane
Sidecar proxy
Istio's Envoy sidecar proxy
What is Envoy?
Envoy architecture
Deployment
Observability
Summary
Questions
Further reading
Chapter 8: Installing a Demo Application
Technical requirements
Exploring Istio's BookInfo application
BookInfo application architecture
Deploying the Bookinfo application in Kubernetes
Enabling a DNS search for Kubernetes services in a VM
Understanding the BookInfo application
Exploring the BookInfo application in a Kubernetes environment
Summary
Questions
Further reading
Chapter 9: Installing Istio
Technical requirements
Getting ready
Performing pre-installation tasks
Downloading the source code
Validating the environment before installation
Choosing an installation profile
Installing Istio
Installing Istio using the helm template
Installing Istio using Helm and Tiller
Installing Istio using a demo profile
Verifying our installation
Installing a load balancer
Enabling Istio
Enabling Istio for an existing application
Enabling Istio for new applications
Setting up horizontal pod scaling
Summary
Questions
Further reading
Chapter 10: Exploring Istio Traffic Management Capabilities
Technical requirements
Traffic management
Creating an Istio gateway
Finding the Ingress gateway IP address
Creating a virtual service
Running using pod's transient IP address
Running using a service IP address
Running using Node Port
Creating a destination rule
Traffic shifting
Identity-based traffic routing
Canary deployments
Fault injection
Injecting HTTP delay faults
Injecting HTTP abort faults
Request timeouts
Circuit breaker
Managing traffic
Managing Ingress traffic patterns
Managing Egress traffic patterns
Blocking access to external services
Allowing access to external services
Routing rules for external services
Traffic mirroring
Cleaning up
Summary
Questions
Further reading
Chapter 11: Exploring Istio Security Features
Technical requirements
Overview of Istio's security
Authentication
Testing the httpbin service
Generating keys and certificates
Installing the step CLI
Generating private key, server, and root certificates
Mapping IP addresses to hostname
Configuring an Ingress gateway using SDS
Creating secrets using key and certificate
Enabling httpbin for simple TLS
Enabling bookinfo for simple TLS
Rotating virtual service keys and certificates
Enabling an Ingress gateway for httpbin using mutual TLS
Verifying the TLS configuration
Node agent to rotate certificates and keys for services
Enabling mutual TLS within the mesh
Converting into strict mutual TLS
Redefining destination rules
Enabling mTLS at the namespace level
Verifying the TLS configuration
Authorization
Namespace-level authorization
Service-level authorization at the individual level
Service-level authorization for databases
Advanced capabilities
Summary
Questions
Further reading
Chapter 12: Enabling Istio Policy Controls
Technical requirements
Introduction to policy controls
Enabling rate limits
Defining quota and assigning to services
Defining rate limits
Defining quota rules
Controlling access to a service
Denying access
Creating attribute-based white/blacklists
Creating an IP-based white/blacklist
Summary
Questions
Further reading
Chapter 13: Exploring Istio Telemetry Features
Technical requirements
Telemetry and observability
Configuring UI access
Collecting built-in metrics
Collecting new metrics
Database metrics
Distributed tracing
Trace sampling
Tracing backends
Adapters for the backend
Exploring Prometheus
Sidecar proxy metrics
Prometheus query
Prometheus target collection health
Prometheus configuration
Visualizing metrics through Grafana
Service mesh observability through Kiali
Tracing with Jaeger
Cleaning up
Summary
Questions
Further reading
Section 5: Learning about Linkerd through Examples
Chapter 14: Understanding the Linkerd Service Mesh
Technical requirements
Introducing the Linkerd Service Mesh
Linkerd architecture
Control plane
Using the command-line interface (CLI)
Data plane
Linkerd proxy
Architecture
Configuring a service
Ingress controller
Observability
Grafana and Prometheus
Distributed tracing
Exporting metrics
Injecting the debugging sidecar
Reliability
Traffic split
Fault injection
Service profiles
Retries and timeouts
Load balancing
Protocols and the TCP proxy
Security
Automatic mTLS
Summary
Questions
Further reading
Chapter 15: Installing Linkerd
Technical requirements
Installing the Linkerd CLI
Installing Linkerd
Validating the prerequisites
Installing the Linkerd control plane
Separating roles and responsibilities
Cluster administrator
Application administrator
Ingress gateway
Accessing the Linkerd dashboard
Deploying the Linkerd demo emoji app
Installing a demo application
Deploying the booksapp application
Summary
Questions
Further reading
Chapter 16: Exploring the Reliability Features of Linkerd
Technical requirements
Overview of the reliability of Linkerd 
Configuring load balancing
Setting up a service profile
Retrying failed transactions
Retry budgets
Implementing timeouts
Troubleshooting error code
Summary
Questions
Further reading
Chapter 17: Exploring the Security Features of Linkerd
Technical requirements
Setting up mTLS on Linkerd
Validating mTLS on Linkerd
Using trusted certificates for the control plane
Installing step certificates
Creating step root and intermediate certificates
Redeploying control plane using certificates
Regenerating and rotating identity certificates for microservices
Securing the ingress gateway
TLS termination
Testing the application in the browser
Testing the application through curl
Summary
Questions
Further reading
Chapter 18: Exploring the Observability Features of Linkerd
Technical requirements
Gaining insight into the service mesh
Insights using CLI
Insight using Prometheus
Insights using Grafana
External Prometheus integration
Cleaning up
Summary
Questions
Further reading
Section 6: Learning about Consul through Examples
Chapter 19: Understanding the Consul Service Mesh
Technical requirements
Introducing the Consul service mesh
The Consul architecture
Data center 
Client/server
Protocols
RAFT
Consensus protocol
Gossip protocol
Consul's control and data planes
Configuring agents
Service discovery and definitions
Consul integration
Monitoring and visualization
Telegraf
Grafana
Traffic management
Service defaults
Traffic routing
Traffic split
Mesh gateway
Summary
Questions
Further reading
Chapter 20: Installing Consul
Technical requirements
Installing Consul in a VM
Installing Consul in Kubernetes
Creating persistent volumes 
Downloading the Consul Helm chart
Installing Consul
Connecting Consul DNS to Kubernetes
Consul server in a VM
Summary
Questions
Further reading
Chapter 21: Exploring the Service Discovery Features of Consul
Technical requirements
Installing a Consul demo application
Defining Ingress for the Consul dashboard
Service discovery
Using the Consul web console
Implementing mutual TLS
Exploring intentions
Exploring the Consul key-value store
Securing Consul services with ACL
Monitoring and metrics
Registering an external service
Summary
Questions
Further reading
Chapter 22: Exploring Traffic Management in Consul
Technical requirements
Overview of traffic management in Consul 
Implementing L7 configuration
Deploying a demo application
Traffic management in Consul
Directing traffic to a default subset
Canary deployment
Round-robin traffic
Shifting traffic permanently
Path-based traffic routing
Checking Consul services
Mesh gateway
Summary
Questions
Further reading
Assessment
Other Books You May Enjoy
Index