Shulou(Shulou.com)05/31 Report--

In this issue, Xiaobian will bring you about how to integrate services deployed in VM into Istio. The article is rich in content and analyzed and described from a professional perspective. After reading this article, I hope you can gain something.

Istio was designed primarily for Kubernetes services. However, in the actual scenario, there are still many services deployed on VM, Istio wants to become the de facto standard of Service Mesh, and there is no doubt that services that support VM deployment are needed.

Istio 1.6 adds the WorkloadEntry custom resource, which provides first-class support for VMs.

Istio 1.7 adds the ability to securely boot the identity of services running in VMs. Finally, Istio 1.7 adds Sidecar packages to support CentOS/Red Hat and existing Debian/Ubuntu.

Istio 1.8 adds an intelligent DNS proxy, which is an Istio sidecar proxy written by Go. Istio agents on sidecar will come with a cached DNS proxy dynamically programmed by Istiod. DNS queries from applications are transparently intercepted and serviced by Istio proxies in pods or VMs that intelligently respond to DNS query requests, enabling seamless multi-cluster access from virtual machines to the service grid.

Istio 1.8 also adds the WorkloadGroup custom resource, which is a collection describing service instances deployed on VMs and is designed to emulate the existing Sidecar Injection and Deployment specification model for Kubernetes workloads to boot Istio agents.

The automatic registration of VM instances through WorkloadGroup is currently in pre-alpha state.

WorkloadEntry

WorkloadEntry is used to describe non-Pod endpoints, bringing VMs into mesh. At this point the VM becomes a first-class citizen like a Pod and can be configured with MUTUAL_TLS.

To create a WorkloadEntry and attach it to a ServiceEntry, do the following:

apiVersion: networking.istio.io/v1alpha3

kind: WorkloadEntry

metadata:

name: vm1

namespace: ns1

spec:

address: 1.1.1.1

labels:

app: foo

instance-id: vm-78ad2

class: vm

---

apiVersion: networking.istio.io/v1alpha3

kind: ServiceEntry

metadata:

name: svc1

namespace: ns1

spec:

hosts:

- svc1.internal.com

ports:

- number: 80

name: http

protocol: HTTP

resolution: STATIC

workloadSelector:

labels:

app: foo

This creates a new WorkloadEntry with a set of labels and addresses, as well as a ServiceEntry that uses WorkloadSelector to select all endpoints with the desired labels, including, in this case, the WorkloadEntry created for the VM.

Note that ServiceEntry can reference Pods and WorkloadEntries using the same selector. Istio can now do the same for VMs and pods without having to separate them.

VM auto-registration

WorkloadGroup is mainly used for automatic registration of WorkloadEntry, which is more practical in actual scenarios. In fact, the services we deploy in VM are generally configured to automatically scale, which requires that our services must be automatically registered in mesh.

How to achieve automatic registration of that?

First we need to do some preparation:

Enable automatic registration when installing istiod.

$ istioctl install --set values.pilot.env.PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION=true

Deploy an east-west gateway. Used to expose istiod services so that sidecars on VMs can communicate with istiod.

Then we create the following WorkloadGroup:

apiVersion: networking.istio.io/v1alpha3

kind: WorkloadGroup

metadata:

name: python-http

namespace: vm

spec:

metadata:

annotations: {}

labels:

app: python-http

template:

ports: {}

serviceAccount: my-vm

This way we automatically create a WorkloadEntry in the mesh after each instance of python-http is started on vm. The WorkloadEntry created contains the ip and metadata of the VM instance. At this point we can create a ServiceEntry and select our WorkloadEntry via the label selector. Other services in the mesh can then access our python-http service via hosts in ServiceEntry.

apiVersion: networking.istio.io/v1beta1

kind: ServiceEntry

metadata:

name: vm-workload-svc

namespace: vm

spec:

hosts:

- vmservice.example.com

location: MESH_INTERNAL

ports:

- number: 80

name: http

protocol: HTTP

targetPort: 9090

resolution: STATIC

workloadSelector:

labels:

app: python-http

For detailed VM installation procedures, refer to the official documentation.

intelligent DNS

In fact, VM auto-registration is completed, and seamless access from virtual machines to service grids cannot be achieved through hostnames. For example, if we deploy the Istio sidecar agent on the VM, we will not be able to access services in the grid and Kubernetes cluster through the hostname (e.g. httpbin.default.svc.cluster.local). We need intelligent DNS.

In Istio 1.8, Sidecar now has a DNS proxy that caches endpoints in the mesh and endpoints created by ServiceEntry resources. Through the Iptables rule, intercept dns requests to sidecar local dns server. If the host name can be resolved in the cache, the resolution result will be returned directly. If it cannot be found, it will be delegated to the system DNS as a normal DNS proxy. This allows services on vm to access services in mesh by hostname.

Smart DNS is not enabled by default. When we install istio, we can enable this feature by using the following parameters:

--set meshConfig.defaultConfig.proxyMetadata.ISTIO_META_DNS_CAPTURE=true

When a VM connects to the Istio control plane, it connects through an "east-west gateway." The gateway is really just an Istio gateway specifically designed for intra-grid traffic, and now East-West gateways are recommended for deployment in Istio 1.8. Once the connection is established from VM Sidecar to the Istio control plane, the appropriate WorkloadEntry resource is created and VM Sidecar can resolve all services in the cluster. Deploying services from VMs provides direct access to httpbin.default.svc.cluster.local. DNS names are resolved by proxies and routed to the appropriate service in the grid through the East-West Gateway.

The above is how to integrate services deployed in VM into Istio shared by Xiaobian. If you happen to have similar doubts, you may wish to refer to the above analysis for understanding. If you want to know more about it, please pay attention to the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.