Istio, seen as the leading service mesh model, was released its 1.0 in July 2018. It has generated massive interest, judging from conference talks and blogs. Have you ever wondered how I can develop a cloud-native microservice deployed on Istio and be confident about its performance? In other words, what is the programming model for developing such a cloud-native microservice? Eclipse MicroProfile comes to rescue. In this session, we will look closely on MicroProfile specifications and demonstrate how MicroProfile can help microservice performing well on Istio and utilize Istio features with a live demo. After this session, you should understand Istio and MicroProfile and be able to design a simple microservice using MicroProfile and deploy to Istio.
XpertSolvers: Your Partner in Building Innovative Software Solutions
MicroProfile as the Istio Programming Model | Virtual Eclipse Community Meetup
1. Istio’s Programming Model – Eclipse
MicroProfile
Emily Jiang – Liberty Architect for CDI and MicroProfile, IBM
twitter: emilyfhjiang
Heiko Rupp –Platform Architect for Middleware monitoring, Red Hat
twitter: pilhuhn
1
2. What does MicroProfile do?
• Vendor-neutral programming model, designed in the
open, for Java microservices
• Provide core capabilities for building fault tolerant,
scalable microservices
• Increasing the rate and pace of innovation beyond
Java EE
Invite developers to join the MicroProfile community and influence the future http://microprofile.io/
3. What is Service Mesh?
A dedicated infrastructure layer to
make service to service
communication fast, safe and
reliable
8. What does MicroProfile do?
• Vendor-neutral programming model, designed in the open, for Java
microservices
• Provide core capabilities for building fault tolerant, scalable, microservices
• Increasing the rate and pace of innovation beyond Java EE
Standardizing microservices in enterprise Java via the MicroProfile community
Config
Fault
Tolerance
Health
Check
Metrics
Security
(JWT)
Open
Tracing
Open API
Rest
Client
externalize
configuration
to improve
portability
build robust
behavior to
cope with
unexpected
failures
ensure
services are
running and
meeting
SLAs
understand
the
interactions
between
services
while running
provides role
based
access
control
(RBAC) for
microservice
endpoints
Tracing the
microservice
s invocation
chain
Easily
document
microservcie
APIs
Simplify the
creation of
rest clients
Invite developers to join the MicroProfile community and influence the future http://microprofile.io/
9. MicroProfile and Istio
Capability Istio MicroProfile
Routing
Load balancing
√
Config microservices specify config
properties
Inject config to
microservices
Health Check of Istio
services
Use k8s liveness
and readiness
probe
Provide health
status
Metrics √ √
Distributed Tracing Display tracing
correlation
Auto-propagate 7
headers required by
Istio
API √
Security √ √
mTLS √
RBAC √ √
11. MicroProfile Service Mesh working group
Work in MicroProfile community
Define the specification in microprofile-service-mesh
(https://github.com/eclipse/microprofile-service-mesh)
Sample microservices
https://github.com/eclipse/microprofile-service-mesh-service-a/
https://github.com/eclipse/microprofile-service-mesh-service-b
20. Fault Tolerance difference
• Http request only
(Retry,Timeout,
CircuitBreaker), Connection
pool (tcp and http)
• Apply to all communications
• Fine-grained to individual
method
See http://microprofile.io/
Graphic shows the community members for MicroProfile who are contributing to the technical direction and development of core capabilities that MicroProfile offers. These form the essential building blocks of microservices and are currently absent from the Java EE specification. By taking a community driven approach to their development, the broader Java developer community can increase the rate and pace of innovation, and prove the technology through the community prior to offering the capabilities to Oracle to standardizes as part of a future Java EE specification.
As MicroProfile is an open source Eclipse project, multiple vendors provide implementations of the MicroProfile specification following the tradition of Java EE itself which provides a vendor neutral specification for enterprise application development. This helps optimize the portability of apps built using the MicroProfile specification and avoids vendor lock-in.
If we were to reimagine the network that connects our microservices, what would we want out of it?
Think of the kernel’s TCP/IP stack today.
Do we care where in the planet an IP address is or how to route to it? No
How about discovering MAC address associated with the IP or the next hop router? Nope.
Do we care about packet loss or congestion control? Heck no.
Essentially, the kernel provides a reliable communication fabric at Layer 4. It frees you from having to deal with discovery, failure recovery, flow control, and a host of other issues that you may not even be aware of.
Isn’t this a nice property to have at the services layer, that is, layer-7? We seem to be having some similar issues: discovery, resiliency, routing, etc. and other issues specific such as load balancing, monitoring, policy enforcement, authentication and authorization, etc.
Service mesh data plane: Touches every packet/request in the system. Responsible for service discovery, health checking, routing, load balancing, authentication/authorization, and observability.
Service mesh control plane: Provides policy and configuration for all of the running data planes in the mesh. Does not touch any packets/requests in the system. The control plane turns all of the data planes into a distributed system.
Our service mesh is built using Envoy sidecars. If you look at the big picture, its very similar to a SDN (software defined networking).
The sidecars on the data plane carry traffic. Traffic is transparently intercepted using iptable rules in the pod namespace.
The Istio control plane takes care of managing and configuring the data plane.
The Pilot is responsible for providing service discovery to envoys and managing their configuration as well.
The mixer handles policy enforcement, while Istio-auth takes care of authentication and authorization.
We’ll talk about the mixer and Istio-auth later.
See http://microprofile.io/
Graphic shows the community members for MicroProfile who are contributing to the technical direction and development of core capabilities that MicroProfile offers. These form the essential building blocks of microservices and are currently absent from the Java EE specification. By taking a community driven approach to their development, the broader Java developer community can increase the rate and pace of innovation, and prove the technology through the community prior to offering the capabilities to Oracle to standardizes as part of a future Java EE specification.
As MicroProfile is an open source Eclipse project, multiple vendors provide implementations of the MicroProfile specification following the tradition of Java EE itself which provides a vendor neutral specification for enterprise application development. This helps optimize the portability of apps built using the MicroProfile specification and avoids vendor lock-in.
Service mesh data plane: Touches every packet/request in the system. Responsible for service discovery, health checking, routing, load balancing, authentication/authorization, and observability.
Service mesh control plane: Provides policy and configuration for all of the running data planes in the mesh. Does not touch any packets/requests in the system. The control plane turns all of the data planes into a distributed system.
Our service mesh is built using Envoy sidecars. If you look at the big picture, its very similar to a SDN (software defined networking).
The sidecars on the data plane carry traffic. Traffic is transparently intercepted using iptable rules in the pod namespace.
The Istio control plane takes care of managing and configuring the data plane.
The Pilot is responsible for providing service discovery to envoys and managing their configuration as well.
The mixer handles policy enforcement, while Istio-auth takes care of authentication and authorization.
We’ll talk about the mixer and Istio-auth later.
MicroProfile Fault Tolerance offers Retry, Timeout, Bulkhead, CircuitBreaker, Fallback
Istio offers Failure handling: Timeout, retries, limits on number of concurrent connections, circuit breakers
Istio can not offer fallback
Microservices need both of them sometimes
How to set up a ecosystem of MicroProfile Fault Tolerance with Istio
Use MicroProfile Fault Tolerance without Istio’s Fault Handling
Use Istio’s Fault Handling with MicroProfile Fault Tolerance fallback
MicroProfile Fault Tolerance is configurable and flexible
The Fault Tolerance policies except fallback can be switched off via a configuration property called MP_Fault_Tolerance_NonFallback_Enabled with the value of false.
Unique feature from MicroProfile Fault Tolerance where other Fault Tolerance third party libraries cannot offer easily
MicroProfile FT triggers plugin to generate Istio config rules. For http invocation, set MP_Fault_Tolerance_NonFallback_Enabled to false
Istio config rules will be automatically treated as a config source understood by MicroProfile config. Any value change in the file will be able to feed back to the application.
For http traffic, Istio manages all FT except Retry where MP FT will provide
For other traffic, Istio pretends it manages it but it is not capable. Devops can config the rules by changing the parameters. All the changes will be translated to FT properties and then MP FT obeys the order.
For Devops, it is seemless.