{"id":1202,"date":"2020-08-11T08:45:03","date_gmt":"2020-08-11T15:45:03","guid":{"rendered":"http:\/\/blog.nillsf.com\/?p=1202"},"modified":"2020-08-11T09:35:59","modified_gmt":"2020-08-11T16:35:59","slug":"taking-the-open-service-mesh-for-a-test-drive","status":"publish","type":"post","link":"https:\/\/nillsf.com\/index.php\/2020\/08\/11\/taking-the-open-service-mesh-for-a-test-drive\/","title":{"rendered":"Taking the Open Service Mesh for a test drive"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">It caught me a little by surprise last week when Microsoft released a Service Mesh:<\/p>\n\n\n\n<blockquote class=\"twitter-tweet\"><p lang=\"en\" dir=\"ltr\">We are beyond excited to introduce Open Service Mesh (OSM), a lightweight and extensible <a href=\"https:\/\/twitter.com\/hashtag\/servicemesh?src=hash&amp;ref_src=twsrc%5Etfw\">#servicemesh<\/a> that implements <a href=\"https:\/\/twitter.com\/SMI_spec?ref_src=twsrc%5Etfw\">@SMI_spec<\/a> and runs on <a href=\"https:\/\/twitter.com\/kubernetesio?ref_src=twsrc%5Etfw\">@kubernetesio<\/a> <a href=\"https:\/\/twitter.com\/EnvoyProxy?ref_src=twsrc%5Etfw\">@EnvoyProxy<\/a>! Check out what we&#8217;ve been up to here:<a href=\"https:\/\/t.co\/l6fy4OUorO\">https:\/\/t.co\/l6fy4OUorO<\/a><\/p>\u2014 Open Service Mesh (@openservicemesh) <a href=\"https:\/\/twitter.com\/openservicemesh\/status\/1291056373631983619?ref_src=twsrc%5Etfw\">August 5, 2020<\/a><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">The Open Service Mesh (OSM) is an implementation of a service mesh according to the Service Mesh Interface (SMI) spec, using the Envoy proxy as a sidecar. 
If all of this means nothing to you, stay tuned, as I&#8217;ll walk you through all those terms in this blog and show you OSM in action.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, let&#8217;s start at the beginning, and discuss what a service mesh is.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is a service mesh?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">I still remember the first time I heard about service meshes. The year was 2018, and it was a hot August afternoon in Mountain View. I had just moved to the US a month earlier, and was looking to integrate better in the tech community here. That afternoon, I jumped on my bike to attend <a href=\"https:\/\/www.meetup.com\/microservices-apis-integration-meetup\/events\/253654859\/\">a meetup<\/a> in Mountain View at the headquarters of WSO2. The title of that meetup was &#8220;Introduction to Istio and onto 1.0&#8221;, and I had no idea what I was walking into. Dan Curuli from Google presented on Istio and the problems it solved. He made such a great presentation that I wrote <a href=\"https:\/\/blog.nillsf.com\/index.php\/2018\/08\/31\/istio-meetup-report\/\">a blog post shortly afterwards to share some of my lessons learnt<\/a>. Since then, service meshes and Istio have grown in popularity, and I am happy to have learnt about it first hand from Dan.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, what is a service mesh? A service mesh is <em>an infrastructure component that helps manage inter-service communication<\/em>. In other words, it&#8217;s a transparent piece of technology that offloads certain logic of inter-service communication out of your application code and into the service mesh. A good example of that logic is retry logic when calling an API. Without a service mesh, you&#8217;d have to implement that in your application code. 
With a service mesh, you can offload that retry logic to the mesh and use a retry policy defined there (<a href=\"https:\/\/istio.io\/latest\/docs\/concepts\/traffic-management\/#retries\">example in Istio<\/a>).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A service mesh is typically used in a Kubernetes environment, although you can use it in non-Kubernetes environments as well. In a Kubernetes cluster, a service mesh is typically implemented using the <em>sidecar<\/em> pattern. A sidecar is a container that gets added to an application pod to add additional functionality, in this case the service mesh functionality.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"811\" height=\"401\" src=\"\/wp-content\/uploads\/2020\/08\/image-6.png\" alt=\"\" class=\"wp-image-1203\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-6.png 811w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-6-300x148.png 300w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-6-768x380.png 768w\" sizes=\"auto, (max-width: 811px) 100vw, 811px\" \/><figcaption>The traffic flows through the service mesh sidecars, which add functionality to the application.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This sidecar proxy can be a number of things. Envoy is a popular option as a sidecar, and it is the sidecar used by Istio (and by the Open Service Mesh as well). Envoy is a proxy originally developed by Lyft. Envoy is similar in functionality to Nginx or HAProxy, for instance. However, Envoy has some distinct advantages, including high performance processing and a centralized configuration management system. Envoy isn&#8217;t the only sidecar that can be used; other options include nginx or linkerd2. 
Often, each service mesh will have a default\/preferred sidecar proxy.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There are a number of popular service meshes out there. Istio is the most popular one. Istio is a project originally created by Google, IBM and Lyft. Although it&#8217;s the most popular service mesh, there is <a href=\"https:\/\/arstechnica.com\/information-technology\/2020\/07\/google-says-trademarks-should-be-open-source-too-ibm-disagrees\/\">a little commotion right now in the open source community<\/a> around how Google created a new foundation called the Open Usage Commons to donate Istio to, rather than donating Istio to the CNCF. Istio isn&#8217;t the only service mesh. Other popular meshes include Linkerd, Consul and Maesh.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The service mesh space is still in its early stages. Each service mesh has its own advantages and disadvantages. However, switching from one mesh to another isn&#8217;t very straightforward. This is because each mesh has its own configuration language and syntax. This is the problem that the SMI spec tries to solve. Let&#8217;s explore the SMI spec in the next section.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The SMI spec<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The Service Mesh Interface (SMI) specification (spec) is a standard interface for service meshes running on Kubernetes. If you&#8217;re familiar with the Ingress resource in Kubernetes, SMI is to service meshes what Ingress is to reverse proxies. By that I mean it&#8217;s a standardized way to configure multiple backend implementations. This has the benefit that you don&#8217;t have to learn the specifics of a particular implementation, and you can simply use the SMI spec to configure your service mesh.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft initially created the SMI spec in May of 2019 and donated the spec to the CNCF in April of 2020. 
Right now, 4 meshes implement the SMI spec:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Istio (via adaptor)<\/li><li>Linkerd<\/li><li>Consul Connect (via adaptor)<\/li><li>Maesh<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">And there&#8217;s a new mesh joining these 4 meshes: the Open Service Mesh. Let&#8217;s have a look at Open Service Mesh:<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Open Service Mesh<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Open Service Mesh (OSM) is a new service mesh that uses Envoy sidecar proxies and leverages the SMI spec for configuration. Although the service mesh is only a couple of days old (publicly), it already implements a number of features (taken from the website of OSM):<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Easily and transparently configure&nbsp;<strong>traffic shifting<\/strong>&nbsp;for deployments<\/li><li>Secure end-to-end service to service communication by&nbsp;<strong>enabling mTLS<\/strong> (mTLS, or mutual TLS, encrypts traffic between services and authenticates both the source and the destination with certificates)<\/li><li>Define and execute fine grained&nbsp;<strong>access control policies<\/strong>&nbsp;for services<\/li><li>Observability and insights into application metrics for&nbsp;<strong>debugging and monitoring<\/strong>&nbsp;services<\/li><li>Integrate with external&nbsp;<strong>certificate management<\/strong>&nbsp;services\/solutions with a pluggable interface<\/li><li>Onboard applications onto the mesh by enabling&nbsp;<strong>automatic sidecar injection<\/strong>&nbsp;of Envoy proxy<\/li><li><strong>Flexible<\/strong>&nbsp;enough to handle both simple and complex scenarios through SMI and Envoy XDS APIs<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">So why don&#8217;t we go ahead and install OSM in a Kubernetes cluster?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Getting started with OSM<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">I&#8217;ll install OSM on an existing cluster I&#8217;ve got in Azure. 
OSM requires a Kubernetes cluster running v1.15.0 or higher and a kubeconfig that points to that cluster.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"675\" height=\"116\" src=\"\/wp-content\/uploads\/2020\/08\/image-10.png\" alt=\"\" class=\"wp-image-1210\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-10.png 675w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-10-300x52.png 300w\" sizes=\"auto, (max-width: 675px) 100vw, 675px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The next step is to download the osm binary. I&#8217;ll download v0.2.0, but I highly encourage you to <a href=\"https:\/\/github.com\/openservicemesh\/osm\/releases\">check out GitHub<\/a> to download the latest version.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/github.com\/openservicemesh\/osm\/releases\/download\/v0.2.0\/osm-v0.2.0-linux-amd64.tar.gz\ntar -xvzf osm-v0.2.0-linux-amd64.tar.gz\nsudo mv linux-amd64\/osm \/usr\/local\/bin\/osm\nrm -rf linux-amd64<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And then we have one step remaining: installing osm.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>osm install<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Which results in OSM being installed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"906\" height=\"588\" src=\"\/wp-content\/uploads\/2020\/08\/image-11.png\" alt=\"\" class=\"wp-image-1211\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-11.png 906w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-11-300x195.png 300w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-11-768x498.png 768w\" sizes=\"auto, (max-width: 906px) 100vw, 906px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">That was very un-exciting. 
But now that we have OSM installed, we can explore a demo application, which will be a lot more exciting!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Running a demo application with OSM<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Basic setup<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The team behind OSM has been kind enough to create a full demo application (for those familiar with Istio, you might see a common theme here). Let&#8217;s walk through this. We&#8217;ll create a couple of namespaces and deploy a couple of applications:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/github.com\/openservicemesh\/osm\/raw\/main\/img\/book-thief-app-topology.jpg\" alt=\"Bookstore Application Topology\"\/><figcaption>The outline of the demo application.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s get started with this. First, we&#8217;ll need to clone the repo of osm locally and navigate into the directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>git clone https:\/\/github.com\/openservicemesh\/osm.git\ncd osm<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now, we&#8217;ll create 4 namespaces and onboard those 4 namespaces to OSM:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>for i in bookstore bookbuyer bookthief bookwarehouse; do kubectl create ns $i; done\nfor i in bookstore bookbuyer bookthief bookwarehouse; do osm namespace add $i; done<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then we&#8217;ll deploy the 4 applications. Their configuration is in the <code>docs\/example\/manifests\/apps\/<\/code> directory. Let&#8217;s have a look at what&#8217;s in that directory. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"771\" height=\"145\" src=\"\/wp-content\/uploads\/2020\/08\/image-12.png\" alt=\"\" class=\"wp-image-1213\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-12.png 771w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-12-300x56.png 300w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-12-768x144.png 768w\" sizes=\"auto, (max-width: 771px) 100vw, 771px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">As you can see, there are 4 YAML files defining the applications, and then a traffic-split.yaml file. I assume this contains the configuration for the service mesh. Let&#8217;s explore what&#8217;s in that file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: split.smi-spec.io\/v1alpha2\nkind: TrafficSplit\nmetadata:\n  name: bookstore-split\n  namespace: bookstore\nspec:\n  service: bookstore.bookstore # &lt;root-service>.&lt;namespace>\n  backends:\n  - service: bookstore-v1\n    weight: 100<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And indeed, this is SMI configuration. 
As you can see here as well, there&#8217;s no configuration specific to OSM; this simply follows the SMI spec.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s deploy everything that&#8217;s contained in that folder and see what happens.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl create -f docs\/example\/manifests\/apps\/<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"406\" src=\"\/wp-content\/uploads\/2020\/08\/image-26-1024x406.png\" alt=\"\" class=\"wp-image-1229\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-26-1024x406.png 1024w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-26-300x119.png 300w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-26-768x304.png 768w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-26.png 1226w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Objects created by creating the application.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This has created a whole number of objects in Kubernetes. To see the actual application that is deployed, we can set up port forwarding and explore the application itself. 
It&#8217;s recommended to do this in a different terminal window, so you keep using the primary window for the tutorial.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp .env.example .env\n.\/scripts\/port-forward-all.sh<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This will make the following endpoints available on your localhost:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"http:\/\/localhost:8080\/\">http:\/\/localhost:8080<\/a>&nbsp;&#8211;&nbsp;<strong>Bookbuyer<\/strong><\/li><li><a href=\"http:\/\/localhost:8081\/\">http:\/\/localhost:8081<\/a>&nbsp;&#8211;&nbsp;<strong>bookstore-v1<\/strong><\/li><li><a href=\"http:\/\/localhost:8083\/\">http:\/\/localhost:8083<\/a>&nbsp;&#8211;&nbsp;<strong>bookthief<\/strong><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This is what these services look like right now:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/wp-content\/uploads\/2020\/08\/image-14-1024x566.png\" alt=\"\" class=\"wp-image-1215\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-14-1024x566.png 1024w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-14-300x166.png 300w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-14-768x425.png 768w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-14.png 1186w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>The front-ends deployed without traffic.<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Allowing traffic<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If the services could communicate to each other, we should see counters increase. However, right now there&#8217;s no traffic allowed between the three services, meaning no books are being bought\/stolen. We can change this by applying an access control policy. 
An example policy is stored in the <code>docs\/example\/manifests\/access\/ <\/code>directory. Let&#8217;s have a look at this before we create it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kind: TrafficTarget\napiVersion: access.smi-spec.io\/v1alpha2\nmetadata:\n  name: bookstore-v1\n  namespace: bookstore\nspec:\n  destination:\n    kind: ServiceAccount\n    name: bookstore-v1\n    namespace: bookstore\n  rules:\n  - kind: HTTPRouteGroup\n    name: bookstore-service-routes\n    matches:\n    - buy-a-book\n    - books-bought\n  sources:\n  - kind: ServiceAccount\n    name: bookbuyer\n    namespace: bookbuyer\n  #- kind: ServiceAccount\n    #name: bookthief\n    #namespace: bookthief\n---\napiVersion: specs.smi-spec.io\/v1alpha3\nkind: HTTPRouteGroup\nmetadata:\n  name: bookstore-service-routes\n  namespace: bookstore\nspec:\n  matches:\n  - name: books-bought\n    pathRegex: \/books-bought\n    methods:\n    - GET\n    headers:\n    - host: \"bookstore.bookstore\"\n    - \"user-agent\": \".*-http-client\/*.*\"\n    - \"client-app\": \"bookbuyer\"\n  - name: buy-a-book\n    pathRegex: \".*a-book.*new\"\n    methods:\n    - GET\n    headers:\n    - host: \"bookstore.bookstore\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">There&#8217;s a couple of things in this definition:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>First, the bookthief service account isn&#8217;t allowed anything since that portion is commented out.<\/li><li>Secondly, you can see we are creating two objects: a HTTPRouteGroup and a TrafficTarget. <ul><li> A&nbsp;<code>TrafficTarget<\/code>&nbsp;associates a set of traffic definitions (rules) with a service identity which is allocated to a group of pods. <\/li><li>A <code>HTTPRouteGroup<\/code> is used to describe HTTP\/1 and HTTP\/2 traffic. It enumerates the routes that can be served by an application. 
<\/li><\/ul><\/li><li>In our case, what we&#8217;re seeing is:<ul><li>We&#8217;re creating a <code>TrafficTarget<\/code> with the destination bookstore-v1, whose rules match two routes (buy-a-book and books-bought) from the bookstore-service-routes <code>HTTPRouteGroup<\/code>. <\/li><li>The source right now is just the service account bookbuyer, not the thief (since he is commented out).<\/li><li>Below that, we create the <code>HTTPRouteGroup<\/code>, describing the routes (path, methods and headers) that make up the allowed traffic.<\/li><\/ul><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s create this now:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl create -f docs\/example\/manifests\/access\/<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Once the access policy is created, you should see the counters increment, meaning books are getting bought and sold, but none are being stolen just yet.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"661\" src=\"\/wp-content\/uploads\/2020\/08\/image-15-1024x661.png\" alt=\"\" class=\"wp-image-1216\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-15-1024x661.png 1024w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-15-300x194.png 300w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-15-768x496.png 768w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-15-1536x991.png 1536w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-15-2048x1322.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Counters increment as traffic starts flowing.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s now enable our book thief. To do this, we&#8217;ll uncomment those three lines in the <code>docs\/example\/manifests\/access\/traffic-access.yaml<\/code> file. 
<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kind: TrafficTarget\napiVersion: access.smi-spec.io\/v1alpha2\nmetadata:\n  name: bookstore-v1\n  namespace: bookstore\nspec:\n  destination:\n    kind: ServiceAccount\n    name: bookstore-v1\n    namespace: bookstore\n  rules:\n  - kind: HTTPRouteGroup\n    name: bookstore-service-routes\n    matches:\n    - buy-a-book\n    - books-bought\n  sources:\n  - kind: ServiceAccount\n    name: bookbuyer\n    namespace: bookbuyer\n  - kind: ServiceAccount\n    name: bookthief\n    namespace: bookthief<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We can then apply this new TrafficTarget using:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl apply -f docs\/example\/manifests\/access\/traffic-access.yaml<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1009\" height=\"64\" src=\"\/wp-content\/uploads\/2020\/08\/image-17.png\" alt=\"\" class=\"wp-image-1218\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-17.png 1009w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-17-300x19.png 300w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-17-768x49.png 768w\" sizes=\"auto, (max-width: 1009px) 100vw, 1009px\" \/><figcaption>Allowing the thief to also access the bookstore<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And pretty soon, we&#8217;ll see our bookthief in action.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"660\" src=\"\/wp-content\/uploads\/2020\/08\/image-18-1024x660.png\" alt=\"\" class=\"wp-image-1219\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-18-1024x660.png 1024w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-18-300x193.png 300w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-18-768x495.png 768w, 
https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-18-1536x990.png 1536w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-18-2048x1320.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>The thief is now able to access the bookstore service.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s do a quick recap of what we&#8217;ve done up to this point:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>We&#8217;ve set up OSM in our cluster.<\/li><li>We created 4 namespaces, and onboarded those to the OSM mesh.<\/li><li>We created an application, and saw that traffic was blocked by default.<\/li><li>We created a traffic policy using the TrafficTarget and HTTPRouteGroup objects to allow specific traffic in our mesh.<\/li><\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">In the second part of the demo, we&#8217;ll create a new version of our bookstore (bookstore-v2), and we&#8217;ll be able to shift traffic from one version to the other.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Traffic splitting<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In this section we&#8217;ll deploy a new version of the bookstore, and slowly direct all the traffic towards it. To start, let&#8217;s deploy the second version of the bookstore.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl apply -f docs\/example\/manifests\/bookstore-v2\/<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">In the terminal window where we&#8217;re doing the port-forwarding, we&#8217;ll need to stop the script and start it again so that it also port-forwards to the second version of the bookstore.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can see the counters increase, but you&#8217;ll also see that the second bookstore isn&#8217;t selling any copies. This is because the TrafficSplit is configured to direct 100% of the traffic to the primary bookstore. 
We can verify this by inspecting that object:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl get trafficsplit bookstore-split -n bookstore<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"389\" src=\"\/wp-content\/uploads\/2020\/08\/image-19-1024x389.png\" alt=\"\" class=\"wp-image-1220\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-19-1024x389.png 1024w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-19-300x114.png 300w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-19-768x292.png 768w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-19.png 1176w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>All traffic going to bookstore-v1<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We can redirect some traffic to the v2 by applying the <code>docs\/example\/manifests\/split-v2\/traffic-split-v2.yaml<\/code> file. Let&#8217;s first have a look at what&#8217;s in that file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: split.smi-spec.io\/v1alpha2\nkind: TrafficSplit\nmetadata:\n  name: bookstore-split\n  namespace: bookstore\nspec:\n  service: bookstore.bookstore # &lt;root-service>.&lt;namespace>\n  backends:\n  - service: bookstore-v1\n    weight: 0\n  - service: bookstore-v2\n    weight: 100<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">As you can see, this redirects 100% of the traffic to the v2. 
Let&#8217;s apply this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl apply -f docs\/example\/manifests\/split-v2\/traffic-split-v2.yaml<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And immediately you should see only the v2 counters increase:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"662\" src=\"\/wp-content\/uploads\/2020\/08\/image-20-1024x662.png\" alt=\"\" class=\"wp-image-1221\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-20-1024x662.png 1024w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-20-300x194.png 300w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-20-768x496.png 768w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-20-1536x993.png 1536w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-20-2048x1324.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Bookstore-v2 getting all the traffic.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We could also do partial traffic splitting, and for instance do a 50\/50 split. 
To configure this, let&#8217;s quickly edit the TrafficSplit and set both backend weights to 50 using:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl edit trafficsplit bookstore-split -n bookstore<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"456\" src=\"\/wp-content\/uploads\/2020\/08\/image-21-1024x456.png\" alt=\"\" class=\"wp-image-1222\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-21-1024x456.png 1024w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-21-300x134.png 300w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-21-768x342.png 768w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-21.png 1178w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And with this 50\/50 split, we should see both bookstores increasing at about the same rate:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"659\" src=\"\/wp-content\/uploads\/2020\/08\/image-22-1024x659.png\" alt=\"\" class=\"wp-image-1223\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-22-1024x659.png 1024w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-22-300x193.png 300w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-22-768x494.png 768w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-22-1536x988.png 1536w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-22-2048x1317.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Splitting traffic between bookstore-v1 and bookstore-v2<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">So, let&#8217;s recap what we did here:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>We set up a new bookstore<\/li><li>We first sent 100% of the traffic to the new bookstore. 
We could see only bookstore-v2 update.<\/li><li>Afterwards we did a 50\/50 traffic split, and we saw that both bookstores received roughly equal portions of traffic.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, in this demo application, let&#8217;s have a look at some of the monitoring that comes built-in with OSM.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Monitoring traffic<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">OSM comes pre-installed with Prometheus, Grafana and Zipkin. These tools allow you to create graphs about your traffic (Prometheus\/Grafana) and do distributed tracing (Zipkin).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To access Grafana, you can browse to localhost:3000. The default login is admin\/admin. In Grafana, open the dashboard management view:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"282\" height=\"410\" src=\"\/wp-content\/uploads\/2020\/08\/image-23.png\" alt=\"\" class=\"wp-image-1224\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-23.png 282w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-23-206x300.png 206w\" sizes=\"auto, (max-width: 282px) 100vw, 282px\" \/><figcaption>Access the Grafana dashboards.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s have a look at the service-to-service data plane metrics.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/wp-content\/uploads\/2020\/08\/image-24.png\" alt=\"\" class=\"wp-image-1225\" width=\"580\" height=\"326\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-24.png 971w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-24-300x169.png 300w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-24-768x433.png 768w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><figcaption>Looking at service to service 
traffic.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We can configure this dashboard to show us traffic between different systems\/services. If we configure it to monitor traffic between bookbuyer and bookstore-v1, we&#8217;ll clearly see where we had 100% of the traffic flowing and where we had 50% of the traffic flowing. Additionally, this default dashboard shows us request latencies and a couple of other metrics. Since this is an open tool, you are free to configure it to contain the metrics that are relevant for you.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/wp-content\/uploads\/2020\/08\/image-25-1024x1002.png\" alt=\"\" class=\"wp-image-1226\" width=\"580\" height=\"567\" srcset=\"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-25-1024x1002.png 1024w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-25-300x294.png 300w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-25-768x752.png 768w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-25-60x60.png 60w, https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-25.png 1186w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><figcaption>The service-to-service dashboard. You can clearly see the traffic shift from buyer to bookstore v1, first at 100%, then at 0% and then at 50%.<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Summary<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We had a look at the Open Service Mesh in this blog post. OSM is a new service mesh that uses Envoy proxies and follows the SMI spec completely. We deployed the demo application, and deployed a couple of policies.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I had fun deploying the demo application and playing around with the policies. 
It was pretty straightforward to configure things, and the built-in monitoring certainly was nice as well.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It caugt me a little by surprise last week when Microsoft released a Service Mesh: We are beyond excited to introduce Open Service Mesh (OSM), a lightweight and extensible #servicemesh that implements @SMI_spec and runs on @kubernetesio @EnvoyProxy! Check out what we&#8217;ve been up to here:https:\/\/t.co\/l6fy4OUorO \u2014 Open Service Mesh (@openservicemesh) August 5, 2020 The [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1226,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3,58,36,5],"tags":[18,141,16,140,142],"class_list":["post-1202","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops","category-kubernetes","category-networking","category-open-source","tag-kubernetes","tag-open-service-mesh","tag-open-source","tag-service-mesh","tag-smi-spec"],"jetpack_featured_media_url":"https:\/\/nillsfblog.blob.core.windows.net\/media\/2020\/08\/image-25.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/posts\/1202","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/comments?post=1202"}],"version-history":[{"count":6,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/posts\/1202\/revisions"}],"predecessor-version":[{"id":1232,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/posts\/1202\/revisions\/1232"}],"wp:
featuredmedia":[{"embeddable":true,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/media\/1226"}],"wp:attachment":[{"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/media?parent=1202"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/categories?post=1202"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/tags?post=1202"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}