Connect, secure, control, and observe services.

Overview

Istio

An open platform to connect, manage, and secure microservices.

  • For in-depth information about how to use Istio, visit istio.io
  • To ask questions and get assistance from our community, visit discuss.istio.io
  • To learn how to participate in our overall community, visit our community page

You'll find many other useful documents on our Wiki.

Introduction

Istio is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio's control plane provides an abstraction layer over the underlying cluster management platform, such as Kubernetes.

Istio is composed of these components:

  • Envoy - Sidecar proxies per microservice to handle ingress/egress traffic between services in the cluster and from a service to external services. The proxies form a secure microservice mesh providing a rich set of functions like discovery, rich layer-7 routing, circuit breakers, policy enforcement and telemetry recording/reporting functions.

    Note: The service mesh is not an overlay network. It simplifies and enhances how microservices in an application talk to each other over the network provided by the underlying platform.

  • Istiod - The Istio control plane. It provides service discovery, configuration and certificate management. It consists of the following sub-components:

    • Pilot - Responsible for configuring the proxies at runtime.

    • Citadel - Responsible for certificate issuance and rotation.

    • Galley - Responsible for validating, ingesting, aggregating, transforming and distributing config within Istio.

  • Operator - Provides user-friendly options to operate the Istio service mesh.

Repositories

The Istio project is divided across a few GitHub repositories:

  • istio/api. This repository defines component-level APIs and common configuration formats for the Istio platform.

  • istio/community. This repository contains information on the Istio community, including the various documents that govern the Istio open source project.

  • istio/istio. This is the main code repository. It hosts Istio's core components, install artifacts, and sample programs. It includes:

    • istioctl. This directory contains code for the istioctl command line utility.

    • operator. This directory contains code for the Istio Operator.

    • pilot. This directory contains platform-specific code to populate the abstract service model, dynamically reconfigure the proxies when the application topology changes, as well as translate routing rules into proxy specific configuration.

    • security. This directory contains security related code, including Citadel (acting as Certificate Authority), citadel agent, etc.

  • istio/proxy. The Istio proxy contains extensions to the Envoy proxy (in the form of Envoy filters) that support authentication, authorization, and telemetry collection.

Issue management

We use GitHub to track all of our bugs and feature requests. Each issue we track has a variety of metadata:

  • Epic. An epic represents a feature area for Istio as a whole. Epics are fairly broad in scope and are basically product-level things. Each issue is ultimately part of an epic.

  • Milestone. Each issue is assigned a milestone. This is 0.1, 0.2, ..., or 'Nebulous Future'. The milestone indicates when we think the issue should get addressed.

  • Priority. Each issue has a priority which is represented by the column in the Prioritization project. Priority can be one of P0, P1, P2, or >P2. The priority indicates how important it is to address the issue within the milestone. P0 says that the milestone cannot be considered achieved if the issue isn't resolved.

Issues
  • the pod doesn't run in remote cluster when using 'Install Istio with an External Control Plane' plan

    Pre-instructions: My K8s cluster doesn't support LoadBalancer

    istioctl version 1.12.6
    
    kubectl version 1.21.5
    
    

    1. Set up a gateway in the external cluster

    cat <<EOF > controlplane-gateway.yaml
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      namespace: istio-system
    spec:
      components:
        ingressGateways:
          - name: istio-ingressgateway
            enabled: true
            k8s:
              service:
                ports:
                  - port: 15021
                    targetPort: 15021
                    name: status-port
                  - port: 15012
                    targetPort: 15012
                    name: tls-xds
                  - port: 15017
                    targetPort: 15017
                    name: tls-webhook
    EOF
    

    the istio-ingressgateway in the external cluster:

    [[email protected] istio-1.12.6]# kubectl get svc -n istio-system 
    NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                           AGE
    istio-ingressgateway   NodePort    10.233.44.128   <none>        15021:31222/TCP,15012:30956/TCP,15017:31263/TCP   142m
    istiod                 ClusterIP   10.233.25.55    <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP             142m
    

    2. export EXTERNAL_ISTIOD_ADDR=external.sample.com
       Configure external.sample.com 100.76.x.x in /etc/hosts; 100.76.x.x is node's IP.

    3. export SSL_SECRET_NAME=external-credential
       external-credential is configured by kubectl create -n istio-system secret tls external-credential --key=external.sample.com.key --cert=external.sample.com.crt like https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/

    4. Set up the remote config cluster

    cat <<EOF > remote-config-cluster.yaml
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      namespace: external-istiod
    spec:
      profile: external
      values:
        global:
          istioNamespace: external-istiod
          configCluster: true
        pilot:
          configMap: true
        istiodRemote:
          injectionURL: https://external.sample.com:31263/inject/:ENV:cluster=cluster1:ENV:net=network1
        base:
          validationURL: https://external.sample.com:31263/validate
    EOF
    
    

    the port '31263' is nodePort of istio-ingressgateway

    5. Set up the control plane in the external cluster

    cat <<EOF > external-istiod.yaml
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      namespace: external-istiod
    spec:
      profile: empty
      meshConfig:
        rootNamespace: external-istiod
        defaultConfig:
          discoveryAddress: external.sample.com:30956
          proxyMetadata:
            XDS_ROOT_CA: /etc/ssl/certs/ca-certificates.crt
            CA_ROOT_CA: /etc/ssl/certs/ca-certificates.crt
      components:
        pilot:
          enabled: true
          k8s:
            overlays:
            - kind: Deployment
              name: istiod
              patches:
              - path: spec.template.spec.volumes[100]
                value: |-
                  name: config-volume
                  configMap:
                    name: istio
              - path: spec.template.spec.volumes[100]
                value: |-
                  name: inject-volume
                  configMap:
                    name: istio-sidecar-injector
              - path: spec.template.spec.containers[0].volumeMounts[100]
                value: |-
                  name: config-volume
                  mountPath: /etc/istio/config
              - path: spec.template.spec.containers[0].volumeMounts[100]
                value: |-
                  name: inject-volume
                  mountPath: /var/lib/istio/inject
            env:
            - name: INJECTION_WEBHOOK_CONFIG_NAME
              value: ""
            - name: VALIDATION_WEBHOOK_CONFIG_NAME
              value: ""
            - name: EXTERNAL_ISTIOD
              value: "true"
            - name: CLUSTER_ID
              value: cluster1
            - name: SHARED_MESH_CONFIG
              value: istio
      values:
        global:
          caAddress: external.sample.com:30956
          istioNamespace: external-istiod
          operatorManageWebhooks: true
          configValidation: false
          meshID: mesh1
    EOF
    

    6. Create the Istio Gateway, VirtualService, and DestinationRule configuration

    cat <<EOF > external-istiod-gw.yaml
    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: external-istiod-gw
      namespace: external-istiod
    spec:
      selector:
        istio: ingressgateway
      servers:
        - port:
            number: 15012
            protocol: https
            name: https-XDS
          tls:
            mode: SIMPLE
            credentialName: external-credential
          hosts:
          - external.sample.com
        - port:
            number: 15017
            protocol: https
            name: https-WEBHOOK
          tls:
            mode: SIMPLE
            credentialName: external-credential
          hosts:
          - external.sample.com
    ---
    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
       name: external-istiod-vs
       namespace: external-istiod
    spec:
        hosts:
        - external.sample.com
        gateways:
        - external-istiod-gw
        http:
        - match:
          - port: 15012
          route:
          - destination:
              host: istiod.external-istiod.svc.cluster.local
              port:
                number: 15012
        - match:
          - port: 15017
          route:
          - destination:
              host: istiod.external-istiod.svc.cluster.local
              port:
                number: 443
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: external-istiod-dr
      namespace: external-istiod
    spec:
      host: istiod.external-istiod.svc.cluster.local
      trafficPolicy:
        portLevelSettings:
        - port:
            number: 15012
          tls:
            mode: SIMPLE
          connectionPool:
            http:
              h2UpgradePolicy: UPGRADE
        - port:
            number: 443
          tls:
            mode: SIMPLE
    EOF
    
    

    Finally, deploy the sleep application in the remote cluster

    kubectl create  namespace sample
    kubectl label  namespace sample istio-injection=enabled
    kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.14/samples/sleep/sleep.yaml -n sample
    

    but, the pod is not running:

    [[email protected] istio-1.12.6]# kubectl get po -n sample
    No resources found in sample namespace.
    
    [[email protected] istio-1.12.6]# kubectl get event -n sample
    LAST SEEN   TYPE      REASON              OBJECT                        MESSAGE
    5s          Warning   FailedCreate        replicaset/sleep-557747455f   Error creating: Internal error occurred: failed calling webhook "namespace.sidecar-injector.istio.io": Post "https://external.sample.com:31263/inject/:ENV:cluster=cluster1:ENV:net=network1?timeout=10s": context deadline exceeded
    15s         Normal    ScalingReplicaSet   deployment/sleep              Scaled up replica set sleep-557747455f to 1
    
    opened by suwliang3 0
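
A consistency check for the endpoints configured in the issue above, as an added example that is not part of the original post or of Istio's code: it parses the PORT(S) column of the `kubectl get svc` output and confirms that each configured URL or address points at the NodePort mapped to the expected gateway port. The function names and the endpoint-to-port table are assumptions of this example; the sample values are copied from the post.

```python
"""Cross-check external-istiod endpoints against the gateway's NodePort mapping."""
from urllib.parse import urlsplit

# Values copied from the issue above (sample input, not live cluster state).
GATEWAY_PORTS = "15021:31222/TCP,15012:30956/TCP,15017:31263/TCP"
# name -> (configured value, gateway service port it should reach); table is an assumption.
ENDPOINTS = {
    "injectionURL": ("https://external.sample.com:31263/inject/:ENV:cluster=cluster1:ENV:net=network1", 15017),
    "validationURL": ("https://external.sample.com:31263/validate", 15017),
    "discoveryAddress": ("external.sample.com:30956", 15012),
    "caAddress": ("external.sample.com:30956", 15012),
}
EXPECTED_HOST = "external.sample.com"


def parse_port_column(column):
    """Turn '15017:31263/TCP,...' into {service_port: node_port}."""
    mapping = {}
    for entry in column.split(","):
        ports, _, _proto = entry.strip().partition("/")
        service_port, sep, node_port = ports.partition(":")
        if not sep:
            continue  # ClusterIP-style entry such as '443/TCP' has no NodePort
        mapping[int(service_port)] = int(node_port)
    return mapping


def split_endpoint(value):
    """Return (scheme, host, port) for a URL or a bare host:port address."""
    parts = urlsplit(value if "://" in value else "//" + value)
    return parts.scheme, parts.hostname, parts.port


def check_endpoints(port_column, endpoints, expected_host):
    """Return a list of problems; an empty list means the wiring is consistent."""
    node_ports = parse_port_column(port_column)
    problems = []
    for name, (value, service_port) in endpoints.items():
        scheme, host, port = split_endpoint(value)
        want = node_ports.get(service_port)
        if want is None:
            problems.append(f"{name}: gateway exposes no NodePort for {service_port}")
        elif port != want:
            problems.append(f"{name}: port {port} != NodePort {want} for {service_port}")
        if host != expected_host:
            problems.append(f"{name}: host {host} is not {expected_host}")
        # Kubernetes only accepts https URLs for admission webhooks.
        if name.endswith("URL") and scheme != "https":
            problems.append(f"{name}: webhook URL must use https, got {scheme!r}")
    return problems


if __name__ == "__main__":
    for line in check_endpoints(GATEWAY_PORTS, ENDPOINTS, EXPECTED_HOST) or ["consistent"]:
        print(line)
```

For the values in the post it returns no problems; it checks configuration consistency only, not whether the remote cluster's API server can reach that address.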
  • Refact authenticator

    Please provide a description of this PR:

    It is to merge the two different methods of Authenticator and wrap an AuthenticateRequest which can contain an HTTP request or gRPC context.

    size/L release-notes-none 
    opened by hzxuzhonghu 2
  • Make xds cache not cache the dependentConfigs, instead start up a thr…

    …ead which will cleanup in background

    Please provide a description of this PR:

    This is to resolve caching dependentConfigs, which costs too much memory.

    Will fix/add tests if this makes sense

    size/M release-notes-none 
    opened by hzxuzhonghu 3
  • [e2e]reorg telemetry tests

    Please provide a description of this PR:

    part of https://github.com/istio/istio/issues/39623

    • move most of tests to common folder
    • move utilities to package tests/integration/telemetry/util
    size/L release-notes-none 
    opened by zirain 0
  • Build issue in proxy

    Bug Description

    There's a build failure in istio proxy with -Wall and -Werror

    ./extensions/common/istio_dimensions.h:60:39: error: unnecessary parentheses in declaration of 'connection_security_policy' [-Werror=parentheses]
       60 | #define DEFINE_FIELD(name) std::string(name);

    Changing this to #define DEFINE_FIELD(name) std::string name;

    should fix this.

    Version

    not required
    

    Additional Information

    No response

    Affected product area

    • [ ] Docs
    • [ ] Installation
    • [ ] Networking
    • [ ] Performance and Scalability
    • [ ] Extensions and Telemetry
    • [ ] Security
    • [ ] Test and Release
    • [ ] User Experience
    • [ ] Developer Infrastructure
    • [ ] Upgrade
    • [ ] Multi Cluster
    • [ ] Virtual Machine
    • [ ] Control Plane Revisions

    Is this the right place to submit this?

    • [X] This is not a security vulnerability
    • [X] This is not a question about how to use Istio
    area/networking/envoy 
    opened by VivekSubr 1
Releases(1.14.1)