Build and deploy cloud native Java microservices on Kubernetes with Istio service mesh

Istio is one of the most popular service mesh solutions available today. In this deep-dive session we look at how to build and deploy Java microservices to the cloud using Istio, Kubernetes, JHipster, and Spring Cloud.

Istio moves the responsibility for service discovery, load balancing, circuit breaking, monitoring, and so on from the application to the platform (Kubernetes), letting developers focus on business code. Setting it up, however, can be daunting for beginners and pros alike. In this session we take a deep dive into how Istio works and learn how to use its features: load balancing, canary deployments, A/B testing, and more.

What you will learn:

What is a service mesh, how does Istio work, and what features does it offer
How to build Java microservices quickly using JHipster
How to add Istio support to your Java microservices
Set up Istio on a Kubernetes installation (for example on Google Cloud)
Set up observability and monitoring for the Kubernetes + Istio cluster
Deploy microservices to Kubernetes
How to use different Istio features like load balancing, canary deployments, A/B testing, routing, and traffic splits
Security options for Java + Spring + Istio

Deepu K Sasidharan

October 10, 2022

Transcript

  1. @deepu105 @oktaDev
     Build and deploy cloud native Java microservices on Kubernetes with Istio service mesh
     Deepu K Sasidharan, @deepu105 | deepu.tech
  2. Hi, I'm Deepu K Sasidharan
     - JHipster co-lead developer
     - Java Champion
     - Creator of KDash, JDL Studio
     - Developer Advocate @ Auth0 by Okta
     - Polyglot dev, OSS aficionado, author, speaker
     @deepu105 | deepu.tech | deepu105 | deepu05
  3. What does Istio do?
     - Secure service-to-service communication
     - Service discovery
     - Automatic load balancing
     - Routing, circuit breaking, retries, fail-overs, fault injection
     - Policy layer for access control, rate limiting, A/B testing, canary rollouts, traffic splits, and quotas
     - Automatic metrics, logs, and traces
  4. Prerequisite - Kubernetes Cluster
     Create GCP project:
       $ gcloud config set compute/region europe-west1
       $ gcloud config set compute/zone europe-west1-b
       $ gcloud projects create istio-demo
       (Enable billing via the GUI)
       $ gcloud config set project istio-demo
       $ gcloud services enable container.googleapis.com
     Create GKE cluster:
       $ gcloud container clusters create hello-hipster \
           --num-nodes 4 \
           --machine-type n1-standard-2
     Set credentials:
       $ gcloud container clusters get-credentials hello-hipster
  5. Prerequisite - Istio
     Install Istio:
       $ cd ~/
       $ export ISTIO_VERSION=1.15.1
       $ curl -L https://istio.io/downloadIstio | sh -
       $ cd istio-$ISTIO_VERSION
       $ export PATH=$PWD/bin:$PATH
     ISTIO_VERSION pins the release the download script fetches. The script is piped straight into your shell, so review it first, or fetch the release archive from the Istio releases page yourself.
  6. Prerequisite - Istio
     Install Istio in the GKE cluster:
       $ istioctl install --set profile=demo -y
     Get the ingress gateway external IP:
       $ kubectl get svc istio-ingressgateway -n istio-system
     Note: the ingress IP (the EXTERNAL-IP column) is required later while deploying our apps.
     The demo profile is intended for evaluation and tutorials, not production: it installs every component with minimal resource requests. Mesh-wide mTLS starts in PERMISSIVE mode with any profile, so plaintext clients are still accepted until a PeerAuthentication policy says otherwise.
  7. Prerequisite - Addons
     Install Istio addons in the GKE cluster:
       $ cd istio-$ISTIO_VERSION
       $ kubectl apply -f samples/addons/grafana.yaml
       $ kubectl apply -f samples/addons/prometheus.yaml
       $ kubectl apply -f samples/addons/kiali.yaml
       $ kubectl apply -f samples/addons/extras/zipkin.yaml
  8. JHipster in the wild
     Most popular Rapid Application Development platform for Java web applications and microservices
     - 20k+ stars, 40k projects and 600+ contributors on GitHub
     - 2M+ installations & 20k+ app generations per month
     - 300k+ overall users
     - 300+ companies using JHipster
     - 150+ plugins
  9. What can you actually do with JHipster?
     - Generate simple monolith web applications
     - Generate complete microservice architectures
     - Generate domain models (entities)
     - Generate CI/CD pipelines
     - Deploy to the cloud or containers
     - And lots more
  10. Code quality & developer experience
      - Developer experience oriented
      - Production grade code quality (look at our Sonar scores)
      - Best practices for any combination of options selected
      - Fully working CRUD apps out of the box
      - Production grade security
      - You only have to write business logic and design the UX
  11. Install JHipster
      $ npm install -g generator-jhipster
      $ jhipster download microservice-ecommerce-store-istio-deployment.jdl
      or
      $ git clone https://github.com/oktadev/okta-java-spring-k8s-istio-microservices-example.git
      Note: I'm using JHipster version v7.9.3
  12. JDL - JHipster Domain Language
      JDL: http://bit.ly/istio-jdl
      Reference: https://www.jhipster.tech/jdl/
      Studio: https://start.jhipster.tech/jdl-studio/
      Samples: https://github.com/jhipster/jdl-samples
  13. Build & Push images
      $ ./gradlew bootJar -Pprod jib -Djib.to.image=deepu105/store
      $ ./gradlew bootJar -Pprod jib -Djib.to.image=deepu105/invoice
      $ ./gradlew bootJar -Pprod jib -Djib.to.image=deepu105/product
      $ ./gradlew bootJar -Pprod jib -Djib.to.image=deepu105/notification
      Jib pushes straight to the registry named in -Djib.to.image, so replace the deepu105 namespace with a registry you own and are logged in to, and keep the same image names in the Kubernetes manifests.
  14. Manual sidecar injection
      Command:
        $ istioctl kube-inject -f kubernetes/my-deployment.yaml
      Result:
        spec:
          containers:
          - image: deepu105/my-app:1.0
            ...
          - image: docker.io/istio/proxyv2:1.15.1
            name: istio-proxy
            ...
          initContainers:
          ...
          - image: docker.io/istio/proxyv2:1.15.1
            name: istio-init
            ...
  15. Automatic sidecar injection
      Command:
        $ kubectl label namespace <namespace> istio-injection=enabled --overwrite=true
        # To verify
        $ kubectl get namespace -L istio-injection
      The label only affects pods created after it is set; existing deployments need a rollout restart before they get a sidecar.
  16. Istio Virtual Services
      apiVersion: networking.istio.io/v1beta1
      kind: VirtualService
      metadata:
        name: store-virtualservice
        namespace: jhipster
      spec:
        hosts:
        - store
        http:
        - route:
          - destination:
              host: store
              subset: "v1"
            weight: 100
          retries:
            attempts: 3
            perTryTimeout: 2s
  17. Istio Destination Rules
      apiVersion: networking.istio.io/v1beta1
      kind: DestinationRule
      metadata:
        name: store-destinationrule
      spec:
        host: store
        trafficPolicy:
          loadBalancer:
            simple: RANDOM
          connectionPool:
            tcp:
              maxConnections: 30
              connectTimeout: 100ms
            http:
              maxRetries: 5
          outlierDetection:
            consecutive5xxErrors: 5
            interval: 30s
            baseEjectionTime: 60s
        subsets:
        - name: v1
          labels:
            version: "v1"
  18. Istio Gateways
      apiVersion: networking.istio.io/v1beta1
      kind: Gateway
      metadata:
        name: store-gateway
        labels:
          gateway: store-gateway
      spec:
        selector:
          istio: ingressgateway
        servers:
        - port:
            number: 80
            name: http
            protocol: HTTP
          hosts:
          - store.jhipster.35.240.66.252.nip.io
        - port:
            number: 80
            name: http2
            protocol: HTTP2
          hosts:
          - store.jhipster.35.240.66.252.nip.io
      Both servers here accept plaintext; the demo exposes the store over HTTP on the ingress IP. For anything beyond a demo, add a server on port 443 with tls.mode SIMPLE and a credentialName referencing a TLS secret in istio-system, and route the port 80 server to it with httpsRedirect.
  19. Istio Service Entries
      apiVersion: networking.istio.io/v1alpha3
      kind: ServiceEntry
      metadata:
        name: svc-entry
      spec:
        hosts:
        - ext-svc.example.com
        ports:
        - number: 443
          name: https
          protocol: HTTPS
        location: MESH_EXTERNAL
        resolution: DNS
  20. Istio Sidecars
      apiVersion: networking.istio.io/v1alpha3
      kind: Sidecar
      metadata:
        name: default
        namespace: bookinfo
      spec:
        egress:
        - hosts:
          - "./*"
          - "istio-system/*"
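A ServiceEntry and a Sidecar egress list only act as an allowlist when the outbound traffic policy is REGISTRY_ONLY. With the default ALLOW_ANY, which the demo profile keeps, the sidecar passes traffic to any host whether or not a ServiceEntry exists, so the entries above are documentation rather than enforcement. The manifests below are an added example, not from the deck or the JHipster-generated Kubernetes files. They assume the jhipster namespace from the deck and use dev-123456.okta.com as a placeholder for the OIDC issuer the apps are configured against (the Spring apps contact it for OpenID discovery and JWKS at startup, so cutting egress without a ServiceEntry for it makes them fail to start):

```yaml
# Added example (not from the deck): turn egress into an allowlist for the jhipster namespace.
# Assumptions: namespace "jhipster" as in the deck; "dev-123456.okta.com" stands in for the
# real OIDC issuer host configured in the JHipster apps.

# 1. Sidecar with REGISTRY_ONLY: the proxy now only forwards to destinations it knows, i.e.
#    Kubernetes Services and ServiceEntries visible to this namespace. Everything else is sent
#    to Envoy's BlackHoleCluster instead of being passed through.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: jhipster
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
  - hosts:
    - "./*"              # Services and ServiceEntries in this namespace
    - "istio-system/*"   # control plane and ingress gateway
---
# 2. ServiceEntry for the single external host the apps are allowed to reach.
#    TLS is still originated by the application; the mesh only admits the TCP connection.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: oidc-issuer
  namespace: jhipster
spec:
  hosts:
  - dev-123456.okta.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 443
    name: https
    protocol: HTTPS
```

Apply both with kubectl apply -f and test from any sidecar-injected pod in the namespace: a plain-HTTP curl to an unlisted host now returns a 502 from the black-hole cluster and a TLS connection to an unlisted host is reset (curl exits with code 35), while https://dev-123456.okta.com still connects. To enforce the same thing for the whole mesh rather than one namespace, install with --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY instead of using the Sidecar field.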
  21. Deploy to GKE
      $ cd kubernetes
      $ ./kubectl-apply.sh -f
      $ watch kubectl get pods -n jhipster
      // or use KDash 😉
  22. Traffic shift
      DestinationRule:
        apiVersion: networking.istio.io/v1beta1
        kind: DestinationRule
        metadata:
          name: store-destinationrule
          namespace: jhipster
        spec:
          host: store
          trafficPolicy:
            ...
          subsets:
          - name: v1
            labels:
              version: "v1"
          - name: v2
            labels:
              version: "v2"
      VirtualService:
        apiVersion: networking.istio.io/v1beta1
        kind: VirtualService
        metadata:
          name: store-gw-virtualservice
          ..
        spec:
          hosts:
          - store.jhipster.35.240.66.252.nip.io
          gateways:
          - store-gateway
          http:
          ..
          - route:
            - destination:
                host: store
                subset: "v1"
              weight: 50
            - destination:
                host: store
                subset: "v2"
              weight: 50
  23. Routing
      apiVersion: networking.istio.io/v1beta1
      kind: VirtualService
      metadata:
        name: store-gw-virtualservice
        ..
      http:
        ..
        - match:
          - uri:
              prefix: /
            headers:
              user-agent:
                regex: ".*Chrome.*"
          route:
          - destination:
              host: store
              subset: "v2"
        - match:
          - uri:
              prefix: /
          route:
          - destination:
              host: store
              subset: "v1"
      Routes are evaluated in order and the first match wins, so the user-agent match has to come before the catch-all prefix: / route or it would never be reached.
  24. Fault Injection
      Delay:
        apiVersion: networking.istio.io/v1beta1
        kind: VirtualService
        metadata:
          name: store-gw-virtualservice
          ..
        spec:
          hosts:
          - store.jhipster.35.240.66.252.nip.io
          gateways:
          - store-gateway
          http:
          - match:
            - uri:
                prefix: /
            route:
            - destination:
                host: store
                subset: "v1"
            fault:
              delay:
                percent: 100
                fixedDelay: 10s
      Abort:
        apiVersion: networking.istio.io/v1beta1
        kind: VirtualService
        metadata:
          name: store-gw-virtualservice
          ..
        spec:
          hosts:
          - store.jhipster.35.240.66.252.nip.io
          gateways:
          - store-gateway
          http:
          - match:
            - uri:
                prefix: /
            route:
            - destination:
                host: store
                subset: "v1"
            fault:
              abort:
                percent: 100
                httpStatus: 503
  25. Circuit Breaking
      DestinationRule:
        apiVersion: networking.istio.io/v1beta1
        kind: DestinationRule
        metadata:
          name: store-destinationrule
        spec:
          host: store
          trafficPolicy:
            loadBalancer:
              simple: RANDOM
            connectionPool:
              tcp:
                maxConnections: 30
                connectTimeout: 100ms
              http:
                http1MaxPendingRequests: 10
                http2MaxRequests: 100
                maxRequestsPerConnection: 10
                maxRetries: 5
            outlierDetection:
              consecutive5xxErrors: 5
              interval: 30s
              baseEjectionTime: 60s
      VirtualService:
        apiVersion: networking.istio.io/v1beta1
        kind: VirtualService
        metadata:
          name: store-virtualservice
          namespace: jhipster
        spec:
          hosts:
          - store
          http:
          - route:
            - destination:
                host: store
                subset: "v1"
              weight: 100
            retries:
              attempts: 3
              perTryTimeout: 2s
  26. Security components
      - A Certificate Authority (CA) for key and certificate management
      - The configuration API server distributes to the proxies:
        - authentication policies
        - authorization policies
        - secure naming information
      - Sidecar and perimeter proxies work as Policy Enforcement Points (PEPs) to secure communication between clients and servers
      - A set of Envoy proxy extensions to manage telemetry and auditing
  27. Authentication
      - Peer authentication: used for service-to-service authentication to verify the client making the connection. Istio offers mutual TLS as a full-stack solution for transport authentication.
      - Request authentication: used for end-user authentication to verify the credential attached to the request. Enabled using JWT validation, a custom authentication provider, or any OpenID Connect provider, for example:
        - Keycloak
        - Okta
        - Auth0
        - Firebase Auth
        - Google Auth
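Two things on this slide are easy to get wrong in practice. Mesh-wide mTLS starts in PERMISSIVE mode, so a plaintext client is still accepted until a PeerAuthentication says STRICT. And a RequestAuthentication on its own only rejects invalid tokens: a request that carries no token at all passes through with no principal, so an AuthorizationPolicy is what actually requires one. The manifests below are an added example, not from the deck or from the JHipster-generated files, enforcing both for the invoice service. Assumptions, also marked in the comments: the jhipster namespace from the deck; pods labelled app: store and app: invoice; the store deployment running under its own ServiceAccount named store (if every deployment uses the namespace's default account they all share one identity and cannot be told apart); and the apps generated with OIDC login so that the store gateway relays the user's access token to invoice as a Bearer JWT, with the issuer and audience as placeholders for your provider:

```yaml
# Added example (not from the deck or the JHipster-generated manifests).
# Assumptions: namespace "jhipster" (from the deck); pod labels app: store / app: invoice;
# store runs under ServiceAccount "store"; the store gateway forwards the user's access token
# to invoice as "Authorization: Bearer <jwt>"; issuer/audience below are placeholders.

# 1. Peer authentication: every workload in the namespace must be reached over mTLS.
#    STRICT rejects plaintext from clients outside the mesh; PERMISSIVE (the default) accepts it.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: jhipster
spec:
  mtls:
    mode: STRICT
---
# 2. Request authentication: validate the relayed end-user JWT at the invoice sidecar.
#    istiod (not the sidecar) fetches jwksUri, so istiod needs egress to the issuer.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: invoice-jwt
  namespace: jhipster
spec:
  selector:
    matchLabels:
      app: invoice
  jwtRules:
  - issuer: "https://dev-123456.okta.com/oauth2/default"
    jwksUri: "https://dev-123456.okta.com/oauth2/default/v1/keys"
    audiences:
    - "api://default"
    forwardOriginalToken: true   # the Spring app still receives the token for its own checks
---
# 3. Authorization: allow a request only when BOTH hold in the same source block (fields in
#    one source are ANDed): the caller's mTLS identity is the store ServiceAccount, and the
#    request carries a JWT that passed rule 2. Anything else gets 403 "RBAC: access denied".
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: invoice-store-with-jwt-only
  namespace: jhipster
spec:
  selector:
    matchLabels:
      app: invoice
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/jhipster/sa/store"]   # peer identity from mTLS
        requestPrincipals: ["*"]                             # any "<issuer>/<sub>" from rule 2
```

After kubectl apply -f, istioctl x describe pod <invoice-pod> -n jhipster shows the effective mTLS mode and authorization policy for the workload. A curl to invoice from a pod other than store, or from store without a Bearer token, is refused with 403 RBAC: access denied, while a token from an issuer that is not configured in the RequestAuthentication is refused earlier with 401. Check kubectl get pods after switching to STRICT as well: kubelet HTTP probes keep working only because the injector rewrites them to go through the pilot-agent, which is on by default in this release.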
  28. Istio extension ecosystem
      - Istio Ecosystem Wasm Extensions
      - Proxy-Wasm ABI specification
      - Proxy-Wasm C++ SDK
      - Proxy-Wasm Rust SDK
      - Proxy-Wasm AssemblyScript SDK
      - WebAssembly Hub
      - WebAssembly Extensions For Network Proxies (video)
  29. Is a service mesh worth it?
      + Kubernetes-native microservices
      + Reduced responsibilities for developers (service discovery, security, telemetry, etc.)
      + No need to write or maintain code for some of the complex parts of a microservice architecture
      + A/B testing, canary releases, and lots more
      - Complex to debug and to develop against locally
      - Slightly higher resource usage (CPU, memory)
      - Higher running costs
      - Policies tied to business logic might be trickier to express
  30. Thank You
      Deepu K Sasidharan, @deepu105 | deepu.tech
      https://deepu.tech/tags#java
      https://developer.auth0.com