Posted on

Traffic Management With Istio (5): Deploy Custom Gateway and Manage Its Certificates With Cert-Manager

Istio Gateway supports multiple custom ingress gateways. It opens a series of ports to host incoming connections at the edge of the grid and can use different load balancers to isolate different ingress traffic flows. Cert-manager can be used to obtain certificates by using any signature key pair stored in the Kubernetes Secret resource. This article provides instructions on the steps for manually creating a custom ingress gateway and how to use cert-manager to automatically configure certificates in the gateway.

Generate a Signature Key Pair

CA Issuer does not automatically create and manage signature key pairs. The key pairs are either provided by the user or a new signature key pair for a self-signed CA is generated by a tool, such as OpenSSL. For example, you can generate keys and certificates of type x509 by using the following command:

Posted on

Traffic Management With Istio (3): Traffic Comparison Analysis Based on Istio

Traffic Mirroring

Traffic mirroring, also known as traffic shadowing, provides a powerful way to bring changes to production at the lowest possible risk. The mirror sends a copy of real-time traffic to the mirroring service. Mirrored traffic goes outside of the critical request path of the main services.

In non-production or test environments, trying to access all possible combinations of test cases for a service is unrealistic. In some cases, the work of writing these test cases may not match actual production needs. In the ideal case, you can use real-time production use and traffic to help improve the functional regions you miss in the test environment.

Posted on

Traffic Management With Istio (2): Grayscale Release of Applications by Istio Management

In the process of project iteration, you will inevitably need to go online. Going online means deploying or re-deploying; deploying means modifying; and modifying means risk.

Gray is between black and white. Grayscale release refers to a release process involving a smooth transition. Grayscale release can ensure overall system stability. You can find problems and make adjustments at the initial gray scale to minimize the degree of impact. What we often call AB testing or canary release are other forms of grayscale release.

Posted on

Traffic Management With Istio (1): Unified Management of TCP Ingress Traffic Routing Based on Istio Rules

The Istio traffic management model basically allows for the decoupling of traffic from infrastructure scaling, allowing operations personnel to specify the rules to apply to traffic using Pilot instead of specifying which pods/VMS should receive traffic. Decoupling traffic from infrastructure scaling allows Istio to provide a variety of traffic management functions independent of application code. The Envoy sidecar proxy implements these functions.

In a typical mesh, you often have one or more finalizing external TLS connections at the end to guide traffic into the mesh's load balancer (known as a gateway); the traffic then flows through internal services after the sidecar gateway. The following figure illustrates the use of gateways in a mesh: