ServiceMesh(3)

Before the article:

What problems Does ServiceMesh Solve?

What is Istio, the most popular ServiceMesh implementation?

Istio is the productized delivery of ServiceMesh:

  • It builds the connections between microservices, helps R&D teams manage and monitor those microservices, and makes the system architecture more secure

  • It decouples microservices in layers, so that the separated proxy layer can focus on providing infrastructure capabilities such as:

(1) Service Discovery

(2) Load balancing

(3) Failure recovery

(4) Service Metrics

(5) Monitoring

(6) A/B testing

(7) Greyscale publishing (Canary Rollouts)

(8) Rate limiting

(9) Access Control

(10) End-to-end authentication

and so on.

  • It lets both the business engineering team and the infrastructure team work more efficiently, focus on their own work, and support each other better

Today we’ll talk about Istio’s core architecture design.

The Istio website describes the architecture with the following sentence:

Logically, Istio is divided into:

  • Data plane

  • Control plane

These two terms are the heart of the Istio architecture, but they are also the ones people misunderstand most often.

Data plane and control plane are not inventions of ServiceMesh or Istio; they are mature concepts from computer networking, specifically packet routing and forwarding:

  • Data plane: performs fast forwarding

  • Control plane: supplies the information that fast forwarding needs (routes, neighbours, and so on)

Voice-over: The two pictures above show the router architecture.

Its design principles are:

  • In a routing device, forwarding is the most important job and has the highest priority. The data plane is designed for efficient forwarding: processing as many packets as possible in the shortest time. It typically relies on efficient memory management, queue management, timeout management and similar techniques, and is often implemented in hardware

  • The control plane is different: it implements routing protocols, device management, IGMP, ARP and the like. It leans towards control and application logic and is usually implemented in software

Voice-over:

Internet Group Management Protocol (IGMP), a multicast protocol;

Address Resolution Protocol (ARP), which resolves IP addresses to link-layer (MAC) addresses.

The core architecture of Istio is very similar to that of a router:

  • Services (small red boxes at the top), which talk to their proxy over local communication

  • The data plane, consisting of a set of proxies (the two small red boxes in the middle layer), with these core responsibilities:

(1) Efficient forwarding;

(2) Receiving and enforcing policies from Mixer;

  • The control plane (bottom red box), whose core is control and policy; its core responsibilities are:

(1) Managing and configuring the sidecar proxies;

(2) Enforcing policies and collecting telemetry from the sidecar proxies through Mixer;

Voice-over:

(1) Sidecar proxy: the original text uses Envoy; Envoy is the proxy;

(2) Mixer: called Mixer in the original text as well;

(3) Pilot, Galley, Citadel: the remaining control plane components.

As shown in the architecture diagram, there are five core components in this two-tier architecture.

The data plane has one core component:

Envoy (proxy)

Envoy’s core responsibility is efficient forwarding; more specifically, it has the following capabilities:

(1) Service discovery

(2) Load balancing

(3) Secure transport (TLS termination)

(4) Multi-protocol support, such as HTTP/2 and gRPC

(5) Circuit breakers

(6) Health checks

(7) Percentage-based traffic splitting

(8) Fault injection

(9) Metrics and telemetry

Most of these capabilities are familiar from RPC frameworks and easy to understand; circuit breaking and fault injection deserve a closer look.

Circuit breaker design

In software architecture, it is a design idea for protecting a service, or for degrading gracefully.

For example, if the system detects a large number of timeouts on an interface, the circuit breaker policy stops calling that interface (the circuit breaker opens). After a period of time the system tries the interface again (the half-open state). If those trial calls do not time out, traffic is gradually restored (the circuit breaker closes); if they fail, the breaker opens again for another waiting period.
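As an added example (not from the original article, and not a verbatim Istio sample), here is how Istio 1.1 expresses this for a service; the service name reviews and the namespace default are assumed. Envoy's model differs slightly from the textbook state machine: outlierDetection ejects an individual upstream host from the load-balancing pool after consecutiveErrors failures and returns it after baseEjectionTime, multiplied by the number of times that host has already been ejected, which is the "gradually restore" step; connectionPool caps in-flight work so that a saturated upstream fails fast instead of queueing.

```yaml
# Added example (not from the original article): Istio 1.1 circuit breaking
# for an assumed service "reviews" in the assumed namespace "default".
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews-circuit-breaker
  namespace: default
spec:
  host: reviews.default.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100          # hard cap on open TCP connections to reviews
      http:
        http1MaxPendingRequests: 10  # requests queued beyond this are failed immediately
        maxRequestsPerConnection: 1  # no keep-alive reuse, so load spreads across hosts
    outlierDetection:
      consecutiveErrors: 5       # 5 consecutive 502/503/504 (or TCP connect failures) eject the host
      interval: 10s              # how often Envoy re-evaluates each host
      baseEjectionTime: 30s      # first ejection lasts 30s; the n-th ejection lasts n * 30s
      maxEjectionPercent: 50     # never eject more than half the pool, so some capacity remains
```

After `kubectl apply -f`, `istioctl proxy-config cluster <pod>` shows the Envoy cluster that Pilot generated from this rule, including the circuit breaker thresholds and outlier detection settings, which is the quickest way to confirm the sidecar actually received the policy.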

Fault injection design

In software architecture design, it is the practice of deliberately introducing faults to widen test coverage and verify the robustness of the system. It is used mainly for testing.

At most Chinese Internet companies, fault injection is not considered at the architecture design stage. It is more common in the development and debugging of operating system kernels and routers, where it simulates hard-to-reproduce exceptions such as memory allocation failures and disk I/O errors to guarantee test coverage.
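In a mesh, fault injection is done by the sidecar rather than by the application, so it needs no code change. The following is an added example (not from the original article, and not a verbatim Istio sample) for an assumed service ratings in the assumed namespace default; the header name x-chaos-test is also an assumption. The point a practitioner should not miss is the match clause: faults are injected only for requests carrying the test header, so real callers are never slowed down or given synthetic errors.

```yaml
# Added example (not from the original article): Istio 1.1 fault injection
# for an assumed service "ratings" in the assumed namespace "default".
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings-fault-injection
  namespace: default
spec:
  hosts:
  - ratings
  http:
  # Rule 1: faults only for requests that carry the (assumed) test header,
  # so production callers are never affected.
  - match:
    - headers:
        x-chaos-test:
          exact: "true"
    fault:
      delay:
        percentage:
          value: 100.0        # every matched request is delayed ...
        fixedDelay: 7s        # ... by 7s, longer than a typical 5s client timeout
      abort:
        percentage:
          value: 10.0         # and 10% of them are answered with a synthetic 503
        httpStatus: 503
    route:
    - destination:
        host: ratings
  # Rule 2: everything else flows through untouched. Rules are evaluated
  # in order, so this catch-all must come last.
  - route:
    - destination:
        host: ratings
```

A 7 second delay against a 5 second caller timeout is the classic check that the caller's timeout and retry budget actually fire; the 503 abort exercises the caller's error handling and, combined with the circuit breaker settings above, shows whether the breaker trips as designed.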

The control plane has four core components:

Mixer

Mixer’s core capabilities are:

(1) Cross-platform: it is the adapter between Istio and other components and backends, which is what gives Istio its platform independence;

(2) Communicating with Envoy to enforce policies in real time (precondition checks, quotas, rate limits);

(3) Collecting telemetry from Envoy;

The core of Mixer’s design is “pluginization”: an adapter model that lets Istio accommodate a wide range of host environments and backend infrastructure.

Pilot

Pilot is a very important control plane component; its core capabilities are:

(1) Providing Envoy with service discovery;

(2) Providing Envoy with intelligent routing management, such as A/B testing and canary releases;

(3) Providing Envoy with resilience management, such as timeouts, retries and circuit breaking;

The core of Pilot’s design is “standardization”: it translates the various traffic-control rules into configuration that Envoy understands (Envoy’s xDS APIs) and, at run time, pushes that configuration to every Envoy. The advantage of abstracting these capabilities into a generic configuration is that any Envoy, or any proxy that implements the same standard, can plug into Pilot.

The subtext is that a third party can implement its own proxy and integrate it with Pilot as long as it complies with the relevant API standard.
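As an added example of the routing and resilience rules Pilot distributes (not from the original article, and not a verbatim Istio sample), the two resources below implement a canary release with a timeout and retry budget; the service reviews, the pod labels version=v1 and version=v2, and the namespace default are assumed. Pilot compiles the DestinationRule into Envoy clusters (one per subset) and the VirtualService into an Envoy route with weighted clusters, then pushes both to every sidecar that can reach reviews.

```yaml
# Added example (not from the original article): canary routing plus
# timeout/retry for an assumed service "reviews" in namespace "default".
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
  namespace: default
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1     # pods labelled version=v1 form subset v1
  - name: v2
    labels:
      version: v2     # pods labelled version=v2 form subset v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
  namespace: default
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90        # canary: 90% of requests stay on v1 ...
    - destination:
        host: reviews
        subset: v2
      weight: 10        # ... 10% go to v2; weights must sum to 100
    timeout: 3s         # overall per-request deadline enforced by the caller's sidecar
    retries:
      attempts: 3       # up to 3 retries ...
      perTryTimeout: 1s # ... each bounded to 1s, so 3 x 1s fits inside the 3s timeout
```

Two caveats a practitioner should keep in mind: retries are only safe for idempotent requests, since the sidecar will replay a failed call without asking the application, and the per-try timeout times the attempt count should not exceed the overall timeout, otherwise later attempts are cancelled before they can succeed.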

Citadel

Citadel provides service-to-service and end-user authentication, with built-in identity and credential management: it issues and rotates the per-workload certificates that the sidecars use for mutual TLS, and the identities it issues are what service-to-service access control policies are written against. In short, it is the security component.
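The following is an added example (not from the original article, and not a verbatim Istio sample) of the Istio 1.1 policy that puts Citadel’s certificates to work: strict mutual TLS across the mesh, and deny-by-default service-to-service access control on top of it. The namespace default, the target service products, and the client service account frontend are assumed. The ordering matters for security: the ServiceRoleBinding identifies the caller by the SPIFFE identity in its client certificate, so without the mTLS policy in step 1 there is no verified principal to authorize.

```yaml
# Added example (not from the original article): Istio 1.1 mutual TLS and
# service-to-service access control. Namespace "default", service "products"
# and the client service account "frontend" are assumed.

# 1. Mesh-wide server side: every sidecar requires mTLS from its peers.
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default        # the mesh-wide MeshPolicy must be named "default"
spec:
  peers:
  - mtls: {}           # empty block means STRICT; use "mode: PERMISSIVE" while migrating
---
# 2. Mesh-wide client side: sidecars present the Citadel-issued workload cert.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# 3. Turn RBAC on for the namespace: with no matching ServiceRoleBinding,
#    every request is denied (deny by default).
apiVersion: rbac.istio.io/v1alpha1
kind: ClusterRbacConfig
metadata:
  name: default        # ClusterRbacConfig must be named "default"
spec:
  mode: ON_WITH_INCLUSION
  inclusion:
    namespaces: ["default"]
---
# 4. What may be done: GET on the products service.
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRole
metadata:
  name: products-viewer
  namespace: default
spec:
  rules:
  - services: ["products.default.svc.cluster.local"]
    methods: ["GET"]
---
# 5. Who may do it: only workloads running as the "frontend" service account.
#    The principal is the SPIFFE URI from the peer certificate
#    (spiffe://cluster.local/ns/default/sa/frontend), written without the scheme.
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: bind-products-viewer
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/frontend"
  roleRef:
    kind: ServiceRole
    name: products-viewer
```

Apply the mTLS pieces first and confirm that in-mesh traffic still succeeds before switching RBAC on for the namespace; once step 3 is applied, any client not covered by a binding, including one that talks plaintext and therefore has no certificate identity, is rejected by the target’s sidecar.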

Galley

The Galley component fetches, validates, processes and distributes configuration; its purpose is to decouple the rest of Istio from the details of obtaining user configuration from the underlying platform (for example, K8S).

Aside: Why do 80% of Chinese users get Istio’s two-layer architecture wrong?

Many friends ask me through what channel I learn the latest technical knowledge; my answer is always: English websites.

All information in this article is from Istio 1.1.

When I searched for Istio on Baidu, 80% of the results translated the two-layer architecture as:

  • Data panel

  • Control panel

You can search for “Istio Control Panel” yourself.

I was extremely confused at first, because “data plane” and “control plane” are very mature translations. Routers use this two-layer architecture, and ServiceMesh uses the same architectural design for decoupling, so there should be no need for creative translation.

Then I understood:

  • Control plane

  • Control Panel

Half-English programmers and second-hand technical documents really do harm, alas.

Conclusion

Istio adopts a two-layer architecture with five modules to decouple microservices with ServiceMesh:

  • Data plane, mainly responsible for efficient forwarding

(1) Envoy module: the proxy;

  • Control plane, mainly responsible for control and policy

(2) Mixer module: cross-platform, standardized API adapter;

(3) Pilot module: controls and configures most of Envoy’s policies;

(4) Citadel module: security-related;

(5) Galley module: decouples Istio from the configuration of the underlying platform (such as K8S);

Separating execution from control is a classic architectural design approach. Got it?

The idea is more important than the conclusion.

Related articles:

What problem does ServiceMesh Solve?

What on Earth is Istio?