# Istio

- [Istio](https://istio.io/): Simplify observability, traffic management, security, and policy with the leading service mesh.
	- [Code](https://github.com/istio/istio)

> What is Istio?
>
> Istio is **an open source service mesh** that layers transparently onto existing distributed applications. Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to *load balancing*, *service-to-service authentication*, and *monitoring* – with few or no service code changes. Its powerful **control plane** brings vital features, including:
> - Secure service-to-service communication in a cluster with TLS encryption, strong identity-based authentication and authorization
> - Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic
> - Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault injection
> - A pluggable policy layer and configuration API supporting access controls, rate limits and quotas
> - Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress
>
> Istio is designed for extensibility and can handle a diverse range of deployment needs. Istio’s control plane runs on Kubernetes, and you can add applications deployed in that cluster to your mesh, extend the mesh to other clusters, or even connect VMs or other endpoints running outside of Kubernetes.

# Books

## Istio in Action

- Christian E. Posta, Rinor Maloku. **Istio in Action**. Manning: 2022.
  - [Code](https://github.com/istioinaction/book-source-code)
  - Istio 1.13.0, Docker Desktop 1.21.1
  - PART 1 **Understanding Istio**: 1-3
  - PART 2 **Securing, Observing, And Controlling Your Service's Network Traffic**: 4-9
  - PART 3 **Istio Day-2 Operations**: 10-11
  - PART 4 **Istio In Your Organization**: 12-14

Sample applications:

| app     | implementation language | dependencies                                |
| :------ | :----------------- | :------------------------------------------ |
| catalog | NodeJS 14          | express, json-server, faker, lodash         |
| forum   | Go 1.12            | https://github.com/julienschmidt/httprouter |
| webapp  | Go 1.16            | https://github.com/beego/beego              |

| #   | Title                                                                       |
| :-- | :-------------------------------------------------------------------------- |
| 1   | Introducing the Istio service mesh                                          |
| 2   | First steps with Istio                                                      |
| 3   | Istio’s data plane: The Envoy proxy                                         |
| 4   | Istio gateways: Getting traffic into a cluster                              |
| 5   | Traffic control: Fine-grained traffic routing                               |
| 6   | Resilience: Solving application networking challenges                       |
| 7   | Observability: Understanding the behavior of your services                  |
| 8   | Observability: Visualizing network behavior with Grafana, Jaeger, and Kiali |
| 9   | Securing microservice communication                                         |
| 10  | Troubleshooting the data plane                                              |
| 11  | Performance-tuning the control plane                                        |
| 12  | Scaling Istio in your organization                                          |
| 13  | Incorporating virtual machine workloads into the mesh                       |
| 14  | Extending Istio on the request path                                         |

## Istio权威指南 (The Definitive Guide to Istio)

- Huawei Cloud Cloud Native Team. *Istio权威指南* (two volumes), 2023.

> Hello, Istio

Service governance covers:
- Traffic management
- Observability
- Security

Sample application: weather forecast
- forecast: Node.js
- recommendation: Java

Istio and Kubernetes:
- Istio adds an application-oriented service management platform and infrastructure layer on top of Kubernetes, providing layer-7 traffic management.
- Kubernetes workloads: Istio reuses the Kubernetes Service definition; the data-plane component is a Sidecar deployed in every Pod.
- Networking: Istio implements an Istio CNI plugin on top of the Kubernetes CNI. When a Pod is created or destroyed, the plugin applies the service mesh's traffic-interception rules so that application traffic is redirected to the data-plane proxy.

> Overview of the Istio architecture

> Principles of traffic management

> Principles of observability and policy control

> Principles of service security

> The service mesh data-plane proxy: Sidecar

> Heterogeneous infrastructure

> Environment setup

> Observability in practice

> Canary releases in practice

> Traffic management in practice

> Service security in practice

> Gateway traffic in practice

> Heterogeneous infrastructure in practice

# Concepts

- Traffic Management
	- Introducing Istio traffic management
	- Virtual services
	- Destination rules
	- Gateways
	- Service entries
	- Sidecars
	- Network resilience and testing
- Security
	- High-level architecture
	- Istio identity
	- Identity and certificate management
	- Authentication
	- Authorization
- Observability
	- Metrics
	- Distributed traces
	- Access logs
- Extensibility
	- High-level architecture
	- Example
	- Ecosystem

# Deployment

Architecture:
- **Envoy**: Sidecar proxies per microservice to handle ingress/egress traffic between services in the cluster and from a service to external services. The proxies form a secure microservice mesh providing a rich set of functions like discovery, rich layer-7 routing, circuit breakers, policy enforcement and telemetry recording/reporting functions.
- **Istiod**: The Istio control plane. It provides service discovery, configuration and certificate management.
	- Introducing istiod: simplifying the control plane: https://istio.io/latest/blog/2020/istiod/
	- **Pilot**: Responsible for configuring the proxies at runtime.
	- **Citadel**: Responsible for certificate issuance and rotation.
	- **Galley**: Responsible for validating, ingesting, aggregating, transforming and distributing config within Istio.
- **Operator**: This component provides user-friendly options for operating the Istio service mesh.
	- the sidecar injector

![Istio Architecture](https://istio.io/latest/docs/ops/deployment/architecture/arch.svg)
# CLI

- install-cni
- istioctl
- operator
- pilot-agent
- pilot-discovery

# Kiali

- [Kiali - The Console for Istio Service Mesh](https://kiali.io/)

![Kiali Architecture](https://kiali.io/images/documentation/architecture/arch.png)