Istio 1.5, service mesh simplified

As the recent CNCF survey suggests (page 7), Istio is one of the most popular service mesh technologies on the market today. The biggest obstacle in Istio's production adoption so far has probably been that the complexity and domain knowledge required to operate a mesh was too high. The Istio community has realized this and has taken multiple steps to improve the usability and reduce the complexity of Istio. In Istio 1.5, another step was made toward these goals. Istio's control plane has been rearchitected to be monolithic, called istiod. In this post, you'll learn:

• about the new features of Istio 1.5, highlighting istiod,
• how you can install Istio 1.5 using Backyards (now Cisco Service Mesh Manager) and the open-source Banzai Cloud Istio operator, and
• how you can observe and manage the mesh with Backyards (now Cisco Service Mesh Manager), our multi and hybrid-cloud enabled service mesh platform.

Istio 1.5 introduction

We will introduce istiod first, then list some other notable features of Istio 1.5, and finally discuss some of the known issues of the current 1.5.0 release.

Meet istiod

Prior to Istio 1.5, the Istio control plane had a microservice architecture with the following components:

• Pilot: data-plane configuration server
• Galley: configuration validation
• Sidecar Injector: injecting sidecar containers to data plane components
• Citadel: certificate signing, secret generation
• Mixer: aggregating telemetry

In Istio 1.5, there is only one service called istiod, which is responsible for all of the features mentioned above (except for Mixer, which is dropped in favor of telemetry V2 where telemetry is aggregated in the sidecar proxies instead).Please note, that this architectural change requires a data plane upgrade when upgrading to Istio 1.5!

Please note, that this architectural change requires a data plane upgrade when upgrading to Istio 1.5!

"Why was this change made?" you may ask. To reduce complexity. That's it. There are no added or lost features with this architectural change itself. The only difference is that only one component is responsible now for all of these features. While on its own this architectural change does not add huge benefits to Istio users, it paves the way to simplifying the management of an Istio service mesh in the future:

• With a single component it will be easier to implement multiple Istio control planes in a single cluster
• With multiple control planes, dual control plane upgrade will be a reality
• Performance is already increased as the network communication overhead is reduced between the components
• Easier debugging (you only need to search through logs of one component)

These advantages can be valuable in the future to accelerate the production adoption of Istio.

If you want a head-start in adopting Istio, try out Backyards (now Cisco Service Mesh Manager), our service mesh product built on Istio Contact us, if you'd like to see a demo or use Backyards in production!

Other Istio 1.5 features

• Adding extensibility to data plane sidecar proxies with WebAssembly
• Auto mTLS is enabled by default
• Mixerless telemetry is enabled by default (including TCP protocol support)
• SDS is stable and enabled by default

The full list of changes can be found here. Istio 1.5 issues

1. There is a feature gap between the Mixerless (also called Telemetry V2) and the Mixer telemetry. If you need one of those listed features (e.g. egress gateway or Black hole telemetry), then you should keep using Mixer telemetry for now.
2. In Istio 1.5.0 the multi-cluster scenarios are not working!

For Backyards (now Cisco Service Mesh Manager) customers: the upcoming 1.2 version of Backyards, will support both Istio with telemetry v2, and Mixer telemetry. More importantly, even though multi-cluster is broken in Istio 1.5.0, in Backyards 1.2 it will be a fully functioning feature as it always has been.

Try it out!

The following procedure walks you through the process of:

1. creating a cluster
2. installing Istio using our open-source Banzai Cloud Istio operator
3. installing a preview version of [Backyards 1.2]
4. installing a demo application to showcase Istio 1.5 working with istiod

You can test all this for yourself in less than 10 minutes, which includes the time it takes to install Istio.

Create a cluster

To test Backyards, you'll need a Kubernetes cluster.

I created a Kubernetes cluster on AWS, using Banzai Cloud's lightweight, CNCF-certified Kubernetes distribution, PKE via the Banzai Cloud Pipeline platform. If you'd like to do likewise, create your clusters on any of the several cloud providers we support, or on-premises using the free version of Banzai Cloud's Pipeline platform.

Install Backyards

The easiest way to install Istio 1.5, Backyards (now Cisco Service Mesh Manager), and a demo application on a new cluster is by using the Backyards CLI. You can grab this release candidate build of the Backyards CLI.

This is not a GA release yet, so make sure you download the appropriate release.

1. Make sure that KUBECONFIG is set for the cluster where you want to test Istio 1.5.

2. Run the following command, and watch as Backyards starts a brand new production-ready Istio mesh in just a few minutes! The following command first installs Istio 1.5 using the open-source Banzai Cloud Istio operator, then installs Backyards (now Cisco Service Mesh Manager) itself as well as a demo application. After the installation of each component has finished, the Backyards UI will automatically open and send some traffic to the demo application.

   $ backyards install -a --run-demo

Explore Backyards

The Backyards UI should automatically open in a browser tab and you should see the traffic flowing through the demo microservices. At this point, you can try out any of the supported Backyards features easily. You can validate that istiod is running on your cluster with:

$ kubectl get po -n=istio-system
NAME                                    READY   STATUS    RESTARTS   AGE
istio-ingressgateway-5dd978cf7d-zt4ps   1/1     Running   0          6m54s
istio-operator-operator-0               2/2     Running   0          7m20s
istio-telemetry-5f7b4fd758-vkxm6        2/2     Running   0          7m12s
istiod-5b7bf58755-szlf4                 1/1     Running   0          47s

Switch to multi-component control plane

While istiod has its benefits, Istio 1.5.0 still has issues. To mitigate these problems, in Backyards you can switch to the old multi-component control plane model with ease.

Changing between istiod and the multi-component control plane model requires a data plane upgrade!

Run the following command: 

$ backyards istio install --without-istiod

Then check that multiple Istio control plane components are running on your cluster:

$ kubectl -n=istio-system get po
NAME                                      READY   STATUS    RESTARTS   AGE
istio-citadel-68cf6485c9-2l6xc            1/1     Running   0          9m40s
istio-galley-6dc7dd56b4-fr98j             1/1     Running   0          9m40s
istio-ingressgateway-86dbb78b6d-8l9qz     1/1     Running   0          6m48s
istio-pilot-6b6cb8f4bd-q4qbk              2/2     Running   0          3m40s
istio-sidecar-injector-7b568bcbc8-mhbd4   1/1     Running   0          9m40s
istio-telemetry-6d4fcddbb4-tjvwx          2/2     Running   0          3m44s

The data plane needs to be restarted in this case to function properly:

$ kubectl delete po -n=backyards-demo --all

Cleanup

To remove the demo application, Backyards, and Istio from your cluster, run the following command, which removes all of these components in the correct order:

$ backyards uninstall -a

Takeaway

Istio 1.5 made another step towards reduced complexity, better security, and higher stability which likely predestines Istio to increased production adoption in the future. To accelerate your Istio adoption, make sure to check out Backyards 1.2. It will come with Istio 1.5, istiod by default, telemetry aggregated by mixerless telemetry and much more. Contact us if you'd like to use Backyards in production.