To give you the latest on the Istio service mesh, Tetrate hosted a live Ask Me Anything about Istio webinar on Dec. 16, 2021, with Istio engineers Zack Butcher, Weston Carlson, and Vikas Choudhary; Zack Butcher is an Istio contributor and member of its steering committee. These were our top takeaways.
- VM integration. The most significant features of Istio’s 1.8 release may be its smart DNS proxy and the addition of the WorkloadGroup, both important steps for multi-cluster and for making VMs first-class citizens in a service mesh. As Nick Nellis explains in his deep dive, Trying out Istio’s DNS Proxy, the DNS proxy enables seamless integration of services across multiple clusters and VMs. WorkloadGroups, which are collections of non-Kubernetes workload instances, enable bootstrapping of workload proxies and lay a foundation for defining individual endpoints in a mesh at much finer granularity, and for automating VM registration. We should expect to see wider adoption of VMs into the service mesh, and even better VM support, cert issuance to VMs, and health checking for the workload entry in 1.9. Zack Butcher: “Cert issuance is kind of the final gap to close, really, before VMs are fully first-class workloads in the mesh.”
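As an added example (not from the webinar and not copied from Istio’s own docs), this is what a WorkloadGroup looks like when declared for VM instances of a `reviews` service. The field names follow the Istio networking API; the service name, namespace, service account, network name, ports and probe path are constructed values:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadGroup
metadata:
  name: reviews            # constructed example name
  namespace: bookinfo      # constructed example namespace
spec:
  # Labels stamped onto every WorkloadEntry auto-registered from this group,
  # so the existing Service selectors and AuthorizationPolicies match the VMs.
  metadata:
    labels:
      app: reviews
      version: v1
  template:
    # The Kubernetes ServiceAccount whose identity the VM proxies receive.
    # Workload certificates (SPIFFE IDs) are issued for this account, so it is
    # the unit you authorize on in AuthorizationPolicy.
    serviceAccount: reviews-vm
    # Network name Istio uses to decide when traffic must traverse a gateway.
    network: vm-network
    ports:
      http: 9080
  # Health check run by the VM's sidecar; the WorkloadEntry is marked
  # unhealthy, and taken out of load balancing, when it fails.
  probe:
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 3
    failureThreshold: 3
    httpGet:
      path: /health
      port: 9080
```

The group is the input to VM bootstrapping (`istioctl x workload entry configure -f workloadgroup.yaml`, which generates the files copied to the VM); once the VM's proxy connects, Istio auto-registers a WorkloadEntry per instance with the labels and service account above, which is why the service account is the field to review when deciding what a VM is allowed to reach.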
- Wasm. With the sunset of Mixer and Wasm support merged into the Envoy master branch, expect to see some hot and exciting action coming out of WebAssembly.
- Third-party CAs via k8s CSR API. An experimental feature in 1.8 enables the integration of third-party CAs with the Istio ecosystem by leveraging the Kubernetes certificate signing request (CSR) API. Istiod acts as the Registration Authority: it authenticates the workloads that are making cert requests, then creates and approves the corresponding k8s CSR resource. This lets the Istio community benefit from the vast k8s ecosystem. For example, cert-manager, which implements the k8s CSR API, gives us the ability to use any CA that cert-manager supports. We often see Vault, for example, used with Istio to load up CA certs for the Citadel, for handling secrets, or used as an intermediary for their certificates in Kubernetes.
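An added example of wiring this up (constructed here, not taken from the webinar or from Istio’s or cert-manager’s documentation): a cert-manager ClusterIssuer that exposes an organization’s intermediate CA as a Kubernetes CSR signer, and an IstioOperator that turns istiod into a Registration Authority delegating to that signer. The Secret name is constructed; the `EXTERNAL_CA`, `K8S_SIGNER` and `pilotCertProvider` settings are the experimental 1.8 knobs and should be checked against the Istio release you run:

```yaml
# 1. A cert-manager ClusterIssuer backed by an existing CA keypair held in a
#    Secret (name constructed). With cert-manager's Kubernetes CSR support
#    enabled, it is addressable as the signer
#    "clusterissuers.cert-manager.io/<issuer name>".
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: istio-system
spec:
  ca:
    secretName: mesh-intermediate-ca   # constructed; holds tls.crt / tls.key
---
# 2. Istiod as Registration Authority: it authenticates the workload, creates
#    the Kubernetes CSR, approves it, and the signer above issues the cert.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      # Istiod's own serving certificate also comes from the CSR signer.
      pilotCertProvider: k8s.io/clusterissuers.cert-manager.io/istio-system
  components:
    pilot:
      k8s:
        env:
          # Delegate signing to the Kubernetes CSR API instead of the built-in CA
          - name: EXTERNAL_CA
            value: ISTIOD_RA_KUBERNETES_API
          # Signer name written into every CSR object istiod creates
          - name: K8S_SIGNER
            value: clusterissuers.cert-manager.io/istio-system
```

Two things to verify before relying on this: cert-manager’s handling of Kubernetes CSR objects is an opt-in feature in the versions contemporary with Istio 1.8, so check its docs for how to enable it; and because istiod both creates and approves the CSRs, its RBAC on `certificatesigningrequests` (including the approval subresource) is what gates who can obtain a workload identity, so that ClusterRole deserves the same review as the CA key itself.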
- Managing gateways with multiple revisions. This allows the control plane (Istiod) upgrade to be separated from the gateway upgrades.
- Helm installation option. In response to user demand, Istio 1.8 reintroduces official support for Helm v3 for installations and upgrades. This is mainly for customers who are already using Helm and need to upgrade. In previous versions, the installation was done with the istioctl command line tool or the Istio Operator. With version 1.8, Istio supports in-place and canary upgrades with Helm in addition to the Operator and CLI-based installation methods. The Operator is still the recommended approach for a fresh install of Istio.
- Convince your boss. Istio lets you solve horizontal problems across an organization’s networking layer. The end goal of Istio is to provide a common layer that you can use to deliver horizontal features that cut across every application, and to empower your application developers to build application features. You want to free developers from worrying about these cross-cutting horizontal concerns, and to empower the teams that do care about those things to do them. Automation and the empowerment of small teams to enact organization-wide change enable customer speed and agility.
- Multi-cluster. For multi-cluster setups Tetrate recommends avoiding cross-talk between k8s apiservers and Istiods across clusters. A multi-cluster setup should be behind gateways that expose services to be consumed by remote clusters in a very controlled way. You’d want your control plane and each cluster isolated from each other.
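As an added example of the “behind gateways” pattern (constructed for this post, not the webinar’s own material), this is the Gateway resource that makes a cluster’s services reachable from remote clusters through an east-west gateway only. It assumes a gateway deployment labelled `istio: eastwestgateway` whose pods run with `ISTIO_META_ROUTER_MODE=sni-dnat`, as the east-west gateway generated by istioctl’s multicluster sample does:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: cross-network-gateway
  namespace: istio-system
spec:
  selector:
    istio: eastwestgateway        # assumed label of the east-west gateway pods
  servers:
    - port:
        number: 15443             # the conventional multi-network mTLS port
        name: tls
        protocol: TLS
      tls:
        # Pass the mTLS connection through unterminated: the gateway routes on
        # SNI only, so the workload-to-workload identity and encryption survive
        # the hop and the gateway never holds the workloads' keys.
        mode: AUTO_PASSTHROUGH
      hosts:
        # Only hosts matching this list are reachable from remote clusters;
        # a narrower suffix (for example one namespace) limits what is exposed.
        - "*.local"
```

Remote clusters then need only the gateway’s address and the shared root of trust; neither their istiods nor their workloads need credentials for this cluster’s apiserver, which is the isolation the recommendation is after. Because the gateway forwards by SNI without terminating TLS, the AuthorizationPolicy enforced at the destination sidecar still sees the real caller identity, so cross-cluster access control is written once, at the workload, rather than duplicated at the gateway.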
- Wrapper app tools. We recommend using a wrapper application tool such as Scuttle that makes it easy to run containers alongside Istio sidecars so that the app doesn’t start until Envoy is ready and the sidecar shuts down when the app exits. It’s an incredibly useful tool for addressing lifecycle mismatches in the platform.
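An added example of running a batch workload under Scuttle (constructed here, not from the webinar or the Scuttle project). The image is assumed to contain the `scuttle` binary and the job program; the environment variables are the ones Scuttle documents in its README, and their defaults should be confirmed against the Scuttle version you ship:

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: nightly-report        # constructed example name
  namespace: bookinfo          # constructed example namespace
spec:
  backoffLimit: 1
  template:
    metadata:
      labels:
        app: nightly-report
    spec:
      # A Job must not be restarted by the kubelet once it finishes.
      restartPolicy: Never
      containers:
        - name: app
          image: registry.example.com/nightly-report:1.0.0   # constructed
          # Scuttle is the entrypoint; the real process is its argument.
          # It blocks until Envoy is ready, runs the program, and on exit
          # asks the sidecar to quit so the pod can complete.
          command: ["scuttle", "/app/run-report"]
          env:
            # Envoy admin endpoint polled until the sidecar reports ready
            - name: ENVOY_ADMIN_API
              value: "http://127.0.0.1:15000"
            # Pilot-agent endpoint Scuttle calls (/quitquitquit) after the app exits
            - name: ISTIO_QUIT_API
              value: "http://127.0.0.1:15020"
            # Refuse to run without the sidecar: starting early would send the
            # job's traffic outside the mesh, unencrypted and unauthorized
            - name: START_WITHOUT_ENVOY
              value: "false"
            # Seconds to wait for Envoy before giving up and exiting
            - name: WAIT_FOR_ENVOY_TIMEOUT
              value: "60"
            # Keep the sidecar alive after a failed run when you need its logs
            - name: NEVER_KILL_ISTIO_ON_FAILURE
              value: "false"
            - name: SCUTTLE_LOGGING
              value: "true"
```

The security-relevant setting is `START_WITHOUT_ENVOY=false`: the failure mode it prevents is a job that runs before the sidecar is listening, so its connections never get mTLS or policy. The quit call at the end is what lets a Job reach Completed instead of hanging with only the sidecar container alive.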
Tetrate is a top contributor to Istio and pushing Istio to run everywhere is an important part of Tetrate’s founding mission. Follow @Tetrateio and #TetrateAMA on Twitter for service mesh tips and learning opportunities.