
= Istio =

Background
Istio is a service-networking control plane that dynamically monitors and controls routing and access between services. The project was founded by Google and IBM in 2017 and incorporates lessons both companies learned while operating polyglot application stacks in production. Istio provides its functionality by deploying an out-of-process proxy (a sidecar) alongside each existing application and forcing the application's calls to route through that proxy. The sidecars are then populated with routes and policies that a user defines in the Istio control plane. Because all traffic is now forced through the application's proxy, Istio can introspect protocol-layer metrics, shape next-hop routes, and automatically provide TLS-encrypted communication between these enabled applications. By relying on a sidecar, Istio's features do not require maintaining language-specific libraries, which lets developers explore different architectures and programming stacks.

Network Traffic Control
Istio configures request routing with VirtualServices. Each rule names the hosts it applies to as a list of FQDNs. The network traffic is then manipulated within the client's local Envoy before it is sent on to the destination. Services outside Istio's mesh can be declared with a ServiceEntry, while inbound connections enter through an Istio Gateway.
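The three resources named above, shown together as an added example (not taken from the original page or from the Istio project's own samples): a Gateway admitting inbound HTTPS, a VirtualService bound to that gateway, and a ServiceEntry declaring one external host. The hostnames `shop.example.com` and `api.payments.example`, the service `productpage`, and the TLS secret `shop-tls` are assumed placeholders.

```yaml
# Added example: ingress Gateway + VirtualService + egress ServiceEntry.
# All names and hostnames below are constructed placeholders.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: shop-gateway
spec:
  selector:
    istio: ingressgateway          # bind to Istio's default ingress gateway pods
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "shop.example.com"           # only this FQDN is admitted on the listener
    tls:
      mode: SIMPLE                 # terminate TLS at the gateway
      credentialName: shop-tls     # Kubernetes TLS secret, assumed to exist
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: shop
spec:
  hosts:
  - "shop.example.com"
  gateways:
  - shop-gateway                   # applies only to traffic entering via this gateway
  http:
  - match:
    - uri:
        prefix: /productpage
    route:
    - destination:
        host: productpage          # in-mesh Kubernetes service (assumed)
        port:
          number: 9080
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: payments-api
spec:
  hosts:
  - api.payments.example           # external host, now present in the mesh registry
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
```

The security-relevant property of the ServiceEntry is that it is an explicit declaration: when the mesh is installed with `outboundTrafficPolicy.mode: REGISTRY_ONLY`, sidecars refuse egress to any host that is not in the registry, so the set of ServiceEntries becomes the mesh's egress allowlist rather than a convenience.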

Traffic Splitting
Istio can balance requests by percentage across subsets of a host, where subsets are defined by arbitrary labels applied to the host's workloads. This feature lets developers send a proportion of traffic to one version of an application. Alternatively, regular-expression matching on request data such as cookies or specific user-agents can selectively direct a subset of users.
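A weighted split and a regex-based match, as an added example rather than configuration from the page or the Istio project: a DestinationRule defines the `v1` and `v2` subsets from a `version` label, and a VirtualService first diverts matching requests and then splits the remainder 90/10. The service name `reviews`, the label values and the header patterns are assumed.

```yaml
# Added example: label-based subsets plus a regex match and a weighted route.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews                    # assumed in-mesh service
  subsets:
  - name: v1
    labels:
      version: v1                  # pods labelled version=v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  # Rules are evaluated in order; the first match wins.
  - match:
    - headers:
        user-agent:
          regex: ".*Mobile.*"      # mobile clients go to v2
    - headers:
        cookie:
          regex: "^(.*?;)?(canary=true)(;.*)?$"   # opted-in canary users
    route:
    - destination:
        host: reviews
        subset: v2
  # Default rule: everyone else is split by weight.
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
```

Two entries under one `match` list are OR-ed, so either header pattern selects `v2`. Because the match is on client-supplied headers, it is a routing convenience, not an access control: any caller can set a cookie or user-agent, so a canary subset must not be treated as a restricted environment.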

Timeouts & Retries
Istio sets default timeouts for destinations but allows these to be overridden. Timeouts let developers fail early or late depending on their circumstances and can be used to fall back to alternate error or fault scenarios.

Retries can be specified with a number of attempts and the time between each attempt. A small number of retries can help a request ride out latency spikes or busy services that might otherwise fail the entire request.
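A VirtualService that overrides the default timeout and adds a small retry budget, as an added example (not from the page or the Istio project). The service `ratings` and the durations are assumed; the fields `timeout`, `retries.attempts`, `retries.perTryTimeout` and `retries.retryOn` are the actual VirtualService fields.

```yaml
# Added example: bounded total time plus a small, conditional retry budget.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings                        # assumed in-mesh service
  http:
  - route:
    - destination:
        host: ratings
    timeout: 3s                    # overall budget for the request, retries included
    retries:
      attempts: 2                  # at most two retries after the initial attempt
      perTryTimeout: 1s            # each individual attempt is abandoned after 1s
      retryOn: 5xx,connect-failure,reset   # only retry on these failure classes
```

`timeout` caps the whole exchange, so three attempts of up to 1s each cannot exceed the 3s budget. Restricting `retryOn` matters for safety as well as latency: a blanket retry of non-idempotent requests (a POST that charges a card, for example) duplicates side effects, so retries should be limited to failure classes where the upstream is known not to have processed the request.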

HTTP Fault Injection
Istio's fault-injection capabilities allow for greater control over service timeouts and dependency testing. With timeouts and retries, developers can set sane thresholds on a request's total time. This approach moves protocol-specific features like retries into the network layer.

Istio can also be used to test how a service behaves when its dependencies are offline or are timing out requests. This is especially important when making requests to external services that may have unpredictable latency.
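Injecting a delay and an abort into calls to a dependency, as an added example (not from the page or the Istio project). The fault is scoped by a header match so that only a designated test identity sees it; the `ratings` service, the `end-user` header and the value `chaos-tester` are assumed placeholders.

```yaml
# Added example: inject latency and HTTP 503 errors for one test identity only.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings                        # assumed in-mesh dependency
  http:
  - match:
    - headers:
        end-user:
          exact: chaos-tester      # confine the fault to requests carrying this header
    fault:
      delay:
        percentage:
          value: 100               # every matching request is delayed ...
        fixedDelay: 7s             # ... by 7 seconds before being forwarded
      abort:
        percentage:
          value: 50                # half of the matching requests are aborted ...
        httpStatus: 503            # ... with a 503, simulating an unavailable dependency
    route:
    - destination:
        host: ratings
  - route:                         # everyone else is unaffected
    - destination:
        host: ratings
```

The injected delay is applied in the caller's sidecar, so the dependency itself is untouched and the test exercises the caller's own timeout and fallback handling. Scoping the fault to a header match is what keeps an experiment from becoming an outage; an unscoped `fault` block applies to all callers of the host.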

Envoy
Envoy is a C++11 out-of-process L7 proxy designed to run alongside an application server. All traffic destined for a given application service must pass through the Envoy proxy before it is forwarded to the Envoy at the eventual destination. Envoy manipulates a payload by passing it through a series of configurable listener, network, and HTTP filters.

Istio provides configuration to Envoy through a set of APIs collectively referred to as xDS. Envoy acts as the heart of the Istio control plane.

Pilot
Pilot asynchronously configures the Envoy sidecar proxy deployed alongside an application. It uses Envoy's xDS APIs to provide service-discovery endpoints and the specific rule sets that shape traffic behavior.

Mixer
Mixer handles policy and quota enforcement and telemetry collection. It enforces quotas, such as the number of allowed calls to a service, and policies expressed as precondition checks. Certain Mixer adapters force traffic egressing Envoy to first route through Mixer; however, most precondition checks are served from a cache. Telemetry is also gathered from calls to Mixer, but these calls are often buffered and infrequent.

Mixer is highly configurable and offers a number of adapters for various metrics aggregation services and policy agents. A current list is provided in the Istio documentation.

Citadel
Citadel issues SPIFFE-formatted certificate and key pairs in response to new Certificate Signing Requests or for Kubernetes service accounts. These certificates are provided to Envoy along with the private key and are rotated on a periodic basis. The keys are used for mutual-TLS communication between Envoy and the services it proxies.
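Turning the Citadel-issued identities into an enforced requirement, as an added example (not from the page or the Istio project): a namespace-wide authentication Policy requires peers to present a certificate, and a matching DestinationRule tells client sidecars to originate mutual TLS with their own certificate. This uses the `authentication.istio.io/v1alpha1` API of the Istio 1.0 era described on this page (later releases replaced it with `PeerAuthentication`); the namespace `payments` is assumed.

```yaml
# Added example: require mutual TLS for every workload in one namespace.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default                    # the namespace-wide policy must be named "default"
  namespace: payments              # assumed namespace
spec:
  peers:
  - mtls:
      mode: STRICT                 # reject plaintext; peers must present a mesh certificate
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: payments-mtls
  namespace: payments
spec:
  host: "*.payments.svc.cluster.local"   # every service in the namespace
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL           # client sidecars use the Citadel-issued cert and key
```

The two halves must be deployed together: the Policy alone makes servers reject plaintext, and the DestinationRule alone makes clients send TLS to servers that may not accept it, so either on its own breaks traffic. The identity carried in these certificates is the SPIFFE URI `spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>`, which is what later authorization policies match on, so the service account a workload runs under is its security identity in the mesh.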

History

 * July 31 2018 - 1.0 production release
 * October 10 2017 - 0.2 First LTS release
 * May 24 2017 - First public release