Istio

Istio (Chinese-language site)

  1. First, what is a service mesh? When a monolithic application is broken up into distributed microservices, both developers and operators face new complexity. The term service mesh describes the network of microservices that make up such an application and the interactions between them. As the mesh grows in size and complexity, it becomes harder to understand and manage. It needs service discovery, load balancing, failure recovery and metrics/monitoring, and usually also more demanding operational features such as A/B testing, canary releases, rate limiting, access control and end-to-end authentication. Istio, as a concrete service mesh implementation, addresses these problems.

  2. Microservices architectures enhance the ability of modern software teams to deliver applications at scale, but as an application’s footprint grows, the challenge is to maintain the network between services.

  3. A service mesh is an infrastructure layer that allows your service instances to communicate with one another. The service mesh also lets you configure how your service instances perform critical actions such as service discovery, load balancing, data encryption, and authentication and authorization. What is expected of a service mesh therefore includes service discovery, load balancing, failure recovery, metrics and monitoring, as well as A/B testing, canary releases, rate limiting, access control and end-to-end authentication.

  4. Along with health checks, Istio includes a number of other traffic-management tasks, including circuit breaking, which limits the impact of networking issues like latency spikes, and traffic shifting, which lets you move traffic across multiple versions of a service.

  5. Istio connects, secures, controls and observes these microservices. Istio provides many traffic-management features, such as circuit breakers, timeouts and retries, A/B testing, canary and staged rollouts, and out-of-the-box failure recovery.

  6. Istio supports spanning a service mesh over a variety of network topologies.

  7. Circuit breakers (断路器): Chinese material also calls this 熔断, literally "fusing", i.e. tripping the circuit so that no further requests are sent to a failing upstream until it recovers.

  8. It is possible to add service-mesh capabilities to applications already running in your cluster by creating Istio-specific objects that work alongside the existing application resources.

  9. The era of service meshes ushers in a new layer of intelligent network services that is changing the architecture of modern applications and the confidence with which they are delivered.

  10. Service meshes provide a developer-driven, services-first network.

  11. Given the declarative, policy-based control that service meshes provide, it’s fair to liken a service mesh to a cloud-native SDN (software-defined network).

  12. The two benefits of creating client libraries are that the resources consumed are locally accounted for each and every service, and that developers are empowered to self-service their choice of an existing library or to build a new language-specific library. (This is the pre-mesh approach; the sidecar model in item 14 moves the same logic out of the application process.)

  13. Organization staff we’ve spoken to are adopting service meshes primarily for the observability that they bring through instrumentation of network traffic.

  14. Service meshes use sidecars to instrument applications with infrastructure-related functionality.

  15. A cloud-native approach to uniform observability.

  16. Observable software is typically instrumented to capture and expose information (telemetry, measurements), allowing you to reason about complex software.

  17. Modern monitoring systems are often infused with analytics for identifying anomalous behavior, predicting capacity breaches, and so on.

  18. Envoy is a high-performance reverse proxy written in C++, originally built at Lyft. In a service mesh, Envoy is the proxy that interconnects the services. Common terminology used by Envoy:

    1. Downstream: a host that connects to Envoy and sends it requests.

    2. Upstream: a host that Envoy connects to and forwards requests to; upstream hosts are grouped into clusters.

    3. Listener: a named network location (e.g. a port or a Unix domain socket) that downstream clients connect to; Envoy exposes one or more listeners.

  19. One of Istio’s key features is the ability to issue an identity to every workload in the service mesh. The identity is a SPIFFE URI of the form spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>, carried in the subject alternative name of a short-lived X.509 certificate that the sidecar uses for mutual TLS.

  20. Locality-based load-balancing settings / "Originates a TLS connection to the destination endpoint": the client-side sidecar, not the application, initiates TLS towards the destination.

  21. MeshNetworks describes the set of networks that the mesh is deployed across, together with the address of the ingress gateway of each network.

  22. Using Helm charts with Istio Gateways?? So Helm seems like a great tool to easily install services, but my cluster is using Istio Gateways/VirtualServices for ingress traffic, and every Helm chart uses default Ingress resources instead.

  23. Gateways are concerned with exposing names over trust boundaries.

  24. Telemetry reports are generated as a service proxy processes requests.

  25. Reports are generated as Envoy processes requests and are sent asynchronously to Mixer’s report API (exposed by istio-telemetry), out of band of the request. (This is the Mixer-based telemetry path used before Istio 1.5; see item 34.)
  26. In most situations, the services communicate over some application-layer protocol such as HTTP, gRPC or Redis; we want to see the rate of application-level requests, not the rate of bytes.
  27. Google, IBM, and Microsoft rely on Istio as the default service mesh offered in their respective Kubernetes cloud services.
  28. A service mesh allows you to decouple the application’s protocol from the protocol used on the wire. In other words, the application can speak one protocol, but the bytes that actually go out on the wire are in another: the typical case is an application that speaks plaintext HTTP to its sidecar while the sidecars carry it between pods over mutual TLS.
  29. Istio makes it possible to impose limits on external interactions and to control all routes between the cluster and an external network (for example, with the mesh-wide outboundTrafficPolicy set to REGISTRY_ONLY, sidecars can only reach external hosts that have been declared through a ServiceEntry).
  30. Furthermore, it supports setting up policy rules to control the interactions between different microservices.
  31. Mixer is an optional control-plane component that collects metrics, logs and other information about network interactions; it also enforces policy rules and rate limits. (Mixer was deprecated in Istio 1.5 in favour of in-proxy extensions; see item 34.)
  32. Sidecar proxies connect to Pilot over gRPC (the xDS APIs), which optimizes the push model for propagating configuration changes inside the cluster.
  33. Fault isolation and fail-over / Location-aware (locality-aware) routing.
  34. Istio 1.5 consolidates the control plane into a single service and reimplements extensibility:

    1. istiod: a single binary that combines the former Pilot, Citadel, Galley and sidecar injector; it provides sidecar injection, proxy configuration (xDS), service discovery, certificate issuance (security) and configuration validation.

    2. Data plane: the Mixer adapter plugins are reimplemented inside the mesh as Envoy extensions, so telemetry and policy are produced by the proxy itself rather than by a Mixer round trip.

  35. A failure domain is a physical or logical section of the computing environment that is negatively affected when a critical device or service experiences problems.
    For an Istio deployment, failure domains could encompass multiple availability zones of your platform.

  36. Clients check the server’s identity against their secure naming information to determine if the server is authorized to run the service. Secure naming maps a service name to the service-account identities allowed to serve it; because the check is against the identity in the server certificate rather than the DNS name or IP, an attacker who can spoof DNS or take over a Pod IP still cannot impersonate the service.

  37. Micro-segmentation is a security technique that creates secure zones in cloud deployments and allows organizations to isolate workloads from one another and secure them individually.

  38. Istio works well with other common infrastructure and monitoring components such as Jaeger, Grafana, Kiali and Prometheus.

  39. Istio’s traffic routing rules let you easily control the flow of traffic and API calls between services.
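The identity, secure-naming and micro-segmentation notes (items 19, 36 and 37) expressed as Istio configuration. This is an added example, not configuration from the page or from the Istio project; the namespace "bookinfo", the services "reviews" and "ratings", the pod label app=ratings and the service accounts bookinfo-reviews and bookinfo-ratings are assumed names, and the trust domain is assumed to be the default cluster.local. The first two objects have the same name on purpose: apply one or the other, not both.

```yaml
# Added example (not from the page or the Istio project): the weak
# mTLS setting beside the corrected one, then the authorization and
# client-side identity checks that the corrected setting makes possible.
# Names (namespace, services, service accounts) are assumptions.

# 1. Weak setting: PERMISSIVE accepts both mTLS and plaintext, so a
#    workload without a sidecar (or an attacker on the pod network)
#    can still reach ratings unauthenticated.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: bookinfo
spec:
  mtls:
    mode: PERMISSIVE      # weak: plaintext still accepted
---
# 2. Corrected: STRICT requires mutual TLS; every caller must present
#    a certificate whose SAN carries its SPIFFE identity
#    (spiffe://cluster.local/ns/<namespace>/sa/<service-account>).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: bookinfo
spec:
  mtls:
    mode: STRICT
---
# 3. Micro-segmentation: with STRICT in place the peer identity can be
#    trusted, so this policy allows only the reviews workload to call
#    ratings, and only with GET. The selector scopes it to ratings pods;
#    every other principal (and every other method) is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ratings-allow-reviews
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: ratings
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/bookinfo/sa/bookinfo-reviews"]
    to:
    - operation:
        methods: ["GET"]
---
# 4. Secure naming made explicit on the client side: the reviews sidecar
#    originates mTLS to ratings and additionally requires the server
#    certificate to carry the ratings service-account identity, so a pod
#    that hijacked the DNS name or IP of ratings could not impersonate it.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ratings
  namespace: bookinfo
spec:
  host: ratings.bookinfo.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      subjectAltNames:
      - "spiffe://cluster.local/ns/bookinfo/sa/bookinfo-ratings"
```

Order matters when rolling this out: switching PeerAuthentication to STRICT before every client in the namespace has a sidecar will break the plaintext callers, so the usual path is PERMISSIVE first, then check the telemetry for remaining plaintext connections, then STRICT, and only then an ALLOW policy that relies on principals.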
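The Envoy terminology in item 18 and the circuit-breaking notes in items 4 and 7 shown in a single static Envoy bootstrap. This is an added example, not code from the page or from the Envoy or Istio projects; the hostname backend.internal, the ports and the threshold values are assumptions. It is the kind of configuration istiod generates for a sidecar (a DestinationRule's connectionPool and outlierDetection become the cluster's circuit_breakers and outlier_detection below), written out by hand so the pieces are visible.

```yaml
# Added example (not from the page or the Envoy/Istio projects).
# A downstream client connects to the listener on port 10000; Envoy
# routes the request to the "backend" cluster, whose upstream hosts
# are resolved from the assumed DNS name backend.internal.
static_resources:
  listeners:
  - name: ingress_http            # the named network location downstream clients connect to
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route:
                  cluster: backend
                  timeout: 2s            # per-request timeout (item 5: timeouts and retries)
                  retry_policy:
                    retry_on: "5xx,reset"
                    num_retries: 2
  clusters:
  - name: backend                  # the group of upstream hosts Envoy forwards to
    type: STRICT_DNS
    connect_timeout: 1s
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend.internal, port_value: 8080 }
    # Circuit breaking: once these thresholds are exceeded, new requests
    # fail fast with an overflow response instead of queuing behind a slow
    # upstream, which is what bounds the blast radius of a latency spike.
    circuit_breakers:
      thresholds:
      - priority: DEFAULT
        max_connections: 100
        max_pending_requests: 100
        max_requests: 200
        max_retries: 3
    # Outlier detection: a host that returns 5 consecutive 5xx responses is
    # ejected from the load-balancing pool for 30s (at most half the pool
    # at once, so a bad deploy cannot empty the cluster).
    outlier_detection:
      consecutive_5xx: 5
      interval: 10s
      base_ejection_time: 30s
      max_ejection_percent: 50
```

Read against item 18: the client on port 10000 is the downstream, backend.internal:8080 is the upstream, and ingress_http is the listener. The retry budget (max_retries) is deliberately small; retries amplify load on an upstream that is already failing, so a circuit breaker without a retry cap can make a brown-out worse rather than better.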

Tenancy models

  1. Istio uses namespaces as the unit of tenancy within a mesh (namespace tenancy).

Service Discovery

  1. To do service discovery, Istio relies on communication between the Kubernetes API, Istio’s own control plane (the traffic-management component Pilot, folded into istiod since 1.5) and its data plane, the Envoy sidecar proxies. Pilot watches the Kubernetes API server to register changes in Pod locations, translates that data into a canonical Istio representation and pushes it to the sidecar proxies over xDS.
  2. Kubernetes Services and Endpoints are converted into Istio’s internal service model; a ServiceEntry is the user-facing way to add services that are not in the Kubernetes registry (external hosts, VMs) to that same model.
  3. A VirtualService is bound to a Gateway only when it lists that gateway in its gateways field (used for externally exposed services); a VirtualService without a gateways field applies to the sidecars inside the mesh (the reserved gateway name "mesh").
  4. Request routing is configured in a service mesh using the VirtualService and DestinationRule resources:
    1. Service X tries to connect to service Y using a fully qualified domain name.
    2. The sidecar looks up the FQDN of service Y against the VirtualServices it knows to decide whether a routing rule applies.
    3. If so, the matching route’s destination (host plus optional subset) is resolved through the DestinationRule for that host to the corresponding Kubernetes service endpoints.
    4. Lastly, the call is forwarded to the selected endpoint of service Y.
  5. A DestinationRule defines the policy for traffic to a destination host after routing has happened (load balancing, TLS settings, connection-pool limits, outlier detection) and names subsets of the host’s endpoints by label; the sidecar resolves the chosen host and subset to endpoint addresses from service discovery.
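The four routing steps above written out as Istio configuration. This is an added example, not the page’s own or the Istio project’s: it assumes a Kubernetes Service named reviews in namespace default whose Pods carry the labels version=v1, version=v2 and version=v3, and an end-user header that the calling application is assumed to forward.

```yaml
# Added example (not from the page or the Istio project). Assumes a
# Service "reviews" in namespace "default" with pods labelled
# version=v1/v2/v3. A client sidecar that opens a connection to
# reviews.default.svc.cluster.local (step 1) matches this VirtualService
# by host (step 2), picks a route, and resolves the route's subset through
# the DestinationRule below (step 3) before forwarding (step 4).
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
  namespace: default
spec:
  hosts:
  - reviews.default.svc.cluster.local
  # No "gateways" field: the rule applies only to sidecars inside the
  # mesh. An ingress Gateway would have to be listed here explicitly to
  # expose the service outside the trust boundary.
  http:
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews.default.svc.cluster.local
        subset: v2            # A/B: one named user is pinned to v2
  - route:
    - destination:
        host: reviews.default.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: reviews.default.svc.cluster.local
        subset: v3
      weight: 10              # canary: 10% of the remaining traffic
    timeout: 3s
    retries:
      attempts: 2
      perTryTimeout: 1s
      retryOn: 5xx,reset
---
# Step 3: the DestinationRule gives each subset its meaning (a label
# selector over the Service's endpoints) and the per-destination policy.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
  namespace: default
spec:
  host: reviews.default.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
```

Two checks worth doing after applying this: a route that names a subset the DestinationRule does not define sends traffic nowhere, and since the header match is evaluated by the calling sidecar on whatever the application sent, a header-based rule is a routing convenience, not an access control; authorization of who may reach v2 belongs in an AuthorizationPolicy keyed on the caller’s identity.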

Blogs

  1. Istio学习笔记 (Istio study notes)
  2. Istio流量管理实现机制深度解析 (in-depth analysis of how Istio traffic management is implemented)

  3. Deploying Istio with Kubernetes

  4. Kubernetes Service Mesh: A Comparison of Istio, Linkerd and Consul

  5. Istio the Easy Way

  6. Canary Deployment using Istio with Helm

  7. Understanding Istio Ingress Gateway in Kubernetes

  8. Istio step-by-step series

  9. Istio Ingress vs. Kubernetes Ingress (Great; has a diagram; covers automatic (re)configuration)

  10. Which One is the Right Choice for the Ingress Gateway of Your Service Mesh? Kubernetes Ingress, Istio Gateway or API Gateway? (Great)

  11. 史上最详测评:6 大 Service Mesh 横向对比! (The most detailed review yet: a side-by-side comparison of 6 service meshes)
  12. A standard interface for service meshes on Kubernetes
  13. Life of a packet through Istio by Matt Turner (Important)

  14. Istio and Kubernetes in production. Part 2. Tracing
  15. Everything We Learned Running Istio In Production — Part 1 <Great: Helm charts>
  16. List of applications incompatible with Istio

  17. Redhat Istio demo

  18. 总结 istio 常见的 10 个异常及解决方案 (Summary of 10 common Istio problems and their fixes)

Envoy

  1. Gentle Introduction to the Envoy Proxy and Load-balancing
  2. 详解Istio实践之熔断和限流工作原理 (How circuit breaking and rate limiting work in Istio, explained in detail)
  3. Getting Started With Istio 2020-01
