...
- Stability and Reliability: Reliable communication with retries and circuit breaker
- Security: Secured communication with TLS
- Performance: Latency aware load balancing with warm cache
- Observability: Metrics measurement and distributed tracing without instrumenting application
- Manageability: Routing rule and rate limiting enforcement
- Testability: Fault injection to test resilience of the services
Installation
Currently, the installation scripts are in Github, they will be moved to ONAP Gerrit once the requested repo is created.
Download installation scripts with git clonefrom ONAP Gerrit:
| Code Block | ||||
|---|---|---|---|---|
| ||||
git clone https://github.com/zhaohuabing/istio-install-scripts.gitgerrit.onap.org/r/msb/service-mesh |
Kubernetes Master
We need Kubernetes1.9 or newer to enable automatic sidecar injection, so we don't have to modify every individual ONAP kubernetes yaml deployment files to add the sidecar container, which would be inconvenient.
...
Webhook and other needed features have already been configured in the install scripts to enable Istio sidecar injection.
Create the Kubernetes master by running this script:
| Code Block | ||||
|---|---|---|---|---|
| ||||
cd istioservice-mesh/install-scripts/ ./1_install_k8s_master.sh |
This script will create a Kubernetes master node with Kubeadm and install calico network plugin. Some other needed tools such as Docker, Kubectl and Helm will also be installedHelm will be installed as well.
From the output of the script, you should see a command on how to join a node to the created Kubernets cluster. Note that this is an example, the token and cert-hash of your installation will be different, please copy & paste the command to somewhere, we will need it later.
...
In the transition phase, the Istio sidecar injector policy is configured as "disabled" when installing Istio. So the sidecar injector will not inject the sidecar into pods by default. Add the `sidecar.istio.io/inject annotation` with value `true` to the pod template spec to enable injection.
Note: when all ONAP projects are ready for Istio integration, the Istio sidecar injector policy could be configured as "enabled", the annotation in the pod will not be necessary any more.
Enable Istio sidecar injection webhook.
| Code Block | ||||
|---|---|---|---|---|
| ||||
kubectl create namespace onap
kubectl label namespace onap istio-injection=enabled |
Confirm that auto sidecar injection has been enabled on onap namespace.
Example:
| Code Block | ||||
|---|---|---|---|---|
| ||||
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: {{ include "common.fullname" . }}
namespace: {{ include "common.namespace" . }}
labels:
app: {{ include "common.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: multicloud-vio
template:
metadata:
labels:
| ||||
| Code Block | ||||
| ||||
kubectl get namespace -L istio-injection NAME STATUS AGE ISTIO-INJECTION default Active 20m istio-system Active 10m kube-public Active 20m kube-system Active 20m onap Active app: {{ include 8s"common.name" . }} enabled release: {{ .Release.Name }} |
Start a local helm repository server and add it to helm repository list:
| Code Block | ||||
|---|---|---|---|---|
| ||||
helm serve &
helm repo add local http://127.0.0.1:8879 |
name: {{ include "common.name" . }}
annotations:
sidecar.istio.io/inject: "{{.Values.istioSidecar}}" |
Note: when all ONAP projects are ready for Istio integration, the Istio sidecar injector policy could be configured as "enabled", then the annotation in the pod will not be necessary any more.
Enable Istio sidecar injection webhook.Download OOM Gerrit repository and build the helm charts.
| Code Block | ||||
|---|---|---|---|---|
| ||||
gitkubectl create clone -b beijing http://gerrit.onap.org/r/oom cd oom/kubernetes make all namespace onap kubectl label namespace onap istio-injection=enabled |
Confirm that auto sidecar injection has been enabled on onap namespaceConfirm that ONAP charts have been successfully created.
| Code Block | ||||
|---|---|---|---|---|
| ||||
helm search onapkubectl get namespace -L istio-injection NAME STATUS AGE CHART VERSIONISTIO-INJECTION default APP VERSION Active DESCRIPTION local/onap 20m istio-system Active 10m kube-public 2.0.0Active 20m kube-system Active beijing 20m onap Open Network Automation Platform (ONAP) local/aafActive 8s enabled 2.0.0 |
Start a local helm repository server and add it to helm repository list:
| Code Block | ||||
|---|---|---|---|---|
| ||||
helm serve & helm repo add local http://127.0.0.1:8879 |
Download OOM Gerrit repository and build the helm charts.
| Code Block | ||||
|---|---|---|---|---|
| ||||
git clone -b beijing http://gerrit.onap.org/r/oom
cd oom/kubernetes
make all |
Confirm that ONAP charts have been successfully created.
| Code Block | ||||
|---|---|---|---|---|
| ||||
helm search onap NAME ONAP Application Authorization Framework local/aai 2.0.0 CHART VERSION ONAP APP VERSION Active and Available InventoryDESCRIPTION local/clamponap 2.0.0 beijing Open Network Automation Platform ONAP Clamp(ONAP) local/cliaaf 2.0.0 ONAP CommandApplication LineAuthorization InterfaceFramework local/consulaai 2.0.0 ONAP Active and ConsulAvailable AgentInventory local/dcaegen2clamp 2.0.0 ONAP DCAE Gen2Clamp local/dmaapcli 2.0.0 ONAP Command DMaaPLine componentsInterface local/esr consul 2.0.0 ONAP ExternalConsul System RegisterAgent local/logdcaegen2 2.0.0 ONAP LoggingDCAE ElasticStackGen2 local/msbdmaap 2.0.0 ONAP MicroServicesDMaaP Buscomponents local/multicloudesr 2.0.0 ONAP External multicloudSystem brokerRegister local/nbilog 2.0.0 ONAP NorthboundLogging InterfaceElasticStack local/oofmsb 2.0.0 ONAP OptimizationMicroServices FrameworkBus local/policymulticloud 2.0.0 ONAP Policymulticloud Administration Pointbroker local/portalnbi 2.0.0 ONAP WebNorthbound PortalInterface local/postgresoof 2.0.0 ONAP PostgresOptimization ServerFramework local/robot policy 2.0.0 AONAP helmPolicy Chart for kubernetes-ONAP Robot local/sdnc-promAdministration Point local/portal 2.0.0 ONAP SDNC Policy Driven Ownership Management local/sniro-emulator Web Portal local/postgres 2.0.0 ONAP MockPostgres Sniro EmulatorServer local/sorobot 2.0.0 A helm Chart for kubernetes-ONAP Service OrchestratorRobot local/uui sdnc-prom 2.0.0 ONAP uui local/vfc SDNC Policy Driven Ownership Management local/sniro-emulator 2.0.0 ONAP VirtualMock Function Controller (VF-C)Sniro Emulator local/vidso 2.0.0 ONAP VirtualService Infrastructure DeploymentOrchestrator local/vnfsdkuui 2.0.0 ONAP VNF SDK |
Install local/onap chart. Local/onap chart will do some initialization setup which is needed for onap components, such as creating service accounts.
| Code Block | ||||
|---|---|---|---|---|
| ||||
cd oom/kubernetes
helm install local/onap -n common --namespace onap -f onap/resources/environments/disable-allcharts.yaml |
In Casablanca, MSB project is working with VF-C and MultiCloud to verify Istio integration, so we are focusing on these three projects right now. More projects will engage later.
...
| language | bash |
|---|---|
| theme | RDark |
...
uui
local/vfc 2.0.0 ONAP Virtual Function Controller (VF-C)
local/vid 2.0.0 ONAP Virtual Infrastructure Deployment
local/vnfsdk 2.0.0 ONAP VNF SDK |
Install local/onap chart. Local/onap chart will do some initialization setup which is needed for onap components, such as creating service accounts.
| Code Block | ||||
|---|---|---|---|---|
| ||||
cd oom/kubernetes
helm install local/onap -n common --namespace onap -f onap/resources/environments/disable-allcharts.yaml |
In Casablanca, MSB project is working with VF-C and MultiCloud as pilot projects, we would like to roll out it to the other ONAP projects after verifying the integration and Istio features.
| Code Block | ||||
|---|---|---|---|---|
| ||||
helm install local/msb -n msb --namespace onap
helm install local/vfc -n vfc --namespace onap
helm install local/multicloud -n multicloud --namespace onap |
Note that you can also install other ONAP projects with helm install if they are needed. But Istio sidecar will not be injected to their Pods by default.
Confirm that ONAP microservices have been started
| Code Block | ||||
|---|---|---|---|---|
| ||||
kubectl get all -n onap
NAME READY STATUS RESTARTS AGE
pod/msb-kube2msb-77ccb675dd-rhfn7 1/1 Running 0 3h
pod/msb-msb-consul-646987f5cf-qms5v 2/2 Running 0 3h
pod/msb-msb-discovery-7647f6476f-cl6xw 3/3 Running 0 3h
pod/msb-msb-eag-d678c65d6-fmfn6 3/3 Running 0 3h
pod/msb-msb-iag-647d5f998c-dc766 3/3 Running 0 3h
pod/multicloud-multicloud-5679bd9876-tzxzw 2/2 Running 0 1h
pod/multicloud-multicloud-ocata-774579596-f7smf 3/3 Running 0 1h
pod/multicloud-multicloud-vio-8c7dbc8d5-lfcw6 3/3 Running 0 1h
pod/multicloud-multicloud-windriver-85b595675d-5vx45 3/3 Running 0 1h
pod/vfc-vfc-catalog-79764dfd8f-rkx6f 2/2 Running 1 2d
pod/vfc-vfc-ems-driver-75bc68b946-6r6r6 1/1 Running 1 2d
pod/vfc-vfc-generic-vnfm-driver-69bf778bfd-pscjn 2/2 Running 0 2d
pod/vfc-vfc-huawei-vnfm-driver-8574569f4c-8jwc4 2/2 Running 1 2d
pod/vfc-vfc-juju-vnfm-driver-6dfd876bb8-bh7dq 2/2 Running 0 2d
pod/vfc-vfc-multivim-proxy-58c7bd47dc-7qdtd 1/1 Running 0 2d
pod/vfc-vfc-nokia-v2vnfm-driver-7b77c469bd-krfrw 1/1 Running 0 2d
pod/vfc-vfc-nokia-vnfm-driver-98fbdb5b5-p9zqw 2/2 Running 0 2d
pod/vfc-vfc-nslcm-74956bb876-v9kbt 2/2 Running 0 2d
pod/vfc-vfc-resmgr-57dc4c98b5-dzp7f 2/2 Running 0 2d
pod/vfc-vfc-vnflcm-6f9dc7df44-hncf4 2/2 Running 1 2d
pod/vfc-vfc-vnfmgr-5585c688c6-7qrnp 2/2 Running 0 2d
pod/vfc-vfc-vnfres-54bc985599-9zkqn 2/2 Running 0 2d
pod/vfc-vfc-workflow-6db56f95b9-np8tg 1/1 Running 1 2d
pod/vfc-vfc-workflow-engine-7fb49fd974-kcb8q 1/1 Running 1 2d
pod/vfc-vfc-zte-sdnc-driver-585d449797-87nhp 1/1 Running 0 2d
pod/vfc-vfc-zte-vnfm-driver-59d4756fbc-rpn9v 2/2 Running 0 2d
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/msb-consul NodePort 10.96.255.198 <none> 8500:30285/TCP 3h
service/msb-discovery NodePort 10.105.163.81 <none> 10081:30281/TCP 3h
service/msb-eag NodePort 10.100.221.66 <none> 80:30282/TCP,443:30284/TCP 3h
service/msb-iag NodePort 10.96.179.117 <none> 80:30280/TCP,443:30283/TCP 3h
service/multicloud NodePort 10.102.72.237 <none> 9001:30291/TCP 1h
service/multicloud-ocata NodePort 10.99.131.129 <none> 9006:30293/TCP 1h
service/multicloud-vio NodePort 10.111.175.58 <none> 9004:30292/TCP 1h
service/multicloud-windriver NodePort 10.110.92.61 <none> 9005:30294/TCP 1h
service/vfc-catalog ClusterIP 10.99.98.115 <none> 8806/TCP 2d
service/vfc-ems-driver ClusterIP 10.96.189.14 <none> 8206/TCP 2d
service/vfc-generic-vnfm-driver ClusterIP 10.109.48.184 <none> 8484/TCP 2d
service/vfc-huawei-vnfm-driver ClusterIP 10.104.208.38 <none> 8482/TCP,8483/TCP 2d
service/vfc-juju-vnfm-driver ClusterIP 10.96.182.14 <none> 8483/TCP 2d
service/vfc-multivim-proxy ClusterIP 10.107.106.216 <none> 8481/TCP 2d
service/vfc-nokia-v2vnfm-driver ClusterIP 10.107.12.32 <none> 8089/TCP 2d
service/vfc-nokia-vnfm-driver ClusterIP 10.102.179.150 <none> 8486/TCP 2d
service/vfc-nslcm ClusterIP 10.106.43.164 <none> 8403/TCP 2d
service/vfc-resmgr ClusterIP 10.98.174.184 <none> 8480/TCP 2d
service/vfc-vnflcm ClusterIP 10.108.132.123 <none> 8801/TCP 2d
service/vfc-vnfmgr ClusterIP 10.108.59.102 <none> 8803/TCP 2d
service/vfc-vnfres ClusterIP 10.111.85.161 <none> 8802/TCP 2d
service/vfc-workflow ClusterIP 10.97.184.206 <none> 10550/TCP 2d
service/vfc-workflow-engine ClusterIP 10.109.175.61 <none> 8080/TCP 2
service/vfc-zte-sdnc-driver ClusterIP 10.103.94.142 <none> 8411/TCP 2d
service/vfc-zte-vnfm-driver ClusterIP 10.108.146.237 <none> 8410/TCP 2d |
You can open the MSB portal http://Node_IP:30280/iui/microservices/default.html in the browser to see all the registered services.
Explore Istio Features
Distributed Tracing
First, let's generate some traffics in the application, access the following URLs with curl command or open them in the browser
http://node_ip:30280/api/multicloud/v0/swagger.json
http://node_ip:30280/api/multicloud-vio/v0/swagger.json
http://node_ip:30280/api/multicloud-ocata/v0/swagger.json
Then open your browser at http://tracing_node_ip:tracing_node_port/, you should see something similar to the following:
Note
- Tracing_node_port can be found by 'kubctl get svc -n istio-system'.
- ONAP microservices need to propagate the appropriate HTTP headers so that when the proxies send span information, the spans can be correlated correctly into a single trace.
Service Graph
Istio provides a Servicegraph service which generates and visualizes graph representations of the services in the mesh.
Open your browser at http://node_ip:30088/dotviz or http://node_ip:30088/force/forcegraph.html, you should see the service graph:
Metrics Visualization
Istio automatically gathers telemetry for services in a mesh. A Prometheus adapter is plugged into Mixer to serve the generated metric data. A Grafana addon is pre-configured with a Prometheus data source and has an Istio dashboard installed for the metric visualization.
Open your browser at http://node_ip:30300, you should see the Grafana Istio dashboard:
