istio.io/archive/v1.14/blog/2021/proxyless-grpc/index.html


<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="gRPC Proxyless Service Mesh"><meta name=description content="Introduction to Istio support for gRPC's proxyless service mesh features."><meta name=author content="Steven Landow (Google)"><meta name=keywords content="microservices,services,mesh"><meta property="og:title" content="gRPC Proxyless Service Mesh"><meta property="og:type" content="website"><meta property="og:description" content="Introduction to Istio support for gRPC's proxyless service mesh features."><meta property="og:url" content="/v1.14/blog/2021/proxyless-grpc/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1024"><meta property="og:image:height" content="1024"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.14 / gRPC Proxyless Service Mesh</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.14/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.14/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.14/feed.xml><link rel="shortcut icon" href=/v1.14/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.14/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.14/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.14/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.14/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.14/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.14/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.14/favicons/android-96x96.png sizes=96x96><link rel=icon type=image/png href=/v1.14/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.14/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.14/favicons/favicon.svg><link rel=icon type=image/png href=/v1.14/favicons/favicon.png><link rel=mask-icon href=/v1.14/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.14/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.14/css/all.css><link rel=preconnect href=https://fonts.gstatic.com><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.14/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.14",docTitle="gRPC Proxyless Service Mesh",iconFile="/v1.14/img/icons.svg",buttonCopy="Copy to clipboard",buttonPrint="Print",buttonDownload="Download"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script>
<script src=/v1.14/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.14/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 
00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.14/img/icons.svg#menu-hamburger"/></svg></button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.14/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.14/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.14/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.14/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.14/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.14/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use 
xlink:href="/v1.14/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.14/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label="Search this site" placeholder=Search>
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon menu-close"><use xlink:href="/v1.14/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>gRPC Proxyless Service Mesh</h1><p>Introduction to Istio support for gRPC's proxyless service mesh features.</p></div><p class=post-author>Oct 28, 2021 <span>|</span> By Steven Landow - Google</p><div><p>Istio dynamically configures its Envoy sidecar proxies using a set of discovery APIs, collectively known as the
<a href=https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration>xDS APIs</a>.
These APIs aim to become a <a href="https://blog.envoyproxy.io/the-universal-data-plane-api-d15cec7a?gi=64aa2eea0283">universal data-plane API</a>.
The gRPC project has significant support for the xDS APIs, which means you can manage gRPC workloads
without having to deploy an Envoy sidecar along with them. You can learn more about the integration in a
<a href="https://www.youtube.com/watch?v=cGJXkZ7jiDk">KubeCon EU 2021 talk from Megan Yahya</a>. The latest updates on gRPC&rsquo;s
support can be found in their <a href="https://github.com/grpc/proposal/search?q=xds">proposals</a> along with implementation
status.</p><p>Istio 1.11 adds experimental support for adding gRPC services directly to the mesh. We support basic service
discovery, some VirtualService based traffic policy, and mutual TLS.</p><h2 id=supported-features>Supported Features</h2><p>The current implementation of the xDS APIs within gRPC is limited in some areas compared to Envoy. The following
features should work, although this is not an exhaustive list and other features may have partial functionality:</p><ul><li>Basic service discovery. Your gRPC service can reach other pods and virtual machines registered in the mesh.</li><li><a href=/v1.14/docs/reference/config/networking/destination-rule/><code>DestinationRule</code></a>:<ul><li>Subsets: Your gRPC service can split traffic based on label selectors to different groups of instances.</li><li>The only Istio <code>loadBalancer</code> currently supported is <code>ROUND_ROBIN</code>, <code>consistentHash</code> will be added in
future versions of Istio (it is supported by gRPC).</li><li><code>tls</code> settings are restricted to <code>DISABLE</code> or <code>ISTIO_MUTUAL</code>. Other modes will be treated as <code>DISABLE</code>.</li></ul></li><li><a href=/v1.14/docs/reference/config/networking/virtual-service/><code>VirtualService</code></a>:<ul><li>Header match and URI match in the format <code>/ServiceName/RPCName</code>.</li><li>Override destination host and subset.</li><li>Weighted traffic shifting.</li></ul></li><li><a href=/v1.14/docs/reference/config/security/peer_authentication/><code>PeerAuthentication</code></a>:<ul><li>Only <code>DISABLE</code> and <code>STRICT</code> are supported. Other modes will be treated as <code>DISABLE</code>.</li><li>Support for auto-mTLS may exist in a future release.</li></ul></li></ul><p>Other features including faults, retries, timeouts, mirroring and rewrite rules may be supported in a future release.
Some of these features are awaiting implementation in gRPC, and others require work in Istio to support. The status
of xDS features in gRPC can be found in the <a href=https://github.com/grpc/grpc/blob/master/doc/grpc_xds_features.md>gRPC xDS feature status document</a>. The
status of Istio&rsquo;s support will be documented in future official docs.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.14/img/icons.svg#callout-warning"/></svg></div><div class=content>This feature is <a href=/v1.14/docs/releases/feature-stages/>experimental</a>. Standard Istio features will become supported
over time along with improvements to the overall design.</div></aside></div><h2 id=architecture-overview>Architecture Overview</h2><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:44.32692307692307%><a data-skipendnotes=true href=/v1.14/blog/2021/proxyless-grpc/architecture.svg title="Diagram of how gRPC services communicate with the istiod"><img class=element-to-stretch src=/v1.14/blog/2021/proxyless-grpc/architecture.svg alt="Diagram of how gRPC services communicate with the istiod"></a></div><figcaption>Diagram of how gRPC services communicate with the istiod</figcaption></figure><p>Although this doesn&rsquo;t use a proxy for data plane communication, it still requires an agent for initialization and
communication with the control-plane. First, the agent generates a <a href=https://github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md#xdsclient-and-bootstrap-file>bootstrap file</a>
at startup the same way it would generate bootstrap for Envoy. This tells the <code>gRPC</code> library how to connect to <code>istiod</code>,
where it can find certificates for data plane communication, and what metadata to send to the control plane. Next, the
agent acts as an <code>xDS</code> proxy, connecting and authenticating with <code>istiod</code> on the application&rsquo;s behalf. Finally, the
agent fetches and rotates certificates used in data plane traffic.</p><h2 id=changes-to-application-code>Changes to application code</h2><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.14/img/icons.svg#callout-tip"/></svg></div><div class=content>This section covers gRPC&rsquo;s xDS support in Go. Similar APIs exist for other languages.</div></aside></div><p>To enable the xDS features in gRPC, there are a handful of required changes your application must make. Your gRPC version should be at least <code>1.39.0</code>.</p><h3 id=in-the-client>In the client</h3><p>The following side-effect import will register the xDS resolvers and balancers within gRPC. It should be added in your
<code>main</code> package or in the same package calling <code>grpc.Dial</code>.</p><pre><code class=language-go data-expandlinks=true data-repo=istio>import _ &#34;google.golang.org/grpc/xds&#34;
</code></pre><p>When creating a gRPC connection the URL must use the <code>xds:///</code> scheme.</p><pre><code class=language-go data-expandlinks=true data-repo=istio>conn, err := grpc.DialContext(ctx, &#34;xds:///foo.ns.svc.cluster.local:7070&#34;)
</code></pre><p>Additionally, for (m)TLS support, a special <code>TransportCredentials</code> option has to be passed to <code>DialContext</code>.
The <code>FallbackCreds</code> are used when istiod doesn&rsquo;t send any security config; with <code>insecure.NewCredentials()</code> as the fallback, the connection is then established without transport security.</p><pre><code class=language-go data-expandlinks=true data-repo=istio>import &#34;google.golang.org/grpc/credentials/xds&#34;
...
creds, err := xds.NewClientCredentials(xds.ClientOptions{
FallbackCreds: insecure.NewCredentials()
})
// handle err
conn, err := grpc.DialContext(
ctx,
&#34;xds:///foo.ns.svc.cluster.local:7070&#34;,
grpc.WithTransportCredentials(creds),
)
</code></pre><h3 id=on-the-server>On the server</h3><p>To support server-side configurations, such as mTLS, there are a couple of modifications that must be made.</p><p>First, we use a special constructor to create the <code>GRPCServer</code>:</p><pre><code class=language-go data-expandlinks=true data-repo=istio>import &#34;google.golang.org/grpc/xds&#34;
...
server = xds.NewGRPCServer()
RegisterFooServer(server, &amp;fooServerImpl)
</code></pre><p>If your <code>protoc</code>-generated Go code is out of date, you may need to regenerate it to be compatible with the xDS server.
Your generated <code>RegisterFooServer</code> function should look like the following:</p><pre><code class=language-go data-expandlinks=true data-repo=istio>func RegisterFooServer(s grpc.ServiceRegistrar, srv FooServer) {
s.RegisterService(&amp;FooServer_ServiceDesc, srv)
}
</code></pre><p>Finally, as with the client-side changes, we must enable security support:</p><pre><code class=language-go data-expandlinks=true data-repo=istio>creds, err := xds.NewServerCredentials(xdscreds.ServerOptions{FallbackCreds: insecure.NewCredentials()})
// handle err
server = xds.NewGRPCServer(grpc.Creds(creds))
</code></pre><h3 id=in-your-kubernetes-deployment>In your Kubernetes Deployment</h3><p>Assuming your application code is compatible, the Pod simply needs the annotation <code>inject.istio.io/templates: grpc-agent</code>.
This adds a sidecar container running the agent described above, and some environment variables that gRPC uses to find
the bootstrap file and enable certain features.</p><p>For gRPC servers, your Pod should also be annotated with <code>proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true}'</code>
to make sure the in-agent xDS proxy and bootstrap file are ready before your gRPC server is initialized.</p><h2 id=example>Example</h2><p>In this guide you will deploy <code>echo</code>, an application that already supports both server-side and client-side
proxyless gRPC. With this app you can try out some of the supported traffic policies and enable mTLS.</p><h3 id=prerequisites>Prerequisites</h3><p>This guide requires the Istio (1.11+) control plane <a href=/v1.14/docs/setup/install/>to be installed</a> before proceeding.</p><h3 id=deploy-the-application>Deploy the application</h3><p>Create an injection-enabled namespace <code>echo-grpc</code>. Next, deploy two instances of the <code>echo</code> app as well as the Service.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl create namespace echo-grpc
$ kubectl label namespace echo-grpc istio-injection=enabled
$ kubectl -n echo-grpc apply -f samples/grpc-echo/grpc-echo.yaml
</code></pre><p>Make sure the two pods are running:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n echo-grpc get pods
NAME READY STATUS RESTARTS AGE
echo-v1-69d6d96cb7-gpcpd 2/2 Running 0 58s
echo-v2-5c6cbf6dc7-dfhcb 2/2 Running 0 58s
</code></pre><h3 id=test-the-grpc-resolver>Test the gRPC resolver</h3><p>First, port-forward <code>17171</code> to one of the Pods. This port is served by a non-xDS-backed gRPC server that allows making
requests from the port-forwarded Pod.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n echo-grpc port-forward $(kubectl -n echo-grpc get pods -l version=v1 -ojsonpath=&#39;{.items[0].metadata.name}&#39;) 17171 &amp;
</code></pre><p>Next, we can fire off a batch of 5 requests:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ grpcurl -plaintext -d &#39;{&#34;url&#34;: &#34;xds:///echo.echo-grpc.svc.cluster.local:7070&#34;, &#34;count&#34;: 5}&#39; :17171 proto.EchoTestService/ForwardEcho | jq -r &#39;.output | join(&#34;&#34;)&#39; | grep Hostname
Handling connection for 17171
[0 body] Hostname=echo-v1-7cf5b76586-bgn6t
[1 body] Hostname=echo-v2-cf97bd94d-qf628
[2 body] Hostname=echo-v1-7cf5b76586-bgn6t
[3 body] Hostname=echo-v2-cf97bd94d-qf628
[4 body] Hostname=echo-v1-7cf5b76586-bgn6t
</code></pre><p>You can also use Kubernetes-like name resolution for short names:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ grpcurl -plaintext -d &#39;{&#34;url&#34;: &#34;xds:///echo:7070&#34;}&#39; :17171 proto.EchoTestService/ForwardEcho | jq -r &#39;.output | join
(&#34;&#34;)&#39; | grep Hostname
[0 body] Hostname=echo-v1-7cf5b76586-ltr8q
$ grpcurl -plaintext -d &#39;{&#34;url&#34;: &#34;xds:///echo.echo-grpc:7070&#34;}&#39; :17171 proto.EchoTestService/ForwardEcho | jq -r
&#39;.output | join(&#34;&#34;)&#39; | grep Hostname
[0 body] Hostname=echo-v1-7cf5b76586-ltr8q
$ grpcurl -plaintext -d &#39;{&#34;url&#34;: &#34;xds:///echo.echo-grpc.svc:7070&#34;}&#39; :17171 proto.EchoTestService/ForwardEcho | jq -r
&#39;.output | join(&#34;&#34;)&#39; | grep Hostname
[0 body] Hostname=echo-v2-cf97bd94d-jt5mf
</code></pre><h3 id=creating-subsets-with-destination-rule>Creating subsets with destination rule</h3><p>First, create a subset for each version of the workload.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat &lt;&lt;EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: echo-versions
namespace: echo-grpc
spec:
host: echo.echo-grpc.svc.cluster.local
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
EOF
</code></pre><h3 id=traffic-shifting>Traffic shifting</h3><p>Using the subsets defined above, you can send 80 percent of the traffic to a specific version:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat &lt;&lt;EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: echo-weights
namespace: echo-grpc
spec:
hosts:
- echo.echo-grpc.svc.cluster.local
http:
- route:
- destination:
host: echo.echo-grpc.svc.cluster.local
subset: v1
weight: 20
- destination:
host: echo.echo-grpc.svc.cluster.local
subset: v2
weight: 80
EOF
</code></pre><p>Now, send a set of 10 requests:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ grpcurl -plaintext -d &#39;{&#34;url&#34;: &#34;xds:///echo.echo-grpc.svc.cluster.local:7070&#34;, &#34;count&#34;: 10}&#39; :17171 proto.EchoTestService/ForwardEcho | jq -r &#39;.output | join(&#34;&#34;)&#39; | grep ServiceVersion
</code></pre><p>The response should contain mostly <code>v2</code> responses:</p><pre><code class=language-plain data-expandlinks=true data-repo=istio>[0 body] ServiceVersion=v2
[1 body] ServiceVersion=v2
[2 body] ServiceVersion=v1
[3 body] ServiceVersion=v2
[4 body] ServiceVersion=v1
[5 body] ServiceVersion=v2
[6 body] ServiceVersion=v2
[7 body] ServiceVersion=v2
[8 body] ServiceVersion=v2
[9 body] ServiceVersion=v2
</code></pre><h3 id=enabling-mtls>Enabling mTLS</h3><p>Due to the changes to the application itself required to enable security in gRPC, Istio&rsquo;s traditional method of
automatically detecting mTLS support is unreliable. For this reason, the initial release requires explicitly enabling
mTLS on both the client and server.</p><p>To enable client-side mTLS, apply a <code>DestinationRule</code> with <code>tls</code> settings:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat &lt;&lt;EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: echo-mtls
namespace: echo-grpc
spec:
host: echo.echo-grpc.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
EOF
</code></pre><p>Now an attempt to call the server, which is not yet configured for mTLS, will fail.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ grpcurl -plaintext -d &#39;{&#34;url&#34;: &#34;xds:///echo.echo-grpc.svc.cluster.local:7070&#34;}&#39; :17171 proto.EchoTestService/ForwardEcho | jq -r &#39;.output | join(&#34;&#34;)&#39;
Handling connection for 17171
ERROR:
Code: Unknown
Message: 1/1 requests had errors; first error: rpc error: code = Unavailable desc = all SubConns are in TransientFailure
</code></pre><p>To enable server-side mTLS, apply a <code>PeerAuthentication</code>.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.14/img/icons.svg#callout-warning"/></svg></div><div class=content>The following policy forces STRICT mTLS for the entire namespace.</div></aside></div><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat &lt;&lt;EOF | kubectl apply -f -
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: echo-mtls
namespace: echo-grpc
spec:
mtls:
mode: STRICT
EOF
</code></pre><p>Requests will start to succeed after applying the policy.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ grpcurl -plaintext -d &#39;{&#34;url&#34;: &#34;xds:///echo.echo-grpc.svc.cluster.local:7070&#34;}&#39; :17171 proto.EchoTestService/ForwardEcho | jq -r &#39;.output | join(&#34;&#34;)&#39;
Handling connection for 17171
[0] grpcecho.Echo(&amp;{xds:///echo.echo-grpc.svc.cluster.local:7070 map[] 0 5s false })
[0 body] x-request-id=0
[0 body] Host=echo.echo-grpc.svc.cluster.local:7070
[0 body] content-type=application/grpc
[0 body] user-agent=grpc-go/1.39.1
[0 body] StatusCode=200
[0 body] ServiceVersion=v1
[0 body] ServicePort=17070
[0 body] Cluster=
[0 body] IP=10.68.1.18
[0 body] IstioVersion=
[0 body] Echo=
[0 body] Hostname=echo-v1-7cf5b76586-z5p8l
</code></pre><h2 id=limitations>Limitations</h2><p>The initial release comes with several limitations that may be fixed in a future version:</p><ul><li>Auto-mTLS isn&rsquo;t supported, and permissive mode isn&rsquo;t supported. Instead we require explicit mTLS configuration with
<code>STRICT</code> on the server and <code>ISTIO_MUTUAL</code> on the client. Envoy can be used during the migration to <code>STRICT</code>.</li><li><code>grpc.Serve(listener)</code> or <code>grpc.Dial("xds:///...")</code> called before the bootstrap is written or xDS proxy is ready can
cause a failure. <code>holdApplicationUntilProxyStarts</code> can be used to work around this, or the application can be more
robust to these failures.</li><li>If the xDS-enabled gRPC server uses mTLS then you will need to make sure your health checks can work around this.
Either a separate port should be used, or your health-checking client needs a way to get the proper client
certificates.</li><li>The implementation of xDS in gRPC does not match Envoy&rsquo;s. Certain behaviors may be different, and some features may
be missing. The <a href=https://github.com/grpc/grpc/blob/master/doc/grpc_xds_features.md>feature status for gRPC</a> provides more detail. Make sure to test that any Istio
configuration actually applies on your proxyless gRPC apps.</li></ul><h2 id=performance>Performance</h2><h3 id=experiment-setup>Experiment Setup</h3><ul><li>Using Fortio, a Go-based load testing app<ul><li>Slightly modified to support gRPC&rsquo;s xDS features (PR)</li></ul></li><li>Resources:<ul><li>GKE 1.20 cluster with 3 <code>e2-standard-16</code> nodes (16 CPUs + 64 GB memory each)</li><li>Fortio client and server apps: 1.5 vCPU, 1000 MiB memory</li><li>Sidecar (istio-agent and possibly Envoy proxy): 1 vCPU, 512 MiB memory</li></ul></li><li>Workload types tested:<ul><li>Baseline: regular gRPC with no Envoy proxy or Proxyless xDS in use</li><li>Envoy: standard istio-agent + Envoy proxy sidecar</li><li>Proxyless: gRPC using the xDS gRPC server implementation and <code>xds:///</code> resolver on the client</li><li>mTLS enabled/disabled via <code>PeerAuthentication</code> and <code>DestinationRule</code></li></ul></li></ul><h3 id=latency>Latency</h3><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:75%><a data-skipendnotes=true href=/v1.14/blog/2021/proxyless-grpc/latencies_p50.svg title="p50 latency comparison chart"><img class=element-to-stretch src=/v1.14/blog/2021/proxyless-grpc/latencies_p50.svg alt="p50 latency comparison chart"></a></div><figcaption>p50 latency comparison chart</figcaption></figure><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:75%><a data-skipendnotes=true href=/v1.14/blog/2021/proxyless-grpc/latencies_p99.svg title="p99 latency comparison chart"><img class=element-to-stretch src=/v1.14/blog/2021/proxyless-grpc/latencies_p99.svg alt="p99 latency comparison chart"></a></div><figcaption>p99 latency comparison chart</figcaption></figure><p>There is a marginal increase in latency when using the proxyless gRPC resolvers. Compared to Envoy this is a massive
improvement that still allows for advanced traffic management features and mTLS.</p><h3 id=istio-proxy-container-resource-usage>istio-proxy container resource usage</h3><table><thead><tr><th></th><th>Client <code>mCPU</code></th><th>Client Memory (<code>MiB</code>)</th><th>Server <code>mCPU</code></th><th>Server Memory (<code>MiB</code>)</th></tr></thead><tbody><tr><td>Envoy Plaintext</td><td>320.44</td><td>66.93</td><td>243.78</td><td>64.91</td></tr><tr><td>Envoy mTLS</td><td>340.87</td><td>66.76</td><td>309.82</td><td>64.82</td></tr><tr><td>Proxyless Plaintext</td><td>0.72</td><td>23.54</td><td>0.84</td><td>24.31</td></tr><tr><td>Proxyless mTLS</td><td>0.73</td><td>25.05</td><td>0.78</td><td>25.43</td></tr></tbody></table><p>Even though we still require an agent, the agent uses less than 0.1% of a full vCPU, and only 25 MiB of memory,
which is less than half of what running Envoy requires.</p><p>These metrics don&rsquo;t include additional resource usage by gRPC in the application container,
but serve to demonstrate the resource usage impact of the istio-agent when running in this mode.</p></div><nav class=pagenav><div class=left><a title="Introduction to the new Wasm Plugin API and updates to the Wasm-based plugin support in Envoy and Istio." href=/v1.14/blog/2021/wasm-api-alpha/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.14/img/icons.svg#left-arrow"/></svg>Announcing the alpha availability of WebAssembly Plugins</a></div><div class=right><a title="Aeraki provides a framework to allow Istio to support more layer-7 protocols other than HTTP." href=/v1.14/blog/2021/aeraki/ class=next-link>Aeraki — Manage Any Layer-7 Protocol in Istio Service Mesh<svg class="icon right-arrow"><use xlink:href="/v1.14/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.14/img/icons.svg#github"/></svg></a><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.14/img/icons.svg#drive"/></svg></a><a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.14/img/icons.svg#slack"/></svg></a><a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.14/img/icons.svg#stackoverflow"/></svg></a><a class=channel title="Follow us on Twitter to get the 