Open Service Mesh (OSM) is a popular open-source service mesh technology developed by Microsoft. It provides a simple, lightweight, and efficient way to manage and secure microservices-based applications in a cloud-native environment. In this blog post, we will explore the key features of OSM, its benefits, and technical examples that match various business cases.
What is Open Service Mesh (OSM)?
A service mesh is a dedicated infrastructure layer for managing, securing, and monitoring service-to-service communication within a microservices architecture. OSM is an open-source service mesh technology that provides a lightweight and easy-to-use framework for managing and securing microservices communication. It is built on top of Kubernetes and is designed to work with any Kubernetes-based cloud-native platform.
OSM is a cloud-agnostic service mesh that allows users to deploy and manage microservices on any cloud platform, including public cloud, private cloud, and hybrid cloud environments. It provides a seamless way to connect and secure microservices across different clusters and regions.
Azure makes this a seamless operation for integration into AKS we will run the commands in the cli and go through how this is enabled.
Let’s first authenticate to our client if your using your own shell like myself
az login
We will start to with creating a resource group (you can name this as you’d like but remember this is going to house your resources)
az group create --name aks-osm-add --location eastus
az aks create \
--resource-group aks-osm-add \
--name aks-osm-100 \
--enable-addons open-service-mesh \
--generate-ssh-keys
If you want to store these keys for long term storage consider Azure Key Vault or a KMS system because this is development I’m generating my SSH key locally for this.
The output of the creation shows we have the enablement true but to check this even further we can run the following command.
az aks get-credentials --resource-group aks-osm-add --name aks-osm-100
So now this is what we run to verify
Verification of Installation of OSM on your cluster
az aks show --resource-group aks-osm-add --name aks-osm-100 --query 'addonProfiles.openServiceMesh.enabled'
Verify our OSM mesh is running on our AKS cluster
kubectl get deployment -n kube-system osm-controller -o=jsonpath='{$.spec.template.spec.containers[:1].image}'
To check on the components the reference documentation is helpful in providing the following commands
kubectl get deployments -n kube-system --selector app.kubernetes.io/name=openservicemesh.io
kubectl get pods -n kube-system --selector app.kubernetes.io/name=openservicemesh.io
kubectl get services -n kube-system --selector app.kubernetes.io/name=openservicemesh.io
If status shows running this can be a number of things but first consider if you have resource quota to run the resources for OSM by the quotas for Azure.
Let’s now verify the configuration of OSM mesh using the kubectl get meshconfig.
kubectl get meshconfig osm-mesh-config -n kube-system -o yaml
We are seeing the configuration from the YAML configuration breaking that down we can see egress is enabled along with the WASM stats as well its important to see the details but as well verify if any changes need to be made.
The enablePermissiveTrafficPolicyMode: true means OSM has permissive traffic policy mode enabled.
- SMI traffic policy enforcement is bypassed
- OSM will automatically discovers services that are a part of the service mesh
- OSM creates traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services
Running the following Sample Application provided from the documentation we are going to explore the capabilities of OSM
https://release-v1-0.docs.openservicemesh.io/docs/getting_started/install_apps/
So we start by creating the namespaces
kubectl create ns bookstore
kubectl create ns bookbuyer
kubectl create ns bookthief
kubectl create ns bookwarehouse
Taking a detour to Install OSM command-line
For GNU/Linux and macOS
system=$(uname -s)
release=v1.0.0
curl -L https://github.com/openservicemesh/osm/releases/download/${release}/osm-${release}-${system}-amd64.tar.gz | tar -vxzf -
./${system}-amd64/osm version
Once this is created we will grab our credentials and explore our new cluster with the open-service-mesh add-on.
If you have trouble with this navigate to portal.azure.com and your AKS Cluster to add these to the OSM
If you are using the OSM CLI the command will look like this below
osm namespace add bookstore bookbuyer bookthief bookwarehouse
This will update to show the namespaces we created a part of our OSM now. This will start injecting all new pods with the Envoy sidecars.
Create Pods/Services/ServiceAccounts
Create the bookbuyer service account and deployment
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.0/manifests/apps/bookbuyer.yaml
Create the bookthief service account and deployment
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.0/manifests/apps/bookthief.yaml
Create the bookstore service account, service and deployment
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.0/manifests/apps/bookstore.yaml
Create the bookwarehouse service account, service and deploment
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.0/manifests/apps/bookwarehouse.yaml
Finally we will create mysql service account, service and stateful set.
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.0/manifests/apps/mysql.yaml
Let’s see what is installed in the first namespace we’ve created
kubectl get pods,deployments,serviceaccounts -n bookbuyer
kubectl get pods,deployments,serviceaccounts -n bookthief
kubectl get pods,deployments,serviceaccounts,services,endpoints -n bookstore
kubectl get pods,deployments,serviceaccounts,services,endpoints -n bookwarehouse
Application UI’s
To access the applications UI’s we will set client port forwarding with the following steps.
git clone https://github.com/openservicemesh/osm.git
Then run the following command
cp .env.example .env
bash <<EOF
./scripts/port-forward-bookbuyer-ui.sh &
./scripts/port-forward-bookstore-ui.sh &
./scripts/port-forward-bookthief-ui.sh &
wait
EOF
In a browser, open up the following urls:
- http://localhost:8080 – bookbuyer
- http://localhost:8083 – bookthief
- http://localhost:8084 – bookstore
Book buyer looks like this similar HTML.
Traffic Policy Setup
To check the traffic policy mode is enable or not we have to remember we referencing the enablePermissiveTrafficPolicyMode key on the osm-mesh-config mesh config resource.
kubectl get meshconfig osm-mesh-config -n kube-system -o jsonpath='{.spec.traffic.enablePermissiveTrafficPolicyMode}{"\n"}'
SMI Traffic Policy Mode
These can be used for the following via the documentation.
- SMI access control policies to authorize traffic access between service identities
- SMI traffic specs policies to define routing rules to associate with access control policies
- SMI traffic split policies to direct client traffic to multiple backends based on weights
kubectl patch meshconfig osm-mesh-config -n kube-system -p '{"spec":{"traffic":{"enablePermissiveTrafficPolicyMode":false}}}' --type=merge
We have to disable the permissive traffic policy mode for this next process to deploy SMI access control policies.
Deploy SMI Access Control Policies
We will start by applying the SMI Traffic Target and SMI Traffic Specs resources to define access control and routing policies for the applications to communicate.
Deploy SMI TrafficTarget and HTTPRouteGroup policy
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/access/traffic-access-v1.yaml
This has changed further with values that have increased from our bookbuyer incrementing.
This is because the SMI Traffic Target SMI HTTPRouteGroup resource deployed only allow bookbuyer to communicate with bookstore
Allow Booktheif Application to Access the Mesh
We will apply the updated YAML file to the below image
This can be applied via the command below
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/access/traffic-access-v1-allow-bookthief.yaml
So we can see the traffic bookstore is configured on this update and the others are unchanged.
Book thief is now incrementing
Now let’s apply the original traffic target object without the bookthief listed as allowed source
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/access/traffic-access-v1.yaml
Our counter will stop communicating on the Book Thief App let’s go back to our Book Thief tab
However, our BookBuyer is still open communicating with increments above the values listed on the app of Book Thief
Now let’s also check back to make sure our Book Thief is not incrementing and communicating.
Added the time stamp to show that the changes haven’t updated even as time has progressed in this area.
Run the following command to clean up your resources (or you’ll have a surprise bill coming soon!)
az group delete --name aks-osm-add
Summary
Key Features of Open Service Mesh (OSM)
OSM has several key features that make it an ideal choice for managing and securing microservices-based applications. These include:
- Lightweight and efficient – OSM is designed to be lightweight and efficient, which means that it has a minimal impact on the performance of microservices.
- Easy to deploy – OSM is easy to deploy and manage, thanks to its integration with Kubernetes. It can be installed and configured in a few simple steps, using Kubernetes YAML files.
- Advanced traffic management – OSM provides advanced traffic management features, such as traffic splitting, routing, and load balancing, to ensure that microservices are always available and responsive.
- Secure communication – OSM provides end-to-end encryption of microservices communication, ensuring that data is protected from unauthorized access.
- Observability – OSM provides advanced monitoring and observability features, such as metrics and logging, to help developers diagnose and troubleshoot issues in real-time.
OSM simplifies multi-cluster deployment by providing a single service mesh that spans multiple clusters and regions. It allows organizations to deploy and manage
Open source in service mesh will continue to add features and enable communication securely as you build your services this can be a alternative to other service mesh that you’ve consider with a easy native integration in Azure.