Integrations with Open Service Mesh on Azure Kubernetes Service (AKS)
The Open Service Mesh (OSM) add-on integrates with features provided by Azure as well as open source projects.
Integrations with open source projects aren't covered by the AKS support policy.
Ingress allows for traffic external to the mesh to be routed to services within the mesh. With OSM, you can configure most ingress solutions to work with your mesh, but OSM works best with Web Application Routing, NGINX ingress, or Contour ingress. Open source projects integrating with OSM are not covered by the AKS support policy.
At this time, Azure Gateway Ingress Controller (AGIC) only works for HTTP backends. If you configure OSM to use AGIC, AGIC will not be used for other backends such as HTTPS and mTLS.
Using the Azure Gateway Ingress Controller (AGIC) with the OSM add-on for HTTP ingress
You can't configure Azure Gateway Ingress Controller (AGIC) for HTTPS ingress.
After installing the AGIC ingress controller, create a namespace for the application service, add it to the mesh using the OSM CLI, and deploy the application service to that namespace:
# Create a namespace kubectl create ns httpbin # Add the namespace to the mesh osm namespace add httpbin # Deploy the application export RELEASE_BRANCH=release-v1.2 kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/$RELEASE_BRANCH/manifests/samples/httpbin/httpbin.yaml -n httpbin
Verify that the pods are up and running, and have the envoy sidecar injected:
kubectl get pods -n httpbin
NAME READY STATUS RESTARTS AGE httpbin-7c6464475-9wrr8 2/2 Running 0 6d20h
kubectl get svc -n httpbin
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE httpbin ClusterIP 10.0.92.135 <none> 14001/TCP 6d20h
Next, deploy the following
IngressBackend configurations to allow external clients to access the
httpbin service on port
kubectl apply -f <<EOF apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: httpbin namespace: httpbin annotations: kubernetes.io/ingress.class: azure/application-gateway spec: rules: - http: paths: - path: / pathType: Prefix backend: service: name: httpbin port: number: 14001 --- kind: IngressBackend apiVersion: policy.openservicemesh.io/v1alpha1 metadata: name: httpbin namespace: httpbin spec: backends: - name: httpbin port: number: 14001 # targetPort of httpbin service protocol: http sources: - kind: IPRange name: 10.0.0.0/8 EOF
Ensure that both the Ingress and IngressBackend objects have been successfully deployed:
kubectl get ingress -n httpbin
NAME CLASS HOSTS ADDRESS PORTS AGE httpbin <none> * 220.127.116.11 80 6d20h
kubectl get ingressbackend -n httpbin
NAME STATUS httpbin committed
kubectl to display the external IP address of the ingress service.
kubectl get ingress -n httpbin
curl to verify you can access the
httpbin service using the external IP address of the ingress service.
curl -sI http://<external-ip>/get
Confirm you receive a response with
Observability of metrics allows you to view the metrics of your mesh and the deployments in your mesh. With OSM, you can use Prometheus and Grafana for metrics observability, but those integrations aren't covered by the AKS support policy.
You can also integrate OSM with Azure Monitor.
Before you can enable metrics on your mesh to integrate with Azure Monitor:
- Enable Azure Monitor on your cluster
- Enable the OSM add-on for your AKS cluster
- Onboard your application namespaces to the mesh
To enable metrics for a namespace in the mesh use
osm metrics enable. For example:
osm metrics enable --namespace myappnamespace
Create a Configmap in the
kube-system namespace that enables Azure Monitor to monitor your namespaces. For example, create a
monitor-configmap.yaml with the following to monitor the
kind: ConfigMap apiVersion: v1 data: schema-version: v1 config-version: ver1 osm-metric-collection-configuration: |- # OSM metric collection settings [osm_metric_collection_configuration] [osm_metric_collection_configuration.settings] # Namespaces to monitor monitor_namespaces = ["myappnamespace"] metadata: name: container-azm-ms-osmconfig namespace: kube-system
Apply that ConfigMap using
kubectl apply -f monitor-configmap.yaml
To access your metrics from the Azure portal, select your AKS cluster, then select Logs under Monitoring. From the Monitoring section, query the
InsightsMetrics table to view metrics in the enabled namespaces. For example, the following query shows the envoy metrics for the myappnamespace namespace.
InsightsMetrics | where Name contains "envoy" | extend t=parse_json(Tags) | where t.app == "myappnamespace"
Automation and developer tools
OSM can integrate with certain automation projects and developer tooling to help operators and developers build and release applications. For example, OSM integrates with Flagger for progressive delivery and Dapr for building applications. OSM's integration with Flagger and Dapr aren't covered by the AKS support policy.
External authorization allows you to offload authorization of HTTP requests to an external service. OSM can use external authorization by integrating with Open Policy Agent (OPA), but that integration isn't covered by the AKS support policy.
OSM has several types of certificates it uses to operate on your AKS cluster. OSM includes its own certificate manager called Tresor, which is used by default. Alternatively, OSM allows you to integrate with Hashicorp Vault and cert-manager, but those integrations aren't covered by the AKS support policy.