Integrations with Open Service Mesh on Azure Kubernetes Service (AKS)

The Open Service Mesh (OSM) add-on integrates with features provided by Azure and some open source projects.

Note

With the retirement of Open Service Mesh (OSM) by the Cloud Native Computing Foundation (CNCF), we recommend identifying your OSM configurations and migrating them to an equivalent Istio configuration. For information about migrating from OSM to Istio, see Migration guidance for Open Service Mesh (OSM) configurations to Istio.

Important

Integrations with open source projects aren't covered by the AKS support policy.

Ingress

Ingress allows traffic from outside the mesh to be routed to services inside the mesh. With OSM, you can configure most ingress solutions to work with your mesh; the solution documented here is the Azure Application Gateway Ingress Controller (AGIC).

Note

At this time, the Application Gateway Ingress Controller (AGIC) only works for HTTP backends. If you configure OSM to use AGIC, AGIC won't be used for other backends, such as HTTPS and mTLS.

Use the Application Gateway Ingress Controller (AGIC) with the OSM add-on for HTTP ingress

Important

You can't configure the Application Gateway Ingress Controller (AGIC) for HTTPS ingress.

Create a namespace and deploy the application service

  1. Install the AGIC ingress controller.

  2. Create a namespace for the application service using the kubectl create ns command.

    kubectl create ns httpbin
    
  3. Add the namespace to the mesh using the osm namespace add OSM CLI command.

    osm namespace add httpbin
    
  4. Deploy the application service to the namespace using the kubectl apply command.

    export RELEASE_BRANCH=release-v1.2
    kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/$RELEASE_BRANCH/manifests/samples/httpbin/httpbin.yaml -n httpbin
    
  5. Verify the pods are up and running and have the envoy sidecar injected using the kubectl get pods command.

    kubectl get pods -n httpbin
    

    Your output should look similar to the following example output:

    NAME                      READY   STATUS    RESTARTS   AGE
    httpbin-7c6464475-9wrr8   2/2     Running   0          6d20h
    
  6. List the details of the service using the kubectl get svc command.

    kubectl get svc -n httpbin
    

    Your output should look similar to the following example output:

    NAME      TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)     AGE
    httpbin   ClusterIP   10.0.92.135   <none>        14001/TCP   6d20h
    

Deploy the ingress configurations and verify access to the application service

  1. Deploy the following Ingress and IngressBackend configurations using the kubectl apply command. The Ingress tells AGIC to route external requests to the httpbin service on port 14001; the IngressBackend tells OSM which source IP ranges may reach which backend ports, and without a matching IngressBackend the sidecar rejects the ingress traffic.

    kubectl apply -f - <<EOF
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: httpbin
      namespace: httpbin
      annotations:
        kubernetes.io/ingress.class: azure/application-gateway
    spec:
      rules:
      - http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: httpbin
                port:
                  number: 14001
    ---
    kind: IngressBackend
    apiVersion: policy.openservicemesh.io/v1alpha1
    metadata:
      name: httpbin
      namespace: httpbin
    spec:
      backends:
      - name: httpbin
        port:
          number: 14001 # targetPort of httpbin service
          protocol: http
      sources:
      - kind: IPRange
        name: 10.0.0.0/8 # narrow this to the subnet Application Gateway uses where possible
    EOF
    
  2. Verify the Ingress object was successfully deployed using the kubectl get ingress command and make note of the external IP address.

    kubectl get ingress -n httpbin
    

    Your output should look similar to the following example output:

    NAME      CLASS    HOSTS   ADDRESS         PORTS   AGE
    httpbin   <none>   *       20.85.173.179   80      6d20h
    
  3. Verify the IngressBackend object was successfully deployed using the kubectl get ingressbackend command.

    kubectl get ingressbackend -n httpbin
    

    Your output should look similar to the following example output:

    NAME      STATUS
    httpbin   committed
    
  4. Verify you can access the httpbin service using the external IP address of the ingress service and the following curl command.

    curl -sI http://<external-ip>/get
    
  5. Confirm you receive a response with status 200.
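The walkthrough above applies an Ingress and an IngressBackend and then checks for a 200. The following added example (it is not code from the OSM or AKS documentation) lints such a pair offline for the constraints the walkthrough states: AGIC with the OSM add-on serves HTTP backends only, every backend the Ingress routes to needs an IngressBackend entry with protocol http in the same namespace, and the IngressBackend source IPRange is the allow-list for who may reach the mesh from outside, so it should be as narrow as the Application Gateway subnet allows. The manifests are constructed Python copies of the YAML above (service port and targetPort are both 14001 for the httpbin sample), and the Application Gateway subnet 10.0.128.0/24 used to narrow the source range is an assumed value.

```python
"""Lint an Ingress/IngressBackend pair for an OSM mesh fronted by AGIC.

Added example, not part of the OSM or AKS documentation. Manifests are
constructed to match the walkthrough; 10.0.128.0/24 is an assumed
Application Gateway subnet.
"""
import copy
import ipaddress

# Constructed manifests, equivalent to the YAML applied in the walkthrough.
INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "httpbin",
        "namespace": "httpbin",
        "annotations": {"kubernetes.io/ingress.class": "azure/application-gateway"},
    },
    "spec": {"rules": [{"http": {"paths": [
        {"path": "/", "pathType": "Prefix",
         "backend": {"service": {"name": "httpbin", "port": {"number": 14001}}}},
    ]}}]},
}
INGRESS_BACKEND = {
    "apiVersion": "policy.openservicemesh.io/v1alpha1",
    "kind": "IngressBackend",
    "metadata": {"name": "httpbin", "namespace": "httpbin"},
    "spec": {
        "backends": [{"name": "httpbin", "port": {"number": 14001, "protocol": "http"}}],
        "sources": [{"kind": "IPRange", "name": "10.0.0.0/8"}],
    },
}


def ingress_backends(ingress):
    """Return the set of (service, port) pairs the Ingress routes to."""
    pairs = set()
    for rule in ingress["spec"].get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            svc = path["backend"]["service"]
            pairs.add((svc["name"], svc["port"]["number"]))
    return pairs


def lint_pair(ingress, backend, narrow_prefix=16):
    """Return a list of 'error: ...' / 'warning: ...' findings for the pair."""
    findings = []
    ing_ns = ingress["metadata"].get("namespace")
    be_ns = backend["metadata"].get("namespace")
    if ing_ns != be_ns:
        findings.append(f"error: Ingress is in namespace {ing_ns!r} but IngressBackend is in "
                        f"{be_ns!r}; the IngressBackend must live in the backend service's namespace")
    ann = ingress["metadata"].get("annotations", {})
    if (ann.get("kubernetes.io/ingress.class") != "azure/application-gateway"
            and not ingress["spec"].get("ingressClassName")):
        findings.append("warning: no ingress class selects AGIC; add the "
                        "kubernetes.io/ingress.class: azure/application-gateway annotation")
    # AGIC with the OSM add-on serves HTTP only, so a TLS section will not do what it says.
    if ingress["spec"].get("tls"):
        findings.append("error: Ingress declares spec.tls; AGIC with the OSM add-on supports "
                        "HTTP backends only")
    # Every (service, port) the Ingress routes to must be allowed by the IngressBackend as http.
    allowed = {(b["name"], b["port"]["number"]): b["port"].get("protocol")
               for b in backend["spec"].get("backends", [])}
    for name, port in sorted(ingress_backends(ingress)):
        proto = allowed.get((name, port))
        if proto is None:
            findings.append(f"error: no IngressBackend entry for {name}:{port}; the sidecar "
                            "will not accept ingress traffic for it")
        elif proto != "http":
            findings.append(f"error: {name}:{port} is declared {proto}; AGIC ingress into OSM "
                            "must use protocol http")
    # The source IPRange is the external allow-list; flag ranges wider than /narrow_prefix.
    for src in backend["spec"].get("sources", []):
        if src.get("kind") == "IPRange":
            net = ipaddress.ip_network(src["name"], strict=False)
            if net.prefixlen < narrow_prefix:
                findings.append(f"warning: source IPRange {net} admits {net.num_addresses} "
                                "addresses; narrow it to the Application Gateway subnet")
    return findings


def narrow_sources(backend, cidr):
    """Return a copy of the IngressBackend whose only IPRange source is cidr."""
    hardened = copy.deepcopy(backend)
    hardened["spec"]["sources"] = [{"kind": "IPRange", "name": cidr}]
    return hardened


if __name__ == "__main__":
    print("as written:", lint_pair(INGRESS, INGRESS_BACKEND))
    # Assumed Application Gateway subnet; substitute the real one for your VNet.
    print("narrowed:", lint_pair(INGRESS, narrow_sources(INGRESS_BACKEND, "10.0.128.0/24")))
```

Run as written, the linter warns once about the 10.0.0.0/8 source range and is silent once the range is narrowed; replacing the backend port or adding a `tls` section to the Ingress produces the corresponding errors before anything is applied to the cluster.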

Metrics observability

Metrics observability allows you to view the metrics of your mesh and the deployments in your mesh. With OSM, you can use Prometheus and Grafana for metrics observability, but those integrations aren't covered by the AKS support policy.

You can also integrate OSM with Azure Monitor.

Before you can enable metrics on your mesh to integrate with Azure Monitor, make sure you have the following prerequisites:

  • Enable Azure Monitor on your cluster.
  • Enable the OSM add-on for your AKS cluster.
  • Onboard your application namespaces to the mesh.

After you meet the prerequisites, enable and collect the metrics as follows:

  1. Enable metrics for a namespace in the mesh using the osm metrics enable command.

    osm metrics enable --namespace myappnamespace
    
  2. Create a ConfigMap in the kube-system namespace that enables Azure Monitor to monitor your namespaces. For example, create a monitor-configmap.yaml with the following contents to monitor the myappnamespace:

    kind: ConfigMap
    apiVersion: v1
    data:
      schema-version: v1
      config-version: ver1
      osm-metric-collection-configuration: |-
        # OSM metric collection settings
        [osm_metric_collection_configuration]
          [osm_metric_collection_configuration.settings]
              # Namespaces to monitor
              monitor_namespaces = ["myappnamespace"]
    metadata:
      name: container-azm-ms-osmconfig
      namespace: kube-system
    
  3. Apply the ConfigMap using the kubectl apply command.

    kubectl apply -f monitor-configmap.yaml
    
  4. Navigate to the Azure portal and select your AKS cluster.

  5. Under Monitoring, select Logs.

  6. Query the InsightsMetrics table to view metrics in the enabled namespaces. For example, the following query shows the Envoy metrics for the default namespace:

    InsightsMetrics
    | where Name contains "envoy"
    | extend t=parse_json(Tags)
    | where t.namespace == "default"
    

Automation and developer tools

OSM can integrate with certain automation projects and developer tooling to help operators and developers build and release applications. For example, OSM integrates with Flagger for progressive delivery and Dapr for building applications. The OSM integrations with Flagger and Dapr aren't covered by the AKS support policy.

External authorization

External authorization allows you to offload authorization of HTTP requests to an external service. OSM can use external authorization by integrating with Open Policy Agent (OPA), but that integration isn't covered by the AKS support policy.

Certificate management

OSM uses several types of certificates to operate on your AKS cluster. OSM includes its own certificate manager, Tresor, which is used by default. Alternatively, OSM allows you to integrate with HashiCorp Vault and cert-manager, but those integrations aren't covered by the AKS support policy.

Next steps

This article covered the Open Service Mesh (OSM) add-on integrations with features provided by Azure and some open source projects. To learn more about OSM, see About OSM in AKS.