ServiceMesh Network Governance Plugin Description

ServiceMesh Network Governance Plugin

After version 5.1.5, Rainbond provides two plugins by default: the integrated network governance plugin (which handles both inbound and outbound traffic) and the outbound network governance plugin. The network governance plugin runs in the same network namespace as the business container. It can listen on an allocated port, intercept inbound business traffic, apply rate limiting, circuit breaking and other processing, and then forward the traffic to the port the business service actually listens on. It can also work in the outbound direction: when the business service needs to access an upstream service, it sends the request to the port that the local outbound governance plugin listens on, where traffic routing, circuit breaking, security verification and so on are performed before the traffic is forwarded to the upstream host.

For plugin developers, the following two points need attention:

  • The inbound governance plugin must forward traffic according to the port forwarding rules assigned by the system. For example, the UI service itself listens on port 8080, which cannot be changed, but the access port used when reaching the UI service from the edge gateway can be changed, so the Rainbond application runtime dynamically generates listening port pairs for inbound network governance plugins, such as the following configuration:

    "base_ports":[
        {
            "service_alias":"gre484d9",
            "service_id":"9703228e9b42cde3e3a72f4826e484d9",
            "port":8080,
            "listen_port":65301,
            "protocol":"http",
            "options":{
                "LIMIT_DOMAIN":"limit.common",
                "OPEN_LIMIT":"NO"
            }
        }
    ]

    The DISCOVER_URL variable is injected automatically when the plugin runs, and the configuration above can be fetched dynamically from the address held in that variable. Following the configuration above, the inbound network governance plugin must listen on port 65301 and forward traffic to 127.0.0.1:8080.

  • The outbound governance plugin does not have the port-mapping problem. It creates a local listener and forwards traffic to the remote address according to dynamic configuration information like the following:

    "base_services":[
        {
            "service_alias":"gre484d9",
            "service_id":"9703228e9b42cde3e3a72f4826e484d9",
            "depend_service_alias":"grcff92d",
            "":"c81923991ff24280820a5d9d4",
            "protocol":"http",
            "options":{
                "BaseEjectionTimeMS":"30000",
                "ConsecutiveErrors":"5",
                "Domains":"todos",
                "Headers":"",
                "IntervalMS":"10",
                "MaxActiveRetries":"5",
                "MaxConnections":"10",
                "MaxEjectionPercent":"20",
                "MaxPendingRequests":"1024",
                "MaxRequests":"1024",
                "MaxRequestsPerConnection":"",
                "PROXY":"YES",
                "Prefix":"/",
                "Weight":"80"
            }
        }
    ]

Making a custom plugin work with the native configuration discovery and service discovery above requires additional data adaptation work at the plugin level. Rainbond also provides a dynamic configuration discovery service based on the Envoy xDS (gRPC) specification; the address of the xDS service is obtained from the XDS_HOST_IP and XDS_HOST_PORT variables in the plugin.
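As an added example (not Rainbond's own code) of how a custom plugin could consume the discovery document described above for both the inbound port pairs and the outbound base_services: the sample document is constructed inline from the two snippets rather than fetched from DISCOVER_URL, and the loopback-collision and 0..100 range checks are assumptions about what a plugin should validate, not Rainbond's rules.

```python
import json

# Constructed sample of the discovery document a plugin would fetch from
# DISCOVER_URL; values mirror the two snippets above and are not live data.
DISCOVER_DOC = json.dumps({
    "base_ports": [{
        "service_alias": "gre484d9", "service_id": "9703228e9b42cde3e3a72f4826e484d9",
        "port": 8080, "listen_port": 65301, "protocol": "http",
        "options": {"LIMIT_DOMAIN": "limit.common", "OPEN_LIMIT": "NO"},
    }],
    "base_services": [{
        "service_alias": "gre484d9", "depend_service_alias": "grcff92d",
        "protocol": "http",
        "options": {"Domains": "todos", "Prefix": "/", "Weight": "80",
                    "MaxEjectionPercent": "20", "ConsecutiveErrors": "5",
                    "BaseEjectionTimeMS": "30000", "IntervalMS": "10",
                    "MaxRequestsPerConnection": ""},
    }],
})

# Options documented as numeric; they arrive as strings and must be coerced.
INT_OPTIONS = ("MaxConnections", "MaxRequests", "MaxPendingRequests",
               "MaxActiveRetries", "MaxRequestsPerConnection", "ConsecutiveErrors",
               "BaseEjectionTimeMS", "IntervalMS", "MaxEjectionPercent", "Weight")

def inbound_listeners(doc):
    """Map each assigned listen_port to the loopback target the business container
    really listens on. Assumed check: listen_port == port would collide in the
    shared network namespace, so such a pair is rejected."""
    out = {}
    for p in json.loads(doc).get("base_ports", []):
        if not 1 <= p["listen_port"] <= 65535 or p["listen_port"] == p["port"]:
            raise ValueError(f"bad listen_port {p['listen_port']} for {p['service_alias']}")
        out[p["listen_port"]] = ("127.0.0.1", p["port"], p["protocol"])
    return out

def outbound_routes(doc):
    """Parse base_services into (upstream alias, domain, prefix, weight, numeric
    options), coercing string options and rejecting out-of-range values (assumed ranges)."""
    routes = []
    for s in json.loads(doc).get("base_services", []):
        opts = s.get("options", {})
        nums = {k: int(v) for k, v in opts.items() if k in INT_OPTIONS and v != ""}
        if not 0 <= nums.get("MaxEjectionPercent", 0) <= 100:
            raise ValueError("MaxEjectionPercent must be 0..100")
        if not 0 <= nums.get("Weight", 100) <= 100:
            raise ValueError("Weight must be 0..100")
        routes.append((s["depend_service_alias"], opts.get("Domains", ""),
                       opts.get("Prefix", "/"), nums.get("Weight", 100), nums))
    return routes
```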

For users, network governance at the plugin layer is completely transparent to the business layer, and all distributed services with dependencies behave as if they were running on the same host.

Plugin Practice

Integrated Network Governance Plugin

The integrated network governance plugin provided by default is based on envoy 1.9.0. It implements both inbound and outbound governance and provides the following configuration parameters:

Inbound direction

Global rate limiting:

  • OPEN_LIMIT enables global rate limiting. It depends on a third-party rate-limit service such as ratelimit: the current service must depend on the ratelimit service, and the RATE_LIMIT_SERVER_HOST and RATE_LIMIT_SERVER_PORT environment variables must be set.
  • LIMIT_DOMAIN The domain key of the rate-limiting link, corresponding to the configuration of the global rate-limit service.

Circuit breaking:

  • MaxConnections The maximum number of connections. For the HTTP protocol it applies only to HTTP/1.1; for the TCP protocol it sets the maximum number of TCP connections.
  • MaxRequests The maximum number of concurrent requests, applicable to the HTTP protocol.
  • MaxPendingRequests The maximum number of pending requests, applicable to the HTTP protocol.
  • MaxActiveRetries The maximum number of retries, applicable to the HTTP protocol.
  • MaxRequestsPerConnection The maximum number of requests per connection, applicable to the HTTP protocol (HTTP/1.1 and HTTP/2).

Outbound direction

Dynamic routing (HTTP protocol):

  • Domains

    The request domain name. For HTTP upstream services, routing based on the domain name is supported, and port 80 is reused.

  • Prefix

    The prefix of the request path; different upstream services are routed based on the prefix.

  • Headers

    Request headers; different upstream services are routed based on request headers.

  • Weight

    Weight; traffic is distributed to different upstream services according to their weights.

Circuit breaking (connection oriented):

  • MaxConnections The maximum number of connections. For the HTTP protocol it applies only to HTTP/1.1; for the TCP protocol it sets the maximum number of TCP connections.
  • MaxRequests The maximum number of concurrent requests, applicable to the HTTP protocol.
  • MaxPendingRequests The maximum number of pending requests, applicable to the HTTP protocol.
  • MaxActiveRetries The maximum number of retries, applicable to the HTTP protocol.
  • MaxRequestsPerConnection The maximum number of requests per connection, applicable to the HTTP protocol (HTTP/1.1 and HTTP/2).

Circuit breaking (upstream host oriented):

  • ConsecutiveErrors The number of consecutive 500 errors after which the upstream service host is ejected.
  • BaseEjectionTimeMS The base ejection time, i.e. how long a host is ejected the first time. If a host has been ejected n times, the ejection time is n*BaseEjectionTimeMS.
  • MaxEjectionPercent The maximum percentage of hosts that may be ejected. If set to 100, all hosts may be ejected.
  • IntervalMS The interval at which hosts are analyzed to decide whether they should be ejected.
  • HealthyPanicThreshold The healthy-host proportion at which panic mode is entered; the default is 50.
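An added simulation (not Rainbond's or Envoy's implementation) of how the host-oriented parameters above interact: constructed rounds of per-host status codes are processed one IntervalMS tick at a time, the n-th ejection of a host lasts n*BaseEjectionTimeMS, and the way MaxEjectionPercent is applied (refusing an ejection that would push the ejected share of the pool above the cap) is an assumption.

```python
def simulate_ejection(rounds, consecutive_errors=5, base_ejection_ms=30000,
                      max_ejection_percent=20, interval_ms=10):
    """rounds: list of {host: status code}, one entry per IntervalMS tick
    (constructed input). Returns a log of (time_ms, host, action, until_ms)."""
    hosts = sorted({h for r in rounds for h in r})
    streak = {h: 0 for h in hosts}        # consecutive 500-class errors per host
    ejections = {h: 0 for h in hosts}     # how many times each host was ejected (n)
    ejected_until = {}                    # host -> time at which it rejoins the pool
    log, now = [], 0
    for r in rounds:
        now += interval_ms
        # hosts whose ejection window has expired rejoin the pool
        for h in [h for h, t in ejected_until.items() if t <= now]:
            del ejected_until[h]
        for h, code in r.items():
            if h in ejected_until:
                continue                  # an ejected host receives no traffic
            streak[h] = streak[h] + 1 if code >= 500 else 0
            if streak[h] < consecutive_errors:
                continue
            streak[h] = 0
            # assumed reading of MaxEjectionPercent: refuse an ejection that
            # would push the ejected share of the pool above the cap
            if (len(ejected_until) + 1) * 100 > max_ejection_percent * len(hosts):
                log.append((now, h, "kept", None))
                continue
            ejections[h] += 1             # n-th ejection lasts n * BaseEjectionTimeMS
            ejected_until[h] = now + ejections[h] * base_ejection_ms
            log.append((now, h, "ejected", ejected_until[h]))
    return log
```

With five hosts and MaxEjectionPercent 20, only one host can be ejected at a time; a second failing host is kept in the pool, which is the trade-off the parameter exists to enforce.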

Outbound Network Governance Plugin

When the service does not need governance in the inbound direction, the outbound governance plugin alone can be used; its configuration parameters are the same as those of the outbound direction of the integrated governance plugin.