WSO2 API Manager is a full lifecycle API Management solution which has an API Gateway and a Microgateway. Istio is a service mesh solution which helps users to deploy and manage a collection of microservices. Service meshes in their native form have an “API Management gap” that requires to be filled. These are related to exposing services to external consumers (advanced security, discovery, governance, etc.), business insights, policy enforcement, and monetization. This explains how WSO2 API Manager plans to integrate with Istio and manage services deployed in Istio as APIs.
When users move towards a microservice architecture from monolithic app architecture, it can result in a considerable number of fine-grained microservices. Therefore, it was a challenge to manage all these microservices. As a solution, Istio was able to provide a platform to connect, manage, and secure all these microservices, while reducing the complexity of deployments. In addition, Istio includes APIs that let it integrate in to any logging platform or telemetry or policy system.
However, when users need to expose these microservices to the outside in a secured controlled manner, API Management comes into the picture. Most of the time we need to create APIs (for microservices) and share them with other developers who might be part of your organization or external organizations. Therefore, API Management within a service mesh solution is required in order to operate successfully. You can use this capability to expose one or more services from an Istio service mesh as APIs by adding API management capabilities.
While Istio provides data plane (DP) and control plane (CP) capabilities, WSO2 API Manager provides management plane capabilities to manage microservices.
The Mixer is a core Istio component which runs in the control plane of the service mesh. The Mixer plug-in model enables new rules and policies to be added to groups of services in the mesh without modifying the individual services or the nodes where they run. API management policies such as authentication (by API key validation), rate-limiting, etc. can be deployed and managed by WSO2 API Manager without doing any changes to the actual microservice or sidecar proxy.
API Management for Istio
When you need to expose this service to the outside in a managed way, the API developer can use the WSO2 API Publisher Portal to create the API by attaching necessary policies like security, rate limiting etc. The Publisher is capable of pushing all these policies in to the Envoy proxy via the Pilot and Mixer in order for them to take action with regard to policy enforcement. After publishing the API, it will appear in the WSO2 API Developer Portal. Thereafter, the app developer can discover these APIs and use them in their application along with all the capabilities provided by the developer portal such as, getting a subscription plan, adding application security etc. If you are a business user, you can use WSO2 API-M Analytics to get more business insights by looking at the API Analytics.
Route of a successful request
Let us now see how service calls work with this solution and at which point API related quality of services gets applied. As you can see in the diagram below, when a request comes from the outside, it first goes to the Istio proxy (Envoy) and then it will communicate with the Mixer in order to perform policy checks. Based on the outcome of the policy checks, the request may be routed to the service or an error should be sent back to the client. For more information, see the diagram and the detailed steps.
- The client sends the request to the service (Istio capture the request and redirects it to the Istio-proxy). This enters the Kubernetes cluster via an ingress point.
- The Istio proxy captures a wealth of signal and sends it to the Mixer as attributes.
- The Mixer adapter then calls WSO2 API Manager for various types of policy checks and verifications.
- WSO2 API Manager performs the policy checks and responds back to the Mixer.
- The Mixer communicates the outcome of the policy checks to the Istio proxy.
- When there are no policy validation failures, the request is routed to the microservice.
- The microservice executes the service logic and sends the response.
- The response is sent out to the client.
Install Istio for WSO2 API Manager
For more information, see Istio for WSO2 API Manager Quick Start guide.