docker.recipes

Istio Service Mesh Demo Stack

advanced

Service mesh with sidecar injection, traffic management, and observability.

Overview

Istiod is Istio's unified control plane that manages the entire service mesh infrastructure, handling configuration distribution, certificate management, and proxy lifecycle. This stack demonstrates core service mesh capabilities by combining Istiod with Envoy sidecars, Kiali for topology visualization, Jaeger for distributed tracing, and Prometheus/Grafana for metrics collection and monitoring. The configuration creates two sample microservices with dedicated Envoy proxy sidecars that intercept and manage all network traffic. This demonstration environment showcases how Istio implements the sidecar proxy pattern, where each service communicates through its dedicated Envoy proxy rather than directly with other services. The Envoy proxies collect telemetry data, enforce security policies, and enable advanced traffic management features like circuit breaking, load balancing, and canary deployments. Jaeger captures distributed traces across service boundaries, while Kiali provides a visual representation of service dependencies and traffic flows. Development teams adopting microservices architectures will find this stack valuable for understanding service mesh concepts before implementing Istio in Kubernetes clusters. Platform engineers can use this environment to prototype traffic management policies, test observability configurations, and demonstrate service mesh benefits to stakeholders. The stack serves as an educational tool that removes Kubernetes complexity while preserving core Istio functionality.

Key Features

  • Istiod control plane managing Envoy proxy configurations and certificate distribution
  • Sidecar proxy pattern with dedicated Envoy containers for each microservice
  • Kiali service mesh topology visualization with traffic flow indicators
  • Jaeger distributed tracing with OpenTelemetry protocol support
  • Prometheus metrics collection from Envoy proxies and Istio components
  • Grafana dashboards for service mesh observability and performance monitoring
  • Protocol sniffing for automatic traffic detection and routing
  • mTLS certificate management through Istiod's built-in certificate authority

Common Use Cases

  • 1Learning service mesh concepts before deploying Istio in production Kubernetes clusters
  • 2Prototyping traffic management policies and observability configurations
  • 3Demonstrating microservices communication patterns to development teams
  • 4Testing distributed tracing implementation across multiple service boundaries
  • 5Evaluating service mesh overhead and performance impact on application latency
  • 6Training platform engineers on Envoy proxy configuration and management
  • 7Developing custom Grafana dashboards for service mesh monitoring

Prerequisites

  • Docker Engine 20.10+ with Docker Compose v2 support
  • 8GB RAM minimum (2GB for Jaeger, 1GB each for Prometheus/Grafana, 4GB for remaining components)
  • Understanding of microservices architecture and inter-service communication
  • Basic knowledge of load balancing, proxies, and network traffic management
  • Familiarity with observability concepts including metrics, traces, and logs
  • Available ports: 3000, 8081-8082, 9090, 15010-15014, 16686, 20001

For development & testing. Review security settings, change default credentials, and test thoroughly before production use. See Terms

docker-compose.yml

docker-compose.yml
1services: 
2  # Simulated Istio control plane
3  istiod: 
4    image: istio/pilot:latest
5    ports: 
6      - "15010:15010"
7      - "15012:15012"
8      - "15014:15014"
9    environment: 
10      - PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND=true
11      - PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND=true
12    networks: 
13      - istio_net
14
15  # Sample microservice with Envoy sidecar
16  service-a: 
17    image: nginx:alpine
18    networks: 
19      - istio_net
20
21  service-a-envoy: 
22    image: envoyproxy/envoy:v1.28-latest
23    volumes: 
24      - ./envoy-service-a.yaml:/etc/envoy/envoy.yaml
25    ports: 
26      - "8081:8080"
27    depends_on: 
28      - service-a
29    networks: 
30      - istio_net
31
32  service-b: 
33    image: nginx:alpine
34    networks: 
35      - istio_net
36
37  service-b-envoy: 
38    image: envoyproxy/envoy:v1.28-latest
39    volumes: 
40      - ./envoy-service-b.yaml:/etc/envoy/envoy.yaml
41    ports: 
42      - "8082:8080"
43    depends_on: 
44      - service-b
45    networks: 
46      - istio_net
47
48  # Kiali service mesh visualization
49  kiali: 
50    image: quay.io/kiali/kiali:latest
51    ports: 
52      - "20001:20001"
53    environment: 
54      - AUTH_STRATEGY=anonymous
55    networks: 
56      - istio_net
57
58  # Distributed tracing
59  jaeger: 
60    image: jaegertracing/all-in-one:latest
61    ports: 
62      - "16686:16686"
63      - "14268:14268"
64    environment: 
65      - COLLECTOR_OTLP_ENABLED=true
66    networks: 
67      - istio_net
68
69  prometheus: 
70    image: prom/prometheus:latest
71    ports: 
72      - "9090:9090"
73    volumes: 
74      - ./prometheus.yml:/etc/prometheus/prometheus.yml
75      - prometheus_data:/prometheus
76    networks: 
77      - istio_net
78
79  grafana: 
80    image: grafana/grafana:latest
81    ports: 
82      - "3000:3000"
83    environment: 
84      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PASSWORD}
85    volumes: 
86      - grafana_data:/var/lib/grafana
87    networks: 
88      - istio_net
89
90volumes: 
91  prometheus_data: 
92  grafana_data: 
93
94networks: 
95  istio_net:

.env Template

.env
1# Istio Service Mesh Demo
2GRAFANA_PASSWORD=secure_grafana_password
3
4# Kiali at http://localhost:20001
5# Jaeger at http://localhost:16686
6# Services at http://localhost:8081, 8082

Usage Notes

  1. 1Kiali mesh visualization at http://localhost:20001
  2. 2Jaeger tracing at http://localhost:16686
  3. 3Envoy sidecars handle traffic
  4. 4Demo setup - use Kubernetes for production
  5. 5Traffic management via Envoy configs

Individual Services(9 services)

Copy individual services to mix and match with your existing compose files.

istiod
istiod:
  image: istio/pilot:latest
  ports:
    - "15010:15010"
    - "15012:15012"
    - "15014:15014"
  environment:
    - PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND=true
    - PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND=true
  networks:
    - istio_net
service-a
service-a:
  image: nginx:alpine
  networks:
    - istio_net
service-a-envoy
service-a-envoy:
  image: envoyproxy/envoy:v1.28-latest
  volumes:
    - ./envoy-service-a.yaml:/etc/envoy/envoy.yaml
  ports:
    - "8081:8080"
  depends_on:
    - service-a
  networks:
    - istio_net
service-b
service-b:
  image: nginx:alpine
  networks:
    - istio_net
service-b-envoy
service-b-envoy:
  image: envoyproxy/envoy:v1.28-latest
  volumes:
    - ./envoy-service-b.yaml:/etc/envoy/envoy.yaml
  ports:
    - "8082:8080"
  depends_on:
    - service-b
  networks:
    - istio_net
kiali
kiali:
  image: quay.io/kiali/kiali:latest
  ports:
    - "20001:20001"
  environment:
    - AUTH_STRATEGY=anonymous
  networks:
    - istio_net
jaeger
jaeger:
  image: jaegertracing/all-in-one:latest
  ports:
    - "16686:16686"
    - "14268:14268"
  environment:
    - COLLECTOR_OTLP_ENABLED=true
  networks:
    - istio_net
prometheus
prometheus:
  image: prom/prometheus:latest
  ports:
    - "9090:9090"
  volumes:
    - ./prometheus.yml:/etc/prometheus/prometheus.yml
    - prometheus_data:/prometheus
  networks:
    - istio_net
grafana
grafana:
  image: grafana/grafana:latest
  ports:
    - "3000:3000"
  environment:
    - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PASSWORD}
  volumes:
    - grafana_data:/var/lib/grafana
  networks:
    - istio_net

Quick Start

terminal
1# 1. Create the compose file
2cat > docker-compose.yml << 'EOF'
3services:
4  # Simulated Istio control plane
5  istiod:
6    image: istio/pilot:latest
7    ports:
8      - "15010:15010"
9      - "15012:15012"
10      - "15014:15014"
11    environment:
12      - PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND=true
13      - PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND=true
14    networks:
15      - istio_net
16
17  # Sample microservice with Envoy sidecar
18  service-a:
19    image: nginx:alpine
20    networks:
21      - istio_net
22
23  service-a-envoy:
24    image: envoyproxy/envoy:v1.28-latest
25    volumes:
26      - ./envoy-service-a.yaml:/etc/envoy/envoy.yaml
27    ports:
28      - "8081:8080"
29    depends_on:
30      - service-a
31    networks:
32      - istio_net
33
34  service-b:
35    image: nginx:alpine
36    networks:
37      - istio_net
38
39  service-b-envoy:
40    image: envoyproxy/envoy:v1.28-latest
41    volumes:
42      - ./envoy-service-b.yaml:/etc/envoy/envoy.yaml
43    ports:
44      - "8082:8080"
45    depends_on:
46      - service-b
47    networks:
48      - istio_net
49
50  # Kiali service mesh visualization
51  kiali:
52    image: quay.io/kiali/kiali:latest
53    ports:
54      - "20001:20001"
55    environment:
56      - AUTH_STRATEGY=anonymous
57    networks:
58      - istio_net
59
60  # Distributed tracing
61  jaeger:
62    image: jaegertracing/all-in-one:latest
63    ports:
64      - "16686:16686"
65      - "14268:14268"
66    environment:
67      - COLLECTOR_OTLP_ENABLED=true
68    networks:
69      - istio_net
70
71  prometheus:
72    image: prom/prometheus:latest
73    ports:
74      - "9090:9090"
75    volumes:
76      - ./prometheus.yml:/etc/prometheus/prometheus.yml
77      - prometheus_data:/prometheus
78    networks:
79      - istio_net
80
81  grafana:
82    image: grafana/grafana:latest
83    ports:
84      - "3000:3000"
85    environment:
86      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PASSWORD}
87    volumes:
88      - grafana_data:/var/lib/grafana
89    networks:
90      - istio_net
91
92volumes:
93  prometheus_data:
94  grafana_data:
95
96networks:
97  istio_net:
98EOF
99
100# 2. Create the .env file
101cat > .env << 'EOF'
102# Istio Service Mesh Demo
103GRAFANA_PASSWORD=secure_grafana_password
104
105# Kiali at http://localhost:20001
106# Jaeger at http://localhost:16686
107# Services at http://localhost:8081, 8082
108EOF
109
110# 3. Start the services
111docker compose up -d
112
113# 4. View logs
114docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
1curl -fsSL https://docker.recipes/api/recipes/istio-service-mesh/run | bash

Troubleshooting

  • Kiali shows empty topology: Verify Envoy proxies are properly configured and generating telemetry data to Prometheus
  • Jaeger traces not appearing: Check COLLECTOR_OTLP_ENABLED environment variable and ensure Envoy is configured to send traces to port 14268
  • Envoy proxy startup failures: Validate envoy.yaml configuration files exist in working directory with correct cluster and listener definitions
  • Istiod connection errors: Ensure pilot ports 15010-15014 are accessible and PILOT_ENABLE_PROTOCOL_SNIFFING variables are set
  • Grafana dashboard shows no data: Verify Prometheus is scraping Envoy admin endpoints and Grafana data source points to prometheus:9090
  • Service communication timeouts: Check Envoy cluster configurations match actual service names and ports in Docker network

Community Notes

Loading...
Loading notes...

Download Recipe Kit

Get all files in a ready-to-deploy package

Includes docker-compose.yml, .env template, README, and license

Components

istiodenvoykialijaegerprometheusgrafana

Tags

#istio#service-mesh#kubernetes#envoy#traffic-management

Category

DevOps & CI/CD

Related Recipes

Ad Space