A Service Mesh Is Easy To Swallow In Small Pieces Andrew Jenkins Eng Lead, Aspen Mesh @notthatjenkins
Why Should I Use A Service Mesh?
Managing Microservices Without a Service Mesh [diagram: Service A (Python, Flask), Service B (Node.js, http.createServer) and Service C (Java, Spring), one per pod. Each application bundles its own client libraries for the cross-cutting concerns: Lemur, Express, RL, Ribbon, Kingpin, Disco-java, Zoologist, OpenTracing and Jaeger clients, and three different OpenSSL builds (1.1.0d, 1.0.2l, 1.1.0f), so every language stack has to be patched, configured and audited separately]
Managing Microservices With a Service Mesh [diagram: the same three pods; each application container (Flask, http.createServer, Spring) now has a Service Mesh sidecar next to it, concretely an Envoy proxy, and the per-language routing, discovery, tracing and TLS libraries no longer appear inside the applications]
Managing Microservices With Istio [diagram: Istio Control Plane made up of Pilot (config data to Envoys), Mixer (policy, quota and telemetry), Citadel (TLS certs to Envoys), the Sidecar Injector (monitors K8s for new pods to inject Envoys) and the Aspen Mesh Agent (telemetry to Aspen Mesh SaaS); an Ingress Gateway and an Egress Gateway; an Envoy sidecar beside each application container (Flask/Python, http.createServer/Node.js, Spring/Java) of Service A, Service B and Service C]
Aspen Mesh Architecture [diagram: the user's cluster runs Istio (Pilot, Mixer, Citadel, Sidecar Injector, Ingress and Egress Gateways, Envoy sidecars on Services A, B and C) together with Jaeger, Istio-vet and the Aspen Mesh Agent; the Aspen Mesh SaaS side holds Cortex, Tardis, user management, the graph and details views and the client UI. Istio versions covered: 0.2.12 -> 1.0.4-am1]
Small Pieces Framework
Getting Started With Istio: Walk (easy, out of the box); Run (good value for most); Jetpack (extra credit)
Sidecar for All Pods?
Sidecars: Some services in the mesh; All services in the mesh; Multicluster
Sidecars [diagram: Cluster 1 with App A, App B, App C and App D, each behind a sidecar, an Ingress Gateway and Mixer adapters; the sidecars provide Load Balancing, Routing, TLS, Tracing, Metrics, Resiliency, Mutual TLS and Security Policy. Cluster 2 with App E and App F behind sidecars, joined to Cluster 1 over Global TLS]
Tracing: No correlation headers; Correlation headers; Add app-specific spans
Tracing [diagram: the productpage sidecar starts Trace 278ac3a1… with Span 1 for url /productpage; the outgoing call to /reviews/0 is Span 4bc254… in the same trace]. Headers the application must copy from each incoming request onto its outgoing requests: x-request-id, x-b3-traceid, x-b3-spanid, x-b3-parentspanid, x-b3-sampled, x-b3-flags, x-ot-span-context. https://istio.io/docs/tasks/telemetry/distributed-tracing/#understanding-what-happened
No correlation headers [diagram: Ingress Gateway -> productpage -> reviews -> ratings, plus productpage -> details, each service behind a sidecar. Because the headers are not copied, every hop starts a fresh trace (519d1a0…, a4f1347…, 278ac3a1…, 1a3c322…) and one user request shows up as four unrelated traces]
Correlation headers [diagram: the same path; with the headers copied, every hop (Span 1 /productpage, Span 2 /reviews/0, Span 3 /ratings/0, Span 4 /details/0) belongs to the single trace 278ac3a1…]
Add app-specific spans [diagram: the same single trace 278ac3a1…; one service (details in the diagram) adds its own child spans DISK_READ, CHECK_AUTH and WAIT_QUEUE (f32941…, 96e41…, a3241…) under its /details/0 span, so time spent inside the application is visible alongside the network hops]
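The header-copying rule from the tracing slides, worked through as an added example in Python (the language of Bookinfo's productpage); this is not code from the talk, from Istio or from Bookinfo. It assumes only the B3 header names listed on the slide; the inbound request, its values and the helper names are constructed for the illustration.

```python
"""Trace-context propagation for an application behind an Istio sidecar.

Added example (not Bookinfo or Istio code). The sidecar starts the trace and
stamps the inbound request, but it cannot tell which outbound calls the
application makes on behalf of that request; the application has to copy the
headers listed on the slide onto every outgoing request. Header values and
helper names here are constructed for the illustration.
"""
import secrets

# The exact set Istio asks applications to forward (istio.io distributed-tracing task).
TRACE_HEADERS = (
    "x-request-id",
    "x-b3-traceid",
    "x-b3-spanid",
    "x-b3-parentspanid",
    "x-b3-sampled",
    "x-b3-flags",
    "x-ot-span-context",
)


def propagate_headers(incoming):
    """Return only the trace-context headers to copy onto an outgoing request.

    Matching is case-insensitive (HTTP header names are), and everything else
    (Authorization, Cookie, Host, ...) is deliberately left behind: forwarding
    headers wholesale would hand the caller's credentials to every upstream.
    """
    lowered = {k.lower(): v for k, v in incoming.items()}
    return {name: lowered[name] for name in TRACE_HEADERS if name in lowered}


def child_span_headers(incoming):
    """Headers for an app-specific child span (the DISK_READ / CHECK_AUTH kind
    on the last tracing slide): same trace id, a fresh 64-bit span id, and the
    inbound span id demoted to parent. The sampling decision is inherited."""
    out = propagate_headers(incoming)
    if "x-b3-traceid" not in out or "x-b3-spanid" not in out:
        return out  # no trace in flight: nothing to nest under
    out["x-b3-parentspanid"] = out["x-b3-spanid"]
    out["x-b3-spanid"] = secrets.token_hex(8)
    return out


# Constructed inbound request, as the sidecar would hand it to productpage.
INBOUND = {
    "Host": "productpage:9080",
    "Authorization": "Bearer eyJ...constructed",
    "Cookie": "session=constructed",
    "X-Request-Id": "7c4a2b8e-constructed",
    "X-B3-TraceId": "278ac3a1c0ffee00",
    "X-B3-SpanId": "278ac3a1c0ffee00",   # root span conventionally reuses the trace id
    "X-B3-Sampled": "1",
}

if __name__ == "__main__":
    print(propagate_headers(INBOUND))   # forward as-is to reviews/details
    print(child_span_headers(INBOUND))  # wrap local work in a child span first
```

Use `propagate_headers` for plain forwarding (the middle tracing slide) and `child_span_headers` when the application wants its own span around local work (the last one); in both cases the allow-list, not the inbound request, decides what leaves the process.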
Mutual TLS: Opt-in with config; Global enable; Integrate with CA
Mutual TLS [diagram: App A and App B, each behind a sidecar; the two sidecars speak mTLS to each other with certificates issued by Citadel]
Mutual TLS [diagram: App A, App B and App C behind sidecars, App D without one; a DestinationRule for appA with TLS mode ISTIO_MUTUAL]. Use DestinationRules to opt mesh services in to mTLS one destination at a time, when all of that service's clients are mesh services. There is no "choose your front door" for the destination, which is why the opt-in only works when every client is in the mesh (App D, with no sidecar, is not).
Mutual TLS [diagram: App A, App B, App C and App D all behind sidecars]. All services in the mesh: mTLS on by default through a MeshPolicy.
Mutual TLS [diagram: Your CA issues the signing certificate to Citadel, which issues workload certificates to the sidecars of App A, B, C and D]. Bring your own signing cert, so external clients and servers are in the same trust domain as the mesh.
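The opt-in and global-enable slides depend on the server-side authentication policy and the client-side DestinationRule agreeing; when they do not, requests fail the handshake rather than falling back. The following is an added example, in Python, of checking that agreement over Istio 1.0 style resources; it is not Istio's code and not istio-vet's, and it is a simplified model (no per-port or namespace-wide policies). The resources are plain dicts as they would look after parsing the YAML, and the service and host names are constructed.

```python
"""Check that server-side mTLS policy and client-side DestinationRules agree.

Added example, not Istio or istio-vet code. Models the Istio 1.0 objects the
slides refer to: a MeshPolicy as the mesh-wide default, per-service Policy
overrides, and DestinationRules that opt clients in with ISTIO_MUTUAL.
Simplifications (assumptions of this example): no per-port settings and no
namespace-wide Policy; a dotted host is taken as already fully qualified.
"""

CLUSTER_DOMAIN = "svc.cluster.local"


def fqdn(name, namespace):
    """Normalise a short host to the FQDN Istio resolves it to."""
    return name if "." in name else f"{name}.{namespace}.{CLUSTER_DOMAIN}"


def peer_mode(spec):
    """Server-side mode from a Policy/MeshPolicy spec. No peers (or 'peers: []')
    disables mTLS for the target; 'mtls: {}' defaults to STRICT."""
    for peer in spec.get("peers") or []:
        if "mtls" in peer:
            return (peer["mtls"] or {}).get("mode", "STRICT")
    return "DISABLE"


def server_modes(resources):
    """(mesh default, host -> mode) that the receiving sidecar will enforce."""
    default, per_host = "DISABLE", {}
    for r in resources:
        if r["kind"] == "MeshPolicy":
            default = peer_mode(r["spec"])
        elif r["kind"] == "Policy":
            ns = r["metadata"]["namespace"]
            for t in r["spec"].get("targets", []):
                per_host[fqdn(t["name"], ns)] = peer_mode(r["spec"])
    return default, per_host


def client_modes(resources):
    """host -> TLS mode the calling sidecars use; no rule means plaintext."""
    modes = {}
    for r in resources:
        if r["kind"] == "DestinationRule":
            host = fqdn(r["spec"]["host"], r["metadata"]["namespace"])
            tls = r["spec"].get("trafficPolicy", {}).get("tls", {})
            modes[host] = tls.get("mode", "DISABLE")
    return modes


def vet_mtls(resources, services=()):
    """Return (host, problem) pairs where the handshake would fail.
    `services` lists (name, namespace) of the mesh's services so that a
    mesh-wide STRICT default also flags services with no DestinationRule."""
    default, per_host = server_modes(resources)
    clients = client_modes(resources)
    hosts = set(per_host) | set(clients) | {fqdn(n, ns) for n, ns in services}
    findings = []
    for host in sorted(hosts):
        server = per_host.get(host, default)
        client = clients.get(host, "DISABLE")
        if server == "STRICT" and client != "ISTIO_MUTUAL":
            findings.append((host, f"server requires mTLS but clients send {client}"))
        elif server == "DISABLE" and client == "ISTIO_MUTUAL":
            findings.append((host, "clients send mTLS but server accepts plaintext only"))
        # PERMISSIVE accepts both, so either client mode works.
    return findings


# Constructed resources: mesh-wide STRICT, appc explicitly opted out of mTLS,
# appb with no DestinationRule, appc with an ISTIO_MUTUAL rule it cannot serve.
RESOURCES = [
    {"kind": "MeshPolicy", "metadata": {"name": "default"},
     "spec": {"peers": [{"mtls": {}}]}},
    {"kind": "Policy", "metadata": {"name": "appc", "namespace": "default"},
     "spec": {"targets": [{"name": "appc"}], "peers": []}},
    {"kind": "DestinationRule", "metadata": {"name": "appa", "namespace": "default"},
     "spec": {"host": "appa", "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
    {"kind": "DestinationRule", "metadata": {"name": "appc", "namespace": "default"},
     "spec": {"host": "appc.default.svc.cluster.local",
              "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
]
SERVICES = [("appa", "default"), ("appb", "default"), ("appc", "default")]

if __name__ == "__main__":
    for host, problem in vet_mtls(RESOURCES, SERVICES):
        print(f"{host}: {problem}")
```

In the constructed set, appa is consistent, appb would break the moment the MeshPolicy lands (strict server, plaintext clients), and appc breaks the other way round. Running a check like this before each of the three mTLS steps on the slides is what turns "global enable" from a flag day into a controlled change.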
Resiliency: Timeouts & outlier detection; Fault injection; Retries
Timeouts & Outlier Detection. Timeouts: accelerate error notification; reduce hopeless-work-lingering. Outlier detection: eject overloaded/failed outliers; reduce hopeless-work-generation.
Fault Injection: exercise what happens if a particular microservice is slow or returns errors sporadically, to test resilience. Use policies and selectors to expose the faults only to particular workloads (test, beta).
Retries: valid only for requests that are IDEMPOTENT; add jitter; retry against a new upstream.
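The four resiliency slides describe mechanisms the calling side's sidecar applies together, and their interaction is easiest to see in a small simulation. The following is an added example in Python, not Envoy or Istio code: a per-try timeout turns a slow host into a fast error, outlier detection ejects a host after consecutive 5xx, a retry goes to a different host after a jittered backoff and only for idempotent methods, and fault injection is scoped by a selector so only chosen callers see it. The host names, latencies, statuses, the `x-canary` header and the policy numbers are all made up for the example; parameter names echo Istio's (attempts, perTryTimeout, consecutiveErrors, baseEjectionTime) but nothing here reads real Istio config.

```python
"""Timeouts, outlier ejection, fault injection and retries on the client side.

Added example, not Envoy or Istio code. Simulates the resiliency slides against
a constructed pool of upstreams with a logical clock; everything below is made
up for the illustration.
"""
import random

IDEMPOTENT = {"GET", "HEAD", "OPTIONS", "PUT", "DELETE"}   # safe to replay


class OutlierDetector:
    """Eject a host after `consecutive_errors` 5xx in a row, for
    base_ejection_time multiplied by how often it has been ejected."""

    def __init__(self, consecutive_errors=5, base_ejection_time=30.0):
        self.n, self.base = consecutive_errors, base_ejection_time
        self.errors, self.ejections, self.ejected_until = {}, {}, {}

    def healthy(self, host, now):
        return self.ejected_until.get(host, 0.0) <= now

    def record(self, host, status, now):
        if status < 500:
            self.errors[host] = 0
            return
        self.errors[host] = self.errors.get(host, 0) + 1
        if self.errors[host] >= self.n:
            self.ejections[host] = self.ejections.get(host, 0) + 1
            self.ejected_until[host] = now + self.base * self.ejections[host]
            self.errors[host] = 0


class Client:
    """Stand-in for the caller's sidecar. `hosts` maps a host name to a
    callable(method, path, headers) -> (status, latency_seconds)."""

    def __init__(self, hosts, attempts=3, per_try_timeout=2.0, rng=None):
        self.hosts, self.attempts, self.per_try_timeout = hosts, attempts, per_try_timeout
        self.detector, self.rng = OutlierDetector(), rng or random.Random()
        self.now = 0.0      # logical clock in seconds
        self.log = []       # (host, status) per try, for inspection

    def _try(self, host, method, path, headers):
        status, latency = self.hosts[host](method, path, headers)
        if latency > self.per_try_timeout:       # stop waiting on hopeless work
            status, latency = 504, self.per_try_timeout
        self.now += latency
        self.detector.record(host, status, self.now)
        self.log.append((host, status))
        return status

    def request(self, method, path, headers=None):
        headers, tried, status = headers or {}, [], 503
        attempts = self.attempts if method in IDEMPOTENT else 1   # never replay a non-idempotent call
        for i in range(attempts):
            candidates = [h for h in self.hosts
                          if h not in tried and self.detector.healthy(h, self.now)]
            if not candidates:
                break                                 # every host tried or ejected
            host = candidates[0]                      # a new upstream on every retry
            tried.append(host)
            status = self._try(host, method, path, headers)
            if status < 500:
                return status
            self.now += self.rng.uniform(0, 0.025 * 2 ** i)   # backoff with full jitter
        return status


def inject_fault(upstream, status=503, selector=lambda h: h.get("x-canary") == "beta"):
    """Abort with `status` only for requests the selector picks (a constructed
    header here), so beta/test traffic sees the fault and production does not."""
    def wrapped(method, path, headers):
        return (status, 0.0) if selector(headers) else upstream(method, path, headers)
    return wrapped


# Constructed upstreams: one too slow, one returning errors, one healthy.
def slow_upstream(method, path, headers):
    return 200, 5.0

def failing_upstream(method, path, headers):
    return 503, 0.01

def healthy_upstream(method, path, headers):
    return 200, 0.01


def demo_client():
    """A client over the three constructed upstreams with a fixed RNG seed."""
    return Client({"reviews-v1": slow_upstream, "reviews-v2": failing_upstream,
                   "reviews-v3": healthy_upstream}, rng=random.Random(1))


if __name__ == "__main__":
    c = demo_client()
    print(c.request("GET", "/reviews/0"), c.log)    # recovers on the third host
    c = demo_client()
    print(c.request("POST", "/reviews/0"), c.log)   # one try only; error surfaced
```

A GET walks slow -> failing -> healthy and succeeds within the retry budget; a POST gets one try and surfaces the 504, because replaying it could double a write. After five such GETs both bad hosts are ejected and later requests go straight to the healthy one, which is the "reduce hopeless-work-generation" effect from the outlier-detection slide.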
Summary. Sidecars: some services in the mesh; all services in the mesh; multicluster. Tracing: no correlation headers; correlation headers; add app-specific spans. Mutual TLS: opt-in with config; global enable; integrate with CA. Resilience: timeouts & outlier detection; fault injection; retries.
Thank You Walk by Bakunetsu Kaito Run by Vaibhav Radhakrishnan, Noun Project
Rate today's session on the session page at oreillysacon.com/ny or in the O'Reilly Events App.