A Service Mesh Is Easy To Swallow In Small Pieces - Andrew Jenkins (PowerPoint presentation)



SLIDE 1

A Service Mesh Is Easy To Swallow In Small Pieces

Andrew Jenkins Eng Lead, Aspen Mesh @notthatjenkins

SLIDE 2

Why Should I Use A Service Mesh?

SLIDE 3

Managing Microservices Without a Service Mesh

[Diagram: three services, each in its own pod, each bundling its own libraries]

  • Service A (Python): Flask, OpenTracing Flask, Kingpin, Lemur, Open SSL 110d
  • Service B (Node.js): http.createServer, Jaeger, Zoologist, Express RL, Open SSL 102l
  • Service C (Java): Spring, OpenTracing Spring, Disco-java, Ribbon, Open SSL 110f

SLIDE 4

Managing Microservices With a Service Mesh

[Diagram: three services, each in its own pod, each paired with a Service Mesh component]

  • Service A (Python): Flask, Service Mesh
  • Service B (Node.js): http.createServer, Service Mesh
  • Service C (Java): Spring, Service Mesh

SLIDE 5

Managing Microservices With a Service Mesh

[Diagram: three services, each in its own pod, each paired with an Envoy]

  • Service A (Python): Flask, Envoy
  • Service B (Node.js): http.createServer, Envoy
  • Service C (Java): Spring, Envoy

SLIDE 6

Managing Microservices With Istio

Istio Control Plane

  • Pilot: Config data to Envoys
  • Citadel: TLS certs to Envoys
  • Sidecar Injector: Monitors K8s for new pods to inject Envoys
  • Mixer: Policy, quota & telemetry

Aspen Mesh Agent: Telemetry to Aspen Mesh SaaS

[Diagram: Ingress Gateway, Egress Gateway, and three services, each a container with an Envoy]

  • SERVICE A: Container (Flask, Python), Envoy
  • SERVICE B: Container (http.createserver, Node.js), Envoy
  • SERVICE C: Container (Spring, Java), Envoy

SLIDE 7

Aspen Mesh Architecture

[Diagram; labels as extracted]

  • Mixer, Sidecar Inj, Pilot, Citadel, Agent, Ingress, Egress
  • Envoy with SERVICE A (Flask, Python), Envoy with SERVICE B (http.createserver, Node.js), Envoy with SERVICE C (Spring, Java)
  • Ingress, Cortex, Istio-vet, User mgt, Graph, Details, Tardis, Jaeger
  • Mixer, Sidecar Inj, Pilot, Citadel
  • User’s Cluster
  • Client-ui
  • Istio 0.2.12 -> 1.0.4-am1

SLIDE 8

Small Pieces Framework

SLIDE 9

Getting Started With Istio

  • Walk: Easy / Out-of-the-box
  • Run: Good value for most
  • Jetpack: Extra credit

SLIDE 10

Sidecar for All Pods?

SLIDE 11

Sidecars

  • Some services in the mesh
  • All services in the mesh
  • Multicluster

SLIDE 12

[Diagram labels: Ingress Gateway, App A Sidecar, App B, App F Sidecar, App C Sidecar, App D Sidecar, App E Sidecar, Cluster 1, Cluster 2, Global TLS]

  • Mutual TLS, Mixer Adapters, Security Policy
  • Load Balancing, Routing, TLS, Tracing, Metrics, Resiliency

SLIDE 13

Tracing

  • No correlation headers
  • Correlation headers
  • Add app-specific spans

SLIDE 14

[Diagram: productpage and its Sidecar]

  • Trace: 278ac3a1… Span: 1 url: /productpage
  • Trace: 278ac3a1… Span: 4bc254… url: /reviews/0

Headers to copy:

  • x-request-id
  • x-b3-traceid
  • x-b3-spanid
  • x-b3-parentspanid
  • x-b3-sampled
  • x-b3-flags
  • x-ot-span-context

https://istio.io/docs/tasks/telemetry/distributed-tracing/#understanding-what-happened
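The sidecars can only join spans into one trace if the application copies the headers listed on slide 14 from each inbound request onto the outbound calls it makes; slide 15 shows the result when it does not, a different trace ID at each hop. The following is an added example, not part of the presentation: it implements the copy step as an allowlist, and the `sidecar` function is a toy stand-in (an assumption, not Envoy's logic); all function names are hypothetical.

```python
import secrets

# Header names exactly as listed on the slide ("Headers to copy").
TRACE_HEADERS = (
    "x-request-id", "x-b3-traceid", "x-b3-spanid", "x-b3-parentspanid",
    "x-b3-sampled", "x-b3-flags", "x-ot-span-context",
)

def propagation_headers(inbound):
    """Return only the tracing headers found on an inbound request.

    Header names are matched case-insensitively. Copying by allowlist means
    cookies or credentials on the inbound request are never relayed downstream.
    """
    lowered = {k.lower(): v for k, v in inbound.items()}
    return {h: lowered[h] for h in TRACE_HEADERS if h in lowered}

def sidecar(headers):
    """Toy sidecar (assumption): start a trace if none arrives, else continue it."""
    out = dict(headers)
    parent = out.get("x-b3-spanid")
    out.setdefault("x-b3-traceid", secrets.token_hex(8))
    if parent:
        out["x-b3-parentspanid"] = parent
    out["x-b3-spanid"] = secrets.token_hex(8)
    return out

def call_chain(urls, propagate):
    """Pass one request through a chain of services; return (url, trace id) per hop."""
    hops, inbound = [], {}
    for url in urls:
        inbound = sidecar(inbound)  # the sidecar in front of this service
        hops.append((url, inbound["x-b3-traceid"]))
        # The application decides what goes on its outbound request.
        inbound = propagation_headers(inbound) if propagate else {}
    return hops

def distinct_traces(hops):
    """Number of different trace IDs seen across the hops."""
    return len({trace for _, trace in hops})

if __name__ == "__main__":
    urls = ["/productpage", "/reviews/0", "/ratings/0"]  # paths from the slides
    for mode in (False, True):
        hops = call_chain(urls, propagate=mode)
        print("propagate =", mode, "->", distinct_traces(hops), "trace(s)")
```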

SLIDE 15

[Diagram: Ingress Gateway, productpage Sidecar, reviews Sidecar, ratings Sidecar, details Sidecar]

  • Trace: 278ac3a1… Span: 278ac3a1… url: /productpage
  • Trace: 278ac3a1… Span: 1 url: /productpage
  • Trace: 519d1a0… Span: 4bc254… url: /reviews/0
  • Trace: 519d1a0… Span: 2 url: /reviews/0
  • Trace: 1a3c322… Span: 8ae6a… url: /details/0
  • Trace: a4f1347… Span: 1834e0f… url: /ratings/0
  • Trace: a4f1347… Span: 3 url: /ratings/0
  • Trace: 1a3c322… Span: 4 url: /details/0

SLIDE 16

[Diagram: Ingress Gateway, productpage Sidecar, reviews Sidecar, ratings Sidecar, details Sidecar]

  • Trace: 278ac3a1… Span: 278ac3a1… url: /productpage
  • Trace: 278ac3a1… Span: 1 url: /productpage
  • Trace: 278ac3a1… Span: 4bc254… url: /reviews/0
  • Trace: 278ac3a1… Span: 2 url: /reviews/0
  • Trace: 278ac3a1… Span: 8ae6a… url: /details/0
  • Trace: 278ac3a1… Span: 1834e0f… url: /ratings/0
  • Trace: 278ac3a1… Span: 3 url: /ratings/0
  • Trace: 278ac3a1… Span: 4 url: /details/0

SLIDE 17

[Diagram: Ingress Gateway, productpage Sidecar, reviews Sidecar, ratings Sidecar, details Sidecar]

  • Trace: 278ac3a1… Span: 278ac3a1… url: /productpage
  • Trace: 278ac3a1… Span: 1 url: /productpage
  • Trace: 278ac3a1… Span: 4bc254… url: /reviews/0
  • Trace: 278ac3a1… Span: 2 url: /reviews/0
  • Trace: 278ac3a1… Span: 8ae6a… url: /details/0
  • Trace: 278ac3a1… Span: 1834e0f… url: /ratings/0
  • Trace: 278ac3a1… Span: 3 url: /ratings/0
  • Trace: 278ac3a1… Span: 4 url: /details/0
  • Trace: 278ac3a1… Span: f32941… CHECK_AUTH
  • Trace: 278ac3a1… Span: a3241… WAIT_QUEUE
  • Trace: 278ac3a1… Span: 96e41… DISK_READ

SLIDE 18

Mutual TLS

  • Opt-in with config
  • Global Enable
  • Integrate with CA

SLIDE 19

Mutual TLS

[Diagram: App A Sidecar, App B Sidecar, Citadel]

SLIDE 20

Mutual TLS

[Diagram: App A Sidecar, App B Sidecar, App C Sidecar, App D]

  • DestinationRule appA: ISTIO_MUTUAL …
  • Use DestinationRules to opt-in mesh services to mTLS – when all clients are mesh services.
  • No “choose your front door”

SLIDE 21

Mutual TLS

[Diagram: App A Sidecar, App B Sidecar, App C Sidecar, App D Sidecar]

  • MeshPolicy …
  • All services in the mesh – mTLS on by default

SLIDE 22

Mutual TLS

[Diagram: App A Sidecar, App B Sidecar, App C Sidecar, App D Sidecar, Citadel, Your CA]

  • Bring your own signing cert
  • External clients and servers in same trust domain

SLIDE 23

Resiliency

  • Timeouts & Outlier Detection
  • Fault injection
  • Retries

SLIDE 24

Timeouts & Outlier Detection

Timeouts

  • Accelerate error notification
  • Reduce hopeless-work-lingering

Outlier detection

  • Eject overloaded/failed outliers
  • Reduce hopeless-work-generation

SLIDE 25

Fault Injection

  • Exercise what happens if a particular microservice is slow or returns errors sporadically to test resilience
  • Policies and selectors to only expose faults to particular workloads (test, beta)

SLIDE 26

Retries

  • Valid for requests that are IDEMPOTENT
  • Jitter
  • New upstream

SLIDE 27

  • Sidecars: Some services, All services, Multicluster
  • Tracing: No correlation headers, Correlation headers, Add app-specific spans
  • Mutual TLS: Opt-in with config, Global Enable, Integrate with CA
  • Resilience: Timeouts & Outlier Detection, Fault injection, Retries

SLIDE 28

Thank You

Walk by Bakunetsu Kaito; Run by Vaibhav Radhakrishnan, Noun Project

SLIDE 29

Rate today’s session

  • Session page on oreillysacon.com/ny
  • O’Reilly Events App