Lee Calcote

April 2019

calcotestudios.com/talks

Lee Calcote

linkedin.com/in/leecalcote

@lcalcote

gingergeek.com

lee@calcotestudios.com

clouds, containers, functions, applications, and their management

calcotestudios.com/talks

github.com/leecalcote

at

gingergeek.com

Microservices

The more, the merrier?

BookInfo Sample App

Reviews v1

Reviews Pod

Reviews v2

Reviews v3

Product Pod

Details Container

Details Pod

Ratings Container

Ratings Pod

Product Container

Reviews Service

Benefits

First few services are relatively easy

Democratization of language and technology choice

Faster delivery, service teams running independently, rolling updates

@lcalcote

Challenges

Next 10 or so may introduce pain

Language and framework-specific libraries

Distributed environments, ephemeral infrastructure, out-moded tooling

Why use a Service Mesh?

to avoid...

• Bloated service code

• Duplicating work to make services production-ready

  • Load balancing, auto scaling, rate limiting, traffic routing...

• Inconsistency across services

  • Retry, tls, failover, deadlines, cancellation, etc., for each language, framework

  • Siloed implementations lead to fragmented, non-uniform policy application and difficult debugging

• Diffusing responsibility of service management

@lcalcote

Which is why...

 I have a container orchestrator.

@lcalcote

Core

Capabilities

• Cluster Management

  • Host Discovery

  • Host Health Monitoring

• Scheduling

• Orchestrator Updates and Host Maintenance

• Service Discovery

• Networking and Load Balancing

• Stateful Services

• Multi-Tenant, Multi-Region

Additional

Key Capabilities

• Application Health and Performance Monitoring

• Application Deployments

• Application Secrets

@lcalcote

minimal capabilities required to qualify as a container orchestrator

Service meshes generally rely on these underlying layers.

Which is why...

 I have an API gateway.

@lcalcote

• Ambassador uses Envoy

• Kong uses Nginx

• OpenResty uses Nginx

• Traefik

What do we need?

• Observability

• Logging
• Metrics
• Tracing

• Traffic Control

• Resiliency

• Efficiency
• Security

• Policy

@lcalcote

What is a Service Mesh?

a dedicated layer for managing service-to-service communication

@lcalcote

Missing: application lifecycle management, but not by much

Missing: distributed debugging; provide nascent visibility (topology)

BookInfo Sample App on Service Mesh

Reviews v1

Reviews Pod

@lcalcote

Reviews v2

Reviews v3

Product Pod

Details Container

Details Pod

Ratings Container

Ratings Pod

Product Container

Envoy sidecar

Envoy sidecar

Envoy sidecar

Envoy sidecar

Envoy sidecar

Reviews Service

Enovy sidecar

@lcalcote

DEV

OPS

Layer 5

where Dev and Ops meet

Problem: too much infrastructure code in services

@lcalcote

layer5.io/landscape

What is Istio?

@lcalcote

• Observability

• Resiliency

• Traffic Control

• Security

• Policy Enforcement

istio.io

github.com/istio

@IstioMesh

Observability

what gets people hooked on service metrics

@lcalcote

Goals

• Metrics without instrumenting apps

• Consistent metrics across fleet

• Trace flow of requests across services

• Portable across metric back-end providers

You get a metric!  You get a metric!  Everyone gets a metric!

© 2018 SolarWinds Worldwide, LLC. All rights reserved.

Traffic Control

control over chaos

@lcalcote

• Traffic splitting
  • L7 tag based routing?
• Traffic steering
  • Look at the contents of a request and route it to a specific set of instances.
• Ingress and egress routing

Resilency

• Systematic fault injection

• Timeouts and Retries with timeout budget

• Circuit breakers and Health checks

• Control connection pool size and request load

content-based traffic steering

Istio Architecture

Istio Architecture

@lcalcote

• Touches every packet/request in the system.
• Responsible for service discovery, health checking, routing, load balancing, authentication, authorization, and observability.

• Provides policy and configuration for services in the mesh.
• Takes a set of isolated stateless sidecar proxies and turns them into a service mesh.
• Does not touch any packets/requests in the system.

Pilot

Citadel

Mixer

Istio Architecture

@lcalcote

Service Proxy Sidecar

- A C++ based L4/L7 proxy

- Low memory footprint

- In production at Lyft™

@lcalcote

Capabilities:

• API driven config updates → no reloads
• Zone-aware load balancing w/ failover
• Traffic routing and splitting
• Health checks, circuit breakers, timeouts, retry budgets, fault injection…
• HTTP/2 & gRPC
• Transparent proxying
• Designed for observability

the included battery

Pod

Proxy sidecar

App Container

What's Pilot for?

@lcalcote

provides service discovery to sidecars

manages sidecar configuration

Pilot

Citadel

the head of the ship

Mixer

system of record for service mesh

}

provides abstraction from underlying platforms

What's Mixer for?

• Point of integration with infrastructure back ends
  • Intermediates between Istio and back ends, under operator control
  • Enables platform and environment mobility
• Responsible for policy evaluation and telemetry reporting
  • Provides granular control over operational policies and telemetry
• Has a rich configuration model
  • Intent-based config abstracts most infrastructure concerns

@lcalcote

Pilot

Citadel

Mixer

an attribute-processing and routing machine

operator-focused

1. Precondition checking
2. Quota management
3. Telemetry reporting

Mixer

@lcalcote

Mixer

Foo Pod

Proxy sidecar

Service Foo

Foo Container

an attribute processing engine

AppOptics™

@lcalcote

• Uses pluggable adapters to extend its functionality
  • Adapters run within the Mixer process
• Adapters are modules that interface to infrastructure backends
  • (logging, metrics, quotas, etc.)
• Multi-interface adapters are possible
  • (e.g., SolarWinds® adapter sends logs and metrics)

Mixer Adapters

types: logs, metrics, access control, quota

Papertrail™

Prometheus™

Stackdriver™

Open Policy Agent

Grafana™

Fluentd

Statsd

®

What's Citadel for?

@lcalcote

• Verifiable identity
  • Issues certs
  • Certs distributed to service proxies
  • Mounted as a Kubernetes   secret
• Secure naming / addressing
• Traffic encryption

Pilot

security at scale

Mixer

security by default

Orchestrate Key & Certificate:

• Generation
• Deployment
• Rotation
• Revocation

®

Adopting a service mesh

Adopter’s Dilemma

Which service mesh to use?

What's the catch? Nothing's for free.

layer5.io/meshery

@lcalcote

Meshery

a multi-service mesh performance benchmark and playground

Demo

Deployment

• Deployment of Meshery and sample app

Configuration

• Cluster, adapters and grafana

• Configuration validation using Istio Vet

Performance tests

• View individual test result

• Compare multiple tests (two)

• Compare multiple tests (many)

• Benchmark Specification

Side-by-Side Performance Comparison

Istio

Linkerd

Consul

Octarine

App Mesh?

Results coming…

     Upcoming presentations:

1. Container World

2. DockerCon

3. KubeCon EU

@lcalcote

layer5.io/meshery

Service Mesh Benchmark Specification

A project and vendor-neutral specification for capturing details of:

1. Environment / Infrastructure

   • Number and size of nodes, orchestrator

2. Service mesh and its configuration

3. Service / application details

Bundled with test results.

github.com/layer5io/service-mesh-benchmark-spec

@lcalcote

layer5.io/meshery

@lcalcote

layer5.io/books

Subscribe for Early Release

at

https://layer5.io/subscribe