Slide 1

Slide 1 text

Service Mesh: A good deal for Microservices? 15.07.2020 Hanna Prinz

Slide 2

Slide 2 text

~ "Fix your Microservices by throwing a Mesh at it!" ~

Slide 3

Slide 3 text

How did we get here? @INNOQ @HannaPrinz

Slide 4

Slide 4 text

Monolith → Microservices

Slide 5

Slide 5 text

Microservices

Slide 6

Slide 6 text

Cross-cutting concerns every microservice has to handle: Timeout • Circuit Breaking • Encryption • Retry • collect & emit Metrics • Decryption • Authorization • Routing

Slide 7

Slide 7 text

Service Mesh { Metrics • Config • Retry • Timeout • Circuit Breaker • Routing • Encrypt • Decrypt • Authorization • ... }

Slide 8

Slide 8 text

Service Mesh Evolution: Monolith → Microservices in Theory → Microservices in Practice → Microservices with Service Mesh

Slide 9

Slide 9 text

Service Mesh Architecture
• Application: Microservice 1, Microservice 2 (App)
• Data Plane: one Proxy next to each microservice
• Control Plane
• Infrastructure: Infrastructure-Service X, Infrastructure-Service Y

Slide 10

Slide 10 text

Hurray, Technology!

Slide 11

Slide 11 text

Service Mesh Features: Observability • Resilience • Routing • Security

Slide 12

Slide 12 text

Monitoring
A Service Mesh can automatically deliver all 4 "Golden Signals":
• Latency
• Traffic Volume
• Errors (Status Codes)
• Saturation
... but it cannot look into the Microservices' Business Logic
https://landing.google.com/sre/sre-book/chapters/monitoring-distributed-systems/#xref_monitoring_golden-signals

Slide 13

Slide 13 text

Monitoring with a Service Mesh
Record Network Traffic Metrics -> Latency / Response Time -> HTTP Status Codes -> Requests per Second
... make them available to a Monitoring System
... and visualize them with dashboards

Slide 14

Slide 14 text

Demo Application: Order, Shipping, Invoicing, Postgres
Services use neither code nor libraries for monitoring!
https://github.com/ewolff/microservice-istio

Slide 15

Slide 15 text

Istio

Slide 16

Slide 16 text

Service Mesh Features: Observability • Resilience • Routing • Security

Slide 17

Slide 17 text

Routing
Typically implemented in the Edge Router / API Gateway, e.g. NGINX, Envoy, Ambassador, Traefik
• Load Balancing: Instance A / Instance B
• Path-based Routing: /a → Instance A, /b → Instance B
• Blue/Green Deployment: Instance A / Instance B
• A/B-Testing: 50% Instance A / 50% Instance B
• Canary Releasing: Instance A / Instance B (London / World)

Slide 18

Slide 18 text

Routing with a Service Mesh
Microservice 1 and Microservice 2 (App) each sit behind a Proxy in the Data Plane; the Control Plane pushes the Routing Rules to the proxies.

Slide 19

Slide 19 text

Routing with a Service Mesh
• Complex Routing Rules for A/B Testing and Canary Releasing: Service 1 → Proxy → Service 2A / Service 2B (each behind its own proxy), with rules matching GET /new and GET / and a 90% / 10% split
• Traffic Mirroring: Service 1 → Service 2 (PRODUCTION), with requests mirrored to Service 2 (STAGING)
• Routing by locality: locality=London, locality=*
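Added example (not from the slides): an Istio DestinationRule and VirtualService that express this slide's two patterns, the 90/10 split of GET /new between Service 2A and 2B, and mirroring of production traffic to a staging deployment. The host name service-2, the version labels and the staging service name service-2-staging are assumptions.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: service-2
spec:
  host: service-2              # assumed Kubernetes service behind "Service 2"
  subsets:
  - name: a                    # "Service 2A": pods labelled version=a (assumed)
    labels:
      version: a
  - name: b                    # "Service 2B"
    labels:
      version: b
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service-2
spec:
  hosts:
  - service-2
  http:
  # Canary / A/B rule: 90 % of GET /new stays on 2A, 10 % goes to 2B.
  - match:
    - uri:
        exact: /new
      method:
        exact: GET
    route:
    - destination:
        host: service-2
        subset: a
      weight: 90
    - destination:
        host: service-2
        subset: b
      weight: 10
  # Everything else (e.g. GET /) is served by 2A, and a copy of each
  # request is mirrored to staging; the mirror's response is discarded,
  # so staging can neither slow down nor fail the production caller.
  - route:
    - destination:
        host: service-2
        subset: a
    mirror:
      host: service-2-staging  # assumed name of the staging service
    mirrorPercentage:
      value: 100.0
```

Mirrored requests carry the full production request, headers and body included, to the staging deployment, so staging needs the same data-protection and access controls as production.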

Slide 20

Slide 20 text

Service Mesh Features: Observability • Resilience • Routing • Security

Slide 21

Slide 21 text

Resilience
What if a service is not available as expected? (500)
Goal: Overall system continues to function ... with restrictions where necessary
Methods: Retry, Timeout, Circuit Breaking

Slide 22

Slide 22 text

Resilience with a Service Mesh
Microservice 1 and Microservice 2 (App) each sit behind a Proxy in the Data Plane; the Control Plane pushes the Resilience Rules to the proxies.

Slide 23

Slide 23 text

Resilience with a Service Mesh
• Fault Injection / Delay Injection: Service 1 → Proxy → Proxy → Service 2
• Timeout (4s) / Retry (on 502): Service 1 → Proxy → Proxy → Service 2
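Added example (not from the slides): Istio resources for the three resilience methods named in this section, with the fault and delay injection from this slide confined to requests that carry a test header. The host name service-2 and the header name x-chaos-test are assumptions.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service-2
spec:
  hosts:
  - service-2                 # assumed Kubernetes service behind "Service 2"
  http:
  # Fault and delay injection, restricted to requests carrying a test
  # header (header name is an assumption) so normal traffic is untouched.
  - match:
    - headers:
        x-chaos-test:
          exact: "true"
    fault:
      delay:
        percentage:
          value: 50.0
        fixedDelay: 5s        # half of the test requests are held for 5 s
      abort:
        percentage:
          value: 10.0
        httpStatus: 502       # one in ten test requests fails with 502
    route:
    - destination:
        host: service-2
  # Normal traffic: the caller's proxy gives up after 4 s in total and
  # retries gateway errors such as 502 up to 3 times, 1 s per attempt.
  - route:
    - destination:
        host: service-2
    timeout: 4s
    retries:
      attempts: 3
      perTryTimeout: 1s
      retryOn: gateway-error,connect-failure
---
# Circuit breaking lives in the DestinationRule: 5 consecutive 5xx eject an instance for 30 s.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: service-2
spec:
  host: service-2
  trafficPolicy:
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
```

The injected 502s and delays exercise exactly the retry and timeout rule beneath them, so the resilience configuration can be verified without touching the services' code.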

Slide 24

Slide 24 text

Service Mesh Features: Observability • Resilience • Routing • Security

Slide 25

Slide 25 text

Security with a Service Mesh
Microservice 1 and Microservice 2 (App) each sit behind a Proxy in the Data Plane; the Control Plane pushes the Authorization Rules and a TLS certificate to each proxy.

Slide 26

Slide 26 text

Security with a Service Mesh
• Authentication with mTLS: Service 1 → Proxy → Proxy → Service 2; the TLS certificate identifies the caller as "Service 1"
• Authorization: an Authorization Rule on Service 2's proxy decides per request (GET /api, GET /)
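Added example (not from the slides): the two steps on this slide as Istio policies, mutual TLS enforced for the namespace and an authorization rule that lets only the identity "Service 1" call GET /api on Service 2. The namespace default, the service account service-1 and the label app: service-2 are assumptions.

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT          # proxies accept mTLS only; plaintext callers are rejected
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-2-allow-service-1
  namespace: default
spec:
  selector:
    matchLabels:
      app: service-2      # enforced by the sidecar in front of "Service 2" (assumed label)
  action: ALLOW
  rules:
  - from:
    - source:
        # The principal is taken from the client certificate presented over
        # mTLS, i.e. the SPIFFE identity of Service 1's service account.
        principals: ["cluster.local/ns/default/sa/service-1"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api", "/api/*"]
```

Once an ALLOW policy selects a workload, every request it does not match is rejected with 403 by Service 2's proxy: Service 1's GET / as well as GET /api from any other identity. The principal only exists because the client certificate was verified, which is why authentication with mTLS comes first.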

Slide 27

Slide 27 text

Service Mesh Features
Observability
  Service Mesh: Network metrics and access logs; Emit tracing data to backend
  Not provided by the Service Mesh: Business metrics or logs; Passing on tracing headers; Alerting
Resilience
  Service Mesh: Timeouts & Retries; Circuit Breaking
  Not provided by the Service Mesh: Use cache or standard responses in Circuit Breaker
Routing
  Service Mesh: Complex routing rules; Canary Releasing & A/B-Testing
  Not provided by the Service Mesh: Automatic Canary Releasing
Security
  Service Mesh: Authentication with mTLS; Authorization

Slide 28

Slide 28 text

Service Mesh Market

Slide 29

Slide 29 text

Service Mesh Implementations: Istio

Slide 30

Slide 30 text


Slide 31

Slide 31 text

Istio VS Linkerd 2
Istio: *2017, by Google & IBM; optimized for feature-richness and configurability; optimized for Kubernetes, but not exclusive
Linkerd 2: *2017, by Buoyant; optimized for usability and performance; Kubernetes only

Slide 32

Slide 32 text

Features (Istio vs Linkerd 2)
• Observability: Network metrics and access logs; Emit tracing data to backend
• Resilience: Timeouts & Retries; Circuit Breaking
• Security: Authentication with mTLS; Authorization
• Routing: Complex routing rules; Canary Releasing & A/B-Testing
Istio ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✗ ✓ ✓ ✓ ✗

Slide 33

Slide 33 text

Nice Table.

Slide 34

Slide 34 text

Usability

Slide 35

Slide 35 text

Service Mesh Magic is based on a lot of YAML

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: istio-attributegen-filter
spec:
  workloadSelector:
    labels:
      app: reviews
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      proxy:
        proxyVersion: '1\.6.*'
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "istio.stats"
    patch:
      operation: INSERT_BEFORE
      value:
        name: istio.attributegen
        typed_config:
          "@type": type.googleapis.com/udpa.type.v1.TypedStruct
          type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
          value:
            config:
              configuration: |
                {
                  "attributes": [
                    {
                      "output_attribute": "istio_operationId",
                      "match": [
                        {
                          "value": "GET /users",
                          "condition": "request.url_path == '/users' && request.method == 'GET'"
                        },
                        {
                          "value": "POST /order",
                          "condition": "request.url_path == '/order' && request.method == 'POST'"
                        },
                        {
                          "value": "GET /invoice/{id}",
                          "condition": "request.url_path.matches('^/invoice/[[:alnum:]]*$') && request.method == 'GET'"
                        }
                      ]
                    }
                  ]
                }
              vm_config:
                runtime: envoy.wasm.runtime.null
                code:
                  local: { inline_string: "envoy.wasm.attributegen" }
```

Slide 36

Slide 36 text

Istio VS Linkerd 2: Comparison of Configuration

Slide 37

Slide 37 text

Monitoring Precision
• by Service: Service → Service: 11ms
• by Endpoint: GET /users 4ms, POST /order 17ms, GET /invoice/42 2ms

Slide 38

Slide 38 text


Slide 39

Slide 39 text

Monitoring Precision by Endpoint with Linkerd 2
Service A → Service B: GET /users 4ms, POST /order 17ms, GET /invoice/42 2ms

```yaml
apiVersion: linkerd.io/v1alpha1
kind: ServiceProfile
metadata:
  name: service-b.default.svc.cluster.local
  namespace: default
spec:
  routes:
  - name: GET /users
    condition:
      method: GET
      pathRegex: /users
  - name: POST /order
    condition:
      method: POST
      pathRegex: /order
  - name: GET /invoice/{id}
    condition:
      method: GET
      pathRegex: /invoice/[^/]*
```

Slide 40

Slide 40 text

Monitoring Precision by Endpoint with Istio (Experimental in Version 1.6)
Service A → Service B: GET /users 4ms, POST /order 17ms, GET /invoice/42 2ms

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: istio-attributegen-filter
spec:
  workloadSelector:
    labels:
      app: reviews
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      proxy:
        proxyVersion: '1\.6.*'
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "istio.stats"
    patch:
      operation: INSERT_BEFORE
      value:
        name: istio.attributegen
        typed_config:
          "@type": type.googleapis.com/udpa.type.v1.TypedStruct
          type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
          value:
            config:
              configuration: |
                {
                  "attributes": [
                    {
                      "output_attribute": "istio_operationId",
                      "match": [
                        {
                          "value": "GET /users",
                          "condition": "request.url_path == '/users' && request.method == 'GET'"
                        },
                        {
                          "value": "POST /order",
                          "condition": "request.url_path == '/order' && request.method == 'POST'"
                        },
                        {
                          "value": "GET /invoice/{id}",
                          "condition": "request.url_path.matches('^/invoice/[[:alnum:]]*$') && request.method == 'GET'"
                        }
                      ]
                    }
                  ]
                }
              vm_config:
                runtime: envoy.wasm.runtime.null
                code:
                  local: { inline_string: "envoy.wasm.attributegen" }
```

Slide 41

Slide 41 text

Performance & Resources
• Latency: highly dependent on traffic
  • Istio: approx. 3 ms additional latency, per call between services!
  • Linkerd 2: no current numbers, similar to Istio in earlier versions
• Resources
  • Additional containers for the Control Plane & each sidecar
  • → Increased CPU & memory consumption
But: it depends on the concrete project → make your own benchmark!

Slide 42

Slide 42 text

TL;DR

Slide 43

Slide 43 text

Service Mesh
+ Solves many essential problems of microservices ... without changing the code!
– Another complex piece of technology
– Increased latency and resource consumption

Slide 44

Slide 44 text

Decision support
Service Mesh Indicators
• Many microservices, many synchronous calls
• Many unsolved problems in monitoring, routing, resilience and/or security
• Most services run in Kubernetes
Selection criteria
• Which features are really missing?
• Existing infrastructure: Kubernetes, Consul, AWS, ...
• Temporal and cognitive capacity in the team
• Activity of the Community
Objective: As much complexity as necessary, but as little as possible

Slide 45

Slide 45 text

Complexity? Uhm...

Slide 46

Slide 46 text

Monolith → Microservices

Slide 47

Slide 47 text

"don't distribute your objects." ☝ Martin Fowler
https://martinfowler.com/articles/distributed-objects-microservices.html

Slide 48

Slide 48 text

Alternatives?
https://www.infoq.com/articles/architecture-trends-2020/

Slide 49

Slide 49 text

Try not to need a Service Mesh

Slide 50

Slide 50 text

More Service Mesh
• Service Mesh Comparison at servicemesh.es: https://servicemesh.es/
• Blog Post: Happy without a Service Mesh: https://innoq.com/en/blog/happy-without-a-service-mesh/
• Example Application on GitHub: https://github.com/ewolff/microservice-istio
• Linkerd Tutorial: https://linkerd.io/2/tasks/
• Istio Tutorial: https://istio.io/docs/setup/getting-started/

Slide 51

Slide 51 text

Thank you! Questions?
Hanna Prinz [email protected] @HannaPrinz

innoQ Deutschland GmbH
• Krischerstr. 100, 40789 Monheim am Rhein, Germany, +49 2173 3366-0
• Ohlauer Str. 43, 10999 Berlin, Germany, +49 2173 3366-0
• Ludwigstr. 180E, 63067 Offenbach, Germany, +49 2173 3366-0
• Kreuzstr. 16, 80331 München, Germany, +49 2173 3366-0
• Hermannstrasse 13, 20095 Hamburg, Germany, +49 2173 3366-0
innoQ Schweiz GmbH
• Gewerbestr. 11, CH-6330 Cham, Switzerland, +41 41 743 0116
www.innoq.com

Icons made by srip, Smashicons, Nikita Golubev, Freepik, surang and Darius Dan from www.flaticon.com and licensed by CC 3.0 BY
Service Mesh Primer - 2nd Edition: free at leanpub.com/service-mesh-primer