Slide 1

Slide 1 text

A Developer’s Introduction to Service Mesh
April 2022
Copyright © 2020 HashiCorp

Slide 2

Slide 2 text

We must have a service mesh.

Slide 3

Slide 3 text

We want to secure service-to-service communication with mTLS.

Slide 4

Slide 4 text

Service Discovery: DNS
Load Balancing: Round-robin, Weighted
Security: mTLS, Authorization
Telemetry: Metrics, Tracing
Traffic Management: Circuit Breaking, Retries

Slide 5

Slide 5 text

[Diagram: the expense-report demo application (github.com/joatmon08/expense-report). A report service (v2 .NET, v3 .NET) calls an expense service (v1 .NET, v2 Java); every instance sits behind its own proxy inside the service mesh.]

Slide 6

Slide 6 text

CODE EDITOR

apiVersion: apps/v1
kind: Deployment
metadata:
  name: expense
  labels:
    app: expense
    release: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: expense
      release: v1
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        consul.hashicorp.com/connect-inject: "true"

https://github.com/sqshq/piggymetrics

Slide 7

Slide 7 text

Service Discovery: Service Mesh
Load Balancing: Service Mesh
Security: Service Mesh
Telemetry: Service Mesh??
Traffic Management: Service Mesh

Slide 8

Slide 8 text

Service Discovery

Slide 9

Slide 9 text

Choosing an abstraction.

Service Mesh:
  Proxy registration

Application-Side Options:
  Libraries (e.g., Eureka)
  DNS
  Kubernetes services

Slide 10

Slide 10 text

CODE EDITOR

@SpringBootApplication
@EnableDiscoveryClient
// omitted
public class AccountApplication {
    public static void main(String[] args) {
        SpringApplication.run(AccountApplication.class, args);
    }
}

https://github.com/sqshq/piggymetrics

Slide 11

Slide 11 text

[Diagram: the same expense-report topology (report v2/v3 .NET, expense v1 .NET and v2 Java, one proxy per instance); the proxies register each instance with the service mesh.]

Slide 12

Slide 12 text

TERMINAL

> wget -qO- 127.0.0.1:19000/clusters
## omitted for clarity
expense.default.eastus.internal.***.consul::10.244.1.7:20000::cx_active::1
jaeger_9411::10.0.244.168:9411::cx_active::1
expense-v2.default.eastus.internal.***.consul::10.244.0.16:20000::cx_active::1

Slide 13

Slide 13 text

Load Balancing

Slide 14

Slide 14 text

Choosing an abstraction.

Service Mesh:
  Proxy configuration

Application-Side Options:
  Libraries (e.g., Feign)
  Load balancers
  DNS

Slide 15

Slide 15 text

CODE EDITOR

@SpringBootApplication
@EnableFeignClients
// omitted
public class AccountApplication {
    public static void main(String[] args) {
        SpringApplication.run(AccountApplication.class, args);
    }
}

https://github.com/sqshq/piggymetrics

Slide 16

Slide 16 text

[Diagram: the expense-report topology with the report service's proxy splitting traffic to the expense service: 50% to v1, 50% to v2.]

Slide 17

Slide 17 text

TERMINAL

> wget localhost:19000/config_dump
## omitted for clarity
"dynamic_route_configs": [
  {
    "route_config": {
      "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration",
      "name": "expense",
      ## omitted for clarity
      "route": {
        "weighted_clusters": {
          "clusters": [
            {
              "name": "expense.default.eastus.internal.***.consul",
              "weight": 5000
            },
            {
              "name": "expense-v2.default.eastus.internal.***.consul",
              "weight": 5000
            }
          ],
          "total_weight": 10000
        }

Slide 18

Slide 18 text

Security

Slide 19

Slide 19 text

Choosing an abstraction.

Service Mesh:
  mTLS between proxies
  Proxy filters (TCP & HTTP)

Application-Side Options:
  Libraries
  Write your own
  API authorization servers
  OIDC/JWT

Slide 20

Slide 20 text

CODE EDITOR

builder.Services.AddAuthentication(
        CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        options.Events = new CertificateAuthenticationEvents
        {
            OnCertificateValidated = context =>
            {
                // The generic type argument was stripped during extraction;
                // restored from the linked Microsoft docs example.
                var validationService = context.HttpContext.RequestServices
                    .GetRequiredService<ICertificateValidationService>();
                if (validationService.ValidateCertificate(context.ClientCertificate))
                {
                    // omitted
                }
                return Task.CompletedTask;
            }
        };
    });

https://docs.microsoft.com/en-us/aspnet/core/security/authentication/certauth?view=aspnetcore-6.0

Slide 21

Slide 21 text

[Diagram: the expense-report topology with MTLS labelled on every proxy-to-proxy link between the report and expense services.]

Slide 22

Slide 22 text

TERMINAL

> wget localhost:19000/config_dump
## omitted for clarity
"transport_socket": {
  "name": "tls",
  "typed_config": {
    "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
    "common_tls_context": {
      "tls_params": {},
      "tls_certificates": [
        {
          "certificate_chain": {
            "inline_string": "-----BEGIN CERTIFICATE-----\n***\n-----END CERTIFICATE-----\n"
          },
          "private_key": {
            "inline_string": "[redacted]"
          }
        }
      ],
      "validation_context": {
        "trusted_ca": {
          "inline_string": "-----BEGIN CERTIFICATE-----\n***\n-----END CERTIFICATE-----\n"
        }
      }
    },
    "require_client_certificate": true

Slide 23

Slide 23 text

CODE EDITOR

@SpringBootApplication
@EnableOAuth2Client
@EnableGlobalMethodSecurity(prePostEnabled = true)
// omitted
public class AccountApplication {
    public static void main(String[] args) {
        SpringApplication.run(AccountApplication.class, args);
    }
}

https://github.com/sqshq/piggymetrics

Slide 24

Slide 24 text

[Diagram: the expense-report topology with an intention on the expense service's proxy: allow report to access /api/expense/trip.]

Slide 25

Slide 25 text

TERMINAL

> wget localhost:19000/config_dump
## omitted for clarity
{
  "@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
  "dynamic_listeners": [
    "active_state": {
      "filter_chains": [
        {
          "filters": [
            {
              "http_filters": [
                {
                  "name": "envoy.filters.http.rbac",
                  "typed_config": {
                    "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
                    "rules": {
                      "policies": {
                        "consul-intentions-layer7-0": {
                          "permissions": [
                            {
                              "and_rules": {
                                "rules": [
                                  {
                                    "url_path": {
                                      "path": {
                                        "prefix": "/api/expense/trip"
                                      }
                                    }
                                  },
                          "principals": [
                            {
                              "authenticated": {
                                "principal_name": {
                                  "safe_regex": {
                                    "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/report$"
                                  }
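As an added example (not code from the talk or the expense-report repository), the following Python audits an Envoy admin config_dump shaped like the excerpts on slides 22 and 25: it flags downstream TLS contexts that do not require a client certificate (no mTLS) and extracts what each RBAC policy, i.e. each Consul intention, permits and to which SPIFFE principals. The sample dump is constructed, with certificates replaced by "***".

```python
import re

DOWNSTREAM_TLS = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext"
RBAC = "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC"

def walk(node):
    """Yield every dict nested anywhere in the dump (nesting depth varies by Envoy version)."""
    if isinstance(node, dict):
        yield node
        for v in node.values():
            yield from walk(v)
    elif isinstance(node, list):
        for v in node:
            yield from walk(v)

def listeners_without_client_cert(dump):
    """Downstream TLS contexts that do not require a client certificate, i.e. not enforcing mTLS."""
    return [n for n in walk(dump)
            if n.get("@type") == DOWNSTREAM_TLS and not n.get("require_client_certificate")]

def rbac_policies(dump):
    """{policy name: (url path prefixes, principal regexes)} for every ALLOW-mode RBAC filter."""
    out = {}
    for n in walk(dump):
        rules = n.get("rules", {})
        if n.get("@type") != RBAC or rules.get("action", "ALLOW") != "ALLOW":  # Envoy default is ALLOW
            continue
        for name, pol in rules.get("policies", {}).items():
            prefixes = [d["url_path"]["path"]["prefix"] for d in walk(pol)
                        if "prefix" in d.get("url_path", {}).get("path", {})]
            regexes = [d["safe_regex"]["regex"] for d in walk(pol) if "safe_regex" in d]
            out[name] = (prefixes, regexes)
    return out

def principal_allowed(dump, spiffe_id, path):
    """True if some ALLOW policy matches both the caller's SPIFFE ID and the request path."""
    return any(any(path.startswith(p) for p in prefixes)
               and any(re.fullmatch(r, spiffe_id) for r in regexes)
               for prefixes, regexes in rbac_policies(dump).values())

# Constructed sample in the slide-22/25 shape; certificates replaced by "***". Not a real dump.
TLS_CTX = {"@type": DOWNSTREAM_TLS, "require_client_certificate": True,
           "common_tls_context": {"tls_certificates": [{"certificate_chain": {"inline_string": "***"}}]}}
RBAC_FILTER = {"name": "envoy.filters.http.rbac", "typed_config": {"@type": RBAC, "rules": {
    "action": "ALLOW", "policies": {"consul-intentions-layer7-0": {
        "permissions": [{"and_rules": {"rules": [{"url_path": {"path": {"prefix": "/api/expense/trip"}}}]}}],
        "principals": [{"authenticated": {"principal_name": {"safe_regex": {
            "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/report$"}}}}]}}}}}
SAMPLE = {"configs": [{"dynamic_listeners": [{"active_state": {"listener": {"filter_chains": [
    {"transport_socket": {"name": "tls", "typed_config": TLS_CTX},
     "filters": [{"typed_config": {"http_filters": [RBAC_FILTER]}}]}]}}}]}]}
```

Run it against the JSON from `wget -qO- localhost:19000/config_dump` (parsed with `json.loads`) on each sidecar to confirm that the public listener requires client certificates and that only the intended callers reach each path.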

Slide 26

Slide 26 text

Traffic Management

Slide 27

Slide 27 text

Choosing an abstraction.

Service Mesh:
  Proxy configuration
    Envoy circuit breaker: set maximum, pending, and current connections for upstream service instances
    Envoy outlier detection: eject a service instance if failures reach a threshold

Application-Side Options:
  Libraries
  Write your own

Slide 28

Slide 28 text

CODE EDITOR

@SpringBootApplication
@EnableCircuitBreaker
// omitted
public class AccountApplication {
    public static void main(String[] args) {
        SpringApplication.run(AccountApplication.class, args);
    }
}

https://github.com/sqshq/piggymetrics

Slide 29

Slide 29 text

CODE EDITOR

var retryPolicy = GetRetryPolicy();
var circuitBreakerPolicy = GetCircuitBreakerPolicy();

// The generic type arguments were stripped during extraction;
// restored from the linked Microsoft docs example.
services.AddHttpClient<IBasketService, BasketService>()
    .SetHandlerLifetime(TimeSpan.FromMinutes(5))
    .AddHttpMessageHandler<HttpClientAuthorizationDelegatingHandler>()
    .AddPolicyHandler(retryPolicy)
    .AddPolicyHandler(circuitBreakerPolicy);

// Open the circuit for 30 seconds after 5 consecutive transient HTTP failures.
static IAsyncPolicy<HttpResponseMessage> GetCircuitBreakerPolicy()
{
    return HttpPolicyExtensions
        .HandleTransientHttpError()
        .CircuitBreakerAsync(5, TimeSpan.FromSeconds(30));
}

https://docs.microsoft.com/en-us/dotnet/architecture/microservices/implement-resilient-applications/implement-circuit-breaker-pattern

Slide 30

Slide 30 text

[Diagram: the expense-report topology with a passive health check on the report service's proxy: if HTTP 5xx > 3 errors, eject the service instance and divert traffic to another service version.]

Slide 31

Slide 31 text

CODE EDITOR

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: report
spec:
  protocol: http
  upstreamConfig:
    overrides:
      - name: expense
        passiveHealthCheck:
          interval: "10s"
          maxFailures: 3

https://www.consul.io/docs/connect/proxies/envoy#passive_health_check
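As an added example (not the talk's or Envoy's code), a simplified model of the behaviour slides 27 to 31 describe: the weighted clusters from slide 17 (5000/5000 between expense v1 and v2) combined with a passive health check of maxFailures 3, where an instance is ejected after three consecutive 5xx responses and its share of traffic shifts to the remaining healthy instance. The instance names and the "always returns this status" inputs are constructed; Envoy's real outlier detection also handles ejection timing and re-admission, which this model leaves out.

```python
import random

class WeightedCluster:
    """Weighted routing across instances, with consecutive-5xx ejection (simplified model)."""

    def __init__(self, weights, max_failures=3):
        self.weights = dict(weights)               # instance name -> route weight (slide 17)
        self.max_failures = max_failures           # passiveHealthCheck.maxFailures (slide 31)
        self.failures = {n: 0 for n in weights}    # consecutive 5xx responses per instance
        self.ejected = set()

    def pick(self, rng):
        """Weighted choice among instances that are not ejected; None if none are left."""
        healthy = [n for n in self.weights if n not in self.ejected]
        if not healthy:
            return None
        return rng.choices(healthy, weights=[self.weights[n] for n in healthy])[0]

    def record(self, name, status):
        """A 5xx increments the consecutive count, a success resets it; hitting the threshold ejects."""
        if status >= 500:
            self.failures[name] += 1
            if self.failures[name] >= self.max_failures:
                self.ejected.add(name)
        else:
            self.failures[name] = 0

def simulate(responses, requests=200, seed=7):
    """responses: constructed {instance: status it always returns}.
    Returns (requests routed to each instance, ejected instances)."""
    cluster = WeightedCluster({"expense-v1": 5000, "expense-v2": 5000}, max_failures=3)
    rng = random.Random(seed)
    counts = {n: 0 for n in cluster.weights}
    for _ in range(requests):
        target = cluster.pick(rng)
        if target is None:
            break                                  # every instance ejected: nowhere to divert
        counts[target] += 1
        cluster.record(target, responses[target])
    return counts, sorted(cluster.ejected)
```

With v1 failing and v2 healthy, v1 receives exactly three requests before ejection and everything else goes to v2; with both failing, traffic stops after six requests, which is the failure mode a passive check alone cannot help with.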

Slide 32

Slide 32 text

Telemetry

Slide 33

Slide 33 text

Two sources of telemetry.

Service Mesh:
  Proxy metrics (merge with application)
  Proxy traces (only work if you have application traces)

Application-Side Options:
  Libraries (OpenTelemetry, Prometheus exporters)
  Write your own

Slide 34

Slide 34 text

You still need instrumentation for your application.

Slide 35

Slide 35 text

CODE EDITOR

// metricsEndpoint, serviceName, serviceVersion and tracingUri are defined earlier in Program.cs (not shown on the slide)
builder.Services.AddOpenTelemetryMetrics(b =>
{
    b.AddPrometheusExporter(o =>
    {
        o.StartHttpListener = true;
        o.HttpListenerPrefixes = new string[] { metricsEndpoint };
    })
    .AddHttpClientInstrumentation()
    .AddAspNetCoreInstrumentation();
});

builder.Services.AddOpenTelemetryTracing(b =>
{
    b.AddSource(serviceName)
    .SetResourceBuilder(
        ResourceBuilder.CreateDefault()
            .AddService(serviceName: serviceName, serviceVersion: serviceVersion))
    .AddSqlClientInstrumentation(o => { o.SetDbStatementForText = true; })
    .AddHttpClientInstrumentation()
    .AddAspNetCoreInstrumentation()
    .AddZipkinExporter(o => { o.Endpoint = new Uri(tracingUri); });
});

https://github.com/joatmon08/expense-report/tree/main/expense/dotnet

Slide 36

Slide 36 text

TERMINAL

> java \
    -javaagent:/app/agent/opentelemetry-javaagent.jar \
    -Dotel.traces.exporter=zipkin \
    -Dotel.metrics.exporter=prometheus \
    -Dotel.resource.attributes=service.name=expense \
    -jar /app/spring-boot-application.jar

Slide 37

Slide 37 text

[Diagram: the expense-report topology, annotated: configure the service mesh to expose proxy traces.]

Slide 38

Slide 38 text

TERMINAL

> wget localhost:19000/config_dump
"tracing": {
  "http": {
    "name": "envoy.tracers.zipkin",
    "typed_config": {
      "@type": "type.googleapis.com/envoy.config.trace.v3.ZipkinConfig",
      "collector_cluster": "jaeger_9411",
      "collector_endpoint": "/api/v2/spans",
      "shared_span_context": true,
      "collector_endpoint_version": "HTTP_JSON"
    }
  }
}

Slide 39

Slide 39 text

[Diagram: the expense-report topology, annotated: configure the service mesh to expose proxy metrics.]

Slide 40

Slide 40 text

CODE EDITOR

apiVersion: consul.hashicorp.com/v1alpha1
kind: ProxyDefaults
metadata:
  name: global
spec:
  config:
    protocol: http
    envoy_prometheus_bind_addr: "0.0.0.0:20200"

https://www.consul.io/docs/connect/proxies/envoy#passive_health_check

Slide 41

Slide 41 text

[Diagram: the expense-report topology, annotated: merge metrics from the application into the proxy metrics endpoint.]

Slide 42

Slide 42 text

CODE EDITOR

apiVersion: apps/v1
kind: Deployment
metadata:
  name: expense
  labels:
    app: expense
    release: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: expense
      release: v1
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        consul.hashicorp.com/connect-inject: "true"
        consul.hashicorp.com/enable-metrics-merging: "true"
        consul.hashicorp.com/service-metrics-port: "9464"

https://www.consul.io/docs/connect/proxies/envoy#passive_health_check

Slide 43

Slide 43 text

TERMINAL

> wget localhost:20200/metrics
# TYPE envoy_cluster_upstream_rq_time histogram
# TYPE runtime_jvm_gc_count_total counter
# HELP runtime_jvm_gc_count_total The number of collections that have occurred for a given JVM garbage collect

Slide 44

Slide 44 text

Service Discovery: Service Mesh
Load Balancing: Service Mesh
Security: Service Mesh
Telemetry: Service Mesh??
Traffic Management: Service Mesh

Slide 45

Slide 45 text

github.com/joatmon08/expense-report

Slide 46

Slide 46 text

Rosemary Wang, HashiCorp
she/her
@joatmon08

Thank you!