Slide 1

Spring Cloud Gateway: Resilience, Security, and Observability
Thomas Vitale
The Golden Path to SpringOne, Feb 23rd, 2023
@vitalethomas

Slide 2

Thomas Vitale
• Software Engineer and Cloud Architect.
• Author of “Cloud Native Spring in Action” (Manning).
• OSS contributor (Java, Spring, Cloud Native Technologies).
Systematic
thomasvitale.com

Slide 3

API Gateway

Slide 4

Scenarios
• Different clients need different APIs
• Cross-cutting concerns in distributed systems
• Unified interface for microservices
• Strangling the monolith

Slide 5

[Diagram: Library software system]
• User [Person]: A member of the Library. Uses the Edge Service.
• Edge Service [Container: Spring Boot]: Provides API gateway and cross-cutting concerns. Uses [REST/HTTP] the Account Service, Loan Service, and Book Service.
• Account Service [Container: Spring Boot]: Provides functionality for managing members' accounts.
• Loan Service [Container: Spring Boot]: Provides functionality for managing book loans.
• Book Service [Container: Spring Boot]: Provides functionality for managing the library books.

Slide 6

Routing

Slide 7

The Architecture

Slide 8

Observability

Slide 9

Monitoring and management: operating applications in production
Spring Boot Actuator
‣ Health (liveness and readiness)
‣ Metrics (Prometheus, OpenMetrics)
‣ Flyway, Thread Dumps, Heap Dumps
Micrometer Tracing (Spring Cloud Sleuth)
‣ Distributed tracing
‣ Instrumentation
‣ OpenZipkin and OpenTelemetry

Slide 10

grafana.com

Slide 13

Resilience

Slide 14

Retry

Slide 15

Retry
[Sequence diagram] Participants: Book Route with Retry filter (Edge Service), Book Controller (Book Service)
1. Send HTTP request
2. Receive HTTP 503 error
3. Retry HTTP request
4. Receive HTTP 503 error
5. Retry HTTP request
6. Receive successful HTTP response after second retry attempt

Slide 16

Request Rate Limiter

Slide 17

Rate Limiter
https://stripe.com/blog/rate-limiters

Slide 18

Circuit Breaker

Slide 19

Circuit Breaker
[State diagram] States: CLOSED, OPEN, HALF_OPEN
• CLOSED → OPEN: trip breaker when failure rate above threshold
• OPEN → HALF_OPEN: attempt reset after wait duration
• HALF_OPEN → OPEN: trip breaker after failure rate above threshold
• HALF_OPEN → CLOSED: reset breaker when failure rate below threshold

Slide 20

Time Limiter

Slide 21

Time Limiter and Fallback
[Sequence diagram] Participants: Book Route with Time Limiter and Fallback (Edge Service), Book Controller with Time Limiter (Book Service)
1. Send HTTP request
2a. Receive successful HTTP response within the time limit
2b. Throw exception when timeout expires and no fallback defined
2c. Return fallback when defined and timeout expires
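The four resilience patterns from slides 14 to 21 (retry on HTTP 503, request rate limiting, circuit breaker, time limiter with fallback) applied to the Book Route, as an added Spring Cloud Gateway configuration example; it is not from the deck or the speaker's sample project, and the route id, the Book Service URL, the `/book-fallback` endpoint and all numeric thresholds are assumed values.

```yaml
# Added example (not from the deck): Edge Service application.yml
spring:
  cloud:
    gateway:
      routes:
        - id: book-route                                  # assumed route id
          uri: ${BOOK_SERVICE_URL:http://localhost:9001}  # assumed Book Service address
          predicates:
            - Path=/books/**
          filters:
            - name: Retry
              args:
                retries: 3                     # up to three retries; slide 15 succeeds on the second
                methods: GET                   # idempotent only: a retried POST could duplicate an order
                statuses: SERVICE_UNAVAILABLE  # retry on HTTP 503, as in the slide 15 sequence
                backoff:
                  firstBackoff: 50ms
                  maxBackoff: 500ms
                  factor: 2
                  basedOnPreviousValue: false
            - name: RequestRateLimiter         # token-bucket limiter backed by Redis
              args:
                redis-rate-limiter.replenishRate: 10   # tokens refilled per second
                redis-rate-limiter.burstCapacity: 20   # bucket size (largest burst allowed)
                redis-rate-limiter.requestedTokens: 1  # cost of one request
            - name: CircuitBreaker
              args:
                name: bookCircuitBreaker
                fallbackUri: forward:/book-fallback  # assumed local endpoint, slide 21 case 2c

resilience4j:
  circuitbreaker:
    configs:
      default:
        slidingWindowSize: 20                  # calls counted when computing the failure rate
        failureRateThreshold: 50               # percent; CLOSED -> OPEN above this (slide 19)
        waitDurationInOpenState: 15s           # then OPEN -> HALF_OPEN and 5 trial calls
        permittedNumberOfCallsInHalfOpenState: 5
  timelimiter:
    configs:
      default:
        timeoutDuration: 5s                    # slide 21: exception (2b) or fallback (2c) on expiry
```

RequestRateLimiter needs the reactive Redis starter on the classpath, and without an explicit `key-resolver` it keys on the authenticated principal name and rejects requests with no principal by default, so an unauthenticated route needs its own KeyResolver bean.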

Slide 22

User Authentication

Slide 23

[Diagram: Polar Bookshop software system]
• User [Person]: An employee of the bookshop. Uses the Edge Service.
• Edge Service [Container: Spring Boot]: Provides API gateway and cross-cutting concerns. Uses [REST/HTTP] the Book Service, Inventory Service, and Order Service. Delegates authentication to an Auth Service.
• Book Service [Container: Spring Boot]: Provides functionality for managing the library books.
• Inventory Service [Container: Spring Boot]: Provides functionality for managing the bookshop inventory.
• Order Service [Container: Spring Boot]: Provides functionality for managing book orders.
Open questions: Auth Service? Strategy? Protocol? Data Format?

Slide 24

OpenID Connect
A protocol built on top of OAuth2 that enables an application (Client) to verify the identity of a user based on the authentication performed by a trusted party (Authorization Server).

Slide 25

[Diagram: Polar Bookshop software system as on slide 23, with authentication delegated to Keycloak over OIDC]
• Keycloak [Container: Wildfly]: Provides identity and access management. Acts as OAuth2 Authorization Server.
• Edge Service [Container: Spring Boot]: Provides API gateway and cross-cutting concerns. Acts as OAuth2 Client and delegates authentication to Keycloak.
• Keycloak → Edge Service: ID Token
ID Token claims: { "iss": "keycloak", "sub": "isabelle", "exp": 1626439022 }

Slide 26

[Diagram: Polar Bookshop software system as on slide 25, Edge Service as OAuth2 Client and Keycloak as OAuth2 Authorization Server]
Open questions: Security context propagation? Authorized access?

Slide 27

OAuth2
An authorization framework that enables an application (Client) to obtain limited access to a protected resource provided by another application (called Resource Server) on behalf of a user.

Slide 28

[Diagram: Polar Bookshop software system as on slide 25, now with OAuth2 Resource Servers]
• Keycloak [Container: Wildfly]: OAuth2 Authorization Server. Issues the Access Token to the Edge Service.
• Edge Service [Container: Spring Boot]: OAuth2 Client. Forwards the Access Token to the downstream services.
• Book Service, Inventory Service, Order Service [Container: Spring Boot]: OAuth2 Resource Servers.
Access Token claims: { "iss": "keycloak", "sub": "isabelle", "exp": 1626439022 }

Slide 29

Token Relay (OAuth2)
• Browser → Edge Service: Session Cookie
• Edge Service → Resource Servers (e.g. Book Service): Access Token
• Edge Service keeps the mapping Session <---> Access Token
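The token relay from slides 25 to 29 as an added configuration example (not from the deck or the speaker's sample project): the Edge Service is the OIDC/OAuth2 Client that holds the session-to-token mapping and relays the Access Token, and the Book Service is the OAuth2 Resource Server that validates that token against Keycloak itself. The client id, the Keycloak issuer URL and the realm name are assumed values.

```yaml
# Added example (not from the deck): Edge Service application.yml (OAuth2 Client)
spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: edge-service                   # assumed client registered in Keycloak
            client-secret: ${KEYCLOAK_CLIENT_SECRET}  # injected from the environment, never committed
            scope: openid                             # OIDC: an ID Token is issued alongside the Access Token
        provider:
          keycloak:
            issuer-uri: ${KEYCLOAK_ISSUER_URI:http://localhost:8080/realms/PolarBookshop}  # assumed realm
  cloud:
    gateway:
      routes:
        - id: book-route
          uri: ${BOOK_SERVICE_URL:http://localhost:9001}   # assumed Book Service address
          predicates:
            - Path=/books/**
          filters:
            - TokenRelay=    # puts the Access Token bound to the browser session in the Authorization header
            - SaveSession    # persist the session before forwarding so the Session <-> Access Token mapping survives
---
# Book Service application.yml (OAuth2 Resource Server)
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: ${KEYCLOAK_ISSUER_URI:http://localhost:8080/realms/PolarBookshop}  # same issuer as the gateway
          # the service checks the signature, iss and exp claims itself; it does not trust the gateway
```

The browser only ever holds the session cookie; the Access Token stays server-side in the Edge Service session store and is rejected downstream if its issuer or expiry does not match.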

Slide 30

Resources

Slide 31

https://github.com/ThomasVitale/awesome-spring

Slide 32

Resources
Source code
• Sample project: https://github.com/ThomasVitale/spring-cloud-gateway-resilience-security-observability
• Spring Cloud Gateway: https://spring.io/projects/spring-cloud-gateway
• Spring Security, OAuth2, OpenID Connect: https://www.youtube.com/watch?v=g7Dwv1BKnkg

Slide 33

Spring Cloud Gateway: Resilience, Security, and Observability
Thomas Vitale
The Golden Path to SpringOne, Feb 23rd, 2023