Gloo Mesh Enterprise Webinar 12.10.2020

Transcript

1. Gloo Mesh Enterprise Christian Posta Field CTO – Solo.io

2. 2 | Copyright © 2020 CHRISTIAN POSTA Global Field CTO,

   Solo.io @christianposta [email protected] https://blog.christianposta.com https://slideshare.net/ceposta

3. 3 | Copyright © 2020 Solo.io Gloo Platform What do

   we offer? Gloo API Infrastructure Platform - A portfolio of products to enable, secure, and observe application connectivity at the edge and between services across clusters and clouds What does the platform include? Gloo API Infrastructure: • Gloo Mesh – Enterprise Istio with multi-cluster, VM, multi-mesh, and Wasm management • Gloo Edge - A powerful next generation API gateway built on Envoy Proxy • Gloo Portal - Developer portal to catalog and expose running APIs. • Gloo Extensions - Developer tooling to extend Envoy with WebAssembly

4. 4 | Copyright © 2020 Service Mesh?

5. 5 | Copyright © 2020 Service mesh technologies provide the

   following: • Service discovery / Load balancing • Secure service-to-service communication • Traffic control / shaping / shifting • Policy / Intention based access control • Traffic metric collection • Service resilience • API / programmable interface

6. 6 | Copyright © 2020 Service proxy lives with application

   instance Account Communicate on the network Proxy responsible for enriching the network communication with: • Circuit breaking • Load balancing • Timeout, retry • Service discovery • Metric collection Other service

7. 7 | Copyright © 2020 Service proxy + control plane

   Account User Control Plane mTLS Control plane responsible for • Configuration translation • Telemetry, tracing collection • Platform service discovery • Policy declaration Policy enforcement

8. 8 | Copyright © 2020 Communication mesh between services WORK

   LOAD WORK LOAD WORK LOAD WORK LOAD Control Plane

9. 9 | Copyright © 2020 Istio is the dominant open-source

   leader https://istio.io Source: CNCF Survey 2020 raw data

10. 10 | Copyright © 2020 Challenges in service mesh adoption

    • Which one to choose? • Who will provide support, long-term support? • Multi-tenancy issues within a single cluster? • Managing multiple clusters • Fitting with existing services (sidecar lifecycle, race conditions, etc) • Delineation between developers and operations • What about legacy / hybrid environments?

11. 11 | Copyright © 2020 https://www.solo.io/products/gloo-mesh/ Open Source: https://github.com/solo-io/gloo-mesh/releases

12. 12 | Copyright © 2020 Multi-Cluster Operations Consistent configuration and

    orchestration across multiple clusters and VMs Istio Production and long-terms support (LTS, N-3) with patches and hotfixes for validated upstream Istio Role Based API Delegate ownership of configuration and policy by persona, including: developers, SREs, and admins WebAssembly Extend the service-mesh control plane with WebAssembly modules; manage their deployment and lifecycle across clusters Observability Operational visibility with a single pane of glass across multiple service mesh clusters Gloo Mesh Enterprise Enterprise Istio for single cluster, multi-cluster and multi-platform configuration. Focus on ease of use, powerful best practices built in, security, and extensibility Global Failover Routing Cross-cluster failover rand locality aware routing Multi-Mesh Multi-platform service mesh support (AWS App Mesh and Azure Open Service Mesh) across clouds and zones Security End to end security across clusters and meshes for zero trust networks https://www.solo.io/products/gloo-mesh/

13. 13 | Copyright © 2020 13 | Copyright © 2020

    Deep dive through example Gloo Mesh Enterprise

14. 14 | Copyright © 2020 14 | Copyright © 2020

    Single cluster Gloo Mesh Enterprise: Istio

15. 15 | Copyright © 2020 Services deployed in single cluster:

    Enterprise Istio • Upstream first • Specialty builds available (FIPS, ARM, etc) • Long Term Support (LTS) N-3 • Critical security patches • Production break-fix • One hour SLA Severity 1 • Install / upgrade • Architecture and operational guidance, best practices Account User Kubernetes Cluster Istiod

16. 16 | Copyright © 2020 16 | Copyright © 2020

    Configuration abstraction level, complexity, ownership and contention Gloo Mesh Enterprise: role-based API

17. 17 | Copyright © 2020 Configuration: typical roles Account User

    Kubernetes Cluster Istiod SRE Platform Team Service Team (provider) Service Team (consumer)

18. 18 | Copyright © 2020 Example: Service Team (provider) Sidecar

    • Service dependencies • Hostname routing • CORS • Traffic splitting • Rate limiting • Fault injection • Circuit breaking VirtualService DestinationRule Configured with these Istio resources for each service Account Service Sidecar VirtualService DestinationRule User Service VirtualService (ingress) VirtualService (ingress)

19. 19 | Copyright © 2020 Example: Service Team (consumer) •

    Timeouts • Retries • Retry budget • Locality aware load balancing • Circuit breaking Sidecar VirtualService DestinationRule Configured with these Istio resources for each service Account Service Sidecar VirtualService DestinationRule User Service

20. 20 | Copyright © 2020 Problem: Contention…Who owns these resources!?

    Sidecar VirtualService DestinationRule VirtualService (ingress) Istio’s API closely mimics Envoy’s. It’s low level and does not lend itself to multi-team ownership and delineation

21. 21 | Copyright © 2020 Example: Platform owner(s) • Kubernetes

    owner, network/security ops • What services should/should not communicate? • What calls can cross organizational boundaries? • Identity propagation • Traffic encrypted • Default resilience settings • High availability of solution ServiceEntry Configured with these Istio resources PeerAuthentication AuthorizationPolicy Gateway EnvoyFilter WorkloadEntry

22. 22 | Copyright © 2020 Gloo Mesh: simplified role-based API

    Account User Kubernetes Cluster Istiod SRE Platform Team Service Team (provider) Service Team (consumer) Gloo Mesh Management Plane Translate to Istio TrafficPolicy AccessPolicy Gloo Mesh API simplifies the model to selection of source and target: Source -> policy -> Target

23. 23 | Copyright © 2020 23 | Copyright © 2020

    Quick Demo: role-based API

24. 24 | Copyright © 2020 24 | Copyright © 2020

    Problem: Multiple clusters

25. 25 | Copyright © 2020 Deploy Istio across multiple clusters

    for high availability and isolation Cluster 1 Account Istiod User Ingress Cluster 2 Orders Istiod Ingress User AWS EKS Orders Istiod Ingress User Account

26. 26 | Copyright © 2020 Problem: configuration semantics and explosion

    Cluster 1 Account Istiod User Ingress Cluster 2 Orders Istiod Ingress User Cluster 3 Orders Istiod Ingress User Account Account VS User VS Account DR User DR Account SC Account SE3 User SC User SE2 User SE3 Orders VS User VS Orders DR User DR Orders SC Orders SE3 User SC User SE1 User SE3 Orders VS User VS Orders DR User DR Orders SC Orders SE3 User SC User SE1 User SE3 Account VS Account DR Account SC Config boundary Config boundary Config boundary

27. 27 | Copyright © 2020 Problems operating multiple clusters and

    control planes • Making clusters aware of dependent services on other clusters (service discovery / partitioning) • Unifying identity domains / limited trust networks • Often need to write multiple configurations in multiple clusters just to accomplish something simple (like traffic routing) • Consistent security • Defining failover semantics (locality, priority, etc) • Isolating fault domains (trust, configuration, etc)

28. 28 | Copyright © 2020 28 | Copyright © 2020

    Solution: a federation management plane Gloo Mesh Enterprise: management plane

29. 29 | Copyright © 2020 Gloo Mesh management plane for

    federation Cluster 1 Account Istiod User Ingress Cluster 2 Orders Istiod Ingress User AWS EKS Orders Istiod Ingress User Account Gloo Mesh Management Plane Service Teams / SRE / Platform Team Translate and orchestrate TrafficPolicy AccessPolicy

30. 30 | Copyright © 2020 Gloo Mesh multi-cluster configuration Gloo

    Mesh Management Plane Translate and orchestrate Istiod Cluster 1 Istiod Cluster 2 Istiod Eks/Gke/Aks Source(s) Target(s) Applied Policy TrafficPolicy Source(s) Target(s) Applied Policy AccessPolicy TrafficPolicy TrafficPolicy TrafficPolicy AccessPolicy AccessPolicy AccessPolicy

31. 31 | Copyright © 2020 31 | Copyright © 2020

    Quick Demo: operating multiple meshes

32. 32 | Copyright © 2020 32 | Copyright © 2020

    Multiple mesh providers Gloo Mesh: Multi-mesh support

33. 33 | Copyright © 2020 https://www.solo.io/products/gloo-mesh/

34. 34 | Copyright © 2020 Gloo Mesh multi-cluster configuration Gloo

    Mesh Management Plane Translate and orchestrate Istiod Cluster 1 Istiod Cluster 2 AWS AppMesh EKS/ECS/EC2 Source(s) Target(s) Applied Policy TrafficPolicy Source(s) Target(s) Applied Policy AccessPolicy TrafficPolicy TrafficPolicy TrafficPolicy AccessPolicy AccessPolicy AccessPolicy

35. 35 | Copyright © 2020 35 | Copyright © 2020

    Extending the mesh Gloo Mesh Enterprise: WebAssembly

36. 36 | Copyright © 2020 Extending Envoy Proxy - Adding

    Custom Filters THE NEW WAY: WebAssembly − Write filter in any language − Compile to .wasm module − Dynamically load in Envoy Proxy during runtime

37. 37 | Copyright © 2020 Extend Envoy Proxy with Web

    Assembly (Wasm) EXTERNAL AUTH RATE LIMITING ROUTER UPSTREAM WASM gRPC TRANSCODER Why WebAssembly? • Polyglot: Envoy Filters are written in C++ and Wasm expands to any language • Secure and Reliable: Wasm runs in isolated VM, can dynamically update w/o Envoy restarts, no hard dependencies or cascading failures • Speed: Near native performance • Sustainable: Eliminates need to recompile and maintain a build of Envoy

38. 38 | Copyright © 2020 Gloo Mesh extensibility with WebAssembly

    Cluster 1 Account Istiod User Ingress Cluster 2 Orders Istiod Ingress User AWS EKS Orders Istiod Ingress User Account Gloo Mesh Management Plane SRE / Platform Team Deploy Wasm WasmDeployment Wasm registry

39. 39 | Copyright © 2020 Gloo Mesh Wasm support •

    Simplified tooling to bootstrap Wasm modules in Rust, C++, TinyGo, AssemblyScript • Infrastructure to build, push, share, deploy Wasm into Istio service mesh • Wasm Registry • Multi-cluster management, orchestration of Wasm lifecycle

40. 40 | Copyright © 2020 40 | Copyright © 2020

    Recap Gloo Mesh Enterprise

41. 41 | Copyright © 2020 The benefits of Gloo Mesh

    Capability Without Gloo Mesh With Gloo Mesh Istio support N-1, community best effort N-3 LTS, 1hr sev-1 SLA, architecture/operations guidance Role-based API High contention Tailor API to user Multi-cluster traffic and authorization policy Local and complex Global, simplified Extensibility Limited, manual Enterprise ready, multi- cluster Management Local CLI, gitops Global API, CLI, UI, gitops

42. 42 | Copyright © 2020 Feature readiness Capability Current Target

    stable Istio support Stable, supported Now Role-based API Beta, supported January 2021 Multi-cluster traffic and authorization policy Beta, supported January 2021 Extensibility Alpha, tech preview March 2021 Management Beta. supported January 2021

43. 43 | Copyright © 2020 • Enterprise Istio support, LTS

    (upstream, FIPS, ARM, validated builds, security patches for N-3) • Istio expertise, architecture, security, etc. • Role based API • Multi-cluster management plane • Identity federation • Unified, multi-cluster API, configuration • Failover, locality-based routing, adaptive traffic shifting • Web assembly extensions Phased Approach to Adopting Gloo Mesh Enterprise

44. 44 | Copyright © 2020 @christianposta GET GLOO MESH ENTERPRISE!

    https://www.solo.io/products/gloo-mesh/ Open Source: https://github.com/solo-io/gloo-mesh/releases

45. 45 | Copyright © 2020 • https://solo.io • https://solo.io/blog •

    https://slack.solo.io • https://gloo.solo.io • https://envoyproxy.io • https://istio.io • https://webassemblyhub.io