
Workshop - Service Mesh Hub

Solo.io
September 24, 2020

Workshop - Service Mesh Hub

Managing a service mesh deployment that is consistent and secure across multiple clusters is tedious, error prone at best, and raises questions like:

* How should I deploy and manage multiple clusters of service mesh?
* What if my service meshes span across on-prem and cloud?
* What traffic control or security policies do I need to consider across multiple clusters?

Service Mesh Hub is a Kubernetes-native control plane to unify and simplify the operation of multi-cluster service mesh including concerns like service discovery, identity and trust domains, access control, cross cluster traffic, failover and more.

In this hands-on workshop we will explore different service mesh deployment patterns, multi-cluster topologies, and how Service Mesh Hub can address the configuration and operations needs for these environments.

Covered in this workshop:
* Deploy Istio onto two clusters
* Discover and unify the clusters to form a virtual mesh
* Configure cross cluster microservices communication
* Create access control policies
* Simulate traffic failover scenarios

Learn more
* About Service Mesh Hub https://www.youtube.com/playlist?list=PLBOtlFtGznBj4Zkf_d5VRlLgpBbhwXl9f
* Try the workshop https://github.com/solo-io/workshops
* Register for an upcoming event https://www.solo.io/events-webinars/


Transcript

  1. 3 | Copyright © 2020. How do you expose your applications? [Diagram: microservices behind an edge gateway; themes: Connect, Secure, Control, Observe]
  2. How do internal services talk together? The old way. [Diagram: microservices calling each other through an API gateway; themes: Connect, Secure, Control, Observe]
  3. How do internal services talk together? The old way. [Diagram: same as the previous slide, build step]
  4. How do internal services talk together? The new way. [Diagram: microservices connected through a service mesh; themes: Connect, Secure, Control, Observe]
  5. Multicluster Service Mesh challenges
    * You need Federated Trust and Identity
    * You need to allow communications between clusters
    * You need to manage access control globally
    * You need to define a Disaster Recovery strategy
    * You need to secure the Edge as well
    * All of the above is highly complex
  6. Service Mesh Hub is simplifying everything [Diagram: Service Mesh Hub architecture. Mesh Discovery discovers and watches the meshes, pods and services of each cluster (one istiod per cluster) and creates the custom resources that hold the multi-cluster state: Mesh, Traffic Target, Workload. Mesh Networking watches the Traffic Policy, Access Policy, Virtual Mesh and Issued Certificate custom resources, then creates policies in the clusters and signs certs.]
  7. SMH Mesh Discovery [Diagram: a Kubernetes cluster secret being added or a CRD being added feeds an InputSnapshot; StartDiscovery runs the MeshTranslator, WorkloadTranslator and TrafficTargetTranslator and produces an OutputSnapshot of Mesh, Traffic Target and Workload custom resources (the multi-cluster state); one istiod per cluster is discovered.]
  8. SMH Mesh Networking [Diagram: watched Traffic Policy, Access Policy, Virtual Mesh and Issued Certificate resources form an InputSnapshot; StartNetworking runs the VirtualMeshTranslator, FederationTranslator, FailoverTranslator, mtlsTranslator, TrafficTargetTranslator, TrafficPolicyTranslator and AccessPolicyTranslator and produces an OutputSnapshot, including the signed cert, that is applied to each cluster's istiod.]
  9. Lab 1: Deploy your Kubernetes clusters
  10. Lab 2: Deploy Service Mesh Hub and register the clusters
  11. Lab 3: Deploy Istio on both clusters
  12. Lab 4: Deploy the Bookinfo demo app
  13. [Diagram: Bookinfo spread over two clusters, each with its own istiod and ingress gateway; productpage, details, ratings and reviews v1/v2/v3. Caption: Current state]
  14. Federated Trust and Identity
  15. Service to Service Authentication
    * By default the TLS protocol only proves the identity of the server to the client, using an X.509 certificate; authentication of the client to the server is left to the application layer.
    * Mutual TLS authentication refers to two parties authenticating each other at the same time.
    * In Istio, mutual TLS works as follows:
      - Istio re-routes the outbound traffic from a client to the client's local sidecar Envoy.
      - The client-side Envoy starts a mutual TLS handshake with the server-side Envoy. During the handshake, the client-side Envoy also does a secure naming check to verify that the service account presented in the server certificate is authorized to run the target service.
      - The client-side Envoy and the server-side Envoy establish a mutual TLS connection, and Istio forwards the traffic from the client-side Envoy to the server-side Envoy.
      - After authorization, the server-side Envoy forwards the traffic to the server service through local TCP connections.
  16. SPIFFE ID
    * SPIFFE, the Secure Production Identity Framework for Everyone, is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments. Systems that adopt SPIFFE can easily and reliably mutually authenticate wherever they are running.
    * A SPIFFE ID is a string that uniquely and specifically identifies a workload. SPIFFE IDs are Uniform Resource Identifiers (URIs) of the following format: spiffe://<trust domain>/<workload identifier>
  17. SPIFFE ID in Istio
    * The SPIFFE ID of a workload looks like spiffe://<trust domain>/ns/<namespace>/sa/<service account>
    * The default trust domain is cluster.local, so the SPIFFE ID corresponding to a Pod started with the service account pod-sa in the default namespace would be spiffe://cluster.local/ns/default/sa/pod-sa.
    * In a multi-cluster deployment, using the cluster.local trust domain is a problem because there would be no way to differentiate a workload of one cluster from a workload of another cluster if they use the same service account and namespace names.
    * Istio allows you to use a different trust domain through the trustDomain parameter of the MeshConfig option.
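The identity collision described on this slide can be made concrete with a few lines of Python. The block below is an added example, not code from the workshop or from Istio; it only uses the ID format the slide gives (spiffe://<trust domain>/ns/<namespace>/sa/<service account>) and assumes, as the later RBAC slides do, that each cluster is given its cluster name (kind2, kind3) as trust domain. The `Workload` type and `identity_collisions` helper are constructed for the illustration.

```python
"""Build, parse and compare Istio-style SPIFFE IDs across clusters (added example)."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Workload:
    cluster: str           # Kubernetes cluster the Pod runs in (not part of the ID!)
    trust_domain: str      # Istio MeshConfig.trustDomain of that cluster
    namespace: str
    service_account: str

    def spiffe_id(self) -> str:
        """Identity carried in the workload certificate's URI SAN."""
        return f"spiffe://{self.trust_domain}/ns/{self.namespace}/sa/{self.service_account}"

    def istio_principal(self) -> str:
        """Same identity without the scheme, the form AuthorizationPolicy 'principals' use."""
        return f"{self.trust_domain}/ns/{self.namespace}/sa/{self.service_account}"


def parse_spiffe_id(spiffe_id: str) -> dict:
    """Split an Istio-style SPIFFE ID into trust domain, namespace and service account."""
    u = urlparse(spiffe_id)
    if u.scheme != "spiffe" or not u.netloc:
        raise ValueError(f"not a SPIFFE ID: {spiffe_id!r}")
    parts = u.path.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "ns" or parts[2] != "sa":
        raise ValueError(f"not an Istio workload path: {u.path!r}")
    return {"trust_domain": u.netloc, "namespace": parts[1], "service_account": parts[3]}


def identity_collisions(workloads) -> dict:
    """Return the SPIFFE IDs shared by workloads that run in different clusters.

    Two workloads with the same ID are indistinguishable to mTLS peer
    authentication and to AuthorizationPolicy principals, whatever cluster they are in.
    """
    by_id: dict = {}
    for w in workloads:
        by_id.setdefault(w.spiffe_id(), set()).add(w.cluster)
    return {sid: clusters for sid, clusters in by_id.items() if len(clusters) > 1}


# Constructed sample: the same Pod identity (namespace default, SA pod-sa) in two kind clusters.
DEFAULT_TRUST_DOMAIN = [
    Workload("kind2", "cluster.local", "default", "pod-sa"),
    Workload("kind3", "cluster.local", "default", "pod-sa"),
]
# Same Pods once each cluster's MeshConfig.trustDomain is set to its cluster name.
PER_CLUSTER_TRUST_DOMAIN = [
    Workload("kind2", "kind2", "default", "pod-sa"),
    Workload("kind3", "kind3", "default", "pod-sa"),
]

if __name__ == "__main__":
    print("collisions with cluster.local:", identity_collisions(DEFAULT_TRUST_DOMAIN))
    print("collisions with per-cluster domains:", identity_collisions(PER_CLUSTER_TRUST_DOMAIN))
    print("principal for the kind2 Pod:", PER_CLUSTER_TRUST_DOMAIN[0].istio_principal())
```

With the default trust domain both Pods present spiffe://cluster.local/ns/default/sa/pod-sa, so a policy written for one of them authorizes the other; with per-cluster trust domains the principals become kind2/ns/default/sa/pod-sa and kind3/ns/default/sa/pod-sa and can be authorized separately.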
  18. [Diagram: Virtual Mesh creation workflow. A cert-agent in each cluster creates a certificate/key and a CSR; Service Mesh Hub signs the cert with the shared root, so both clusters' istiod instances chain to the same root.]
  19. Lab 5: Create the Virtual Mesh
  20. [Diagram: Bookinfo across both clusters. Caption: RBAC disabled]
  21. Enable RBAC (globalAccessPolicy on the VirtualMesh in cluster 1; the resulting AuthorizationPolicy objects in cluster 2)

    ```yaml
    # CLUSTER 1
    apiVersion: networking.smh.solo.io/v1alpha2
    kind: VirtualMesh
    metadata:
      name: virtual-mesh
      namespace: service-mesh-hub
    spec:
      mtlsConfig:
        autoRestartPods: true
        shared:
          rootCertificateAuthority:
            generated: null
      federation: {}
      globalAccessPolicy: ENABLED
      meshes:
      - name: istiod-istio-system-kind2
        namespace: service-mesh-hub
      - name: istiod-istio-system-kind3
        namespace: service-mesh-hub
    ---
    # CLUSTER 2: mesh-wide policy with no rules, i.e. deny everything
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      labels:
        cluster.multicluster.solo.io: kind2
        owner.networking.smh.solo.io: service-mesh-hub
      name: global-access-control
      namespace: istio-system
    spec: {}
    ---
    # CLUSTER 2: the ingress gateway keeps accepting everything
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      labels:
        cluster.multicluster.solo.io: kind2
        owner.networking.smh.solo.io: service-mesh-hub
    spec:
      rules:
      - {}
      selector:
        matchLabels:
          istio: ingressgateway
    ```
  22. Enable RBAC (the same VirtualMesh in cluster 1; the resulting AuthorizationPolicy objects in cluster 3)

    ```yaml
    # CLUSTER 1
    apiVersion: networking.smh.solo.io/v1alpha2
    kind: VirtualMesh
    metadata:
      name: virtual-mesh
      namespace: service-mesh-hub
    spec:
      mtlsConfig:
        autoRestartPods: true
        shared:
          rootCertificateAuthority:
            generated: null
      federation: {}
      globalAccessPolicy: ENABLED
      meshes:
      - name: istiod-istio-system-kind2
        namespace: service-mesh-hub
      - name: istiod-istio-system-kind3
        namespace: service-mesh-hub
    ---
    # CLUSTER 3
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      labels:
        cluster.multicluster.solo.io: kind3
        owner.networking.smh.solo.io: service-mesh-hub
      name: global-access-control
      namespace: istio-system
    spec: {}
    ---
    # CLUSTER 3
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      labels:
        cluster.multicluster.solo.io: kind3
        owner.networking.smh.solo.io: service-mesh-hub
    spec:
      rules:
      - {}
      selector:
        matchLabels:
          istio: ingressgateway
    ```
  23. [Diagram: Bookinfo across both clusters. Caption: RBAC enabled]
  24. Ingress Gateway (AccessPolicy in cluster 1; generated AuthorizationPolicy in cluster 2)

    ```yaml
    # CLUSTER 1
    apiVersion: networking.smh.solo.io/v1alpha2
    kind: AccessPolicy
    metadata:
      namespace: service-mesh-hub
      name: istio-ingressgateway
    spec:
      sourceSelector:
      - kubeServiceAccountRefs:
          serviceAccounts:
          - name: istio-ingressgateway-service-account
            namespace: istio-system
            clusterName: kind2
      destinationSelector:
      - kubeServiceMatcher:
          namespaces:
          - default
          labels:
            service: productpage
    ---
    # CLUSTER 2
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      annotations:
      labels:
        cluster.multicluster.solo.io: kind2
        owner.networking.smh.solo.io: service-mesh-hub
      name: productpage
      namespace: default
    spec:
      rules:
      - from:
        - source:
            principals:
            - kind2/ns/istio-system/sa/istio-ingressgateway-service-account
      selector:
        matchLabels:
          app: productpage
    ```
  25. [Diagram: Bookinfo across both clusters. Caption: Ingress Gateway]
  26. Productpage (AccessPolicy in cluster 1; generated AuthorizationPolicy objects in cluster 2)

    ```yaml
    # CLUSTER 1
    apiVersion: networking.smh.solo.io/v1alpha2
    kind: AccessPolicy
    metadata:
      namespace: service-mesh-hub
      name: productpage
    spec:
      sourceSelector:
      - kubeServiceAccountRefs:
          serviceAccounts:
          - name: bookinfo-productpage
            namespace: default
            clusterName: kind2
      destinationSelector:
      - kubeServiceMatcher:
          namespaces:
          - default
          labels:
            service: details
      - kubeServiceMatcher:
          namespaces:
          - default
          labels:
            service: reviews
    ---
    # CLUSTER 2
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      labels:
        cluster.multicluster.solo.io: kind2
        owner.networking.smh.solo.io: service-mesh-hub
      name: details
      namespace: default
    spec:
      rules:
      - from:
        - source:
            principals:
            - kind2/ns/default/sa/bookinfo-productpage
      selector:
        matchLabels:
          app: reviews
    ---
    # CLUSTER 2
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      labels:
        cluster.multicluster.solo.io: kind2
        owner.networking.smh.solo.io: service-mesh-hub
      name: details
      namespace: default
    spec:
      rules:
      - from:
        - source:
            principals:
            - kind2/ns/default/sa/bookinfo-productpage
      selector:
        matchLabels:
          app: details
    ```
  27. [Diagram: Bookinfo across both clusters. Caption: Productpage]
  28. Reviews (AccessPolicy in cluster 1; generated AuthorizationPolicy in cluster 2)

    ```yaml
    # CLUSTER 1
    apiVersion: networking.smh.solo.io/v1alpha2
    kind: AccessPolicy
    metadata:
      namespace: service-mesh-hub
      name: reviews
    spec:
      sourceSelector:
      - kubeServiceAccountRefs:
          serviceAccounts:
          - name: bookinfo-reviews
            namespace: default
            clusterName: kind2
      destinationSelector:
      - kubeServiceMatcher:
          namespaces:
          - default
          labels:
            service: ratings
    ---
    # CLUSTER 2
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      labels:
        cluster.multicluster.solo.io: kind2
        owner.networking.smh.solo.io: service-mesh-hub
      name: ratings
      namespace: default
    spec:
      rules:
      - from:
        - source:
            principals:
            - kind2/ns/default/sa/bookinfo-reviews
      selector:
        matchLabels:
          app: ratings
    ```
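The RBAC slides above (global deny-all, ingress gateway allow-all, then one allow policy per destination) can be checked end to end with a small model of Istio's ALLOW-policy evaluation. The block below is an added example, not code from the workshop, from Service Mesh Hub or from Istio; it implements only the subset of Istio's documented ALLOW semantics these slides exercise (a policy in the root namespace istio-system applies mesh-wide, a policy with no rules denies everything it applies to, a rule `{}` matches every request, `source.principals` restricts callers) and the policy dicts mirror the manifests on the slides for cluster kind2. The name and namespace of the ingress gateway policy are not shown on the slide and are assumed here.

```python
"""Model of Istio ALLOW-action AuthorizationPolicy evaluation (added example)."""
ROOT_NAMESPACE = "istio-system"   # Istio's default rootNamespace: policies there are mesh-wide


def policy_applies(policy, workload):
    """A policy applies to a workload when it lives in the workload's namespace (or the
    root namespace) and its selector, if any, matches the workload's labels."""
    ns = policy["metadata"]["namespace"]
    if ns != ROOT_NAMESPACE and ns != workload["namespace"]:
        return False
    selector = policy.get("spec", {}).get("selector", {}).get("matchLabels", {})
    return all(workload["labels"].get(k) == v for k, v in selector.items())


def rule_matches(rule, request):
    """`{}` matches anything; otherwise each `from` clause's principals must contain the caller."""
    for clause in rule.get("from", []):
        principals = clause.get("source", {}).get("principals")
        if principals is not None and request["principal"] not in principals:
            return False
    return True


def authorize(policies, workload, request):
    """Istio ALLOW semantics: no applicable ALLOW policy means allow; otherwise the request
    is allowed only if some rule of some applicable policy matches it."""
    applicable = [p for p in policies if policy_applies(p, workload)]
    if not applicable:
        return "ALLOW"
    for p in applicable:
        for rule in p.get("spec", {}).get("rules", []):
            if rule_matches(rule, request):
                return "ALLOW"
    return "DENY"


def make_policy(name, namespace, selector=None, rules=None):
    """Minimal AuthorizationPolicy dict (action ALLOW, the default)."""
    spec = {}
    if selector:
        spec["selector"] = {"matchLabels": selector}
    if rules is not None:
        spec["rules"] = rules
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


def allow_from(principals):
    return [{"from": [{"source": {"principals": principals}}]}]


def workload(labels, namespace="default"):
    return {"namespace": namespace, "labels": labels}


def request(principal):
    return {"principal": principal}


# Policies generated in cluster kind2, as on the slides (ingress policy name/namespace assumed).
GLOBAL_DENY = make_policy("global-access-control", "istio-system")             # spec: {}
INGRESS_ALLOW_ALL = make_policy("ingressgateway", "istio-system", {"istio": "ingressgateway"}, [{}])
PRODUCTPAGE = make_policy("productpage", "default", {"app": "productpage"},
                          allow_from(["kind2/ns/istio-system/sa/istio-ingressgateway-service-account"]))
DETAILS = make_policy("details", "default", {"app": "details"},
                      allow_from(["kind2/ns/default/sa/bookinfo-productpage"]))
RATINGS = make_policy("ratings", "default", {"app": "ratings"},
                      allow_from(["kind2/ns/default/sa/bookinfo-reviews"]))

RBAC_ENABLED_ONLY = [GLOBAL_DENY, INGRESS_ALLOW_ALL]              # state after slide "Enable RBAC"
WITH_ACCESS_POLICIES = RBAC_ENABLED_ONLY + [PRODUCTPAGE, DETAILS, RATINGS]

PRODUCTPAGE_SA = "kind2/ns/default/sa/bookinfo-productpage"
REVIEWS_SA = "kind2/ns/default/sa/bookinfo-reviews"

if __name__ == "__main__":
    print("productpage -> details, RBAC only:", authorize(RBAC_ENABLED_ONLY, workload({"app": "details"}), request(PRODUCTPAGE_SA)))
    print("productpage -> details, with policies:", authorize(WITH_ACCESS_POLICIES, workload({"app": "details"}), request(PRODUCTPAGE_SA)))
    print("productpage -> ratings, with policies:", authorize(WITH_ACCESS_POLICIES, workload({"app": "ratings"}), request(PRODUCTPAGE_SA)))
```

The last call shows the property the workshop relies on: once the empty root-namespace policy exists, a caller reaches a service only if an AccessPolicy was written for that exact principal, and a principal from another trust domain (kind3/ns/default/sa/bookinfo-reviews) stays denied until the AccessPolicy lists that cluster as well, which is what the later "Reviews" slide adds.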
  29. [Diagram: Bookinfo across both clusters. Caption: Reviews]
  30. [Diagram: Bookinfo across both clusters. Caption: Before]
  31. [Diagram: Bookinfo across both clusters. Caption: After]
  32. Traffic Policy (cluster 1)

    ```yaml
    # CLUSTER 1
    apiVersion: networking.smh.solo.io/v1alpha2
    kind: TrafficPolicy
    metadata:
      namespace: service-mesh-hub
      name: simple
    spec:
      destinationSelector:
      - kubeServiceRefs:
          services:
          - clusterName: kind2
            name: reviews
            namespace: default
      trafficShift:
        destinations:
        - kubeService:
            clusterName: kind3
            name: reviews
            namespace: default
            subset:
              version: v3
          weight: 75
        - kubeService:
            clusterName: kind2
            name: reviews
            namespace: default
            subset:
              version: v1
          weight: 15
        - kubeService:
            clusterName: kind2
            name: reviews
            namespace: default
            subset:
              version: v2
          weight: 10
    ```
  33. Istio objects generated in cluster 2

    ```yaml
    # CLUSTER 2
    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      labels:
        cluster.multicluster.solo.io: kind2
        owner.networking.smh.solo.io: service-mesh-hub
      name: reviews
      namespace: default
    spec:
      hosts:
      - reviews.default.svc.cluster.local
      http:
      - route:
        - destination:
            host: reviews.default.svc.kind3.global
            subset: version-v3
          weight: 75
        - destination:
            host: reviews.default.svc.cluster.local
            subset: version-v1
          weight: 15
        - destination:
            host: reviews.default.svc.cluster.local
            subset: version-v2
          weight: 10
    ---
    # CLUSTER 2
    apiVersion: networking.istio.io/v1beta1
    kind: ServiceEntry
    metadata:
      labels:
        cluster.multicluster.solo.io: kind2
        owner.networking.smh.solo.io: service-mesh-hub
      name: reviews.default.svc.kind3.global
      namespace: istio-system
    spec:
      addresses:
      - 253.124.25.94
      endpoints:
      - address: 172.18.0.230
        labels:
          cluster: kind3
        ports:
          http: 15443
      hosts:
      - reviews.default.svc.kind3.global
      location: MESH_INTERNAL
      ports:
      - name: http
        number: 9080
        protocol: TCP
      resolution: DNS
    ---
    # CLUSTER 2
    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      labels:
        cluster.multicluster.solo.io: kind2
        owner.networking.smh.solo.io: service-mesh-hub
      name: reviews.default.svc.kind3.global
      namespace: istio-system
    spec:
      host: reviews.default.svc.kind3.global
      subsets:
      - labels:
          cluster: kind3
        name: version-v3
      - labels:
          cluster: kind3
        name: version-v1
      - labels:
          cluster: kind3
        name: version-v2
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL
    ```
  34. Istio objects generated in cluster 3, and the target Pod and Service

    ```yaml
    # CLUSTER 3
    apiVersion: networking.istio.io/v1alpha3
    kind: EnvoyFilter
    metadata:
      labels:
        cluster.multicluster.solo.io: kind3
        owner.networking.smh.solo.io: service-mesh-hub
      name: virtual-mesh.service-mesh-hub
      namespace: istio-system
    spec:
      configPatches:
      - applyTo: NETWORK_FILTER
        match:
          context: GATEWAY
          listener:
            filterChain:
              filter:
                name: envoy.filters.network.sni_cluster
            portNumber: 15443
        patch:
          operation: INSERT_AFTER
          value:
            name: envoy.filters.network.tcp_cluster_rewrite
            typed_config:
              '@type': type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite
              cluster_pattern: \.kind3.global$
              cluster_replacement: .cluster.local
      workloadSelector:
        labels:
          istio: ingressgateway
    ---
    # CLUSTER 3
    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      labels:
        cluster.multicluster.solo.io: kind3
        owner.networking.smh.solo.io: service-mesh-hub
      name: reviews
      namespace: default
    spec:
      host: reviews.default.svc.cluster.local
      subsets:
      - labels:
          version: v3
        name: version-v3
      - labels:
          version: v1
        name: version-v1
      - labels:
          version: v2
        name: version-v2
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL
    ---
    # CLUSTER 3
    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        app: reviews
        istio.io/rev: default
        pod-template-hash: d978546db
        security.istio.io/tlsMode: istio
        service.istio.io/canonical-name: reviews
        service.istio.io/canonical-revision: v3
        version: v3
      name: reviews-v3-d978546db-dj59b
      namespace: default
    spec: ...
    ---
    # CLUSTER 3
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        app: reviews
        service: reviews
      name: reviews
      namespace: default
    spec:
      clusterIP: 10.97.193.52
      ports:
      - name: http
        port: 9080
        protocol: TCP
        targetPort: 9080
      selector:
        app: reviews
      sessionAffinity: None
      type: ClusterIP
    status:
      loadBalancer: {}
    ```
  35. Reviews (AccessPolicy in cluster 1 now lists both clusters' reviews service accounts; generated AuthorizationPolicy in cluster 3)

    ```yaml
    # CLUSTER 1
    apiVersion: networking.smh.solo.io/v1alpha2
    kind: AccessPolicy
    metadata:
      namespace: service-mesh-hub
      name: reviews
    spec:
      sourceSelector:
      - kubeServiceAccountRefs:
          serviceAccounts:
          - name: bookinfo-reviews
            namespace: default
            clusterName: kind2
          - name: bookinfo-reviews
            namespace: default
            clusterName: kind3
      destinationSelector:
      - kubeServiceMatcher:
          namespaces:
          - default
          labels:
            service: ratings
    ---
    # CLUSTER 3
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      labels:
        cluster.multicluster.solo.io: kind3
        owner.networking.smh.solo.io: service-mesh-hub
      name: ratings
      namespace: default
    spec:
      rules:
      - from:
        - source:
            principals:
            - kind3/ns/default/sa/bookinfo-reviews
      selector:
        matchLabels:
          app: ratings
    ```
  36. Lab 7: Multi-cluster Traffic
  37. [Diagram: Bookinfo across both clusters. Caption: Before Failover]
  38. [Diagram: Bookinfo across both clusters. Caption: After Failover]
  39. Outlier Detection (TrafficPolicy in cluster 1; generated DestinationRules in clusters 2 and 3)

    ```yaml
    # CLUSTER 1
    apiVersion: networking.smh.solo.io/v1alpha2
    kind: TrafficPolicy
    metadata:
      namespace: service-mesh-hub
      name: mgmt-reviews-outlier
    spec:
      destinationSelector:
      - kubeServiceRefs:
          services:
          - name: reviews
            namespace: default
            clusterName: kind2
          - name: reviews
            namespace: default
            clusterName: kind3
      outlierDetection:
        consecutiveErrors: 1
        interval: 10s
        baseEjectionTime: 2m
    ---
    # CLUSTER 2
    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      labels:
        cluster.multicluster.solo.io: kind2
        owner.networking.smh.solo.io: service-mesh-hub
      name: reviews
      namespace: default
    spec:
      host: reviews.default.svc.cluster.local
      trafficPolicy:
        outlierDetection:
          baseEjectionTime: 120s
          consecutive5xxErrors: 1
          interval: 10s
          maxEjectionPercent: 100
        tls:
          mode: ISTIO_MUTUAL
    ---
    # CLUSTER 3
    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      labels:
        cluster.multicluster.solo.io: kind3
        owner.networking.smh.solo.io: service-mesh-hub
      name: reviews
      namespace: default
    spec:
      host: reviews.default.svc.cluster.local
      trafficPolicy:
        outlierDetection:
          baseEjectionTime: 120s
          consecutive5xxErrors: 1
          interval: 10s
          maxEjectionPercent: 100
        tls:
          mode: ISTIO_MUTUAL
    ```

    maxEjectionPercent default value is 10%!
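Why the slide shouts about maxEjectionPercent becomes visible when the ejection arithmetic is written out. The block below is an added example, not code from the workshop or from Envoy: it is a simplified model of Envoy's documented outlier detection (consecutive 5xx counting, base ejection time, and the rule that a host is not ejected when doing so would push the ejected share of the cluster above max_ejection_percent), with a step counter standing in for the clock. The two-host cluster it simulates (reviews in kind2 and kind3) is constructed to match the slide's setup.

```python
"""Simplified model of Envoy outlier detection (added example, not Envoy's code)."""
from dataclasses import dataclass


@dataclass
class OutlierDetection:
    consecutive_5xx_errors: int = 5
    base_ejection_time_s: int = 30
    max_ejection_percent: int = 10       # Envoy/Istio default, the slide's caveat


@dataclass
class Host:
    name: str
    consecutive_5xx: int = 0
    ejected_until: int = -1             # simulated clock; -1 means never ejected

    def is_ejected(self, now: int) -> bool:
        return self.ejected_until > now


class Cluster:
    def __init__(self, host_names, cfg: OutlierDetection):
        self.hosts = [Host(n) for n in host_names]
        self.cfg = cfg

    def healthy(self, now: int) -> list:
        """Hosts still eligible for load balancing at time `now`."""
        return [h.name for h in self.hosts if not h.is_ejected(now)]

    def _ejection_allowed(self, now: int) -> bool:
        # Ejecting one more host must not exceed max_ejection_percent of the cluster.
        already = sum(1 for h in self.hosts if h.is_ejected(now))
        ejected_percent = 100.0 * (already + 1) / len(self.hosts)
        return ejected_percent <= self.cfg.max_ejection_percent

    def record(self, host_name: str, status: int, now: int) -> bool:
        """Feed one upstream response code; return True if the host got ejected now."""
        host = next(h for h in self.hosts if h.name == host_name)
        if status < 500:
            host.consecutive_5xx = 0
            return False
        host.consecutive_5xx += 1
        if host.consecutive_5xx < self.cfg.consecutive_5xx_errors:
            return False
        host.consecutive_5xx = 0            # threshold reached: counter restarts either way
        if not self._ejection_allowed(now):
            return False                    # would exceed max_ejection_percent: keep serving it
        host.ejected_until = now + self.cfg.base_ejection_time_s
        return True


def simulate(max_ejection_percent: int):
    """The slide's case: two reviews backends, consecutive5xxErrors 1, baseEjectionTime 120s;
    the kind2 backend answers 503 once. Returns (was it ejected?, healthy hosts afterwards)."""
    cfg = OutlierDetection(consecutive_5xx_errors=1, base_ejection_time_s=120,
                           max_ejection_percent=max_ejection_percent)
    cluster = Cluster(["reviews.kind2", "reviews.kind3"], cfg)
    ejected = cluster.record("reviews.kind2", 503, now=0)
    return ejected, cluster.healthy(now=1)


if __name__ == "__main__":
    print("default 10%:", simulate(10))     # the failing host is never ejected
    print("100%:", simulate(100))           # traffic fails over to the other cluster
```

With two backends, ejecting one means 50% of the cluster, which the default 10% ceiling forbids, so the failing kind2 backend keeps receiving half the traffic; setting maxEjectionPercent to 100 is what lets the failover happen.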
  40. Envoy Filter (FailoverService in cluster 1; generated EnvoyFilter in cluster 2)

    ```yaml
    # CLUSTER 1
    apiVersion: networking.smh.solo.io/v1alpha2
    kind: FailoverService
    metadata:
      name: reviews-failover
      namespace: service-mesh-hub
    spec:
      hostname: reviews-failover.default.global
      port:
        number: 9080
        protocol: http
      meshes:
      - name: istiod-istio-system-kind2
        namespace: service-mesh-hub
      backingServices:
      - kubeService:
          name: reviews
          namespace: default
          clusterName: kind2
      - kubeService:
          name: reviews
          namespace: default
          clusterName: kind3
    ---
    # CLUSTER 2
    apiVersion: networking.istio.io/v1alpha3
    kind: EnvoyFilter
    metadata:
      creationTimestamp: "2020-09-03T08:26:14Z"
      generation: 1
      labels:
        cluster.multicluster.solo.io: kind2
        owner.networking.smh.solo.io: service-mesh-hub
      name: reviews-failover
      namespace: istio-system
    spec:
      configPatches:
      - applyTo: CLUSTER
        match:
          cluster:
            name: outbound|9080||reviews-failover.default.global
        patch:
          operation: REMOVE
      - applyTo: CLUSTER
        match:
          cluster:
            name: outbound|9080||reviews-failover.default.global
        patch:
          operation: ADD
          value:
            cluster_type:
              name: envoy.clusters.aggregate
              typed_config:
                '@type': type.googleapis.com/udpa.type.v1.TypedStruct
                type_url: type.googleapis.com/envoy.config.cluster.aggregate.v2alpha.ClusterConfig
                value:
                  clusters:
                  - outbound|9080||reviews.default.svc.cluster.local
                  - outbound|9080||reviews.default.svc.kind3.global
            connect_timeout: 1s
            lb_policy: CLUSTER_PROVIDED
            name: outbound|9080||reviews-failover.default.global
    ```
  41. Service Entry (the same FailoverService in cluster 1; generated ServiceEntry in cluster 2)

    ```yaml
    # CLUSTER 1
    apiVersion: networking.smh.solo.io/v1alpha2
    kind: FailoverService
    metadata:
      name: reviews-failover
      namespace: service-mesh-hub
    spec:
      hostname: reviews-failover.default.global
      port:
        number: 9080
        protocol: http
      meshes:
      - name: istiod-istio-system-kind2
        namespace: service-mesh-hub
      backingServices:
      - kubeService:
          name: reviews
          namespace: default
          clusterName: kind2
      - kubeService:
          name: reviews
          namespace: default
          clusterName: kind3
    ---
    # CLUSTER 2
    apiVersion: networking.istio.io/v1beta1
    kind: ServiceEntry
    metadata:
      creationTimestamp: "2020-09-03T08:26:14Z"
      generation: 1
      labels:
        cluster.multicluster.solo.io: kind2
        owner.networking.smh.solo.io: service-mesh-hub
      name: reviews-failover
      namespace: service-mesh-hub
    spec:
      addresses:
      - 240.76.63.152
      hosts:
      - reviews-failover.default.global
      location: MESH_INTERNAL
      ports:
      - name: http
        number: 9080
        protocol: http
      resolution: DNS
    ```
  42. Virtual Service (TrafficPolicy in cluster 1 shifting reviews to the failover service; generated VirtualService in cluster 2)

    ```yaml
    # CLUSTER 1
    apiVersion: networking.smh.solo.io/v1alpha2
    kind: TrafficPolicy
    metadata:
      name: reviews-shift-failover
      namespace: default
    spec:
      destinationSelector:
      - kubeServiceRefs:
          services:
          - clusterName: kind2
            name: reviews
            namespace: default
      trafficShift:
        destinations:
        - failoverServiceRef:
            name: reviews-failover
            namespace: service-mesh-hub
    ---
    # CLUSTER 2
    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      labels:
        cluster.multicluster.solo.io: kind2
        owner.networking.smh.solo.io: service-mesh-hub
      name: reviews
      namespace: default
    spec:
      hosts:
      - reviews.default.svc.cluster.local
      http:
      - route:
        - destination:
            host: reviews-failover.default.global
            port:
              number: 9080
    ```
  43. How do you secure the Edge?
    * The Istio Ingress Gateway can be used for that purpose, but it doesn't provide the functionality you generally get in modern Edge/API Gateways, like:
      - External authentication (OAuth, API keys, JWT, ...)
      - Rate limiting
      - Complex transformations
      - ...
  44. [Diagram: two clusters, each with an istiod and an Istio Ingress Gateway in front of productpage and reviews]
  45. But how do you integrate them? [Diagram: Gloo in front of the service mesh, bypassing the Istio Ingress Gateway]
    * Gloo can access the services directly and take all the routing decisions.
    * The communications between Gloo and the services are secured with mTLS.
  46. But how do you integrate them? [Diagram: Gloo in front of the Istio Ingress Gateway of the service mesh]
    * Gloo can send the requests to the Istio Ingress Gateway and let it take the routing decisions.
    * The communications between Gloo and the Istio Ingress Gateway are secured with mTLS.
  47. [Diagram: two clusters, each with an istiod, an Istio Ingress Gateway, productpage and reviews; Gloo routing to the services directly]
  48. [Diagram: two clusters, each with an istiod, an Istio Ingress Gateway, productpage and reviews; Gloo routing through the Istio Ingress Gateways]
  49. Learn More
    * www.solo.io
    * Gloo: http://www.solo.io/products/gloo
    * Service Mesh Hub: github.com/solo-io/service-mesh-hub
    * Community: slack.solo.io
    * Request a Personalized Demo: lp.solo.io/lp-request-a-demo-overview