
SophiaConf 2018 - D. Benque (Amadeus)


Presentation slides: Introduction to Service Mesh

Published in: Technology

  1. Introduction to Service Mesh. David Benque, Amadeus. © Amadeus IT Group and its affiliates and subsidiaries
  2. "A service mesh is a software infrastructure layer for controlling and monitoring internal, service-to-service traffic in microservices applications." Definition by William Morgan, CEO and co-founder of Buoyant.
  3. The same definition, unpacked:
     - Infrastructure: transparent for the applications
     - Controlling: routing thanks to dedicated configuration
     - Monitoring: traffic monitoring and tracing
  4. The same definition, continued:
     - service-to-service: services inside your system
     - microservices: distributed systems
  5. Which service mesh? Istio
  6. Why a service mesh?
  7. Tell him we are cloud ready…
  8. He replied: we are only ready to deploy in the cloud…
  9. Traffic Management, Observability, Security
  10. What composes a service mesh?
  11. Service Mesh Architecture (diagram): a service mesh control plane, which the operator configures, and a service mesh data plane made of proxies, one per service, through which user traffic flows. The control plane configures the proxies and the proxies report back to it; alongside, the PaaS control plane manages the PaaS workload in which the services run.
  12. Traffic Management, Observability, Security
  13. Runtime service management: traffic routing – "death star" architecture
  14. Runtime service management: traffic routing – A calls B calls C – round-robin load balancing (slides 14–17 step through the same call chain)
  18. Runtime service management: traffic routing – different qualification (source, destination, traffic) (slides 18–19)
  20. Runtime service management: traffic routing – configuration (slides 20–21)
  22. Runtime service management: traffic routing – failure management – circuit breaker (https://martinfowler.com/bliki/CircuitBreaker.html)
  23. Runtime service management: traffic routing – failure management – retry
  24. Traffic Management, Observability, Security
  25. Observability – should each application bring its own monitoring? What about standard service monitoring?
     - Traffic monitoring should be a platform feature
       • Volume
       • KPIs such as latency
       • Error/success rate
     - Traceability
       • Microservices
       • Who is calling whom?
  26. Observability – telemetry report
     - Proxies offer many control points inside the system.
     - Incoming and outgoing connections can be monitored.
     - More is available when the protocol is known (L7 awareness):
       • HTTP
       • gRPC
       • MongoDB (Envoy)
       • DynamoDB (Envoy)
       • Redis (Envoy)
     - Error/success rate
     - OpenTracing compliance
  27. Istio classic dashboard
  28. Service graph
  29. Tracing – OpenTracing compliance (Istio)
  30. Traffic Management, Observability, Security
  31. Runtime service management: security
     - Mutual TLS encryption
       • Automatic certificate rotation and distribution
     - Role-Based Access Control (RBAC)
       • To the API
       • Service to service
       • End user to service
  32. How did we manage before? Good old times of the monolithic application: "A service? … You mean an application?" (diagram: one application with a front end, servers 1 to 3 and their databases)
  33. How did we manage before? The first web giants: big distributed systems in early web-scale companies are managed by libraries dealing with RPC: Stubby, Hystrix, Finagle … ? Open Transaction Framework, Service Integrator
  34. And now? Microservices and cloud: service mesh
  35. Service mesh = distributed proxies helping with traffic management, observability and security
  36. Questions?
  37. Backup slides
  38. Competition: Istio
  39. Competition (June 2018)
     Istio
     - Strong community backed by IBM, Google, Lyft (launcher)
     - Version 0.8
     - Under standardization/hardening toward 1.0 in 2018
     - Using Envoy for the data plane proxy
     Linkerd
     - Open source by Buoyant
     - Version 1.4 with production (PRD) users
     - CNCF project
     - Being replaced by Conduit (by Buoyant)
  40. Competition (June 2018)
     Istio
     - Lightweight sidecar proxy
     - C++
     - Preserves network identity
     Linkerd
     - One proxy per node
     - Java (JVM!)
     - "Man in the middle" from the network perspective
     (diagram: Istio with a sidecar proxy next to each service on nodes 1 and 2, versus Linkerd with a single proxy per node in front of all the services of that node)
  41. Traffic Management
     - Request routing
     - Load balancing
     - Handling failures
  42. Istio concepts – Traffic Management
     - VirtualService:
       • Defines the target hosts
       • Selects a route based on
         • tokens of the destination (Kubernetes labels)
         • tokens of the source (Kubernetes labels)
         • tokens inside L7 (HTTP headers)
     - Route:
       • Qualifies a set of endpoints
     - DestinationRule:
       • Load balancing
       • TLS
       • Circuit breaker
     - Gateways and ServiceEntry
     Example VirtualService from the slide (the two match entries are alternatives; the weight belongs to the route entry, beside destination, not inside it):
       apiVersion: networking.istio.io/v1alpha3
       kind: VirtualService
       metadata:
         name: ratings-route
       spec:
         hosts:
         - ratings.prod.svc.cluster.local
         http:
         - match:
           # either the caller carries the label env=prod ...
           - sourceLabels:
               env: prod
           # ... or the request has the user=jason cookie AND a /ratings/v2/ URI
           - headers:
               cookie:
                 regex: "^(.*?;)?(user=jason)(;.*)?"
             uri:
               prefix: "/ratings/v2/"
           route:
           - destination:
               host: ratings.prod.svc.cluster.local
               subset: v1
             weight: 75
           - destination:
               host: ratings.prod.svc.cluster.local
               subset: v2
             weight: 25
     Example DestinationRule from the slide (defines the subsets the VirtualService routes to and the load-balancing policy):
       apiVersion: networking.istio.io/v1alpha3
       kind: DestinationRule
       metadata:
         name: ratings-destination
         namespace: foo
       spec:
         host: ratings # interpreted as ratings.foo.svc.cluster.local
         trafficPolicy:
           loadBalancer:
             simple: LEAST_CONN
         subsets:
         - name: v1
           labels:
             version: v1
         - name: v2
           labels:
             version: v2
  43. Traffic Management – request routing
     - A way to achieve service integration like we do with SI
       • For most cases, yes
       • No dynamic values in rules
       •  Not possible to do affinity using rules
     - A way to better control routing while doing:
       • Canary and A/B testing
       • User selection
       • Destination selection
       • Weight-based routing
     - Tag traffic (L7):
       • Useful for OpenTracing
     - Mirroring
     - Extend to external services
  44. Traffic Management – load balancing
     - Supports the Envoy load-balancing algorithms:
       • Round robin
       • Weighted least request
       • Ring hash
       • Maglev
       • Random
       • + Zone-aware load balancing (Envoy feature to be activated)
         • % to be routed to the same zone (default 100%)
         • Minimum cluster size (default 6)
  45. Traffic Management – handling failures
     - Timeouts
       • Server side (by config)
       • Client side (by HTTP header)
     - Bounded retries with timeout budgets and variable jitter between retries
     - Limits on the number of concurrent connections and requests to upstream services
     - Active (periodic) health checks on each member of the load-balancing pool
     - Fine-grained circuit breakers (passive health checks) – applied per instance in the load-balancing pool
  46. Traffic Management – handling failures (restated): the same timeouts, bounded retries and connection/request limits as slide 45, with the health checks grouped as
     - Health checks:
       • Active: on each member of the load-balancing pool
       • Passive: fine-grained circuit breakers – applied per instance in the load-balancing pool
     + Fault injection
  47. Security
  48. Security – RBAC:
     - Role-based semantics, which is simple and easy to use.
     - Service-to-service and end-user-to-service authorization.
  49. Security – mutual TLS (MTLS)
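As an added example (not part of the deck), the failure-handling features of slides 22–23 and 44–46 expressed as Istio networking.istio.io/v1alpha3 configuration for the ratings service in namespace foo from slide 42: a VirtualService with a per-route timeout budget, bounded retries and a header-gated fault-injection rule, and a DestinationRule that combines a consistent-hash (ring hash) load balancer, connection-pool limits and passive health checking (outlierDetection), which together form the circuit breaker. The host ratings, subset v1 and namespace foo come from slide 42; the header names x-chaos-test and x-user-id and every numeric limit are constructed for illustration, and the field names consecutive5xxErrors and percentage.value are from the current Istio API, which postdates the 0.8 release the deck discusses.

```yaml
# Added example: resilience settings for the ratings service (constructed values).
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings-resilience
  namespace: foo
spec:
  hosts:
  - ratings                      # short name, resolved as ratings.foo.svc.cluster.local
  http:
  # Rule 1 (slide 46, fault injection): only requests carrying the constructed
  # header x-chaos-test: "true" match here, so production callers never hit it.
  - match:
    - headers:
        x-chaos-test:
          exact: "true"
    fault:
      delay:
        percentage:
          value: 50              # half of the matching requests are held ...
        fixedDelay: 5s           # ... for 5 s, which exercises the caller's timeout path
      abort:
        percentage:
          value: 10              # one in ten matching requests gets an immediate 503
        httpStatus: 503
    route:
    - destination:
        host: ratings
        subset: v1
  # Rule 2 (slides 23 and 45): default route with a timeout budget and bounded retries.
  - route:
    - destination:
        host: ratings
        subset: v1
    timeout: 3s                  # overall budget for the request, retries included
    retries:
      attempts: 2                # at most two additional tries, never unbounded
      perTryTimeout: 1s          # each try gets its own, smaller deadline
      retryOn: "5xx,connect-failure,reset"
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ratings-resilience
  namespace: foo
spec:
  host: ratings
  trafficPolicy:
    loadBalancer:
      consistentHash:
        httpHeaderName: x-user-id   # ring hash on a constructed header: same user, same instance
    # Slide 45: limits on concurrent connections and requests to the upstream.
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 10
        http2MaxRequests: 100
        maxRequestsPerConnection: 10
    # Slide 22/46: passive health check that ejects a misbehaving instance from the pool.
    outlierDetection:
      consecutive5xxErrors: 5     # eject after 5 consecutive 5xx responses
      interval: 10s               # how often ejection is evaluated
      baseEjectionTime: 30s       # ejection lasts 30 s times the number of ejections so far
      maxEjectionPercent: 50      # never eject more than half the pool at once
  subsets:
  - name: v1
    labels:
      version: v1
```

The fault rule matches only requests that carry the test header, so it can stay in place without touching real users; an injected 503 is returned to the caller as-is because that route declares no retries. On the default route, the connection-pool limits make the sidecar fail fast with a 503 rather than queue when ratings saturates, and outlierDetection removes an instance that keeps answering 5xx, so a single bad pod stops dragging the whole pool down. Retries belong on idempotent operations only: a retried POST whose first attempt actually succeeded upstream is executed twice.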

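As an added example (not part of the deck), the two security features of slide 31 and slides 48–49, mutual TLS and RBAC, written as Istio security.istio.io/v1beta1 objects for the ratings service in namespace foo from slide 42. This API replaced the rbac.istio.io ServiceRole and ServiceRoleBinding objects that existed in the Istio 0.8 of June 2018, so it is not what the presenter would have used at the time. The service account reviews, the issuer URL, the app label and the path are constructed placeholders.

```yaml
# Added example: mTLS plus service-to-service and end-user-to-service RBAC (constructed values).
# 1. Every workload in foo must talk mTLS; plaintext connections are rejected.
#    The sidecar's certificate is issued and rotated by the control plane (slide 31).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: STRICT
---
# 2. Deny by default: an AuthorizationPolicy with no rules allows nothing,
#    so any request not explicitly allowed below is refused.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: foo
spec: {}
---
# 3. End-user identity: validate JWTs presented to ratings against a hypothetical issuer.
#    RequestAuthentication only validates tokens; requests without a token still pass
#    through it, which is why the policy in step 4 requires a requestPrincipal.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: ratings-jwt
  namespace: foo
spec:
  selector:
    matchLabels:
      app: ratings
  jwtRules:
  - issuer: "https://issuer.example.com"                        # hypothetical
    jwksUri: "https://issuer.example.com/.well-known/jwks.json" # hypothetical
---
# 4. Allow rule: the reviews workload (its mTLS SPIFFE identity) may issue GET
#    requests under /ratings/ on behalf of an end user holding a valid token.
#    principals and requestPrincipals sit in the same source block, so both
#    conditions are ANDed; a second source entry would make them alternatives.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ratings-viewer
  namespace: foo
spec:
  selector:
    matchLabels:
      app: ratings
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/reviews"]        # service-to-service
        requestPrincipals: ["https://issuer.example.com/*"]    # end-user-to-service
    to:
    - operation:
        methods: ["GET"]
        paths: ["/ratings/*"]
```

With STRICT mTLS the principal in the allow rule is the caller's certificate identity, not a header the caller can set, which is what makes service-to-service RBAC trustworthy. The deny-all object matters as much as the allow rule: without it, a workload with no matching policy accepts every request, and a typo in the selector silently leaves ratings open.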