Istio, Linkerd - Or No Mesh at All?

GOTOpia Chicago / April 2021 Service Meshes: Istio, Linkerd - or No Mesh at All?

Eberhard Wolff Hanna Prinz @ewolff @hannaprinz • Software Development • DevOps, Kubernetes, Service Mesh

Hanna Prinz

Consultant at INNOQ Deutschland GmbH

[email protected] @hannaprinz

2 • Architecture, DevOps • Focus on business, technology & software architecture

Eberhard Wolff

Fellow at INNOQ Deutschland GmbH

[email protected] @ewolff

3 What is a service mesh? What problems does it try to solve? Microservices are distributed Systems

Retry Routing and Discovery

Timeout Circuit Breaker Microservice Microservice Encryption Metrics

Authentication & Authorization Logs

5 @hannaprinz @ewolff @INNOQ Service Mesh Architecture

Application Microservice Microservice

Data Plane Proxy Proxy

Metrics Config Metrics

Control Plane Control Plane

Infrastructure Kubernetes API Infrastructure Services

6 @hannaprinz @ewolff @INNOQ Service Mesh Implementations Istio vs Linkerd

Istio Linkerd

Google, IBM & Lyft Buoyant many features, optimized for usability & highly customizable performance Envoy proxy linkerd-proxy custom concept for ingress supports any ingress traffic controller optimized for Kubernetes Kubernetes only support for other platforms

8 @hannaprinz @ewolff @INNOQ Service Mesh Implementations

Open Service Mesh

Istio

9 @hannaprinz @ewolff @INNOQ 10 @hannaprinz @ewolff @INNOQ Service Mesh Features Service Mesh Features

Routing Resilience Security Observability

12 @hannaprinz @ewolff @INNOQ Routing

Complex routing for A/B testing & Traffic mirroring canary releasing

90% Service 2A Service 2 Production

Service 1 Service 1

Service 2B Service 2 10% Staging

13 @hannaprinz @ewolff @INNOQ Service Mesh Features

Routing Resilience Security Observability

14 @hannaprinz @ewolff @INNOQ Resilience Features

Timeout Microservice Microservice Retry 4s x Circuit Breaker Proxy Proxy

15 @hannaprinz @ewolff @INNOQ Chaos Engineering

Microservice Microservice Fault Injection Delay Injection Proxy Proxy

16 @hannaprinz @ewolff @INNOQ Service Mesh Features

Routing Resilience Security Observability

17 @hannaprinz @ewolff @INNOQ Authentication & Encryption

Microservice 1 Microservice 2 mTLS Encryption & Authentication Proxy Proxy

18 @hannaprinz @ewolff @INNOQ Service Authorization

Microservice 1 Microservice 2 ✓ Proxy Proxy

X Can also be limited to HTTP methods / paths Microservice 3

Proxy

19 @hannaprinz @ewolff @INNOQ Service Mesh Features

Routing Resilience Security Observability

20 @hannaprinz @ewolff @INNOQ Observability Features •Dashboard

21 @hannaprinz @ewolff @INNOQ @hannaprinz @ewolff @INNOQ @hannaprinz @ewolff @INNOQ Observability Features •Dashboard •Preconfigured Prometheus, Grafana and Jaeger •Tracing support •Access logs (or similar features such as Linkerd's "tap")

24 @hannaprinz @ewolff @INNOQ Service Mesh Challenges Configuration Complexity

Example: Traffic Split

Microservice 2a 90%

Microservice 1

10% Microservice 2b

can be one CRD (Custom Resource Definition) with 10 lines of YAML (Linkerd) ... or two CRDs with 30 lines of YAML (Istio)

26 @hannaprinz @ewolff @INNOQ Debugging Complexity

Microservice Microservice Ingress Proxy Proxy

Control Plane

Kubernetes & Overlay Network

Hardware & Cloud

27 @hannaprinz @ewolff @INNOQ Performance & Benchmarking •Additional latency: ~ 3ms (as published by Istio) •Additional CPU & memory resources •Depending on architecture, traffic and mesh implementation → Do your own benchmark!

https://istio.io/latest/docs/ops/deployment/performance-and-scalability/ 28 @hannaprinz @ewolff @INNOQ Do You Need a Service Mesh? Do your services need mentioned routing, resilience, security, or observability features?

Libraries Service Mesh

30 @hannaprinz @ewolff @INNOQ Can you avoid needing these features at all? ... by choosing a suitable architecture

Deployment Syncronous Asyncronous Monollith

31 @hannaprinz @ewolff @INNOQ Conclusion Approaching Service Mesh

1. Is the problem somewhere else? → e.g. synchronous architecture: lots of network traffic, slow, unreliable 2. Which features do you need? → routing, resilience, security, observability? 3. Have you considered alternatives? → e.g. libraries 4. Challenges acceptable? → e.g. configuration, performance impact, additional complexity

33 @hannaprinz @ewolff @INNOQ More about Service Mesh

• Service Mesh Comparison https://servicemesh.es • Blog Post: Happy without a Service Mesh https://www.innoq.com/en/blog/happy-without-a-service- mesh

Linkerd Tutorial GOTO Book Club • Getting started with Service Mesh • https://www.youtube.com/watch?v=w14ge2838Vs https://linkerd.io/getting-started • Istio Tutorial https://istio.io/docs/setup/getting-started • Sample application with Istio and Linkerd Tutorial on GitHub https://github.com/ewolff/microservice-istio https://github.com/ewolff/microservice-linkerd Service Mesh Primer - 2nd Edition for free at leanpub.com/service-mesh-primer

@hannaprinz @ewolff @INNOQ Thank you! Questions? www.innoq.com Hanna Prinz [email protected] @hannaprinz

Eberhard Wolff [email protected] @ewolff Service Mesh Primer - 2nd Edition for free at leanpub.com/service-mesh-primer

innoQ Deutschland GmbH

Krischerstr. 100 Ohlauer Str. 43 Ludwigstr. 180E Kreuzstr. 16 Hermannstrasse 13 Erftstr. 15-17 Königstorgraben 11 40789 Monheim 10999 Berlin 63067 Offenbach 80331 München 20095 Hamburg 50672 Köln 90402 Nürnberg +49 2173 3366-0