Upload File

service mesh the salesforce - istio

15
The Salesforce Service Mesh - Our Istio Journey [email protected] Pratima Nambiar, Architect

Upload: others

Post on 17-Oct-2021

3 views

Category:

Documents


1 download

Report

TRANSCRIPT

Page 1: Service Mesh The Salesforce - Istio

The Salesforce Service Mesh- Our Istio Journey

[email protected] Nambiar, Architect

Page 2: Service Mesh The Salesforce - Istio

Our Istio JourneyAgenda - The Salesforce Service Mesh

• Background - Why Service Mesh ? • Initial Service Mesh implementation• Why Istio • Istio POC• Progressive adoption of Istio• Features we are watching and expect to adopt

Page 3: Service Mesh The Salesforce - Istio

Security / Compliance

● mTLS everywhere using specific set of ciphers● FIPS compliance in some deployments● Zero Trust

Reliability

● #1 core value - trust translates into ensuring high availability

Observability

● Single pane of glass monitoring solution vs. fragmented islands of observability

Background - Why Service Mesh ?

Build an application networking layer that provides all the required plumbing for making service-to-service communication secure, reliable, observable so that service owners can

focus on business logic

Page 4: Service Mesh The Salesforce - Istio

Design Principles

Keep it simple

Solve for the current business use cases and make incremental progress

Favor incremental adoption of technologies and controlled exposure of features (Eg. envoy and istio)

Make the application networking layer as transparent as possible

Invest time in horizon scanning

Page 5: Service Mesh The Salesforce - Istio

Pre-Istio Service Mesh

• Started with another open source data plane• Switched to envoy and built our own XDS

implementation• Solve for the most common use cases• Zookeeper backed EDS• Opinionated configuration for resiliency based on

our test framework• Metrics for visibility to our internal metrics system

mid 5 digits # of envoys in production

Monolith

Monolith Service AEnvoy

Envoy

In-house control plane Zookeeper

Page 6: Service Mesh The Salesforce - Istio

Why Istio

As service mesh adoption grew keeping up our control plane to solve for new use cases was challenging

● StatefulSets● TCP services● Redis● Service specific config

Pivot to Istio was strategic

● Initial review indicated it’s sophisticated features would meet our ends. ● Strong active community - ~275 contributors and has grown significantly since then.

Page 7: Service Mesh The Salesforce - Istio

Istio POC

Minimum viable product• mTLS using our internal CA• Bare metal / Kubernetes service support• Metrics to our internal metrics system• Set good defaults for resilience policiesIstio Contributions• Support for custom CA.• Performance related fixes for bare metal• Resiliency fixes for pilot and envoy

communication• Envoy metrics service configurable

What we liked• CRDs for defining mesh configuration

• Easier to read• Can plugin to our tools and pipelines

What could have been better• Very little support for mesh wide

configuration• Istio converts all K8s services into sidecar

configuration.

Page 8: Service Mesh The Salesforce - Istio

Istio based Service Mesh

Istio Pilot

Config WebHook

Kubernetes API

Metrics Relay

Internal CA

istio

-pro

xy

Monolith on Bare Metal

Metrics Platform

Sync Service Zookeeper

ServiceEntry

Service on K8s

istio-proxy

Page 9: Service Mesh The Salesforce - Istio

Salesforce Hyperforce

Salesforce’s pivot to run on public cloud infrastructure presented additional challenges:

● Zero Trust Architecture● Increased adoption of dynamic infrastructure● Multi Substrate

Page 10: Service Mesh The Salesforce - Istio

Istio Adoption - Continued

New Use Cases - QPid, Solr, Zookeeper, Redis

Blue/Green Deployment of our monolith

Declarative authorization policies using Envoy Filters

OPA based authorization for more finer grained/sophisticated rules

Out-of-the-box health signals for all services for SRE using envoy telemetry

Istio deployment & upgrades managed via spinnaker pipelines

Page 11: Service Mesh The Salesforce - Istio

Istio Adoption - Ingress Gateway

Ingress Gateway as our edge proxy for all traffic from the public internet

DNS and Certificates API integration to support our complex DNS/certificates requirements

Monolith Service AEnvoy

Envoy

Untrusted Services

Ingress Gateway

Istiod

Page 12: Service Mesh The Salesforce - Istio

Istio Adoption - Ingress Gateway

Istiod

Ingress Assistant

Kubernetes API

DNS API Certificate Services

Ingress Gateway

Vault

config repo

Page 13: Service Mesh The Salesforce - Istio

Istio adoption - coming soon

HBase on Service Mesh

Auto registration for services running on bare metal

DNS Proxy for TCP multi cluster support

Sophisticated Traffic Shifting

JWT based Authentication/Authorization

Integrations for Service Protection

Rate limiting

Page 14: Service Mesh The Salesforce - Istio

Features we are watching

Support for mesh spanning multiple Kubernetes clusters

WebAssembly technology for proxy extensions

Improvements to DNS Proxy (Statefulset support)

Scale - Better support for larger meshes

● Reduced proxy initialization times ● Optimized config delivery (Delta Xds)● Improved Envoy -> control plane load balancing

Egress Gateway evolution

Smoother upgrades

Page 15: Service Mesh The Salesforce - Istio

Thank You


Istio customer deck (PPT) - IBM

Istio Service Meshpeople.redhat.com/abach/OSAW/FILES/DAY2/7 Istio Service Mesh.pdf · Enforce consistently across diverse protocols and runtimes with little or no application changes

Comment Salesforce utilise Salesforce

An introduction to Istio - DeveloperMarch · An introduction to Istio bit.ly/sail-into-cloud Sail smoothly in the Cloud . I am a Developer Active Open Source Contributor Knative Minishift

Transparently Securing Kafka, Istio-style, with up to 300% ... · Transparently Securing Kafka, Istio-style, with up to 300% Higher Performance than Native TLS in Microservice Environments

Kubernetes Gateway APIs - Istio

How to Manage Any Layer-7 Traffic in an Istio Service Mesh?

VMware NSX Service Mesh · Additions with NSX-SM NSX Service Mesh Extends Istio Focus on service to service communications Control the flow of traffic and API calls between services

xiaorui.ccxiaorui.cc/static/service_mesh.pdf · httpl.l, http2.O grpc/tcp wtih or without mTLS Istio citadel report Envoy Pod servB . istio Istio jaeger prometheus zipkin fluented

FROM LEGACY TO CLOUD - speakerhub.com · Introduce a Service Mesh like Istio for enhanced resilience and tracing Evaluate a MySQL cluster on Kubernetes (Galera ?) Monitoring with

What Is Salesforce? | Salesforce Training - What Does Salesforce Do? | Salesforce Tutorial | Edureka

FAMILY ISTIOPHORIDAE ISTIO Makaira ISTIO Istio Istiophorus

Istio / Service Mesh - events.redhat.com · Istio and Microservices Distributed Traces supplemental slide Follow a request as it moves from one service to another Where is it getting

Managing Microservice Applications with Istio

Connect, secure and monitor services Istio Overview on GCP and …€¦ · Connect, secure and monitor services on GCP and in hybrid environments. Confidential & Proprietary Istio:

HYBRID CLOUD ISTIO: SOLVING CHALLENGES OF...ISTIO: SOLVING CHALLENGES OF HYBRID CLOUD Zack Butcher (@ZackButcher) - Stealth Startup Christian Posta (@christianposta) - Red Hat 8 May,

How to Manage Any Layer-7 Traic in an Istio Service Mesh?

How Salesforce uses Salesforce

Deploy Microservices like a Ninja with Istio Service Mesh€¦ · The purpose of these proxies is to solve the application networking challenges. They make application networking:

Expert Kubernetes & ISTIO: Service Mesh

Cloudforce Sydney 2012 - Salesforce on Salesforce

Enterprise Service Mesh - Istio v1 · 2019-06-18 · Fragmented or No DevOps Process Microservices Based Architecture Platform & Infrastructure ... API Driven Microservices Cloud

Salesforce on Salesforce: Sales Development

Securing your APIs on the Cloud - Red Hat€¦ · SECURING YOUR APIS ON THE CLOUD 31 3scale API Management Istio Service Mesh API Contracts Monetisation Partner Ecosystem Developer

Securing Microservices with Istio

Salesforce API: Salesforce Console Deep Dive

Istio Service Mesh

Service Mesh Federation How SPIFFE helps Istio in · 6/25/2019  · A secure identity framework to provide strong identities for service-to-service authentication ... Identity isolations

How to Gain Insights from Istio by Leveraging Tools Like Jaeger, … · 2020. 8. 31. · How to Gain Insights from Istio by Leveraging Tools Like Jaeger, Prometheus and Cortex CNCF

Istio Service Mesh Managing microservices with · 2019-10-04 · NetFlix OSS first microservices patterns and libraries open-sourced 2013 Spring Cloud Enterprise microservice framework

FAMILY ISTIOPHORIDAE ISTIO Makaira ISTIO Istio ...forage organisms during the warmer season and back to warm waters for spawning or over-wintering during the colder season. Being among

Run Your Business Better Using Salesforce: How Salesforce Uses Salesforce

Istio · Weaving the mesh svcA sidecar sidecar Service A ... Fault Injection ... Istio adds fault tolerance to your application

Istio...Modeling the Service Mesh etcd Kubernetes Consul Abstract Model Custom discovery Platform Adapter Envoy API Rules API Istio-Manager Service discovery & traffic rules 1. Environment-specific

Services Mesh Istio: Sailing to a Secure - Istio... · Istio: Sailing to a Secure Services Mesh Spike Curtis, Tigera & Dan Berg, IBM. ... Ops needs a cross-platform toolchain: Canary