Description
My blog is running on Istio
Many think that running Istio is hard due to its complexity, operational cost, and resource requirements. In my presentation I'd like to demystify the most popular service mesh by sharing details of my self-hosted infrastructure. He will share some details on how he can spin up an exact replica of his blog under seconds while having the extensive benefits of a service mesh, e.g. observability.
A
Okay, thank you. Hi everyone, and thank you for having me. Welcome to this month's currency meetup. This presentation is called "My blog is running on Istio". I'm Christian Fakata, working as a DevOps SRE engineer at LastPass, and I really like cloud native infrastructures, particularly the observability aspect of cloud native infrastructures.
A
So, starting from this, and starting from my experience at LastPass, where we are using Istio in production, I decided to self-host and run a blog, also on Istio, to have a self-hosted playground to play around with technology, and I decided to put together this presentation to demystify the complexity of Istio by showcasing this simple use case. So first, what's Istio? Istio and service meshes in general provide a unified way to handle traffic management, service-to-service communication, observability and security.
A
You can spin up local clusters to develop and debug Kubernetes clusters locally on your laptop, and most of these are happening because it's becoming the default standard for cloud computing for tech companies at any size, not just at the big tech companies, but starting from startups and regular companies as well. And how it became standard? Because Kubernetes provides an extensive set of useful features that otherwise only could be covered by dozens of other applications, all stitched together with a glue, and that glue is specific to each and every company that's trying to solve these questions.
A
Well, that's good news, because Istio was also becoming easier and easier, as we are going on. Istio developers and maintainers are focusing on making it as simple as possible by improving on its operational cost, day-two tasks, and they are lowering the operational entries of cost as well.
A
1.5, sorry, and from this point, Istio is embracing a monolithic approach, basically simplifying the control plane by having a single service. It's called istiod, and all of the other features that we could see at the previous slide are in this single service, which is basically all of our control brain.
A
Other than this shift in terms of architecture, there are other under-the-hood improvements as well. You can choose between different installation methods. You can install the Istio services with Helm, you can use in-place or canary upgrades. You can use Istio operator. You can use a CLI tool to debug your mesh and apply manifest.
A
We had matching environment and we have a dev cluster where we could try out the functionality, but there were use cases and edge cases where we were hit by that affected us, but fortunately the community and the maintainers were always there to guide us through that phase. And compared to this, the last few upgrades were quite uneventful, and I think uneventful is a good thing when you are working in ops.
A
Another great thing about Istio is that you can adopt it very early. Istio is quite powerful, as I mentioned, and when you first glance at the docs and see the extended feature set and all the config options, it's very easy to get overwhelmed by the sheer amount of options, knobs and all of it, and by the docs itself as well.
A
However, if you can afford to look into the certain use cases that you are having problems with and you want to streamline, and you have the time to solve these one by one, adopting Istio gradually, then I would say this is the optimal way of adopting any new complex technology, if it's possible.
A
When you download a certain version of an Istio release, you will have default profiles readily available, so you can, for example, deploy a demo profile or a default profile of Istio locally in your cluster, and you can start to play around with it. You can have a look at the features, the config options, and you can go from this point.
A
Then you will need an ingress gateway to expose your cluster. Ingress gateway is basically an ingress controller and it's a load balancer. It's operating at the edge of your service mesh, it receives incoming HTTP and TCP connections and, yes, that's basically an ingress resource. In other words, there are other gateway and ingress resources; it's an optional tool.
A
Next to the gateway, there's virtual service, which is an Istio-specific CRD. It's an API, but you can communicate with it with YAML files and it's implemented as a CRD. Basically, the difference between other Kubernetes ingress resources is that the gateway itself does not include any traffic routing configurations and capabilities.
A
Istioctl or Istio operator contains a simple configuration for port 80 and 443, but other than this, I'm using a simple TLS instead of a mutual TLS, which can be also turned on when there's a clear need for that, but I'm just using a simple TLS for this ingress purpose, and I'm referencing a name of a certificate, and beside this I have a redirect for port 80 to 443, and basically that's all that you need to expose your entry point in the service mesh.
A
You have to reference gateway to apply the routing itself. You can see that it's called blog, and if we go back to the previous slide, this gateway is called blog. So that will be the one that these virtual service will use. And the bottom section, the http route destination host, is basically an http, and this can either redirect or forward the traffic. By default it forwards, and that's the way I'm using it.
A
So what can the simple setup get you? There's an ingress controller, which is again optional, but one of the benefits of using Istio is that you can get away using only Istio instead of using dozens of separate services with all of their lifecycle management. Then you can have traffic management capabilities. Istio can help you start with fault injection, traffic shifting, circuit breaking and more. These are optional. You can try these out one by one and adopt the one that you need.
A
The great benefit here is that Istio and the Envoy sidecars are helping you to solve all these without instrumenting your application bid with these logics, and your applications can focus on the business problems that you are actually trying to solve.
A
Basically, with Istio, we will have the golden signals readily available for your services without adding a single line of code to the specific services. Then Istio can actually... there's a typo on the slide, because the second bullet point under observability should be workload-level traces, because Istio can automatically add three ac traces, trace spans for workload-to-workload communication within the mesh.
A
The application code should propagate the trace context between the incoming and the outgoing requests. So you can improve on this, but basically the service-to-service spans are covered with Istio and the Envoy sidecars running next to your workloads, and as I mentioned, this simple setup is a great playground to build upon. You can experiment with all these features and proceed at your own pace.
A
But yes, that's basically about it. Prometheus, Grafana and Loki are doing all the magic behind the metrics and logs that are available without any fine-tuning and adding these by hand. And if you want, you can extend over these, you can create more advanced dashboards.
A
I have these running behind my blog, but again there isn't a single line of added code to the application itself. It's all the same default logs and metrics and traces that are available with Istio. On the right, you can see the traces itself, that's added with Grafana Tempo, but there's no instrumentation at the application side.
A
So that's another future improvement idea that I could add, but at this stage the idea is to leverage the default capabilities of Istio. So, yes, that was about it. It's a bit overkill; running a blog doesn't even require dedicated servers anymore. You can use Lambda functions and go serverless, but I wanted to have a servo speed playground to experiment with the extensive set of features that Istio and Envoy can provide, and this file this firearm. I really like the capabilities and the freedom that this self-hosted platform can provide me.
A
If you want to move into the advanced topics, you can implement them at your own pace. As I mentioned, you can add security headers with Istio's Envoy filters. You can experiment with A/B testing. You can shift a certain percentage of your traffic to a new modified version of your service. You can get started with chaos engineering by fault injection. You can implement rate limiting around Istio.
A
Around Istio's gateway or the Envoy proxies, you can use locality-based load balancing for external services. So let's say you are relying on a third-party service or other regions, and if those regions or services are having an outage, you can shift your traffic automatically to the healthy boat source services.