From YouTube: FICO's Istio Journey
Description
#IstioCon2021
Presented at IstioCon 2021 by Jeet Kaul.
So you’ve actually done security well and are using an external Redis provider that only allows TLS to talk to it. You could simply configure each of your applications to use TLS from the application pod or you can use Istio to handle the TLS part. This lightning talk demonstrates how to use Istio to do TLS origination for Redis (TCP) using the sidecar instead of the egress gateway.
A
Hello, everyone, and thank you for joining us for this session. What I want to kind of really go through is talk about our real, true journey of going to the cloud and, obviously, going and leveraging Istio. So I've been in the journey at FICO. We have been doing this for about eight years. So, first things first: yes, we have Istio in production; we have had it for over a year now.
A
I can tell you that when we were making this decision early last year (this is obviously before the whole pandemic thing), we were having internal debates: this is the right thing to do, we'll be able to support it. But it's been running. We have deployed in seven regions around the globe: North America, South America, Europe, Asia, Australia, and it's, it's, it's just been absolutely wonderful. Yep, there are some hiccups, and I will, you know, talk about that too.
A
You know, for those of you in the US, you're probably familiar with FICO, so I just wanted to kind of give a quick background on what FICO does, so that everybody can the business area and value of Istio for us. For the US people: you probably know what the FICO score is. Inside the US, it is the number one credit score. Literally, 90 percent of the credit lending decisions leverage the score.
A
We do have a platform, we call it FICO Platform, and this is the one that I'm going to actually talk about. This is the one that leverages Istio, in the next few slides. We, you know, do a lot of stuff in the financial services market worldwide.
A
We have, you know, 65 percent counts, a business number one in the credit accounts management system, and the other part, or the big part, is that we credit card fraud. We are number one in the payment credit card solution, and all of these solutions are running on top of the platform, and this is the one that we built, and that is leveraging Istio.
A
Now, we are in all the top 100 Fortune 500 companies, right, leverage FICO software, right. So we've been doing AI for decades. We have, we have 195 patents on AI and machine learning, so this is bread and butter to us, and, you know, it's a, it's a 65-year-old company, we've... So let me kind of go in and walk through the journey to the cloud. We've been doing this software on premises, deploying the customer site for decades and decades, and in 2013 we made a decision.
A
Okay, we're going to go in and build the service in the cloud. Now, in order for us to do that, right, it was important for us to go in and make sure, you know, we were cloud ready, and now, this is 2013.
A
You know, this is before Docker. This is before Kubernetes, so we leveraged Linux containers, you know, LXCs, and did the self-service model, so customer will come in and say: okay, I need, you know, decisioning software, I need, you know, rules, I need to run this algorithm, and we would spin up these containers. And we had to build our own control plane. We had to worry about networking stuff, isolation.
A
We spent a lot of engineering time foundationally building this stuff, and as we built this, we went and created this foundation on which every on-premises software that we had built was then re-platformed on top of this, right. So, right, so let me, you know, kind of talk about, you know, now again, as you can imagine, we were building this; pretty soon Docker came in. Right after Docker, Kubernetes came in, so we had to go through a journey of rebuilding the underlying services on top of this and start changing our platform to leverage services.
A
Underneath, let me quickly, you know, kind of talk about what our platform story basically is. Yeah, you know, under, we have to do this standard thing. We had to support life cycle stuff, you know, design stage, pre-prod, prod, all of that stuff. We have, you know, orchestration engines built in. You know, obviously we need data ingestion, connecting to all kinds of data sources, and, you know, security infrastructure.
A
You know, execution fabrics: you know, we execute our things in Spark. Obviously, containers, started in serverless stuff, but the heart of the platform, basically, is the items that you see in red. We allow our customers to come in, build a solution in a visual way. They can come back and define their rules, could be decision trees, because we decision tables; they can design their optimization algorithms.
A
Now I'm gonna quickly go through, you know, what, what it means, what, fundamentally, we do on this platform. So requests would come in, and these could be, you know, request response. It could be.
A
batch request, could be a streaming data coming in, and our, and this is true for most of the things that we do, we go in, data ingestion happens. We wrangle with the data, we go in and, you know, go into some transformations. After that, we have to go in, you know, what we call.
A
Then we go in and leverage external data, so credit reports (I don't know how many of you are familiar with that), but, you know, we get feedback and input into the data source, all kinds of resources, use that to actually go ahead and make a decision. As part of the decision, we incorporate different kind of analytics, so again, these machine learning models, predictive analytics. We then have some business rules that are leveraged so that you can come back and give a response back to the customer.
A
So, you know, compliance to us, you know, is foundational, so, you know, we just can't say this is, we're going to be PCI or HIPAA compliant. We have to ensure that, you know, communication stuff is encrypted between pods. And, you know, as we were kind of, you know, thinking about, okay, what are we going to do? We need to solve all these issues.
A
You know, we could come back and do TLS termination in, in pods, but the biggest problem we had in that decision was it would have caused disruption to all of the customers, right. So, not customers, were internal teams for us; they would have to rebuild their software, because we were trying to solve an in-home solution. The bigger part for us basically was, we wanted to externalize lots of things, so observability, logging, metering, you know, all of these things we want to externalize, and this the best framework, the better approach.
A
The approach, obviously, was Istio, so, you know, you are secure by default, you are private by design: very, very foundational elements for us, so we have to be, and we have to live in a zero trust model.
A
The, the part of the thing that really was wonderful, and, you know, this was one of the worries we had, was there was no impact on any of our internal teams. We have, we have lots of teams building all kinds of services, and we have solutions running. It was a seamless integration. It did not matter at all. We deployed it in production across seven different regions and voila, we had all of this security posture built in, and we didn't have to change anything in this.
A
You know, the other part that was very attractive to us was, was not just the security part, right, but there are lots of other things in Istio that provide a lot of benefits. So, you know, transparent decision capture happened. We had built this whole, we had a control plane that built canary deployment and blue-green deployment: a lot of work, a lot of code, a lot of testing. All of that is now
A
you know, relegated to Istio here. One of the things, a couple of things that we haven't done yet and that, you know, we're really looking forward to: we started, as I said, like eight years ago; we had to build our own ID and access management service, so we built a security proxy, and every service will have to just fundamentally incorporate their security proxy into their software inside FICO, and the problem that happens with
A
that is that, you can imagine, you know, as you fix issues, you find problems, you have, you know, security fixes you need to do, suddenly every service has to incorporate the new version. Actually really, really looking forward to the, the leveraging that functionality in this year. The other part, right.
A
You know, we get asked a lot about data sovereignty, and so the fact that we get a lot of control in, in, in networking, right, in, we, we believe we're going to be able to leverage a lot in making that work for us in the customer requests that we are getting. And, and so, you know, foundationally, like, mesh, mesh is the place where a lot of things are going to happen.
A
So, you know, there are, there are a lot, a lot of lessons learned in this year, over a year, that we have been doing this. One big thing, right: you obviously, when you look at, you know, standard Istio story, you're going to find out, yeah, security, check, right, observability, check. It was very interesting, you know, at least for me personally (I'm sure our engineers knew that and thought nothing of it), but it, it has, it has been incredibly helpful.
A
We, before we deployed Istio, in some, in some of the regions we were getting this: you know, customers would come in and say, hey, some of these requests, you know, are not, you know, we're getting timeouts, they were closing the connection because they're not getting the response back, and, you know, you would look at ingress controller.
A
We would know requests coming in, and you go in, you're looking at logs in the VPC, and you're not able to figure out what is happening. So after, you know, deploying this, you will be able to actually see, for, for the given customer, is that request coming in to the service in the back end, right? Is that hanging in? And clearly we saw nothing, and, interestingly enough, we were able to figure out that there was a bug in the cloud load
A
balancer. Our use case is, is slightly different than what most people do. We constantly, you know, in our lower environment, we are creating thousands of pods and deleting them every hour, and it's the nature of the business, because we go in and spin things on demand. You build things, you try to test, and then, you know, you destroy them, and we trashed the control plane back, like, massively, and it, we had, like, incredible growing pains in that one. Incredible.
A
You know, getting the configuration correct between the mixed sidecar and, you know, non-sidecar stuff. You know, it just felt truly magical, it was. It was a lot of work that had, had to be done. So one of the things that we were lucky was, we
A
we realized that, if we're going to go in and bet the farm on this, we needed partnership to evolve with this: you know, how to go in and update, because, you know, we're keeping up with the latest version, how to make sure and test, and how to update this and work the new use cases we are trying to do. We got a lot of help from the Tetrate folks. They understand Istio really well. They're also helping us foundationally fine-tune and decrease the footprint as our request load increased.
A
You know, our Istio control plane has increased dramatically, you know, so we had to kind of tune that so that we could go in and increase the, the footprint for that. So it's been, it's, it's been very, very interesting. We're glad that we have kind of done it, and we are in the process of, as I said earlier, leveraging it to do a whole lot more. It is going to be, you know, it's like a foundational part.