Istio IstioCon 2021, 10 Mar 2021

Previous Meeting

⏯

youtube image

►

From YouTube: Your laptop as part of the service mesh

Description

#IstioCon2021

Presented at IstioCon 2021 by Lorenzo Fundaró.

In this talk, we will show how we used Istio’s EnvoyFilter to dynamically route requests from our QA cluster to a developer’s laptop and back. This networking hack significantly eased development, especially when running end-to-end tests and helped us reduce infrastructure costs.

A

Hello thanks for listening to this talk. My name is lorenzo, and this is your laptop as part of the service mesh.

A

Today, I'm going to talk about envoy, filter, I'll, walk you through a problem we had at omeo and I'll explain how envoy filter help us solve this problem at the end, we're going to have a demo, and hopefully you can take some inspiration home some questions if you have post them on slack or twitter.

A

So let me give you some context. First, omio is a company that sells tickets of flights, buses and trains all under a single transaction. We integrate more than 800 providers across europe and north america.

A

Our developer flow is nothing out of the ordinary people, make a feature open, apr. The pr gets to merge to master then deploy starts from ta up to the production.

A

Our clusters, both production and qa, are running kubernetes and easter. So now the problem today running end-to-end tests at omeo is both not efficient and cost. Effective people are running tests today in qa, but this process is slow as it requires many steps in the pipeline to reach qa and then find out if there was a problem, other people spin up standalone vms, where they need to go through the lengthy process of putting strap bootstrapping all the dependencies that they need for the test.

A

So why is this process neither efficient nor cost effective? So first, I would like to minimize time to bug detection. Ideally, I would like to run this test at pr time or even from the comfort of my laptop today. We are just three steps away to find if there is a problem allow simultaneousness, particularly if you're, if you're, if you're testing a particular service, um you want to make sure you go one commute at a time, so you don't have noise or overlapping tests.

A

We want to reuse existing infrastructure as well. So all these services that are being bootstrapped in vms they're already existing in qa. So why not reuse them at this point you may ask, but why don't you do mocking or contract testing at the scale of 800 providers? Mocking has a high cost. Also mocks are like any other software. They will have bugs and they'll require maintenance.

A

So can we do better in this diagram? We have a qa cluster with three services, a b and c a request triggers a chain of call that hits a then normally should go to b and then c. What? If, for that particular request? I can change that chain of call and make it hit b star on my laptop and we filter to the rescue.

A

So enboy filter is a wrapper around lua filter. Lua filter exposes two functions as the api and they're left to be implemented.

A

These functions are executed during the life cycle of a request, and the name clearly tells when they are executed, we're interested on endpoint requests and we would like to run some routing logic in there to do something with our request to send it to b star, for example, notice that there is the request handle there, which is a simple wrapper around the original request.

A

So, having access to the request and being able to run some logic now, the question is who and where do we reroute?

A

This lead us to use the request as the messenger of this routing information, we can add this header x that route with a json which key is the service subject to reroute and the value the address of where to reroute. In this way, developers don't have to deploy any extra infrastructure.

A

They don't have to change their logic in their code. They just need to add this header and the rerouting habits.

A

Let's take a look at a pseudo implementation of our function, so you get check you first check if the header is present and if there is a match, if there is no match with the service that this um this function is running in, then you just return and the flow goes as normal. If there is a match, then you take the address. You take the headers of the original request and you make the call to whatever you need to make it and notice that we respond immediately.

A

So this this query, this this request doesn't go to the original destination, but goes to where's where to the client immediately.

A

The only problem is that your laptop is not part of the service mesh cloud. This lua code can only make calls to members of the mesh, and but this is easy to overcome. We can have a dummy proxy that will be now called by the lua code. Then it passes the contract header and makes any http calls that needs to do so. The big picture looks like this.

A

uh Let's say we have a request that has routing information with for b, so the request gets to a there's no match with service a then. It goes to b the lua code finds a match with b and sends that request to our that route proxy running in the cluster, this proxy parses the contract and then sends the request. Finally to be running your laptop notice. That b doesn't have to be your laptop.

A

It can be also a c agent or anything you want as long as there is connectivity, what about virtual services, so this can also be implemented with virtual services, but the goal of this contract was to make it as easy as possible for developers to use this rerouting feature. We didn't want them to have any prior knowledge to istio or having to deploy virtual services and destination groups so our checkpoint.

A

um We now can run this test from pr or from our laptop. We can have as many simultaneous tests as possible because this routing happens on a per request basis. um We can also reuse all the infrastructure we have in qa and reduce costs, so it seems that we're doing good drawbacks. Yes, there are drawbacks. The contract header needs to be preserved all the way through the call chain.

A

That can be a problem, if does if there is no, um if the servers don't pass the header, let's do a demo now. So, on the left side, we have a kubernetes cluster running an echo server. Let's imagine this is b and let's check it out.

A

So, yes, we have that equal server running there and let's check the locks, because we're going to try to hit that service. That service is running on port 311 and we'll see how the logs do something after we hit it so yeah that was us hitting the the server.

A

And now we have here a docker, um an echo server running in docker on port 8001. This echo server is the same one as the one. It's the same one as the one in the cluster.

A

So now we're making we're going to make a request again to the server running in kubernetes on port 30. But this time we're gonna, add our header. Actually you have it somewhere here, yeah there. You go so notice that we add this. The brow header saying when you hit echo server, please send it to docker on port 8001..

A

So let's try this.

A

So you see that there is right now a request that came to the docker server and notice that that went through the whole cluster, hitting the lua code in the echo server in kubernetes and finally making the reroute.

A

So some learnings, um I think the adoption rate of this contract has been lower than we expected.

A

People are some. Some teams are using this on their day-to-day workflow, but some others aren't because um they are using grpc mainly and this contract doesn't support that. I think at the end of the day, the we had a lot of fun doing this and the experience is positive, and so we use issue in ways we never thought of, and we thought it was worth sharing this with you.

A

So thank you very much and if you have any questions or want to um try to dig in a bit more on this, please check our blog post on medium or our reference implementation, I'll be also on slack answering questions. Thank you very much. Bye.