Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
solo.io / Gloo Mesh - Service Mesh - Deep Dive / 31 Aug 2020
solo.io / Gloo Mesh - Service Mesh - Deep Dive / 31 Aug 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Multi-Cluster Service Mesh Federated Trust and Identity

Description

Service Mesh Hub (SMH) is a control plane for multi-cluster service mesh environments. This video shows how SMH federates trust and identity across multiple clusters grouped together in a single, logical virtual mesh.

Questions? https://slack.solo.io
Learn more https://www.solo.io/products/service-mesh-hub/

DM us on slack to request a workshop or demo.

A

Hi everyone welcome to this new theory about multi-cluster service mesh. I am denis janno director of field engineering at solo.io and, as I said, it will be a series where we will try to address the most common challenges when trying to deploy a service mesh across multiple cluster.

A

So some of the challenges that that you need to federate trust and identity. You need to allow communication between the cluster. You need to use different service mesh technology. In general, I mean you can have like ecu locally and app mesh in aws, for example, you need also to manage the access control in a simpler way.

A

You need to think about like the disaster recovery strategy and all of the above is very very complex, so we are going to start this series with the federated trust and identity and we'll take the example of istio and we'll start by looking at the different models you have when you want to use multiple clusters, one. That's called the shared control plane model where you have only one control plane and you need a flat network between your two clusters.

A

So that's not really commonly used. The most popular approach is what we call the replicated control plane. The name can be confusing because there is no such replication. It's really.

A

uh You really have two independent sto clusters, but you use some of the style objects to allow communication between them and what you need as well is this federation of identity, trust and that's where we are going to focus in this presentation and to simplify that we have launched this project at solo.io, which is called servicemeshhub, and the idea is really to allow you to simplify the way you deploy multiple meshes across multiple environments.

A

That's why I use a different diagram here. You see there is no mention of istio, it's really about having different meshes and using edge gateways to allow microservices from one mesh to communicate with microservices on the other mesh and obviously, in the case of sto, we have this steel, ingress gateway, and that is this edge gateway.

A

We also have an option to use our own gateway, that's called glue, but the idea really with the service mesh herb, is to allow you to manage multiple meshes and unify the trust and allow communication across the mesh with multiple mesh technologies. So we started with istio app mesh is around the corner and and others are coming, and the idea is that this service mesh up really simplify your life. It just like makes a discovery of the different micro services and different meshes automatic.

A

It allows you to simplify the way you manage access controls and the way you uh unify the uh identity and all these things. So we will focus on on the identity again in this one. But uh in the next talk we will speak about the other part of what you need.

A

So let's go and jump directly in the in the demo here, so I'm I've prepared. So basically, what I'm going to do is that it's part of a workshop that we are going to deliver soon. The first uh first workshops will be in september uh in uh both u.s and europe uh times zone, so you'll be able to register in the one that makes more sense for you, but what I did here is that I use this environment where you have like um three cubans clusters, one where we will just deploy service mesh herb.

A

You can consider that as an admin cluster and the two other clusters will be the two clusters where I have istio deployed and where I want to federate the identity. Obviously the service mesh up could run on one of them, but we did that that way, so that you understand it's not really a requisite.

A

So what I did already I deployed like cubans clusters. I deployed the service mesh herb on one cluster and I used this mesh ctl command just to register my two other clusters, so that service meshup knows about them, and then I deployed stu in the standard way on both sides using the estee operator, so nothing special in the way I deployed it.

A

And finally, I deployed the famous book info demo app so now. What I'm going to do is that I'm going to look at the current identity of these two meshes. So if I uh so remember, cane 2 is my first cluster and kind. 3 is my second cluster. So here I'm going to send a request between the from the reviews microservice on this cluster to the rating microservice on the same cluster, and I'm going to look at what I get so here.

A

You should see that there is no such tls happening here. So what I'm going to do first is to enable that so I'll enable tls by switching the mod to strict on both cluster kind, 2 and kind. Three.

A

So just going to do that quickly and if I call the same command here, then it will be more interesting because I'll be able to see that uh the certificates here the certificate chain with this uh clustered local organization, which is the default one.

A

You see you have one. That's finished by d, a y here, for example. So what I'm going to do now is that I'm going to run the same command, but I'm going to do it on the the other cluster kind. Three and you should see the same organization name, but as you can see, the certificates are different.

A

So that's why now we need to unify that so that they can trust each other and and we can have like secure mtls between the two clusters.

A

So what we do in in our case that we have this uh crd, that's called virtual mesh, where we just simply say that we want uh to create a virtual mesh based on the two mesh we have today like kind two and kind three, and we want also like this auto restart pods makes your life easier, because, basically, when you have this new identity, you need to restart multiple hto components so that they will start to use the new certificates.

A

So I just enabled that so I'm going to create this object here on the service mesh herb and what you can see. What happens?

A

You know there is like a certificate that will be spread it across the two clusters, so you'll be able to to get it on on the two clusters, and at that time you know that most of the the things have already happened, but we'll also be able to take a look at the service that will restart and, and things like that, so let me check that here so for them and nothing is restarting because the certificates are not delivered yet you see it's there on kind. Two should probably be there on kind three as well.

A

Yes, and now, if I look at the services on kind two, you start to see that um the different uh pods are restarted, so that the.

A

Cycle proxy on all of these different pods.

A

Now we will use the new certificates.

A

So, let's wait a little bit more. That should be quite fast. You see also that istio ingress gateway is starting as well, because it also needs to have this new certificate.

A

But we can already try between like the communication between the review and the rating because they already restarted now. If I try to look at the kind to here, I see there's like this service mesh organization, and I see it finished by b q a w and if I do the same with your site yeah, I see the same here so you see that now we have like a unified identity.

A

So let me go back quickly on my slides here.

A

So, as I said, we just covered that part and we will cover uh many other topics in the next videos and uh also just wanted to highlight a little bit of our portfolio at solo.io.

A

So we've discussed here about the service mesh hub that allows you to simplify, like multi-cluster service meshes, but we also have a glue, which is our api gateway that you can use, especially if you don't have like service mesh.

A

We have this webassembly project that we are working on to be able to use uh to create easily assembly filters for envoy when this will become stable in envoy and you'll, be able to apply these filters on glue because it's android-based, but also on stu itself, and we also have this developer portal that you can use in both cases both for glue or for istio. That allows you to simplify the way your user can interact with your apis.

A

So I hope you enjoyed this video and the next one is coming soon where we will cover the way service. Mesh hub, helps you to simplify the communication between the two clusters. Thank you.