Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
solo.io / Gloo Platform / 18 Oct 2022
solo.io / Gloo Platform / 18 Oct 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Gloo Platform and Gloo Mesh 2.1 Demo

Description

Check out the demo for Gloo Platform and Gloo Mesh 2.1.

A

In this demo, we'll take a look at glue, mesh 2.1 and the recently announced glue platform.

A

So, with glue platform, what we're focusing on is that next set of challenges and next Journey that organizations need to take once they've gotten past the initial steps of modernization, adopting Cloud technology things like first few steps into public Cloud things like containers kubernetes, and what we find is that, once they've deployed their applications, these applications need to communicate with each other and how you provide that application networking. On top of these various Cloud Technologies, whether that's on premises in a public Cloud, both or multiple clouds we need to.

A

We need to solve the challenges around communication, around zero trust security, around API and service, to service networking policies, and we need to do this in a way that scales to large deployments, multiple clusters, lots of different teams and, as I mentioned in this very heterogeneous environment, and so that's why we built glue platform is a multi-layered approach that solves challenges at the edge with the API Gateway, the only API Gateway, that's built directly on top of the service mesh.

A

It doesn't force you to use a service mesh, it's option, but if you happen to be going down this path, it it natively ties in with with your service mesh, so you can have the same policies to describe networking and security for both north-south and East-West traffic.

A

The second layer is glue mesh, and this is an Enterprise service mesh that focuses on running a service mesh at scale, allowing various teams to onboard to it. The complex works workflows that might show up around it, centralized observability, zero trust properties, multi-tenancy and you know tying in with with a various components that a large organization probably needs like observability tools or private key and public key infrastructure.

A

The last layer is glue, Network, which goes a layer deeper and tries to provide defense and depth by controlling the lower layer, cni components in in the network and on top of this we've also built graphql capabilities. So it will expose these apis and orchestrate the the data from these services.

A

So, as a recap, glue, Network forms the foundation of these lower layer. Networking Concepts using things like psyllium using ebpf glue mesh, provides an Enterprise service mesh with multi-cluster support, multi-tenancy support, advanced concepts, including sidecar, or no Sidecar deployments.

A

Glute Gateway is our API Gateway, which can be used to replace some of those bloated full stack life, full life cycle, API management, vendors with more lightweight cloud-friendly Gateway technology in the demo that we'll take a look at today, we'll see a multi-cluster deployment, we'll see, Global, routing and advanced failover, we'll see our API Gateway in action and we'll see how the lower layers of the network come into the pictures of so we'll start by looking at the user interface.

A

So we have two clusters in this demo: it's for Simplicity of the demo, but you can add as many clusters as you need, and the first thing you will notice is that we're able to discover what's running in those clusters. Here we have a cluster in US West. Here we have a cluster in U.S east and we've discovered that we have istio running in the Clusters. This happens to be a solo supported version of istio.

A

We have full life cycle management as well as cve patching and production slas around our builds of istio, which are drop-in replacements for the open source project. The next thing, we'll see, is a concept called workspaces. Workspace is a way to carve up the capabilities of the service mesh that you want to expose to different teams.

A

Now the sample application that we'll be using is the good old istio book info demo, which you can see here, and a very big tenant of ours here at solo, is that our products should fit into these modern Cloud native workflows get Ops is at the heart of those workflows.

A

So all of the configuration that drives the behavior of this platform, whether at the Gateway level or at the mesh level or the networking level, should be done and should be driven through declarative configuration and those should be stored in git, and so in this demo, you'll see that we have our git repo with the various policy objects that we will use to drive the behavior of the mesh. We also use Argo CD, and you can see that things are green here. We've synced everything into the various clusters and.

A

We will will be able to use automation to drive the the behavior of this platform. So the first thing I'm going to take a look at, is implementing a Gateway API Gateway.

A

Now our glue Gateway as I've mentioned, can replace full stack or full life cycle, rather API management gateways, uh with capabilities such as request transformation rate, limiting oidc integration, web application, firewalling and and more for this demo, I'm going to take a look at rate limiting so the first thing we'll do is we come into our configuration, we're going to drive this through a git Ops workflow?

A

If we take a look at our rate, limiting policy, what you'll notice in blue mesh is that the way we configure our services and our Behavior is slightly different than what you see in the istio community. Now we can do it with istio objects, but if the objects are very service specific, you apply a policy to a specific service, with glue mesh to manage a more wide scale, widely deployed set of services and and application networking.

A

What we do is we Define policies and then use labels and selectors to apply those policies to various Services, it's much more intuitive and much easier to handle at large scale.

A

So in this case, what we're gonna we're gonna do here is we can see that this policies rate limit policy applies to routes that have this label rate. Limited is true, so let's find a route, and let's actually come in here and edit this route, and what we're going to do is I'm going to give it labels put rate limited is true. So now, whenever we call a product page in the book info demo, we will potentially be rate limited. Let's see, rate limit. These changes come back here and we'll look at the client settings.

A

We're set right here and specifically we're going to be rate limiting on requests that come in with these specific headers X number and X Type, and if we see those requests over it, we'll rate limited them at one per minute, all right! So now, if I come over here and um check out our go, CD we'll see that we're out of sync.

A

So, let's sync, that new change that we just made and get to our our platform and then we're gonna actually use Postman, because we can edit and alter the headers here when we, when we use Postman.

A

So if we send in requests these, don't we're not going to enable these headers we'll send in the requests we should see. We do get the HTML page back. That's the book info page now, if we enable these headers and send them in, we should see that approximately it's not 100, but approximately uh we'll see one and we'll see two. ah It's too many, so approximately one request per minute will trigger the rate limiting now under the covers. This is using the glove Gateway and glue.

A

Gateway is built on top of istio istiocentroscale and it is in the glute. When you adopt the glute platform, you can choose to use this technology standalone. You don't have to use the full bone surface mesh. You can just use the Gateway if you want so the next thing we'll take a look at is cross cluster traffic and failure.

A

So if I come back to the webpage here and I I refresh a few times, we should see traffic is flowing back and forth to the review service reviews, V1 and V2. You know if you're familiar with book info, there's no red stars reviews V3 is not here, so this traffic happens to be pinned to Cluster one. At the moment, cluster 2 is where we have reviews V3.

A

So if we come over to our our clusters here and we find front ends in cluster, one, let's go find deploy and let's just take the product page down in cluster one.

A

What we'll see is come back and refresh across fingers. We should see the traffic still continues and eventually we should see red stars, because now we are failing over automatically into the second cluster, and this failover behavior is handled by include mesh. There is a concept include mesh called virtual destination, which allows you to specify a global name, a globally routable name. That can then use priority and locality as a failover mechanism.

A

So whenever you talk to product page dot whatever in the mesh, it will automatically be routed to the the correct service.

A

So from a observability standpoint, we can see using our graph that traffic does indeed fail over between cluster 1 and cluster 2., and and we can, we can move things around a little bit.

A

Things should redraw.

A

See here, if we click on the Instagram click on product page, we can see the amount of traffic that is coming through those those various gateways.

A

Another thing that's uh interesting about glue, mesh, 2.1 and glue platform is the ability to manage the life cycle of istio itself. So across a large number of clusters, it can be very difficult to automate and control the upgrading process and the management of a particular version of istio from a single location or any location.

A

So what we have in in glute mesh is the is the ability to uh let's see if I, have the the ability to install and deploy lifecycle Managers from a single point of view, which then allows to control what istio versions get installed across a fleet of clusters and we can automate how we upgrade those those istio control planes and data planes across the fleet now. Lastly, what I'm going to cover here is the the defense and depth capabilities.

A

So, as we mentioned, you can optionally, so the Gateway can run standalone, blue mesh can run Standalone or they can run together with glue, Gateway and then glue. Network can run Standalone or with the mesh and the Gateway together, and what the networking component provides is functionality that can be built into ebpf and leverage from the cni.

A

In this case, we've discovered that psyllium happens to be running in these clusters.

A

Now we can also take a look at the health of each of these various components deployed in here. We can see that we have psyllium in a good State. We have istio in a in a healthy state and now, if I deploy a glue mesh access policy that states that product page can or cannot talk to the review service, what we want to see happening when we use the network is defense and depth.

A

We want the istio authorization policies to be written, but we also want the networking policies to be written so that at layer, 7 and layer, 3 and 4 that that networking is is controlled by by access rules.

A

So the first thing we'll do is come over to the policies page, a debug page and we'll take a look at any authorization policies, but but we don't have any- maybe we'll also add some cilium Network policies. Again, we don't, we don't have any, but in in glue mesh. What I want to do is I want to apply an access policy to glue mesh to the to control the traffic between product, page and reviews.

A

So when I do that, what we should see is that glue mesh will automatically go, create the correct authorization policies for istio and the correct psyllium Network policies for the lower layer networking so that if I come over here into my cluster and find a an application in one of these namespaces here, let's just let's just execute into this, and if we try to curl the reviews, I can fold back ends, uh 90 80.

A

well, we'll see. Is it hangs? It hangs because only product page can talk to the review service. Other applications cannot and this is being blocked at the network level. Now, if we could somehow circumvent the network level Maybe, you know, since the the rule allows us to talk from the product page, but we don't have any. Let's put that back from the product page, we should be able to talk to the the review service, but what, if I, don't call it using uco's Mutual TLS mechanism?

A

What if I call it directly from the proxy if I were to? If, if I were to do that curl? Let's? What is it reviews DOT book info and.

A

Reviews one: we should see that the connection will fail, because the mutual TLS that was expected isn't isn't provided. Now. If we recall this from product page directly, then the call would succeed, because that's that's what we've written the authorization policies for now. I invite you to take a look at the glue platform and to take a look at the glue mesh 2.1 release, there's a lot of stuff in in there that I'm not able to cover, and but we will create uh smaller demos, to walk you through things like the istio lifecycle management.

A

Things like ebpf acceleration for istos now in uh in English, 2.1 and integrating with psyllium and with network policies from your cni to give a much tighter control over the security and the network. Policies in your multi-cluster heterogeneous deployments so again take a look at glue, matching glue portal and thanks for stopping by this demo,.