Profile picture
, 12 tweets, 3 min read
My Authors
Read all threads
If you find all this service mesh stuff confusing, and you really want to understand it, start with @envoyproxy. Learn Envoy's core feature set and how to configure it by hand.

Start simple. Learn how to use Envoy as a HTTP proxy or load balancer like you would nginx.
One of the best things about Envoy is the ability to leverage a configuration server to dynamically configure it at runtime.

Instead of configuring Envoy by hand and copying config files around, you can configure Envoy to sync configuration from remote server.
Envoy leverages the xds protocol for discovering and streaming configs, and the best part, it will hot reload the configuration, no more restarts! envoyproxy.io/docs/envoy/lat…
Envoy also has support for custom plugins, metrics, and a bunch of features you might find useful like rate limiting and circuit breakers, which can all be configured centrally, and that's what makes Envoy stand out from the crowd.
Envoy also set the bar when it comes to securing HTTP endpoints. Envoy makes it easy to centrally manage TLS certificates and rotate them without a restart.🤯 envoyproxy.io/docs/envoy/lat…
While you can use Envoy as a HTTP proxy or load balancer, you can also use it like an application server. Think Apache and PHP.

You can run Envoy in front of an application and fine tune the configuration for just that service. This is the fundamental idea behind a service mesh.
Once you have more than a handful of these Envoy proxies running around you're going to really appreciate the ability to configure them via a central configuration service.

So why all this talk of tools like Istio when you can just use Envoy?
Well, there are many ways to generate an TLS certificate, and to be honest, Envoy's raw configuration is a bit verbose and intimidating, and that leaves room for, you guessed it, abstractions.
There is another big component to the whole service mesh thing and that's service discovery. If you're running Kubernetes, then you'll need to integrate with its service layer. You can use DNS, but you know, DNS.
In addition to Kubernetes you got VMs and other service discovery tools like Consul and etcd.

This is where custom xds control planes come in. They know how to integrate with different service discovery tools and generate Envoy configs incorporating the service endpoints.
While you can write your own xds control plane with service discovery integration, TLS certificate management, and the ability to generate Envoy configs, I'm not sure that's the best use of your time. If you need all of that then, and only then, do you look at a "service mesh".
Which service mesh should you chose? Like I know.
Missing some Tweet in this thread? You can try to force a refresh.

Keep Current with Kelsey Hightower

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @kelseyhightower see all

Profile picture
Kelsey Hightower
@kelseyhightower
Open source is not a numbers game. It's about sharing and collaborating; on your own terms.
Some people will only have enough bandwidth to try out your project and offer feedback. That's a valuable form of contribution.
Some people will fork your project because they have ideas that differ from your own. That's fair game, and if you really think about it, you've inspired someone, and it presents an opportunity for experimentation and learning.
Read 3 tweets
Profile picture
Kelsey Hightower
@kelseyhightower
The Open Policy Agent project is super dope! I finally have a framework that helps me translate written security policies into executable code for every layer of the stack. openpolicyagent.org
The learning curve isn't as steep as you'd think. You gotta learn Rego, OPA's policy language, but once you do, you'll see an immediate payoff.

The best part is the tooling. I was able to learn Rego and experiment with policies from the command line.
I'm leveraging OPA as an embedded authorization framework with gRPC. I've created gRPC middleware that leverages OPA to authorize clients based on policies defined externally. openpolicyagent.org/docs/latest/ex…
Read 3 tweets
Profile picture
Kelsey Hightower
@kelseyhightower
There's a ton of effort attempting to "modernize" applications at the infrastructure layer, but without equal investment at the application layer, think frameworks and application servers, we're only solving half the problem.
Even with the best orchestration, logging, security, and debugging infrastructure, code has to be written to make the best use of it.
We are asking developers to implement all the best practices around security, performance, load shedding, and authorization, for every programming language.

Ideally we encapsulate it all and enable developers to do this:

import "do/the/right/thing"
Read 3 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!