JKS or PKCS12 or PEM format Challenges – Kafka broker SSL with client auth 5 • Certificate renewal requires keystore and truststore regeneration • Broker pods need restarting to pick up the modified

in a Typical Microservice Application Service Service Service Service Service Service Message Broker RPC RPC RPC Message Message Message Cache RDB NoSQL We need to manage multiple types of

Service Instance V1 SPRING CLOUD GATEWAY www.my-application.com 75% or Header: X-User-Type: Non-Admin RIBBON (Client-Side Load Balancer) 25% or Header: X-User-Type: Admin Service Instance V1 Service Service Instance V1 Service Instance V2 Service Instance V1 Service Instance V1 Service Instance V1 My-data-service Service Service Instance V2 SPRING EUREKA Cross-version Traffic Service Instance V1 SPRING CLOUD GATEWAY www.my-application.com 75% or Header: X-User-Type: Non-Admin RIBBON (Client-Side Load Balancer) 25% or Header: X-User-Type: Admin Service Instance V1 Service

uses the name you defined in platform such as Istio. • Service Instance. Each one workload in the Service group is named as an instance. Like pods in Kubernetes, it doesn't need to be a single process process in OS. Also if you are using instrument agents, an instance is actually a real process in OS. • Endpoint. It is a path in the certain service for incoming requests, such as HTTP URI path or gRPC new storage entities ENTITY TYPE DESCRIPTION INVENTORAY Inventory includes service, service_instance, endpoint, network_address. They are metadata for SkyWalking. Don’t delete these. INDICATOR

created before other users’ legitimate VirtualServices. Note: During testing, NCC Group observed an instance of a later created VirtualService being able to gain precedence over an earlier created one, but In other words, the Gateway resource must reside in the same namespace as the gateway workload instance. Such behavior could be configured by setting the PILOT_SCOPE_GATEWAY_TO_NAMESPACE environment Istio Location • istio/istio/pilot/tools/debug/pilot_cli.go (line 248) • istio/istio/pkg/envoy/instance.go (line 172) • istio/istio/mixer/pkg/perf/run.go (line 106) • istio/istio/tools/istio-iptables

unique identifier for the source workload instance. kubernetes://redis- master-2353460263- 1ecey.my-namespace source.ip ip_address Source workload instance IP address. 10.0.0.117 source.labels map[string map[string, string] A map of key-value pairs attached to the source instance. version => v1 destination.port int64 The recipient port on the server IP address. 8080 request.time timestamp The timestamp

ServcieDiscovery接口上的服务发 现方法和用户配置的规则构造xDS 4. Envoy从Discovery获取xDS，动态 更新 Kubernetes Service Instance Instance Service Endpoint Endpoint Istio Istio & Kubernetes：Mixer attribute Mixer proxy svc

ServcieDiscovery接口上的服务发 现方法和用户配置的规则构造xDS 4. Envoy从Discovery获取xDS，动态 更新 Kubernet es Service Instance Instance Service Endpoint Endpoint Istio14 Istio & Kubernetes：Mixer attribute Mixer proxy svc

Mixer通过通过rpc调用，将属性与日志发送给Adapter。基于Mixer的二次开发的流程 • 编写grpc服务端程序，接收来自mixer的数据，并实现自身业务逻辑 • 编写handler、instance、rule配置文件 • 编译打包adapter，上传至docker仓库 • 编写k8s的deployment和service配置文件 • 部署应用基于Mixer的二次开发Hanlder URL 、证书、缓存选项等等。基于Mixer的二次开发Instances Instances。属性映射。基于Mixer的二次开发Rules Rules。将数据交付给适配器。 定义了一个特定的 Instance 何时调用一个特定的 Handler插件编译和镜像打包 插件的编译 CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build - a -installsuffix

traffic to restrict config pushed to sidecars ● Main Takeaways ○ P99.9 time from single Pilot instance to 0 - 3,000 sidecars < 1 second ○ Pilot CPU & memory within acceptable limits: < 10 cores, 25