View
7
Download
0
Category
Preview:
Citation preview
| ©2019 F5 NETWORKS1
| ©2019 F5 NETWORKS2
F5 & Nginx in Container EnvironmentsTHE IMPORTANCE OF INFRASTRUCTURE AUTOMATION
| ©2019 F5 NETWORKS3
BRIEF SUMMARY
Kubernetes and OpenShift topics
➢ Ingress and Load Balancing solutions
➢ Service Mesh solutions
DevOps Automation topics
➢ CICD in practice
➢ F5 Automation and Orchestration toolchain
Agenda
| ©2019 F5 NETWORKS4
Kubernetes & OpenShiftIngress, Load Balancing and Service Mesh
| ©2019 F5 NETWORKS5
| ©2019 F5 NETWORKS6
GETTING THE DEFINITIONS RIGHT
Ingress and load balancing solutions
Load BalancingGet the definition right
Distribute the traffic over several end points
➢ Outside K8S: LB traffic towards multiple HA Ingress Controllers
➢ Inside K8S: LB traffic for a K8S Service towards several POD’s
https://kubernetes.io/docs/concepts/services-networking/service
IngressGet the definition right
L7 PATH or URL based routing
➢ Send traffic towards a K8S Service based on URL or PATH
➢ Terminate SSL Traffic
➢ Blue-Green or Canary Deploys
➢ URL rewriting
➢ Etc.
https://kubernetes.io/docs/concepts/services-networking/ingress
Our solutionsNginx and F5 Ingress portfolio
➢ Kubernetes: ingress-nginx
➢ NginxInc: kubernetes-ingress
(NGINX OSS based)
➢ NginxInc: kubernetes-ingress
(NGINX Plus based)
➢ commercial support
➢ F5 Big-IP with Container Ingress
Service aka CIS
➢ commercial support
https://github.com/F5Networks/k8s-bigip-ctlrhttps://github.com/nginxinc/kubernetes-ingress/blob/master/docs/nginx-ingress-controllers.md
| ©2019 F5 NETWORKS10
Example scenario 1AWS ALB + NGINX PLUS INGRESS CONTROLLER
Nginx PlusMore then the OSS version
➢ DNS SRV Record Support
➢ JWT Auth Support
➢ ModSecurity 3.0 WAF
➢ App Health Checks
➢ HA Support
https://www.nginx.com/products/nginx/#compare-versions
Nginx PlusMore then the OSS version
➢ Configuration Sync
➢ Dynamic Reconfiguration (API)
➢ Key Value Store (API)
➢ Live Activity Monitoring (API)
➢ Cache Management (API)
https://www.nginx.com/products/nginx/#compare-versions
| ©2019 F5 NETWORKS13
Example scenario 2F5 BIG-IP + F5 CONTAINER INGRESS SERVICE (CIS)
Big-IP + CISContainer Ingress Service
➢ No daisy chaining of LB and Ingress solutions = easier to configure and debug
➢ Multi-cloud consistent security policies
➢ Access on the POD level to other Big-IP modules/features
➢ LTM
➢ ASM
➢ AFM
➢ APM
https://github.com/F5Networks/k8s-bigip-ctlr
| ©2019 F5 NETWORKS15
| ©2019 F5 NETWORKS16
COMPLEXITY – ANTIDOTE AGAINST A SERVICE MESS
Why Service Mesh
| ©2019 F5 NETWORKS17
BEWARE FOR THE NEXT GENERATION ESB (ENTERPRISE SERVICE BUS) TRAP!
Service Mesh
➢Remember – microservices on top of Kubernetes/OpenShift is all about smart endpoint and dump pipes
| ©2019 F5 NETWORKS18
Service Mesh
The sidecar approach
➢ Istio (with Envoy proxy)
➢ Linkerd 2.x (Conduit)
➢ F5 Aspen Mesh (Mesh as a
Service)
Inside application container approach
➢ Nginx Unit (web & app server)
TWO APPROACHES
https://layer5.io/landscape
Aspen MeshEnterprise service mesh using Istio
➢ Service discovery
➢ Intelligent load balancing and request routing
➢ Secure communication
➢ Policy enforcement
➢ Unified logging and requests tracing
➢ Blue/Green and canary testing
➢ HTTP/HTTP2/gRPC Support
➢ Hybrid and multi-cloud support
https://aspenmesh.io
Aspen MeshVisibility & insights for microservices
➢ Hosted SaaS for reduced TCO
➢ Visualization of clusters and microservices
➢ Real-time health and security monitoring
➢ Details and insights into errors and warnings
➢ Customizable alerts
➢ End-to-end policy map for your services
➢ Predictive Analyticshttps://aspenmesh.io
Aspen MeshAccess to engineering and support
➢ Tested, packaged and documented
➢ Performance optimization
➢ Technical support
➢ Troubleshoot production issues
➢ Upstream bug fixes
➢ Feature development
➢ Community representation
https://aspenmesh.io
| ©2019 F5 NETWORKS22
Aspen Mesh
Based on Istio and enriched with
➢ Jaeger (CNCF backed) for distributed
tracing and microservice plotting
➢ Prometheus (CNCF backed) for metrics
collection and alerting
➢ Grafana for metrics dashboarding
A HOSTED ANALYTICS PLATFORM - INTERNALS
API Server
| ©2019 F5 NETWORKS23
Aspen MeshA HOSTED ANALYTICS PLATFORM – IN DEPTH MICROSERVICE MONITORING AND TRACING
| ©2019 F5 NETWORKS24
Aspen MeshA HOSTED ANALYTICS PLATFORM – MULTI CLOUD/CLUSTER OVERVIEW
Nginx UnitDynamic by Design
● Applies changes instantly
● No reload or restart required
● Less overhead during updates
● Zero-interruption reconfigure
https://unit.nginx.org
Nginx UnitAPI-Controlled
● Does not rely on config files
● Single REST API to learn/use
● Familiar JSON payload
https://unit.nginx.org
Nginx UnitMultilingual
● Side-by-side language
versions
● Uniform app configuration
● Apps run on the same server (or
container)
● Python, PHP, Go, Perl, Ruby,
JavaScript (Node.js), Java
https://unit.nginx.org
Built-in SSL/TLS support
Independent, manageable apps
No shared credentials required
Nginx UnitSecures and Isolates
https://unit.nginx.org
One app fails, doesn’t effect others
Server is uniformly configurable
Goal: cgroups support
Nginx UnitSecures and Isolates
https://unit.nginx.org
| ©2019 F5 NETWORKS30
CONTROL PLAIN TO BE ORCHESTRATED IN YOUR CI/CD PIPELINE
Nginx Unit
| ©2019 F5 NETWORKS31
DevOps CI/CD PipelinesAutomation and Orchestration
| ©2019 F5 NETWORKS32
DevOps ReadingsMY FAVORITE BOOKS ON DEVOPS / DEVSECOPS
| ©2019 F5 NETWORKS33
PIPELINE ORCHESTRATION – ON PREMISE AND AS A SERVICE
CI/CD Pipelines
Drone
| ©2019 F5 NETWORKS34
A PRACTICAL EXAMPLE
Development SCM (Git) Code Scan BuildUnit/System
TestPackaging
CI/CD Pipeline
Auto Deploy Provisioning
Testing (GATE)
Release Management
Signoff (APPROVAL)
Deploy Production
Pipeline 1 - CI Development
Pipeline 2 - CD Deployment
| ©2019 F5 NETWORKS35
CI/CD Pipeline
• Development
• SW Config Management (SCM)
• Code Scan
• Build
• Unit Test
• Packaging
• Auto Deploy and Provisioning
• Testing
• Release Management
• Signoff and Deploy in PROD
TOOLING ECOSYSTEM
| ©2019 F5 NETWORKS36
CI/CD Pipeline
• Development
• SW Config Management (SCM)
• Code Scan
• Build
• Unit Test
• Packaging
• Auto Deploy and Provisioning
• Testing
• Release Management
• Signoff and Deploy in PROD
TOOLING ECOSYSTEM
| ©2019 F5 NETWORKS37
A PRACTICAL EXAMPLE
Development SCM (Git) Code Scan BuildUnit/System
TestPackaging
CI/CD Pipeline
Auto Deploy Provisioning
Testing (GATE)
Release Management
Signoff (APPROVAL)
Deploy Production
Pipeline 1 - CI Development
Pipeline 2 - CD Deployment
| ©2019 F5 NETWORKS38
CI/CD Pipeline
• Development
• SW Config Management (SCM)
• Code Scan
• Build
• Unit Test
• Packaging
• Auto Deploy and Provisioning
• Testing
• Release Management
• Signoff and Deploy in PROD
TOOLING ECOSYSTEM
| ©2019 F5 NETWORKS39
CI/CD Pipeline
• Development
• SW Config Management (SCM)
• Code Scan
• Build
• Unit Test
• Packaging
• Auto Deploy and Provisioning
• Testing
• Release Management
• Signoff and Deploy in PROD
TOOLING ECOSYSTEM
Different types
• Performance
• Integration
• User Acceptance
• Security Testing
| ©2019 F5 NETWORKS40
CI/CD Pipeline
• Development
• SW Config Management (SCM)
• Code Scan
• Build
• Unit Test
• Packaging
• Auto Deploy and Provisioning
• Testing
• Release Management
• Signoff and Deploy in PROD
TOOLING ECOSYSTEM
ARA Tools (Application Release Automation)
https://www.spinnaker.io
| ©2019 F5 NETWORKS41
What is still missing?
Edge Infrastructure
Automation 👷 !
| ©2019 F5 NETWORKS42
TWO TYPES OF APPROACHES
Infrastructure as code stored in source control ➢ Single Source of Truth
• Approach 1 : Configuration using Imperative API’s− A sequence of (dependent) commands to reach a certain result
− Requires in depth domain knowledge of the infra product
• Approach 2 : Configuration using Declarative API’s− A declaration of your desired end-state in one command
− Actual to desired state convergence, like Kubernetes/OpenShift
Infrastructure change types
| ©2019 F5 NETWORKS43
F5 AUTOMATION & ORCHESTRATION TOOLCHAIN
F5 Automation Toolchain
• DO : Declarative Onboarding
• AS3 : Application Services 3
• TS : Telemetry Streaming
Infra changes - Declarative
https://github.com/F5Networks/f5-appsvcs-extension
| ©2019 F5 NETWORKS44
Infrastructure PipelineINFRASTRUCTURE AS CODE AND SERVICE CATALOGUE
Auto Deploy Provisioning
Testing (GATE)
Release Management
Signoff (APPROVAL)
Deploy Production
Updated Pipeline 2 - CD Deployment
Development SCM (Git) Code Scan BuildUnit/System
TestPackaging
Pipeline 1 - CI Development
| ©2019 F5 NETWORKS45
Recommended