1 | ©2019 F5 NETWORKS€¦ · 3 | ©2019 F5 NETWORKS BRIEF SUMMARY Kubernetes and OpenShift topics Ingress and Load Balancing solutions Service Mesh solutions DevOps Automation topics

| ©2019 F5 NETWORKS1


F5 & Nginx in Container EnvironmentsTHE IMPORTANCE OF INFRASTRUCTURE AUTOMATION


BRIEF SUMMARY

Kubernetes and OpenShift topics

➢ Ingress and Load Balancing solutions

➢ Service Mesh solutions

DevOps Automation topics

➢ CICD in practice

➢ F5 Automation and Orchestration toolchain

Agenda


Kubernetes & OpenShiftIngress, Load Balancing and Service Mesh



GETTING THE DEFINITIONS RIGHT

Ingress and load balancing solutions

Load BalancingGet the definition right

Distribute the traffic over several end points

➢ Outside K8S: LB traffic towards multiple HA Ingress Controllers

➢ Inside K8S: LB traffic for a K8S Service towards several POD’s

https://kubernetes.io/docs/concepts/services-networking/service

https://kubernetes.io/docs/concepts/services-networking/service/

IngressGet the definition right

L7 PATH or URL based routing

➢ Send traffic towards a K8S Service based on URL or PATH

➢ Terminate SSL Traffic

➢ Blue-Green or Canary Deploys

➢ URL rewriting

➢ Etc.

https://kubernetes.io/docs/concepts/services-networking/ingress

https://kubernetes.io/docs/concepts/services-networking/ingress/

Our solutionsNginx and F5 Ingress portfolio

➢ Kubernetes: ingress-nginx

➢ NginxInc: kubernetes-ingress

(NGINX OSS based)

➢ NginxInc: kubernetes-ingress

(NGINX Plus based)

➢ commercial support

➢ F5 Big-IP with Container Ingress

Service aka CIS

➢ commercial support

https://github.com/F5Networks/k8s-bigip-ctlrhttps://github.com/nginxinc/kubernetes-ingress/blob/master/docs/nginx-ingress-controllers.md

https://github.com/F5Networks/k8s-bigip-ctlr

https://github.com/nginxinc/kubernetes-ingress/blob/master/docs/nginx-ingress-controllers.md


Example scenario 1AWS ALB + NGINX PLUS INGRESS CONTROLLER

Nginx PlusMore then the OSS version

➢ DNS SRV Record Support

➢ JWT Auth Support

➢ ModSecurity 3.0 WAF

➢ App Health Checks

➢ HA Support

https://www.nginx.com/products/nginx/#compare-versions


Nginx PlusMore then the OSS version

➢ Configuration Sync

➢ Dynamic Reconfiguration (API)

➢ Key Value Store (API)

➢ Live Activity Monitoring (API)

➢ Cache Management (API)




Example scenario 2F5 BIG-IP + F5 CONTAINER INGRESS SERVICE (CIS)

Big-IP + CISContainer Ingress Service

➢ No daisy chaining of LB and Ingress solutions = easier to configure and debug

➢ Multi-cloud consistent security policies

➢ Access on the POD level to other Big-IP modules/features

➢ LTM

➢ ASM

➢ AFM

➢ APM





COMPLEXITY – ANTIDOTE AGAINST A SERVICE MESS

Why Service Mesh


BEWARE FOR THE NEXT GENERATION ESB (ENTERPRISE SERVICE BUS) TRAP!

Service Mesh

➢Remember – microservices on top of Kubernetes/OpenShift is all about smart endpoint and dump pipes


Service Mesh

The sidecar approach

➢ Istio (with Envoy proxy)

➢ Linkerd 2.x (Conduit)

➢ F5 Aspen Mesh (Mesh as a

Service)

Inside application container approach

➢ Nginx Unit (web & app server)

TWO APPROACHES

https://layer5.io/landscape

https://layer5.io/landscape/

Aspen MeshEnterprise service mesh using Istio

➢ Service discovery

➢ Intelligent load balancing and request routing

➢ Secure communication

➢ Policy enforcement

➢ Unified logging and requests tracing

➢ Blue/Green and canary testing

➢ HTTP/HTTP2/gRPC Support

➢ Hybrid and multi-cloud support

https://aspenmesh.io

https://aspenmesh.io/

Aspen MeshVisibility & insights for microservices

➢ Hosted SaaS for reduced TCO

➢ Visualization of clusters and microservices

➢ Real-time health and security monitoring

➢ Details and insights into errors and warnings

➢ Customizable alerts

➢ End-to-end policy map for your services

➢ Predictive Analyticshttps://aspenmesh.io


Aspen MeshAccess to engineering and support

➢ Tested, packaged and documented

➢ Performance optimization

➢ Technical support

➢ Troubleshoot production issues

➢ Upstream bug fixes

➢ Feature development

➢ Community representation

https://aspenmesh.io



Aspen Mesh

Based on Istio and enriched with

➢ Jaeger (CNCF backed) for distributed

tracing and microservice plotting

➢ Prometheus (CNCF backed) for metrics

collection and alerting

➢ Grafana for metrics dashboarding

A HOSTED ANALYTICS PLATFORM - INTERNALS

API Server


Aspen MeshA HOSTED ANALYTICS PLATFORM – IN DEPTH MICROSERVICE MONITORING AND TRACING


Aspen MeshA HOSTED ANALYTICS PLATFORM – MULTI CLOUD/CLUSTER OVERVIEW

Nginx UnitDynamic by Design

● Applies changes instantly

● No reload or restart required

● Less overhead during updates

● Zero-interruption reconfigure

https://unit.nginx.org

https://unit.nginx.org/

Nginx UnitAPI-Controlled

● Does not rely on config files

● Single REST API to learn/use

● Familiar JSON payload



Nginx UnitMultilingual

● Side-by-side language

versions

● Uniform app configuration

● Apps run on the same server (or

container)

● Python, PHP, Go, Perl, Ruby,

JavaScript (Node.js), Java



Built-in SSL/TLS support

Independent, manageable apps

No shared credentials required

Nginx UnitSecures and Isolates



One app fails, doesn’t effect others

Server is uniformly configurable

Goal: cgroups support

Nginx UnitSecures and Isolates




CONTROL PLAIN TO BE ORCHESTRATED IN YOUR CI/CD PIPELINE

Nginx Unit


DevOps CI/CD PipelinesAutomation and Orchestration


DevOps ReadingsMY FAVORITE BOOKS ON DEVOPS / DEVSECOPS


PIPELINE ORCHESTRATION – ON PREMISE AND AS A SERVICE

CI/CD Pipelines

Drone


A PRACTICAL EXAMPLE

Development SCM (Git) Code Scan BuildUnit/System

TestPackaging

CI/CD Pipeline

Auto Deploy Provisioning

Testing (GATE)

Release Management

Signoff (APPROVAL)

Deploy Production

Pipeline 1 - CI Development

Pipeline 2 - CD Deployment


CI/CD Pipeline

• Development

• SW Config Management (SCM)

• Code Scan

• Build

• Unit Test

• Packaging

• Auto Deploy and Provisioning

• Testing

• Release Management

• Signoff and Deploy in PROD

TOOLING ECOSYSTEM


CI/CD Pipeline

• Development


• Code Scan

• Build

• Unit Test

• Packaging


• Testing



TOOLING ECOSYSTEM


A PRACTICAL EXAMPLE


TestPackaging

CI/CD Pipeline


Testing (GATE)

Release Management

Signoff (APPROVAL)

Deploy Production


Pipeline 2 - CD Deployment


CI/CD Pipeline

• Development


• Code Scan

• Build

• Unit Test

• Packaging


• Testing



TOOLING ECOSYSTEM


CI/CD Pipeline

• Development


• Code Scan

• Build

• Unit Test

• Packaging


• Testing



TOOLING ECOSYSTEM

Different types

• Performance

• Integration

• User Acceptance

• Security Testing


CI/CD Pipeline

• Development


• Code Scan

• Build

• Unit Test

• Packaging


• Testing



TOOLING ECOSYSTEM

ARA Tools (Application Release Automation)

https://www.spinnaker.io

https://www.spinnaker.io/


What is still missing?

Edge Infrastructure

Automation 👷 !

https://emojipedia.org/construction-worker/


TWO TYPES OF APPROACHES

Infrastructure as code stored in source control ➢ Single Source of Truth

• Approach 1 : Configuration using Imperative API’s− A sequence of (dependent) commands to reach a certain result

− Requires in depth domain knowledge of the infra product

• Approach 2 : Configuration using Declarative API’s− A declaration of your desired end-state in one command

− Actual to desired state convergence, like Kubernetes/OpenShift

Infrastructure change types


F5 AUTOMATION & ORCHESTRATION TOOLCHAIN

F5 Automation Toolchain

• DO : Declarative Onboarding

• AS3 : Application Services 3

• TS : Telemetry Streaming

Infra changes - Declarative

https://github.com/F5Networks/f5-appsvcs-extension

https://github.com/F5Networks/f5-appsvcs-extension


Infrastructure PipelineINFRASTRUCTURE AS CODE AND SERVICE CATALOGUE


Testing (GATE)

Release Management

Signoff (APPROVAL)

Deploy Production

Updated Pipeline 2 - CD Deployment


TestPackaging



Documents

1 | ©2019 F5 NETWORKS€¦ · 3 | ©2019 F5 NETWORKS BRIEF SUMMARY Kubernetes and OpenShift topics Ingress and Load Balancing solutions Service Mesh solutions DevOps Automation topics