In this section, we will learn about Tanzu Service Mesh (TSM)
41. The Appeal of Containers
The best part about containers is that they are ultra-portable. Images can be layered like a cake to build brand new images: a container image pulled from the internet can be used as a base, a new binary added on top, and the result shipped as something custom. That is the appeal of containers. It also means application development teams can pull images from anywhere on the Internet and build new images that inherit whatever vulnerabilities those base layers carry.
42. Implement Mutual TLS (mTLS) for Application Services across Multiple Clouds using Tanzu Service Mesh
Getting services on one cloud to work with services deployed on a different cloud can be challenging. Every cloud has its own way of configuring networking, and the complexity can be daunting. It can be difficult to protect your data in flight all the way from the source application to the destination and back.
Tanzu Service Mesh makes connecting applications that run across clouds simple for operations and application teams by grouping those services into a Global Namespace that spans multiple clusters. Building on open source projects such as Istio, it lets applications discover remote services through DNS, routes network traffic to remote clusters, and manages the mTLS-encrypted links between clouds, so data in flight is protected without implementing mTLS in the application layer itself.
43. Login to Tanzu Service Mesh
- Tanzu Service Mesh integration is already enabled on your cluster. For reference, this is done by clicking Actions -> Tanzu Service Mesh -> Add on the cluster. Don't execute these steps now.
- Click the 'Tanzu Service Mesh' link to open Tanzu Service Mesh
44. View the Global Namespace
- Click on 'Home' from the left hand side navigation pane
- Click on 'GNS Overview'
- Click on 'acmefitness'
A Global Namespace defines the logical security boundary of an application running across multiple clusters or clouds. Once a Global Namespace has been created, a CA domain is established and automated mTLS encryption is enabled for all the microservices in that domain.
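The Global Namespace turns on mTLS by configuring the Istio sidecars underneath, as described in section 42. A practitioner will still want to confirm that the resulting policy is STRICT rather than PERMISSIVE, because a PERMISSIVE policy still accepts plaintext connections. The script below is an added example, not part of this lab or of Tanzu Service Mesh itself; it assumes the effective policy can be exported from each member cluster as Istio PeerAuthentication objects (for example with `kubectl get peerauthentication -A -o json`) and resolves the mode Istio applies to each workload using Istio's documented precedence (workload-specific, then namespace-wide, then mesh-wide, then the PERMISSIVE default). The policy JSON, the workload inventory, and the 'payments' namespace are constructed sample data, not output captured from the lab clusters.

```python
"""Audit the effective Istio PeerAuthentication mTLS mode per workload.

Added example, not part of the lab or of Tanzu Service Mesh. Assumes the
policies were exported with `kubectl get peerauthentication -A -o json`;
everything below is constructed sample data.
"""
import json

ROOT_NAMESPACE = "istio-system"   # Istio's mesh-wide policy namespace (assumed default)
DEFAULT_MODE = "PERMISSIVE"       # what Istio applies when no policy matches

# Constructed sample export: a STRICT mesh-wide policy, one workload-level
# PERMISSIVE exception, and one namespace that turned mTLS off entirely.
SAMPLE_POLICIES = json.loads("""
{
  "items": [
    {"kind": "PeerAuthentication",
     "metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"kind": "PeerAuthentication",
     "metadata": {"name": "legacy", "namespace": "acmefitness"},
     "spec": {"selector": {"matchLabels": {"app": "catalog-mongo"}},
              "mtls": {"mode": "PERMISSIVE"}}},
    {"kind": "PeerAuthentication",
     "metadata": {"name": "ns-default", "namespace": "payments"},
     "spec": {"mtls": {"mode": "DISABLE"}}}
  ]
}
""")["items"]

# Constructed workload inventory as (namespace, labels); in practice taken
# from `kubectl get pods -A --show-labels` (assumed).
SAMPLE_WORKLOADS = [
    ("acmefitness", {"app": "shopping"}),
    ("acmefitness", {"app": "catalog-mongo"}),
    ("payments", {"app": "ledger"}),
]


def _selector_matches(policy, labels):
    """True if the policy has a selector and every matchLabel is on the workload."""
    sel = policy.get("spec", {}).get("selector", {}).get("matchLabels")
    if not sel:
        return False
    return all(labels.get(k) == v for k, v in sel.items())


def _mode_of(policy):
    """The policy's mode, or None for UNSET so the caller falls through."""
    mode = policy.get("spec", {}).get("mtls", {}).get("mode", "UNSET")
    return None if mode == "UNSET" else mode


def effective_mode(policies, namespace, labels, root_ns=ROOT_NAMESPACE):
    """Resolve the mTLS mode Istio applies to one workload.

    Most specific wins: a policy in the workload's namespace whose selector
    matches its labels, then a selector-less policy in that namespace, then a
    selector-less policy in the root namespace, then Istio's default.
    """
    in_ns = [p for p in policies if p["metadata"]["namespace"] == namespace]
    workload = [p for p in in_ns if _selector_matches(p, labels)]
    ns_wide = [p for p in in_ns if "selector" not in p.get("spec", {})]
    mesh_wide = [p for p in policies
                 if p["metadata"]["namespace"] == root_ns
                 and "selector" not in p.get("spec", {})]
    for level in (workload, ns_wide, mesh_wide):
        for policy in level:
            mode = _mode_of(policy)
            if mode:
                return mode
    return DEFAULT_MODE


def audit(policies, workloads):
    """Return (namespace, labels, mode) for every workload that is not STRICT."""
    findings = []
    for ns, labels in workloads:
        mode = effective_mode(policies, ns, labels)
        if mode != "STRICT":
            findings.append((ns, labels, mode))
    return findings


if __name__ == "__main__":
    for ns, labels, mode in audit(SAMPLE_POLICIES, SAMPLE_WORKLOADS):
        print(f"{ns}/{labels}: mTLS mode {mode} (plaintext still accepted)")
```

Run it against a real export by replacing the two constructed inputs; any line it prints is a workload in the Global Namespace whose sidecar will still accept unencrypted traffic, which is the gap the automated mTLS is supposed to close.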
45. Acme-Fitness application Microservices
This application runs on two clusters: one TKG cluster on vSphere ('vsphere-pf-demo') and one cluster on GKE ('gke-tsm').
An ingress gateway ('istio-ingressgateway') is the main entry point for the application. The 'catalog' service runs in the 'vsphere-pf-demo' cluster, and the graph shows an mTLS-protected, cross-cluster link between the 'shopping' service and the 'catalog' service. No special rules had to be created to enable this; the link is managed entirely by Tanzu Service Mesh.
46. Look at Micro-Services Performance
Hover over the 'catalog-mongo' service name in the graph to show its performance stats. Exposing these KPIs directly in the Service Mesh interface speeds up troubleshooting.