API Tests Low Effort API Testing for Microservices | CONFIDENTIAL • What has changed? – Migration to microservices triggering need for extensive API tests • Problem: – Creating API tests is effort effort intensive – Creating + maintainting E2E, service tests, component tests adds up very quickly • What happens if you do not address the problem? – Thorough test coverage can take a lot of time outcome: Just create E2E tests • What is our solution? – Leverage Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API tests • Can also be sped up

traffic leaves the mesh bypassing the egress gateway.”8 This means that Istio alone cannot provide some core security controls and the documenta- tion suggests that additional mitigations, such as a network ns/admin#post--quitquitquit 11https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/core/address.proto#core-pipe 29 | Google Istio Security Assessment Google / NCC Group Confidential Finding DestinationRules applyUpstreamTLSSettings, and buildUpstreamClusterTLS Context functions within istio/pilot/pkg/networking/core/v1alpha3/cluster.go Impact An attacker that is able to intercept raw network connections between

industry standards and security advisories are clear and detailed. ● Security fixes include regression tests. A�er the manual auditing commenced, the auditing team found that the Istio team had prioritised memory-unsafe implementation issues such as buffer overflow and use-a�er-free issues. Envoy - which plays a core role in the Istio service mesh - is implemented in C++ and memory-corruption issues can therefore policies to the proxies and checks whether the policy of each proxy is up to date. Authentication has two core features in Istio: 1. Peer authentication: used for service-to-service authentication to verify the

#IstioCon Our clusters #IstioCon The problem Running end-to-end tests at Omio is both not efficient and cost-effective #IstioCon How tests are run ● On QA (dev -> PR -> master -> deploy QA …. ) ● Allow simultaneous tests Only one commit at a time from your microservice #IstioCon 3. Reuse existing infrastructure ● Minimize costs ● Reuse existing infrastructure to run tests #IstioCon Why don’t order matters #IstioCon Checkpoint 1. Minimize time to bug detection: yes 2. Allow simultaneous tests: yes 3. Reuse infrastructure: yes #IstioCon Drawbacks Contract header needs to be preserved all

Zhang - Link #IstioCon Writing Tests ● Istio.io page content is automatically verified through tests, and you can help by creating one! ● Guide for creating tests ● Sample page with a test ● make Working Group ● Contributing ○ Check out the style guides for documentation ○ Look into writing tests and how they work ○ We are here to help you with your PR! #IstioCon Thank you! @albertsun0 https://albert

Image transfers are over localhost + Reproducible configuration with other developers and Istio tests + Easy to setup bespoke clusters, including enabling alpha features and multicluster - Local resource

3. Sidecar & ExportTo tuning is required 1. Resource consumption 2. Resource Mounts (#15517) 4. Tests on the production-size environment aren’t a waste of time 1. Istio Discovery Restarts (#25495) 2

Adaptor In process Bypass adaptor SkyWalking backend Tracing Metric Receiver in gRPC/HTTP Analysis Core Query CoreIstio telemetry Attribute Vocabulary https://istio.io/docs/reference/config/policy-and- service for incoming requests, such as HTTP URI path or gRPC service class + method signature. Core ConceptsIstio telemetry formatSkyWalking native telemetry formatTelemetry to Analysis scope • https://github.com/apache/incubator- skywalking-query-protocolEcosystem powered by GraphQL and SkyWalking core • Open source UI project for SkyWalking • https:// github.com/ TinyAllen/ rocketbotServiceMesher公众号

#IstioCon Common services are in core cluster Projects shared solution cluster • Different namespace • Project runs as tenant, need control rights Solution cluster connect core cluster with Istio multi-cluster multi-cluster - Replicated control planes Some standalone cluster without Istio can access core cluster also, as tenant. HP Horizon Platform Connect With Istio #IstioCon Secure Platform • JWT Verify

maturity ○ Move “slowly and fix things” ○ Sustain the tremendous production adoption of Istio ● Stable core ○ Current Istio functionality meets user needs ○ Measured feature introduction ● Reducing operational