#IstioCon Moving large scale consumer e-commerce Infrastructure to Mesh Rajath Ramesh Principal Software Engineer @Carousell Harshad Rotithor Software Architect @Carousell #IstioCon About Carousell TB/month ● Internal egress bandwidth ~2 PB/month #IstioCon Architecture Overview ● User traffic infrastructure - TW region, all 3 zones ● REST APIs for client traffic ● gRPC for inter-service traffic

commit at a time from your microservice #IstioCon 3. Reuse existing infrastructure ● Minimize costs ● Reuse existing infrastructure to run tests #IstioCon Why don’t you ? ● Mock ? ● Contract testing Your laptop is not part of the mesh club #IstioCon A dummy proxy for the mesh ● Called by Lua code ● Parses the contract header and makes http call #IstioCon #IstioCon Wait … What about VirtualService Checkpoint 1. Minimize time to bug detection: yes 2. Allow simultaneous tests: yes 3. Reuse infrastructure: yes #IstioCon Drawbacks Contract header needs to be preserved all the way through the call

#IstioCon Upgrade Working Group Mission: To improve the stability, user experience, and test infrastructure around Istio upgrades #IstioCon Upgrade Working Group - Stability ● Standards and processes Provide a clear path forward #IstioCon Upgrade Working Group - Test Infrastructure ● Extend and improve the testing infrastructure ● Extend and add testing of upgrades across all supported methods. level: experimental, alpha, beta, and stable ● Ensuring appropriate documentation, testing, and code completion is done for each level ● Making sure that features continue to mature #IstioCon Release

model of Istio to guide the security audit as well as future security audits. 2. Carry out a manual code audit for security issues. 3. Review the fixes for the issues found in an audit from 2020. 4. Review obtained in parts of code bases that receive less attention. Our assessment is that, not counting the Operator, Istio is a very well-maintained and secure project with a sound code base, well-established test coverage with little to no room for improvement. We identified a few APIs in security-critical code parts that would benefit from fuzzing and wrote fuzzers for these. In total, 6 fuzzers were written

frictionless upgrade https://istio.io/latest/blog/2020/tradewinds-2020/ ● Fixed budget for infrastructure maintenance ● Desire predictability ● Longer support windows ● Skip releases for upgrades Detecting backwards incompatible changes ● Measuring developer efficiency ○ Test flakes ○ Feature and code coverage ● Feature promotion efficacy ● Improving overall developer experience https://istio.i

start from scratch New URLs are shown in the Search Engine Results ?????? ? #IstioCon Our infrastructure is deployed on GKE, with GCLB and Istio IngressGateway User Google Cloud Load Balancer Gateways

Service Mesh, Google Inc, 2020 Envoy is an edge and service proxy that allows traffic in an infrastructure to flow in a mesh, allowing you to visualize problem areas, tune performance, and add substrate

Experience Simplified tooling to bootstrap Wasm modules in Rust, C++, TinyGo, AssemblyScript Infrastructure to build, push, share, deploy, debug Wasm into Istio service mesh Wasm Registry Multi-cluster

implement common Security, Observability, Service Routing & Discovery functions as features of the infrastructure - ○ Functions: TLS Termination, Traffic Management, Tracing, Rate Limiting, Protocol Adapter

its control plane. The goal of the assessment was to identify security issues related to the Istio code base, highlight high risk configurations commonly used by administrators, and provide perspective areas of focus for subsequent phases of the assessment. A test plan was created which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, side car injection) architectures were used to provide testers with a way of validating that security expectations in the code were implemented when deployed. Each environment was deployed following Istio Documentation using