Vaulted Istio Certificates
Tetrate

How to Use Hashicorp Vault As a More Secure Way to Store Istio Certificates

Introduction

In this article, we’ll explore how to use Hashicorp Vault as a more secure way to store Istio certificates than using Kubernetes Secrets. By default, Secrets are stored in etcd using base64 encoding. In environments with stringent security policies, this might not be acceptable, so additional security measures are needed to protect them. One such solution involves storing secrets in an external secret store provider, like HashiCorp Vault.

Read More
How to Use SkyWalking for Distributed Tracing in Istio
Tetrate

How to Use SkyWalking for Distributed Tracing in Istio

In cloud native applications, a request often needs to be processed through a series of APIs or backend services, some of which are parallel and some serial and located on different platforms or nodes. How do we determine the service paths and nodes a call goes through to help us troubleshoot the problem? This is where distributed tracing comes into play.

This article covers:

  • How distributed tracing works
  • How to choose distributed tracing software
  • How to use distributed tracing in Istio
  • How to view distributed tracing data using Bookinfo and SkyWalking as examples
Read More
eBPF
Tetrate

Diagnose Service Mesh Network Performance with eBPF

Background

This article will show how to use Apache SkyWalking with eBPF to make network troubleshooting easier in a service mesh environment.

Apache SkyWalking is an application performance monitor tool for distributed systems. It observes metrics, logs, traces, and events in the service mesh environment and uses that data to generate a dependency graph of your pods and services. This dependency graph can provide quick insights into your system, especially when there’s an issue.

However, when troubleshooting network issues in SkyWalking’s service topology, it is not always easy to pinpoint where the error actually is. There are two reasons for the difficulty:

  • Traffic through the Envoy sidecar is not easy to observe. Data from Envoy’s Access Log Service (ALS) shows traffic between services (sidecar-to-sidecar), but not metrics on communication between the Envoy sidecar and the service it proxies. Without that information, it is more difficult to understand the impact of the sidecar.
  • There is a lack of data from transport layer (OSI Layer 4) communication. Since services generally use application layer (OSI Layer 7) protocols such as HTTP, observability data is generally restricted to application layer communication. However, the root cause may actually be in the transport layer, which is typically opaque to observability tools.

Access to metrics from Envoy-to-service and transport layer communication can make it easier to diagnose service issues. To this end, SkyWalking needs to collect and analyze transport layer metrics between processes inside Kubernetes pods—a task well suited to eBPF. We investigated using eBPF for this purpose and present our results and a demo below.

Read More
Istio Cost Analyzer
Istio, Open Source, Service Mesh, Tetrate

Use Tetrate’s Open Source Istio Cost Analyzer to Optimize Your Cloud Egress Costs

Who Is This For?

You should read this if you run Kubernetes and/or Istio on a public cloud, and you care about your cloud bill. Cloud providers charge money for data egress, including data leaving one availability zone destined for another. If your Kubernetes deployments span availability zones, you are likely being charged for egress between internal components. Even if you don’t run Kubernetes/Istio, you’ll still run into cross-zone data egress costs, which this article will help you understand and minimize.

Read More
Minimizing Cross-Zone Traffic
Tetrate

Minimizing Cross-Zone Traffic Charges with Istio

Deploying Kubernetes clusters across availability zones can offer significant reliability benefits, especially when you use Istio for application routing and load balancing. If you have built redundant failure domains in separate zones, the mesh can automatically shift traffic to another zone should one zone fail. Istio’s locality-aware load balancing can also help reduce latency and cross-zone traffic charges from your cloud provider by keeping traffic within the same zone as much as possible.

Read More
Automate Istio CA rotation
Tetrate

Automate Istio CA Rotation in Production at Scale

One of Istio’s core capabilities is to facilitate a zero trust network architecture by managing identity for services in the mesh. To retrieve valid certificates for mTLS communication in the mesh, individual workloads issue a certificate signing request (CSR) to istiod. Istiod, in turn, validates the request and uses a certificate authority (CA) to sign the CSR to generate the certificate. By default, Istio uses its own self-signed CA for this purpose, but best practice is to integrate Istio into your existing PKI by creating an intermediate CA for each Istio deployment.

Read More
David Wang
Announcements, Tetrate

David Wang joins Tetrate as the Head of Marketing

Tetrate is excited to announce and welcome David Wang to the team! David is joining as the Head of Marketing for Tetrate. He will be building and leading a world-class marketing team to develop a strategic narrative for Tetrate in the emerging Service Mesh market. David will spearhead an innovative, repeatable, and scalable GTM strategy for Tetrate. In addition, he will also create brand awareness and credibility with the analyst firms, enterprises, and the market while continuing to grow Tetrate’s unrivaled reputation within the developer community.

Read More
Tetrate

Brian Dussault joins Tetrate as the Head of Engineering

Tetrate is excited to announce and welcome Brian Dussault to the team! Brian is joining as the Head of Engineering. He will lead and scale the Engineering organization owning TSB and open source initiatives that offer rich and highly performant solutions empowering multiple personas across the enterprise in their Service Mesh journey.

Read More