 Hello, hello, I am I'm just familiarizing with the session and just checking out all of my goodness the people who are here This is wonderful. All right. Well, you're here for what multiplayer? Istio Okay There's probably any number of you are almost on all of you here that work with Istio Some of you might say that you play with Istio. I wonder how many of you have Been in a multiplayer Istio We're gonna we're gonna explore that today. There's been a lot of multi-playing with Istio between My co-presenter Shin and I so by the way, my name is Lee Calcote. I'm founder of Layer 5 I'm joined by Shin Hong of Intel He is he'll be with us on the second half of this presentation. Well, we'll talk we'll talk about that Good. All right. So so what was it multiplayer Istio collaborative was some plugins? That's right collaborative It was about an hour before Well, right now. I was cleaning up some slides, you know, or maybe I was creating some slides you you'll never know And I while doing so Google slide said that there's a new feature. You can collaborate more easily with live pointers. I Thought how true is that? That's very true And I think it's pretty Evident why that's true if you want to be on the same page with somebody you grab a whiteboard a lot of times In this day and age a lot of us work remote heck some of us attend virtual conferences We do a lot of remote things It's nice to be able to share a screen share, you know, get your mice interacting and Clearly Google thinks that's this the true as well. So that's that that was kind of timely because we're going to talk about Multiple mice and that's in part how we're going to do multiplayer Istio The focus for Shin and I these last few months as we've been doing lots of collaboration Has been on web assembly filters and was some plugins in inside of Istio So Istio's you know, some of you know this some of you have written this some of you are unfamiliar with some of this So so you respect it. We're going to go through it, which is that Istio has one extensibility story a Story that's near and dear to my heart as well as a story around integrations I think probably previously referred to as add-ons or maybe they still are Istio's extensibility story Takes us into proxy land into the data plane and Istio's ability to well sort of Impressively dynamically load and unload web assembly filters or envoy filters compiled to web assembly Really cool because you get to that's a ton of control a ton of power to have in your hands and and have over your Traffic and whether you want to use those filters to to do things like additional security. Maybe some some more telemetry Maybe like there's a number of things to be done with with that traffic with intercepting it Maybe you want to you know, you've got a couple of filters that you want to have handle your requests So maybe you'd like to chain them together So a pretty cool capability we all know that at least in some of the We all know that for when we're talking about on Istio sidecars it's an envoy based thing and always capability to have either Pre-compiled filters and have those built-in and shipped with the envoy image or in this case dynamically loaded filters For real-time use cases that you might you might have a lot of us have It's pretty pretty cool. So anyway the extensibility functionality is just super interesting. It can also be a bit well well, anything that's sophisticated is often somewhat complex and so We're gonna that's been part what we're gonna talk about today is some how to how to wrangle part of that the integrations here are Well less Dangerous maybe or less it's you know integrations are like using and in a third-party capability and Enhancing the experience that Istio mesh delivers whereas this extensibility is like well. No, you're you potentially are writing Wasm filters and augmenting the Core functionality of how the mesh behaves or maybe you're borrowing someone else's filters, but but either way There's a little bit of a difference between the level of depth of Behavioral change that you have depending upon extensibility or integrations Hey, so Istio proxy extensibility, you know, there's you're primarily two configurable resources for managing on-boy filters for managing Wasm plugins in Istio one of those and probably that the eldest of the two is on-boy filter and You know, feel free to correct me in the chat if I'm if I misstate this but so it's it's in alpha and and I think the the right way to refer to that keep that resource of that capability is that It's not likely to make its way into beta or stable rather its successor or its Younger sibling the wasm plugin is a new newer a newer resource still at alpha as well But probably on its way towards beta and towards stable it at some point There's additional functionality that's being built in Into wasm plugin, so you'll find some of that from on-boy filter But maybe a smaller Configuration area in wasm plugin maybe one that's a little more safe if you think about Istio as a platform and its extensibility any platform that you extend or that you Inject a plug-in into there's a lot of responsibility on the platform to not fall over or to to have a sandbox around what's what's happening inside of that plug-in and so in part the Objectives of wasm plugin as I understand it going forward are to well maybe help reduce some of that configurable surface area help eliminate some of the Like expert knowledge potentially needed to configure on-boy in this way There's some nice enhancements that wasm plug-in brings as a resource and that is to specify that to do filter chaining and to specify the order in which You like for these filters to do their thing Also, there's additional ways to retrieve the filters themselves and through a couple of other protocols other than just file Which I believe is the only one that on-boy filter supports So and hopefully I didn't confuse there's a number of things if you think about the life cycle management of an on-boy Well, maybe I shouldn't use the term on-boy filter if you think about the life cycle management of a wasm plug-in There are any number of concerns like hey is is the you know, what version are you using? How is that wasm plug-in image that that small binary? How is that distributed is that? Cashed is it not is there an image pull policy? Yes, there is by the way an image pull policy in Istio using wasm plug-in Like any powerful feature We've got to be a bit knowledgeable about you know, how you're configuring these things so you don't I Don't see don't over pull in this case as in that example But there's a number so the suffice to say there's a number of concerns as you go to do life cycle management of Awesome plugins and so the Istio control plane is helping with lots of this or Istio itself just helps with this There are other tools in the CNCF Messery is one of those that ends up Well, hopefully helping people as they go to run Istio or other cloud-native infrastructure So Messery is a sandbox project at the moment. It is It has a few different adapters on each of those adapters have historically been focused on Integrating deeply with service meshes notably with Istio Anymore it has just expanded over the last couple of years to do Multi cluster multi Kubernetes cluster management Have some workflow built in have a catalog do some some GitOps There's there's it's kind of a mouthful actually to do some performance management but So there's a Messery adapter speaking of plugins and extensibility Messery is Quite the extensible platform on Messery adapters. There's one for Istio The adapters are one of the ways in which Messery is extensible And so it's if we kind of look at Istio as a project and its extensibility and its integrations In a similar way Messery as a platform has an extensibility story And this is probably a bit of an eye chart But it is where you see the yellow here is where there are Where Messery is pluggable and one of those places that we it is highlighted is Filter management the ability to have a catalog of WebAssembly or wasm envoy filters and Help Istio or help you distribute those to your various Istio control planes and and to manage them and and so There's Here's here's a another eye chart for you recently in the collaborations that Shin and some of the other folks at Intel and get the community within the Messery project there's been a fair bit of recent focus on support for wasm filters Shin will tell you about this in a moment, but Intel wants to do a number of different things with Wasm filters and there's been a couple of blog posts that some of you again might have might have helped write or you've probably read on Istio.io about some of the work that they've been doing either with like enhanced load balancing or hardware accelerated MTLS and some of that is facilitated through Wasm plugins and so as you get more of those wasm plugins and you go to manage their life cycle and Go to go to store them or go to understand Keep their configurations and track their configurations a tool like Messery is built to help with that Okay It is so so now I get to explain why it is that Shin isn't here with us one This isn't one is for 26 a.m. For him, but that's not he's not a slacker. That's not why he's here. It's the what's the the great firewall of China made it a super pain in the rump to Live Record our collaborations and we were able to get it done. But but so fresh as of this morning. He has Well a demo to share with you about all the stuff that I just took us through and he's gonna tell us more about Intel's doings with Web assembly filters Does anyone else have a hard time clicking and Talking at the same time. Yeah Anyway, I'm gonna so I'm gonna load up a video we're gonna watch I'm Shin for for a few minutes here and Do message in the channel if you can't hear it, but you should From Intel China. I'm a cloud native software developer focusing on the service match acceleration And I'm also the maintainer of the CSF said books project service match performance And we're very happy today to present with Lee and I will show you the demo. Let's start Before we dev in that star where it begins With the installation Let's start with installing mastery through mastery CTL So I would be passing the design platform on which I'd like to install mastery Which is Kubernetes for today's demo of the mastery suppose are wide off other platforms mastery CTL would auto open my default browser at a location while the freshly running mastery server is listening to We land on mastery cloud dashboard. It facilitates management of all your mastery servers right from one place It also gives a list of active users from one O-1 team based on the privileges assigned to the user Let's navigate to the public phasing catalog, which is our highly kerated list of reusable infrastructure design or other sites of configuration like wasm filters and in future would be supporting OPA policy ebpf programs This is one of my design that I had published a few weeks ago with this mastery design you can install Istio and enable Intel QAT acceleration for the TLS handshake in the Istio gateway I know that was mouthful of words But in a moment, I will demonstrate how such complex clownative infrastructures can be visually comprehended This is the mastery dashboard It gives an overview of different things either readjusted or discovered by the server You can see it discovered the workload in the cluster, but there was no service match installed So at first we will need to deploy mastery adapter for Istio service match The work of the adapter is to readily integrate with Istio service match and all of its capabilities It runs as a separate container and communicates with mastery over GIPC Now I would be connecting to mastery adapter instance running at poad 10,000 Before moving forward, let's first check the connection to our mastery adapter and it looks like mastery was able to reach out to the newly deployed adapter Meet me after the demo and I will tell you the secret of running multiple instance of same mastery adapter And let's go to the match map visualizer to see what's going on in my cluster It gives a logical representation of my entire cluster and the resources discovered within its environment This makes things crystal clear while debugging And then this is the filter page where we can manage our was sent filters Here we can upload new was sent filters updated the config for any of our existing filters down the battery or published directly to catalog Let's input a was sent filter name package parser TCP There is the file upload and YAML config then we can choose the was sent battery file And let's go back to the match map. It has another mode designer you can choose and the dragon job many useful components and Was sent filters when you create your design And you can also filter and use existing public design with your teammates Let's work on the design is to HTTP header filter You can see my teammates collaborating on the design here In this design, we have the persistent volume persistent volume claims the Prometheus pod and the HTTP being deployment in default namespace You can also click the resource to check out its Details and modify it easily And We can also connect the resources like that And We do have HTTP filter which is pre-configured without was sent plug-in Oh, I can see that my teammates add a github runner It can help the integration with the github And I want to add an ago workflow in the design Besides one of my favorite features is the ability to leave comments It not only helps in documenting any important notes But also work great for real-time conversation with the teammates. I can see that Lee had leave a comment Let's see what he said Okay, fine. It seems that I need to delete the github runner and the ago workflow Before we deploy it, let's go back to the virtualizer to find that we don't have an is to installed so we need to Navigate to the life cycle page to deploy an is to The next base to install is to well be is to system And we will deploy it to the same cluster which have the design Then we can click the Deploying and let's open another window to see whether is to is deployed in the cluster Okay, I can see the is to System next base and let's see the resource in the next base Pair it As a risk in the deployments. It's all good And we can also easily deploy Grafana and Prometheus Then we can go back to the match map and See if we are able to deploy the design into our Kubernetes cluster Looks like we go field deployment bugs Okay, let me see what's new in the comments Okay Okay, let's try and void felter instead of what's in plug-in. I Will go over here to clone a copy After we fix it, we can deploy the design into our cluster Let's go back to the virtualizer to have an overview It's do HTTP felter is good and the pods which have the wasm filters were deployed as well and Another part we can do is the actions We can open the terminal to execute some operations and see what's going on in the post We can choose which container to work with we can do some operations like input some Commands to check the connections to other posts Another interesting things we can do is to run a performance test you can choose an existing performance profile and input your application url You can also input additional options or upload certificates Okay, round the test and then We can go to the performance page to check the test results. The here is the results and we can also make a comparison between two results and we can also go over here to see the node details Kubernetes cluster version and the performance result chart At last, please let me take a moment to introduce the Intel at the wasm Intel cloud native team is also actually Participate and exploring the wasm filter in cloud native and the security As the first step, we made efforts in the security area We partnered with TechTrip to provide an easy to wasm plugin Integrated with motor security to implement the wasm functionality in the HTTP filter chain However, you may know that motor security is transitioning to end-of-life effective March 31st 2024 and Alternative wasm engine code Klazi is growing So we are also investigating and observing its integration with wasm and We are also working on the integration of wasm and Intel hardware acceleration Please contact me later if you are interested Thank you very much. Oh very good. All right well, so There were a lot of things covered there. I'm gonna share these slides again and Man, yeah, again. Anyway, I have to give it to Shin for covering all that and also and also So so quickly you can see that's pretty fresh So one of the things that I'm Shin just spoke about was a number of the different Intel driven initiatives around wasm filter creation Some of those you can find in the mesh read catalog. So there's a Well, there's a public-facing catalog of not only wasm filters, but also the designs those visual designs that Shin was showing are Users of mesh we can choose to publish those designs and make them reusable for others and to collaborate and so yep, so there's That catalog is out at mesh read.io slash catalog the environment that Shin was just using is well It's hosted by the CNCF. It's It's a two node It's not a two node cluster. It's some two nodes with Meshry running on one node and Kubernetes running on the other And it's available to you all to go and well Like if whether you're advanced with wasm plugins or just starting to go out and well Pull down the designs that Shin was just creating to try them out to clone them to Republish them if you want to this environment has that so I hosted a mesh read with a live Kubernetes cluster and You should go try it Go go see if if this helps you like it did Shin and I in your collaborations with your teammates In understanding what the heck is going on in the whether it's in the data plane or elsewhere Yep, the community Would surely appreciate your feedback But all of you might benefit from it as well that playground is well It's cleaned out on a nightly basis, but if you work on any designs inside there, those are saved off So you don't lose your work in that sense But just in case there's any crypto miners it gets cleaned out every night, so Yeah, so hopefully you Your noodle got tickled a little bit Hit me with your questions if you like here or or after the fact and Shin He might even be on at the moment, but but he's certainly asking for feedback He's there certainly looking for collaborators in the wasm filters that they're doing Go out and give that that visual designer a try see if it if it helps you Yeah, I forget that we we can't do Q&A like You know live, so I'll just I just keep monologuing and Anyway, good. Well Shin thanks so much for for the collaboration Go out and use Istio's extensibility go run yourself a few chained Wasm plugins. It's pretty cool. It's pretty neat how it just the ability to dynamically load and unload and If you make a mistake, well, then you'll be in good company So anyway, okay good. Well, thanks all We'll see you in the chat. We'll see you At the rest of Istio con I'll check chat just in case people have questions just before we While you're fervorously, you know typing feverishly typing Why don't scientists trust atoms? Yeah, because they make up everything so And I figured I'd just slip that in while in case we had questions coming through Good, I might be looking in the wrong place, but I don't see any just yet. So all right Well, thanks so much for having us. I will see you at the next one