Support for service mesh?

stand

Dabbler
Joined
Sep 24, 2021
Messages
21
Hi all,
I was wondering if it would be possible to add support for service meshing to TrueNAS SCALE?
From Wikipedia:
A service mesh is a dedicated infrastructure layer for facilitating service-to-service communications between services or microservices, using a proxy.

This allows for:
  • Automatic mTLS between services (issuing, rotation, the whole life cycle)
  • Automatic request retries and/or timeouts
  • Monitoring and tracing
  • Fault injection (for simulating failures and observing how they affect your cluster)
  • Traffic split (canaries, blue/green deploys)
  • And more...
All without modifying any of the applications running in the cluster.

Two options are Linkerd2 and Istio. Both are great, but:
  • Linkerd2 is lighter, smaller and beginner friendly
  • Istio is more resource intensive and harder to set up, but packs more features.
Would you be interested in adding a service mesh to SCALE?
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
Service meshes should be addable as separate apps within the TrueNAS SCALE apps catalog framework.

Truecharts is using Traefik for load balancing and proxy capabilities. There is also a mesh option that Traefik provides.

So, I'd suggest users that want a service mesh start planning and testing... with their preferred tools and apps. Let iX and the TrueNAS community know what works and what is difficult.
 

FrostyCat

Explorer
Joined
Jan 4, 2022
Messages
79
Linkerd2 works with k3s, I've tested it previously. It's probably the best option as it can require very little configuration. I've been using Linkerd2 in production across hundreds of clusters for a few years and I'm very happy with how lightweight and powerful it is.

There is a caveat here: normally the TLS infrastructure you get if you use the built-in options when installing (e.g. Helm chart or binary) will only be valid for 1 year, so the best approach is to also run cert-manager (https://cert-manager.io/) and have all the service mesh TLS refreshed before expiration. Having the service mesh certificates expire is something that needs to be avoided since it can bring the whole thing down.
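
One way to set up the rotation described in the post above, as an added example that is not part of the thread: a cert-manager Issuer and Certificate that keep Linkerd's identity issuer certificate short-lived and renewed automatically. The namespace, the resource and secret names, and the durations are assumptions to adapt to your install.

```yaml
# Added example (not from the thread). Assumes cert-manager is installed and
# a long-lived trust anchor key pair already exists as the TLS secret
# "linkerd-trust-anchor" in the "linkerd" namespace.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
spec:
  ca:
    secretName: linkerd-trust-anchor   # CA that signs the issuer certificate
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  # Secret the Linkerd identity service reads. Linkerd must be installed with
  # an externally managed issuer (Helm value identity.issuer.scheme set to
  # kubernetes.io/tls) so it does not generate its own one-year certificate.
  secretName: linkerd-identity-issuer
  duration: 48h        # short lifetime limits exposure if the key leaks
  renewBefore: 25h     # renew with more than a day of validity left
  issuerRef:
    name: linkerd-trust-anchor
    kind: Issuer
  commonName: identity.linkerd.cluster.local
  dnsNames:
    - identity.linkerd.cluster.local
  isCA: true           # this certificate signs the per-proxy mTLS certificates
  privateKey:
    algorithm: ECDSA
  usages:
    - cert sign
    - crl sign
    - server auth
    - client auth
```

This rotates only the issuer certificate; the trust anchor in the referenced secret has its own expiry and needs separate monitoring and a rotation plan.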
 

stand

Dabbler
Joined
Sep 24, 2021
Messages
21
Thank you both for responding. Yes, I am leaning more towards Linkerd2 due to its simplicity but did not want to express a preference in case iXsystems wanted to implement the other.

I also took a look at the Linkerd2 Helm charts the other day. They look complicated. I am not sure if I will be able to transform them into TrueNAS SCALE apps by myself. So I would appreciate help from the community.

Also, I wasn't aware that Linkerd2 will let its certificates expire. Thanks for bringing this up.
 