Sign New Hampshire RFP Secure

Document type sign rfp new hampshire secure

good morning everybody good morning good morning and money my name is Zachary ductile I work for Microsoft work a lot in the community doing documentation demos talking a lot about DevOps and DevOps tooling and I'm joined today by Mishra Zacks best friend that's like the best best Idol I could get I'm also the the technical advisor to the CTO so I work in the office of CTO I work in a lot of open-source things a lot of advocacy work which is which is what I love doing and this is one of those things that I love doing so thanks for thanks for doing this act yeah for sure me sure I'm always stoked to to join you on stuff like this so today what are we gonna talk about we're gonna talk a little bit about aks we're gonna talk a lot about Hoshi Corp console and what it means to securely connect things in a messy world or in a messy timeline like we're in right yeah yeah so we're gonna talk about a lot more to do with you know service meshes talk about like how you can use console on kubernetes on a single cluster then we can do something we didn't try to do something you know brave and try to extend it to multiple clusters and then we'll have applications that will be sitting on multiple clusters you know talking between clusters and securely I do it all over TLS I also kind of show off some of the else layer 7 features like traffic splitting and failover and things like that so we will see how it goes we will be using you know guides that are already available which are already created by the Hoshi Cup team it's on the hashcode learn page we can drop the link after this as well but just learned of Hachiko comm slash console and this is the the key guy that I guess we'll follow the later half of this stream we also have a github repo I know zach has a link below which basically points to this repo and basically step by step what we're gonna do today so if you if you if you don't if you don't follow us and you got a missus that you know if I go too quickly and if zach you know is is asking me too many questions and we go out of time and then then yeah you can you can check the sweeper out on your own time so yeah yeah and I just want to let everybody know this is this is like it's a livestream it's not gonna be really this isn't like webinar style or anything it's just Mia and I hanging out we're gonna go through this feel free to ask questions live I'll try not to interject if if Mishra is you know talking on some points or something but I'm going to be taking down all the questions that we get so very worst case we'll answer them after but we're gonna try to answer them either as they come in or as time permits so feel free to ask questions if you see me in chat I'm Zachary Depp taua so if I respond that's that's me cool so I think Zack has two 80s clusters set up and what I've done is basically used use some of the some of the telephone that we wrote together to kind of spin this spin these things up so I'll quickly show you what I have here so I have a cluster module that we created and it basically has a very simple definition of a eks cluster this is entire form for those of you new to deform this is HCl which is Hoshi configuration language it's made for humans to read and write so it's fairly straightforward you know you have name of the cluster resource group name location DNS prefix and and Linux profile I hope you can see my screen I hope it's big enough like the text is big enough if not least you know messes us on chat and then I can increase the the screen size but I think we did a good job with the screen pot and things like that so yeah so yeah things like Linux profile you know you know specifying the service principle and and stuff like that and providing some tags and then we are outputting a bunch of things here the key thing here is the queue config so what I have done is actually created created two of these clusters the east east glossary u.s. east cluster and a cluster in u.s. West so we're going to be using both these clusters today today initially we'll just focus on the US East cluster so let me quickly show you these clusters if I go save group CTL config and I get contacts I'm gonna use left full commands I'm not gonna use any aliases anything so yeah so yeah here's here the two cluster so let's actually describe and get some notes from one of them so do get nodes maybe provide the context let's say aks East one that should show us the three V engine in East and then if I do the same with West yes one you'll see yeah there you go so those are the three notes and there of course they're different they not the same cluster just making sure that I'm not cheating your hair yeah there they are there are two different clusters running in two different things on it yes which is amazing and make sure that was all set up in the same terraform code base right like we didn't have to do separate code bases which sometimes I get that question that's ancillary or outside of this conversation but yeah all in that same code base which is really awesome yeah exactly all in the same code base you're just using a local module not doing anything fancy and in terraform and yeah and the one the one thing I think Zac I don't know if they have the same networking side of blocks I'm not quite sure what did you buy that so they do they have identical cider blocks and that's it's kind of intentional and I want to point this out real quick make sure we have someone in chat saying that they're watching from a mobile so if there's any way to increase the text size a little bit okay that would be helpful but yeah we have we have identical Network cider blocks one east in the east region one in us West Region and so they're disparate they're in different actually geographically different data centers one on the East Coast one on the west coast but the cider blocks are the same meaning they share the same networking space and so this this is a problem that and I've worked in this industry for a while this is a problem that people sometimes run into where they have like say they have a primary location and a DR location well they've set the cider blocks up blocks up identically so when they go to set up a VPN or some kind of connection they've got collisions they got to start setting up routes one IP does not equal the identical IP behind it you've got all kinds of interesting networking setups and so we did this intentionally just to show that how you could get around that basically exactly absolutely you don't really need to be under on this you know network them in a way or like in a predefined side of blocks at all all right so I'll get right into it so we have let's use the east cluster first and we will install console using console helm so you can actually install console helm you can see the guys that if you go the console website our if you use this tutorial will show you how to set up at the helm you know using helm three you know you can add the Hoshi Corp you know sorry Hoshi Corp mm checks and then you should be able to discover the console chart and install it if you like and this is the official chart that we ship directly it's built by a console team it's really amazing and I'll show you some of the things that it can do for you so yeah so this project there is this file called I think it's called helm console u.s. East one so this is the u.s. East one configuration for him here I'm defining some values for the ham shot so I'm defining like the console version which is 1/8 which is the latest stable version I'm defining the console key it's version which is our helper helper program that ships alongside the hancher what that lets you do things like you know sidecar injection and I feel the like TLS creation a TLS certificate creation things like that and then specifying the data center this is gonna be us you name us East one in console and then I have you have a TLS configure which is just saying that I would just want us to be enabled across processor I think you know so the servers communicate securely the clients communicate to the server securely and this is all actually done just by enabling this flag which is super nice and then we have something called a mesh giving so I mean also installing the mesh gateway which you would see and find more relevant when we talk about multi cluster console deployment so this allows you to kind of you know get you know it's a gateway to other clusters and that's how you can look at it and it's the only public facing thing then you need to expose externally and and you know you can define the IPS you know restrict rules on it and thank stuff like that so that way it's still secure if it's on the public Internet but yeah that's the only thing that you need to expose and you also enable it console inject so this will allow us to kind of securely inject a sidecar into our kubernetes applications and you see how enables you to do cap you know services service communication securely also enabling UI so we can actually view the view the UI and I'm creating a load balancer service and for that which just expose ative externally ideally you don't want to do this on on your production clusters of and you know you you should have some form of like authentication to your UI but in this case I'm just gonna make it public so if you if you all want you can try it how's it trying to find the IP as well alright so those are all the values me sure it really quickly can you zoom your your vs code you're still just a tiny bit Thanks thanks man you know no that's great and I have it looks like I've got one more one question I don't know if this is if maybe this will be answered later Jack is asking with console connect your only option to run a web app is via ingress gateway also how did people run web apps with connect before console 1.8 no so no well the thing is I don't think the only option is the ingress is an option to actually ingress traffic into the console cluster into console connect the you could you can run you know web app api's you know and other like types of applications and secure them using connect and that's been always available since the release of connect and I think 2018 so yeah so when we came out actually we didn't actually have support for layer 7 protocols we had support for you know l3 and so we allowed like TCP UDP I mean of the TCP protocols to kind of you know those type of services to do that and we and that was all using TLS yeah so you could have you could have you can still use connect you know for other various applications you know and that was true prior to 1/8 what changed in 1/8 is is features like the English gateway which allows you to kind of ingress traffic into the cluster so you can still use connect inside the cluster the ingress would be before this you have used like either nginx or some you know your pre-configured you know ingress in this case you get that natively now which is really nice and then you know we added things like the van mesh join through the mesh gateways and you see that in the multi cluster hopefully we answered it in the multi plaster scenario and then we added a few a few other features as well as far the one it but those were those were kind of the big ones NES we added something called a terminating gateways which we won't get into today which allows you to kind of you know extend your match till the last minute for like traditional you know application like mainframes and things like that so yeah I'll talk about most of these features as we go through the through the livestream awesome thanks me sure cool cool so we'll get started will install all right so we'll install console on this communities cluster so what I'll do is I'll actually watch as these things are happening here so we'll watch for all the pods here and then actually that's watch for services as well so we can actually see the services come up as well so yeah you can see there's only one service available right now which is just a Cuban IT service I just of that it's basically a blank slate here so I'm creating the same shot he'll install and providing the values file that you saw trigger and giving it a name providing of providing the the home chart option and then also providing the context which is u.s. East and I'm just gonna wait on this while this is applying so as soon as I install hopefully this all works this is where like another demo start sack so you see we'll see we'll see how it goes today but yeah there you can see the first thing you'll see is like the kind of a TLS boot strapping which enables you to I can you know console automatically creates TLS certificates for you and you can always provide your own TLS certificate but in this case we're gonna just do it so it's just easier for us so in this case yeah we've already bootstrap the TLS certificates and now we'll wait on the server's to come online once the server's online which are these three these three you see these clients with these random IDs on them and these clients also running on every node and they'll also come online once the servers are healthy and then you see the mesh gateways come online which is the one that we use in the multi class just like right now we won't really you know look into the empire the second half of the livestream looked our most of this stuff yeah this takes about three to four minutes to complete and the reason why that is is because first of all you have to download all the docker images that you need for each of these things and these things are running a stateful set actually make sure you know there's a volume attached and things like that and then and once that's that's complete and then we actually start on some servers they would stab themselves they'd discover themselves which is nice which is again using the whole stateful set you know again as prefix now once those join they form a cluster then the clients can successfully you know talk to these talk to they talk to the cluster register themselves and then everything comes online so it's all like and I'm feeding on each other which is very very interesting which I know we love inefficient I mean it makes sense right like some some things are dependent on on others and we'll see that too will see this a little bit later how things even with rolling updates and things like that out how how they play through that way yeah and I think one thing to note here is like Zach that aks actually gives you you're talking about networking right so I I guess actually gives you you know the network like native networking primitive support as well so you can actually get like an azure network and you can use that to spin up you know any key s cluster so in this case I don't think we've done that Zack but you could do that I'm just giving another option out there for like networking per se if you if you want more control over networking on on your aqui es clusters then you could use the add your networking plugin right and that would not allow you to kind of get first class type use if you like right and something that I meant to ask you already so you know kubernetes already has a level of service discovery kind of built into it right what so console extends that right what what's what would you say is like the major reason you'd want to use something like console over just what's built in yeah it's a good question so I think yeah kubernetes has kubernetes services coverage services primitive right that allows you to create these services which we'll use actually for console as well but what that gives you is just an IP and you know you can if you know two pods are using two pods on your application that using the service they're actually not encrypting any traffic they're not using end to end TLS encryption you know there's no like handshake okay this is just finished we'll continue on that but yeah so I think so it doesn't give you the security and also doesn't give you like you know things like your native l7 like traffic splitting support and all the the first-class features that develop developer would want and also something that networking themes like you know for them TLS will be important you know making sure like you know they can actually detect whether certain certain applications are down and this networking is to be blamed X doing all those things and also kind of the observability into your service mesh that's another big thing that a mesh just provides you you know just by default so it's it's fairly fairly useful if you if you if you find use cases for it okay so you have the the cluster ready so as you can see everything is running the mesh gateways are healthy everything is running so now next what we'll do is actually quickly see whether we have a working console cluster so in order to do that I'll run this really fancy kubernetes exact commands I'm gonna exact into yeah yeah so here I'll basically see exact into one of the state full set servers and just run the console members command which just lists all the members in the cluster you should see six of these things you should see the three servers which you can see they're all alive and then you'll see the the three three clients that are that are running as well so yeah so you have servers and clients so that's all good stratasys in one data center so now we have the control pin setup we can actually see the UI as well so let me just quickly do CTL okay service and that should give me the name of my console UI I should give me the IP and then I'll open this up here HTTP close this one actually all right let me open that and yes this is a sale sign search so yeah ideally you don't want to do this in production but I'm just gonna show you the UI just for ease of use here yeah that's the nice looking UI that the console team has has given us and has like things like intentions which we'll talk about the next few good thing next few bits here you have the note if you have the ACL system which we aren't using for this one but I definitely recommend for production and then yeah different options like key value and stuff like that so all the things that console provides you alright so you have the cluster already Zak so I think next thing what we will do is actually deploy services into it so let's do services we are working with today in a front end service which is a very basic application that just does curl on an upstream and the upstream service is in ep so very very simple not doing anything complicated so I'll open them up and show you the the yeah Mille definitions for these things if I go to kubernetes open the front-end llamo you'll notice that this is a very simple deployment named front end and then it defines a few annotations which I'll come back to in a bit but yeah the container itself is just a very simple cool container just curls in upstream localhost 1991 and the reason why I called that localhost port is where we basically asked console connect to give us an upstream so here what are we actually annotating is we are providing a console inject annotation that says hey inject a sidecar into my application and then and define up streams for this wah I want to depend on an API service which I'll show you in a bit and then I'm specifying and telling connected hey make that API service available on a local port 9091 for me and that's what I'm using to kind of call upstream I'll quickly show you the API service fairly simple it just says API v1 is the version 1 of our API also has annotations the console annotations you know we want the injection cycle injection to be true and we're tagging it with some metadata tags saying that this is a version 1 in console and then we're providing some very simple like helpful hello from v1 text back it's very fancy very sophisticated so I do ask a question real quick me sure so that shows a listen on 8080 right but you're you're asking the front-end to stand it up on 90 91 for you is that right yeah that's correct so yeah so that's not a mistake and that's that's actually on purpose so here's a console actually understands this console is kind of the brain of the DSN right so it understands it registers the service and once it registers the service understand that hey it's exposing a port 8080 I'm gonna you know basically check that port 8080 and make sure that that's healthy and then register it as a service services I kind of the heart of console and then that kind of defines everything else so which is really beneficial so you can do things like you know in on the front-end application you say hey I don't care where this API service you know what port it's exposing you know it's a logical service I'm going to name it as API and just give me a port 9091 cuz that's what's available for me and you know connect can actually provide you a and dynamically as well but in this case we are going to explicitly provide it so we can actually call it oh yeah so that's kind of the story then in console handles all the kind of a TLS magic and and you know forwarding to the right ports and things like that so okay so I'll I'll get this up and running Zack since I'm just going to keep looking at the time as well so we don't know I just you don't go past the prescribed time okay so I'm gonna do a coupe city I'll apply for the for the front end so you'll see the front end application running and then I'm gonna do the apply for the v1 which is the API which you can kind of you know think about as a back-end to your front-end application so yeah that's our API coming online and you see the front-end so what do you notice here instead of being one container you've now have three containers right and that's the kind of the sidecar injection which are console Connect which are console Connect console key it's project by key for does which yeah gets install as part of the hell charge you don't need to do anything all you have to do is do that annotation which has inject the sidecar and and the rest is just taken care for you sorry it's gonna switch back to this yeah so the API is healthy the front-end is healthy and now ideally you can just in this case like in the front end is basically you know doing a curl call on 99 you very simple and waiting for one second so actually let's just look at the logs for this service so that'll give us an idea whether this is happening of working quickly before that I'll show you these services being registered here so here automatically I didn't refresh the browser we have updated the UI you see the API has two instances we have front-end which has the instances and what you'll notice here it says connected with proxy connected with proxy that's kind of the console connect injection okay I have been happening successfully so let's look at the logs here so I'll do logs for the front-end service and then you'll notice that that there's some curl calls that is being successful so right there so you say 200 okay you have these things you know churning up you'll see the the time change so even though you can't see the output though half you know that this is this is actually updating it's not faking this alright so you'll see the time change that we kind of keep keep track of that and you see say hello from v1 which is what we which is you want alright so now it's it's time to kind of talk about interesting new concept that I really like and it's mean for humans it's the concept of intentions so intentions are basically your way of you know enforcing an intent of what you want to to talk to what so basically it's an authorized method of doing authorization on top of the security that you already get with that TLS end-to-end thing so here what I can do is actually define an intention that says hey I want my front end and my API service and I don't want any traffic between them actually so I can actually deny traffic now before I do this I want to talk about why this is actually interesting because you know in a world like kubernetes in a dynamic scheduling environment you have you don't have like static IP addresses really you don't get Sally IP addresses we don't have the luxury of that anymore you can't like firewall like this IP with this you know this service kind of get a point to point to different services what you really need is to kind of and logical notion of a service which is the logical service it might have multiple instances under it might have just one instance under it and then you need to do some form of identity identity based authorization that says hey this traffic that's coming in is from the front end service I don't want that to go to API and that's what kind of intentions allow you to do that's it's awesome it's kind of like I think of it like firewalling except instead of giving that explicit IP you say anything that could be this API so like say you lose all your API nodes they come back up with completely different IPS we don't care if it's an API do allow or deny it based on what our intentions are absolutely absolutely and you can define like all kinds of rules like you know stop like basically I don't allow anything by default and then only like you know allow certain things as they get created which is which is I think the way to go but in this case Peter we have to allow so yeah I think we'll deny this and as soon as I hit save here you see we will stop getting traffic here so notice the bottom of the screen what I'll do is actually shrink this a little bit if I can let me see all right so here let me let me make this okay now I'll hit save and watch the what's the bottom screen so as soon as I hit save you see these empty responses now coming up coming back in it's there's no more healthy responses hey I sorry didn't mean to cut you off there it's it is instant like that that's this is a live cluster that you made that change to and it is an instant response yeah exactly so I think the the the way this works is very interesting we use like you know long polling and things like that to make sure we can do things like that and give you like that instant instant kind of response oh yeah if I delete if you delete this thing again we're back immediately immediately yeah yeah which is quite fast and it's pretty nice and yeah this is all done using TLS and all right so that's intentions for you and we'll continue going forward now and just for the sake of time because we do have to be just on the same cluster right now exactly so I think what we'll do is let's let's talk about you know traffic splitting and things like that like else layer 7 style thing that I think might be more relevant for developers yeah and people that you know care about like canary deployments and trying stuff out before releasing which should be the case please test stuff out before we say you can test in production if you do do things like traffic splitting and you know and and and you know you know only it's you know direct traffic to is you know subset of your new applications and if there's errors you can you know easily you know rollback and so yeah I think meshes allow you to do that which is another pretty cool thing yeah for sure if you want if you want to start setting that up I can kind of explain in case anybody hasn't seen a canary or a B blue-green deployment if you release a new back end or a new piece of your application instead of sending all of your traffic to that application you can say only send you know 30% of my traffic to that application and you can slowly failover I got maybe failover is not the right word you can slowly push your traffic onto that new environment so if something's wrong you don't have a hundred percent of your clients hitting that problem you can pull it all back you know pretty rapidly absolutely so yeah here I have the API v2 version 2 of the API and it's very different from v1 what's different is this this text if it just says hello hello from v2 that's the the difference and you have few few new annotations here so I'm different defining some metadata version 2 and then thanks virgin so that's basically what's different about me me too so I'll deploy version two of this application and see how we can kind of move traffic to this you know gracefully and so what I'll do is I'll hit apply on this be sure I've got question real fast I think it's kind of relevant to the intentions we were just checking out so can you make intentions on the verb and path and then Amir says +14 verb and path possibly headers yeah yeah so that's a great question so right now you can only do intentions on the logical service itself on just a verb so you don't have the option of doing like path based intentions but those are also it's something that we definitely look into and resolving and and that'll give you the kind of the layer 7 intention enforcement which will be pretty cool I am really excited for that feature as well so I think that's coming awesome thanks me sure cool so here here we have the ok we have the v2 and then I'll apply this in east cluster and you see this come on line here so that's coming on line and I'll pull down the container do the same like sidecar injection and and next what I'll show you is while that's coming up I'll show you a new notion of kind of redefining a resolution for a service so in concert we have this concept of a service resolver which is very interesting so this allows you to kind of define that hey this service the default for like all the traffic should be v1 but it does have to be subset so the v1 and v2 and then it's all done using that metadata which now becomes relevant which you might be wondering why is it tagging certain things you know with version 2 and 2 in this case this becomes very relevant as you can see right here so we have the service metadata version 1 version 2 that's the V sub sub set v1 subsets v2 so that's how we're going to define and this is all 30 lines of code there is no complex Eid you know any crazy you know you know Yama definitions I guess which is you know this is fairly simple straightforward definition so the first thing we want to do is kind of define a service default for this service I'm you know which is just you know what protocol the service is HTTP you can do this you know using annotations as well but in this case I'm gonna use create the service resolver first so before that what I'll do is actually copy copy up some of these configurations and put them in the console server so I'm not exposing the API and you know externally so I have to just run everything you Wyatt so you through the server which is which is probably not what you should do in production but something that I'm just gonna do for ease of use for this this is a hands-on livestream so we're gonna just okay so the first thing I'm gonna do is define a service default which you already saw which is just basically saying that hey this is an HTTP service which is this one so let me apply this and this will exactly do the console thing and then run a command called concept config and then write this config so that'll create the service default and then what I'll do is basically you say resolve the service and create the service resolver which you already saw as well and the next thing what we want to do is create something called a service splitter so this is the three things that the defaults the resolver that defines the subset and the splitter that actually splits the service and into certain based on certain weights so in this case I'm going to do 50 50 50 to 50 do we do and again the name matters and you're defining it as API which makes which targets the API service so I'm gonna do that let me copy the so it service which is right here alright let me clean this up alright so yeah that's the service printer configuration that I've apply next to our cluster and then hopefully you can notice at the bottom here this will be me know kind of I think it's almost 50/50 and the reason why this this might be weighted that way is because v1 has two instances and v2 has just one instance so you can see that now we're kind of dividing traffic between v1 and v2 which is what we expect so now let's say everything has gone according to plan like you know you know we've successfully done that using like few lines of code we able to spit traffic everything works and you you feel v2 is the version that you want to deploy to which in my life has not happened that often like I've relied on you version will be like okay there's many errors in in production I get a rollback but in this case let's say that's the case so we can actually split traffic 100% and I'll show you configures valo again very simple con igure I'm defining zero for subsets 1v1 and wait hundred for the subset v2 which is the version two of the application all right so what I'll do is I will apply this make sure I've got a quick question why is the splitter underscore but the resolver is Pascal case oh that's that's that's that's basically me copy pasting stuff and so I you can you can use both and that's a good that's a good catch so that means everyone's paying attention yeah you can use you can use both and so in this case I'm using I'm using the I'm using the older version for my configs or from a previous example that I had done before to a new config that I updated why are the documentation so that's just on me that's a good catch all right so now you'll see as soon as it's actually set hundred percent immediately you see that all the traffic is now going to be - yeah which is fairly fairly simple very easy to use I think one of one of my colleagues for banks who works on a console core team created a touch bar application for Mac that can you can just toggle the traffic of this of the between the the two instances just using the touchpad which is the most I would you know most like I guess a innovative thing I'm use seen for the touch by I do not use my Mac that's part III wish I had my my Escape key back I really miss my Escape key right yeah I think the new yeah so right here so now what we're gonna do is finally I think we're at the point bid we can try multi cluster stuff we kind of kind of understand you know what's going on with it so we're splitting l7 stuff so same server like service to service communication now let's talk about in a multi cluster things and here's where like the 1/8 release is actually really cool because it introduces a lot more a lot more kind of you know you know I guess ease of use for operators are going to connect these things together multiple clusters together so here's the a guide that our education team has actually done on the learn platform for Hoshi car and it kind of shows you a diagram this is basically what we're doing today I'm gonna just stick modify the configure a little bit with the names because we have different cluster names but pretty much in this in this in this tutorial it goes over like how to do this and it's fairly straightforward so what we're kind of trying to do is we have the front-end application let's say this is us east one here and this is us west cluster which is the other cluster that we have the US east cluster will have a front-end application and we'll move the version 2 of the API to the US West cluster and what we'll do is actually you know hopefully failover to that if there's something going wrong here okay in a US east cluster and we'll bootstrap a whole you know whole multi cluster console deployment here so in order to do that first I have to actually you know create uncomment these lines which were the Federation lines which allows you to kind of do Federation and console and this basically does everything that's all you need to do that creates you a new secret it actually rolls the the servers and so on so let's go ahead and do this because this takes a little bit so we can save some time here let me upgrade that and I've uncommented that let me just save this make sure I've saved this ok and then I'm gonna hand do a hem upgrade which updates the same cluster the u.s. east cluster and then basically rolls the rolls the servers and the reason why we have to do this is because we have to create new secrets for Federation that our servers will use and then use use the same whenever CA this TLS a and and inserts for the for the other meshed cluster so Zack I have a question for you actually sure what's so I know you use with I I know you like you probably talk to a lot of aks users and and folks that use kuben IDs like what I think for me the most the one of the most interesting bits has been how people have solved the kind of a multi clustered problem like how they solve like hey how you actually move traffic in the class page sure so what have you seen in your experience that has like you felt like ok like you know this is a viable solution for doing multi cluster console I mean I mean honestly honestly console I I get asked about console a lot I've seen some people that build either have like reverse proxies even still outside so think of a kubernetes cluster running a container that handles this or even even a separate proxy of some kind like an engine X or something but but honestly console gets brought up a lot and consoles is one of the services admittedly that I haven't played with a ton you know I use terraform a lot I use Packer a lot but console is one that I just haven't played with very much but it gets brought up so often and it didn't start as this kind of service right wasn't it key even it's yeah yeah exactly it was a service discovery solution and and yeah we we always wanted to complete the loop with with actually me no because we had service discovery we had can you know dynamic configuration we had other features like dining locking and stuff which you need in a distributed system and of course like the servers and used raft and things like that so we were like okay so the last piece that we were missing was actually the console Connect which is allowing the you know the traffic to actually go through to go through the data plane yes one thing to note here is I actually didn't talk about this and I should have a service which contains two things right a control thing and a data plane so in console the control plane other servers and the API that's available by the servers which is again you know you you hopefully have multiple the consoles I was running so if one one one has issues the other one can kind of take over it becomes a leader the key thing here is that the data planes actually disconnect like data planes actually separate component off as mentioned people usually get this mess this up they don't have a clear understanding of like you know others are those the same thing I think the key thing here to note is they are two different things so the data plane we're using envoy but you could use you know other things like it's totally pluggable with console you can use Indian accent a chief proxy and things like that I'm using envoy provides you with some really amazing XTS api's that allow you to do a lot of interesting things it has this way too many you know signals to be honest it's one of great projects that I think lyft started it's now part of CNC I think nice and yeah so it's a really good really interesting proxy so yeah the data pains actually separate from the control plane so data pain is responsible for routing the packets and the control plane which is console servers are responsible for providing configuration providing service discovery data become becoming the authority for authorizing access which you saw using intentions and that's all done why are the servers but the data planes kind of separate and it all it needs is some configuration and then it just does this thing it just can you know basically uses a certificate valid its connections create connections forwards the and the traffic from one proxy to the other that's kind of the big you know big thing that the proxy does and and it actually does they all think the life at the heavy lifting right like it actually is being used it's in your runtime path for your application that's now is the important thing so I think this rollout is almost done and I have like two quick questions maybe if we can fit them in here and I apologize if I mispronounce your name Akash is asking share the details of this article available on Hoshi Corp I think it was it an article you just mentioned article history here it's gonna followed by oh yeah so yes that's right so there's the Dutch bar yes that's that's the right application banks console touch bar ops here that's the one that I think Yvonne yeah you want pointed out yeah that's the one that that was the question so I think I think you mentioned in an Akash and I apologize if I'm mispronouncing your name which article were you looking for we can we can try to find that for you and I do have another question that I passed up just to save for later Jack had a question is there a tutorial on doing this may change making nginx accessing console for certs to be connect capable I'm not I'm not quite sure if I know if there is an article that's out I don't know maybe in the blogs when we released support but I think you should check out the hajikko blogs if if there is one there is one article yeah I'm not caught sure maybe we'll follow up Zack on that question yeah for sure I was gonna say to me sure and I are both on so if you have any questions for sure follow us or not even follow us just send us a DM and Emily open so you don't have to yeah my dams are open as well there's there's no requirement to follow I misspoke there but if you want to follow you can the there's one more question how does consul compare to sto it's a little involved answer how about I give it right after we finish the 15 minutes left on the thing and I'll answer this question no problem alright so what we're doing here is first thing we want to do is kind of actually use a new secret that we created as part of this upgrade which is the federated secret which we'll use to kind of bootstrap the other cluster so here's here's that secret and that just happened we just got created it has the the CA cert that we'll use I'm sorry the screen is a little smaller but yeah I apologize for that and then the CA key and what's interesting here is there's another service server config Jason that's available right here okay so so this one this one actually encodes this is all B's 64 encoded this is the kubernetes babe you know basic secrets there's nothing to it console yeah but yeah this is base 64 encoded what I'll do it here is actually echoed the secret out and then I'll do a base64 decode this will show you what's inside this so this is the config that we need to use for the other cluster so we can kind of provide the data center for why the primary gateway so as you can see you know to boost up other data centers all the only configuration that you need is this which allows you to get a point to a different cluster right which is our primary data center and then you have a secondary data centers which which which PCB point your primary gateway so all the kind of the joining so all the servers that exist in the other data centers join you're using a van join and console has been multi data centers from hey you know man when we started console so this is not something new for us there but initially what you had to do is you have to expose all the servers in any data center publicly and make them job and join using and gossipy we still it was still encrypted connection but it was all the internet and you know you would have to use you would then actually point all the servers and open communication between them and this is not ideal for especially in a scenario like kubernetes when you might have multiple clusters and and you know exposing services it's a little you know a little difficult in terms of like you know me you know exposing your your you bringing off the off the data center on the public Internet so in order to do that we with 1-8 we release something called van you know with Federation van joined which allows you to kind of go through the gateways and yes that's done using using this configuration right here so what we'll do next is kind of bootstrap the other data center so what we will do is I'll show you the I'll actually export this configuration so it's ready to be consumed I'm just gonna export it to a KML file here and then what I'll do is I'll apply this configuration on the second cluster on the west cluster as you can see the context is West here and that'll create the secret so that's all ready so what I'll do is actually switch over to this side here and show you and actually watch the cluster here as well so this is us all right so I'm gonna watch for pods and secrets and then there's of course is a blank cluster and then we have a secret the console Federation secret that's that's only the only secret that's on here all right now I could you show you the the best configuration so the best configuration is similar to the East one the only difference is we are providing this TLS we can even care less and actually providing the two certificates using a secret which we just created the console Federation secret so we need that and I mean a blink Federation and again it's the same and then we also providing the server configuration that I showed you with the primary data center and the IP address for the for the proxy there and then we're doing a console inject and then we also basically allowing the mesh Cape it to be enabled as well so fairly simple configuration I'm not gonna go into it too much here so what I'll do is now actually install him install console in this cluster alright and then you'll see and use the helm values and I'm using the best cluster now so you'll see the the same type of which trapping happen here you see the you see the in the in TLS init container come online and then you'll see the the bunch of servers and clients and stuff and that'll take about three or four minutes okay now I can answer that question and I wasn't trying to the question so yeah so yeah I think we have we have actually a page open up the page and I'll open this up I think we have a dedicated page for this so overview and since this is a live stream I can actually do this which is really nice I could not do this on a prep night so I think we have a concert regardless I can't find it right now but we have a console you know page that kind of defines the differences between is the on console and what's different so yeah I think the the key the key differences are that you know the idea of an intention is fairly new to just the console and then we have you know the multi data center support which allows you to kind of have console running anywhere so what's different here is that it doesn't matter if you have you know your services on a VM you can actually create which type of whole new data center for your VM and your on-prem and actually you know run console there and connected connected via the same kind of connect mechanism that you saw and the services you know notion is the same between kubernetes and on tram at the services notion and can be l7 support and all the features that we just saw they just apply and the exact same way for both and the bootstrapping is the exact same in the services service intention communication is the exact same and so yeah you get a lot of benefits just just by kind of you kind of look at console as a kind of a global service catalog and and you can have you know and heterogeneous data center which means you might have multiple kubernetes clusters but one on Prem VMware based vm PM said that you're gonna have controlling a and then you might have some VMs indeed and databases that are running on dedicated VMs on your cloud provider as well and all of that can be connected using and you wouldn't need you wouldn't need a consult and you wouldn't need a kubernetes control plane on your vm side as well due to kind of good strap all of that so it's all done via wire this multi data center approach that's kind of a big difference yeah and Akash min she was asking can I use console connect with Red Hat OpenShift and that pretty much answers it it's it's a host agnostic it's its environment agnostic VM as well and that's another big thing that I talk to a lot of people about it like conferences when when conferences were happening was how do i connect how do I connect to via console or some mechanism to my VMs and console was the answer there's one one person here and I think it's Chris I apologize if not console Connect seems great but I had an issue with Connect sidecar pattern using inject and job in a kubernetes world never going to completion because the sidecar never ends hope to see it fix yeah yeah if that's an issue like please bring it up to to our github github repo and and please create an issue there if that's that's an issue that you seeing repeatedly and ple se provide like logs like you know a bunch of logs may be the version stuff like that and the console core game and and then the service smash team will kind of look into that and we also have a discussion forum which is discussed or a sheik or calm it has a console category so maybe someone's already asked a question and you've already answered it so check that out there and I'll defer those questions to our to our console team is there experts in this stuff all right so what I'll do here is now we have this okay at the cluster is actually ready as you can see we have everything running everything's good trapped you know this is a brand-new cluster that we just bootstraps AK which is a completely different data center running in West closer to me where I am in Vancouver and so what I'll do now is actually do this this one command that will is the defining command for this live stream which is like did we actually bootstrap this successfully and so if I do a councilmembers but look at the van members which are like oh the over that mask a way that I was talking about and this will show you all the servers in all of your data centers sooner then do that hopefully this works yeah so you see tangled that what I was so yeah here you have here you have six of these instances you know few running in the east these are all servers and then the one running in the West what you'll notice this that what Zack was mentioning earlier is the site the the side of blocks are all laughing so you don't care whether like you know you actually don't care about how your networking these things it doesn't matter with console you just need the meshes to be public the the mesh gateways to be to be public and you connect them make sure this connectivity between them that's all you need to care about and the rest will this work so this is this is how easy it is to kind of bootstrap the other data center all right so now what we lose as I said let's move that V 2 versions act onto to west cluster so then what I have is a special Yammer here which is API we do you us us best newest best one yeah I'm alright and this is also part of the tutorial you can check it out this is very very different from that API v1 v2 because it has another text which says hello from V to us well so that's the old the only thing that's different again again we're not doing something fancy there's the the annotations are the same you know you're not doing anything fancy again not creating any separate C IDs and virtual services and multiple clusters no he's just going to create this one deployment so yeah we'll do this we'll just apply the Yammer here cube city of context West and I'm gonna apply the version two of the application and that's going to be the only thing that's running in inner West data center here alright so that's gonna bootstrap and take a little bit so what I'll do is actually show you show you yeah so what show you the the you know the services that that'll actually allow you to allow you to connect the two data centers and see how we can kind of kind of simulate a failure so before doing that I'll clean up the resolvers that had created earlier so it feels like clean after the service splitter quick question me sure is there a limit to the number of mesh gateways you can run in terms of like auto-scaling know you can so yeah that's another thing that's a good point so you can actually run multiple mesh gateways it doesn't matter what we do is we actually load balance we actually go between them and so we discover all of them because it's again all using such services at heart right so service mesh gateway is actually a service and console as you can see right there so when we when console itself request for mesh gateways you get to as the answer and then we direct traffic towards them in the future we might actually hopefully add some features like you know you know it may be prefer one gateway over the other in terms of instances I don't know if that's a cool feature but I don't know if that's even in the roadmap actually I shouldn't be I should but I would be cool but on the other hand like this this is this is how the mesh game is defined yeah so just define using the same service you know notion in console and you can have multiple instances running ok I'm gonna quickly go yeah few minutes left what I'll do now is create create a failover a resolver so so here's a new new way of kind of defining failures and it's very complex very sophisticated as you can imagine if I open this failover convey it's actually only eight lines it says it says hey you know just failover for you know for the API service failover to the uswest one data center if there's no healthy instances running in East data center so now cool thing here is that this is an array of data center so if let's say you have other you know you know console data centers to let you rest one you know you know is your Pacific and so on so you can just keep adding them here so in in the order of preference will just basically failover one after the other so if don't if you don't find healthy instances and invest will fail over to the one in you then and the Asia Pacific and so on and we keep going and this is how easy it is to define that failover for everything alright so now what we'll do is actually create this failover one second this failover crusade which is a service resolver and then this is this is the config that you already saw so as soon as if I hit enter you should create a failover contain so nothing nothing has changed you still kind of you know dividing traffic between v1 v2 nothing happening crazy going crazy right now in the in the East data center right no problem no issues all right now we're gonna simulate a full outage for the v1 service and v2 services that are running in East and then failover to the west and we'll see how it works this is the kind of the closing the closing demo Wow moment hopefully this works all right so I'm gonna delete deployment is dangerous okay don't do this in production if you wanted me to and I'm sure no one said no one has done this in production right deleted service oh no that never happens yeah so again watch these things and go down and then watch the the logs here and see what happens here all right all right one two three demo gods I'm gonna delete the two instances and immediately we fail over to the West yeah and it's instant it just it's so interesting how how quickly it happens to me I mean even even seeing this before just how fast there there's no that's sub-second I don't know it's ridiculously fast it is it's really fast and I really like that how like easy it is to actually define the failover configs okay I'll show you the other data center actually quickly if I switch to the West one so here's the West data center and it only has that one API service that's running in there and yeah the responses are coming from the other API as you can see that there are sophisticated echo text message that says R Us past and I apologize didn't have any fancy you eyes for this live stream but wanted to keep things simple so that people understand what's going on yeah so within I guess within like half an hour so we kind of got all of our stuff done we got a full new brand new data center we got if you want to use if you use it yes it takes about like what three minutes to get a cluster actually its way back it used to be really painful but it's it's not so painful anymore yeah yeah it's it's really fast that I really appreciate that I said yeah so once those clusters are online install console on them you know connect them using that that the hem chart use the ham chart like the console team has done an amazing job you automate a lot of your operational bits using the Hampshire it also has options for pretty much anything so off the console kind of config including the hem char config is actually configurable using values so let's say you don't want to do cell science TLS Ertz you have your own CA in your company use that and bootstrap the whole thing try out the l7 features there's many features that we have the roadmap going forward as well for console 1/9 and beyond but yeah I think this is what we have in terms of like kind of some basic features I know we have another live stream plan that you want to use that yeah so we we're gonna do another one I don't know how soon that's gonna be we'll have to figure out the timing for that but what we're even gonna cover I don't even we're basically going to expand on this this live stream that we've we've done today exactly so you're gonna cover I think we probably will want to cover like other feature like maybe terminating gateways I talked about like hey how you can kind of redirect traffic to on prime and things like that's right yeah yeah we will definitely want to show like the what make sure I mentioned earlier the VM basically outside of kubernetes communication what that looks like I still get a lot of questions about people like from people saying hey we've still got on prim stuff we're trying to get into this cloudy you know world but it's we can't just make that cut over like this we need to step this through and so something like that could be totally helpful yeah and I think that's all we have today and I think the links are on on the livestream and there's you know all the other things that you need all the things that you need for that for forgetting the setup that we did today in the in that V meets like step by step and you create an issue on that project if you feel that there's some clarification that's required it's basically a step by step guide and then you can check out the learn platform it has a full guide on that Multi multi cluster situation we showed in the in this in this livestream yeah I hope you all enjoyed this this was really fun to do exact and really appreciate collaborating with me on this one and you know helping me through said that the AKS bits and and and things like that's what they I really appreciate the time and thanks everyone for watching ya know this was awesome and this was I mean it was totally it's I like this format better I like this format better than a webinar personally and I hope everybody enjoyed we had some great some great viewers and chatters asking some awesome questions if you all need anything after this piece please feel free to reach out to to either Mishra or myself we're both on Twitter we're kind of all over the place so you can you'll find us somewhere and yeah and I know there was a question about where that learned document that you have up is but it's actually linked inside of the readme on the repository so if you go to hash eco slash console - live stream - one that's that's listed here on the screen right now that in that readme you'll find a URL that'll take you to that directly to the learn page that me sure has that right right here that's linked right here in the tutorial so yeah check that out perfect cool cool cool yeah Chris Chris is saying we need more of this I agree I think we're gonna try to keep this rolling and and just I mean it's fun it's nice to connect with the community in this way webinars to me feel very prescriptive and it's like you know we're gonna show you all this stuff you can ask us questions but I like I like the interactive a lot more personally so I'd like to see if we can keep this rolling with just all kinds of different technologies and we can take lead from community as well if you have ideas please let us know yeah please do I really I think I'd really enjoy the format as I mentioned yeah I just it's just a little bit more more raw and let's see like I into into like doing this together and I really enjoy that and yeah like things I'm sure like things would fail in and you know it's even more interesting when that happens and you can kind of recover live which is exciting as well yeah for sure for sure and this is this has been really interesting because we're I'm in Texas and Mishra is in Vancouver and so to get this set up to where this worked this way was kind of trying but it's interesting to figure that out as well so it's it's been a very very fun process yeah I would love for you to talk about well maybe maybe in a blog post or something like how you how you set up your stream because it's just amazing LED lights behind you and just for everybody just so you know I I twitch stream as well and so I had some of this stuff previously set up but this was different trying to have dual presenters across kind of across the world so this has been really interesting cool all right well I think that's it for us if you'll have any questions please let us know thanks again for hanging out with us and have a beautiful day take care everyone stay safe bye everybody you