Cloud-Native with Spring
#GFTacademy Warszawa
GFT GROUP
#GFTacademy
Agenda
30/01/2018
17:30 - Introduction to cloud-native applications
18:00 - Live coding sessions:
  a. Get started with Spring Cloud
  b. Microservices communication
19:00 - Break
19:10 - Live coding sessions:
  c. Routing in the cloud
  d. Security in the cloud
20:00 - Discussion
20:10 - Pizza/networking
Intro to cloud-native applications
#GFTacademy Warszawa
Why are we here?
▪ Cloud is a hot and sexy topic
▪ Cloud migration is a natural software evolution
▪ We like the Spring Cloud Framework
▪ Used by the largest companies like Netflix
Cloud-Native application architecture
▪ There are as many cloud-native application architecture definitions as there are people using this term
▪ In general, cloud-native describes an approach to designing, building and running applications that combines the advantages of container packaging, dynamic management, microservices-oriented architecture and the cloud computing model
▪ The overall objective/motivation is to improve speed, scalability and margin, and to reduce risk
▪ Cloud-native applications are about delivering business value while reducing risk
Objective and motivation
▪ Increase speed - first in the marketplace wins; this is especially important in IB
▪ Be able to scale - improve performance without larger servers
▪ Increase margin - simply spend less on hosting
▪ Reduce risk
  ▪ Monitoring, metrics, alerting
  ▪ Fault isolation
  ▪ Fault tolerance
  ▪ Automatic recovery
▪ Mobile first, client diversity
Speed
▪ Speed wins in the marketplace
▪ Usually the processes in big companies are very slow (weeks or months to deliver a new version to production)
▪ The goal is to be able to deliver even every day
▪ Use an API to create a new environment
▪ Use an API to deploy the app
▪ Use CI to speed up all processes
Reduce the risk
▪ Recover from mistakes
▪ Monitoring and alerting
▪ Fault isolation
▪ Fault tolerance
Scale and margin
▪ Be ready to handle the increased demand
▪ Scale horizontally rather than vertically
▪ Improve performance without larger servers
▪ Speed up deployment
▪ Speed up maintenance
Mobile first, client diversity
▪ Interact with the platform seamlessly
▪ Hide the internal topology
▪ Route traffic based on client type
Cloud-Native characteristics
▪ Twelve-Factor Applications: a set of patterns for cloud-native apps
▪ Microservices architecture: small decoupled components
▪ Self-service infrastructure: IaaC, CaaC, containers etc.
▪ API collaboration
Live coding
#GFTacademy Warszawa
Setup
▪ Clone sources – we will use multiple branches
  ▪ https://github.com/rakk/spring-cloud-training
▪ Clone configurations
  ▪ https://github.com/rakk/spring-cloud-training-configuration
▪ Import the project into your IDE
▪ Tools and libraries
  ▪ JDK 1.8
  ▪ Maven 3
  ▪ Node.js 8.9.4
  ▪ GIT
▪ Install http server
  ▪ run: npm install http-server -g
Why Spring Cloud Framework
▪ Spring Cloud provides a set of features that all components in a distributed system either need or need easy access to when required
▪ Well known, with a big community
▪ Well documented
▪ Mature solution built on top of Netflix OSS
▪ Production ready
Scope
▪ Discovery (Eureka)
▪ Config store
▪ Hystrix
▪ Feign
▪ Zuul
▪ Spring Cloud Security + OAuth2
▪ Spring Boot Admin
▪ Zipkin
What are we going to do?
▪ We will show you how to use Spring Cloud components to solve common problems in cloud-native application architecture
▪ We will build a sample microservices platform using Spring Cloud
▪ Each chapter will have some theory
▪ We are not going to teach you Spring Boot
▪ We are not going to teach you OAuth2
▪ We will try to answer all your questions during the coffee break, right after the presentation and through emails even months after the event
Application architecture
Get started
Discovery
▪ Problem: find all running services and group them by service name
▪ Central place for a list of our services
▪ Server + client
▪ Server:
  ▪ annotation: @EnableEurekaServer
  ▪ dependency: spring-cloud-starter-netflix-eureka-server
▪ Client:
  ▪ annotation: @EnableDiscoveryClient
  ▪ dependency: spring-cloud-starter-netflix-eureka-client
  ▪ property: eureka.client.serviceUrl.defaultZone=http://localhost:9021/eureka
▪ Other features: zones, replicas, integration…
Spring Cloud Config
▪ Problem: tracking, managing and deploying configuration
▪ Central place for all your configuration
▪ Server + client
▪ Server:
  ▪ annotation: @EnableConfigServer
  ▪ dependency: spring-cloud-config-server
  ▪ property: spring.cloud.config.server.git.uri=https://yourgitrepo/configuration
▪ Client:
  ▪ dependency: spring-cloud-starter-config
  ▪ property: spring.cloud.config.uri=http://localhost:9020 in bootstrap.properties
▪ Other features: pattern matching, vault, refresh…
Spring Boot Admin
▪ Problem: services management
▪ Central place for administrative tasks like: updating the log level, viewing logs, running JMX…
▪ Server + client
▪ Server:
  ▪ annotation: @EnableAdminServer
  ▪ dependencies:
    ▪ de.codecentric:spring-boot-admin-server
    ▪ de.codecentric:spring-boot-admin-server-ui
▪ Client:
  ▪ dependency: de.codecentric:spring-boot-admin-starter-client
  ▪ property: spring.boot.admin.url=http://localhost:9024
Hystrix
Agenda
19/02/2018
1. Problem description
2. Hystrix – Circuit Breaker implementation
3. Live coding – adding Hystrix to the project
4. Hystrix features
5. Live coding – configuring Hystrix
Architecture
Problem to solve
Diagram: the Lending Service (Take out loan → Loan, Return loan → Returned loan, Get loan, Get available securities → Securities) calls the Securities Service (Incur debt → Debt, Return debt → Returned debt).
Problem to solve
Diagram: the Securities Service answers Incur debt with Error, so Take out loan, Return loan and Return debt in the Lending Service fail as well.
Problem to solve
Diagram: many concurrent Take out a loan requests reach the Lending Service while its Incur debt calls to the failing Securities Service keep returning Error.
Problem to solve
Diagram: many concurrent Take out a loan requests pile up in the Lending Service while its calls to the Securities Service hang until Timeout.
Hystrix – live coding
Diagram: the Lending Service wraps Incur debt in a Circuit Breaker. While the Securities Service is turned off (circuit open), the fallback answers Take out loan with a PendingLoan (loan in pending state); once the Securities Service is turned on again the circuit is reset and Incur debt returns Debt and Take out loan returns Loan.
Hystrix – live coding
▪ Add dependency spring-cloud-starter-hystrix to Lending Service
▪ Add dependency spring-cloud-starter-hystrix-dashboard to Lending Service
▪ Turn on Hystrix by adding annotation @EnableCircuitBreaker to LendingServiceApplication
▪ Add @EnableHystrixDashboard annotation to LendingServiceApplication
▪ Add @HystrixCommand annotation to methods from LoanService
▪ Implement fallback methods
▪ Add configuration properties:
  ▪ hystrix.command.default.execution.isolation.thread.timeoutInMilliseconds=20000
  ▪ hystrix.command.default.circuitBreaker.requestVolumeThreshold=5
  ▪ hystrix.command.default.circuitBreaker.errorThresholdPercentage=50
  ▪ hystrix.command.default.metrics.rollingStats.timeInMilliseconds=600000
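An added example, not the workshop's code, modelling the decisions behind the properties above: the circuit trips once at least requestVolumeThreshold calls in the rolling window have failed at errorThresholdPercentage or more, short-circuits straight to the fallback while open, and resets after one successful trial call. The sleep window (Hystrix's default of 5000 ms, not on the slide) and the injectable fake clock are assumptions; the thread timeout is not modelled because the example runs synchronously.

```python
import time
from collections import deque

class CircuitBreaker:
    def __init__(self, request_volume_threshold=5, error_threshold_percentage=50,
                 rolling_stats_ms=600_000, sleep_window_ms=5_000,
                 clock_ms=lambda: time.monotonic() * 1000):
        self.volume = request_volume_threshold       # minimum calls in the window before tripping
        self.error_pct = error_threshold_percentage  # failure percentage that trips the circuit
        self.window_ms = rolling_stats_ms            # rolling statistics window
        self.sleep_ms = sleep_window_ms              # assumption: Hystrix default sleep window
        self.clock_ms = clock_ms                     # injectable clock for deterministic runs
        self.events = deque()                        # (timestamp_ms, failed) samples in the window
        self.opened_at = None                        # None while the circuit is closed

    def state(self):
        if self.opened_at is None:
            return "closed"
        return "half-open" if self.clock_ms() - self.opened_at >= self.sleep_ms else "open"

    def _record(self, failed):
        now = self.clock_ms()
        if self.opened_at is not None:               # outcome of the single half-open trial call
            self.opened_at = now if failed else None # failure: stay open; success: reset
            if not failed:
                self.events.clear()
            return
        self.events.append((now, failed))
        while now - self.events[0][0] > self.window_ms:
            self.events.popleft()                    # drop samples outside the rolling window
        total = len(self.events)
        failures = sum(1 for _, f in self.events if f)
        if total >= self.volume and failures * 100 / total >= self.error_pct:
            self.opened_at = now                     # trip the circuit

    def execute(self, command, fallback):
        """Run command through the breaker; returns (result, outcome)."""
        if self.state() == "open":
            return fallback(), "short-circuited"     # fail fast without touching the dependency
        try:
            result = command()
        except Exception:                            # a Hystrix timeout is classified the same way
            self._record(failed=True)
            return fallback(), "fallback"
        self._record(failed=False)
        return result, "success"

def demo():
    """Securities Service down: 5 failures trip the circuit, the 6th call is short-circuited, one good trial resets it."""
    clock = [0.0]                                    # constructed fake clock, in ms
    cb = CircuitBreaker(clock_ms=lambda: clock[0])
    def incur_debt():
        raise ConnectionError("securities-service unreachable")
    outcomes = [cb.execute(incur_debt, lambda: "PendingLoan")[1] for _ in range(6)]
    states = [cb.state()]
    clock[0] += 6_000                                # past the sleep window -> half-open trial
    outcomes.append(cb.execute(lambda: "Debt", lambda: "PendingLoan")[1])
    states.append(cb.state())
    return outcomes, states
```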
Hystrix – key features
▪ Isolation modes
▪ Request collapsing
▪ Request caching
Isolation mode – Thread pool (default)
Diagram: the Lending Service calls the Securities Service through a Securities Service Client backed by a dedicated Securities Service Thread pool (Thread 1, 2, 3); a Timeout or a Thread-pool rejection triggers the fallback.
Isolation mode – Thread pool (default)
Diagram: inside the Lending Service each dependency gets its own pool (Securities Service Thread pool and Other Service Thread Pool, Thread 1, 2, 3 each); when the Securities Service pool is exhausted its calls go to the fallback while Other Service calls proceed unaffected.
Isolation mode – Thread pool and Semaphore
Diagram: the Lending Service guards the Securities Service Client with a Securities Service Semaphore (callers run on the caller's threads, Thread 1, 2, 3), while the Other Service Client keeps a separate Other Service Thread Pool (Thread 1, 2, 3).
Isolation mode – Thread pool vs Semaphore
Thread pool:
▪ Default isolation mode
▪ Thread pool per dependency - isolates the dependency from the application and from other dependencies
▪ Thread pool clears up automatically when the dependency becomes healthy
▪ Condition and metrics of the thread pool represent the health and performance characteristics of the related dependency
▪ Adds computational overhead
Semaphore:
▪ Limits the number of concurrent calls to any given dependency
▪ Synchronous approach
▪ No timeouts
▪ Applicable to fallback and command execution
Request collapsing
Diagram: in the Lending Service a Collapser batches the calls from the Securities Service Client before they pass the Securities Service Semaphore (Thread 1, 2, 3) on their way to the Securities Service.
▪ Reduces the number of threads and network connections needed to perform concurrent HystrixCommands
▪ It can be done at global and user request context level
▪ Simplifies API design since optimizations are done by Hystrix
▪ Increases latency before the actual command is executed
Request caching
Diagram: three calls with the same Id: REQ1 from the Securities Service Client are answered once from the Lending Service Cache, so only one of them passes the Securities Service Semaphore (Thread 1, 2, 3) to the Securities Service.
▪ Deduplicates calls within a request context in a concurrent-aware manner
▪ Data retrieval is consistent throughout a request
▪ Eliminates duplicate thread executions
Hystrix - summary
▪ Protects from failures of dependencies accessed via client libraries
▪ Reduces the risk of cascading failures in a distributed system
▪ Isolates points of failure
▪ Fails fast and rapidly recovers
▪ Offers graceful degradation and a fallback mechanism
▪ Gives control over latency
▪ Enables near real-time monitoring, alerting and operational control
Resources
▪ https://github.com/Netflix/Hystrix/wiki
▪ https://github.com/Netflix/Hystrix/tree/master/hystrix-contrib/hystrix-javanica
▪ http://cloud.spring.io/spring-cloud-netflix/single/spring-cloud-netflix.html#_circuit_breaker_hystrix_clients
Feign
Agenda
1. Problem description
2. Feign features
3. Live coding – adding Feign to the project and integrating it with Hystrix
4. Live coding – enabling Hystrix Dashboard
Problem to solve
Diagram: the Lending Service (Apache CXF Client) calls the Securities Service (REST Server) endpoints POST /debt, PUT /debt/{debtId} and GET /debt/{debtId}.
Apache CXF Client
Client client = ClientBuilder.newBuilder().newClient();
WebTarget target = client.target("http://localhost:9001");
target = target.path("debt").queryParam("id", "1");
Invocation.Builder builder = target.request();
Response response = builder.get();
Debt debt = builder.get(Debt.class);
Spring RestTemplate
RestTemplate restTemplate = new RestTemplate();
restTemplate.getForObject("http://securities-service/debt/1", Debt.class);
• Hard to write
• Hard to understand
• Hard to test
Feign – live coding
Diagram: the Lending Service calls the Securities Service through a Securities (Feign) Client; Ribbon picks the instance (with Eureka for discovery) and the call runs in the Securities Service Thread Pool (Thread 1, Thread 2, …, Thread n).
Feign – main features
▪ Declarative web service client with minimal code overhead
▪ Seamless integration with Spring Cloud technologies
▪ Pluggable annotations (e.g. JAX-RS annotation processing)
▪ Support for various encoders and decoders (Gson, Jackson, Sax, JAXB)
▪ Customizable underlying HTTP client (OkHttp, Ribbon)
▪ Integrates with Hystrix
▪ Simple request interception
▪ Works with any type of text-based API
▪ Makes unit testing much easier
Feign – live coding
▪ Add dependency: spring-cloud-starter-openfeign
▪ Turn on Feign by adding annotation @EnableFeignClients to LendingServiceApplication
▪ Implement SecuritiesClient
▪ Add property: feign.hystrix.enabled=true
▪ Add a SecuritiesClientFallback implementation
▪ Add it to the @FeignClient annotation
Break
#GFTacademy Warszawa
Routing
API Gateway Pattern
▪ The purpose of the API Gateway is to provide a single point of entry for all clients
▪ Benefits
  ▪ Exposes each API to each consumer according to the communication and client types, and handles security since it is the main entry point
  ▪ Abstracts the underlying microservices topology and technologies away from the final consumers
▪ Drawbacks
  ▪ A new layer of complexity in the final microservices solution
  ▪ Additional latency
Application architecture
Zuul and Ribbon
▪ Zuul
  ▪ JVM-based router and server-side load balancer
  ▪ Zuul is built to enable dynamic routing, monitoring, resiliency and security
  ▪ Spring Cloud delivers a Zuul reverse proxy
▪ Ribbon
  ▪ Client-side load balancer
  ▪ Used by Feign and Zuul
  ▪ Can be used with or without Eureka
  ▪ Fully configurable
Zuul configuration
▪ Add dependency spring-cloud-starter-netflix-zuul
▪ Add annotation @EnableZuulProxy
▪ Sample configuration
zuul.routes.ls.path=/ls/**
zuul.routes.ls.strip-prefix=true
zuul.routes.ls.service-id=lending-service
zuul.routes.web.path=/web/**
zuul.routes.web.strip-prefix=true
zuul.routes.web.url=http://localhost:8080
Filters and Fallbacks
▪ Filter: extends ZuulFilter
▪ Fallback: implements FallbackProvider
▪ To use them, create the appropriate beans
@Bean
WebFallback webFallback() {
    return new WebFallback();
}

@Bean
PreLogFilter preLoginFilter() {
    return new PreLogFilter();
}
Ribbon configuration
▪ Customizing the Ribbon client using properties
  ▪ NFLoadBalancerClassName: should implement ILoadBalancer
  ▪ NFLoadBalancerRuleClassName: should implement IRule
  ▪ NFLoadBalancerPingClassName: should implement IPing
  ▪ NIWSServerListClassName: should implement ServerList
  ▪ NIWSServerListFilterClassName: should implement ServerListFilter
▪ Custom server list
▪ Custom server filter
▪ Custom ping
Alternatives
▪ Spring Cloud Gateway
  ▪ Built on Spring Framework 5, Project Reactor and Spring Boot 2.0
  ▪ More powerful than Zuul
▪ Nginx https://www.nginx.com/solutions/api-gateway/
▪ LinkerD https://linkerd.io/
▪ Kong https://getkong.org/
Further reading
▪ Documentation: https://cloud.spring.io/spring-cloud-netflix/single/spring-cloud-netflix.html#netflix-zuul-starter
▪ Performance: https://engineering.opsgenie.com/comparing-api-gateway-performances-nginx-vs-zuul-vs-spring-cloud-gateway-vs-linkerd-b2cc59c65369
Zipkin
▪ Problem: tracing in a distributed system
▪ A unified way to track all requests and data flows
▪ Server + client
▪ Server:
  ▪ annotation: @EnableZipkinServer
  ▪ dependencies:
    ▪ io.zipkin.java:zipkin-server
    ▪ io.zipkin.java:zipkin-autoconfigure-ui:runtime
▪ Client:
  ▪ dependency: spring-cloud-starter-zipkin
  ▪ property: spring.zipkin.baseUrl=http://localhost:9022
Security
Cloud security challenges
▪ Distributed architecture
▪ On-demand scalability
▪ Lightweight services
▪ Usually RESTful communication
▪ Lots of internal communication
▪ Mixed technologies
OAuth 2.0 Security protocol
▪ Don't reinvent the wheel - widely used standard
▪ Single global authorization server
▪ Lightweight and scalable
▪ Stateless clients
It's all about tokens!
AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrqqf_ZT
Application architecture
OAuth 2.0 Single Sign On
▪ Add dependency spring-security-oauth2
▪ Add dependency spring-cloud-security if you are using Spring Cloud
▪ Add annotation @EnableOAuth2Sso
▪ Optionally extend WebSecurityConfigurerAdapter to configure custom behaviour
▪ Sample configuration
security.oauth2.client.clientId=187437898658212
security.oauth2.client.clientSecret=afadac1be1375c2968781d7beafb2e0a
security.oauth2.client.accessTokenUri=https://graph.facebook.com/oauth/access_token
security.oauth2.client.userAuthorizationUri=https://www.facebook.com/dialog/oauth
security.oauth2.resource.userInfoUri=https://graph.facebook.com/me
OAuth 2.0 Authorization flow
▪ Authorization - the function of specifying access rights/privileges to resources
▪ Authentication - the act of confirming the identity of the application user
Application architecture
OAuth 2.0 Resource Server
▪ Add dependency spring-security-oauth2
▪ Add dependency spring-cloud-security if you are using Spring Cloud
▪ Add annotation @EnableResourceServer
▪ Optionally extend ResourceServerConfigurerAdapter to configure custom behaviour
▪ Sample configuration
security.oauth2.resource.id=lending-ui
security.oauth2.resource.userInfoUri=https://graph.facebook.com/me
Application architecture
OAuth 2.0 Application Client
▪ Add dependency spring-security-oauth2
▪ Add dependency spring-cloud-security if you are using Spring Cloud
▪ Add annotation @EnableOAuth2Client
▪ Sample configuration
security.oauth2.client.clientId=187437898658212
security.oauth2.client.clientSecret=afadac1be1375c2968781d7beafb2e0a
security.oauth2.client.accessTokenUri=https://graph.facebook.com/oauth/access_token
security.oauth2.client.grantType=client_credentials
OAuth 2.0 Issues
▪ Client credentials leak enables faking the client
▪ Refresh or Access Token leak grants the attacker all privileges
▪ Base mechanism is susceptible to open redirect and CSRF attacks
▪ Designed to handle user scopes, not roles
▪ Handles authorization, not authentication
▪ Resource Server should validate the token
▪ Access Token invalidation issues
JSON Web Token (JWT)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Header:
{
  "alg": "RS256",
  "typ": "JWT"
}
Payload:
{
  "exp": 1517221510,
  "user_name": "mzzi",
  "authorities": ["ROLE_ADMIN"],
  "jti": "145cde5b-abe2-4d24-a412-0024cd17c641",
  "client_id": "gft-client",
  "scope": ["openid"]
}
Signature:
RSASHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), public_key, private_key)
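An added example, not the slides' code, of the check a resource server performs before trusting the payload above (the "Resource Server should validate token" point): parse the three dot-separated parts, pin the expected algorithm, verify the signature in constant time and reject an expired exp. It uses HMAC-SHA256 (HS256) with a constructed shared secret in place of the RS256 signature shown on the slide because only the standard library is used; the structure is the same, and with RS256 the verifier would check with the authorization server's public key instead. The claims are the slide's, the secret and the timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Claims from the slide's decoded payload and a constructed secret for this example.
SAMPLE_CLAIMS = {"exp": 1517221510, "user_name": "mzzi", "authorities": ["ROLE_ADMIN"],
                 "client_id": "gft-client", "scope": ["openid"]}
EXAMPLE_SECRET = b"constructed-example-secret"   # constructed; real secrets are never hard-coded

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # restore stripped padding

def sign_hs256(claims: dict, secret: bytes) -> str:
    """header.payload.signature, signature = HMAC-SHA256(base64url(header) + "." + base64url(payload))."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, now: float = None) -> dict:
    """What a resource server must do before trusting claims: pin alg, check signature, check exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")           # the verifier, not the token, chooses the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")            # constant-time comparison
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims                                    # only now may authorities/scope be used

def is_valid(token: str, secret: bytes, now: float = None) -> bool:
    try:
        verify_hs256(token, secret, now)
        return True
    except ValueError:
        return False

def demo() -> dict:
    """Genuine token accepted; edited payload, expired token and wrong key rejected."""
    token = sign_hs256(SAMPLE_CLAIMS, EXAMPLE_SECRET)
    header_b64, _, sig_b64 = token.split(".")
    edited = b64url_encode(json.dumps(dict(SAMPLE_CLAIMS, user_name="someone-else")).encode())
    before_exp, at_exp = 1517221000, 1517221510      # constructed clock values around the slide's exp
    return {
        "genuine": verify_hs256(token, EXAMPLE_SECRET, now=before_exp)["authorities"],
        "tampered": is_valid(f"{header_b64}.{edited}.{sig_b64}", EXAMPLE_SECRET, now=before_exp),
        "expired": is_valid(token, EXAMPLE_SECRET, now=at_exp),
        "wrong_key": is_valid(token, b"another-secret", now=before_exp),
    }
```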
JWT use cases
▪ Adding an authentication layer to OAuth (OpenID)
▪ Can be securely passed through a JavaScript app to keep the backend stateless
▪ Trusted service-to-service communication
Further reading
▪ OAuth
  ▪ https://tools.ietf.org/html/rfc6749
  ▪ https://oauth.net/2/
  ▪ https://developers.facebook.com/docs/facebook-login/
▪ JWT
  ▪ https://tools.ietf.org/html/rfc7519
  ▪ https://jwt.io
▪ Spring Security OAuth
  ▪ http://projects.spring.io/spring-security-oauth/docs/oauth2.html
  ▪ https://cloud.spring.io/spring-cloud-security/
Discussion
#GFTacademy Warszawa
Pizza/networking
#GFTacademy Warszawa