API Tests Low Effort API Testing for Microservices | CONFIDENTIAL • What has changed? – Migration to microservices triggering need for extensive API tests • Problem: – Creating API tests is effort effort intensive – Creating + maintainting E2E, service tests, component tests adds up very quickly • What happens if you do not address the problem? – Thorough test coverage can take a lot of time outcome: Just create E2E tests • What is our solution? – Leverage Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API tests • Can also be sped up

#IstioCon Our clusters #IstioCon The problem Running end-to-end tests at Omio is both not efficient and cost-effective #IstioCon How tests are run ● On QA (dev -> PR -> master -> deploy QA … Allow simultaneous tests Only one commit at a time from your microservice #IstioCon 3. Reuse existing infrastructure ● Minimize costs ● Reuse existing infrastructure to run tests #IstioCon Why don’t :get("x-devroute") 3 if string.match(contract, "foo") == nil then 4 return 5 end #IstioCon 6 -- we have a contract match 7 address = contract[“foo”] 8 headers = request_handle:headers()

industry standards and security advisories are clear and detailed. ● Security fixes include regression tests. A�er the manual auditing commenced, the auditing team found that the Istio team had prioritised go#L21 The fuzzers were merged ad-hoc so they could run throughout the audit. At the time of the end of the audit, the these are the stats of the fuzzers: Fuzzer Total executions Total hours of execution features to support A/B testing, canary deployments, rate limiting, access control, encryption and end-to-end authentication. Istio itself is implemented in Go which shields the project from memory-unsafe

istio/istio/manifest/profiles Impact The profiles provided by Istio are likely the ones that will end up being deployed into pro- duction environments. Without a secured, hardened version, users risk deploying interface does not provide many direct means for performing dangerous actions — for example, the POST /tap end- point for intercepting traffic requires a non-default extension to be loaded — it still provides an string.char(tonumber(h, 16)) end) return s end function query(s) local ans = {} for k,v in s:gmatch('([^&=?]-)=([^&=?]+)' ) do ans[ k ] = urldecode(v) end return ans end function envoy_on_request(request_handle)

integrity and privacy protection for sensitive data ○ Strong isolation for multi-vendor services ○ End-to-end security! (not just between middle boxes) ● High performance networking ○ Much higher multi-Gbps solutions to communicate between Legacy VNFs and new CNFs ● Need a stricter security model for end-to-end key protection #IstioCon Legacy VNF  CNF: Option 1 ● Recommended architecture ● But… not adorable Performance & Security #IstioCon Legacy VNF  CNF: Option 3 ● Further performance concerns #IstioCon End-to-end Key Protection ● SDS (Secret Discovery Service) ● A stricter security model ○ Protections for

Satisfaction score 2,836 Unique livestream viewers 1,517 Unique recording viewers 25+ End User Presentations 10 IstioCon Partners Where did people join from? Where did people join from? months. 18.6% New users to the project from beginning of Jan to end of Feb. 87% Of Istio users are new users at the end of February 2021. Impact for the project Source: http://eng.istio.io/

Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end to end in production • Allow platform to use Istio authorization policy to control the access to each

Do you like ? We’re Hiring! cash.app/careers tetrate.io/careers Internal Presentation THE END Internal Presentation Understanding Istio Internal Presentation Cash App EKS -> Cash App EKS Internal

• 入门实践 • 进阶实践 • 概念与生态 #IstioCon ServiceMesher 数据来源：https://cloudnative.to/blog/service-mesh-end-user-survey-report/ 罗广明（百度） 马若飞（Freewheel） 邱世达（Alibaba） 宋净超（Tetrate） 赵化冰（腾讯） 关注的技术 所在行业 工作年限 职位分类

Secure Platform #IstioCon Secure Platform – JWT Verify Using request authentication policy to Verify end-user JWT easily #IstioCon Secure Platform – mutual TLS Using mutual TLS for service-to-service authentication