Why does service mesh traffic have to pass through a sidecar at both ends of a connection?

This article uses Istio to frame the problem.

1. The problem

The core functions of a sidecar:

  • Outbound features
    • Load balancing
    • Retry and circuit breaking
    • Other
  • Inbound features
    • Other

In my view, apart from load balancing and retry/circuit breaking, which must be done on the outbound side, every other function can be implemented on either the outbound or the inbound side. So one naturally asks: if that is the case, why not proxy only on the outbound side and drop the inbound proxy layer entirely, which would reduce latency?

2. The answer

Here are the hard reasons why the inbound side exists.

  • QUIC
    One of the goals behind the architecture refactoring that the Envoy community is pushing upstream is QUIC; the end goal is to use QUIC as the transport protocol between sidecars. Since the receiving application itself does not speak QUIC, something on the inbound side has to terminate it.
  • mTLS
    TLS (Transport Layer Security) provides the necessary encryption for applications communicating over a network. HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP that relies on TLS for security. TLS requires a CA (Certificate Authority) to issue an X.509 digital certificate to a service; the service presents that certificate to its consumer, which validates it against the CA. mTLS extends the same idea to applications such as microservices, where both the provider and the consumer must present their own certificate to the other party. Each party validates the other's certificate against its respective CA, and only once both validations succeed does the server/client or provider/consumer communication proceed securely. In a mesh the inbound sidecar is the party that terminates TLS for the receiving workload, presents that workload's certificate and verifies the caller's; without it, every application would have to do this itself.
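The inbound side of an mTLS connection, as an added Go standard-library example (not code from the original post or from Istio): a constructed in-memory mesh CA issues certificates to a server workload and a client workload, the inbound listener requires and verifies the client certificate, and the same request is made once with a mesh-issued certificate and once without. The names mesh-ca, reviews.default.svc and productpage.default.svc are placeholders chosen for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"time"
)

// issue returns an Ed25519 certificate for cn signed by parent (nil parent: self-signed, used here as
// the constructed mesh CA). The SAN "localhost" lets callers pin ServerName; a real mesh uses SPIFFE URIs.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey any) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{"localhost"},
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// mtlsOutcomes runs an inbound-side listener that requires and verifies a mesh-issued client
// certificate, then calls it with and without one. A nil error means the request was served.
func mtlsOutcomes() (withCert, withoutCert error) {
	ca := issue("mesh-ca", true, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool,
		Certificates: []tls.Certificate{issue("reviews.default.svc", false, ca.Leaf, ca.PrivateKey)}})
	defer ln.Close()
	// Application code runs only after the listener has validated the peer chain against the mesh CA.
	go http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte(r.TLS.PeerCertificates[0].Subject.CommonName)) }))
	call := func(cfg *tls.Config) error { // the outbound side validates the server against the same mesh CA
		resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get("https://" + ln.Addr().String())
		if err == nil {
			resp.Body.Close()
		}
		return err
	}
	client := issue("productpage.default.svc", false, ca.Leaf, ca.PrivateKey)
	withCert = call(&tls.Config{ServerName: "localhost", RootCAs: pool, Certificates: []tls.Certificate{client}})
	withoutCert = call(&tls.Config{ServerName: "localhost", RootCAs: pool}) // rejected in the handshake; no app code runs
	return withCert, withoutCert
}
```

The rejection in the second call happens inside the TLS handshake, which is exactly the work an inbound sidecar takes off the application.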

William, CEO of Buoyant, once gave this definition of a service mesh: a dedicated infrastructure layer for handling service-to-service communication.

So we should treat all the sidecars as one whole rather than look at them in isolation: connected together, the sidecars form a communication network with its own semantics. Seen this way, whether a feature is implemented on the inbound or the outbound side is merely an implementation detail and not worth agonizing over.