Add support for service mesh

[astro-stan]

I was debating whether to file this as a "new app" or "feature or enhancement" request. Please attach appropriate labels if needed.

Is your feature request related to a problem? Please describe. I have been looking for a 'set-it-and-forget-it' solution that will allow me to monitor all of the ~apps~ pods running in the cluster, while also providing mTLS for service-to-service communication and other goodies.

I cannot think of a better solution than adding support for a service mesh. A service mesh provides: :heavy_check_mark: Automatic mTLS between services (issuing, rotation, the whole life cycle) :heavy_check_mark: Automatic request retries and/or timeouts :heavy_check_mark: Monitoring and tracing :heavy_check_mark: Fault injection (for simulating failures and observing how they affect your cluster) :heavy_check_mark: Traffic split (canaries, blue/green deploys) :heavy_check_mark: And more...

It does this by injecting a proxy sidecar container into every pod, which allows it to provide all of the above features without altering the application being run.

Describe the solution you'd like Adding support for Linkerd2 and/or Istio would be ideal. Both have advantages and disadvantages but the gist is:

• Linkerd2 - lighter, faster, beginner friendly
• Istio - more resource intensive, harder to set up, but packs more features (although they would probably not be needed for the majority of users)

If I had to choose one, I would say Linkerd2 is the better choice at this stage. Istio can be added later as a more advanced alternative if there is enough interest from the community.

Describe alternatives you've considered There is no suitable alternative to a service mesh as far as I am aware. Well, one can start manually implementing all of the features a service mesh provides, but this becomes harder and harder as the cluster scales or more apps are being added. Therefore, I don't believe this to be a realistic alternative.

Additional context DISCLAIMER I am not very familiar with the Truecharts architecture, and I have only just began looking at the common chart library. However, I am pretty certain that adding support for a service mesh it would not be as easy as adding a new app. It would most likely require changes to the common chart templates. I am available for discussions / clarifications should they be needed.

[PrivatePuffin]

I like the idea, but I think this should be something you should request from iX-Systems to handle, as they create/design the general architecture.

Adding a servicemesh on top of their architecture, is going to ask for a unworkable support burden. In addition, our current user target is only Home/Enthousiast users, which do not require servicemesh. Our future target would be SMB/SME with just a few servers in a cluster, setups which require servicemesh are not really something we see as usecase for those small clusters either.,

Also: SCALE does not support any clustering at the moment, so there is no use for it anyway. Adding servicemeshing for single-node clusters is simply silly.

TLDR: If you need servicemeshing, your deployment scale is basically too big for TrueNAS SCALE and if you want service meshing you most likely are better off completely DIYíng it yourself.

Hence i'm going to close this issues, as even if we're going to add it, it would be 2023 or 2024. We try to only keep issues open for things that are at least aimed to get worked on in a somewhat reasonable timeframe.

That being said If you come up with a nice design, PR's will always be reviewed fairly.

[PrivatePuffin]

In addition: I also know some servicemeshes prefer to have their own CLI tools installed on the host, hence it's better suited as a suggestion to the iX-Systems Jira anyway.

[PrivatePuffin]

I have been looking for a 'set-it-and-forget-it' solution that will allow me to monitor all of the apps pods running in the cluster

It's called prometheus, servicemesh is not primarily a monitoring tool ;-)

[astro-stan]

Hi,

It's called prometheus, servicemesh is not primarily a monitoring tool ;-)

Key point is:

while also providing mTLS for service-to-service communication and other goodies.

(which I have described further down below)

Adding a servicemesh on top of their architecture, is going to ask for a unworkable support burden.

Can you elaborate a bit on that?

EDIT:

adding servicemeshing for single-node clusters is simply silly.

I would disagree. It does not say anywhere (as far as I am aware) that you should not have service meshing in your single node cluster. And adding one brings only benefits - mTLS, monitoring, tracing, retrying, etc. This gives you better security, observability and reliability.

[PrivatePuffin]

Adding a servicemesh on top of their architecture, is going to ask for a unworkable support burden.

Can you elaborate a bit on that?

Complications lead to more support requests on the support discord. I'm the only one capable of adding this and I simply already have a roadmap full for months. On top of that I definately do not have the time to also provide support for Service meshing.

Also: We cannot add the CLI tools for some of those service meshes anyway, we are NOT related to iX-Systems and cannot add things to the core system. IMHO, this is something you should request from iX-Systems, not from us. We are just an application catalogue. Nothing more, nothing less.

[PrivatePuffin]

In terms of security, my current focus is adding support for networkPolicies. I think that's more important at this stage to add, when it comes to security hardening.

[astro-stan]

Hi, Thanks for elaborating.

we are NOT related to iX-Systems and cannot add things to the core system.

I am aware of that. But I don't think we need to at least in the case of Linkerd2. They provide a set of helm charts which can be used for deployment on kubernetes and do not need their CLI tool as far as I am aware.

That being said, the charts look complicated, so I am not sure if I will be able to transform them into Truechart apps by myself, but I will certainly give it a try when I have some free time and make a PR if I succeed.

IMHO, this is something you should request from iX-Systems, not from us.

I did write in their forums after you suggested it yesterday. This is the responce I got: https://www.truenas.com/community/threads/support-for-service-mesh.98055

[PrivatePuffin]

I did not suggest withing on the forum, their developers don't even check it often. I suggest filing an official suggestion on their Jira bugtracker.

[PrivatePuffin]

I would be able to add this, but it would be end of 2022 or start of 2023 at the soon-est. I would also need to discuss it with iX developers and sync roadmaps on it.

[PrivatePuffin]

I'm going to end this discussion however. Because it's not really worth my time, because i'm not going to start working on it for months, even if I wanted to add it.

TLDR:

• I would prefer if iX deploys this and not us.
• This will take a long time because we've more important stuff to bother
• We would need carefull staff consideration before doing so.

You will understand more as soon as our bluefin blog is launched. Our goal is currently stability, which is already taking up all our development time for the next year.

[astro-stan]

I did not suggest withing on the forum, their developers don't even check it often.

Wanted to check if there is an interest before adding it to their jira. I still got a responce from IX systems representative, so that is good.

Anyway, I understand what you are saying, and I am aware it is not an easy thing to achieve. I appreciate what you and all of the people involved with the project are doing. Adding a service mesh to SCALE is not someting I need for a production environment. All of this is just a hobby for me so I am willing to wait as long as I need to to get it.

[PrivatePuffin]

I did not suggest withing on the forum, their developers don't even check it often.

Wanted to check if there is an interest before adding it to their jira. I still got a responce from IX systems representative, so that is good.

Just to be clear: Stating things to morgan does NOT mean it reaches the developers.

[truecharts-admin]

This issue is locked to prevent necro-posting on closed issues. Please create a new issue or contact staff on discord of the problem persists