Migrating Hundreds of Legacy Applications to Josef Adersberger, CTO,

Similar documents
Patterns and Pains of Migrating Legacy Applications to Kubernetes Josef Adersberger & Michael Frank, QAware Robert Bichler, Allianz Germany

Container-Native Applications

ENHANCE APPLICATION SCALABILITY AND AVAILABILITY WITH NGINX PLUS AND THE DIAMANTI BARE-METAL KUBERNETES PLATFORM

Lessons Learned: Deploying Microservices Software Product in Customer Environments Mark Galpin, Solution Architect, JFrog, Inc.

Service Mesh and Related Microservice Technologies in ONAP

MSB to Support for Carrier Grade ONAP Microservice Architecture. Huabing Zhao, PTL of MSB Project, ZTE

A Comparision of Service Mesh Options

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

NGINX: From North/South to East/West

Which compute option is designed for the above scenario? A. OpenWhisk B. Containers C. Virtual Servers D. Cloud Foundry

Cloud Native Architecture 300. Copyright 2014 Pivotal. All rights reserved.

Run Stateful Apps on Kubernetes with PKS: Highlight WebLogic Server

How to Keep UP Through Digital Transformation with Next-Generation App Development

API, DEVOPS & MICROSERVICES

TEN LAYERS OF CONTAINER SECURITY

OPENSHIFT 3.7 and beyond

Continuous Delivery for Cloud Native Applications

The Road to Istio: How IBM, Google and Lyft Joined Forces to Simplify Microservices

[Docker] Containerization

ACCELERATE APPLICATION DELIVERY WITH OPENSHIFT. Siamak Sadeghianfar Sr Technical Marketing Manager, April 2016

Red Hat Roadmap for Containers and DevOps

70-532: Developing Microsoft Azure Solutions

Why Kubernetes Matters

Handling Microservices with Kubernetes - Basic Info

Managing your microservices with Kubernetes and Istio. Craig Box

Service Mesh and Microservices Networking

Cloud Native Security. OpenShift Commons Briefing

Cisco Container Platform

SBB. Java User Group 27.9 & Tobias Denzler, Philipp Oser

Accelerate at DevOps Speed With Openshift v3. Alessandro Vozza & Samuel Terburg Red Hat

The four forces of Cloud Native

70-532: Developing Microsoft Azure Solutions

How to Re-Architect without Breaking Stuff (too much) Owen Garrett March 2018

Microservices with Red Hat. JBoss Fuse

Kubernetes Integration Guide

WHITEPAPER. Embracing Containers & Microservices for future-proof application modernization

Container-Native Storage

Oh.. You got this? Attack the modern web

Designing MQ deployments for the cloud generation

Zero to Microservices in 5 minutes using Docker Containers. Mathew Lodge Weaveworks

Performance Testing in a Containerized World. Paola Rossaro

Service Mesh with Istio on Kubernetes. Dmitry Burlea Software FlixCharter

TIBCO Cloud Integration Security Overview

Delivering Microservices Securely and at Scale with NGINX in Red Hat OpenShift. November, 2017

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

Dynamic App Services in Containerized Environments

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

EASILY DEPLOY AND SCALE KUBERNETES WITH RANCHER

AGILE RELIABILITY WITH RED HAT IN THE CLOUDS YOUR SOFTWARE LIFECYCLE SPEEDUP RECIPE. Lutz Lange - Senior Solution Architect Red Hat

To Kill a Monolith: Slaying the Demons of a Monolith with Node.js Microservices on CloudFoundry. Tony Erwin,

Istio. A modern service mesh. Louis Ryan Principal

Kuberiter White Paper. Kubernetes. Cloud Provider Comparison Chart. Lawrence Manickam Kuberiter Inc

ISTIO 1.0 INTRODUCTION & OVERVIEW OpenShift Commons Briefing Brian redbeard Harrington Product Manager, Istio

The Long Road from Capistrano to Kubernetes

Microservices at Netflix Scale. First Principles, Tradeoffs, Lessons Learned Ruslan

GoDocker. A batch scheduling system with Docker containers

OpenShift Roadmap Enterprise Kubernetes for Developers. Clayton Coleman, Architect, OpenShift

Four times Microservices: REST, Kubernetes, UI Integration, Async. Eberhard Fellow

CASE STUDY Application Migration and optimization on AWS

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

CHALLENGES IN A MICROSERVICES AGE: MONITORING, LOGGING AND TRACING ON OPENSHIFT. Martin Etmajer Technology May 4, 2017

SERVERLESS APL. For now this is just research in Cloud technologies in SimCorp A/S.

Open Cloud Engine - An Open Source Cloud Native Transformer

DevOps Course Content

IBM Compose Managed Platform for Multiple Open Source Databases

Security oriented OpenShift within regulated environments

Go Faster: Containers, Platforms and the Path to Better Software Development (Including Live Demo)

Etanova Enterprise Solutions

Serverless Architecture Hochskalierbare Anwendungen ohne Server. Sascha Möllering, Solutions Architect

Kubernetes The Path to Cloud Native

How to re-invent your IT Architecture. André Christ, Co-CEO LeanIX

EVERYTHING AS CODE A Journey into IT Automation and Standardization. Raphaël Pinson

AWS Lambda. 1.1 What is AWS Lambda?

The importance of monitoring containers

Document Sub Title. Yotpo. Technical Overview 07/18/ Yotpo

HySecure Quick Start Guide. HySecure 5.0

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

Microservices. Chaos Kontrolle mit Kubernetes. Robert Kubis - Developer Advocate,

Developing Kubernetes Services

Building a Kubernetes on Bare-Metal Cluster to Serve Wikipedia. Alexandros Kosiaris Giuseppe Lavagetto

OpenIAM Identity and Access Manager Technical Architecture Overview

CONTAINERS AND MICROSERVICES WITH CONTRAIL

MODERNIZING TRADITIONAL SECURITY:

#techsummitch

SQUASH. Debugger for microservices. Idit Levine solo.io

Defining Security for an AWS EKS deployment

AWS FREQUENTLY ASKED QUESTIONS (FAQ)

NGF0502 AWS Student Slides

Fidor Solutions Software Defined Everything and Breaking up the Monolith. marc grimme

Connecting to Mimecast

MICROSERVICES I PRAKTIKEN från tröga monoliter till en arkitektur för kortare ledtider, högre skalbarhet och ökad feltolerans

Cloud Native Java with Kubernetes

Security Precognition: Chaos Engineering in Incident Response

Building a high-performance, scalable ML & NLP platform with Python. Sheer El Showk CTO, Lore Ai

Learn. Connect. Explore.

Enterprise Node.js Support

Getting the Most out of Access Manager

Mesosphere and Percona Server for MongoDB. Jeff Sandstrom, Product Manager (Percona) Ravi Yadav, Tech. Partnerships Lead (Mesosphere)

Advanced Continuous Delivery Strategies for Containerized Applications Using DC/OS

Przyspiesz tworzenie aplikacji przy pomocy Openshift Container Platform. Jarosław Stakuń Senior Solution Architect/Red Hat CEE

Transcription:

proud CNCF member } Migrating Hundreds of Legacy Applications to Josef Adersberger, CTO, QAware @adersberger THE GOOD, THE BAD, THE UGLY

RESILIENT HYPERSCALE SPEED OPEX SAVINGS

Let s bring all our web applications into the cloud! I ve already canceled our current data center contract. CIO

Great goal! But we ll need our time. Chief Architect

Excellent! You ve got one year.

My priorities: (1) Security level (2) Time (3) OpEx savings (4) Migration costs CIO

WE WERE BRAVE 8

AND WE HAD IMPEDIMENTS

THE GOOD

Visibility 11

Let s architect the cloud!

BUILD AND COMPOSED AS MICROSERVICES 3 KEY PRINCIPLES CLOUD NATIVE APPLICATIONS DYNAMICALLY EXECUTED IN THE CLOUD PACKAGED AND DISTRIBUTED AS CONTAINERS

OMG - no greenfield approach!? Hundreds of legacy systems!?

Questionnaire: Typical Questions And Their Motivation 1. Technology stack (e.g. OS, appserver, jvm) 2. Required resources (memory, CPU cores) 3. Writes to storage (local/remote storage, write mode, data volume) 4. Special requirements (native libs, special hardware) 5. Inbound and outbound protocols (protocol stack, TLS, multicast, dynamic ports) 6. Ability to execute (regression/load tests, business owner, dev knowhow, release cycle, end of life) 7. Client authentication (e.g. SSO, login, certificates) What images to provide? How many applications will be hard/ inefficient to schedule (>3 GB RAM, > 2 cores)? What storage solutions to provide? What applications will be hard to impossible to be containerized? Are there any non cloud-friendly protocols? How risky is the migration? Is the migration maybe not needed? What IAM and security mechanisms have to be ported to the cloud?

EAM TOOL SYSTEM PROPERTIES QUESTIONNNAIRES BASIC TOUR-DE-MIGRATION dashboard for information radiator JIRA MIGRATION TASKS CLOUDALYZER XLS STATIC ANALYSIS IBM MIGRATION TOOL QAVALIDATOR SONARQUBE MIGRATION DATABASE freestyle analysis with Tableau 16

Emergent design of software landscapes 17

ALL WEB APPLICATIONS (~400) OLD APPLICATIONS (~200) MORE MODERN APPLICATIONS (~200) Re-architect to run on k8s on AWS lift & shift VMs to AWS EC2

CLIENTS CLIENTS TLS 1.0+ HTTPD WEB LAYER APPLICATION ALMIGHTY LEGACY FRAMEWORK J2EE 1.4 APPSERVER JVM 1.6 JVM 8 TLS 1.2 AWS WEB LAYER OUTER APPLICATIONS API GATEWAY INNER APPLICATIONS ALMIGHTY FRAMEWORK NG JEE 7 APPSERVER DOCKER KUBERNETES / OPENSHIFT (CAAS) all 2-way TLS 1.2 & OIDC identity token mostly non-tls; TCP-Binary, WS, REST, C:D, LDAP Corba, SMTP, FTP, NAS, all TLS 1.2 AWS DB MQ HOST BATCH FS ONPREM DATA CENTER RACF ESB DB MQ HOST BATCH FS RACF ESB ONPREM DATA CENTER

CLIENTS CLIENTS TLS 1.2 TLS 1.0+ HTTPD WEB LAYER APPLICATION ALMIGHTY LEGACY FRAMEWORK J2EE 1.4 APPSERVER JVM 1.6 AWS WEB LAYER OUTER APPLICATIONS API GATEWAY INNER APPLICATIONS ALMIGHTY FRAMEWORK NG JEE 7 APPSERVER JVM 8 DOCKER KUBERNETES / OPENSHIFT (CAAS) all 2-way TLS 1.2 & OIDC identity token mostly non-tls; TCP-Binary, WS, REST, C:D, LDAP Corba, SMTP, FTP, NAS, all TLS 1.2 AWS DB MQ HOST BATCH FS ONPREM DATA CENTER RACF ESB DB MQ HOST BATCH FS RACF ESB ONPREM DATA CENTER

Can we evolve existing enterprise applications into the cloud with reasonable effort? Monolithic Deployment Containerization Microservices Traditional Infrastructure 12-Factor App Principles Cloud-native Apps CLOUD FRIENDLY CLOUD NATIVE CLOUD ALIEN 2

Can we evolve existing enterprise applications into the cloud with reasonable effort? Put the monolith into a container Sweetspot time and value (security, opex) and enhance the application according the 12 factors Monolithic Deployment Containerization Microservices Traditional Infrastructure 12-Factor App Principles Cloud-native Apps CLOUD FRIENDLY 2

Edge Service to the Rescue

BEFORE AFTER CLIENTS CLIENTS EDGE SERVICE MONOLITH BACKEND API GATEWAY MONOLITH BACKEND

CLIENTS TLS 1.2 + diverse user contexts (SAML, Cookie, Header, Certificate, User/Pwd, ) EDGE SERVICE user context Redirect to (S)SO if user context not set / valid but required Change user context to OIDC identity token > 10 IAM SYSTEMS TOKEN PROVIDER API GATEWAY MONOLITH TLS 1.2 + identity token TLS 1.2 + identity token

Web Layer Edge Service <<pod>> Edge Service <<container>> Edge Service Chassis <<spring boot app>> Edge Service Filters Edge Library Token Handling Filter <<pre>> Static Content Filter <<routing>> Auth Plugins Security Filter <<pre>> Netflix Zuul / Spring Cloud Zuul Token API Token Service Token Cache SPI Redis Token SPI Token Provider Spring Boot Spring Framework API Gateway

Sidecars to the Rescue

Container Patterns Applied Sidecar: Enhance container behaviour Pod Ambassador: Proxy communication Log extraction / re-formatting (fluentd) Scheduling (Quartz) TLS tunnel (Stunnel, ghosttunnel) Application Container Pattern Container Other Container Circuit Breaking (linkerd) Request monitoring (linkerd) Adapter: Provide standardized interface Configuration (ConfigMaps & Secrets to files) Design patterns for container-based distributed systems. Brendan Burns, David Oppenheimer. 2016

Kubernets Constraints Initially we thought we ll run into k8s restrictions on our infrastructure like: No support for multicast No RWX PVC available We did. But cutting these application requirements lead to a better architecture in each and every case.

THE BAD

STATE

Databases AWS MONOLITH Activate TLS for all database connections (low effort on application-side but separate project on the database side) DATABASES Databases stay in onprem data center Advantages: ONPREM DATA CENTER onprem/cloud version of the application can run in parallel privacy Disadvantages: latency (no real problem)

Files File persistence is very restricted to keep persistent state completely out of AWS (privacy). No file writes allowed into container No RWX PVC available Files with application data written to PVC must be deleted after 15mins No NAS mounts from onprem data centers into containers allowed Migration tasks for affected applications Store files as BLOB in database or use FTPS

Session State 90% OF THE APPLICATIONS HAVE SESSION STATE 100% OF THE APPLICATIONS HAVE MORE THAN 1 INSTANCE Session Stickyness: not within the cloud! Session Persistence: Within existing application database: performance impact too high for most Redis: no transport encryption out-of-the-box and separate infrastructure required Session Synchronization: Application server: nope, no dynamic peer lookup within k8s In-memory data grid: Hazelcast. Nope. $$$ for TLS. In-memory data grid: Apache Ignite. Done. Embedded within application or standalone in a separate container. Little bit cumbersome but working k8s peer lookup Runs into JIT bug on IBM JVM (some methods have to be excluded from JIT)

DIAGNOS- ABILITY need a DevOps?

Metrics Diagnosability Traces Events / Logs

Metrics Diagnosability Traces Events / Logs

Metrics High effort to instrument for valuable insights Scalability unclear for hundreds of applications Applications have no time to run their own Prometheus instance Scalability unclear for hundreds of applications (Jaeger & ZipKin) Applications have no time to run their own instance Diagnosability Scalability unclear (a lot of events lost) Applications have no time to run their own EFK instance Non-standardized log format requires custom log rewrite adapter but no fluentd DaemonSet Traces Events / Logs

Metrics Traces Events / Logs

SECURITY need a SecDevOps?

We Came Far CLIENTS TLS 1.2 + user context EDGE SERVICE API GATEWAY CLIENTCERT ACL TOKEN CHECK MONOLITH EGRESS RULES BACKEND Two-way TLS 1.2 + identity token Two-way TLS 1.2 + identity token TLS 1.2 + user context security filters included secrets injected at container startup

The Bad: Certificate Management VAR 1: CLOUD NATIVE STYLE CERTIFICATE MANAGEMENT (SPIFFE-BASED, AT SERVICE MESH OR APPLICATION LEVEL) VAR 2: REPLACE BY POLICIES (AT NETWORKING LEVEL) e.g. e.g. SPIRE

THE UGLY String hostrequest = new HostRequest().hostusPokus(message);

CLOUD ENABLING CLOUD ALIENS 44

TOXIC TECH

The Almighty Legacy Framework APPLICATION ALMIGHTY LEGACY FRAMEWORK J2EE 1.4 APPSERVER JVM 1.6 worry-free package framework from the early 2000s with about 500kLOC and 0% test coverage Migration tasks from J2EE 1.4 to JEE 7 and Java 6 to 8 add identity token check and token relay modify session handling (synchronization) modify logging (to STDOUT) modify configuration (overwrite from ConfigMap) enforce TLS 1.2 place circuit breakers predefined liveness and readiness probes Strategies: the hard way: migrate manually and increase coverage decorate with ambassadors, sidekicks and adapters do not migrate parts and replace that API within the applications

~ 100 systems live on target by end of this year (after 8mo) ~ 200 systems live on target by end of first quarter 2018 other ~200 systems migrated by end of first quarter 2018 via virtual lift & shift. They will be migrated onto Kubernetes afterwards 47

That s what we ve learned from migrating hundreds of J2EE legacy apps onto Kubernetes?

No stupid as-is into containers approach!

Getting as close as possible to cloud friendly application principles. Increasing the security level by an order of magnitude!

proud member of the CNCF Q -> A

Thank you! josef.adersberger@qaware.de @adersberger TWITTER.COM/QAWARE - SLIDESHARE.NET/QAWARE

BONUS SLIDES

Industrialization 54

DOZENS OF MIGRATION PROJECTS RUNNING IN PARALLEL (UP TO ~80) Guidance (cookbook, sample application) Development environment (SEU-as-Code) Training sessions Support sessions Standard images Automated Refactorings (RefactoBot) Pre-migrated frameworks SUPPORT TEAM (~10 FTE) Solutions: Edge service, ambassadors INDUSTRIALIZATION TEAM (~6 FTE) ARCHITECTURE TEAM (~2 FTE) Application blueprint (target architecture, migration rules) Migration database

NO SPEAK CLOUD

DMS System APPLICATION POD APPLICATION DMS ADAPTER ONPREM DMS ADAPTER Proprietary (binary) TCP-level on fixed ports Non-encrypted Multiple target servers DMS Hard-coded DNS names as reference to other servers in response dnshostname1.com SVC.HOST1 SVC.HOST2 SVC.HOST3 PODS lbl:host1 lbl:host2 lbl:host3 STUNNEL STUNNEL STUNNEL KUBERNETES ON AWS STUNNEL DMS dnshostname1.com.myapp.svc.cluster.local ONPREM

RUN 8 PLAN Continuous Delivery BUILD Continuous Feedback GRASP

IDE (ECLIPSE, INTELLIJ) INFORMATION RADIATOR Code Status GITHUB ENTERPRISE ARTIFACTORY Trigger Code JARs Docker image Docker image Kubernetes Cluster JENKINS ACCOUNTABILITY PLUGIN deploy RUNNING TESTED APPLICATIONS

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback