Envoy must have one of the fastest adoption stories in the history of FOSS. It is excellent software, although the space is full of contenders - Traefik and Istio are also exciting projects!
Istio is service-mesh software with several components and the data plane is Envoy. Linkerd 2 is a competitor with its own data plane.
Traefik is not a service mesh, it's a webserver and reverse-proxy and similar to Nginx and HAProxy, although all of them have been trying to get into this space along with Kong and others.
In the other direction there's also Heptio Contour and Datawire Ambassador that use Envoy as a reverse-proxy.
Currently we wire all of our VPCs into a large network to access services, and that brings with it all of the associated security concerns.
I wonder if moving to something like this would allow us to eliminate the global network and let VPCs run in an isolated context save for services published via mesh.
Look into VPC Endpoint Services, it may address your use case.
"You can create your own application in your VPC and configure it as an AWS PrivateLink-powered service (referred to as an endpoint service). Other AWS principals can create a connection from their VPC to your endpoint service using an interface VPC endpoint. You are the service provider, and the AWS principals that create connections to your service are service consumers."
Apologies, I'm not sure if you are disagreeing with me in any way or not. :)
Envoy is indeed open source and freely-available for corporations to use. That is not what I was implying.
Amazon, out of all the big companies (Google, Netflix, Microsoft etc.), is the one with the least contribution to the open source world, despite using many of open source tools to build their AWS products.
No it isn't. Just because users aren't legally required to contribute doesn't mean that they don't have a moral duty to support the project, if they can. Given Amazon's vast resources I think it is reasonable to feel that they should help out a bit.
Is this really true, though? Looks like Amazon has multiple github accounts with lots of projects, including some high profile ones like Firecracker, etc.
This has become a bit of an interesting topic to me because it keeps being brought up by people who sort of just state it as fact without providing any real argument. How much is enough? One full time developer? Ten? What if the project doesn't want to merge their contributions? Amazon just got killed on HN for open sourcing all of their ElasticSearch work in a separate repository.
I feel like they can't win on open source with some of you guys.
On these figures, Amazon is behind other giants and has fewer contributions that a number of midsize tech companies like Red Hat or Pivotal (my employer).
It looks like that's missing data - including some very big ones. https://github.com/firecracker-microvm/firecracker has quite a few stars and came out in 2018 - no mention. All three of them have contributed to the Linux kernel in significant fashions, and it's not listed for any of them, despite the 72k stars.
And are github repos and stars the only way to measure open source contribution? The Xen project only has 162 stars, yet I don't think anyone would say it isn't an important project, and it's one Amazon has contributed to - if you're using a PV guest on Xen that's protected against Meltdown, chances are high you're using the Vixen mitigation that Amazon released.
Could Amazon do more? Probably. I'm not trying to say they're perfect. But this idea that they don't contribute back to open source seems pretty flawed, even by the data in your link, which seems incomplete.
A lot of folks have complained about this data set, but the author has updated based on feedback. So it'll improve.
But unless Amazon are hiding several hundred contributors and thousands of commits in a repo that's been magically overlooked for years, the figures tend to make them look bad.
It’s tricky to collect Amazon data on this. Amazon contributes back to projects under individual employee developers accounts quite a bit.
For some reason Amazon just doesn’t want to show they had any involvement with that commit and doesn’t care about how it’s seen. From the times I’ve seen it, seems like this might by by design
For core services like a proxy, http server etc, I’m kind of glad when larger companies adopt/support a solid service. I think it validates that choice for other companies, and brings attention/bug fixes etc among other things.
While I generally agree I've found Amazon to be particularly bad at supporting their "hosted open source" products vs what they've built. Dynamo and S3 are much more solid than anything they're just wrapping. I think that's part of why it feels like a cheap money grab.
While I understand where you are coming from, have you used envoy or Ambassador (based on envoy)? They are extremely well designed, especially to address the service routing issues of multi-cloud, Kubernetes, micro services etc. I was extremely happy to see AWS backing envoy. It somewhat confirmed a lot of the research we did in the space.
They don't have to. They're busy serving customers who pay lots of money to have their problems solved, not to pontificate about the morality of building with open-source software.
You're free to set your project's license to whatever you want but why complain when it's used the way you said it can be?
You are probably right in the sense of what-is, that Amazon's moral compass is guided only by legal obligations. That does not make it what-should-be. Companies are groups of people. Decency is not erased when a corporation enters the picture.
Corporations exist for the benefit of the society that grants them their charter and that charter can--and should--be revoked when the corporation acts against the best interests of that society. We do have that power, but we've forgotten about it.
"I expect more of companies and people than their minimum legal obligations."
That's weird ... what do you expect from, say, hammers and blenders ?
I expect people to do nice things and be kind and think of my interests. Simple tools, on the other hand (like screwdrivers and shovels and LLCs and Corporations and family trusts) should just do exactly what they are designed to do - and nothing more.
Fair point. Still, even corporate entities are made up of flesh-and-blood humans. So if those humans benefit substantially more than the original creators of a work then it's reasonable to expect those founders to change their license or stop contributing.
So it's possible that well-funded consumer/producers like Amazon may at times crush, overtake, or otherwise discourage some of the unpaid labor that they benefit from.
(Not trying to make a moral argument. Personally I'm a bit conflicted on consuming and producing FOSS.)
AWS generally doesn’t announce dates for BAA coverage ahead of time, but your account manager may be able to give you a heads-up a couple weeks beforehand if you ask.
One more new cloud service intended to fix what’s wrong with existing cloud services. At what point do you just go back to traditional app architecture with normal servers?
This is all running on normal servers. A service mesh is about communication.
If you're doing any kind of communication between components then that has to be facilitated somehow, and production requirements like security, retries, load-balancing, observability, etc have to live somewhere. A mesh just extracts it all into a single external system.
I thought AWS Xray was the non-transferrable skill that you were supposed to pour your time into and amalgamate into your project to solve this problem.
> shamelessly exploitative of others' work and success
i.e. using open source under the published license? Look, I'd prefer that everyone using open software supports it with public patches, but if it's not under A/GPL or something, then clearly the authors weren't so worried about it. If you don't like others using your work without publishing their changes, use A/GPL. If you don't like others using your work without paying you, go with shared source (and accept that you're writing proprietary software) or use a noncommercial license or something. But don't publish something and then complain that people used it under the exact terms that you published it!
Traditional licenses forced you to contribute back if you used community's code. SaaS changed everything: you can now "leech" software without giving back.
We need a new model. We need to force contribution, because software corporations won't give back otherwise. I've worked for big corps and the bureaucracy will not allow it, even if developers wish to. If we don't force legal departments to comply we will lose the whole culture of freedom we've built in the past 40 years.
After GPL solves this exact problem. The new problem is that no one wants that solution because massive cloud deployments ate business projects not open source hobby nrojects
I think it would be reasonable to require that if you use the open source software for commercial reasons, you must also open source your modifications. The real problem is companies building their proprietary solutions on top of free labor. If they at least had to open source then that would hold back their competitive advantage they are trying to create by not contributing.
So... AGPL? This is not an unsolved problem, unless I'm missing something. And if your answer is that companies won't touch AGPL with a 10-foot pole... why would you expect to get better results with something else?
> We need to force contribution, because software corporations won't give back otherwise
This is untrue; plenty of permissively-licensed projects are supported by code contributions and dedicated paid support by software companies who use their code. You don't need copyleft, much less something new beyond copyleft, to get that.
What Redis and others want gratis-but-proprietary licensing for is to prevent cloud services companies from competing with their SaaS offerings, not to force anyone to “give back”.
How does App Mesh vs Istio shake out? I’ve been reticent to use Istio on GKE but it seems to offer some great features. Something with this basic feature is pretty useful with just a few more micro services, than I current manage.
They're both control planes for envoy proxy. App Mesh is a managed proprietary solution, Istio is open source and self-hosted but there are managed options available. Istio explicitly supports k8s and consul; app mesh doesn't care where the envoy proxies run (great for migrating).
I _think_ Istio is a full knowledge model where everyone knows about everyone else in the mesh, App Mesh is explicit. The configuration pushed to the proxies only have the targets that have been modeled as such in the app mesh model (great for larger organizations).
This is a service mesh like Istio not an API gateway, it's mainly used for automatic and transparent service discovery and load balancing where client and server service endpoints don't have to worry about that, also other features are automatic handling of failure when one server endpoint isn't responding, traffic management, securing communications between services, enforcing L7/L4 kind of a firewall between services, telemetry, etc..., you probably don't want to use a service mesh like this until your software architecture gets really complex
73 comments
[ 3.7 ms ] story [ 130 ms ] threadTraefik is not a service mesh, it's a webserver and reverse-proxy and similar to Nginx and HAProxy, although all of them have been trying to get into this space along with Kong and others.
In the other direction there's also Heptio Contour and Datawire Ambassador that use Envoy as a reverse-proxy.
I wonder if moving to something like this would allow us to eliminate the global network and let VPCs run in an isolated context save for services published via mesh.
"You can create your own application in your VPC and configure it as an AWS PrivateLink-powered service (referred to as an endpoint service). Other AWS principals can create a connection from their VPC to your endpoint service using an interface VPC endpoint. You are the service provider, and the AWS principals that create connections to your service are service consumers."
https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-se...
Yet another Amazon product based on open source software, while still contributing almost nothing to this space.
Permissions: Commercial use, Modification, Distribution, Patent use, Private use
Envoy is indeed open source and freely-available for corporations to use. That is not what I was implying.
Amazon, out of all the big companies (Google, Netflix, Microsoft etc.), is the one with the least contribution to the open source world, despite using many of open source tools to build their AWS products.
This has become a bit of an interesting topic to me because it keeps being brought up by people who sort of just state it as fact without providing any real argument. How much is enough? One full time developer? Ten? What if the project doesn't want to merge their contributions? Amazon just got killed on HN for open sourcing all of their ElasticSearch work in a separate repository.
I feel like they can't win on open source with some of you guys.
On these figures, Amazon is behind other giants and has fewer contributions that a number of midsize tech companies like Red Hat or Pivotal (my employer).
And are github repos and stars the only way to measure open source contribution? The Xen project only has 162 stars, yet I don't think anyone would say it isn't an important project, and it's one Amazon has contributed to - if you're using a PV guest on Xen that's protected against Meltdown, chances are high you're using the Vixen mitigation that Amazon released.
Could Amazon do more? Probably. I'm not trying to say they're perfect. But this idea that they don't contribute back to open source seems pretty flawed, even by the data in your link, which seems incomplete.
But unless Amazon are hiding several hundred contributors and thousands of commits in a repo that's been magically overlooked for years, the figures tend to make them look bad.
For some reason Amazon just doesn’t want to show they had any involvement with that commit and doesn’t care about how it’s seen. From the times I’ve seen it, seems like this might by by design
https://aws.amazon.com/opensource/
You're free to set your project's license to whatever you want but why complain when it's used the way you said it can be?
Corporations exist for the benefit of the society that grants them their charter and that charter can--and should--be revoked when the corporation acts against the best interests of that society. We do have that power, but we've forgotten about it.
That's weird ... what do you expect from, say, hammers and blenders ?
I expect people to do nice things and be kind and think of my interests. Simple tools, on the other hand (like screwdrivers and shovels and LLCs and Corporations and family trusts) should just do exactly what they are designed to do - and nothing more.
So it's possible that well-funded consumer/producers like Amazon may at times crush, overtake, or otherwise discourage some of the unpaid labor that they benefit from.
(Not trying to make a moral argument. Personally I'm a bit conflicted on consuming and producing FOSS.)
I don’t see why it is different from asking a small one-man shop to take care of my infrastructure for me?
It's a start. Looking forward to more contributions from the team.
If you're doing any kind of communication between components then that has to be facilitated somehow, and production requirements like security, retries, load-balancing, observability, etc have to live somewhere. A mesh just extracts it all into a single external system.
Always space for one more I guess!
i.e. using open source under the published license? Look, I'd prefer that everyone using open software supports it with public patches, but if it's not under A/GPL or something, then clearly the authors weren't so worried about it. If you don't like others using your work without publishing their changes, use A/GPL. If you don't like others using your work without paying you, go with shared source (and accept that you're writing proprietary software) or use a noncommercial license or something. But don't publish something and then complain that people used it under the exact terms that you published it!
Traditional licenses forced you to contribute back if you used community's code. SaaS changed everything: you can now "leech" software without giving back.
We need a new model. We need to force contribution, because software corporations won't give back otherwise. I've worked for big corps and the bureaucracy will not allow it, even if developers wish to. If we don't force legal departments to comply we will lose the whole culture of freedom we've built in the past 40 years.
Forcing contribution would actually remove freedom.
I’m interested in your proposed mechanism for that!
EDIT: fixed typo
This is untrue; plenty of permissively-licensed projects are supported by code contributions and dedicated paid support by software companies who use their code. You don't need copyleft, much less something new beyond copyleft, to get that.
What Redis and others want gratis-but-proprietary licensing for is to prevent cloud services companies from competing with their SaaS offerings, not to force anyone to “give back”.
They're both control planes for envoy proxy. App Mesh is a managed proprietary solution, Istio is open source and self-hosted but there are managed options available. Istio explicitly supports k8s and consul; app mesh doesn't care where the envoy proxies run (great for migrating).
I _think_ Istio is a full knowledge model where everyone knows about everyone else in the mesh, App Mesh is explicit. The configuration pushed to the proxies only have the targets that have been modeled as such in the app mesh model (great for larger organizations).
App Mesh roadmap: https://github.com/aws/aws-app-mesh-roadmap
Istio's: https://istio.io/about/feature-stages/
Let's say I have a bunch of services calling each other. Which I already do... Why should I add this?