Istio moved to CNCF Graduation stage (opens in new tab)

It's malpractice to not seriously consider Linkerd over Istio at this point.

Boy do I have bad news for you about all of modern software...

Did you folks try to upgrade it? For us it was a nightmare (breaking changes, etc.)

Contour is a gateway: a controller that manages Envoy proxies at the edge of a Kubernetes environment. Istio is a service mesh: a controller that manages Envoy proxies at the edge and alongside each workload. If you are using Istio, you probably don't need Contour.

A year ago, a number of Envoy gateway maintainers (including Contour) announced their intention to join up to build one implementation of an Envoy gateway. They haven't made a lot of noise since, but they are apparently up to v0.4.

https://blogs.vmware.com/opensource/2022/05/16/contour-and-c...

You can also use the Gateway API to manage Istio. So, if you are using Istio, you probably don't need Envoy Gateway either.

Wherever you look, it's still Envoy. Unless of course you look at Linkerd, who have their own thing.

100% this. GRPC has nearly all its code contributions by google. If google removed its funding the project would be at risk. It’s closer to a proprietary offering with source code available than a mature FOSS ecosystem. Think redhat enterprise Linux is to gRPC where-as istio/k8s is closer to Debian.

You acknowledge contributions from several large companies. It's obvious it won't go away if Google pulls support or anything. Perhaps the fact that some random folks across the internet don't feel compelled to submit patches is simply due to the low level nature of the project and that it does the job quite well and its scope is limited by its nature, thereby limiting the need for customization by every individual. I really wonder what the standard is. If I recall correctly, for instance a certain proxy graduated by CNCF was such crap at one point that it linear searched routes. That naturally necessitates contributions if you actually use such software in production at scale.

Why is there a need to read between the lines? The post seems quite clear what is needed and it sounds like the ball is just in gRPC court. If anything it seems promising that there was movement after 3.5 years.

It’s really hard to have any influence on it unless you’re inside the Google fence. Even for the primary maintainers of those two external parties that you mentioned.

Yes you need additional tooling but often, such as in C++ it's the nature of the build environments for that language. There are many organizations using gRPC in mission critical environments along with C++.

.NET tooling is quite good, although I have only used it in toy examples.

Bazel, rules_proto and its grpc rules for various languages is the tooling you are looking for in my opinion! It's so nice to be able to share your proto files and generate stubs / clients across language boundries, being able to see exactly which pieces of your application break when a shape or signature changes in a proto file. Without a monorepo, it would be hard to see the impact of proto changes across disparate code repositories.

Perhaps the tooling feel somewhat overkill for toy apps that can be done with Ruby on rails or such. Many large orgs with billions of dollars of revenue per year companies are utilizing gRPC across many languages.

Surely Google has been using gRPC across many languages for a decade or more at this point, and surely this is a solved problem at Google. How is this not solved outside of Google?

The CNCF has their own tool - a Grafana dashboard for all their projects:

https://devstats.cncf.io

A bit awkward to use but lots of great info there. I use it every now and then (I'm a maintainer of Dapr).

I've never encountered a proxy that can't do the portions of TLS 1.3 that gRPC requires - NGINX, Envoy, linkerd, all the managed cloud offerings I know of, and any random Go binary can handle it. What esoteric portions of the spec are you referring to?

gRPC _does_ require support for HTTP trailers, which aren't used much elsewhere. If you want to use streaming RPCs, you also need a proxy that doesn't buffer (or allows you to disable buffering).

> perfect engineering

You couldn't get a better example of good pragmatic engineering than gRPC compared to something like CORBA or DCOM. I can't talk about "all cases" but in the cases I've come across it's a much better solution than JSON over http.

c'mon, you gotta at least drop some of the "better ways" you prefer.

what do you people use for inter service com? http??? why?

> the former has a single vendor behind it, and the latter has almost all the cloud industry

The same could be said about Apple products, but that doesn't mean people should be dissuaded from using them. Quite the opposite: being in charge of a technology means you can be 100% focused on it and be relentlessly focused on making it great for your customers.

I'd love to hear a compelling comparison between linkerd and istio without having to compare either with other (unrelated) categories of software.

Anyone who reads these comments should be able to get an understanding of both service meshes without having to research other software.

Are you saying that istio IS kubernetes and linkerd is not? I don't think linkerd WANTS to be kubernetes.

I love your podcast, Craig, but this "hot take" is too hot to hold

This is a good analogy. For more context in the past 5 years working with customers in the Bay Area I’ve not encountered one who mentioned linkerd let alone ran it in production.

More than half those companies ran istio in production at large scales.

I think it does come down to risk and risk mitigation. As someone who works for an “Istio vendor” we see some of the largest deployments of Istio in the world for mission critical/tier-0 workloads… and all the steps it took to get there including evaluation/POC of other vendors/mesh technologies.

Part of these decisions are based on things like “What is the rest of the industry doing?” “How vibrant/diverse is the community?” “How mature is the project _for enterprise adoption_?” “What vendors are available for enterprise support?” “Is it already available in my platform of choice?” etc.etc.

The sting of “picking the wrong container orchestrator” is still fresh in a lot of organizations.

We see Istio make it through these questions with good answers for a lot of organizations where other/alternative service mesh vendors strike out pretty quickly.

This is even before we get to the “feature comparisons” for usecases these large organizations focus on/have.

Interesting. IMO Istio is built to entice VPs and Linkerd is built to entice engineers.

No need to ignore CNCF. Linkerd has had a "Graduated CNCF" rubber stamp for a 2 years.

You have not given me one single reason why I would be better of with Istio

I think you could disregard a few of these without too much thought. Nginx - predatory vendor, AWS - only makes sense if you need the deep integration, Consul - only makes sense if you are on the hashi stack. Traefik I haven't spent much time with recently, but I'm a bit suspect of ingresses that reposition themselves as mesh to gain adoption.

I think this just demonstrates the power of vendor-neutral Open Source. I don’t mean that in an inflammatory way. Istio, a collaborative project from Google/IBM that was arguably going to be a slight differentiator for their respective clouds was forced to go vendor-neutral after Linkerd did.

Same thing happened to Knative.

CNCF definitely has some politics but its been interesting to see large OSS projects be essential dead on arrival now if its not in a vendor neutral holding org.

I personally try to favor vendor neutral projects now. Slightly smaller chance of being burned like I was with Grafana switching licenses.

Tldr: you can bring your open source project to CNCF and if there are enough infra/platform developers vouching for it then you can become an incubated project. After that, there is a bunch of boxes (traction, integration, stability) that you need to check before CNCF endorses you as a graduated project.

Why would you want this?

You might not know what J2EE or Kubernetes do if you compare them like that.

That's an interesting thought. Even if I would throw it away for istio in the end, the experience for managing Envoy, might be valuable.

How do I do that exactly? I need to install some iptables rules inside a pod to redirect pod traffic to envoy?

I don't think that I need mtls and extra CPU load for useless (to me) encryption does not sound so good. Can I opt-out of this specific feature?

Also I'm worried about its pervasiveness. Is it possible to enable those side-cars only on selected pods?