Aspen Mesh 1.6 Service Mesh

Announcing Aspen Mesh 1.6

We’re excited to announce the release of Aspen Mesh 1.6 which is based on Istio’s release 1.6 (specific tag 1.6.5). As a release manager for Istio 1.6, I’ve been eager for Aspen Mesh’s adoption of 1.6 as Istio continues its trend of adding many enhancements and improvements. Our commitment and relationship with the Istio community continues to flourish as our co-founder and Chief Architect Neeraj Poddar was recently appointed to the Technical Oversight Committee and I joined the Product Security Working Group, a group tasked with handling sensitive security issues within Istio. With our team members joining these groups, you can be assured that your best interests are represented as we continue to develop Aspen Mesh.

As with every new major release, we’re excited to detail the new features and capabilities offered by Istio, and also new features available within Aspen Mesh. 

Hare are some key items to note for this new release:

Helm Based Installs

At Aspen Mesh, we encourage users to adopt the GitOps workflow using Helm. Istio is moving towards CLI tool based install using istioctl and the Istio Operator for installations and upgrades. While the chart structure located in the manifests/ directory shipped in Istio works with Helm, we’ve spent considerable effort in streamlining the charts to make them ready for the enterprise to ensure continuity.

However, upgrading to 1.6 will be drastic due to the structural changes made to the charts in Istio. Given the efforts we are putting into Istio, as well as the burden this places on users, our intent is to streamline this before the release of Aspen Mesh 1.7 to ease the upgrade process moving forward.

Istiod Monolith

With the change to Helm charts, users will be able to leverage Istiod and Telemetry v2. Istiod is the consolidated Istio controlplane, delivered as a monolithic deployment (with the exception of Mixer). There are two key reasons we are eager to support this consolidated deployment:

  1. It significantly reduces the memory and CPU footprint of the service mesh, resulting in lower operating costs.
  2. The simplified deployment model makes it easier for operators to debug production issues when the need arises. It’s no longer necessary to look at the logs of different services to determine the root cause of a problem, but rather just your Istiod pods.

Telemetry v2

As of Aspen Mesh 1.6, we only support Telemetry v2, also known as Mixerless telemetry. While Telemetry v2 does not have parity with Mixer, the benefits of Telemetry v2 now far outweigh the features no longer in Mixer. Don’t be alarmed as the Istio community is diligently working on having Telemetry v2 reach parity with Mixer.

Many of our users have reported Mixer related performance issues, such as high CPU load, high memory usage and even latency issues. These issues should be solved with the move towards Envoy-based filters, such as the WASM filter used by Telemetry v2. In-band and in-application, high performance C++ code should better meet the needs of large enterprises with hundreds of nodes and thousands of pods.

SDS: The Default Behavior Across Your Service Mesh

In Aspen Mesh 1.5, Secret Discovery Service (SDS) was not enabled by default for sidecar proxies across your cluster. With the Aspen Mesh 1.6 release, both gateways and workloads support SDS, allowing for better service mesh security as well as performance improvements.

For reference, beginning with Aspen Mesh 1.6, an executable istio-agent lives alongside Envoy sidecar proxy and safely shares certificates issued to it by Istiod with Envoy. This is a change from Aspen Mesh, where 1.5 Kubernetes Secrets were created by Citadel, presenting risks if the Kubernetes cluster wasn’t properly secured. One of the top benefits of SDS is that it allows Envoy to be hot-restarted when certificates are set to expire and need to be rotated.

Next Steps for You

Aspen Mesh 1.6 is available for download here. You can look at the complete list of changes in this release by visiting our release notes. If you have any questions about your upgrade path, feel free to reach out to us at support@aspenmesh.io.

If you’re new to Aspen Mesh, you can download a free 30-day trial