During a scheduled certificate rotation in the Istio service mesh, services began experiencing mutual TLS authentication failures. The issue started with intermittent 503 errors and gradually escalated to widespread service disruption across the mesh.
$ cat topics/cloud-native-architecture-scenarios
# Cloud Native Architecture Scenarios
---
>
cloud_native_scenario_01
output:
Cloud Native Architecture
Istio 1.12, Kubernetes 1.22, Production environment
Summary:
No summary provided
What Happened:
Diagnosis Steps:
Examined Istio proxy logs for authentication errors.
Checked certificate expiration dates and rotation status.
Verified Istio control plane component health.
Analyzed recent configuration changes and updates.
Tested certificate validation manually.
Root Cause:
The Istio certificate authority (Citadel) was unable to distribute new certificates due to a combination of issues: 1. The Kubernetes secret used for storing the root CA had incorrect permissions 2. A recent Istio upgrade changed the certificate rotation process without updating documentation 3. Custom certificate validation logic in some services rejected the new certificate format
Fix/Workaround:
• Short-term: Restored previous certificates and disabled automatic rotation:
# Patch to disable automatic rotation temporarily
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
meshConfig:
certificates:
- secretName: cacerts
dnsNames:
- istio-ca.istio-system.svc
defaultConfig:
proxyMetadata:
ISTIO_META_CERT_ROTATION: "false"
• Long-term: Implemented proper certificate management:
# Proper Istio certificate configuration
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
components:
pilot:
k8s:
env:
- name: PILOT_CERT_PROVIDER
value: "istiod"
- name: PILOT_ENABLE_XDS_CACHE
value: "true"
istiod:
k8s:
overlays:
- apiVersion: apps/v1
kind: Deployment
name: istiod
patches:
- path: spec.template.spec.containers.[name:discovery].args[7]
value: "--caCertTTL=8760h"
- path: spec.template.spec.containers.[name:discovery].args[8]
value: "--workloadCertTTL=24h"
meshConfig:
defaultConfig:
proxyMetadata:
ISTIO_META_CERT_ROTATION: "true"
ISTIO_META_CERT_ROTATION_GRACE_PERIOD_RATIO: "0.2"
• Created a certificate monitoring solution:
// cert_monitor.go
package main
import (
"context"
"crypto/x509"
"encoding/pem"
"fmt"
"log"
"os"
"time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
"github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promauto"
"github.com/prometheus/client_golang/prometheus/promhttp"
"net/http"
)
var (
certExpiryDays = promauto.NewGaugeVec(
prometheus.GaugeOpts{
Name: "istio_cert_expiry_days",
Help: "Days until certificate expiration",
},
[]string{"namespace", "secret_name", "cert_type"},
)
certRotationSuccess = promauto.NewCounterVec(
prometheus.CounterOpts{
Name: "istio_cert_rotation_success_total",
Help: "Total number of successful certificate rotations",
},
[]string{"namespace", "secret_name"},
)
certRotationFailure = promauto.NewCounterVec(
prometheus.CounterOpts{
Name: "istio_cert_rotation_failure_total",
Help: "Total number of failed certificate rotations",
},
[]string{"namespace", "secret_name", "reason"},
)
)
func main() {
// Set up Kubernetes client
config, err := rest.InClusterConfig()
if err != nil {
log.Fatalf("Failed to get cluster config: %v", err)
}
clientset, err := kubernetes.NewForConfig(config)
if err != nil {
log.Fatalf("Failed to create Kubernetes client: %v", err)
}
// Start HTTP server for Prometheus metrics
http.Handle("/metrics", promhttp.Handler())
go func() {
log.Fatal(http.ListenAndServe(":8080", nil))
}()
// Monitor certificates
monitorCertificates(clientset)
}
func monitorCertificates(clientset *kubernetes.Clientset) {
for {
// Get all namespaces
namespaces, err := clientset.CoreV1().Namespaces().List(context.TODO(), metav1.ListOptions{})
if err != nil {
log.Printf("Failed to list namespaces: %v", err)
time.Sleep(5 * time.Minute)
continue
}
// Check certificates in each namespace
for _, namespace := range namespaces.Items {
ns := namespace.Name
// Get all secrets in the namespace
secrets, err := clientset.CoreV1().Secrets(ns).List(context.TODO(), metav1.ListOptions{})
if err != nil {
log.Printf("Failed to list secrets in namespace %s: %v", ns, err)
continue
}
// Check each secret for certificates
for _, secret := range secrets.Items {
// Check if this is a TLS secret
if secret.Type != "kubernetes.io/tls" && secret.Type != "istio.io/key-and-cert" {
continue
}
// Check certificate data
for key, data := range secret.Data {
if key == "ca.crt" || key == "tls.crt" || key == "cert-chain.pem" || key == "root-cert.pem" {
// Parse certificate
block, _ := pem.Decode(data)
if block == nil {
log.Printf("Failed to decode PEM block from %s in secret %s/%s", key, ns, secret.Name)
certRotationFailure.WithLabelValues(ns, secret.Name, "decode_failure").Inc()
continue
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
log.Printf("Failed to parse certificate from %s in secret %s/%s: %v", key, ns, secret.Name, err)
certRotationFailure.WithLabelValues(ns, secret.Name, "parse_failure").Inc()
continue
}
// Calculate days until expiration
expiryDays := time.Until(cert.NotAfter).Hours() / 24
certExpiryDays.WithLabelValues(ns, secret.Name, key).Set(expiryDays)
// Log warning if certificate is expiring soon
if expiryDays < 30 {
log.Printf("WARNING: Certificate %s in secret %s/%s expires in %.1f days", key, ns, secret.Name, expiryDays)
}
// Check if certificate was recently rotated
issuedDays := time.Since(cert.NotBefore).Hours() / 24
if issuedDays < 1 {
log.Printf("Certificate %s in secret %s/%s was recently rotated (%.1f hours ago)", key, ns, secret.Name, time.Since(cert.NotBefore).Hours())
certRotationSuccess.WithLabelValues(ns, secret.Name).Inc()
}
}
}
}
}
// Sleep before next check
time.Sleep(1 * time.Hour)
}
}
• Implemented a certificate rotation testing procedure:
#!/bin/bash
# test_cert_rotation.sh
set -euo pipefail
NAMESPACE=${1:-istio-system}
SECRET_NAME=${2:-istio-ca-secret}
WORKLOAD_NAMESPACE=${3:-default}
WORKLOAD_NAME=${4:-sleep}
echo "Testing certificate rotation for Istio in namespace $NAMESPACE"
# Check istiod status
echo "Checking istiod status..."
kubectl get pods -n $NAMESPACE -l app=istiod
# Check current root certificate
echo "Checking current root certificate..."
kubectl get secret $SECRET_NAME -n $NAMESPACE -o jsonpath='{.data.root-cert\.pem}' | base64 -d | openssl x509 -noout -text | grep "Validity" -A 2
# Check workload certificates
echo "Checking workload certificates..."
POD_NAME=$(kubectl get pod -n $WORKLOAD_NAMESPACE -l app=$WORKLOAD_NAME -o jsonpath='{.items[0].metadata.name}')
kubectl exec -n $WORKLOAD_NAMESPACE $POD_NAME -c istio-proxy -- ls -la /var/run/secrets/istio/
# Get certificate expiry
kubectl exec -n $WORKLOAD_NAMESPACE $POD_NAME -c istio-proxy -- cat /var/run/secrets/istio/cert-chain.pem | openssl x509 -noout -text | grep "Validity" -A 2
# Trigger certificate rotation
echo "Triggering certificate rotation..."
kubectl delete secret $SECRET_NAME -n $NAMESPACE
# Wait for istiod to restart
echo "Waiting for istiod to restart..."
kubectl rollout restart deployment/istiod -n $NAMESPACE
kubectl rollout status deployment/istiod -n $NAMESPACE
# Wait for workload certificates to be rotated
echo "Waiting for workload certificates to be rotated..."
sleep 60
# Verify new certificates
echo "Verifying new certificates..."
kubectl get secret $SECRET_NAME -n $NAMESPACE -o jsonpath='{.data.root-cert\.pem}' | base64 -d | openssl x509 -noout -text | grep "Validity" -A 2
# Verify workload certificates
echo "Verifying workload certificates..."
kubectl exec -n $WORKLOAD_NAMESPACE $POD_NAME -c istio-proxy -- cat /var/run/secrets/istio/cert-chain.pem | openssl x509 -noout -text | grep "Validity" -A 2
# Test connectivity
echo "Testing connectivity..."
kubectl exec -n $WORKLOAD_NAMESPACE $POD_NAME -c sleep -- curl -s httpbin.default:8000/headers | grep "X-Forwarded-Client-Cert"
echo "Certificate rotation test completed successfully"
• Implemented a Rust-based certificate validation tool:
// cert_validator.rs
use std::fs::File;
use std::io::Read;
use std::path::Path;
use std::time::{Duration, SystemTime};
use clap::{App, Arg};
use openssl::x509::X509;
use serde::{Deserialize, Serialize};
use serde_json::json;
#[derive(Debug, Serialize, Deserialize)]
struct CertificateInfo {
subject: String,
issuer: String,
valid_from: String,
valid_to: String,
days_until_expiry: i64,
is_expired: bool,
is_self_signed: bool,
serial_number: String,
signature_algorithm: String,
key_usage: Vec<String>,
extended_key_usage: Vec<String>,
subject_alt_names: Vec<String>,
}
fn main() -> Result<(), Box<dyn std::error::Error>> {
let matches = App::new("Certificate Validator")
.version("1.0")
.author("DevOps Team")
.about("Validates certificates for Istio service mesh")
.arg(
Arg::with_name("cert")
.short("c")
.long("cert")
.value_name("FILE")
.help("Certificate file to validate")
.required(true)
.takes_value(true),
)
.arg(
Arg::with_name("ca")
.short("a")
.long("ca")
.value_name("FILE")
.help("CA certificate file to validate against")
.takes_value(true),
)
.arg(
Arg::with_name("json")
.short("j")
.long("json")
.help("Output in JSON format"),
)
.arg(
Arg::with_name("warn-days")
.short("w")
.long("warn-days")
.value_name("DAYS")
.help("Warn if certificate expires within this many days")
.default_value("30")
.takes_value(true),
)
.get_matches();
let cert_file = matches.value_of("cert").unwrap();
let ca_file = matches.value_of("ca");
let json_output = matches.is_present("json");
let warn_days: i64 = matches.value_of("warn-days").unwrap().parse()?;
// Load certificate
let cert = load_certificate(cert_file)?;
let cert_info = get_certificate_info(&cert)?;
// Validate certificate
let mut validation_errors = Vec::new();
// Check expiration
if cert_info.is_expired {
validation_errors.push("Certificate is expired".to_string());
} else if cert_info.days_until_expiry < warn_days {
validation_errors.push(format!(
"Certificate will expire in {} days",
cert_info.days_until_expiry
));
}
// Check against CA if provided
if let Some(ca_path) = ca_file {
let ca_cert = load_certificate(ca_path)?;
if !validate_certificate_against_ca(&cert, &ca_cert)? {
validation_errors.push("Certificate is not signed by the provided CA".to_string());
}
}
// Check if self-signed
if cert_info.is_self_signed {
validation_errors.push("Certificate is self-signed".to_string());
}
// Output results
if json_output {
let result = json!({
"certificate": cert_info,
"validation_errors": validation_errors,
"valid": validation_errors.is_empty()
});
println!("{}", serde_json::to_string_pretty(&result)?);
} else {
println!("Certificate Information:");
println!(" Subject: {}", cert_info.subject);
println!(" Issuer: {}", cert_info.issuer);
println!(" Valid From: {}", cert_info.valid_from);
println!(" Valid To: {}", cert_info.valid_to);
println!(" Days Until Expiry: {}", cert_info.days_until_expiry);
println!(" Serial Number: {}", cert_info.serial_number);
println!(" Signature Algorithm: {}", cert_info.signature_algorithm);
println!("\nKey Usage:");
for usage in &cert_info.key_usage {
println!(" - {}", usage);
}
println!("\nExtended Key Usage:");
for usage in &cert_info.extended_key_usage {
println!(" - {}", usage);
}
println!("\nSubject Alternative Names:");
for san in &cert_info.subject_alt_names {
println!(" - {}", san);
}
if !validation_errors.is_empty() {
println!("\nValidation Errors:");
for error in &validation_errors {
println!(" - {}", error);
}
println!("\nResult: INVALID");
} else {
println!("\nResult: VALID");
}
}
// Exit with error code if validation failed
if !validation_errors.is_empty() {
std::process::exit(1);
}
Ok(())
}
fn load_certificate<P: AsRef<Path>>(path: P) -> Result<X509, Box<dyn std::error::Error>> {
let mut file = File::open(path)?;
let mut data = Vec::new();
file.read_to_end(&mut data)?;
let cert = X509::from_pem(&data)?;
Ok(cert)
}
fn get_certificate_info(cert: &X509) -> Result<CertificateInfo, Box<dyn std::error::Error>> {
let subject = cert.subject_name().to_string();
let issuer = cert.issuer_name().to_string();
let not_before = cert.not_before().to_string();
let not_after = cert.not_after().to_string();
let now = SystemTime::now();
let expiry = cert.not_after().to_systime()?;
let days_until_expiry = if expiry > now {
expiry.duration_since(now)?.as_secs() as i64 / 86400
} else {
-1
};
let is_expired = now > expiry;
let is_self_signed = subject == issuer;
let serial_number = cert.serial_number().to_bn()?.to_hex_str()?.to_string();
let signature_algorithm = cert.signature_algorithm().object().to_string();
let mut key_usage = Vec::new();
if let Some(usage) = cert.key_usage() {
if usage.digital_signature() {
key_usage.push("Digital Signature".to_string());
}
if usage.non_repudiation() {
key_usage.push("Non Repudiation".to_string());
}
if usage.key_encipherment() {
key_usage.push("Key Encipherment".to_string());
}
if usage.data_encipherment() {
key_usage.push("Data Encipherment".to_string());
}
if usage.key_agreement() {
key_usage.push("Key Agreement".to_string());
}
if usage.key_cert_sign() {
key_usage.push("Certificate Sign".to_string());
}
if usage.crl_sign() {
key_usage.push("CRL Sign".to_string());
}
if usage.encipher_only() {
key_usage.push("Encipher Only".to_string());
}
if usage.decipher_only() {
key_usage.push("Decipher Only".to_string());
}
}
let mut extended_key_usage = Vec::new();
if let Some(usage) = cert.extended_key_usage() {
for oid in usage.iter() {
extended_key_usage.push(oid.to_string());
}
}
let mut subject_alt_names = Vec::new();
if let Some(sans) = cert.subject_alt_names() {
for san in sans.iter() {
if let Some(dns) = san.dnsname() {
subject_alt_names.push(format!("DNS:{}", dns));
} else if let Some(ip) = san.ipaddress() {
subject_alt_names.push(format!("IP:{:?}", ip));
} else if let Some(uri) = san.uri() {
subject_alt_names.push(format!("URI:{}", uri));
}
}
}
Ok(CertificateInfo {
subject,
issuer,
valid_from: not_before,
valid_to: not_after,
days_until_expiry,
is_expired,
is_self_signed,
serial_number,
signature_algorithm,
key_usage,
extended_key_usage,
subject_alt_names,
})
}
fn validate_certificate_against_ca(cert: &X509, ca_cert: &X509) -> Result<bool, Box<dyn std::error::Error>> {
// Check if the certificate is signed by the CA
let cert_issuer = cert.issuer_name().to_string();
let ca_subject = ca_cert.subject_name().to_string();
if cert_issuer != ca_subject {
return Ok(false);
}
// Verify the signature
let ca_pubkey = ca_cert.public_key()?;
let result = cert.verify(&ca_pubkey)?;
Ok(result)
}
Lessons Learned:
Certificate management in service meshes requires careful planning and monitoring.
How to Avoid:
Implement certificate monitoring with alerts for upcoming expirations.
Test certificate rotation procedures regularly in non-production environments.
Document certificate management procedures and automate where possible.
Use longer-lived root certificates and shorter-lived workload certificates.
Implement graceful certificate rotation with overlapping validity periods.
>
cloud_native_scenario_02
output:
Cloud Native Architecture
Istio 1.12, Kubernetes 1.22, Microservices architecture
Summary:
No summary provided
What Happened:
A company expanded their microservices architecture from 50 to 200 services as part of a major feature release. After deployment, they observed significant latency increases (from ~100ms to >1s) for API calls, despite the cluster having adequate CPU and memory resources. The issue affected all services, not just the newly added ones.
Diagnosis Steps:
Analyzed service mesh telemetry data to identify bottlenecks.
Profiled the Istio control plane components.
Examined Envoy proxy configurations and metrics.
Reviewed network policies and service mesh configuration.
Tested with and without the service mesh to isolate the issue.
Root Cause:
Multiple issues were identified in the Istio service mesh configuration: 1. The default Istio control plane was undersized for the number of services. 2. Excessive telemetry collection was overwhelming Prometheus. 3. The Envoy proxy sidecar resource limits were too low. 4. Mutual TLS was configured with excessive certificate rotation. 5. The service mesh topology had excessive dependencies creating a "cascade" pattern.
Fix/Workaround:
• Short-term: Optimized the most critical Istio components:
# Before: Default istiod deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: istiod
namespace: istio-system
spec:
replicas: 1
selector:
matchLabels:
app: istiod
template:
metadata:
labels:
app: istiod
spec:
containers:
- name: discovery
image: docker.io/istio/pilot:1.12.0
resources:
requests:
cpu: 500m
memory: 2Gi
limits:
cpu: 1
memory: 4Gi
# After: Optimized istiod deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: istiod
namespace: istio-system
spec:
replicas: 3
selector:
matchLabels:
app: istiod
template:
metadata:
labels:
app: istiod
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- istiod
topologyKey: kubernetes.io/hostname
containers:
- name: discovery
image: docker.io/istio/pilot:1.12.0
resources:
requests:
cpu: 1
memory: 4Gi
limits:
cpu: 2
memory: 8Gi
env:
- name: PILOT_TRACE_SAMPLING
value: "1"
- name: PILOT_ENABLE_EDS_DEBOUNCE
value: "true"
- name: PILOT_DEBOUNCE_AFTER
value: "100ms"
- name: PILOT_DEBOUNCE_MAX
value: "1s"
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
value: "false"
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
value: "false"
• Optimized Envoy proxy sidecar configuration:
# Global proxy configuration
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
meshConfig:
defaultConfig:
concurrency: 2
proxyMetadata:
ISTIO_META_HTTP10: "1"
ISTIO_META_ROUTER_MODE: "sni-dnat"
tracing:
sampling: 0.01
accessLogFile: "/dev/null"
components:
proxy:
k8s:
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
hpaSpec:
minReplicas: 1
maxReplicas: 5
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
• Long-term: Implemented a comprehensive service mesh optimization strategy:
- Scale up Istio control plane for large service mesh
- Optimize telemetry collection
- Configure appropriate resource limits for Envoy proxy sidecars
- Adjust certificate rotation settings
Lessons Learned:
Proper resource management and configuration are critical for service mesh performance.
How to Avoid:
Scale control plane components based on service mesh size.
Optimize telemetry and tracing configurations.
Set appropriate resource limits for sidecars.
Regularly review and optimize service mesh configurations.
>
cloud_native_scenario_03
output:
Cloud Native Architecture
Kubernetes, Consul, Microservices, Production environment
Summary:
No summary provided
What Happened:
A company running a cloud native application on Kubernetes suddenly experienced widespread connectivity issues between microservices. Services were unable to discover and connect to their dependencies, resulting in cascading failures across the application. The issue occurred after a routine infrastructure update.
Diagnosis Steps:
Analyzed service logs for connection errors.
Examined Kubernetes DNS and service configurations.
Reviewed recent infrastructure changes.
Checked Consul service discovery status and logs.
Tested service-to-service connectivity manually.
Root Cause:
The service discovery failure was caused by multiple factors: 1. A Consul server pod was evicted due to node resource pressure 2. The Kubernetes DNS service was overloaded with requests 3. Service mesh sidecar proxies had outdated service discovery information 4. Network policies were incorrectly updated during the infrastructure change 5. Service registration TTLs were set too high, preventing timely updates
Fix/Workaround:
• Short-term: Restored service discovery functionality:
# Consul server StatefulSet with improved resource management
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: consul-server
namespace: consul
spec:
serviceName: consul-server
replicas: 3
selector:
matchLabels:
app: consul-server
template:
metadata:
labels:
app: consul-server
spec:
terminationGracePeriodSeconds: 30
securityContext:
fsGroup: 1000
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- consul-server
topologyKey: kubernetes.io/hostname
containers:
- name: consul
image: consul:1.12.0
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1000m
memory: 1Gi
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
args:
- "agent"
- "-server"
- "-bootstrap-expect=3"
- "-ui"
- "-data-dir=/consul/data"
- "-bind=0.0.0.0"
- "-advertise=$(POD_IP)"
- "-client=0.0.0.0"
- "-retry-join=consul-server-0.consul-server.$(NAMESPACE).svc.cluster.local"
- "-retry-join=consul-server-1.consul-server.$(NAMESPACE).svc.cluster.local"
- "-retry-join=consul-server-2.consul-server.$(NAMESPACE).svc.cluster.local"
- "-domain=consul"
ports:
- containerPort: 8500
name: http
- containerPort: 8301
name: serflan
- containerPort: 8302
name: serfwan
- containerPort: 8300
name: server
- containerPort: 8600
name: dns
readinessProbe:
httpGet:
path: /v1/status/leader
port: 8500
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
httpGet:
path: /v1/status/leader
port: 8500
initialDelaySeconds: 30
periodSeconds: 10
volumeMounts:
- name: data
mountPath: /consul/data
- name: config
mountPath: /consul/config
volumes:
- name: config
configMap:
name: consul-server-config
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
• Optimized Kubernetes DNS configuration:
# CoreDNS ConfigMap with optimized settings
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: kube-system
data:
Corefile: |
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . /etc/resolv.conf {
max_concurrent 1000
}
cache 30 {
success 9984
denial 9984
prefetch 10
}
loop
reload
loadbalance
}
consul {
errors
cache 30
forward . 10.100.0.10:8600
}
• Long-term: Implemented a comprehensive service discovery resilience strategy:
// service_discovery_monitor.go
package main
import (
"context"
"encoding/json"
"fmt"
"log"
"net/http"
"os"
"os/signal"
"sync"
"syscall"
"time"
"github.com/hashicorp/consul/api"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
)
type ServiceHealth struct {
ServiceName string
Status string
InstancesUp int
InstancesAll int
LastChecked time.Time
}
type ServiceDiscoveryMonitor struct {
consulClient *api.Client
kubeClient *kubernetes.Clientset
serviceHealth map[string]ServiceHealth
healthMutex sync.RWMutex
checkInterval time.Duration
alertThreshold float64
namespaces []string
consulNamespace string
}
func NewServiceDiscoveryMonitor(consulAddr, consulNamespace string, checkInterval time.Duration, alertThreshold float64, namespaces []string) (*ServiceDiscoveryMonitor, error) {
// Configure Consul client
consulConfig := api.DefaultConfig()
consulConfig.Address = consulAddr
consulClient, err := api.NewClient(consulConfig)
if err != nil {
return nil, fmt.Errorf("failed to create Consul client: %w", err)
}
// Configure Kubernetes client
kubeConfig, err := rest.InClusterConfig()
if err != nil {
return nil, fmt.Errorf("failed to create Kubernetes config: %w", err)
}
kubeClient, err := kubernetes.NewForConfig(kubeConfig)
if err != nil {
return nil, fmt.Errorf("failed to create Kubernetes client: %w", err)
}
return &ServiceDiscoveryMonitor{
consulClient: consulClient,
kubeClient: kubeClient,
serviceHealth: make(map[string]ServiceHealth),
checkInterval: checkInterval,
alertThreshold: alertThreshold,
namespaces: namespaces,
consulNamespace: consulNamespace,
}, nil
}
func (m *ServiceDiscoveryMonitor) Start(ctx context.Context) {
// Start HTTP server for health checks
go m.startHTTPServer()
// Start monitoring loop
ticker := time.NewTicker(m.checkInterval)
defer ticker.Stop()
// Do an initial check
m.checkServiceDiscoveryHealth(ctx)
for {
select {
case <-ticker.C:
m.checkServiceDiscoveryHealth(ctx)
case <-ctx.Done():
log.Println("Shutting down service discovery monitor")
return
}
}
}
func (m *ServiceDiscoveryMonitor) startHTTPServer() {
http.HandleFunc("/health", m.healthHandler)
http.HandleFunc("/metrics", m.metricsHandler)
log.Fatal(http.ListenAndServe(":8080", nil))
}
func (m *ServiceDiscoveryMonitor) healthHandler(w http.ResponseWriter, r *http.Request) {
m.healthMutex.RLock()
defer m.healthMutex.RUnlock()
// Check if any service is unhealthy
for _, health := range m.serviceHealth {
if health.Status != "healthy" {
w.WriteHeader(http.StatusServiceUnavailable)
fmt.Fprintf(w, "Service discovery unhealthy: %s is %s", health.ServiceName, health.Status)
return
}
}
w.WriteHeader(http.StatusOK)
fmt.Fprintf(w, "Service discovery healthy")
}
func (m *ServiceDiscoveryMonitor) metricsHandler(w http.ResponseWriter, r *http.Request) {
m.healthMutex.RLock()
defer m.healthMutex.RUnlock()
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(m.serviceHealth)
}
func (m *ServiceDiscoveryMonitor) checkServiceDiscoveryHealth(ctx context.Context) {
log.Println("Checking service discovery health...")
// Check Consul server health
m.checkConsulHealth(ctx)
// Check Kubernetes DNS health
m.checkKubernetesDNSHealth(ctx)
// Check service registration consistency
m.checkServiceRegistrationConsistency(ctx)
log.Println("Service discovery health check completed")
}
func (m *ServiceDiscoveryMonitor) checkConsulHealth(ctx context.Context) {
// Check Consul leader status
leader, err := m.consulClient.Status().Leader()
if err != nil || leader == "" {
m.updateServiceHealth("consul", "unhealthy", 0, 0)
log.Printf("Consul leader check failed: %v", err)
m.triggerAlert("Consul leader check failed", "critical")
return
}
// Check Consul server peers
peers, err := m.consulClient.Status().Peers()
if err != nil {
m.updateServiceHealth("consul", "unhealthy", 0, len(peers))
log.Printf("Consul peers check failed: %v", err)
m.triggerAlert("Consul peers check failed", "critical")
return
}
if len(peers) < 3 {
m.updateServiceHealth("consul", "degraded", len(peers), 3)
log.Printf("Consul cluster degraded: only %d peers available", len(peers))
m.triggerAlert(fmt.Sprintf("Consul cluster degraded: only %d peers available", len(peers)), "warning")
return
}
// Check Consul catalog services
services, _, err := m.consulClient.Catalog().Services(&api.QueryOptions{
Namespace: m.consulNamespace,
})
if err != nil {
m.updateServiceHealth("consul-catalog", "unhealthy", 0, 0)
log.Printf("Consul catalog check failed: %v", err)
m.triggerAlert("Consul catalog check failed", "critical")
return
}
m.updateServiceHealth("consul", "healthy", len(peers), len(peers))
log.Printf("Consul health check passed: %d peers, %d services", len(peers), len(services))
}
func (m *ServiceDiscoveryMonitor) checkKubernetesDNSHealth(ctx context.Context) {
// Check CoreDNS pods
pods, err := m.kubeClient.CoreV1().Pods("kube-system").List(ctx, metav1.ListOptions{
LabelSelector: "k8s-app=kube-dns",
})
if err != nil {
m.updateServiceHealth("kubernetes-dns", "unhealthy", 0, 0)
log.Printf("Kubernetes DNS pods check failed: %v", err)
m.triggerAlert("Kubernetes DNS pods check failed", "critical")
return
}
readyPods := 0
for _, pod := range pods.Items {
for _, condition := range pod.Status.Conditions {
if condition.Type == "Ready" && condition.Status == "True" {
readyPods++
break
}
}
}
if readyPods == 0 {
m.updateServiceHealth("kubernetes-dns", "unhealthy", readyPods, len(pods.Items))
log.Printf("Kubernetes DNS unhealthy: 0/%d pods ready", len(pods.Items))
m.triggerAlert("Kubernetes DNS unhealthy: no pods ready", "critical")
return
}
if readyPods < len(pods.Items) {
m.updateServiceHealth("kubernetes-dns", "degraded", readyPods, len(pods.Items))
log.Printf("Kubernetes DNS degraded: %d/%d pods ready", readyPods, len(pods.Items))
m.triggerAlert(fmt.Sprintf("Kubernetes DNS degraded: %d/%d pods ready", readyPods, len(pods.Items)), "warning")
return
}
// Check DNS service
svc, err := m.kubeClient.CoreV1().Services("kube-system").Get(ctx, "kube-dns", metav1.GetOptions{})
if err != nil {
m.updateServiceHealth("kubernetes-dns-service", "unhealthy", 0, 0)
log.Printf("Kubernetes DNS service check failed: %v", err)
m.triggerAlert("Kubernetes DNS service check failed", "critical")
return
}
m.updateServiceHealth("kubernetes-dns", "healthy", readyPods, len(pods.Items))
log.Printf("Kubernetes DNS health check passed: %d/%d pods ready, service IP: %s", readyPods, len(pods.Items), svc.Spec.ClusterIP)
}
func (m *ServiceDiscoveryMonitor) checkServiceRegistrationConsistency(ctx context.Context) {
// For each namespace, compare Kubernetes services to Consul services
for _, namespace := range m.namespaces {
// Get Kubernetes services
k8sServices, err := m.kubeClient.CoreV1().Services(namespace).List(ctx, metav1.ListOptions{})
if err != nil {
log.Printf("Failed to list Kubernetes services in namespace %s: %v", namespace, err)
continue
}
// Get Consul services
consulServices, _, err := m.consulClient.Catalog().Services(&api.QueryOptions{
Namespace: m.consulNamespace,
})
if err != nil {
log.Printf("Failed to list Consul services: %v", err)
continue
}
// Check for services in Kubernetes but not in Consul
for _, svc := range k8sServices.Items {
// Skip Kubernetes system services
if svc.Namespace == "kube-system" || svc.Namespace == "default" && (svc.Name == "kubernetes" || svc.Name == "kube-dns") {
continue
}
// Check if service should be registered in Consul
if _, ok := svc.Annotations["consul.hashicorp.com/service-sync"]; !ok {
continue
}
serviceName := svc.Name
if customName, ok := svc.Annotations["consul.hashicorp.com/service-name"]; ok {
serviceName = customName
}
if _, ok := consulServices[serviceName]; !ok {
log.Printf("Service %s in namespace %s is missing from Consul", svc.Name, svc.Namespace)
m.updateServiceHealth(fmt.Sprintf("%s/%s", svc.Namespace, svc.Name), "inconsistent", 0, 1)
m.triggerAlert(fmt.Sprintf("Service %s in namespace %s is missing from Consul", svc.Name, svc.Namespace), "warning")
}
}
}
}
func (m *ServiceDiscoveryMonitor) updateServiceHealth(serviceName, status string, instancesUp, instancesAll int) {
m.healthMutex.Lock()
defer m.healthMutex.Unlock()
m.serviceHealth[serviceName] = ServiceHealth{
ServiceName: serviceName,
Status: status,
InstancesUp: instancesUp,
InstancesAll: instancesAll,
LastChecked: time.Now(),
}
}
func (m *ServiceDiscoveryMonitor) triggerAlert(message, severity string) {
// In a real implementation, this would send alerts to a monitoring system
log.Printf("[ALERT:%s] %s", severity, message)
}
func main() {
// Get configuration from environment
consulAddr := getEnv("CONSUL_ADDR", "consul-server.consul:8500")
consulNamespace := getEnv("CONSUL_NAMESPACE", "default")
checkIntervalStr := getEnv("CHECK_INTERVAL", "30s")
alertThresholdStr := getEnv("ALERT_THRESHOLD", "0.8")
namespacesStr := getEnv("MONITOR_NAMESPACES", "default,app")
// Parse check interval
checkInterval, err := time.ParseDuration(checkIntervalStr)
if err != nil {
log.Fatalf("Invalid check interval: %v", err)
}
// Parse alert threshold
var alertThreshold float64
_, err = fmt.Sscanf(alertThresholdStr, "%f", &alertThreshold)
if err != nil {
log.Fatalf("Invalid alert threshold: %v", err)
}
// Parse namespaces
namespaces := []string{}
for _, ns := range strings.Split(namespacesStr, ",") {
namespaces = append(namespaces, strings.TrimSpace(ns))
}
// Create monitor
monitor, err := NewServiceDiscoveryMonitor(consulAddr, consulNamespace, checkInterval, alertThreshold, namespaces)
if err != nil {
log.Fatalf("Failed to create service discovery monitor: %v", err)
}
// Set up context with cancellation
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
// Handle shutdown signals
sigCh := make(chan os.Signal, 1)
signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
go func() {
sig := <-sigCh
log.Printf("Received signal %v, shutting down", sig)
cancel()
}()
// Start monitor
log.Println("Starting service discovery monitor...")
monitor.Start(ctx)
}
func getEnv(key, defaultValue string) string {
if value, exists := os.LookupEnv(key); exists {
return value
}
return defaultValue
}
• Implemented a service mesh configuration for improved service discovery:
# Linkerd service mesh configuration
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
name: example-service.default.svc.cluster.local
namespace: default
spec:
routes:
- name: GET /api/v1/health
condition:
method: GET
pathRegex: /api/v1/health
responseClasses:
- condition:
status:
min: 200
max: 299
isSuccess: true
retryBudget:
ttl: 10s
minRetriesPerSecond: 10
retryRatio: 0.2
timeoutPolicy:
kind: fixed
milliseconds: 500
---
apiVersion: split.smi-spec.io/v1alpha1
kind: TrafficSplit
metadata:
name: example-service-split
namespace: default
spec:
service: example-service
backends:
- service: example-service-v1
weight: 90
- service: example-service-v2
weight: 10
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
name: example-service
namespace: default
spec:
podSelector:
matchLabels:
app: example-service
port: 8080
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
name: example-service-auth
namespace: default
spec:
targetRef:
kind: Server
name: example-service
requiredAuthenticationRefs:
- kind: ServiceAccount
name: client-service
namespace: default
• Created a service discovery troubleshooting guide:
# Service Discovery Troubleshooting Guide
## Quick Checks
1. **Verify Consul Server Health**
kubectl exec -it consul-server-0 -n consul -- consul members
kubectl exec -it consul-server-0 -n consul -- consul operator raft list-peers
2. **Check Kubernetes DNS**
kubectl get pods -n kube-system -l k8s-app=kube-dns
kubectl logs -n kube-system -l k8s-app=kube-dns
kubectl get svc -n kube-system kube-dns
3. **Test Service Resolution**
kubectl run -it --rm debug --image=curlimages/curl -- sh
Inside the pod
curl http://example-service.default.svc.cluster.local:8080/health
curl http://example-service.consul:8080/health
## Common Issues and Solutions
### 1. Consul Server Unavailable
**Symptoms:**
- Services can't register or discover each other
- `consul members` shows missing nodes
- Consul UI unavailable
**Solutions:**
- Check Consul server pods:
kubectl get pods -n consul -l app=consul-server
- Verify Consul server logs:
kubectl logs -n consul -l app=consul-server
- Check for resource constraints:
kubectl describe nodes | grep -A 10 "Allocated resources"
- Restart Consul servers if necessary:
kubectl rollout restart statefulset/consul-server -n consul
### 2. Kubernetes DNS Issues
**Symptoms:**
- Services can resolve external domains but not internal services
- Intermittent DNS resolution failures
- Slow service discovery
**Solutions:**
- Check CoreDNS pods:
kubectl get pods -n kube-system -l k8s-app=kube-dns
- Verify CoreDNS configuration:
kubectl get configmap -n kube-system coredns -o yaml
- Check for CoreDNS overload:
kubectl top pods -n kube-system -l k8s-app=kube-dns
- Increase CoreDNS replicas if needed:
kubectl scale deployment/coredns -n kube-system --replicas=3
### 3. Service Registration Issues
**Symptoms:**
- Services visible in Kubernetes but not in Consul
- Services visible in Consul but with wrong addresses
- Stale service registrations
**Solutions:**
- Check service registration in Consul:
kubectl exec -it consul-server-0 -n consul -- consul catalog services
kubectl exec -it consul-server-0 -n consul -- consul catalog nodes
- Verify service annotations:
kubectl get svc example-service -o yaml | grep -A 5 annotations
- Check Consul connect injector logs:
kubectl logs -n consul -l app=consul-connect-injector
- Force re-registration by restarting pods:
kubectl rollout restart deployment/example-service
### 4. Network Policy Issues
**Symptoms:**
- Services can't communicate despite proper registration
- Connection timeouts between services
- One-way communication failures
**Solutions:**
- Check network policies:
kubectl get networkpolicies --all-namespaces
- Verify pod labels match network policy selectors:
kubectl get pods --show-labels
- Test connectivity with a debug pod:
kubectl run -it --rm debug --image=nicolaka/netshoot -- bash
- Temporarily disable network policies for testing:
kubectl delete networkpolicy restrictive-policy
### 5. Service Mesh Issues
**Symptoms:**
- mTLS failures between services
- Proxy sidecar errors
- Routing inconsistencies
**Solutions:**
- Check proxy status:
linkerd check --proxy
linkerd stat deployments
- Verify service profiles:
kubectl get serviceprofiles --all-namespaces
- Check for proxy configuration issues:
linkerd logs deployment/example-service
- Restart proxies if needed:
kubectl rollout restart deployment/example-service
## Advanced Troubleshooting
### Consul ACL Issues
If using Consul ACLs, verify token permissions:
kubectl exec -it consul-server-0 -n consul -- consul acl token read -self
### DNS Resolution Debugging
Create a DNS debugging pod:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
name: dnsutils
namespace: default
spec:
containers:
- name: dnsutils
image: gcr.io/kubernetes-e2e-test-images/dnsutils:1.3
command:
- sleep
- "3600"
EOF
Then run DNS queries:
kubectl exec -it dnsutils -- nslookup example-service.default.svc.cluster.local
kubectl exec -it dnsutils -- nslookup example-service.consul
### Network Connectivity Testing
Test TCP connectivity:
kubectl exec -it dnsutils -- nc -zv example-service.default.svc.cluster.local 8080
### Consul Snapshot and Restore
If Consul data is corrupted, restore from a snapshot:
Create snapshot
kubectl exec -it consul-server-0 -n consul -- consul snapshot save backup.snap
Copy to local machine
kubectl cp consul/consul-server-0:backup.snap ./backup.snap
Restore if needed
kubectl cp ./backup.snap consul/consul-server-0:backup.snap
kubectl exec -it consul-server-0 -n consul -- consul snapshot restore backup.snap
## Preventive Measures
1. **Regular Health Checks**
- Implement service discovery health monitoring
- Set up alerts for service registration inconsistencies
- Monitor Consul server and CoreDNS metrics
2. **Resilient Configuration**
- Use Consul server StatefulSet with PodDisruptionBudget
- Configure proper resource requests and limits
- Implement horizontal scaling for CoreDNS
3. **Backup and Recovery**
- Regular Consul snapshots
- Document recovery procedures
- Practice recovery scenarios
Lessons Learned:
Service discovery is a critical component of cloud native architectures and requires careful design and monitoring.
How to Avoid:
Implement redundancy in service discovery components.
Configure proper resource allocation for service discovery services.
Use service mesh for improved service discovery and connectivity.
Monitor service discovery health and set up alerts for failures.
Implement circuit breakers and retries for service-to-service communication.
>
cloud_native_scenario_04
output:
Cloud Native Architecture
Kubernetes, Istio, Microservices architecture
Summary:
No summary provided
What Happened:
After deploying an updated version of the payment processing microservice, multiple dependent services began reporting errors. Customer transactions started failing, and the monitoring system showed a spike in 500 errors across several services. The incident affected approximately 30% of all transactions for about 45 minutes before being resolved.
Diagnosis Steps:
Analyzed error logs from affected services.
Reviewed recent deployments and changes.
Examined API contract changes between versions.
Checked service mesh traffic routing configurations.
Tested API endpoints directly to reproduce the issues.
Root Cause:
The payment processing service was updated with breaking API changes without proper versioning or backward compatibility. Specifically: 1. Required fields were added to request payloads without making them optional 2. The response structure was changed, breaking JSON deserialization in client services 3. No API versioning strategy was in place to support multiple versions simultaneously 4. The service mesh was not configured to route traffic based on API version 5. Integration tests were insufficient and didn't catch the compatibility issues
Fix/Workaround:
• Short-term: Rolled back the payment service to the previous version:
# Rollback using kubectl
kubectl rollout undo deployment/payment-service -n payment-system
# Verify rollback was successful
kubectl rollout status deployment/payment-service -n payment-system
• Implemented proper API versioning with Istio routing:
# API versioning with Istio
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: payment-service
namespace: payment-system
spec:
hosts:
- payment-service
http:
- match:
- headers:
x-api-version:
exact: "v2"
route:
- destination:
host: payment-service
subset: v2
- route:
- destination:
host: payment-service
subset: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: payment-service
namespace: payment-system
spec:
host: payment-service
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
• Long-term: Implemented a comprehensive API management strategy:
// api_versioning.go - API versioning middleware
package middleware
import (
"net/http"
"strings"
"github.com/gin-gonic/gin"
)
// APIVersion represents a semantic version of an API
type APIVersion struct {
Major int
Minor int
Patch int
}
// VersioningConfig contains configuration for the versioning middleware
type VersioningConfig struct {
// DefaultVersion is the version to use if none is specified
DefaultVersion APIVersion
// HeaderName is the HTTP header to check for version information
HeaderName string
// URLPrefix is the URL prefix to check for version information (e.g., /v1/)
URLPrefix string
// QueryParam is the query parameter to check for version information
QueryParam string
// AvailableVersions is a map of version strings to handler functions
AvailableVersions map[string]gin.HandlerFunc
}
// NewVersioningMiddleware creates a new API versioning middleware
func NewVersioningMiddleware(config VersioningConfig) gin.HandlerFunc {
return func(c *gin.Context) {
var version string
// Check header
if config.HeaderName != "" {
version = c.GetHeader(config.HeaderName)
}
// Check URL prefix
if version == "" && config.URLPrefix != "" {
path := c.Request.URL.Path
for v := range config.AvailableVersions {
prefix := config.URLPrefix + v + "/"
if strings.HasPrefix(path, prefix) {
version = v
// Remove version from path
c.Request.URL.Path = strings.TrimPrefix(path, prefix)
break
}
}
}
// Check query parameter
if version == "" && config.QueryParam != "" {
version = c.Query(config.QueryParam)
}
// Use default version if none specified
if version == "" {
version = formatVersion(config.DefaultVersion)
}
// Get handler for version
handler, exists := config.AvailableVersions[version]
if !exists {
c.JSON(http.StatusBadRequest, gin.H{
"error": "Unsupported API version",
"supported_versions": getKeys(config.AvailableVersions),
})
c.Abort()
return
}
// Set version in context
c.Set("api_version", version)
// Call version-specific handler
handler(c)
}
}
// Helper functions
func formatVersion(v APIVersion) string {
return fmt.Sprintf("v%d", v.Major)
}
func getKeys(m map[string]gin.HandlerFunc) []string {
keys := make([]string, 0, len(m))
for k := range m {
keys = append(keys, k)
}
return keys
}
• Created an API contract testing framework:
// api-contract-testing.ts
import * as fs from 'fs';
import * as path from 'path';
import * as yaml from 'js-yaml';
import * as Ajv from 'ajv';
import axios from 'axios';
import { OpenAPIV3 } from 'openapi-types';
interface ContractTestConfig {
specPath: string;
baseUrl: string;
headers?: Record<string, string>;
testCases: TestCase[];
}
interface TestCase {
name: string;
path: string;
method: string;
request?: {
params?: Record<string, string>;
query?: Record<string, string>;
body?: any;
};
expectedStatus: number;
validateResponse: boolean;
}
interface TestResult {
name: string;
path: string;
method: string;
success: boolean;
statusMatch: boolean;
schemaValid: boolean;
error?: string;
responseTime?: number;
}
export class APIContractTester {
private spec: OpenAPIV3.Document;
private ajv: Ajv.default;
private config: ContractTestConfig;
constructor(config: ContractTestConfig) {
this.config = config;
this.ajv = new Ajv({ allErrors: true, strict: false });
this.spec = this.loadSpec(config.specPath);
}
private loadSpec(specPath: string): OpenAPIV3.Document {
const fileContent = fs.readFileSync(specPath, 'utf8');
const extension = path.extname(specPath).toLowerCase();
if (extension === '.json') {
return JSON.parse(fileContent);
} else if (extension === '.yaml' || extension === '.yml') {
return yaml.load(fileContent) as OpenAPIV3.Document;
} else {
throw new Error(`Unsupported specification format: ${extension}`);
}
}
private getResponseSchema(path: string, method: string, statusCode: number): any {
const pathObj = this.spec.paths[path];
if (!pathObj) {
throw new Error(`Path ${path} not found in API specification`);
}
const methodObj = pathObj[method.toLowerCase()] as OpenAPIV3.OperationObject;
if (!methodObj) {
throw new Error(`Method ${method} not found for path ${path} in API specification`);
}
const responses = methodObj.responses;
const response = responses[statusCode.toString()] || responses.default;
if (!response) {
throw new Error(`No response defined for status ${statusCode} in path ${path}, method ${method}`);
}
const responseObj = response as OpenAPIV3.ResponseObject;
const content = responseObj.content;
if (!content || !content['application/json']) {
throw new Error(`No JSON schema defined for response in path ${path}, method ${method}`);
}
return content['application/json'].schema;
}
private validateResponse(path: string, method: string, statusCode: number, response: any): boolean {
try {
const schema = this.getResponseSchema(path, method, statusCode);
const validate = this.ajv.compile(schema);
return validate(response);
} catch (error) {
console.error(`Schema validation error: ${error.message}`);
return false;
}
}
async runTests(): Promise<TestResult[]> {
const results: TestResult[] = [];
for (const testCase of this.config.testCases) {
const result: TestResult = {
name: testCase.name,
path: testCase.path,
method: testCase.method,
success: false,
statusMatch: false,
schemaValid: false,
};
try {
const startTime = Date.now();
const response = await axios({
method: testCase.method,
url: `${this.config.baseUrl}${testCase.path}`,
params: testCase.request?.query,
data: testCase.request?.body,
headers: this.config.headers,
validateStatus: () => true,
});
result.responseTime = Date.now() - startTime;
result.statusMatch = response.status === testCase.expectedStatus;
if (testCase.validateResponse && response.data) {
result.schemaValid = this.validateResponse(
testCase.path,
testCase.method,
testCase.expectedStatus,
response.data
);
} else {
result.schemaValid = true;
}
result.success = result.statusMatch && result.schemaValid;
} catch (error) {
result.error = error.message;
}
results.push(result);
}
return results;
}
generateReport(results: TestResult[]): string {
const totalTests = results.length;
const passedTests = results.filter(r => r.success).length;
const failedTests = totalTests - passedTests;
let report = `# API Contract Test Report\n\n`;
report += `- Total Tests: ${totalTests}\n`;
report += `- Passed: ${passedTests}\n`;
report += `- Failed: ${failedTests}\n\n`;
if (failedTests > 0) {
report += `## Failed Tests\n\n`;
for (const result of results.filter(r => !r.success)) {
report += `### ${result.name}\n`;
report += `- Path: ${result.path}\n`;
report += `- Method: ${result.method}\n`;
report += `- Status Match: ${result.statusMatch ? '✅' : '❌'}\n`;
report += `- Schema Valid: ${result.schemaValid ? '✅' : '❌'}\n`;
if (result.error) {
report += `- Error: ${result.error}\n`;
}
report += `\n`;
}
}
return report;
}
}
// Example usage
async function main() {
const config: ContractTestConfig = {
specPath: './openapi/payment-service.yaml',
baseUrl: 'http://payment-service:8080',
headers: {
'Content-Type': 'application/json',
'x-api-version': 'v1'
},
testCases: [
{
name: 'Get Payment Status',
path: '/payments/status/{id}',
method: 'GET',
request: {
params: { id: '12345' }
},
expectedStatus: 200,
validateResponse: true
},
{
name: 'Create Payment',
path: '/payments',
method: 'POST',
request: {
body: {
amount: 100.50,
currency: 'USD',
description: 'Test payment'
}
},
expectedStatus: 201,
validateResponse: true
}
]
};
const tester = new APIContractTester(config);
const results = await tester.runTests();
const report = tester.generateReport(results);
console.log(report);
fs.writeFileSync('contract-test-report.md', report);
}
main().catch(console.error);
Lessons Learned:
API versioning and backward compatibility are critical in microservices architectures.
How to Avoid:
Implement a clear API versioning strategy from the beginning.
Use semantic versioning for all services and APIs.
Maintain backward compatibility or support multiple versions simultaneously.
Implement comprehensive integration tests that validate API contracts.
Use service mesh capabilities to route traffic based on API version.
>
cloud_native_scenario_05
output:
Cloud Native Architecture
Kubernetes Federation v2 (KubeFed), Multiple Kubernetes clusters across regions, Istio, Cilium
Summary:
No summary provided
What Happened:
A company implemented a multi-cluster Kubernetes architecture using KubeFed to distribute their application across multiple regions for high availability and global presence. After a successful initial deployment, they began experiencing intermittent connectivity issues between services in different clusters. The issues escalated during a planned network configuration update, resulting in complete isolation of several clusters and service unavailability. Cross-cluster service discovery stopped working, and propagation of configuration changes failed across the federation.
Diagnosis Steps:
Analyzed network connectivity between clusters using ping, traceroute, and network policy tests.
Examined KubeFed controller logs for propagation errors.
Reviewed DNS resolution across clusters for service discovery issues.
Checked Istio and Cilium configurations for network policy conflicts.
Monitored cross-cluster traffic patterns and packet loss.
Root Cause:
The investigation revealed multiple issues with the multi-cluster networking implementation: 1. Overlapping IP CIDR ranges between clusters caused routing conflicts 2. Inconsistent network policies between clusters blocked essential traffic 3. DNS propagation delays caused service discovery failures 4. Istio and Cilium configurations had conflicting traffic management rules 5. Cross-cluster load balancing was not properly handling connection draining during updates
Fix/Workaround:
• Short-term: Implemented immediate fixes to restore connectivity
• Created a KubeFed network policy validator
• Implemented a cross-cluster connectivity checker
• Updated Istio configuration for multi-cluster compatibility
• Long-term: Implemented a comprehensive multi-cluster architecture with non-overlapping CIDRs
Lessons Learned:
Multi-cluster Kubernetes federations require careful network planning and consistent policies across clusters.
How to Avoid:
Design cluster networks with non-overlapping CIDR ranges from the start.
Implement consistent network policies across all federated clusters.
Test cross-cluster connectivity regularly with automated tools.
Establish clear change management procedures for network configurations.
Monitor cross-cluster traffic patterns and service discovery.
>
cloud_native_scenario_06
output:
Cloud Native Architecture
Kubernetes 1.23 to 1.24 upgrade, StatefulSets, PersistentVolumes, CSI drivers
Summary:
No summary provided
What Happened:
During a planned Kubernetes cluster upgrade from version 1.23 to 1.24, several stateful applications experienced data loss or corruption. After the control plane was upgraded, worker nodes were gradually drained and upgraded. When pods were rescheduled on the upgraded nodes, some applications reported missing or corrupted data. The incident affected multiple stateful services, including databases and message queues, leading to extended downtime and data recovery operations.
Diagnosis Steps:
Examined pod events and logs for volume mounting errors.
Checked PersistentVolume and PersistentVolumeClaim status.
Reviewed Kubernetes upgrade release notes for storage-related changes.
Analyzed CSI driver logs and version compatibility.
Verified volume attachment and detachment processes during node drains.
Root Cause:
The investigation revealed multiple issues with stateful application management: 1. The CSI driver version was incompatible with the new Kubernetes version 2. PersistentVolume reclaim policy was set to "Delete" instead of "Retain" 3. Volume snapshots were not taken before the upgrade 4. StatefulSet update strategy was incorrectly configured 5. Pod disruption budgets were not implemented for critical stateful services
Fix/Workaround:
• Restored data from the most recent backups where available
• Updated CSI drivers to compatible versions
• Implemented proper PersistentVolume reclaim policies
• Created a comprehensive stateful application upgrade procedure
• Improved backup and recovery processes for all stateful services
Lessons Learned:
Stateful applications in Kubernetes require special consideration during cluster upgrades.
How to Avoid:
Create pre-upgrade snapshots of all critical volumes.
Test upgrades in a staging environment with production data patterns.
Verify CSI driver compatibility with target Kubernetes version.
Implement proper PersistentVolume reclaim policies.
Configure appropriate StatefulSet update strategies and PDBs.
>
cloud_native_scenario_07
output:
Cloud Native Architecture
Kubernetes, Microservices, gRPC, Production environment
Summary:
No summary provided
What Happened:
A retail company's cloud-native application began experiencing increasing latency and intermittent failures during peak traffic periods. The application consisted of dozens of microservices communicating through a mix of REST, gRPC, and message queues. As traffic increased, certain services became bottlenecks, causing cascading failures across the platform. The operations team observed high CPU usage, network saturation, and increasing error rates across multiple services.
Diagnosis Steps:
Created service dependency maps to visualize communication patterns.
Analyzed network traffic between services using service mesh telemetry.
Profiled high-traffic services to identify performance bottlenecks.
Examined database query patterns and connection management.
Reviewed service-to-service authentication and retry mechanisms.
Root Cause:
The investigation revealed multiple issues with the microservices communication patterns: 1. Synchronous request chains spanning multiple services created cascading failures 2. Chatty communication patterns between services caused excessive network traffic 3. Improper retry mechanisms with exponential backoff led to retry storms 4. No circuit breaking or bulkheading to isolate failures 5. Inefficient serialization formats for high-volume data exchange
Fix/Workaround:
• Implemented immediate fixes to stabilize the platform
• Replaced synchronous chains with asynchronous messaging where appropriate
• Optimized data exchange formats and batch processing
• Implemented proper circuit breaking and retry mechanisms
• Created service interaction guidelines for developers
Lessons Learned:
Microservices communication patterns significantly impact system resilience and performance.
How to Avoid:
Design communication patterns based on service interaction requirements.
Implement circuit breaking and bulkheading for failure isolation.
Use asynchronous messaging for non-critical request chains.
Optimize serialization formats for high-volume data exchange.
Create and enforce service interaction guidelines.
>
cloud_native_scenario_08
output:
Cloud Native Architecture
Kubernetes, Consul, Microservices, Production environment
Summary:
No summary provided
What Happened:
A large e-commerce company using a microservices architecture deployed a new version of their service discovery system (Consul) during a scheduled maintenance window. After the deployment, services began reporting connection timeouts and failures when attempting to communicate with other services. The issue escalated rapidly, with cascading failures spreading across the platform as dependent services failed. Customer-facing applications experienced increased latency and eventually partial outages. The incident affected thousands of users and lasted for nearly two hours before being resolved.
Diagnosis Steps:
Analyzed service connectivity patterns and error logs.
Examined network traffic between services and the service discovery system.
Reviewed recent changes to the service discovery configuration.
Checked DNS resolution and service endpoint health.
Investigated the service discovery system's internal state and data consistency.
Root Cause:
The investigation revealed multiple issues with the service discovery system: 1. The new Consul version had a different ACL (Access Control List) enforcement behavior 2. Service registration was failing silently due to insufficient permissions 3. The service mesh sidecar proxies were caching stale service endpoints 4. Health check configurations were incompatible with the new version 5. The rollout didn't include proper validation of service discovery functionality
Fix/Workaround:
• Implemented immediate fixes to restore service
• Temporarily relaxed ACL enforcement to allow service registration
• Forced refresh of service endpoint caches across all proxies
• Updated health check configurations to be compatible with the new version
• Implemented comprehensive service discovery validation in the deployment pipeline
# Consul Service Discovery Configuration
# File: consul-config.yaml
# Global configuration
global:
name: consul
datacenter: dc1
image: hashicorp/consul:1.14.2
enableConsulNamespaces: true
acls:
manageSystemACLs: true
createReplicationToken: true
# Server configuration
server:
replicas: 3
bootstrapExpect: 3
disruptionBudget:
enabled: true
maxUnavailable: 1
resources:
requests:
memory: "4Gi"
cpu: "2000m"
limits:
memory: "8Gi"
cpu: "4000m"
storage:
enabled: true
storageClass: "premium-ssd"
size: 50Gi
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: DoesNotExist
# Client configuration
client:
enabled: true
grpc: true
exposeGossipPorts: false
resources:
requests:
memory: "100Mi"
cpu: "100m"
limits:
memory: "500Mi"
cpu: "500m"
# ACL configuration with proper defaults
acl:
enabled: true
defaultPolicy: "deny"
enableTokenReplication: true
# Critical fix: Add default token for service registration during migration
tokens:
agent: "${CONSUL_ACL_AGENT_TOKEN}"
default: "${CONSUL_ACL_DEFAULT_TOKEN}"
replication: "${CONSUL_ACL_REPLICATION_TOKEN}"
# Service mesh configuration
connectInject:
enabled: true
default: true
centralConfig:
enabled: true
defaultProtocol: "http"
proxyDefaults: |
{
"envoy_prometheus_bind_addr": "0.0.0.0:9102",
"envoy_stats_tags": ["service=${NOMAD_JOB_NAME}"],
"envoy_dogstatsd_url": "udp://127.0.0.1:9125",
"cache_refresh_interval": "30s"
}
# UI configuration
ui:
enabled: true
service:
type: ClusterIP
# Sync catalog configuration
syncCatalog:
enabled: true
default: true
toConsul: true
toK8S: true
k8sAllowNamespaces: ["*"]
k8sDenyNamespaces: ["kube-system", "kube-public"]
syncClusterIPServices: true
addK8SNamespaceSuffix: true
# Health check configuration
# Critical fix: Update health check configuration for compatibility
controller:
enabled: true
replicas: 1
logLevel: "debug"
// Service Discovery Health Check and Validation
// File: service_discovery_validator.go
package main
import (
"context"
"encoding/json"
"fmt"
"log"
"net/http"
"os"
"strings"
"time"
"github.com/hashicorp/consul/api"
)
// ServiceEndpoint represents a service instance
type ServiceEndpoint struct {
ServiceID string
ServiceName string
ServiceAddr string
ServicePort int
Healthy bool
LastChecked time.Time
}
// ValidationResult stores the result of validation
type ValidationResult struct {
Success bool
FailedServices []string
FailedConnections []string
RegistrationErrors []string
DiscoveryErrors []string
ACLErrors []string
}
func main() {
// Parse command line arguments
if len(os.Args) < 2 {
log.Fatal("Usage: service_discovery_validator [validate|monitor]")
}
command := os.Args[1]
switch command {
case "validate":
result := validateServiceDiscovery()
printResult(result)
if !result.Success {
os.Exit(1)
}
case "monitor":
startMonitoringServer()
default:
log.Fatalf("Unknown command: %s", command)
}
}
func validateServiceDiscovery() ValidationResult {
result := ValidationResult{
Success: true,
}
// Initialize Consul client
config := api.DefaultConfig()
config.Address = getEnv("CONSUL_HTTP_ADDR", "localhost:8500")
config.Token = getEnv("CONSUL_HTTP_TOKEN", "")
client, err := api.NewClient(config)
if err != nil {
result.Success = false
result.ACLErrors = append(result.ACLErrors, fmt.Sprintf("Failed to create Consul client: %v", err))
return result
}
// Validate ACL system
if err := validateACLSystem(client, &result); err != nil {
result.Success = false
result.ACLErrors = append(result.ACLErrors, fmt.Sprintf("ACL validation failed: %v", err))
}
// Get list of services
services, _, err := client.Catalog().Services(&api.QueryOptions{})
if err != nil {
result.Success = false
result.DiscoveryErrors = append(result.DiscoveryErrors, fmt.Sprintf("Failed to list services: %v", err))
return result
}
// Validate each service
for serviceName := range services {
// Skip consul service itself
if serviceName == "consul" {
continue
}
// Check service registration
serviceInstances, _, err := client.Catalog().Service(serviceName, "", &api.QueryOptions{})
if err != nil {
result.Success = false
result.DiscoveryErrors = append(result.DiscoveryErrors,
fmt.Sprintf("Failed to get instances for service %s: %v", serviceName, err))
continue
}
if len(serviceInstances) == 0 {
result.Success = false
result.RegistrationErrors = append(result.RegistrationErrors,
fmt.Sprintf("Service %s has no registered instances", serviceName))
continue
}
// Check health status
healthyInstances := 0
for _, instance := range serviceInstances {
checks, _, err := client.Health().Checks(serviceName, &api.QueryOptions{})
if err != nil {
result.Success = false
result.DiscoveryErrors = append(result.DiscoveryErrors,
fmt.Sprintf("Failed to get health checks for service %s: %v", serviceName, err))
continue
}
isHealthy := true
for _, check := range checks {
if check.ServiceID == instance.ServiceID && check.Status != "passing" {
isHealthy = false
break
}
}
if isHealthy {
healthyInstances++
}
}
if healthyInstances == 0 && len(serviceInstances) > 0 {
result.Success = false
result.FailedServices = append(result.FailedServices,
fmt.Sprintf("Service %s has no healthy instances", serviceName))
}
// Validate service connectivity
if err := validateServiceConnectivity(client, serviceName, &result); err != nil {
result.Success = false
result.FailedConnections = append(result.FailedConnections,
fmt.Sprintf("Connectivity validation failed for service %s: %v", serviceName, err))
}
}
return result
}
func validateACLSystem(client *api.Client, result *ValidationResult) error {
// Check if ACLs are enabled
_, _, err := client.ACL().TokenReadSelf(&api.QueryOptions{})
if err != nil {
if strings.Contains(err.Error(), "ACL not enabled") {
// ACLs not enabled, skip validation
return nil
}
return fmt.Errorf("failed to read ACL token: %v", err)
}
// Check if we can create a policy
policyName := fmt.Sprintf("test-policy-%d", time.Now().Unix())
policy := &api.ACLPolicy{
Name: policyName,
Description: "Test policy for validation",
Rules: `service "" { policy = "read" }`,
}
_, _, err = client.ACL().PolicyCreate(policy, &api.WriteOptions{})
if err != nil {
return fmt.Errorf("failed to create test policy: %v", err)
}
// Clean up
_, err = client.ACL().PolicyDelete(policyName, &api.WriteOptions{})
if err != nil {
log.Printf("Warning: Failed to delete test policy: %v", err)
}
return nil
}
func validateServiceConnectivity(client *api.Client, serviceName string, result *ValidationResult) error {
// Get service instances
serviceInstances, _, err := client.Catalog().Service(serviceName, "", &api.QueryOptions{})
if err != nil {
return fmt.Errorf("failed to get instances: %v", err)
}
if len(serviceInstances) == 0 {
return fmt.Errorf("no instances found")
}
// Try to connect to the first instance
instance := serviceInstances[0]
address := instance.ServiceAddress
if address == "" {
address = instance.Address
}
// Skip actual connection for non-HTTP services
// In a real implementation, you would use appropriate protocol handlers
if !isHTTPService(serviceName) {
return nil
}
// Try to connect
url := fmt.Sprintf("http://%s:%d/health", address, instance.ServicePort)
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
if err != nil {
return fmt.Errorf("failed to create request: %v", err)
}
resp, err := http.DefaultClient.Do(req)
if err != nil {
return fmt.Errorf("failed to connect: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode >= 400 {
return fmt.Errorf("received error status code: %d", resp.StatusCode)
}
return nil
}
func startMonitoringServer() {
http.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
result := validateServiceDiscovery()
w.Header().Set("Content-Type", "application/json")
if !result.Success {
w.WriteHeader(http.StatusServiceUnavailable)
}
json.NewEncoder(w).Encode(result)
})
port := getEnv("PORT", "8080")
log.Printf("Starting monitoring server on port %s", port)
log.Fatal(http.ListenAndServe(":"+port, nil))
}
func printResult(result ValidationResult) {
fmt.Printf("Service Discovery Validation Result: %t\n", result.Success)
if len(result.FailedServices) > 0 {
fmt.Println("\nFailed Services:")
for _, service := range result.FailedServices {
fmt.Printf(" - %s\n", service)
}
}
if len(result.FailedConnections) > 0 {
fmt.Println("\nFailed Connections:")
for _, conn := range result.FailedConnections {
fmt.Printf(" - %s\n", conn)
}
}
if len(result.RegistrationErrors) > 0 {
fmt.Println("\nRegistration Errors:")
for _, err := range result.RegistrationErrors {
fmt.Printf(" - %s\n", err)
}
}
if len(result.DiscoveryErrors) > 0 {
fmt.Println("\nDiscovery Errors:")
for _, err := range result.DiscoveryErrors {
fmt.Printf(" - %s\n", err)
}
}
if len(result.ACLErrors) > 0 {
fmt.Println("\nACL Errors:")
for _, err := range result.ACLErrors {
fmt.Printf(" - %s\n", err)
}
}
}
func isHTTPService(serviceName string) bool {
// In a real implementation, this would check service metadata
// or configuration to determine the protocol
return true
}
func getEnv(key, fallback string) string {
if value, exists := os.LookupEnv(key); exists {
return value
}
return fallback
}
#!/bin/bash
# File: service-discovery-migration.sh
# Purpose: Safely migrate service discovery system with validation
set -e
# Configuration
CONSUL_VERSION="1.14.2"
CONSUL_NAMESPACE="consul"
BACKUP_DIR="/tmp/consul-backup-$(date +%Y%m%d-%H%M%S)"
VALIDATION_TIMEOUT=300 # seconds
ROLLBACK_ON_FAILURE=true
# Create backup directory
mkdir -p "$BACKUP_DIR"
echo "Starting Consul migration to version $CONSUL_VERSION"
# Step 1: Backup current configuration and data
echo "Backing up Consul configuration and data..."
kubectl get configmap -n "$CONSUL_NAMESPACE" -o yaml > "$BACKUP_DIR/configmaps.yaml"
kubectl get secret -n "$CONSUL_NAMESPACE" -o yaml > "$BACKUP_DIR/secrets.yaml"
kubectl get statefulset -n "$CONSUL_NAMESPACE" -o yaml > "$BACKUP_DIR/statefulsets.yaml"
kubectl get deployment -n "$CONSUL_NAMESPACE" -o yaml > "$BACKUP_DIR/deployments.yaml"
kubectl get service -n "$CONSUL_NAMESPACE" -o yaml > "$BACKUP_DIR/services.yaml"
# Backup Consul KV store
echo "Backing up Consul KV store..."
CONSUL_HTTP_ADDR=$(kubectl get svc -n "$CONSUL_NAMESPACE" consul-server -o jsonpath='{.spec.clusterIP}'):8500
CONSUL_HTTP_TOKEN=$(kubectl get secret -n "$CONSUL_NAMESPACE" consul-bootstrap-acl-token -o jsonpath='{.data.token}' | base64 -d)
kubectl exec -n "$CONSUL_NAMESPACE" consul-server-0 -- consul kv export > "$BACKUP_DIR/consul-kv.json"
# Step 2: Pre-migration validation
echo "Running pre-migration validation..."
kubectl apply -f service-discovery-validator.yaml
kubectl wait --for=condition=available deployment/service-discovery-validator --timeout=60s
PRE_VALIDATION_RESULT=$(kubectl exec -n "$CONSUL_NAMESPACE" deployment/service-discovery-validator -- /app/validator validate)
echo "$PRE_VALIDATION_RESULT" > "$BACKUP_DIR/pre-migration-validation.log"
if echo "$PRE_VALIDATION_RESULT" | grep -q "Service Discovery Validation Result: false"; then
echo "WARNING: Pre-migration validation failed. Check $BACKUP_DIR/pre-migration-validation.log for details."
echo "Do you want to continue anyway? (y/n)"
read -r CONTINUE
if [[ "$CONTINUE" != "y" ]]; then
echo "Migration aborted."
exit 1
fi
fi
# Step 3: Update Consul with new configuration
echo "Updating Consul configuration..."
kubectl apply -f consul-config.yaml
# Step 4: Wait for rollout to complete
echo "Waiting for Consul rollout to complete..."
kubectl rollout status statefulset/consul-server -n "$CONSUL_NAMESPACE" --timeout=300s
kubectl rollout status deployment/consul-client -n "$CONSUL_NAMESPACE" --timeout=300s
# Step 5: Post-migration validation
echo "Running post-migration validation..."
POST_VALIDATION_START_TIME=$(date +%s)
POST_VALIDATION_SUCCESS=false
while true; do
POST_VALIDATION_RESULT=$(kubectl exec -n "$CONSUL_NAMESPACE" deployment/service-discovery-validator -- /app/validator validate)
echo "$POST_VALIDATION_RESULT" > "$BACKUP_DIR/post-migration-validation.log"
if echo "$POST_VALIDATION_RESULT" | grep -q "Service Discovery Validation Result: true"; then
POST_VALIDATION_SUCCESS=true
break
fi
CURRENT_TIME=$(date +%s)
ELAPSED_TIME=$((CURRENT_TIME - POST_VALIDATION_START_TIME))
if [ "$ELAPSED_TIME" -ge "$VALIDATION_TIMEOUT" ]; then
echo "Validation timeout reached."
break
fi
echo "Validation failed, retrying in 10 seconds..."
sleep 10
done
# Step 6: Handle validation result
if [ "$POST_VALIDATION_SUCCESS" = true ]; then
echo "Migration completed successfully!"
else
echo "ERROR: Post-migration validation failed. Check $BACKUP_DIR/post-migration-validation.log for details."
if [ "$ROLLBACK_ON_FAILURE" = true ]; then
echo "Rolling back to previous version..."
kubectl apply -f "$BACKUP_DIR/statefulsets.yaml"
kubectl apply -f "$BACKUP_DIR/deployments.yaml"
kubectl apply -f "$BACKUP_DIR/services.yaml"
kubectl apply -f "$BACKUP_DIR/configmaps.yaml"
kubectl apply -f "$BACKUP_DIR/secrets.yaml"
echo "Waiting for rollback to complete..."
kubectl rollout status statefulset/consul-server -n "$CONSUL_NAMESPACE" --timeout=300s
kubectl rollout status deployment/consul-client -n "$CONSUL_NAMESPACE" --timeout=300s
echo "Rollback completed. Please check system status manually."
exit 1
else
echo "Rollback not enabled. Please check system status manually."
exit 1
fi
fi
# Step 7: Clean up
echo "Cleaning up..."
rm -rf "$BACKUP_DIR"
echo "Migration process completed."
Lessons Learned:
Service discovery is a critical component in microservices architectures and requires careful validation during upgrades.
How to Avoid:
Implement comprehensive pre and post-deployment validation for service discovery systems.
Test ACL changes in a staging environment that mirrors production.
Use canary deployments for service discovery updates.
Implement automatic rollback mechanisms for failed deployments.
Maintain backward compatibility during service discovery migrations.
>
cloud_native_scenario_09
output:
Cloud Native Architecture
Kubernetes, Consul, Multi-cluster deployment, Production environment
Summary:
No summary provided
What Happened:
A large financial services company was expanding their Kubernetes deployment from a single cluster to multiple clusters across different regions for improved resilience and latency. They implemented Consul for service discovery across clusters. After the migration, services in one cluster were unable to reliably discover and connect to services in other clusters. The issue manifested as intermittent connection failures, timeouts, and increased error rates for cross-cluster communications. The problem was particularly severe during peak traffic periods and affected critical transaction processing services.
Diagnosis Steps:
Analyzed connection failures and error patterns.
Examined Consul server logs across all clusters.
Reviewed network connectivity between clusters.
Tested service discovery in controlled environments.
Monitored DNS resolution and service endpoint updates.
Root Cause:
The investigation revealed multiple issues with the multi-cluster service discovery: 1. Consul servers were experiencing gossip protocol timeouts due to network latency between regions 2. The service registration TTL was too short for the inter-region network conditions 3. DNS caching in the application pods was inconsistent across clusters 4. Network policies were incorrectly configured, restricting some cross-cluster communication 5. The Consul federation setup had configuration inconsistencies between clusters
Fix/Workaround:
• Implemented immediate improvements to service discovery
• Adjusted Consul server configuration for higher latency environments
• Increased service registration TTL values
• Standardized DNS caching configuration across all clusters
• Corrected network policies to allow proper cross-cluster communication
• Implemented consistent Consul federation configuration
Lessons Learned:
Multi-cluster service discovery requires careful consideration of network conditions, latency, and consistent configuration across environments.
How to Avoid:
Test service discovery in environments with realistic network latency.
Configure appropriate timeouts and TTLs for multi-region deployments.
Implement consistent DNS caching across all clusters.
Verify network policies allow necessary cross-cluster communication.
Establish monitoring for service discovery health metrics.