Cloud-native applications are increasingly spanning across hybrid and multi-cloud environments such as on-premise data centers, in the cloud (Amazon EKS, Azure AKS, Google Cloud GKE) and at the edge. Customers need to ensure security and resiliency for their cloud-native applications while managing releases through reliable, consistent deployment and runtime policies. In this session, we’ve partnered with Tetrate to showcase how to effectively manage advanced deployments using Weave GitOps. Managing application configurations by different teams across multiple Kubernetes clusters is made possible with Weave GitOps and Tetrate Service Bridge. Using familiar Git workflows, Weave Policy-as-Code enables application engineers to quickly deliver new features safely. Join us as we demonstrate the scenarios where: - All changes to application configuration are managed through Git workflows. - GitOps provides an extra layer of security by removing the need for direct access to Kubernetes clusters. - Policy-as-Code guarantees security, resilience and coding standards compliance. - Tetrate Service Bridge provides dynamic configuration of application workloads and failover across multiple Kubernetes clusters.

1. 1
Security and Resiliency
of Cloud Native
Applications with
Weave GitOps and
Tetrate Service Bridge
In partnership with:

2. 2
Webinar Platform - FAQs
Using Zoom
• You are in listen only mode
• This webinar is being recorded
• Q&A session will follow the presentation, please use the Q&A panel to
submit questions
• Hit escape to exit full screen
• Slides and recording will be shared after the webinar
Technical Issues - please visit Zoom Help
https://support.zoom.us/hc/en-us/articles/206175806-Top-Questions

3. 3
Petr McAllister
Partner Engineer,
Tetrate
Petr wears multiple hats in Tetrate and serves as
a tunnel between Customers/Partners and
Engineering. For an extended period of his
career, Petr has focused on Network and Security
aspects of IT infrastructure. Petr is a huge fan of
Open Source and contributes whenever the
opportunity presents.
Saptak Sen
VP, Strategic Alliances,
Tetrate
Saptak heads Partner Integration and Alliances at
Tetrate. Before joining Tetrate, Saptak led the
partner integration and ecosystem initiatives at the
AWS Container Services team for Amazon EKS,
AWS Fargate and AWS AppMesh. In his past life, he
has also focussed on Partner Engineering, Product
Management and Developer Evangelism at
Hortonworks and Microsoft.
Steve Waterworth
Technical Marketing
Manager, Weaveworks
Steve brings years of experience having worked in
technical roles in the APM space since 2004 for
companies including Wily Technology and
AppDynamics. In that time, Steve has seen
numerous technical revolutions and market
disruptions giving him a unique insight into the
rapidly changing DevOps environment. He has a
background in electronics and programming before
moving to software solutions.
Speaker introductions

4. Solution architecture with Tetrate & Weave GitOps
Problem
How do application operators safely release new
application features and control routing across
environments?
Value Proposition
Weave GitOps uses Git as the single source of truth
automatically reconciling the desired state with the
actual state.
All changes are made via regular Git workflows, reducing
the need for direct access to Kubernetes thus enhancing
security.
Weave GitOps Policy-as-Code validates changes at
multiple points in the SDLC, eliminating bottlenecks,
speeding up delivery.
TSB Provides platform to manage multicluster
ServiceMesh in Enterprise environments
TSB focuses on Access Control, Management,
Observability, Resilience and Security
Reliability: Simple Releases With Automatic Failover
Catalog
VM
Product
POD
Product
POD
“B” Version
“A” Version
Shipping
POD
Catalog
VM
Catalog
POD
2%
98%
25%
75%
50%
50%

5. 5
Weaveworks the GitOps Company
Weaveworks is backed by solid investors
Weaveworks is a key partner with all the
major infrastructure and Kubernetes vendors
Weaveworks is deeply committed
to the Open Source Community

6. 6
Financial Services Technology Other Industries

7. 7
● DevOps automation platform
● Cluster management in the cloud, in your data
centre or at the edge
● Continuous Trusted Delivery
○ Policy-as-Code
○ Progressive deployments
○ Fleet deployments
○ Lifecycle pipelines: Dev, Test, Staging, Production
● RBAC
● OIDC
Weave GitOps

8. 8
● Automation via regular Git workflows
● Enhanced security via no requirement for direct access
● Manual review / approval can be a bottleneck
GitOps

9. 9
Policy-as-Code

10. 10
● Built on OPA standard - Rego
● Curated library of 100+ policies
● SOC II, PCI-DSS, GDPR, HIPAA, MITRE ATTACK
● Security, resilience and coding standards
● Validation throughout SDLC
○ Commit, Pull Request
○ Build
○ Deploy
○ Runtime
● Automatic remediation via pull request
Weave GitOps PaC

11. Tetrate
Defining microservice security standards
with NIST:
Joint collaboration with NIST: SP 800-204A,
SP 800-204B, SP 800-204C
Community and industry leader:
Leading networking & data plane WGs
Bringing you the official stable, secure builds for
Envoy and Istio
Provide the only Certification available for Istio via
Tetrate Academy
Co-Creators of:
Istio, gRPC, Apache Skywalking
Lizan Zhou
Senior Maintainer, Envoy
Zack Butcher
Istio Steering Committee
Jeyappragash (JJ)
Co-founder
Chair CNCF SIG Security
Varun Talwar
Co-founder
Co-creator gRPC, Istio
Sheng Wu
Creator, SkyWalking
Adrian Cole
Maintainer, OpenZipkin
Top contributors to Envoy, Istio:
2nd Largest contributor to Envoy proxy
& 5th Largest contributor to Istio
project
Istio
NGAC
Trusted by

12. What’s a Service Mesh
Deploy a sidecar proxy next to every application instance, which
intercepts traffic in and out to achieve:
● L7 application identity & encryption in transit
● Per request policy and controls
● Service discovery, load balancing, and resiliency
● Operational telemetry: metrics, logs, and traces
Then control the proxies central with declarative configuration and
dynamic update.

13. End to End Application Networking Platform
N/w Edge App Edge
GW
Workload
(Service)
POD
VM
Workload
VM
VM
Workload
VM
Workload
(Service)
POD
Workload
(Service)
POD
Workload
(Service)
POD
Workload
(Service)
POD
Workload
(Service)
POD
Workload
(Service)
POD
App Ingress
GW
Service Mesh
An application networking platform should handle end to end application traffic & provide:
Traffic management for
applications like canary, retry
Consistent identity and
secure access
Performance mgmt. &
troubleshooting
One [Application] Platform for Enterprises with scale and complexity

14. Compute
Edge DC Central Office Data Centers Cloud
Tetrate Service Bridge - Cross-Cluster Layer
Tetrate Istio Distribution (TID/TIS)
Continuous
Upgrade
Config Distribution
Cluster Status
Reporting
Cross-Cluster
Service Discovery
Locality Aware
Routing
Cross-Cluster
Failover
Tetrate Service Bridge (TSB)

15. Global Visibility
with Topology
Compute
Edge DC Central Office Data Centers Cloud
Tetrate Service Bridge - Management Layer
Tetrate Istio Distribution (TID/TIS)
Tetrate Service Bridge (TSB)
Service Inventory
Audit Logging
Multitenancy with
Access Control
Workflows
SLOs and Alerting

16. Namespace
Namespace
Namespace
Hierarchy, Abstraction, & Ownership
Combine with restrictions down the hierarchy, we can ensure
controls across our infrastructure while enabling teams to move
fast.
16
Workspace
Team
Organization
Tenant

17. Cluster 1
Gateway
Istio
Workload
(Service)
POD
Workload
(Service)
POD
Cluster 2
Gateway
Istio
Workload
(Service)
POD
Workload
(Service)
POD
Cluster 3
Gateway
Istio
Workload
(Service)
POD
Workload
(Service)
POD
TSB: Management plane for multi-DC, k8s, compute
Management
Plane (s)
Cluster 1
Gateway
Istio
Workload
(Service)
POD
Workload
(Service)
POD
Global Control Plane(s) Service Discovery
Multi Tenancy Service Inventory Workflows Extension Reg Integrations Compliance Audit SLO mgmt
Failover
Ingress/Egress Controls
Cluster 2
Gateway
Istio
Workload
(Service)
POD
Workload
(Service)
POD
Cluster 3
Gateway
Istio
Workload
(Service)
POD
Workload
(Service)
POD
DC1 DC2 DC3

18. DEMO
- Application developer
- submits a new (green) to GitHub
- additionally configures ingress cluster to start routing 10% of traffic to the
cluster with blue application
- Weaveworks recognizes the change in application definition and updates but
- Not allowing the change - as one of the objects has “Organisation”
spelling of the manifest kind
- After the problem is fixed the changes are hold until Maintenance window
opens and job is not suspended anymore
- Finally the change is allowed and Flux submits changes to Kubernetes API
- Kubernetes deploy the application definitions
- Tetrate Service Bridge picks the objects that define Service Mesh and deploys
(or updates) Tenant, Workspace, Gateway Group and Gateway definitions
- Developer can continue gradually change traffic distribution between Blue
(stable) and Green (latest) versions of application.

19. Demo Deployment Architecture
Istio Control
Plane
ingress-gcp-webinar
Tetrate Service Bridge Istio Control
Plane
blue-v1-aws-webinar
Webinar-app-v1
Gateway
Ingress
Gateway
Istio Control
Plane
green-v2-gcp-webinar
Webinar-app-v2
Gateway

20. 20
Questions?

21. For any further questions, feel free to contact us at info@tetrate.io
Thank You
Tetrate Academy
academy.tetrate.io
Service Mesh Handbook
tetrate.io/service-mesh-handbook/
@tetrateio Tetrate www.tetrate.io

22. 22
Whitepaper: Progressive Delivery
https://bit.ly/3K8oZwU
Learn more about Weave GitOps
www.weave.works/enterprise
Request a personal demo
www.weave.works/contact
Thank You