DEV Community: PiotrekSt The latest articles on DEV Community by PiotrekSt (@piotrekst). https://dev.to/piotrekst https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F27482%2Fe3394016-f248-413c-a7f2-f7548d553cb4.jpg DEV Community: PiotrekSt https://dev.to/piotrekst en Let's take a quick look at Project Loom. PiotrekSt Sun, 22 Nov 2020 16:31:32 +0000 https://dev.to/piotrekst/let-s-take-a-quick-look-at-project-loom-1d21 https://dev.to/piotrekst/let-s-take-a-quick-look-at-project-loom-1d21 <p>This article gives a quick look into Project Loom - one of the current buzzwords in the Java world.</p> <h3> What is Project Loom about? </h3> <p><a href="http://cr.openjdk.java.net/~rpressler/loom/loom/sol1_part1.html">Project Loom</a> started in late 2017. The main goal of the project is to reduce the complexity of creating and maintaining the high-throughput concurrent applications. It introduces the concept of a lightweight concurrency model based on virtual threads. What is the virtual thread? Virtual thread instead of being managed by the operating system as the standard one is scheduled by a Java virtual machine. It results in that such threads can be efficiently scheduled allowing synchronous code to be executed as well as asynchronous code in terms of performance. The implementation is based on an idea such as continuation and operations related to them defined as parking and unparking. </p> <p>If you would like to get more information about that idea, I highly recommend getting familiar with <a href="https://wiki.openjdk.java.net/display/loom/Main">project wiki site</a>. </p> <h3> Demo time </h3> <p><strong><em>Note:</em></strong> <em>The article is based on <a href="https://jdk.java.net/loom/">JDK from Project Loom Early Access Build - Build 16-loom+7-285 (2020/11/4)</a></em></p> <p>Assume we got some time-consuming tasks, which we want to run in the background of our application.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">private</span> <span class="kd">static</span> <span class="nc">Runnable</span> <span class="nf">timeConsumingTask</span><span class="o">(</span><span class="kt">int</span> <span class="n">id</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="o">()</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">format</span><span class="o">(</span><span class="s">"[%s][%s] Starting time consuming task [id=%s]"</span><span class="o">,</span> <span class="n">now</span><span class="o">(),</span> <span class="nc">Thread</span><span class="o">.</span><span class="na">currentThread</span><span class="o">(),</span> <span class="n">id</span><span class="o">));</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Thread</span><span class="o">.</span><span class="na">sleep</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">ofSeconds</span><span class="o">(</span><span class="mi">5</span><span class="o">));</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">InterruptedException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">format</span><span class="o">(</span><span class="s">"[%s][%s] Oops interruption occurred [id=%s]!"</span><span class="o">,</span> <span class="n">now</span><span class="o">(),</span> <span class="nc">Thread</span><span class="o">.</span><span class="na">currentThread</span><span class="o">(),</span> <span class="n">id</span><span class="o">));</span> <span class="o">}</span> <span class="n">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">format</span><span class="o">(</span><span class="s">"[%s][%s] Ended time consuming task [id=%s]"</span><span class="o">,</span> <span class="n">now</span><span class="o">(),</span> <span class="nc">Thread</span><span class="o">.</span><span class="na">currentThread</span><span class="o">(),</span> <span class="n">id</span><span class="o">));</span> <span class="o">};</span> <span class="o">}</span> </code></pre> </div> <p>As you can see the task definition is <strong>ridiculously</strong> simple: log start, sleep for 5 seconds, log end of the task.</p> <p>Let's start with the "classic" daemon thread. We will use for that the <code>ExecutorService</code> which is known since JDK 1.5.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">private</span> <span class="kd">static</span> <span class="nc">ExecutorService</span> <span class="nf">standardSingleExecutorService</span><span class="o">()</span> <span class="o">{</span> <span class="kt">var</span> <span class="n">factory</span> <span class="o">=</span> <span class="nc">Thread</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">name</span><span class="o">(</span><span class="s">"standard-thread"</span><span class="o">).</span><span class="na">daemon</span><span class="o">(</span><span class="kc">true</span><span class="o">).</span><span class="na">factory</span><span class="o">();</span> <span class="k">return</span> <span class="nc">Executors</span><span class="o">.</span><span class="na">newSingleThreadExecutor</span><span class="o">(</span><span class="n">factory</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>First of all, we create a thread factory with setting daemon option to true, and then an instance of a single thread executor which will use that factory. Next, our main goal is to execute four "time-consuming" tasks using the created executor.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">InterruptedException</span> <span class="o">{</span> <span class="kt">var</span> <span class="n">ex</span> <span class="o">=</span> <span class="n">standardSingleExecutorService</span><span class="o">();</span> <span class="kt">long</span> <span class="n">startTime</span> <span class="o">=</span> <span class="nc">System</span><span class="o">.</span><span class="na">nanoTime</span><span class="o">();</span> <span class="nc">IntStream</span><span class="o">.</span><span class="na">range</span><span class="o">(</span><span class="mi">0</span><span class="o">,</span> <span class="mi">4</span><span class="o">)</span> <span class="o">.</span><span class="na">forEach</span><span class="o">(</span><span class="n">id</span> <span class="o">-&gt;</span> <span class="n">ex</span><span class="o">.</span><span class="na">execute</span><span class="o">(</span><span class="n">timeConsumingTask</span><span class="o">(</span><span class="n">id</span><span class="o">)));</span> <span class="n">ex</span><span class="o">.</span><span class="na">shutdown</span><span class="o">();</span> <span class="n">ex</span><span class="o">.</span><span class="na">awaitTermination</span><span class="o">(</span><span class="nc">Long</span><span class="o">.</span><span class="na">MAX_VALUE</span><span class="o">,</span> <span class="nc">TimeUnit</span><span class="o">.</span><span class="na">NANOSECONDS</span><span class="o">);</span> <span class="kt">long</span> <span class="n">stopTime</span> <span class="o">=</span> <span class="nc">System</span><span class="o">.</span><span class="na">nanoTime</span><span class="o">();</span> <span class="n">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">format</span><span class="o">(</span><span class="s">"[%s][%s] Processing took = %s ms"</span><span class="o">,</span> <span class="n">now</span><span class="o">(),</span> <span class="nc">Thread</span><span class="o">.</span><span class="na">currentThread</span><span class="o">(),</span> <span class="nc">TimeUnit</span><span class="o">.</span><span class="na">MILLISECONDS</span><span class="o">.</span><span class="na">convert</span><span class="o">(</span><span class="n">stopTime</span> <span class="o">-</span> <span class="n">startTime</span><span class="o">,</span> <span class="nc">TimeUnit</span><span class="o">.</span><span class="na">NANOSECONDS</span><span class="o">)));</span> <span class="o">}</span> </code></pre> </div> <p>The output looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>2020-11-22T17:15:54.303382][Thread[standard-thread,5,main]] Starting <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>0] <span class="o">[</span>2020-11-22T17:15:59.323550][Thread[standard-thread,5,main]] Ended <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>0] <span class="o">[</span>2020-11-22T17:15:59.324083][Thread[standard-thread,5,main]] Starting <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>1] <span class="o">[</span>2020-11-22T17:16:04.324808][Thread[standard-thread,5,main]] Ended <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>1] <span class="o">[</span>2020-11-22T17:16:04.325580][Thread[standard-thread,5,main]] Starting <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>2] <span class="o">[</span>2020-11-22T17:16:09.330546][Thread[standard-thread,5,main]] Ended <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>2] <span class="o">[</span>2020-11-22T17:16:09.331408][Thread[standard-thread,5,main]] Starting <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>3] <span class="o">[</span>2020-11-22T17:16:14.335599][Thread[standard-thread,5,main]] Ended <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>3] <span class="o">[</span>2020-11-22T17:16:14.336839][Thread[main,5,main]] Processing took <span class="o">=</span> 20064 ms </code></pre> </div> <p>Everything works as you probably expected. Our four tasks were executed one by one on the single thread pool. It results in the total time needed for execution to be about 20 seconds (4 tasks each with 5 seconds <code>Thread.sleep()</code>) <em>Yeah! The math still works, 4 times 5 equals 20.</em></p> <p>Now let's change our executor service to use the virtual threads. This change is quite simple. To be sure that our virtual thread is scheduled by a single carrier thread we can assign a specific one by specifying it in <code>virtual()</code> method. Carrier thread is a name for a scheduler worker thread that is responsible for executing a virtual thread. See the example below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">private</span> <span class="kd">static</span> <span class="nc">ExecutorService</span> <span class="nf">virtualThreadExecutorService</span><span class="o">()</span> <span class="o">{</span> <span class="kt">var</span> <span class="n">factory</span> <span class="o">=</span> <span class="nc">Thread</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">name</span><span class="o">(</span><span class="s">"carrier"</span><span class="o">).</span><span class="na">daemon</span><span class="o">(</span><span class="kc">true</span><span class="o">).</span><span class="na">factory</span><span class="o">();</span> <span class="kt">var</span> <span class="n">executor</span> <span class="o">=</span> <span class="nc">Executors</span><span class="o">.</span><span class="na">newSingleThreadExecutor</span><span class="o">(</span><span class="n">factory</span><span class="o">);</span> <span class="kt">var</span> <span class="n">virtualThreadFactory</span> <span class="o">=</span> <span class="nc">Thread</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">name</span><span class="o">(</span><span class="s">"virtual-thread"</span><span class="o">,</span> <span class="mi">0</span><span class="o">).</span><span class="na">virtual</span><span class="o">(</span><span class="n">executor</span><span class="o">).</span><span class="na">factory</span><span class="o">();</span> <span class="k">return</span> <span class="nc">Executors</span><span class="o">.</span><span class="na">newThreadExecutor</span><span class="o">(</span><span class="n">virtualThreadFactory</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>Now it is time to change the code of the main method to use the ExecutorService based on virtual threads:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kt">var</span> <span class="n">executorService</span> <span class="o">=</span> <span class="n">virtualThreadExecutorService</span><span class="o">();</span> </code></pre> </div> <p>and the output should be similiar to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>2020-11-22T17:16:49.114727][VirtualThread[virtual-thread0,carrier,main]] Starting <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>0] <span class="o">[</span>2020-11-22T17:16:49.161798][VirtualThread[virtual-thread1,carrier,main]] Starting <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>1] <span class="o">[</span>2020-11-22T17:16:49.162620][VirtualThread[virtual-thread2,carrier,main]] Starting <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>2] <span class="o">[</span>2020-11-22T17:16:49.163415][VirtualThread[virtual-thread3,carrier,main]] Starting <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>3] <span class="o">[</span>2020-11-22T17:16:54.163348][VirtualThread[virtual-thread0,carrier,main]] Ended <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>0] <span class="o">[</span>2020-11-22T17:16:54.164141][VirtualThread[virtual-thread1,carrier,main]] Ended <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>1] <span class="o">[</span>2020-11-22T17:16:54.165216][VirtualThread[virtual-thread2,carrier,main]] Ended <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>2] <span class="o">[</span>2020-11-22T17:16:54.166347][VirtualThread[virtual-thread3,carrier,main]] Ended <span class="nb">time </span>consuming task <span class="o">[</span><span class="nb">id</span><span class="o">=</span>3] <span class="o">[</span>2020-11-22T17:16:54.166858][Thread[main,5,main]] Processing took <span class="o">=</span> 5106 ms </code></pre> </div> <p>As you can see now the execution of the same four tasks takes about 5 seconds. All tasks run in parallel without blocking each other, using the given carrier thread. We achieved it just by changing the type of thread from standard one a virtual. <strong>Magic!</strong></p> <h3> Ok, cool... but how? </h3> <p>To understand how it is possible we need to dive into <code>Thread.sleep()</code> method.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">sleep</span><span class="o">(</span><span class="nc">Duration</span> <span class="n">duration</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">InterruptedException</span> <span class="o">{</span> <span class="kt">long</span> <span class="n">nanos</span> <span class="o">=</span> <span class="n">duration</span><span class="o">.</span><span class="na">toNanos</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">nanos</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="o">)</span> <span class="k">return</span><span class="o">;</span> <span class="nc">Thread</span> <span class="n">thread</span> <span class="o">=</span> <span class="n">currentThread</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">thread</span><span class="o">.</span><span class="na">isVirtual</span><span class="o">())</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="nc">ThreadSleepEvent</span><span class="o">.</span><span class="na">isTurnedOn</span><span class="o">())</span> <span class="o">{</span> <span class="nc">ThreadSleepEvent</span> <span class="n">event</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ThreadSleepEvent</span><span class="o">();</span> <span class="k">try</span> <span class="o">{</span> <span class="n">event</span><span class="o">.</span><span class="na">time</span> <span class="o">=</span> <span class="n">nanos</span><span class="o">;</span> <span class="n">event</span><span class="o">.</span><span class="na">begin</span><span class="o">();</span> <span class="o">((</span><span class="nc">VirtualThread</span><span class="o">)</span> <span class="n">thread</span><span class="o">).</span><span class="na">sleepNanos</span><span class="o">(</span><span class="n">nanos</span><span class="o">);</span> <span class="o">}</span> <span class="k">finally</span> <span class="o">{</span> <span class="n">event</span><span class="o">.</span><span class="na">commit</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="o">((</span><span class="nc">VirtualThread</span><span class="o">)</span> <span class="n">thread</span><span class="o">).</span><span class="na">sleepNanos</span><span class="o">(</span><span class="n">nanos</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="c1">// convert to milliseconds, ceiling rounding mode</span> <span class="kt">long</span> <span class="n">millis</span> <span class="o">=</span> <span class="no">MILLISECONDS</span><span class="o">.</span><span class="na">convert</span><span class="o">(</span><span class="n">nanos</span><span class="o">,</span> <span class="no">NANOSECONDS</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">nanos</span> <span class="o">&gt;</span> <span class="no">NANOSECONDS</span><span class="o">.</span><span class="na">convert</span><span class="o">(</span><span class="n">millis</span><span class="o">,</span> <span class="no">MILLISECONDS</span><span class="o">))</span> <span class="o">{</span> <span class="n">millis</span> <span class="o">+=</span> <span class="mi">1L</span><span class="o">;</span> <span class="o">}</span> <span class="n">sleep</span><span class="o">(</span><span class="n">millis</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>As you can see there is a conditional statement where the implementation of sleep behaves differently when is performed on a virtual thread. The <code>sleepNanos(long nanos)</code> method from <code>VirtualThread</code> class gives us a clue.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kt">void</span> <span class="nf">sleepNanos</span><span class="o">(</span><span class="kt">long</span> <span class="n">nanos</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">InterruptedException</span> <span class="o">{</span> <span class="o">...</span> <span class="k">while</span> <span class="o">(</span><span class="n">remainingNanos</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="o">)</span> <span class="o">{</span> <span class="n">parkNanos</span><span class="o">(</span><span class="n">remainingNanos</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">getAndClearInterrupt</span><span class="o">())</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">InterruptedException</span><span class="o">();</span> <span class="o">}</span> <span class="n">remainingNanos</span> <span class="o">=</span> <span class="n">nanos</span> <span class="o">-</span> <span class="o">(</span><span class="nc">System</span><span class="o">.</span><span class="na">nanoTime</span><span class="o">()</span> <span class="o">-</span> <span class="n">startNanos</span><span class="o">);</span> <span class="o">}</span> <span class="o">...</span> <span class="o">}</span> </code></pre> </div> <p>There is a line that says that our virtual thread will be <strong>parked</strong> (<code>parkNanos(remainingNanos)</code>). Parking a virtual thread means yielding its continuation. Virtual thread parked for some time? Let's use that time for other virtual threads!</p> <p>Finally, after going deeper and deeper into the implementation of park operation we reached the part of the code which is responsible for scheduling the <strong>unparking</strong> of the given virtual thread. Unparking the virtual thread results in that its continuation is being resubmitted to the scheduler. In our case means that after 5 seconds of sleep our virtual thread can be continued and able to print the ending log.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="cm">/** * Schedules this thread to be unparked after the given delay. */</span> <span class="nd">@ChangesCurrentThread</span> <span class="kd">private</span> <span class="nc">Future</span><span class="o">&lt;?&gt;</span> <span class="n">scheduleUnpark</span><span class="o">(</span><span class="kt">long</span> <span class="n">nanos</span><span class="o">)</span> <span class="o">{</span> <span class="c1">//assert Thread.currentThread() == this;</span> <span class="nc">Thread</span> <span class="n">carrier</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">carrierThread</span><span class="o">;</span> <span class="c1">// need to switch to carrier thread to avoid nested parking</span> <span class="n">carrier</span><span class="o">.</span><span class="na">setCurrentThread</span><span class="o">(</span><span class="n">carrier</span><span class="o">);</span> <span class="k">try</span> <span class="o">{</span> <span class="k">return</span> <span class="no">UNPARKER</span><span class="o">.</span><span class="na">schedule</span><span class="o">(</span><span class="k">this</span><span class="o">::</span><span class="n">unpark</span><span class="o">,</span> <span class="n">nanos</span><span class="o">,</span> <span class="no">NANOSECONDS</span><span class="o">);</span> <span class="o">}</span> <span class="k">finally</span> <span class="o">{</span> <span class="n">carrier</span><span class="o">.</span><span class="na">setCurrentThread</span><span class="o">(</span><span class="k">this</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The <code>UNPARKER</code> is the default <code>ScheduledExecutorService</code> which is created for virtual threads purposes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">ScheduledExecutorService</span> <span class="no">UNPARKER</span> <span class="o">=</span> <span class="n">createDelayedTaskScheduler</span><span class="o">();</span> </code></pre> </div> <p>This example was based on analyzing the <code>Thread.sleep()</code> method, but also other blocking methods from different libraries were optimized for usage by virtual threads. The list of "virtual threads friendly" methods can be found <a href="https://wiki.openjdk.java.net/display/loom/Blocking+Operations">here</a>. </p> <h3> Summary </h3> <p>In my opinion Project Loom and the benefits it provides can be a game-changer in Java world. Providing the lightweight concurrency built-in standard libraries and performance of asynchronous code in synchronous implementations can be the fast and easy way to increase the efficiency of existing systems. I'm curious how the project will change the approach to concurrency in Java and its impact on popular libraries and frameworks.</p> <p>Code samples can be found on <a href="https://github.com/PiotrekSt/project-loom-demo">here</a>.</p> <p>Follow <a href="https://twitter.com/PiotrekSta">me on Twitter</a>.</p> java concurrency loom Move your mTLS configuration from the codebase to a service mesh! PiotrekSt Fri, 13 Nov 2020 15:20:31 +0000 https://dev.to/piotrekst/move-your-mtls-configuration-from-the-codebase-to-a-service-mesh-50dg https://dev.to/piotrekst/move-your-mtls-configuration-from-the-codebase-to-a-service-mesh-50dg <p>Have you ever wondered if you can move the implementation related to communication over mTLS from the code level to a higher layer of abstraction? In this article, I will try to show you one approach on how to make your codebase lighter.</p> <p><strong><em>Note: The code samples will be based on Java, Spring Boot and Istio</em></strong></p> <h3> The case! </h3> <p>You've got service with business logic and some external system for which communication has to be established over mTLS connection.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Faqhu0dui6wy7cka5nk8o.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Faqhu0dui6wy7cka5nk8o.png" alt="Scheme1"></a></p> <p>In the picture above, there is an external service (the "red" one) managed by a third party to which we should perform requests using mTLS. On the other hand, service "blue" is managed by your team where you are responsible for providing the implementation of a secured connection to the external system.</p> <h3> First approach </h3> <p>The first solution that comes to our mind is to handle such a connection directly from the code. In this case, you create a dedicated HTTP client and supply it with all required data - such as keystore (with client certificate and private key), truststore (with server certificates), or a protocol version. </p> <p>Sample solution of RestTemplate for handling mTLS connection can look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span><span class="o">(</span><span class="s">"externalServiceRestTemplate"</span><span class="o">)</span> <span class="nc">RestTemplate</span> <span class="nf">restTemplate</span><span class="o">(</span><span class="nc">RestTemplateBuilder</span> <span class="n">restTemplateBuilder</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">restTemplateBuilder</span> <span class="o">.</span><span class="na">requestFactory</span><span class="o">(</span><span class="k">this</span><span class="o">::</span><span class="n">requestFactory</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">ClientHttpRequestFactory</span> <span class="nf">requestFactory</span><span class="o">()</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">KeyStore</span> <span class="n">keyStore</span> <span class="o">=</span> <span class="nc">KeyStore</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"PKCS12"</span><span class="o">);</span> <span class="n">keyStore</span><span class="o">.</span><span class="na">load</span><span class="o">(</span><span class="n">keyStoreResource</span><span class="o">.</span><span class="na">getInputStream</span><span class="o">(),</span> <span class="n">keyStorePassword</span><span class="o">.</span><span class="na">toCharArray</span><span class="o">());</span> <span class="nc">KeyStore</span> <span class="n">trustStore</span> <span class="o">=</span> <span class="nc">KeyStore</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"JKS"</span><span class="o">);</span> <span class="n">trustStore</span><span class="o">.</span><span class="na">load</span><span class="o">(</span><span class="n">trustStoreResource</span><span class="o">.</span><span class="na">getInputStream</span><span class="o">(),</span> <span class="n">trustStorePassword</span><span class="o">.</span><span class="na">toCharArray</span><span class="o">());</span> <span class="kd">final</span> <span class="nc">SSLConnectionSocketFactory</span> <span class="n">socketFactory</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">SSLConnectionSocketFactory</span><span class="o">(</span> <span class="k">new</span> <span class="nf">SSLContextBuilder</span><span class="o">()</span> <span class="o">.</span><span class="na">loadKeyMaterial</span><span class="o">(</span><span class="n">keyStore</span><span class="o">,</span> <span class="n">keyStorePassword</span><span class="o">.</span><span class="na">toCharArray</span><span class="o">())</span> <span class="o">.</span><span class="na">loadTrustMaterial</span><span class="o">(</span><span class="n">trustStore</span><span class="o">,</span> <span class="k">new</span> <span class="nc">TrustSelfSignedStrategy</span><span class="o">())</span> <span class="o">.</span><span class="na">setProtocol</span><span class="o">(</span><span class="s">"TLSv1.2"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="kd">final</span> <span class="nc">HttpClient</span> <span class="n">httpClient</span> <span class="o">=</span> <span class="nc">HttpClients</span><span class="o">.</span><span class="na">custom</span><span class="o">()</span> <span class="o">.</span><span class="na">setSSLSocketFactory</span><span class="o">(</span><span class="n">socketFactory</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="kd">final</span> <span class="nc">ClientHttpRequestFactory</span> <span class="n">requestFactory</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HttpComponentsClientHttpRequestFactory</span><span class="o">(</span><span class="n">httpClient</span><span class="o">);</span> <span class="k">return</span> <span class="n">requestFactory</span><span class="o">;</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">e</span><span class="o">.</span><span class="na">printStackTrace</span><span class="o">();</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalStateException</span><span class="o">(</span><span class="s">"Could not create client request factory"</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>As you can see there is a lot of data such as files and passphrases which is needed to be passed directly to your source code (e.g. via K8S secrets, FlexVolumes, AWS Secret Manager, etc.). </p> <p>Then calling the destination service is based on wiring a correct instance of RestTemplate and performing the HTTPS request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Autowired</span> <span class="nd">@Qualifier</span><span class="o">(</span><span class="s">"externalServiceRestTemplate"</span><span class="o">)</span> <span class="kd">private</span> <span class="nc">RestTemplate</span> <span class="n">restTemplate</span><span class="o">;</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/client-endpoint"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="nf">clientEndpoint</span><span class="o">()</span> <span class="o">{</span> <span class="no">LOGGER</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Received request. Calling server via mTLS"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">response</span> <span class="o">=</span> <span class="n">restTemplate</span><span class="o">.</span><span class="na">getForObject</span><span class="o">(</span><span class="s">"https://external.system.com/secured-endpoint"</span><span class="o">,</span> <span class="nc">String</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="no">LOGGER</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Received response from external server {response={}}"</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">ok</span><span class="o">(</span><span class="n">response</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <h3> Service mesh to the rescue! </h3> <p>In this article I will not dive into the concept of what Service Mesh is. If you are not familiar with that term, I recommend you <a href="https://buoyant.io/service-mesh-manifesto/" rel="noopener noreferrer">this article by William Morgan</a></p> <p>The example below is based on Istio, which is one of the leading open source service mesh implementations. If you are interested in Istio <a href="https://istio.io/latest/docs/setup/getting-started" rel="noopener noreferrer">jump to their documentation and get familiar with sample <strong>BookInfo</strong> application</a></p> <p>The idea behind this solution is to move the responsibility for establishing a connection via mTLS to the layer outside our application. Let's let <strong>Istio</strong> do it!</p> <p>The figure below shows a simplified explanation of how it will work. We've got our service, in front of it there is an istio-proxy container. It will be responsible for handling a mTLS communication in our case. </p> <p>Our service will call the external system as a normal HTTP system and the proxy will upgrade the connection to HTTPS and handle stuff related to mTLS.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F0uim53c279ehsvtfp10j.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F0uim53c279ehsvtfp10j.png" alt="Scheme2"></a></p> <p>The configuration is as simple as it can. </p> <p>Follow these steps:</p> <ol> <li> <p>Create a secret in K8S cluster, which contains required data. The structure of secret should look like:<br> </p> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="s">kind</span><span class="err">:</span> <span class="s">Secret</span> <span class="s">type</span><span class="err">:</span> <span class="s">Opaque</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-system-mtls-data</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">$YOUR_NAMESPACE</span> <span class="na">data</span><span class="pi">:</span> <span class="na">cert</span><span class="pi">:</span> <span class="s">$CLIENT_PEM_CERTIFICATE_IN_BASE64</span> <span class="na">key</span><span class="pi">:</span> <span class="s">$CLIENT_PEM_KEY_IN_BASE64</span> <span class="na">cacert</span><span class="pi">:</span> <span class="s">$TRUSTED_CERTIFICATE_PEM_IN_BASE64</span> </code></pre> <p>and then apply it:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F69t9fv3muxdcvt80xj20.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F69t9fv3muxdcvt80xj20.gif" alt="secret"></a></p> </li> <li> <p>Add resources specific for Istio:</p> <ul> <li> <a href="https://istio.io/latest/docs/reference/config/networking/service-entry/" rel="noopener noreferrer">ServiceEntry</a> - describes the API which is external to the mesh </li> <li> <a href="https://istio.io/latest/docs/reference/config/networking/virtual-service/" rel="noopener noreferrer">VirtualService</a> - routes the traffic to external system on port 80 (http) to port 443 (http to https)</li> <li> <a href="https://istio.io/latest/docs/reference/config/networking/destination-rule/" rel="noopener noreferrer">DestinationRule</a> - defines a policy to apply mTLS when traffic is routed to the external system and specifies the directory of certificates to use </li> </ul> <pre class="highlight yaml"><code><span class="c1">#ServiceEntry--</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceEntry</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-system-service-entry</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">project</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">external.system.com</span> <span class="na">location</span><span class="pi">:</span> <span class="s">MESH_EXTERNAL</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http-port</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="pi">-</span> <span class="na">number</span><span class="pi">:</span> <span class="m">443</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https-port</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">HTTPS</span> <span class="na">resolution</span><span class="pi">:</span> <span class="s">DNS</span> <span class="c1">#DestinationRule</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DestinationRule</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-system-dest-rule</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">project</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">external.system.com</span> <span class="na">trafficPolicy</span><span class="pi">:</span> <span class="na">portLevelSettings</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">443</span> <span class="na">tls</span><span class="pi">:</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">MUTUAL</span> <span class="na">clientCertificate</span><span class="pi">:</span> <span class="s">/etc/mtlsfiles/cert</span> <span class="na">privateKey</span><span class="pi">:</span> <span class="s">/etc/mtlsfiles/key</span> <span class="na">caCertificates</span><span class="pi">:</span> <span class="s">/etc/mtlsfiles/cacert</span> <span class="na">sni</span><span class="pi">:</span> <span class="s">external.system.com</span> <span class="c1">#VirtualService</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VirtualService</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-system-virtual-service</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">project</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">external.system.com</span> <span class="na">http</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">external.system.com</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">443</span> </code></pre> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F1ynjufwe1t8icf3ag8rb.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F1ynjufwe1t8icf3ag8rb.gif" alt="Istio-resources"></a></p> </li> <li> <p>Adjust your deployment to mount files with certificates. For these purposes, the annotations <code>sidecar.istio.io/userVolume</code> and <code>sidecar.istio.io/userVolumeMount</code> are used.<br> Below you can find a sample deployment with applied changes.<br> </p> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">devel</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sample-app</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sample-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sample-app</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">sidecar.istio.io/inject</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">sidecar.istio.io/userVolume</span><span class="pi">:</span> <span class="s1">'</span><span class="s">[{"name":"external-system-mtls-data","secret":{"secretName":"external-system-mtls-data"}}]'</span> <span class="na">sidecar.istio.io/userVolumeMount</span><span class="pi">:</span> <span class="s1">'</span><span class="s">[{"mountPath":"/etc/mtlsfiles","name":"external-system-mtls-data","readonly":true}]'</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sample-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sample-app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">your-application-image:latest</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">300Mi</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">450Mi</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">750m</span> </code></pre> <p>Notice that in <code>sidecar.istio.io/userVolume</code> the name of secret created in Step 1 has to be used. In <code>sidecar.istio.io/userVolumeMount</code> path for volume mount must be consistent with one provided in definition of DestinationRule. </p> </li> <li> <p>Verify the configuration.</p> <p>First of all you can verify that your certificates are correctly mounted. To do that, just go inside your pod and verify files under the configured directory.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fj628covfliu2bt02n73d.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fj628covfliu2bt02n73d.gif" alt="certs"></a></p> <p>Next, it is time to verify the handling of mTLS connection. Now execute the <strong>HTTP</strong> request to the external system inside an application container.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F99wslg6qol6ppsy8f09z.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F99wslg6qol6ppsy8f09z.gif" alt="http-call"></a></p> <p><strong>VoilĂ !</strong> HTTP call is proxied via sidecar and mTLS connection established successfully on top of that. </p> </li> <li> <p>Adjust your application code. In my example application code will be simplified to:<br> </p> <pre class="highlight java"><code> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">RestTemplate</span> <span class="n">restTemplate</span><span class="o">;</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/client-endpoint"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="nf">clientEndpoint</span><span class="o">()</span> <span class="o">{</span> <span class="no">LOGGER</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Received request. Calling server via mTLS"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">response</span> <span class="o">=</span> <span class="n">restTemplate</span><span class="o">.</span><span class="na">getForObject</span><span class="o">(</span><span class="s">"http://external.system.com/secured-endpoint"</span><span class="o">,</span> <span class="nc">String</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="no">LOGGER</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Received response from external server {response={}}"</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">ok</span><span class="o">(</span><span class="n">response</span><span class="o">);</span> <span class="o">}</span> </code></pre> <p>Without any special configuration of <code>RestTemplate</code> - just simple HTTP call to destination service.</p> </li> </ol> <h3> Summary </h3> <p>It was quite simple to achieve moving the implementations from the application code to the service mesh. Thanks to that, it is transparent for our application to know how the connection is secured. The application's codebase is easier to understand and independent from external system security requirements. </p> <p>Istio provides also an easy way to implement other patterns typical for microservices such as retry policies, circuit breaking, or API versioning. </p> <p>If you have any thoughts or questions feel free to comment. The code samples can be found on <a href="https://github.com/PiotrekSt/mtls-demo" rel="noopener noreferrer">my GitHub</a>. Follow me on <a href="https://twitter.com/PiotrekSta" rel="noopener noreferrer">Twitter</a>.</p> java istio kubernetes microservices