wip: blog

Author: frodesundby

package.json

@@ -21,6 +21,7 @@
 		"eslint-config-prettier": "^9.1.0",
 		"eslint-plugin-svelte": "^2.36.0",
 		"globals": "^15.0.0",
+		"mdsvex": "^0.12.3",
 		"prettier": "^3.3.2",
 		"prettier-plugin-svelte": "^3.2.6",
 		"svelte": "^5.0.0",

src/lib/Header.svelte

@@ -33,7 +33,7 @@
 	</button>
 	<nav class="main-menu" class:isOpen>
 		<ul class="main-menu-list">
-			<li><a class="main-menu-item" href="https://nais.io/blog/">Artikler</a></li>
+			<li><a class:isActive={isActive("blogg")} href="/blog">Blogg</a></li>
 			<li><a class="main-menu-item" href="https://docs.nais.io">Dokumentasjon</a></li>
 			<!-- <li><a class="main-menu-item" href="/annonseringer" class:isActive={isActive('annonseringer')}>Annonseringer</a></li> -->
 			<!-- <li>

src/routes/blog/+page.server.ts

@@ -0,0 +1,23 @@
+interface Post {
+	route: string;
+	content: string;
+	metadata: {
+		title: string;
+		date: string;
+		description: string;
+		tags: string[];
+		author: string;
+	};
+}
+export async function load() {
+	const postFiles = import.meta.glob<boolean, string, Post>("./posts/*/+page.md");
+	let posts = await Promise.all(
+		Object.entries(postFiles).map(async ([path, post]) => {
+			const { metadata } = await post();
+            const route = "/blog/" + path.split("/").slice(1, 3).join("/");
+			return { metadata, route } as Post;
+		}),
+	);
+    posts = posts.sort((a, b) => new Date(b.metadata.date).getTime() - new Date(a.metadata.date).getTime());
+	return { posts };
+}

src/routes/blog/+page.svelte

@@ -0,0 +1,11 @@
+<script lang="ts">
+	import type { PageData } from "./$types";
+
+	let { data }: { data: PageData } = $props();
+
+</script>
+
+{#each data.posts as post}
+<a href="{post.route}"><h1>{post.metadata.title}</h1></a>
+	<p>{post.metadata.description}</p>
+{/each}

src/routes/blog/posts/changing-service-mesh/+page.md

@@ -0,0 +1,143 @@
+---
+title: "Changing Service Mesh"
+description: "How we swapped Istio with Linkerd with hardly any downtime"
+date: 2021-05-04T20:37:13+02:00
+draft: false
+author: Frode Sundby
+tags: [istio, linkerd, LoadBalancing]
+---
+
+
+## Why change?
+With an ambition of making our environments as secure as possible, we jumped on the service-mesh bandwagon in 2018 with Istio 0.7 and have stuck with it since.
+
+Istio is a large and feature rich system that brings capabilities aplenty.
+Although there are a plethora of nifty and useful things we could do with Istio, we've primarily used it for mTLS and authorization policies.
+
+One might think that having lots of features available but not using them couldn't possibly be a problem.
+However, all these extra capabilities comes with a cost - namely complexity; and we've felt encumbered by this complexity every time when configuring, maintaining or troubleshooting in our clusters.
+Our suspicions were that since we hardly used any of the capabilities, we could probably make do with a much simpler alternative.
+So, and after yet another _"Oh... This problem was caused by Istio!"_-moment, we decided the time was ripe to consider the alternatives out there.
+
+We looked to the grand ol' Internet for alternatives and fixed our gaze on the rising star Linkerd 2.
+Having honed in on our preferred candidate, we decided to take it for a quick spin in a cluster and found our suspicions to be accurate.
+
+Rarely has a meme depicted a feeling more strongly
+<!--![service-mesh-experiance](/blog/images/service-mesh-experience.jpg)-->
+
+Even though we'd invested a lot of time and built in quite a bit of Istio into our platform, we knew we had to make the change.
+
+## How did we do it?
+### Original architecture: 
+Let's first have a quick look at what we were dealing with:
+
+The first thing an end user encountered was our Google LoadBalancer configured by an IstioOperator.
+The traffic was then forwarded to the Istio Ingressgateway, who in turn sent it along via an mTLS connection to the application.
+Before the Ingressgateway could reach the application, both NetworkPolicies and AuthorizationPolicies were required to allow the traffic.
+We used an [operator](https://github.com/nais/naiserator) to configure these policies when an application was deployed.
+
+<!-- ![changing-service-mesh](/blog/images/changing-service-mesh-1.png) -->
+
+### New LoadBalancers and ingress controllers
+Since our LoadBalancers were configured by (and sent traffic to) Istio, we had to change the way we configured them.
+Separating LoadBalancing from mesh is a healthy separation of concern that will give us greater flexibility in the future as well.
+We also had to swap out Istio Ingressgateway with an Ingress Controller - we opted for NGINX.
+
+We started by creating IP-addresses and Cloud Armor security policies for our new LoadBalancers with [Terraform](https://www.terraform.io/).
+
+The loadbalancers themselves were created by an Ingress object:
+```yaml
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    networking.gke.io/v1beta1.FrontendConfig: <tls-config>
+    kubernetes.io/ingress.global-static-ip-name: <global-ip-name> 
+    kubernetes.io/ingress.allow-http: "false"
+  name: <loadbalancer-name>
+  namespace: <ingress-controller-namespace>
+spec:
+  backend:
+    serviceName: <ingress-controller-service>
+    servicePort: 443
+  tls:
+    - secretName: <kubernetes-secret-with-certificates>
+```
+
+We tied the Cloud Armor security policy to the Loadbalancer with a `BackendConfig` on the Ingress Controller's service:
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    cloud.google.com/app-protocols: '{"https": "HTTP2"}'
+    cloud.google.com/backend-config: '{"default": "<backendconfig-name>"}'
+    cloud.google.com/neg: '{"ingress": true}'
+    ...
+---
+apiVersion: cloud.google.com/v1
+kind: BackendConfig
+metadata:
+  name: <backendconfig-name>
+spec:
+  securityPolicy:
+    name: <security-policy-name>
+  ...
+```
+
+Alrighty. We'd now gotten ourselves a brand new set of independantly configured LoadBalancers and a shiny new Ingress Controller.
+<!-- ![changing-service-mesh](/blog/images/changing-service-mesh-2.png) -->
+
+However - if we'd started shipping traffic to the new components at this stage, things would start breaking as there were no ingresses in the cluster - only VirtualServices.
+To avoid downtime, we created an interim ingress that forwarded all traffic to the Istio IngressGateway:
+```yaml
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+spec:
+  rules:
+  - host: '<domain-name>'
+    http:
+      paths:
+      - backend:
+          serviceName: <istio-ingressgateway-service>
+          servicePort: 443
+        path: /
+  ...
+```
+<!-- ![changing-service-mesh](/blog/images/changing-service-mesh-3.png) -->
+With this ingress in place, we could reach all the existing VirtualServices exposed by the Istio Ingressgateway via the new Loadbalancers and Nginx.
+And we could point our DNS records to the new rig without anyone noticing a thing.
+
+### Migrating workloads from Istio to Linkerd
+Once LoadBalancing  and ingress traffic were closed chapters, we changed our attention to migrating workloads from Istio to Linkerd.
+When moving a workload to a new service-mesh, there's a bit more to it than swapping out the sidecar with a new namespace annotation.
+Our primary concerns were:
+- The new sidecar would require NetworkPolicies to allow traffic to and from linkerd. 
+- The application's VirtualService would have to be transformed into an Ingress.
+- Applications that used [scuttle](https://github.com/redboxllc/scuttle) to wait for the Istio sidecar to be ready had to be disabled.
+- We couldn't possibly migrate all workloads simultaneously due to scale.
+- Applications have to communicate, but they can't when they're in different service-meshes.
+
+Since applications have a tendency of communicating with eachother, and communication between different service-meshes was a bit of a bother, we decided to migrate workloads based on who they were communicating with to avoid causing trouble.
+Using the NetworkPolicies to map out who were communicating with whom, we found a suitable order to migrate workloads in.
+
+We then gave this list to our [operator](https://github.com/nais/naiserator), who in turn removed Istio resources, updated NetworkPolicies, created Ingresses and restarted workloads.
+Slowly but surely our linkerd dashboard was starting to populate, and the only downtime was during the seconds it took for the first Linkerd pod to be ready.
+One thing we didn't take into concideration (but should have), was that some applications shared a hostname. 
+When an ingress was created for a shared hostname, Nginx would stop forwarding requests for these hosts to Istio Ingressgateway, resulting in non-migrated applications not getting any traffic.
+Realizing this, we started migrating applications on the same hostname simultaneously too.
+
+<!-- ![changing-service-mesh](/blog/images/changing-service-mesh-4.png) -->
+And within a couple of hours, all workloads were migrated and we had ourselves a brand spanking new service-mesh in production.
+And then they all lived happily ever after...
+
+Except that we had to clean up Istio's mess.
+
+### Cleaning up
+What was left after the party was a fully operational Istio control plane, a whole bunch of Istio CRD's and a completely unused set of LoadBalancers. In addition we had to clean up everything related to Istio in a whole lot of pipelines and components
+
+
+<!-- ![changing-service-mesh](/blog/images/changing-service-mesh-5.png)
+![changing-service-mesh](/blog/images/changing-service-mesh-6.png) -->
+
+It has to be said - there is a certain satisfaction in cleaning up after a party that has been going on for too long.

src/routes/blog/posts/data_mesh_governance/+page.md

@@ -0,0 +1,93 @@
+---
+title: "Enable data teams to deliver high-quality data products"
+description: "How data governance adds value in a data mesh"
+date: 2022-05-11T09:27:57+02:00
+draft: false
+author: Louis Dieffenthaler
+tags: []
+---
+Using data to develop the world`s best welfare system is a bold mission we at the Norwegian Welfare and Labour Administration (NAV) have.
+Being able to estimate the impact of measures on youth unemployment to avoid social exclusion.
+Gaining more insight on how we can adjust our communication to different user groups so that we are more certain that the citizens get their benefits.
+To see how a new feature affects the click-through rate.
+Data plays a central role in solving each of these cases.
+So how do we get there?
+
+NAV has in recent years undergone a radical change in its approach to developing products.
+The traditional project-oriented approach of specifying “everything” up-front is replaced by a model where product teams are given the freedom to solve problems within boundaries.
+Enabling the teams to explore problems without being tied to a specified output allows us to gain knowledge about the value, the feasibility as well as other aspects of the product.
+Our ambition is to enable the teams to treat data in the same manner: as a product.
+
+## The case for data governance
+The shift from building data pipelines answering specific questions to sharing data as products that can solve a variety of problems not yet known is massive.
+To make this leap, we look to the [data mesh-approach](https://martinfowler.com/articles/data-mesh-principles.html) described by Zhamakh Deghani.
+The principle of shifting ownership upstream to domain teams supported by a platform reducing the cognitive burden resonates with how we do it on the operational side.
+We firmly believe that the product teams are best positioned to produce data that meets the consumers` needs related to for instance business definitions and quality.
+On the other side, we acknowledge that there are justifications for collaborating with other teams on reaching decisions.
+A few of those are:
+-	The need for coordination between teams. For instance, related to a common standard for communicating data quality
+-	The need to make sure the teams´ internal decisions do not conflict with the “greater good” of NAV. Policies could for instance be applied to a data product with multiple critical dependencies downstream
+-	The need to define policies related to compliance. GDPR is the prime example
+
+## Governance should not only control but enable.
+The word “governance” does not make people jump out of bed in the morning.
+Traditionally, governance has been focused more on making sure people don`t do stuff they should not do.
+Furthermore, data management – the management of business logic, access controls, etc. – has typically been the responsibility of a centralized team.
+This might work in a static environment.
+
+The cases presented in the introduction are not solved in a static environment.
+Data scientists, decision-makers and product teams all need to find, understand and get access to data quickly in order to explore solutions.
+At the same time, the usage of data needs to adhere to the organization`s policies.
+In other words, data governance should enable teams to a) produce data matching the analytical needs of NAV and b) stay compliant.
+
+## Principles and representation
+The data mesh-paradigm describes a federated model of data governance.
+The actors on the platform need to collaborate on developing policies that provide value and are feasible.
+The data producers are supported by the data platform in performing the data management.
+At NAV, we have approached this by setting up a “ground rules forum”.
+The principles underlying the group`s work are:
+1.	The responsibility of producing data as a product should be placed as close to the origin as possible
+2.	Policies that move responsibility away from the data producers should be justified by value either in the form of analytical use or compliance
+3.	The policies should be supported by the platform when this is feasible
+
+The forum consists of team members with different perspectives:
+-	Consumer: The value from an analytical perspective
+-	Producer: The value from a producer`s perspective in addition to the cost of implementing policies
+-	Platform: The knowledge of how the policies can be supported by the platform
+-	Legal: The value in terms of compliance
+-	Business owner: The overall business value
+
+In a complex organization with close to 100 product teams, it is important to scope down the complexity.
+Luckily for us, NAV is currently replacing legacy systems.
+We use people from teams affected by and involved in this effort to set up the forum.
+This makes it easier to reach decisions in the forum.
+The plan is to calibrate the organization and processes before scaling out to other parts of the organization.
+At the same time, we are also seeking input from other parts of the organization when forming policies.
+
+## Governance affects everyone – and should include everyone!
+Broad involvement of the people sharing and using data is crucial for at least two reasons:
+It increases both the chance of forming better policies and the legitimacy of these policies.
+The process we have set up from start is deliberately simple:
+1.	People on the platform use Slack to discuss problems governance policies might solve
+2.	The forum discusses suggested policies when enough input has piled up. The suggested policies are documented using an architectural decision record
+3.	People on the platform share their opinions on the suggested policies
+4.	Decisions are reached
+5.	The policy is implemented, preferably supported by the platform.
+
+Instead of engineering a complex process upfront, we start out with this and will calibrate it to fit our needs.
+
+## How technology supports process
+We are currently working on a feature that illustrates how the implementation of policy can be supported by technology.
+To protect privacy, we have a policy that states that the consumer of data needs to document the legal basis for using the data.
+On our marketplace – where the producers share data the consumers can find and understand – we are now working on a feature where the consumers can fill out a form to request access.
+This feature is integrated with the databases where the legal basis is documented, easing the process for the consumer.
+The request is sent to the data product owner`s site on the marketplace, where they can grant/reject access.
+The policy was already there, but by adding the platform to the mix, we:
+-	Eased the process for the consumer and the producer as the requests are now part of their workflow – not a Jira ticket completely on the side of everything
+-	Eased the evaluation of assessments done by the consumers since we are logging it
+-	Allowed for product thinking of this process. We can now set up metrics to see how long it takes for requests to be processed, the share of requests being rejected, etc. In turn, this can be used as input into the next iteration of the platform. This also covers the non-technical sides of the process: How can we change the policies to reduce frictions?
+
+## Summing up
+Governance is key to unlocking the value of data in a secure way.
+To achieve this, we need to approach this by supporting teams instead of controlling them.
+The approach we describe here is intentionally lightweight, and we will share our learning points as we progress.