Synadia Control Plane Update - Simplifying NATS at Scale

Streamlining configuration and operations for any NATS deployment

In this talk, Seth Back, Engineering Manager at Synadia, provides an update on Synadia Control Plane.

Whether on Synadia Cloud (SaaS) or Synadia Platform (self-hosted/managed or managed BYOC), Control Plane serves as a central management hub for NATS infrastructure, simplifying day-to-day administration tasks like account creation, JetStream asset management, and cross-account sharing that would otherwise be complex and error-prone.

It provides comprehensive visibility into cluster performance with analytics and metrics, while also integrating Synadia's platform components like HTTP gateway, workloads, connectors, and authenticators through an intuitive UI backed by a REST API. The platform particularly excels at streamlining complex operations like cross-account JetStream sharing and authentication callouts, reducing tasks that would typically take significant time and troubleshooting down to simple, guided workflows that can be completed in seconds.

"So, again, some of the parts about creating these authentication microservices that you have to manage, like, is it healthy? Is it responding? What's happening to it? What are the logs and metrics? We wanted to abstract all that away and have it available via Control Plane so that you can just focus on writing the authentication piece.

If we go back to Auth Callout, and we look at our authenticators, now we can see that we actually have an OIDC that's available because it's connected to Control Plane, its heartbeat is healthy, and now we can start using it inside our system."

— Seth Back, Engineering Manager at Synadia

Full Transcript

Seth Back:

And welcome to the Synadia Control Plane demo. My name is Seth Back. I'm an engineer working on the platform and cloud teams here at Synadia, and I'm excited to show you today some of the things that we've been working on in Control Plane and how they can simplify managing your NATS infrastructure at scale. So first, we're gonna do kind of a quick overview of what Control Plane is, but I really think the best way or the easiest way for you to get a feel for what it's all about is just to go ahead and use it. So this will be very demo heavy.

We'll do an overview of kind of what you expect feature wise in Synadia Control Plane, then we'll just dive right in and start using it. So, yeah, overview. What is Synadia Control Plane? Well, think of it as a central hub for all of your day two NATS management tasks. So cluster visibility, connections, messages sent and received, all of those sorts of metrics, accounts, creating it, obviously, and editing accounts and pushing them out to the server.

JetStream assets, both managing them, like things like consumers creating them and viewing them, but also sharing them across accounts. NATS users, creating NATS users, but also providing sort of a self-service way for individuals to download those credentials themselves, keeping track of those issuances, and then revoking them if necessary. And then automation. So everything we're gonna look at today in the UI is backed by a REST-based API. And so there's lots of opportunities in your IAC pipelines to use service accounts and sort of script some of your common, maybe NATS management tasks or cluster management tasks there.

Second, it's sort of the common way that we integrate and expose the management of Synadia platform components. So we think HTTP gateway, the upcoming workloads and connectors, authenticators, all the sort of the platform components that Synadia is developing and publishing. Control Plane is gonna be the central, you know, view of ways that you would access those, configure them, and interact with them. So, yeah, that's a high overview. It's just basically a central way to make all your life easier when you're managing your NATS cluster.

So let's just go ahead and take a look. So I have Synadia Control Plane deployed locally here, and it's connected to my super cluster in the cloud. And this is very similar to how you would deploy it if you were running it locally. You would, you know, put potentially in your Kubernetes cluster and expose it to your enterprise internally, or of course, Synadia is managing your NATS cluster and Control Plane for you, you would, you know, very similar ways that you would get limited access to it. But let's go ahead and log in.

So we're gonna log in as admin. And we come right to our main dashboard here, and we can see the systems we have configured. We've got one that's demo and a system is really just the view of a cluster. So if we click on it, we'll get a better idea of that. This is my super cluster in AWS.

We've got two regions, US East 1 and 2, and then US West. If we zoom in a little bit closer, we can see that we're filtering based on connections. So this is the number of active connections to each one of these nodes in the cluster. So kind of a quick visual overview of what's happening. We can also go down and, you know, filter based on messages sent and received, bytes sent and received.

And then if we click on any one of these individual nodes, it zooms in and it gives us, you know, what version the server is running, gives us some information on the CPU, memory usage, the number of connections, subscriptions. So kind of a quick way to get an idea of what's actually happening with your servers and potentially their server health. And kind of along those lines of understanding what's going on with your infrastructure, we click on the analytics tab. This gives you an overview of all of your metrics across your system. And every one of these metrics here can be shipped with Prometheus remote write, or we also provide a Prometheus scraping endpoint.

So, again, we wanna give you a quick and easy way to understand what's going on with your cluster right through Synadia Control Plane, but also make it very easy to ship those same metrics to whatever additional analytical tools that you use internally. So looking at some other things that you can do, we'll kind of focus on accounts now. Click on accounts. It gives you a list as you would expect. Here's some accounts that are preconfigured for us.

If we look at factories, we'll just look at that one. We can see that we've got an overview now of what's happening, but in the context of this particular account. So this is not across the system. This is just what's connected with this account. And if we click on the connections, we can actually take a look and see all of the active connections, what type it is, it's client, NATS client.

We can get a quick look at what the round trip time is. And again, it gives us options to filter on any of these things. The usual other things you would do, JetStream users, you know, you can create users and download their credentials, you know, see when they have recent activity, any issuances for when they've downloaded those credentials, sharing, and then settings. You know, setting imports, exports, connections, all the connection settings that you might wanna update for your account. But one thing that really excited me when I was working on Control Plane was the cross-account JetStream sharing.

So I'm sure it's something that some of you have done, and I know at least when I did it before Control Plane, I'd always have to remember, look, go and dig in the docs, you know, what subjects need to be exported, what subjects need to be imported. You've got the JetStream API. You've got the flow control, the response subject, all the things. And I always did it wrong the first time, it never worked, and then I have to come back and fiddle with it and get it done. So kinda in the spirit of making your day to day management tasks very easy, let's go ahead and share this order data stream.

It's got just a few messages in it, but let's go ahead and share it from this account into another one. So we click on the sharing tab, and we click on our streams. I'm gonna go ahead and export this stream and order data. It's private. I don't want everyone to be able to see it.

I don't wanna have to approve them. So I've just exported it. Now there's no accounts that have it. I'm gonna go ahead and export it over to let's do the business hub here. Add that account.

And now it's shared with the business hub, and it gives us an easy link here inside of Control Plane to hop right over to the business hub and the imports. I'm gonna say I wanna import an available stream for me. I can see now it's an order data. It's coming from Factory East. Let's go ahead and import and then mirror that.

So it's imported it. We wanna mirror it to order data. That looks good. Three replicas. We'll save that.

And now we have the business hub order data mirror inside of our business hub account coming from the Factory East. So, you know, stuff that would take me, you know, a long time to get right and I wouldn't get it right the first time is now, what, thirty seconds, and you can share it across accounts. So that was one of the things that really got me psyched about Control Plane is just how it eases tasks like this, makes tasks like this very, very easy to accomplish. So one final thing I wanted to highlight with Control Plane is the functionality for platform components. And to do that, first, I wanna kinda talk to you about auth callout.

So auth callout, we have a tab here for configuring for the system. Auth callout is just a way to tell NATS server that, you know, when a user connects to this particular account, I want some sort of microservice to be forwarded that request. It gets to decide, you know, should that user connect and what account that user should connect to, and then responds to the server, and the server acts accordingly. So we've made configuring that very easy through Control Plane. We'll just do it now.

We have auth callout. Let's configure a control account. I have one conveniently called auth callout control that we'll use, and then we'll go in and manage that. I wanna create users. These are the users that will you know, if you have your microservice that's doing the authentication, the user credential that when it connects, it bypasses that sort of auth callout and it just the server allows it to connect based on the credentials that it has.

So I've created one here, factory east to them, but we could create a new one if we wanted. And then target accounts, this is just a list of accounts that you're saying when this authenticator makes its decision. The logic that I've run to makes its decision for whether or not this user can authenticate, what are the accounts that it's allowed to essentially transfer into? And we'll just say business hub. We'll save that there.

And so now we can see the overview. We have the callout overview. So one of the key parts of implementing auth callout is you have to write the microservice that does the actual authentication, connects to the control account, does the actual authentication, interacts with Control Plane. And you have to do or interacts with NATS server. And you have to, you know, do all the things that are, you know, around building that, the building and managing that, and we wanted to bring that into Synadia Control Plane.

So if you click on settings over here, we look at our platform components. We have this option to enable auth callout authenticators. And we're gonna go ahead and enable auth callout authenticators and run a little OIDC authenticator I've written that will actually tie in to Control Plane and show you how that works. It's an OIDC authenticator that kind of follows very closely to the YouTube video. If you go to our YouTube channel, Jeremy there kinda gives you a tutorial on how auth callout works, and this tracks that fairly similarly.

So let's go ahead and enable auth callout authenticators. We're gonna say that we want it to use the authenticator's account and the config bucket to handle its configs. And so this is just when an authenticator accounts, this is where it's gonna go. We'll hit submit there. The component token, I'll talk about in just a minute, but let's go back to our auth callout.

And we can see now in our configuration, we have this authenticator's tab. And this authenticator tab right now is empty because, you know, there's no authenticators available. There's nothing connected in registered control plane. But now, at least we know platform components authenticators are enabled and we can configure them through here. So let's come back here.

We'll grab this component token now, and I'm going to connect that to my authenticator code that I've got here. So it's just OIDC. We give it the string of the Synadia Control Plane server and then this token, and that's how it interacts with Control Plane and will get and will register itself and then become available in the UI. So let me just get here. We'll paste this token in to connect.

And so we can see it's connected to our, you know, this demo control plane. It's registered. It's connected. It says the registration connection is success, and it started a heartbeat message. So, again, some of the parts about creating these authentication microservices that you have to manage, like, is it healthy?

Is it responding? What's happening to it? What are the logs and metrics? We wanted to abstract all that away and have it available via Control Plane so that you can just focus on writing the authentication piece. So if we come up here and we go back to our account list, let's just shell check your authenticators when you see connections, we can see that our platform component authenticator is connected to our authenticators.

But then if we go back to Auth Callout and we look at our authenticators, now we can see that we actually have an OIDC that's available because it's connected to Control Plane, its heartbeat is healthy, and now we can start using it inside of our system or our demo system here. So I'm gonna go ahead and enable it. And not only did it register itself, it also, in that registration process, tells Control Plane what it needs to be configured in order to run correctly. So in this case, we need a client ID, and then we also the OIDC services that it's connected with right now is just connected with Google. So we'll go ahead and enable it here.

We'll save those changes. And if you can see the logs that came through here, it received an update on the particular key value that it was watching. It connected into the control account that we have configured here with Synadia Control Plane. It started logging and is shipping its logs over a particular subject, and then it started its OIDC service and lets us know that it's healthy. So a lot of these interactions with the logs, the metrics, the getting your configuration, all of that is abstracted away, and you can interact with it and manage it directly through Control Plane, and then just really focus on implementing the actual function that gives your authentication.

So a lot of this code, look for it to come to the authcallout.go packages, and we'll be, you know, publishing essentially these convenient ways for you to hook up your authenticators into Control Plane, you know, via the authenticator packages. So, yeah, that's kind of an overview of the things that we're doing with Control Plane. If you're interested in it and this excites you, you can actually get access to it right now. It's called Synadia Cloud. And Synadia Cloud, I'll just click over here, it looks very familiar because Synadia Cloud is Synadia Control Plane, just running at scale and fronting our NGS, which is just our NATS global supercluster.

It's a global supercluster that's in all the different cloud providers across the globe. And so if you create a free account, you can get access to, you know, interacting with NGS. You can create accounts on there. All the things that we just went through, JetStreams, cross-account sharing, users, all of the things that's available right now for you to try out on NGS. The other interesting thing about Synadia Cloud is you're able to actually bring your own local NATS system and connect it in to the cloud UI, and that's with remote systems.

So in that case, you would just have your system that you're running locally, and you would import it directly into essentially the UI of Synadia Cloud. All of the assets and everything remain in your cluster in your cloud, but now you get to use essentially Control Plane as your window into managing your remote system. So that's something that's available there for you today to use today. You don't have access in the remote systems to the platform components for a variety of reasons. Those are kind of separate in the way those interact with the NATS cluster, but it definitely gives you all the NATS user management, the JetStream assets, you know, creation and management, the clusters, you know, sort of the overview with the stats and analytics and all of those things.

So, yeah, I appreciate your time and listening as we've kinda gone through what Synadia Control Plane is. If you want more information, we've got resources. The Synadia platform docs at docs.synadia.com, a great place, a great resource for all the information about platform and how to interact with it. Synadia Cloud, obviously, cloud.synadia.com, and then docs around that. But I really appreciate your time.

Thanks for listening, and, yeah, I look forward to interacting with you either on the NATS Slack or in the future. Thanks.