30 October 2018

Meet the Passlayer


If you've read the architecture blogs, you'll know that TOPdesk is moving towards a (micro) service-oriented architecture. This architecture is full redesign of the TOPdesk product so that you benefit from new improvements in technology. However, redesigning the architecture also results in a number of challenges. One such challenge is the need to rebuild some of the basic building blocks from scratch. These components were built into the TOPdesk application, such as authentication, session management, authorization and logging, but need to be separated to offer the components as services. 

The Passlayer is the first block that is being rebuilt. But what is the Passlayer? The Passlayer is a gateway service that all requests from the outside need to pass through access TOPdesk services. It takes care of authentication and session management. Read on to find out how you benefit from the Passlayer.


The new architecture landscape


As the Passlayer is a gateway service, it must be secure: secure by design, and secure in practice. Taking into account that Broken Authentication management is still the 2nd highest risk in the OWASP top 10, authentication is important to get right. You want to be sure that you can trust the Passlayer. TOPdesk tackles authentication by keeping the Passlayer as simple as possible. The whole layer is composed of a few different services. Each of those services have a simple distinctive task, like managing sessions or validating authentication of incoming requests. 

Furthermore, TOPdesk is working with multiple security specialists to make sure security is central whenever we update the design or support new features. With extensive threat modeling sessions, we get an overview of all the theoretical risks, so we know what to focus on for future development. 

High Availability

When requests can't get through the Passlayer and you can't access TOPdesk, you can't work. By incorporating the Passlayer in a service architecture, you have access to the highest possible availability. To ensure high availability, TOPdesk uses the service orchestrator Kubernetes.

Services in TOPdesk are designed in a way that multiple instances can run parallel to each other. Multiple instances provides the system with the possibility of load sharing and high availability. TOPdesk monitors the health of each and every service, defining exactly under which conditions a service is considered unhealthy. If these conditions are matched, Kubernetes automatically terminates the service and starts a new one. In the meantime, other instances take over the work. Your downtime is kept to a minimum.

Your work is also no longer interrupted by updates, as you can access a previous version while other instances are being updated to the new version service. Want to read more in-depth information? Read how Kubernetes uses rolling updates to ensure you experience zero downtime.

The Passlayer has already shown it's resilience in practice during disruptions to TOPdesk's SaaS environments. Everything kept running smoothly. In the worst case, the Passlayer used a bit more system resources, or responded slightly slower than usual, but it was never unavailable or unresponsive. That is the true power of the service approach. It was like walking through a level 5 hurricane, with only your hair a bit messy because of the wind.

Quick access to new features

TOPdesk uses deployment pipelines to deploy the Passlayer and all other services. All the building, verifications, testing, staging and deploying is done in this pipeline. TOPdesk stays in control of the whole process, from development to deployment. TOPdesk ensures the correctness of services in every stage of the staged release lifecycle.

The continuous delivery approach, combined with the service architecture, allow you to experience effective deployment cycles, You have access to new releases and bug fixes much quicker than before. Instead of waiting months for new features, it only takes a few minutes to get updates to you.

High performance

More people are choosing SaaS. As such, the usage of new features through services can grow enormous amounts in a short period. To make sure that aren't negatively affected by the increase in traffic, the load is spread amongst multiple instances of the same service. When the number of instances won't suffice, more instances are added.

TOPdesk uses a metrics system to assess live data about the resource usage, along with performance metrics for each service. With all this information, new instances of a service are added in order to better handle the traffic. For the Passlayer, you are most affected by response times, number of connections and opened sessions. These metrics are tracked to make sure you experience the best performance. In the future, tracking will be done automatically so that you don't notice any hiccups.


Think of the entire TOPdesk application as a service. A big one, but still a service. One step to make the monolith behave more like a service, is to put it behind the Passlayer. In the first step, your authentication will go via the Passlayer instead of the built-in authentication in TOPdesk. After this, we'll safely extract functionalities from the monolith and transform them into new services. In time, you benefit from the service-oriented architecture for all features in TOPdesk. In the end, you'll notice a more reliable and resilient product than before. You'll have shorter maintenance period, increased availability, higher security and quicker access to new features.


Martijn van Lambalgen

Martijn van Lambalgen, Software developer