
Envoy as an API Gateway

Yuki Ito
August 22, 2022

Transcript

  1. Envoy as an API Gateway
    Yuki Ito (@mrno110)
    DP Engineering Monday

  2. Kauche
    Architect
    Yuki Ito
    @mrno110

  3. (image-only slide, no text)

  4. Agenda
    • What is Envoy
    • Envoy as an API Gateway @ Kauche
    • WebAssembly Module
    • CUE for Configuration Management
    • External Authorization

  5. Agenda
    • What is Envoy
    • Envoy as an API Gateway @ Kauche
    • WebAssembly Module
    • CUE for Configuration Management
    • External Authorization

  6. What is Envoy
    https://www.envoyproxy.io/docs/envoy/v1.23.0/intro/what_is_envoy
    Envoy is an L7 proxy and communication bus designed for large modern
    service oriented architectures. The project was born out of the belief
    that:

    The network should be transparent to applications. When network and
    application problems do occur it should be easy to determine the source
    of the problem.

  7. Envoy Configurations
    (diagram) Listener
                Route
                  Cluster: Endpoint, Endpoint
                  Cluster: Endpoint, Endpoint

  8. Envoy Configurations
    (diagram) Listener 0.0.0.0:5000
                Route
                  Path: /service-1 -> Service-1: 10.28.1.11, 10.28.1.12
                  Path: /service-2 -> Service-2: 10.28.1.13, 10.28.1.14

  9. Static Configurations
    envoy.yaml:
    static_resources:
      listeners:
      - address:
          socket_address:
            protocol: TCP
            address: 0.0.0.0
            port_value: 5000
        #...
      clusters:
      - name: service-1
        connect_timeout: 1s
        type: STRICT_DNS
        lb_policy: ROUND_ROBIN
        #...

  10. Static Configurations
    > envoy -c envoy.yaml

  11. Dynamic Configurations
    (diagram) Control Plane --(xDS API)--> Cluster / Route / Listener

  12. x Discovery Service API
    • Listener Discovery Service
    • Route Discovery Service
    • Cluster Discovery Service
    • Endpoint Discovery Service

  13. e.g. Cluster Discovery Service
    cds.proto:
    service ClusterDiscoveryService {
      rpc StreamClusters(stream discovery.v3.DiscoveryRequest)
          returns (stream discovery.v3.DiscoveryResponse) {
      }

      rpc DeltaClusters(stream discovery.v3.DeltaDiscoveryRequest)
          returns (stream discovery.v3.DeltaDiscoveryResponse) {
      }

      rpc FetchClusters(discovery.v3.DiscoveryRequest)
          returns (discovery.v3.DiscoveryResponse) {
      }
    }
    https://github.com/envoyproxy/envoy/blob/v1.23.0/api/envoy/service/cluster/v3/cds.proto

  14. Control Plane
    (diagram) Control Plane --(xDS API)--> Cluster / Route / Listener

  15. Control Plane - e.g. Istio
    (diagram) istiod --(xDS API)--> Cluster / Route / Listener

  16. Control Plane - e.g. Istio
    https://istio.io/v1.14/docs/ops/deployment/architecture/

  17. Agenda
    • What is Envoy
    • Envoy as an API Gateway @ Kauche
    • WebAssembly Module
    • CUE for Configuration Management
    • External Authorization

  18. Agenda
    • What is Envoy
    • Envoy as an API Gateway @ Kauche
    • WebAssembly Module
    • CUE for Configuration Management
    • External Authorization

  19. Architecture
    (diagram) Mobile App -> Mobile API; External Service -> Web Hook API;
              Scheduler -> Job API; also Run, Tasks, Pub/Sub

  20. API Gateway Pattern
    (diagram) Mobile App -> Mobile API; External Service -> Web Hook API;
              Scheduler -> Job API; also Tasks, Pub/Sub

  21. API Gateway Pattern
    (diagram) Mobile App / External Service / Scheduler -> API Gateway
              -> Mobile API / Web Hook API / Job API; also Tasks, Pub/Sub

  22. Offloading Cross-Cutting Concerns to the API Gateway
    ✓ Authentication / Authorization
    ✓ Transcoding
    ✓ Being Internet facing (TLS / Domain / CDN / IP ...)
    ✓ ...

  23. Why Envoy?
    • Extensibility with WebAssembly
    • Dynamic Configurations
    • Easy to set up
    • Widely used in the Cloud Native World

  24. Agenda
    • What is Envoy
    • Envoy as an API Gateway @ Kauche
    • WebAssembly Module
    • CUE for Configuration Management
    • External Authorization

  25. Envoy Architecture
    https://www.envoyproxy.io/docs/envoy/latest/intro/life_of_a_request#http-filter-chain-processing

  26. HTTP Filters
    (diagram) Request -> JWT Authentication -> RBAC -> Modify HTTP Headers

  27. HTTP Filters
    (diagram) Request -> JWT Authentication -> RBAC -> Modify HTTP Headers

  28. Wasm Filter
    (diagram) Compile

  29. proxy-wasm
    https://github.com/proxy-wasm/spec/blob/c8ff5a8ac7b18a65360fe8ab843a6291b8947682/docs/WebAssembly-in-Envoy.md

  30. Wasm Filter
    http_filters:
    - name: envoy.filters.http.wasm
      typed_config:
        '@type': type.googleapis.com/udpa.type.v1.TypedStruct
        type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
        value:
          config:
            vm_config:
              runtime: envoy.wasm.runtime.v8
              code:
                local:
                  filename: /etc/envoy/proxy-wasm-cloud-logging-trace-context.wasm
            configuration:
              '@type': type.googleapis.com/google.protobuf.StringValue
              value: |-
                {
                  "project_id": "x-asia-kauche-dev"
                }
    - name: envoy.filters.http.router
      typed_config:
        '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  31. e.g. Fetching access tokens from Google Cloud Metadata Server
    (diagram) Request -> API Gateway;
              API Gateway -> Metadata Server: Get Access Token;
              Metadata Server -> API Gateway: Access Token;
              API Gateway -> Upstream Microservice: Access Token

  32. e.g. Integrating with Google Cloud Logging
    https://github.com/kauche/proxy-wasm-cloud-logging-trace-context

  33. Agenda
    • What is Envoy
    • Envoy as an API Gateway @ Kauche
    • WebAssembly Module
    • CUE for Configuration Management
    • External Authorization

  34. Static Configurations
    envoy.yaml:
    static_resources:
      listeners:
      - address:
          socket_address:
            protocol: TCP
            address: 0.0.0.0
            port_value: 5000
        #...
      clusters:
      - name: service-1
        connect_timeout: 1s
        type: STRICT_DNS
        lb_policy: ROUND_ROBIN
        #...

  35. Configurations for Various Environments
    • Local
    • CI
    • Lab
    • Dev
    • Prod
    ~ 60% of the configuration is the same for each environment.

  36. Building Configurations with CUE
    https://cuelang.org/
    CUE is an open source language, with a rich set of APIs and tooling, for
    defining, generating, and validating all kinds of data: configuration,
    APIs, database schemas, code, … you name it.

  37. Building Configurations with CUE
    package config

    #Input: {
        upstreams: [...#Upstream]
        // ...
    }

    #Upstream: {
        name:    string
        address: string
        // ...
    }

    #Bootstrap: {
        input: #Input
        config: {
            static_resources: {
                clusters: [
                    for upstream in input.upstreams {
                        // ...
                    },
                ]
                // ...
            }
        }
    }

  38. Building Configurations with CUE
    dev/config.cue:
    package dev

    import ".../envoy/config"

    bootstrap: config.#Bootstrap & {
        input: config.#Input & {
            upstreams: [
                config.#Upstream & {
                    name:    "api"
                    address: "....run.app"
                    // ...
                },
                config.#Upstream & {
                    name:    "partner"
                    address: "....run.app"
                    // ...
                },
            ]
        }
    }

    local/config.cue:
    package local

    import ".../envoy/config"

    bootstrap: config.#Bootstrap & {
        input: config.#Input & {
            upstreams: [
                config.#Upstream & {
                    name:    "api"
                    address: "localhost"
                    // ...
                },
                config.#Upstream & {
                    name:    "partner"
                    address: "localhost"
                    // ...
                },
            ]
        }
    }

  39. Building Configurations with CUE
    (diagram) CUE -> Generate -> YAML

  40. Agenda
    • What is Envoy
    • Envoy as an API Gateway @ Kauche
    • WebAssembly Module
    • CUE for Configuration Management
    • External Authorization

  41. External Authorization
    (diagram) Request -> Envoy;
              Envoy -> External Authorization Service: Context / Headers;
              External Authorization Service -> Envoy: OK / NG (+ Token);
              Envoy -> Upstream: Token

  42. External Authorization
    external_auth.proto:
    service Authorization {
      // Performs authorization check based on the attributes associated with the
      // incoming request, and returns status `OK` or not `OK`.
      rpc Check(CheckRequest) returns (CheckResponse) {
      }
    }

    message CheckRequest {
      option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v2.CheckRequest";

      // The request attributes.
      AttributeContext attributes = 1;
    }
    https://github.com/envoyproxy/envoy/blob/v1.23.0/api/envoy/service/auth/v3/external_auth.proto

  43. External Authorization
    (diagram) Request -> Envoy;
              Envoy -> External Authorization Service: Context / Headers;
              External Authorization Service -> Envoy: OK / NG (+ JWT);
              Envoy -> Upstream: JWT
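The check-and-mint exchange of slides 41 to 43, as an added Go example that is not part of the deck or of Kauche's service: the decision logic an ext_authz service would run inside the Authorization.Check RPC shown on slide 42, taking the request headers from the AttributeContext, validating the client's bearer token against a constructed token store, and on OK handing Envoy a freshly signed JWT to forward to the upstream. The token store, signing key, issuer name, Decision type and the HS256 scheme are all assumptions for illustration; mapping Decision onto CheckResponse (ok_response.headers on allow, denied_response otherwise) is left to the gRPC handler.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Decision is what the ext_authz service hands back to Envoy: Allowed maps to
// CheckResponse status OK, Headers to ok_response.headers for the upstream.
type Decision struct {
	Allowed bool
	Headers map[string]string
	Reason  string
}

// Constructed client-token store and signing key for this example only.
var clientTokens = map[string]string{"tok-abc123": "user-42"}
var signingKey = []byte("example-hs256-key-do-not-use")

// mintJWT builds a compact HS256 JWT carrying the subject for the upstream.
func mintJWT(sub string, key []byte) string {
	enc := base64.RawURLEncoding.EncodeToString
	header := enc([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(map[string]string{"iss": "api-gateway", "sub": sub})
	signingInput := header + "." + enc(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc(mac.Sum(nil))
}

// Check mirrors Authorization.Check: headers come from the AttributeContext
// (Envoy lowercases names). Every unexpected input denies (fail closed).
func Check(headers map[string]string) Decision {
	auth := headers["authorization"]
	if !strings.HasPrefix(auth, "Bearer ") {
		return Decision{Reason: "missing bearer token"}
	}
	sub, ok := clientTokens[strings.TrimPrefix(auth, "Bearer ")]
	if !ok {
		return Decision{Reason: "unknown token"}
	}
	// OK + JWT: the upstream only ever sees gateway-issued credentials.
	return Decision{Allowed: true, Headers: map[string]string{
		"authorization": "Bearer " + mintJWT(sub, signingKey),
	}}
}
```

The denied path returns no headers at all, so a token-store miss can never leak a gateway JWT toward the upstream.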

  44. Agenda
    • What is Envoy
    • Envoy as an API Gateway @ Kauche
    • WebAssembly Module
    • CUE for Configuration Management
    • External Authorization