Envoy as an API Gateway

Transcript

1. Envoy as an API Gateway Yuki Ito (@mrno110) DP Engineering

   Monday

2. Kauche Architect Yuki Ito @mrno110

3. None

4. Agenda • What is Envoy • Envoy as an API

   Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization

5. Agenda • What is Envoy • Envoy as an API

   Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization

6. What is Envoy https://www.envoyproxy.io/docs/envoy/v1.23.0/intro/what_is_envoy Envoy is an L7 proxy and

   communication bus designed for large modern service oriented architectures. The project was born out of the belief that:ɹ The network should be transparent to applications. When network and application problems do occur it should be easy to determine the source of the problem.

7. Envoy Con fi gurations Listener Cluster Endpoint Endpoint Cluster Endpoint

   Endpoint Route

8. Envoy Con fi gurations 0.0.0.0:5000 Service-1 10.28.1.11 10.28.1.12 Service-2 10.28.1.13

   10.28.1.14 Route Path: /service-1 Path: /service-2

9. Static Con fi gurations static_resources: listeners: - address: socket_address: protocol:

   TCP address: 0.0.0.0 port_value: 5000 #... clusters: - name: service-1 connect_timeout: 1s type: STRICT_DNS lb_policy: ROUND_ROBIN #... envoy.yaml

10. Static Con fi gurations > envoy -c envoy.yaml

11. Dynamic Con fi gurations Control Plane xDS API Cluster Route

    Listener

12. x Discovery Service API •Listener Discovery Service •Route Discovery Service

    •Cluster Discovery Service •Endpoint Discovery Service

13. e.g. Cluster Discovery Service service ClusterDiscoveryService { rpc StreamClusters(stream discovery.v3.DiscoveryRequest)

    returns (stream discovery.v3.DiscoveryResponse) { } rpc DeltaClusters(stream discovery.v3.DeltaDiscoveryRequest) returns (stream discovery.v3.DeltaDiscoveryResponse) { } rpc FetchClusters(discovery.v3.DiscoveryRequest) returns (discovery.v3.DiscoveryResponse) { } } cds.proto https://github.com/envoyproxy/envoy/blob/v1.23.0/api/envoy/service/cluster/v3/cds.proto

14. Control Plane Control Plane xDS API Cluster Route Listener

15. Control Plane - e.g. Istio istiod xDS API Cluster Route

    Listener

16. Control Plane - e.g. Istio https://istio.io/v1.14/docs/ops/deployment/architecture/

17. Agenda • What is Envoy • Envoy as an API

    Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization

18. Agenda • What is Envoy • Envoy as an API

    Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization

19. Architecture Run Tasks Pub/Sub Mobile App External Service Mobile API

    Web Hook API Job API Scheduler

20. API Gateway Pattern Tasks Pub/Sub Mobile App External Service Mobile

    API Web Hook API Job API Scheduler

21. API Gateway Pattern Tasks Pub/Sub Mobile App External Service Mobile

    API Web Hook API Job API Scheduler API Gateway

22. O ffl oading Cross-Cutting Concerns to the API Gateway ✓

    Authentication / Authorization ✓ Transcoding ✓ Being Internet facing (TLS / Domain / CDN / IP ...) ✓ ...

23. Why Envoy? • Extensibility with WebAssembly • Dynamic Con fi

    gurations • Easy to setup • Widely used in the Cloud Native World

24. Agenda • What is Envoy • Envoy as an API

    Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization

25. Envoy Architecture https://www.envoyproxy.io/docs/envoy/latest/intro/life_of_a_request#http- fi lter-chain-processing

26. HTTP Filters JWT Authentication RBAC Modify HTTP Headers Request

27. HTTP Filters JWT Authentication RBAC Modify HTTP Headers Request

28. Wasm Filter Compile

29. proxy-wasm https://github.com/proxy-wasm/spec/blob/c8 ff 5a8ac7b18a65360fe8ab843a6291b8947682/docs/WebAssembly-in-Envoy.md

30. Wasm Filter http_filters: - name: envoy.filters.http.wasm typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url:

    type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: vm_config: runtime: envoy.wasm.runtime.v8 code: local: filename: /etc/envoy/proxy-wasm-cloud-logging-trace-context.wasm configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: |- { "project_id": "x-asia-kauche-dev" } - name: envoy.filters.http.router typed_config: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

31. e.g. Fetching access tokens from Google Cloud Metadata Server API

    Gateway Upstream Microservice Metadata Server Access Token Access Token Get Access Token Request

32. e.g. Integrating with Google CloudLogging https://github.com/kauche/proxy-wasm-cloud-logging-trace-context kauche / proxy-wasm-cloud-logging-trace-context

33. Agenda • What is Envoy • Envoy as an API

    Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization

34. Static Con fi gurations static_resources: listeners: - address: socket_address: protocol:

    TCP address: 0.0.0.0 port_value: 5000 #... clusters: - name: service-1 connect_timeout: 1s type: STRICT_DNS lb_policy: ROUND_ROBIN #... envoy.yaml

35. Con fi gurations for Various Environments • Local • CI

    • Lab • Dev • Prod ~ 60% consists of the same con fi gurations for each environment.

36. Building Con fi gurations with CUE https://cuelang.org/ CUE is an

    open source language, with a rich set of APIs and tooling, for de fi ning, generating, and validating all kinds of data: con fi guration, APIs, database schemas, code, … you name it.

37. Building Con fi gurations with CUE package config #Input: {

    upstreams: [...#Upstream] // ... } #Upstream: { name: string address: string // ... } #Bootstrap: { input: #Input config: { static_resources: { clusters: [ for upstream in input.upstreams { // ... }, ] // ... } } }

38. Building Con fi gurations with CUE package dev import ".../envoy/config"

    bootstrap: config.#Bootstrap & { input: config.#Input & { upstreams: [ config.#Upstream & { name: "api" address: "....run.app" // ... }, config.#Upstream & { name: "partner" address: "....run.app" // ... }, ] } } package local import ".../envoy/config" bootstrap: config.#Bootstrap & { input: config.#Input & { upstreams: [ config.#Upstream & { name: "api" address: "localhost" // ... }, config.#Upstream & { name: "partner" address: "localhost" // ... }, ] } } dev/con fi g.cue local/con fi g.cue

39. Building Con fi gurations with CUE Generate YAML

40. Agenda • What is Envoy • Envoy as an API

    Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization

41. External Authorization Envoy Upstream External Authorization Service OK / NG

    (+ Token) Token Context / Headers Request

42. External Authorization service Authorization { // Performs authorization check based

    on the attributes associated with the // incoming request, and returns status `OK` or not `OK`. rpc Check(CheckRequest) returns (CheckResponse) { } } message CheckRequest { option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v2.CheckRequest"; // The request attributes. AttributeContext attributes = 1; } external_auth.proto https://github.com/envoyproxy/envoy/blob/v1.23.0/api/envoy/service/auth/v3/external_auth.proto

43. External Authorization Envoy Upstream External Authorization Service OK / NG

    (+ JWT) JWT Context / Headers Request

44. Agenda • What is Envoy • Envoy as an API

    Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization