
Envoy as an API Gateway

Yuki Ito
August 22, 2022


Transcript

  1. Envoy as an API Gateway. Yuki Ito (@mrno110). DP Engineering Monday
  2. Kauche Architect: Yuki Ito (@mrno110)

  3. None
  4. Agenda
     • What is Envoy
     • Envoy as an API Gateway @ Kauche
     • WebAssembly Module
     • CUE for Configuration Management
     • External Authorization
  5. Agenda (section: What is Envoy)
     • What is Envoy
     • Envoy as an API Gateway @ Kauche
     • WebAssembly Module
     • CUE for Configuration Management
     • External Authorization
  6. What is Envoy
     https://www.envoyproxy.io/docs/envoy/v1.23.0/intro/what_is_envoy
     "Envoy is an L7 proxy and communication bus designed for large modern service oriented architectures. The project was born out of the belief that: The network should be transparent to applications. When network and application problems do occur it should be easy to determine the source of the problem."
  7. Envoy Configurations (diagram of the configuration objects)
     Listener -> Route -> Cluster -> Endpoint, Endpoint
                       -> Cluster -> Endpoint, Endpoint
  8. Envoy Configurations (diagram with concrete values)
     Listener 0.0.0.0:5000
     Route: Path /service-1 -> Service-1 (10.28.1.11, 10.28.1.12)
     Route: Path /service-2 -> Service-2 (10.28.1.13, 10.28.1.14)
  9. Static Configurations (envoy.yaml)
     static_resources:
       listeners:
       - address:
           socket_address:
             protocol: TCP
             address: 0.0.0.0
             port_value: 5000
         #...
       clusters:
       - name: service-1
         connect_timeout: 1s
         type: STRICT_DNS
         lb_policy: ROUND_ROBIN
         #...
  10. Static Configurations
     > envoy -c envoy.yaml

  11. Dynamic Configurations (diagram)
     Control Plane --xDS API--> Envoy (Listener, Route, Cluster)
  12. x Discovery Service API
     • Listener Discovery Service
     • Route Discovery Service
     • Cluster Discovery Service
     • Endpoint Discovery Service
  13. e.g. Cluster Discovery Service (cds.proto)
     service ClusterDiscoveryService {
       rpc StreamClusters(stream discovery.v3.DiscoveryRequest)
           returns (stream discovery.v3.DiscoveryResponse) {
       }
       rpc DeltaClusters(stream discovery.v3.DeltaDiscoveryRequest)
           returns (stream discovery.v3.DeltaDiscoveryResponse) {
       }
       rpc FetchClusters(discovery.v3.DiscoveryRequest)
           returns (discovery.v3.DiscoveryResponse) {
       }
     }
     https://github.com/envoyproxy/envoy/blob/v1.23.0/api/envoy/service/cluster/v3/cds.proto
  14. Control Plane (diagram)
     Control Plane --xDS API--> Envoy (Listener, Route, Cluster)
  15. Control Plane - e.g. Istio (diagram)
     istiod --xDS API--> Envoy (Listener, Route, Cluster)
  16. Control Plane - e.g. Istio https://istio.io/v1.14/docs/ops/deployment/architecture/

  17. Agenda
     • What is Envoy
     • Envoy as an API Gateway @ Kauche
     • WebAssembly Module
     • CUE for Configuration Management
     • External Authorization
  18. Agenda (section: Envoy as an API Gateway @ Kauche)
     • What is Envoy
     • Envoy as an API Gateway @ Kauche
     • WebAssembly Module
     • CUE for Configuration Management
     • External Authorization
  19. Architecture (diagram)
     Components: Mobile App, External Service, Mobile API, Web Hook API, Job API, Scheduler, Tasks, Pub/Sub, Run
  20. API Gateway Pattern (diagram, before)
     Mobile App and External Service call Mobile API, Web Hook API and Job API directly; Scheduler, Tasks and Pub/Sub sit behind them
  21. API Gateway Pattern (diagram, after)
     Mobile App and External Service call the API Gateway, which fronts Mobile API, Web Hook API and Job API; Scheduler, Tasks and Pub/Sub sit behind them
  22. Offloading Cross-Cutting Concerns to the API Gateway
     ✓ Authentication / Authorization
     ✓ Transcoding
     ✓ Being Internet facing (TLS / Domain / CDN / IP ...)
     ✓ ...
  23. Why Envoy?
     • Extensibility with WebAssembly
     • Dynamic Configurations
     • Easy to set up
     • Widely used in the Cloud Native World
  24. Agenda (section: WebAssembly Module)
     • What is Envoy
     • Envoy as an API Gateway @ Kauche
     • WebAssembly Module
     • CUE for Configuration Management
     • External Authorization
  25. Envoy Architecture
     https://www.envoyproxy.io/docs/envoy/latest/intro/life_of_a_request#http-filter-chain-processing

  26. HTTP Filters (diagram of the filter chain)
     Request -> JWT Authentication -> RBAC -> Modify HTTP Headers
  27. HTTP Filters (same chain, with the Wasm filter highlighted)
     Request -> JWT Authentication -> RBAC -> Modify HTTP Headers
  28. Wasm Filter (diagram)
     Source code --Compile--> Wasm Filter
  29. proxy-wasm
     https://github.com/proxy-wasm/spec/blob/c8ff5a8ac7b18a65360fe8ab843a6291b8947682/docs/WebAssembly-in-Envoy.md

  30. Wasm Filter
     http_filters:
     - name: envoy.filters.http.wasm
       typed_config:
         '@type': type.googleapis.com/udpa.type.v1.TypedStruct
         type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
         value:
           config:
             vm_config:
               runtime: envoy.wasm.runtime.v8
               code:
                 local:
                   filename: /etc/envoy/proxy-wasm-cloud-logging-trace-context.wasm
             configuration:
               '@type': type.googleapis.com/google.protobuf.StringValue
               value: |-
                 { "project_id": "x-asia-kauche-dev" }
     - name: envoy.filters.http.router
       typed_config:
         '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  31. e.g. Fetching access tokens from Google Cloud Metadata Server (sequence diagram)
     Participants: API Gateway, Upstream Microservice, Metadata Server
     Request -> Gateway: Get Access Token -> Metadata Server; Metadata Server returns Access Token; Gateway forwards the request with the Access Token to the Upstream Microservice
  32. e.g. Integrating with Google Cloud Logging
     https://github.com/kauche/proxy-wasm-cloud-logging-trace-context (kauche / proxy-wasm-cloud-logging-trace-context)

  33. Agenda (section: CUE for Configuration Management)
     • What is Envoy
     • Envoy as an API Gateway @ Kauche
     • WebAssembly Module
     • CUE for Configuration Management
     • External Authorization
  34. Static Configurations (envoy.yaml)
     static_resources:
       listeners:
       - address:
           socket_address:
             protocol: TCP
             address: 0.0.0.0
             port_value: 5000
         #...
       clusters:
       - name: service-1
         connect_timeout: 1s
         type: STRICT_DNS
         lb_policy: ROUND_ROBIN
         #...
  35. Configurations for Various Environments
     • Local
     • CI
     • Lab
     • Dev
     • Prod
     About 60% of the configuration is the same in every environment.
  36. Building Configurations with CUE
     https://cuelang.org/
     "CUE is an open source language, with a rich set of APIs and tooling, for defining, generating, and validating all kinds of data: configuration, APIs, database schemas, code, … you name it."
  37. Building Configurations with CUE (shared package)
     package config

     #Input: {
       upstreams: [...#Upstream]
       // ...
     }

     #Upstream: {
       name:    string
       address: string
       // ...
     }

     #Bootstrap: {
       input: #Input
       config: {
         static_resources: {
           clusters: [
             for upstream in input.upstreams {
               // ...
             },
           ]
           // ...
         }
       }
     }
  38. Building Configurations with CUE (per-environment packages)
     dev/config.cue:
     package dev

     import ".../envoy/config"

     bootstrap: config.#Bootstrap & {
       input: config.#Input & {
         upstreams: [
           config.#Upstream & {
             name:    "api"
             address: "....run.app"
             // ...
           },
           config.#Upstream & {
             name:    "partner"
             address: "....run.app"
             // ...
           },
         ]
       }
     }

     local/config.cue:
     package local

     import ".../envoy/config"

     bootstrap: config.#Bootstrap & {
       input: config.#Input & {
         upstreams: [
           config.#Upstream & {
             name:    "api"
             address: "localhost"
             // ...
           },
           config.#Upstream & {
             name:    "partner"
             address: "localhost"
             // ...
           },
         ]
       }
     }
  39. Building Configurations with CUE: Generate YAML

  40. Agenda (section: External Authorization)
     • What is Envoy
     • Envoy as an API Gateway @ Kauche
     • WebAssembly Module
     • CUE for Configuration Management
     • External Authorization
  41. External Authorization (diagram)
     Request (with Token) -> Envoy -> External Authorization Service: OK / NG (+ Token) -> Envoy -> Upstream (with Context / Headers)
  42. External Authorization (external_auth.proto)
     service Authorization {
       // Performs authorization check based on the attributes associated with the
       // incoming request, and returns status `OK` or not `OK`.
       rpc Check(CheckRequest) returns (CheckResponse) {
       }
     }

     message CheckRequest {
       option (udpa.annotations.versioning).previous_message_type =
           "envoy.service.auth.v2.CheckRequest";

       // The request attributes.
       AttributeContext attributes = 1;
     }
     https://github.com/envoyproxy/envoy/blob/v1.23.0/api/envoy/service/auth/v3/external_auth.proto
  43. External Authorization (diagram, with a JWT)
     Request (with JWT) -> Envoy -> External Authorization Service: OK / NG (+ JWT) -> Envoy -> Upstream (with Context / Headers)
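The OK / NG decision in slides 41 to 43, written out as an added example (not code from the talk or from Kauche): the authorization service receives the token Envoy forwarded, verifies it, and answers either 200 plus headers to pass upstream or 403. The deck shows the gRPC `Check` API; this example instead targets the HTTP mode of Envoy's ext_authz filter (an HTTP handler would call `check` with the forwarded `Authorization` header and copy the returned map into its response headers), and assumes an HS256 JWT with a constructed demo key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
	"time"
)

// hmacKey is a constructed demo secret; a real gateway loads it from a secret store.
var hmacKey = []byte("constructed-demo-key")
// claims is the subset of JWT claims the gateway turns into upstream context.
type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// dec base64url-decodes one JWT segment; nil on bad input, which fails every later check.
func dec(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
// sign computes the HS256 MAC over "header.payload"; an issuer mints tokens with the same function.
func sign(input string) []byte {
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}
// verifyHS256 pins the algorithm, checks the MAC, then expiry and subject, before any claim is trusted.
func verifyHS256(token string, now time.Time) (c claims, ok bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims{}, false
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(dec(parts[0]), &hdr) != nil || hdr.Alg != "HS256" ||
		!hmac.Equal(dec(parts[2]), sign(parts[0]+"."+parts[1])) ||
		json.Unmarshal(dec(parts[1]), &c) != nil || c.Sub == "" || now.Unix() >= c.Exp {
		return claims{}, false
	}
	return c, true
}

// check is the decision Envoy's ext_authz filter waits for: 200 plus headers to forward upstream, or 403.
func check(authHeader string, now time.Time) (int, map[string]string) {
	if c, ok := verifyHS256(strings.TrimPrefix(authHeader, "Bearer "), now); ok && strings.HasPrefix(authHeader, "Bearer ") {
		return 200, map[string]string{"x-user-id": c.Sub}
	}
	return 403, nil
}
```

In Envoy's HTTP ext_authz mode only the headers named in the filter's allowed upstream header list reach the upstream, so `x-user-id` has to be listed there for the context to arrive.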
  44. Agenda (closing)
     • What is Envoy
     • Envoy as an API Gateway @ Kauche
     • WebAssembly Module
     • CUE for Configuration Management
     • External Authorization