Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Envoy as an API Gateway

Yuki Ito
August 22, 2022
Technology
0
160

Envoy as an API Gateway

Yuki Ito

August 22, 2022
Tweet

More Decks by Yuki Ito

See All by Yuki Ito
Architect / Platform Team at KAUCHE
110y
0
280
Cloud Run + Observability / Reliability @ KAUCHE
110y
0
240
Cloud Run CI/CD + QA @ KAUCHE
110y
1
290
Microservices on Cloud Run @ KAUCHE
110y
0
90
KAUCHE Loves Go
110y
0
250
Evolution of Architecture @ Kauche
110y
3
330
Microservices on Cloud Run + VPC Network
110y
0
310
How We Use Cloud Run and its Friends
110y
0
280
Custom Kubernetes Controllers at Mercari
110y
1
570

Other Decks in Technology

See All in Technology
Mutating Meetup with GraphQL
adavis
1
570
【IoT-Tech Meetup #5】IoTとは?WireGuard概要とIoTで通信を守る理由
soracom
PRO
0
110
LLMアプリケーションの安定性を高めるための精度評価・改善
nrryuya
3
990
LLM 時代におさえておきたい Azure Serverless ファミリーまとめ / serverlessdaystokyo2023-llm-aoai
miyake
5
810
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
11
29k
ChatGPTを前に頭が真っ白を乗り越え人が答えることが困難な認知負荷MAXなタフクエスチョンをどんどん回答させてプロダクト価値を爆速探求するぞ/cognitive_load_question_and_chatgpt
moriyuya
2
260
アジャイル開発と時代の流れに伴うサーバレスアーキテクチャの変化
yoshiitaka
5
3.1k
Advancing Equity and Inclusion for Deaf Students in Higher Education
3playmarketing
0
130
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
0
410
クラウドサイン事業本部 プロダクト組織 紹介資料
bengo4com
0
180
Renovate を使った ライブラリアップデート 仕組み化の取り組み
andpad
0
100
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
6
4.1k

Featured

See All Featured
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
10
1.2k
Into the Great Unknown - MozCon
thekraken
7
600
Building a Modern Day 
E-commerce SEO Strategy
aleyda
12
5.7k
Art, The Web, and Tiny UX
lynnandtonic
285
18k
Unsuck your backbone
ammeep
660
56k
The Cost Of JavaScript in 2023
addyosmani
9
1.5k
Why Our Code Smells
bkeepers
PRO
329
56k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.8k
Code Reviewing Like a Champion
maltzj
510
38k
Pencils Down: Stop Designing & Start Developing
hursman
115
10k
Designing with Data
zakiwarfel
93
4.5k
Designing for humans not robots
tammielis
246
24k

Transcript

  1. Envoy as an API Gateway
    Yuki Ito (@mrno110)
    DP Engineering Monday

    View Slide

  2. Kauche


    Architect
    Yuki Ito


    @mrno110

    View Slide

  3. View Slide

  4. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide

  5. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide

  6. What is Envoy
    https://www.envoyproxy.io/docs/envoy/v1.23.0/intro/what_is_envoy
    Envoy is an L7 proxy and communication bus
    designed for large modern service oriented
    architectures. The project was born out of the
    belief that:ɹ


    The network should be transparent to
    applications. When network and application
    problems do occur it should be easy to
    determine the source of the problem.

    View Slide

  7. Envoy Con
    fi
    gurations
    Listener
    Cluster
    Endpoint Endpoint
    Cluster
    Endpoint Endpoint
    Route

    View Slide

  8. Envoy Con
    fi
    gurations
    0.0.0.0:5000
    Service-1
    10.28.1.11 10.28.1.12
    Service-2
    10.28.1.13 10.28.1.14
    Route
    Path: /service-1 Path: /service-2

    View Slide

  9. Static Con
    fi
    gurations
    static_resources:


    listeners:


    - address:


    socket_address:


    protocol: TCP


    address: 0.0.0.0


    port_value: 5000


    #...


    clusters:


    - name: service-1


    connect_timeout: 1s


    type: STRICT_DNS


    lb_policy: ROUND_ROBIN


    #...
    envoy.yaml

    View Slide

  10. Static Con
    fi
    gurations
    > envoy -c envoy.yaml

    View Slide

  11. Dynamic Con
    fi
    gurations
    Control Plane
    xDS API
    Cluster
    Route
    Listener

    View Slide

  12. x Discovery Service API
    •Listener Discovery Service


    •Route Discovery Service


    •Cluster Discovery Service


    •Endpoint Discovery Service

    View Slide

  13. e.g. Cluster Discovery Service
    service ClusterDiscoveryService {


    rpc StreamClusters(stream discovery.v3.DiscoveryRequest)


    returns (stream discovery.v3.DiscoveryResponse) {


    }


    rpc DeltaClusters(stream discovery.v3.DeltaDiscoveryRequest)


    returns (stream discovery.v3.DeltaDiscoveryResponse) {


    }


    rpc FetchClusters(discovery.v3.DiscoveryRequest)


    returns (discovery.v3.DiscoveryResponse) {


    }


    }
    cds.proto
    https://github.com/envoyproxy/envoy/blob/v1.23.0/api/envoy/service/cluster/v3/cds.proto

    View Slide

  14. Control Plane
    Control Plane
    xDS API
    Cluster
    Route
    Listener

    View Slide

  15. Control Plane - e.g. Istio
    istiod
    xDS API
    Cluster
    Route
    Listener

    View Slide

  16. Control Plane - e.g. Istio
    https://istio.io/v1.14/docs/ops/deployment/architecture/

    View Slide

  17. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide

  18. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide

  19. Architecture
    Run
    Tasks
    Pub/Sub
    Mobile App External Service
    Mobile API Web Hook API Job API
    Scheduler

    View Slide

  20. API Gateway Pattern
    Tasks
    Pub/Sub
    Mobile App External Service
    Mobile API Web Hook API Job API
    Scheduler

    View Slide

  21. API Gateway Pattern
    Tasks
    Pub/Sub
    Mobile App External Service
    Mobile API Web Hook API Job API
    Scheduler
    API Gateway

    View Slide

  22. O
    ffl
    oading Cross-Cutting Concerns to the API Gateway
    ✓ Authentication / Authorization


    ✓ Transcoding


    ✓ Being Internet facing (TLS / Domain / CDN / IP ...)


    ✓ ...

    View Slide

  23. Why Envoy?
    • Extensibility with WebAssembly


    • Dynamic Con
    fi
    gurations


    • Easy to setup


    • Widely used in the Cloud Native World

    View Slide

  24. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide

  25. Envoy Architecture
    https://www.envoyproxy.io/docs/envoy/latest/intro/life_of_a_request#http-
    fi
    lter-chain-processing

    View Slide

  26. HTTP Filters
    JWT Authentication
    RBAC
    Modify HTTP Headers
    Request

    View Slide

  27. HTTP Filters
    JWT Authentication
    RBAC
    Modify HTTP Headers
    Request

    View Slide

  28. Wasm Filter
    Compile

    View Slide

  29. proxy-wasm
    https://github.com/proxy-wasm/spec/blob/c8
    ff
    5a8ac7b18a65360fe8ab843a6291b8947682/docs/WebAssembly-in-Envoy.md

    View Slide

  30. Wasm Filter
    http_filters:


    - name: envoy.filters.http.wasm


    typed_config:


    '@type': type.googleapis.com/udpa.type.v1.TypedStruct


    type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm


    value:


    config:


    vm_config:


    runtime: envoy.wasm.runtime.v8


    code:


    local:


    filename: /etc/envoy/proxy-wasm-cloud-logging-trace-context.wasm


    configuration:


    '@type': type.googleapis.com/google.protobuf.StringValue


    value: |-


    {


    "project_id": "x-asia-kauche-dev"


    }


    - name: envoy.filters.http.router


    typed_config:


    '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router


    View Slide

  31. e.g. Fetching access tokens from Google Cloud Metadata Server
    API Gateway
    Upstream Microservice
    Metadata Server
    Access Token Access Token
    Get Access Token
    Request

    View Slide

  32. e.g. Integrating with Google CloudLogging
    https://github.com/kauche/proxy-wasm-cloud-logging-trace-context
    kauche / proxy-wasm-cloud-logging-trace-context

    View Slide

  33. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide

  34. Static Con
    fi
    gurations
    static_resources:


    listeners:


    - address:


    socket_address:


    protocol: TCP


    address: 0.0.0.0


    port_value: 5000


    #...


    clusters:


    - name: service-1


    connect_timeout: 1s


    type: STRICT_DNS


    lb_policy: ROUND_ROBIN


    #...
    envoy.yaml

    View Slide

  35. Con
    fi
    gurations for Various Environments
    • Local


    • CI


    • Lab


    • Dev


    • Prod
    ~ 60% consists of the same
    con
    fi
    gurations for each
    environment.

    View Slide

  36. Building Con
    fi
    gurations with CUE
    https://cuelang.org/
    CUE is an open source language, with a
    rich set of APIs and tooling, for de
    fi
    ning,
    generating, and validating all kinds of
    data: con
    fi
    guration, APIs, database
    schemas, code, … you name it.

    View Slide

  37. Building Con
    fi
    gurations with CUE
    package config


    #Input: {


    upstreams: [...#Upstream]


    // ...


    }


    #Upstream: {


    name: string


    address: string


    // ...


    }


    #Bootstrap: {


    input: #Input


    config: {


    static_resources: {


    clusters: [


    for upstream in input.upstreams {


    // ...


    },


    ]


    // ...


    }


    }


    }

    View Slide

  38. Building Con
    fi
    gurations with CUE
    package dev


    import ".../envoy/config"


    bootstrap: config.#Bootstrap & {


    input: config.#Input & {


    upstreams: [


    config.#Upstream & {


    name: "api"


    address: "....run.app"


    // ...


    },


    config.#Upstream & {


    name: "partner"


    address: "....run.app"


    // ...


    },


    ]


    }


    }
    package local


    import ".../envoy/config"


    bootstrap: config.#Bootstrap & {


    input: config.#Input & {


    upstreams: [


    config.#Upstream & {


    name: "api"


    address: "localhost"


    // ...


    },


    config.#Upstream & {


    name: "partner"


    address: "localhost"


    // ...


    },


    ]


    }


    }
    dev/con
    fi
    g.cue local/con
    fi
    g.cue

    View Slide

  39. Building Con
    fi
    gurations with CUE
    Generate
    YAML

    View Slide

  40. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide

  41. External Authorization
    Envoy
    Upstream
    External Authorization Service
    OK / NG (+ Token) Token
    Context / Headers
    Request

    View Slide

  42. External Authorization
    service Authorization {


    // Performs authorization check based on the attributes associated with the


    // incoming request, and returns status `OK` or not `OK`.


    rpc Check(CheckRequest) returns (CheckResponse) {


    }


    }


    message CheckRequest {


    option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v2.CheckRequest";


    // The request attributes.


    AttributeContext attributes = 1;


    }
    external_auth.proto
    https://github.com/envoyproxy/envoy/blob/v1.23.0/api/envoy/service/auth/v3/external_auth.proto

    View Slide

  43. External Authorization
    Envoy
    Upstream
    External Authorization Service
    OK / NG (+ JWT) JWT
    Context / Headers
    Request

    View Slide

  44. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide