Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Envoy as an API Gateway

Yuki Ito
August 22, 2022
Technology
0
110

Envoy as an API Gateway

Yuki Ito

August 22, 2022
Tweet

More Decks by Yuki Ito

See All by Yuki Ito
Cloud Run CI/CD + QA @ KAUCHE
110y
1
220
Microservices on Cloud Run @ KAUCHE
110y
0
68
KAUCHE Loves Go
110y
0
190
Evolution of Architecture @ Kauche
110y
3
260
Microservices on Cloud Run + VPC Network
110y
0
250
How We Use Cloud Run and its Friends
110y
0
240
Custom Kubernetes Controllers at Mercari
110y
1
480
What Is the Go Workspace Mode
110y
4
1.1k
What Are We Doing as Merpay Architect
110y
0
1.3k

Other Decks in Technology

See All in Technology
CloudFront + S3環境から Cloudflare R2 + Workers環境に移行した話
teckl
3
1.2k
自動運転レベル4解禁にあたり求められる遠隔監視技術
sbtechnight
PRO
0
490
「新卒エンジニアが1年間で顔を売るために取った行動100連発」/YAPC::Kyoto 2023 前日祭 ネコトーストラボ杯争奪東西対抗LTマッチ
arthur1
0
270
事業をエンジニアリングする技術者たちを支援する技術広報&DevRelの裏側 / devreljapan2023
carta_engineering
4
2.5k
Product Minded Software Engineers: Understanding the Product with a code-first approach
cembasaranoglu
0
210
dbtと仲良し!クラスメソッドのModern Data Stack
sagara
0
550
"Accelerate State of DevOps" ウェブアプリケーションのdeliveryを考えるとき、今何をすればいいのか
renjikari
3
160
知識拡張型言語モデルLUKE
ikuyamada
1
260
GitHub Actionsと"仲良くなる"ための練習方法
tsubakimoto_s
2
120
Exadata Database Cloud (Exadata Cloud Service) サービス技術詳細
oracle4engineer
PRO
0
26k
最先端の質問応答技術の研究開発と迅速な実用化ーStudio Ousiaでの取り組みー
ikuyamada
2
340
Spring Boot 3.0へのアップデートのハマり所 / Findings in Migrating our Application to Spring Boot 3.0
line_developers
PRO
3
300

Featured

See All Featured
From Idea to $5000 a Month in 5 Months
shpigford
374
44k
Statistics for Hackers
jakevdp
785
210k
Making the Leap to Tech Lead
cromwellryan
117
7.7k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
24
5.1k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
44
14k
Mobile First: as difficult as doing things right
swwweet
213
7.9k
Build your cross-platform service in a week with App Engine
jlugia
221
17k
Testing 201, or: Great Expectations
jmmastey
25
5.8k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
The Invisible Customer
myddelton
113
12k
GraphQLとの向き合い方2022年版
quramy
21
10k
The Power of CSS Pseudo Elements
geoffreycrofte
53
4.4k

Transcript

  1. Envoy as an API Gateway
    Yuki Ito (@mrno110)
    DP Engineering Monday

    View Slide

  2. Kauche


    Architect
    Yuki Ito


    @mrno110

    View Slide

  3. View Slide

  4. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide

  5. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide

  6. What is Envoy
    https://www.envoyproxy.io/docs/envoy/v1.23.0/intro/what_is_envoy
    Envoy is an L7 proxy and communication bus
    designed for large modern service oriented
    architectures. The project was born out of the
    belief that:ɹ


    The network should be transparent to
    applications. When network and application
    problems do occur it should be easy to
    determine the source of the problem.

    View Slide

  7. Envoy Con
    fi
    gurations
    Listener
    Cluster
    Endpoint Endpoint
    Cluster
    Endpoint Endpoint
    Route

    View Slide

  8. Envoy Con
    fi
    gurations
    0.0.0.0:5000
    Service-1
    10.28.1.11 10.28.1.12
    Service-2
    10.28.1.13 10.28.1.14
    Route
    Path: /service-1 Path: /service-2

    View Slide

  9. Static Con
    fi
    gurations
    static_resources:


    listeners:


    - address:


    socket_address:


    protocol: TCP


    address: 0.0.0.0


    port_value: 5000


    #...


    clusters:


    - name: service-1


    connect_timeout: 1s


    type: STRICT_DNS


    lb_policy: ROUND_ROBIN


    #...
    envoy.yaml

    View Slide

  10. Static Con
    fi
    gurations
    > envoy -c envoy.yaml

    View Slide

  11. Dynamic Con
    fi
    gurations
    Control Plane
    xDS API
    Cluster
    Route
    Listener

    View Slide

  12. x Discovery Service API
    •Listener Discovery Service


    •Route Discovery Service


    •Cluster Discovery Service


    •Endpoint Discovery Service

    View Slide

  13. e.g. Cluster Discovery Service
    service ClusterDiscoveryService {


    rpc StreamClusters(stream discovery.v3.DiscoveryRequest)


    returns (stream discovery.v3.DiscoveryResponse) {


    }


    rpc DeltaClusters(stream discovery.v3.DeltaDiscoveryRequest)


    returns (stream discovery.v3.DeltaDiscoveryResponse) {


    }


    rpc FetchClusters(discovery.v3.DiscoveryRequest)


    returns (discovery.v3.DiscoveryResponse) {


    }


    }
    cds.proto
    https://github.com/envoyproxy/envoy/blob/v1.23.0/api/envoy/service/cluster/v3/cds.proto

    View Slide

  14. Control Plane
    Control Plane
    xDS API
    Cluster
    Route
    Listener

    View Slide

  15. Control Plane - e.g. Istio
    istiod
    xDS API
    Cluster
    Route
    Listener

    View Slide

  16. Control Plane - e.g. Istio
    https://istio.io/v1.14/docs/ops/deployment/architecture/

    View Slide

  17. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide

  18. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide

  19. Architecture
    Run
    Tasks
    Pub/Sub
    Mobile App External Service
    Mobile API Web Hook API Job API
    Scheduler

    View Slide

  20. API Gateway Pattern
    Tasks
    Pub/Sub
    Mobile App External Service
    Mobile API Web Hook API Job API
    Scheduler

    View Slide

  21. API Gateway Pattern
    Tasks
    Pub/Sub
    Mobile App External Service
    Mobile API Web Hook API Job API
    Scheduler
    API Gateway

    View Slide

  22. O
    ffl
    oading Cross-Cutting Concerns to the API Gateway
    ✓ Authentication / Authorization


    ✓ Transcoding


    ✓ Being Internet facing (TLS / Domain / CDN / IP ...)


    ✓ ...

    View Slide

  23. Why Envoy?
    • Extensibility with WebAssembly


    • Dynamic Con
    fi
    gurations


    • Easy to setup


    • Widely used in the Cloud Native World

    View Slide

  24. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide

  25. Envoy Architecture
    https://www.envoyproxy.io/docs/envoy/latest/intro/life_of_a_request#http-
    fi
    lter-chain-processing

    View Slide

  26. HTTP Filters
    JWT Authentication
    RBAC
    Modify HTTP Headers
    Request

    View Slide

  27. HTTP Filters
    JWT Authentication
    RBAC
    Modify HTTP Headers
    Request

    View Slide

  28. Wasm Filter
    Compile

    View Slide

  29. proxy-wasm
    https://github.com/proxy-wasm/spec/blob/c8
    ff
    5a8ac7b18a65360fe8ab843a6291b8947682/docs/WebAssembly-in-Envoy.md

    View Slide

  30. Wasm Filter
    http_filters:


    - name: envoy.filters.http.wasm


    typed_config:


    '@type': type.googleapis.com/udpa.type.v1.TypedStruct


    type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm


    value:


    config:


    vm_config:


    runtime: envoy.wasm.runtime.v8


    code:


    local:


    filename: /etc/envoy/proxy-wasm-cloud-logging-trace-context.wasm


    configuration:


    '@type': type.googleapis.com/google.protobuf.StringValue


    value: |-


    {


    "project_id": "x-asia-kauche-dev"


    }


    - name: envoy.filters.http.router


    typed_config:


    '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router


    View Slide

  31. e.g. Fetching access tokens from Google Cloud Metadata Server
    API Gateway
    Upstream Microservice
    Metadata Server
    Access Token Access Token
    Get Access Token
    Request

    View Slide

  32. e.g. Integrating with Google CloudLogging
    https://github.com/kauche/proxy-wasm-cloud-logging-trace-context
    kauche / proxy-wasm-cloud-logging-trace-context

    View Slide

  33. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide

  34. Static Con
    fi
    gurations
    static_resources:


    listeners:


    - address:


    socket_address:


    protocol: TCP


    address: 0.0.0.0


    port_value: 5000


    #...


    clusters:


    - name: service-1


    connect_timeout: 1s


    type: STRICT_DNS


    lb_policy: ROUND_ROBIN


    #...
    envoy.yaml

    View Slide

  35. Con
    fi
    gurations for Various Environments
    • Local


    • CI


    • Lab


    • Dev


    • Prod
    ~ 60% consists of the same
    con
    fi
    gurations for each
    environment.

    View Slide

  36. Building Con
    fi
    gurations with CUE
    https://cuelang.org/
    CUE is an open source language, with a
    rich set of APIs and tooling, for de
    fi
    ning,
    generating, and validating all kinds of
    data: con
    fi
    guration, APIs, database
    schemas, code, … you name it.

    View Slide

  37. Building Con
    fi
    gurations with CUE
    package config


    #Input: {


    upstreams: [...#Upstream]


    // ...


    }


    #Upstream: {


    name: string


    address: string


    // ...


    }


    #Bootstrap: {


    input: #Input


    config: {


    static_resources: {


    clusters: [


    for upstream in input.upstreams {


    // ...


    },


    ]


    // ...


    }


    }


    }

    View Slide

  38. Building Con
    fi
    gurations with CUE
    package dev


    import ".../envoy/config"


    bootstrap: config.#Bootstrap & {


    input: config.#Input & {


    upstreams: [


    config.#Upstream & {


    name: "api"


    address: "....run.app"


    // ...


    },


    config.#Upstream & {


    name: "partner"


    address: "....run.app"


    // ...


    },


    ]


    }


    }
    package local


    import ".../envoy/config"


    bootstrap: config.#Bootstrap & {


    input: config.#Input & {


    upstreams: [


    config.#Upstream & {


    name: "api"


    address: "localhost"


    // ...


    },


    config.#Upstream & {


    name: "partner"


    address: "localhost"


    // ...


    },


    ]


    }


    }
    dev/con
    fi
    g.cue local/con
    fi
    g.cue

    View Slide

  39. Building Con
    fi
    gurations with CUE
    Generate
    YAML

    View Slide

  40. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide

  41. External Authorization
    Envoy
    Upstream
    External Authorization Service
    OK / NG (+ Token) Token
    Context / Headers
    Request

    View Slide

  42. External Authorization
    service Authorization {


    // Performs authorization check based on the attributes associated with the


    // incoming request, and returns status `OK` or not `OK`.


    rpc Check(CheckRequest) returns (CheckResponse) {


    }


    }


    message CheckRequest {


    option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v2.CheckRequest";


    // The request attributes.


    AttributeContext attributes = 1;


    }
    external_auth.proto
    https://github.com/envoyproxy/envoy/blob/v1.23.0/api/envoy/service/auth/v3/external_auth.proto

    View Slide

  43. External Authorization
    Envoy
    Upstream
    External Authorization Service
    OK / NG (+ JWT) JWT
    Context / Headers
    Request

    View Slide

  44. Agenda
    • What is Envoy


    • Envoy as an API Gateway @ Kauche


    • WebAssembly Module


    • CUE for Con
    fi
    guration Management


    • External Authorization

    View Slide