
Introduction to Envoy

An introduction to Envoy given at the Cloud Native Computing Johannesburg July 2018 Meetup. 5 topics covered:

- What is Envoy?
- The network proxy landscape
- Envoy’s API: Discovery Services
- Service mesh: abstracting the network
- The Envoy ecosystem


Jamie Hewland

July 02, 2018

Transcript

  1. Introduction to Envoy: July CNCJ Meetup, Jamie Hewland, 2 July 2018
  2. Who am I?
     - Site Reliability Engineer (SRE) @ Praekelt.org
     - 10% of time => “Tech Ambassador”
     - Grew up in Cape Town, graduated UCT in 2014, in JHB since 2015
  3. My limitations
     - Haven’t used Kubernetes in production—we’re Mesosphere DC/OS users (for now)
     - Haven’t used Service Meshes in production
     - At some point I will say “Eh-nvoy” instead of “Ah-nvoy”
  4. My expertise
     - Have written a Discovery Service for Envoy
     - Have significant experience with Nginx & HAProxy
     - Have experience running container orchestration systems at a reasonable level of scale
  5. Topics
     1. What is Envoy?
     2. The network proxy landscape
     3. Envoy’s API: Discovery Services
     4. Service mesh: abstracting the network
     5. The Envoy ecosystem
  6. What is Envoy?

  7. ENVOY IS AN OPEN SOURCE EDGE AND SERVICE PROXY, DESIGNED FOR CLOUD-NATIVE APPLICATIONS
  8. “Proxy”?
     - Reverse proxy/load-balancer
     - Like Nginx, HAProxy
     - Also not like Nginx/Apache, not a web server
     - Doesn’t serve files
     - Doesn’t cache (but can buffer)
     - Won’t do CGI/uWSGI/etc.
     - “an intermediary for requests from clients seeking resources from other servers”
  9. Edge/front proxy: reverse proxy/load-balancer pattern, North-South traffic
  10. Service proxy: service mesh pattern, East-West traffic
  11. Envoy features
      - It has an API! No more templated config files, seamless reloads.
      - First-class HTTP/2 support (downstream & upstream)
      - Supports other application protocols (Redis, Mongo), with more incoming (Thrift, Kafka)
      - Built-in metrics (Prometheus, statsd) & tracing (OpenTracing)
      - Advanced load-balancing tools: complex health checks, circuit breakers, zone-aware routing, traffic shifting, canarying
  13. Reverse proxy landscape

  14. A brief timeline (pre-K8S)
      - 1995: Apache (httpd) initial release
      - 2001: HAProxy initial release
      - 2004: Nginx initial release
      - 2009: AWS ELB (probably HAProxy-based)
      - 2013: Airbnb’s SmartStack (HAProxy-based)
      - 2014: HashiCorp Consul v0.1.0
      - 2014 June: Kubernetes first commit on GitHub
      - 2014 November: Netflix Prana (sidecar for non-JVM apps)
  15. A brief timeline (post-K8S)
      - 2015 July: Kubernetes hits 1.0 and moves to CNCF
      - 2016 February: Linkerd initial release (v0.1.0)
      - 2016 July: Traefik v1.0.0
      - 2016 September: Envoy open-sourced by Lyft
      - ~2016 October: Linkerd starts using the phrase “Service Mesh” widely
      - 2017 January: nginx-ingress-controller: First beta
      - 2017 January: Linkerd joins CNCF as 5th hosted project
      - 2017 May: Istio initial release (v0.1.0)
      - 2017 September: Envoy joins CNCF as 11th hosted project
      - 2017 November: HAProxy adds HTTP/2 support (v1.8.0)
      - 2018 March: Nginx adds gRPC support (v1.13.10)
  17. Envoy’s API: Discovery Services

  21. Eventual consistency

      | Discovery status | Health Check OK | Health Check failed |
      | --- | --- | --- |
      | Discovered | Route | Don’t route |
      | Absent | Route | Don’t route & delete |

  22. Discovery Services
      - Very flexible, can use all the Discovery Services (dynamic), or define everything in YAML (static), or mix
      - Streaming gRPC or polling REST-JSON
      - Protocol defined in protobufs (see envoyproxy/data-plane-api)
      - New (non-Discovery) Services being developed: Rate limit service, access log service…
  23. Envoy development
      - Envoy written in modern C++ “for developer productivity”
      - Leverages several 3rd-party libraries, e.g.
        - Node.js HTTP parser
        - nghttp2 for HTTP/2
        - BoringSSL for TLS
      - Bazel build system
      - CircleCI: unit, integration, coverage, address sanitisers…
      - GitHub repo, Slack channel, community meetings…
  24. Service mesh: abstracting the network

  25. Microservices communication: Imagine you are writing Service A that speaks to Service B
  26. Microservices communication

  27. Microservices communication

  28. Microservices communication

  29. Service mesh at the pod level

  30. Service mesh

  31. Service mesh benefits
      - Reliability:
        - Retries, timeouts, circuit breakers
        - Traffic shifting, canary releases
      - Visibility:
        - Metrics for all requests
        - Tracing
      - Security:
        - Encrypt connections (TLS)
        - Access control, policy
  32. 2018 The Year of the Service Mesh?

  33. The Envoy ecosystem

  35. Istio

  38. Ambassador
      - API gateway & load-balancer for Kubernetes
      - Not a Service Mesh, also not an ingress controller
      - Authentication (basic, OpenID, OAuth)
      - Rate limiting
      - Other Envoy features: TLS, Canary releases, gRPC, WebSockets, …
  40. Thank you
      - Questions?
      - Official Envoy blog: https://blog.envoyproxy.io
      - Learn Envoy by Turbine Labs: https://www.learnenvoy.io
      - Is a Service Mesh right for you? https://www.infoq.com/articles/service-mesh-promise-peril
      - Twitter: @jayhewland
      - Medium: @jamiehewland