
Introduction to Envoy

An introduction to Envoy given at the Cloud Native Computing Johannesburg July 2018 Meetup. 5 topics covered:

- What is Envoy?
- The network proxy landscape
- Envoy’s API: Discovery Services
- Service mesh: abstracting the network
- The Envoy ecosystem

Jamie Hewland

July 02, 2018

Transcript

  1. Who am I?
     • Site Reliability Engineer (SRE) @ Praekelt.org
     • 10% of time => “Tech Ambassador”
     • Grew up in Cape Town, graduated UCT in 2014, in JHB since 2015
  2. My limitations
     • Haven’t used Kubernetes in production—we’re Mesosphere DC/OS users (for now)
     • Haven’t used Service Meshes in production
     • At some point I will say “Eh-nvoy” instead of “Ah-nvoy”
  3. My expertise
     • Have written a Discovery Service for Envoy
     • Have significant experience with Nginx & HAProxy
     • Have experience running container orchestration systems at a reasonable level of scale
  4. 1. What is Envoy?
     2. The network proxy landscape
     3. Envoy’s API: Discovery Services
     4. Service mesh: abstracting the network
     5. The Envoy ecosystem
  5. “Proxy”?
     • Reverse proxy/load-balancer
     • Like Nginx, HAProxy
     • Also not like Nginx/Apache, not a web server
     • Doesn’t serve files
     • Doesn’t cache (but can buffer)
     • Won’t do CGI/uWSGI/etc.

     “an intermediary for requests from clients seeking resources from other servers”
  6. Envoy features
     • It has an API! No more templated config files, seamless reloads.
     • First-class HTTP/2 support (downstream & upstream)
     • Supports other application protocols (Redis, Mongo), with more incoming (Thrift, Kafka)
     • Built-in metrics (Prometheus, statsd) & tracing (OpenTracing)
     • Advanced load-balancing tools: complex health checks, circuit breakers, zone-aware routing, traffic shifting, canarying
  7. A brief timeline (pre-K8S)
     • 1995: Apache (httpd) initial release
     • 2001: HAProxy initial release
     • 2004: Nginx initial release
     • 2009: AWS ELB (probably HAProxy-based)
     • 2013: Airbnb’s SmartStack (HAProxy-based)
     • 2014: HashiCorp Consul v0.1.0
     • 2014 June: Kubernetes first commit on GitHub
     • 2014 November: Netflix Prana (sidecar for non-JVM apps)
  8. A brief timeline (post-K8S)
     • 2015 July: Kubernetes hits 1.0 and moves to CNCF
     • 2016 February: Linkerd initial release (v0.1.0)
     • 2016 July: Traefik v1.0.0
     • 2016 September: Envoy open-sourced by Lyft
     • ~2016 October: Linkerd starts using the phrase “Service Mesh” widely
     • 2017 January: nginx-ingress-controller: First beta
     • 2017 January: Linkerd joins CNCF as 5th hosted project
     • 2017 May: Istio initial release (v0.1.0)
     • 2017 September: Envoy joins CNCF as 11th hosted project
     • 2017 November: HAProxy adds HTTP/2 support (v1.8.0)
     • 2018 March: Nginx adds gRPC support (v1.13.10)
  9. Eventual consistency

     | Discovery status | Health Check OK | Health Check failed |
     | --- | --- | --- |
     | Discovered | Route | Don’t route |
     | Absent | Route | Don’t route & delete |
  10. Discovery Services
      • Very flexible, can use all the Discovery Services (dynamic), or define everything in YAML (static), or mix
      • Streaming gRPC or polling REST-JSON
      • Protocol defined in protobufs (see envoyproxy/data-plane-api)
      • New (non-Discovery) Services being developed: Rate limit service, access log service…
  11. Envoy development
      • Envoy written in modern C++ “for developer productivity”
      • Leverages several 3rd-party libraries, e.g.
        • Node.js HTTP parser
        • nghttp2 for HTTP/2
        • BoringSSL for TLS
      • Bazel build system
      • CircleCI: unit, integration, coverage, address sanitisers…
      • GitHub repo, Slack channel, community meetings…
  12. Service mesh benefits
      • Reliability:
        • Retries, timeouts, circuit breakers
        • Traffic shifting, canary releases
      • Visibility:
        • Metrics for all requests
        • Tracing
      • Security:
        • Encrypt connections (TLS)
        • Access control, policy
  13. Ambassador
      • API gateway & load-balancer for Kubernetes
      • Not a Service Mesh, also not an ingress controller
      • Authentication (basic, OpenID, OAuth)
      • Rate limiting
      • Other Envoy features: TLS, Canary releases, gRPC, WebSockets, …
  14. Thank you
      • Questions?
      • Official Envoy blog: https://blog.envoyproxy.io
      • Learn Envoy by Turbine Labs: https://www.learnenvoy.io
      • Is a Service Mesh right for you? https://www.infoq.com/articles/service-mesh-promise-peril
      • Twitter: @jayhewland
      • Medium: @jamiehewland