Envoy as an API Gateway Yuki Ito (@mrno110) DP Engineering Monday

Kauche Architect Yuki Ito @mrno110

No content

Agenda • What is Envoy • Envoy as an API Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization

Agenda • What is Envoy • Envoy as an API Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization

What is Envoy https://www.envoyproxy.io/docs/envoy/v1.23.0/intro/what_is_envoy Envoy is an L7 proxy and communication bus designed for large modern service oriented architectures. The project was born out of the belief that:ɹ The network should be transparent to applications. When network and application problems do occur it should be easy to determine the source of the problem.

Envoy Con fi gurations Listener Cluster Endpoint Endpoint Cluster Endpoint Endpoint Route

Envoy Con fi gurations 0.0.0.0:5000 Service-1 10.28.1.11 10.28.1.12 Service-2 10.28.1.13 10.28.1.14 Route Path: /service-1 Path: /service-2

Static Con fi gurations static_resources: listeners: - address: socket_address: protocol: TCP address: 0.0.0.0 port_value: 5000 #... clusters: - name: service-1 connect_timeout: 1s type: STRICT_DNS lb_policy: ROUND_ROBIN #... envoy.yaml

Static Con fi gurations > envoy -c envoy.yaml

Dynamic Con fi gurations Control Plane xDS API Cluster Route Listener

x Discovery Service API •Listener Discovery Service •Route Discovery Service •Cluster Discovery Service •Endpoint Discovery Service

e.g. Cluster Discovery Service service ClusterDiscoveryService { rpc StreamClusters(stream discovery.v3.DiscoveryRequest) returns (stream discovery.v3.DiscoveryResponse) { } rpc DeltaClusters(stream discovery.v3.DeltaDiscoveryRequest) returns (stream discovery.v3.DeltaDiscoveryResponse) { } rpc FetchClusters(discovery.v3.DiscoveryRequest) returns (discovery.v3.DiscoveryResponse) { } } cds.proto https://github.com/envoyproxy/envoy/blob/v1.23.0/api/envoy/service/cluster/v3/cds.proto

Control Plane Control Plane xDS API Cluster Route Listener

Control Plane - e.g. Istio istiod xDS API Cluster Route Listener

Control Plane - e.g. Istio https://istio.io/v1.14/docs/ops/deployment/architecture/

Agenda • What is Envoy • Envoy as an API Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization

Agenda • What is Envoy • Envoy as an API Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization

Architecture Run Tasks Pub/Sub Mobile App External Service Mobile API Web Hook API Job API Scheduler

API Gateway Pattern Tasks Pub/Sub Mobile App External Service Mobile API Web Hook API Job API Scheduler

API Gateway Pattern Tasks Pub/Sub Mobile App External Service Mobile API Web Hook API Job API Scheduler API Gateway

O ffl oading Cross-Cutting Concerns to the API Gateway ✓ Authentication / Authorization ✓ Transcoding ✓ Being Internet facing (TLS / Domain / CDN / IP ...) ✓ ...

Why Envoy? • Extensibility with WebAssembly • Dynamic Con fi gurations • Easy to setup • Widely used in the Cloud Native World

Agenda • What is Envoy • Envoy as an API Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization

Envoy Architecture https://www.envoyproxy.io/docs/envoy/latest/intro/life_of_a_request#http- fi lter-chain-processing

HTTP Filters JWT Authentication RBAC Modify HTTP Headers Request

HTTP Filters JWT Authentication RBAC Modify HTTP Headers Request

Wasm Filter Compile

proxy-wasm https://github.com/proxy-wasm/spec/blob/c8 ff 5a8ac7b18a65360fe8ab843a6291b8947682/docs/WebAssembly-in-Envoy.md

Wasm Filter http_filters: - name: envoy.filters.http.wasm typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: vm_config: runtime: envoy.wasm.runtime.v8 code: local: filename: /etc/envoy/proxy-wasm-cloud-logging-trace-context.wasm configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: |- { "project_id": "x-asia-kauche-dev" } - name: envoy.filters.http.router typed_config: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

e.g. Fetching access tokens from Google Cloud Metadata Server API Gateway Upstream Microservice Metadata Server Access Token Access Token Get Access Token Request

e.g. Integrating with Google CloudLogging https://github.com/kauche/proxy-wasm-cloud-logging-trace-context kauche / proxy-wasm-cloud-logging-trace-context

Agenda • What is Envoy • Envoy as an API Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization

Static Con fi gurations static_resources: listeners: - address: socket_address: protocol: TCP address: 0.0.0.0 port_value: 5000 #... clusters: - name: service-1 connect_timeout: 1s type: STRICT_DNS lb_policy: ROUND_ROBIN #... envoy.yaml

Con fi gurations for Various Environments • Local • CI • Lab • Dev • Prod ~ 60% consists of the same con fi gurations for each environment.

Building Con fi gurations with CUE https://cuelang.org/ CUE is an open source language, with a rich set of APIs and tooling, for de fi ning, generating, and validating all kinds of data: con fi guration, APIs, database schemas, code, … you name it.

Building Con fi gurations with CUE package config #Input: { upstreams: [...#Upstream] // ... } #Upstream: { name: string address: string // ... } #Bootstrap: { input: #Input config: { static_resources: { clusters: [ for upstream in input.upstreams { // ... }, ] // ... } } }

Building Con fi gurations with CUE package dev import ".../envoy/config" bootstrap: config.#Bootstrap & { input: config.#Input & { upstreams: [ config.#Upstream & { name: "api" address: "....run.app" // ... }, config.#Upstream & { name: "partner" address: "....run.app" // ... }, ] } } package local import ".../envoy/config" bootstrap: config.#Bootstrap & { input: config.#Input & { upstreams: [ config.#Upstream & { name: "api" address: "localhost" // ... }, config.#Upstream & { name: "partner" address: "localhost" // ... }, ] } } dev/con fi g.cue local/con fi g.cue

Building Con fi gurations with CUE Generate YAML

Agenda • What is Envoy • Envoy as an API Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization

External Authorization Envoy Upstream External Authorization Service OK / NG (+ Token) Token Context / Headers Request

External Authorization service Authorization { // Performs authorization check based on the attributes associated with the // incoming request, and returns status `OK` or not `OK`. rpc Check(CheckRequest) returns (CheckResponse) { } } message CheckRequest { option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v2.CheckRequest"; // The request attributes. AttributeContext attributes = 1; } external_auth.proto https://github.com/envoyproxy/envoy/blob/v1.23.0/api/envoy/service/auth/v3/external_auth.proto

External Authorization Envoy Upstream External Authorization Service OK / NG (+ JWT) JWT Context / Headers Request

Agenda • What is Envoy • Envoy as an API Gateway @ Kauche • WebAssembly Module • CUE for Con fi guration Management • External Authorization