Slide 1

Slide 1 text

Envoy as an API Gateway
Yuki Ito (@mrno110)
DP Engineering Monday

Slide 2

Slide 2 text

Kauche Architect Yuki Ito @mrno110

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

Agenda
• What is Envoy
• Envoy as an API Gateway @ Kauche
• WebAssembly Module
• CUE for Configuration Management
• External Authorization

Slide 6

Slide 6 text

What is Envoy
https://www.envoyproxy.io/docs/envoy/v1.23.0/intro/what_is_envoy
Envoy is an L7 proxy and communication bus designed for large modern service oriented architectures. The project was born out of the belief that: The network should be transparent to applications. When network and application problems do occur it should be easy to determine the source of the problem.

Slide 7

Slide 7 text

Envoy Configurations (diagram): Listener -> Route -> Cluster (Endpoint, Endpoint) / Cluster (Endpoint, Endpoint)

Slide 8

Slide 8 text

Envoy Configurations (diagram): Listener 0.0.0.0:5000 -> Route: Path /service-1 -> Service-1 (10.28.1.11, 10.28.1.12); Path /service-2 -> Service-2 (10.28.1.13, 10.28.1.14)

Slide 9

Slide 9 text

Static Configurations (envoy.yaml)

static_resources:
  listeners:
    - address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 5000
      #...
  clusters:
    - name: service-1
      connect_timeout: 1s
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      #...

Slide 10

Slide 10 text

Static Configurations

> envoy -c envoy.yaml
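As an added example (not from the slides), here is a complete static envoy.yaml for the topology on slide 8: one listener on 0.0.0.0:5000 whose route table sends the /service-1 and /service-2 path prefixes to the two STRICT_DNS clusters, each of which would resolve to the IP pairs shown on that slide. The hostnames service-1.internal and service-2.internal and the upstream port 8080 are assumptions, as is the wildcard virtual host.

```yaml
static_resources:
  listeners:
    - address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 5000
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                route_config:
                  virtual_hosts:
                    - name: backend
                      domains: ["*"]          # assumed: accept any Host header
                      routes:                 # path prefix -> cluster, as on slide 8
                        - match: { prefix: /service-1 }
                          route: { cluster: service-1 }
                        - match: { prefix: /service-2 }
                          route: { cluster: service-2 }
                http_filters:                 # the router must be the last HTTP filter
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: service-1
      connect_timeout: 1s
      type: STRICT_DNS                        # assumed hostname resolves to 10.28.1.11 / 10.28.1.12
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: service-1
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address: { address: service-1.internal, port_value: 8080 }  # assumed
    - name: service-2
      connect_timeout: 1s
      type: STRICT_DNS                        # assumed hostname resolves to 10.28.1.13 / 10.28.1.14
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: service-2
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address: { address: service-2.internal, port_value: 8080 }  # assumed
```

Run it with the command on this slide; a request to http://127.0.0.1:5000/service-1/... is load-balanced round-robin across the resolved addresses of service-1, and any path that matches neither prefix gets a 404 from Envoy itself.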

Slide 11

Slide 11 text

Dynamic Configurations (diagram): Control Plane --xDS API--> Cluster / Route / Listener

Slide 12

Slide 12 text

x Discovery Service API
• Listener Discovery Service
• Route Discovery Service
• Cluster Discovery Service
• Endpoint Discovery Service

Slide 13

Slide 13 text

e.g. Cluster Discovery Service (cds.proto)

service ClusterDiscoveryService {
  rpc StreamClusters(stream discovery.v3.DiscoveryRequest)
      returns (stream discovery.v3.DiscoveryResponse) {
  }

  rpc DeltaClusters(stream discovery.v3.DeltaDiscoveryRequest)
      returns (stream discovery.v3.DeltaDiscoveryResponse) {
  }

  rpc FetchClusters(discovery.v3.DiscoveryRequest)
      returns (discovery.v3.DiscoveryResponse) {
  }
}

https://github.com/envoyproxy/envoy/blob/v1.23.0/api/envoy/service/cluster/v3/cds.proto

Slide 14

Slide 14 text

Control Plane (diagram): Control Plane --xDS API--> Cluster / Route / Listener

Slide 15

Slide 15 text

Control Plane - e.g. Istio (diagram): istiod --xDS API--> Cluster / Route / Listener

Slide 16

Slide 16 text

Control Plane - e.g. Istio https://istio.io/v1.14/docs/ops/deployment/architecture/

Slide 17

Slide 17 text

Agenda
• What is Envoy
• Envoy as an API Gateway @ Kauche
• WebAssembly Module
• CUE for Configuration Management
• External Authorization

Slide 19

Slide 19 text

Architecture (diagram components): Run, Tasks, Pub/Sub, Mobile App, External Service, Mobile API, Web Hook API, Job API, Scheduler

Slide 20

Slide 20 text

API Gateway Pattern (diagram components): Tasks, Pub/Sub, Mobile App, External Service, Mobile API, Web Hook API, Job API, Scheduler

Slide 21

Slide 21 text

API Gateway Pattern (diagram components): Tasks, Pub/Sub, Mobile App, External Service, Mobile API, Web Hook API, Job API, Scheduler, API Gateway

Slide 22

Slide 22 text

Offloading Cross-Cutting Concerns to the API Gateway
✓ Authentication / Authorization
✓ Transcoding
✓ Being Internet facing (TLS / Domain / CDN / IP ...)
✓ ...

Slide 23

Slide 23 text

Why Envoy?
• Extensibility with WebAssembly
• Dynamic Configurations
• Easy to set up
• Widely used in the Cloud Native World

Slide 24

Slide 24 text

Agenda
• What is Envoy
• Envoy as an API Gateway @ Kauche
• WebAssembly Module
• CUE for Configuration Management
• External Authorization

Slide 25

Slide 25 text

Envoy Architecture
https://www.envoyproxy.io/docs/envoy/latest/intro/life_of_a_request#http-filter-chain-processing

Slide 26

Slide 26 text

HTTP Filters (filter chain diagram): Request -> JWT Authentication -> RBAC -> Modify HTTP Headers

Slide 28

Slide 28 text

Wasm Filter Compile

Slide 29

Slide 29 text

proxy-wasm
https://github.com/proxy-wasm/spec/blob/c8ff5a8ac7b18a65360fe8ab843a6291b8947682/docs/WebAssembly-in-Envoy.md

Slide 30

Slide 30 text

Wasm Filter

http_filters:
  - name: envoy.filters.http.wasm
    typed_config:
      '@type': type.googleapis.com/udpa.type.v1.TypedStruct
      type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
      value:
        config:
          vm_config:
            runtime: envoy.wasm.runtime.v8
            code:
              local:
                filename: /etc/envoy/proxy-wasm-cloud-logging-trace-context.wasm
          configuration:
            '@type': type.googleapis.com/google.protobuf.StringValue
            value: |-
              {
                "project_id": "x-asia-kauche-dev"
              }
  - name: envoy.filters.http.router
    typed_config:
      '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

Slide 31

Slide 31 text

e.g. Fetching access tokens from Google Cloud Metadata Server (diagram): Request -> API Gateway --Get Access Token--> Metadata Server --Access Token--> API Gateway --Access Token--> Upstream Microservice

Slide 32

Slide 32 text

e.g. Integrating with Google Cloud Logging
https://github.com/kauche/proxy-wasm-cloud-logging-trace-context

Slide 33

Slide 33 text

Agenda
• What is Envoy
• Envoy as an API Gateway @ Kauche
• WebAssembly Module
• CUE for Configuration Management
• External Authorization

Slide 34

Slide 34 text

Static Configurations (envoy.yaml)

static_resources:
  listeners:
    - address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 5000
      #...
  clusters:
    - name: service-1
      connect_timeout: 1s
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      #...

Slide 35

Slide 35 text

Configurations for Various Environments
• Local
• CI
• Lab
• Dev
• Prod
~60% consists of the same configurations for each environment.

Slide 36

Slide 36 text

Building Configurations with CUE
https://cuelang.org/
CUE is an open source language, with a rich set of APIs and tooling, for defining, generating, and validating all kinds of data: configuration, APIs, database schemas, code, ... you name it.

Slide 37

Slide 37 text

Building Configurations with CUE

package config

#Input: {
    upstreams: [...#Upstream]
    // ...
}

#Upstream: {
    name:    string
    address: string
    // ...
}

#Bootstrap: {
    input: #Input
    config: {
        static_resources: {
            clusters: [
                for upstream in input.upstreams {
                    // ...
                },
            ]
            // ...
        }
    }
}

Slide 38

Slide 38 text

Building Configurations with CUE

dev/config.cue:

package dev

import ".../envoy/config"

bootstrap: config.#Bootstrap & {
    input: config.#Input & {
        upstreams: [
            config.#Upstream & {
                name:    "api"
                address: "....run.app"
                // ...
            },
            config.#Upstream & {
                name:    "partner"
                address: "....run.app"
                // ...
            },
        ]
    }
}

local/config.cue:

package local

import ".../envoy/config"

bootstrap: config.#Bootstrap & {
    input: config.#Input & {
        upstreams: [
            config.#Upstream & {
                name:    "api"
                address: "localhost"
                // ...
            },
            config.#Upstream & {
                name:    "partner"
                address: "localhost"
                // ...
            },
        ]
    }
}

Slide 39

Slide 39 text

Building Configurations with CUE: Generate YAML

Slide 40

Slide 40 text

Agenda
• What is Envoy
• Envoy as an API Gateway @ Kauche
• WebAssembly Module
• CUE for Configuration Management
• External Authorization

Slide 41

Slide 41 text

External Authorization (diagram): Request (Token) -> Envoy --Context / Headers--> External Authorization Service --OK / NG (+ Token)--> Envoy -> Upstream

Slide 42

Slide 42 text

External Authorization (external_auth.proto)

service Authorization {
  // Performs authorization check based on the attributes associated with the
  // incoming request, and returns status `OK` or not `OK`.
  rpc Check(CheckRequest) returns (CheckResponse) {
  }
}

message CheckRequest {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.service.auth.v2.CheckRequest";

  // The request attributes.
  AttributeContext attributes = 1;
}

https://github.com/envoyproxy/envoy/blob/v1.23.0/api/envoy/service/auth/v3/external_auth.proto

Slide 43

Slide 43 text

External Authorization (diagram): Request (JWT) -> Envoy --Context / Headers--> External Authorization Service --OK / NG (+ JWT)--> Envoy -> Upstream
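As an added example (not from the slides or Kauche's configuration), these two fragments wire the External Authorization service from slides 41-43 into Envoy: the ext_authz HTTP filter goes into the http_connection_manager's http_filters ahead of the router, and the cluster it calls Check() on goes into static_resources.clusters. The cluster name ext-authz, the hostname ext-authz.internal, port 9001 and the timeouts are assumptions. The setting worth a second look is failure_mode_allow: with it false, a Check() that errors or times out denies the request instead of forwarding it to the upstream unauthenticated.

```yaml
http_filters:
  - name: envoy.filters.http.ext_authz
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
      transport_api_version: V3
      # Fail closed: an unreachable or erroring authz service denies the request
      # rather than letting it reach the upstream. false is already the default;
      # it is written out so a config review can see it has not been flipped.
      failure_mode_allow: false
      grpc_service:
        envoy_grpc:
          cluster_name: ext-authz        # assumed name, defined in the cluster below
        timeout: 0.5s                    # assumed; bounds how long a request waits on Check()
  - name: envoy.filters.http.router      # router stays last; ext_authz runs before it
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

clusters:
  - name: ext-authz
    connect_timeout: 0.25s               # assumed
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    # Check() is a gRPC call, so the upstream connection must be HTTP/2
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: ext-authz
      endpoints:
        - lb_endpoints:
            - endpoint:
                address:
                  socket_address: { address: ext-authz.internal, port_value: 9001 }  # assumed
```

Headers the service returns in an OK CheckResponse (the JWT on this slide) are appended to the request before it reaches the upstream; for a denied CheckResponse Envoy answers the client itself with the status the service chose, and the upstream never sees the request.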

Slide 44

Slide 44 text

Agenda
• What is Envoy
• Envoy as an API Gateway @ Kauche
• WebAssembly Module
• CUE for Configuration Management
• External Authorization