Slide 1

Gloo Architecture Feb 26, 2020

Slide 2

2 | Copyright © 2020 Applications and Environments

Slide 3

API Gateway

Slide 4

Gloo API Gateway

[Diagram labels: SERVICE A, SERVICE B, SERVICE C, SERVICE D, SERVICE E]

Slide 5

Gloo API Gateway

[Diagram labels: SERVICE A, SERVICE B, SERVICE C, SERVICE D, SERVICE E, NORTH-SOUTH TRAFFIC]

Slide 6

Gloo API Gateway

[Diagram labels: SERVICE A, SERVICE B, SERVICE C, SERVICE D, SERVICE E, NORTH-SOUTH TRAFFIC]

Slide 7

Why Envoy Proxy?

• Neutral foundation (CNCF)
• Large, diverse, vibrant community
• Built from the ground up for dynamic service environments
• Dynamic configuration, driven by API
• Highly extensible
• L7 filters (HTTP/1, HTTP/2, gRPC, Redis, MySQL, Kafka, etc.)
• Deep signals telemetry out of the box
• Versatile deployment options

Slide 8

Open Source Gloo

[Diagram labels: Gateway Proxy, ENVOY CONFIG, CONTROL PLANE, DATA PLANE, END USERS, SERVICE 1, SERVICE 2, SERVICE 3]

Slide 9

Open Source Gloo

[Diagram labels: Gateway Proxy, Gloo]

Slide 10

Open Source Gloo

[Diagram labels: Gateway Proxy, Gloo]

    apiVersion: gloo.solo.io/v1
    kind: Proxy
    metadata:
      name: gateway-proxy
      namespace: gloo-system
    spec:
      listeners:
      - bindAddress: '::'
        bindPort: 8080
        httpListener:
          virtualHosts:
          - domains:
            - '*'
            routes:
            - matchers:
              - prefix: /contact
              routeAction:
                single:
                  destinationSpec:
                    aws:
                      logicalName: contact-form:3

Slide 11

Open Source Gloo

[Diagram labels: Gateway Proxy, Gloo]

    ...
    spec:
      listeners:
      - bindAddress: '::'
        bindPort: 8080
        httpListener:
          virtualHosts:
          - domains:
            - '*'
            name: gloo-system.petclinic
            routes:
            - matchers:
              - prefix: /vets
              routeAction:
                single:
                  upstream:
                    name: default-petclinic-vets-8080
                    namespace: gloo-system
            - matchers:
              - prefix: /
              metadata:

Slide 12

Open Source Gloo

[Diagram labels: Gateway Proxy, Gloo]

    ...
    routes:
    - matchers:
      - prefix: /contact
      routeAction:
        single:
          destinationSpec:
            aws:
              logicalName: contact-form:3
              responseTransformation: true
          upstream:
            name: aws
            namespace: gloo-system
    ...

Slide 13

Open Source Gloo

[Diagram labels: Gateway Proxy, Gloo]

Slide 14

Open Source Gloo

[Diagram labels: Gateway Proxy, Gloo, Discovery]

Slide 15

Open Source Gloo

[Diagram labels: Gateway Proxy, Gloo, Discovery]

    ➜ k get upstream -n gloo-system
    default-kubernetes-443
    default-petclinic-8080
    default-petclinic-db-3306
    default-petclinic-db-petclinic-db-0-3306
    default-petclinic-vets-8080
    gloo-system-apiserver-ui-8080
    gloo-system-apiserver-ui-gloo-8080
    gloo-system-extauth-8083
    gloo-system-gateway-443
    gloo-system-gateway-proxy-443
    gloo-system-gateway-proxy-80
    gloo-system-gateway-proxy-gateway-proxy-443
    gloo-system-gateway-proxy-gateway-proxy-80
    gloo-system-gloo-9966
    gloo-system-gloo-9977
    gloo-system-gloo-9979
    gloo-system-gloo-9988
    gloo-system-glooe-grafana-80
    gloo-system-glooe-prometheus-ku-460d37aaba5d9eeea0c7ef0b6194981

Slide 16

Open Source Gloo

[Diagram labels: Gateway Proxy, Gloo, Discovery]

    apiVersion: gloo.solo.io/v1
    kind: Upstream
    metadata:
      labels:
        discovered_by: kubernetesplugin
      name: default-petclinic-vets-8080
      namespace: gloo-system
    spec:
      discoveryMetadata: {}
      kube:
        selector:
          app: petclinic-vets
        serviceName: petclinic-vets
        serviceNamespace: default
        servicePort: 8080
    status:
      reported_by: gloo
      state: 1

Slide 17

Open Source Gloo

[Diagram labels: Gateway Proxy, Gloo, Discovery]

    apiVersion: gloo.solo.io/v1
    kind: Upstream
    metadata:
      name: aws
      namespace: gloo-system
    spec:
      aws:
        lambdaFunctions:
        - lambdaFunctionName: contact
          logicalName: contact
          qualifier: $LATEST
        - lambdaFunctionName: contact-form
          logicalName: contact-form
          qualifier: $LATEST
        - lambdaFunctionName: contact-form
          logicalName: contact-form:1
          qualifier: "1"
        - lambdaFunctionName: contact-form
          logicalName: contact-form:2
          qualifier: "2"
        ...

Slide 18

Open Source Gloo

[Diagram labels: Gateway Proxy, Gloo, Discovery]

Slide 19

Open Source Gloo

[Diagram labels: Gateway Proxy, Gloo, Discovery, Gateway]

    apiVersion: gateway.solo.io/v1
    kind: VirtualService
    metadata:
      name: petclinic
      namespace: gloo-system
    spec:
      virtualHost:
        domains:
        - '*'
        routes:
        - matchers:
          - prefix: /
          routeAction:
            single:
              upstream:
                name: default-petclinic-8080
                namespace: gloo-system
    status:
      reported_by: gateway
      state: 1
      subresource_statuses:

Slide 20

Open Source Gloo

[Diagram labels: Gateway Proxy, Gloo, Discovery, Gateway]

    ...
    options:
      timeout: 10s
    routes:
    - matchers:
      - prefix: /
      routeAction:
        single:
          upstream:
            name: default-petclinic-8080
            namespace: gloo-system
      options:
        prefixRewrite: /api/petclinic
        headerManipulation: {...}
        transformations:
          requestTransformations: {...}
          ...
        tracing: {...}
        ...

Slide 21

Open Source Gloo

[Diagram labels: Gateway Proxy, Gloo, Discovery, Gateway]

    apiVersion: gateway.solo.io/v1
    kind: Gateway
    metadata:
      name: tcp
      namespace: gloo-system
    spec:
      bindAddress: '::'
      bindPort: 8000
      tcpGateway:
        tcpHosts:
        - name: one
          destination:
            single:
              upstream:
                name: gloo-system-tcp-echo-1025
                namespace: gloo-system
      useProxyProto: false

Slide 22

Distributed Ownership and Delegation

[Diagram labels: VIRTUAL SERVICE; /foo; /bar; /cheese; ROUTE TABLE (x3); UPSTREAM SERVICE (x3); Platform team; Developers; Platform]

Slide 23


Slide 24

[Architecture diagram labels: xDS SERVER; GATEWAY; DISCOVERY; VIRTUAL SERVICE, GATEWAY; CREATES; DISCOVERS SERVICES: KUBERNETES, CONSUL, TERRAFORM, EC2, ETC; REGISTRY; UPSTREAM; GLOO SENDS xDS CONFIG SNAPSHOTS; GATEWAY PROXY; PROXY, UPSTREAM; SOURCE OF TRUTH FOR xDS; CREATED BY ADMINS, DEVS, OR PROCESS; CAN BE DISCOVERED OR MANUALLY CREATED]

Slide 25

Gloo Enterprise

Slide 26

External Auth

[Architecture diagram labels: xDS SERVER; GATEWAY; DISCOVERY; VIRTUAL SERVICE, GATEWAY; CREATES; DISCOVERS SERVICES: KUBERNETES, CONSUL, TERRAFORM, EC2, ETC; REGISTRY; UPSTREAM; GLOO SENDS xDS CONFIG SNAPSHOTS; GATEWAY PROXY; PROXY, UPSTREAM; SOURCE OF TRUTH FOR xDS; CREATED BY ADMINS, DEVS, OR PROCESS; CAN BE DISCOVERED OR MANUALLY CREATED; EXTERNAL AUTH]

Slide 27

Integrations API Key Auth Plugin

Slide 28

Web Application Firewall (WAF)

Prevent harmful traffic from entering your environment

• Implements the ModSecurity open source WAF and Core Rule Set (CRS)
• Inspects, monitors and blocks traffic
• Applies to all inbound and outbound traffic

[Diagram labels: SECURE; WEB APPLICATION FIREWALL; RATE LIMITING; gRPC TRANSCODER; ROUTER; UPSTREAM]

Slide 29

Rate Limiting

[Architecture diagram labels: xDS SERVER; GATEWAY; DISCOVERY; VIRTUAL SERVICE, GATEWAY; CREATES; DISCOVERS SERVICES: KUBERNETES, CONSUL, TERRAFORM, EC2, ETC; REGISTRY; UPSTREAM; GLOO SENDS xDS CONFIG SNAPSHOTS; GATEWAY PROXY; PROXY, UPSTREAM; SOURCE OF TRUTH FOR xDS; CREATED BY ADMINS, DEVS, OR PROCESS; CAN BE DISCOVERED OR MANUALLY CREATED; EXTERNAL AUTH; RATE LIMITING]

Slide 30

Observability

[Architecture diagram labels: xDS SERVER; GATEWAY; DISCOVERY; VIRTUAL SERVICE, GATEWAY; CREATES; DISCOVERS SERVICES: KUBERNETES, CONSUL, TERRAFORM, EC2, ETC; REGISTRY; UPSTREAM; GLOO SENDS xDS CONFIG SNAPSHOTS; GATEWAY PROXY; PROXY, UPSTREAM; SOURCE OF TRUTH FOR xDS; CREATED BY ADMINS, DEVS, OR PROCESS; CAN BE DISCOVERED OR MANUALLY CREATED; EXTERNAL AUTH; RATE LIMITING; OBSERVABILITY]

Slide 31


Slide 32

Example: Data Plane and Control Plane Interaction

Slide 33

Envoy Proxy and Gloo: Control Path and Data Path

[Diagram labels: EXTERNAL AUTH; RATE LIMITING; gRPC TRANSCODER; ROUTER; UPSTREAM; EXTERNAL AUTH SERVER; RATE LIMITING SERVER]

Slide 34

Envoy Proxy and Gloo: Control Path

[Diagram labels: EXTERNAL AUTH; RATE LIMITING; gRPC TRANSCODER; ROUTER; UPSTREAM; EXTERNAL AUTH SERVER; RATE LIMITING SERVER]

    VirtualService:
      route: / -> svc1
      auth: opa: allow = ...

    auth: opa: allow = ...

    route: / -> svc1

Slide 35

Envoy Proxy and Gloo: Data Path

[Diagram labels: EXTERNAL AUTH; RATE LIMITING; GLOO; gRPC TRANSCODER; ROUTER; UPSTREAM; EXTERNAL AUTH SERVER; RATE LIMITING SERVER]

    POST /dentists
    Content-Type: application/json
    Authorization: Bearer xyz

    {"name":"Dr. Seuss"}

    POST /com.example.DentistService/AddDentist
    Content-Type: application/grpc
    Authorization: Bearer xyz

    Binary protobuf: \x12\x011\x12\seuss

    { Method: "POST", Path: "/dentists", Headers: { "Content-Type":"application/json", "Authorization": "Bearer xyz" } }
    OK

    Descriptors {generic_key: "add-drs"}
    OK

Slide 36

Envoy Proxy and Gloo: Data Path

[Diagram labels: EXTERNAL AUTH; RATE LIMITING; gRPC TRANSCODER; ROUTER; UPSTREAM; EXTERNAL AUTH SERVER; RATE LIMITING SERVER]

    201 Created
    Content-Type: application/json

    {"id": "2301", "name":"Dr. Seuss"}

Slide 37

Envoy Proxy and Gloo: Data Path

[Diagram labels: EXTERNAL AUTH; RATE LIMITING; gRPC TRANSCODER; ROUTER; UPSTREAM; EXTERNAL AUTH SERVER; RATE LIMITING SERVER; RATE LIMITING]

    201 Created
    Content-Type: application/json

    {"id": "2301", "name":"Dr. Seuss"}

Slide 38

Envoy Proxy and Gloo: Data Path

[Diagram labels: EXTERNAL AUTH; RATE LIMITING; ROUTER; UPSTREAM; EXTERNAL AUTH SERVER; RATE LIMITING SERVER]

    GET /dentists/2301
    Content-Type: application/json
    Authorization: Bearer xyz

    { Method: "POST", Path: "/dentists", Headers: { "Content-Type":"application/json", "Authorization": "Bearer xyz" } }
    OK, ["id","name"]

Slide 39

Envoy Proxy and Gloo: Data Path

[Diagram labels: EXTERNAL AUTH; ROUTER; UPSTREAM; EXTERNAL AUTH SERVER; RATE LIMITING SERVER]

    200 OK
    Content-Type: application/json

    {"id": "2301", "name":"Dr. Seuss", "license":"32-23892" }

    200 OK
    Content-Type: application/json

    {"id": "2301", "name":"Dr. Seuss"}

Slide 40

LEARN MORE: solo.io/gloo
SOLO COMMUNITY: slack.solo.io

Thank You!