Slide 1

Slide 1 text

Introduction to Envoy
July CNCJ Meetup
Jamie Hewland
2 July 2018

Slide 2

Slide 2 text

Who am I?
• Site Reliability Engineer (SRE) @ Praekelt.org
• 10% of time => “Tech Ambassador”
• Grew up in Cape Town, graduated UCT in 2014, in JHB since 2015

Slide 3

Slide 3 text

My limitations
• Haven’t used Kubernetes in production—we’re Mesosphere DC/OS users (for now)
• Haven’t used Service Meshes in production
• At some point I will say “Eh-nvoy” instead of “Ah-nvoy”

Slide 4

Slide 4 text

My expertise
• Have written a Discovery Service for Envoy
• Have significant experience with Nginx & HAProxy
• Have experience running container orchestration systems at a reasonable level of scale

Slide 5

Slide 5 text

1. What is Envoy?
2. The network proxy landscape
3. Envoy’s API: Discovery Services
4. Service mesh: abstracting the network
5. The Envoy ecosystem

Slide 6

Slide 6 text

What is Envoy?

Slide 7

Slide 7 text

ENVOY IS AN OPEN SOURCE EDGE AND SERVICE PROXY, DESIGNED FOR CLOUD-NATIVE APPLICATIONS

Slide 8

Slide 8 text

“Proxy”?
• Reverse proxy/load-balancer
• Like Nginx, HAProxy
• Also not like Nginx/Apache, not a web server
  • Doesn’t serve files
  • Doesn’t cache (but can buffer)
  • Won’t do CGI/uWSGI/etc.
“an intermediary for requests from clients seeking resources from other servers”

Slide 9

Slide 9 text

Edge/front proxy
Reverse proxy/load-balancer pattern
North-South traffic

Slide 10

Slide 10 text

Service proxy
Service mesh pattern
East-West traffic

Slide 11

Slide 11 text

Envoy features
• It has an API! No more templated config files, seamless reloads.
• First-class HTTP/2 support (downstream & upstream)
• Supports other application protocols (Redis, Mongo), with more incoming (Thrift, Kafka)
• Built-in metrics (Prometheus, statsd) & tracing (OpenTracing)
• Advanced load-balancing tools: complex health checks, circuit breakers, zone-aware routing, traffic shifting, canarying

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

Reverse proxy landscape

Slide 14

Slide 14 text

A brief timeline (pre-K8S)
• 1995: Apache (httpd) initial release
• 2001: HAProxy initial release
• 2004: Nginx initial release
• 2009: AWS ELB (probably HAProxy-based)
• 2013: Airbnb’s SmartStack (HAProxy-based)
• 2014: HashiCorp Consul v0.1.0
• 2014 June: Kubernetes first commit on GitHub
• 2014 November: Netflix Prana (sidecar for non-JVM apps)

Slide 15

Slide 15 text

A brief timeline (post-K8S)
• 2015 July: Kubernetes hits 1.0 and moves to CNCF
• 2016 February: Linkerd initial release (v0.1.0)
• 2016 July: Traefik v1.0.0
• 2016 September: Envoy open-sourced by Lyft
• ~2016 October: Linkerd starts using the phrase “Service Mesh” widely
• 2017 January: nginx-ingress-controller: first beta
• 2017 January: Linkerd joins CNCF as 5th hosted project
• 2017 May: Istio initial release (v0.1.0)
• 2017 September: Envoy joins CNCF as 11th hosted project
• 2017 November: HAProxy adds HTTP/2 support (v1.8.0)
• 2018 March: Nginx adds gRPC support (v1.13.10)

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

Envoy’s API: Discovery Services

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

Eventual consistency

Discovery status | Health check OK | Health check failed
Discovered       | Route           | Don’t route
Absent           | Route           | Don’t route & delete
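The decision matrix above, walked through as an added Python simulation (not Envoy code and not part of the talk). It assumes a newly discovered host counts as healthy until a check says otherwise, and uses constructed host addresses.

```python
from typing import Dict, List, Set

class Cluster:
    """Simulated upstream cluster: known hosts and their health."""

    def __init__(self) -> None:
        self.hosts: Dict[str, bool] = {}  # host -> last health check passed?
        self.absent: Set[str] = set()     # hosts missing from latest discovery

    def apply_discovery(self, discovered: Set[str]) -> None:
        """Discovery update: add new hosts, mark missing ones absent.
        Discovery alone never removes a host (eventual consistency)."""
        for host in discovered:
            self.hosts.setdefault(host, True)  # assumed healthy until checked
        self.absent = set(self.hosts) - discovered
        self._reconcile()

    def apply_health_checks(self, results: Dict[str, bool]) -> None:
        """Active health-check results for known hosts."""
        for host, healthy in results.items():
            if host in self.hosts:
                self.hosts[host] = healthy
        self._reconcile()

    def _reconcile(self) -> None:
        """Only a host that is absent *and* failing is deleted."""
        for host in list(self.hosts):
            if host in self.absent and not self.hosts[host]:
                del self.hosts[host]
                self.absent.discard(host)

    def routable(self) -> List[str]:
        """Discovered or absent, a host gets traffic only while healthy."""
        return sorted(h for h, ok in self.hosts.items() if ok)

def simulate() -> List[List[str]]:
    """Constructed scenario touching all four cells of the table."""
    c = Cluster()
    steps: List[List[str]] = []
    c.apply_discovery({"10.0.0.1", "10.0.0.2"})
    steps.append(c.routable())                  # Discovered + OK: route both
    c.apply_health_checks({"10.0.0.2": False})
    steps.append(c.routable())                  # Discovered + failed: skip .2
    c.apply_discovery({"10.0.0.1"})             # .2 absent + failing: deleted
    steps.append(sorted(c.hosts))
    c.apply_discovery(set())                    # discovery outage, returns nothing
    steps.append(c.routable())                  # Absent + OK: keep routing .1
    c.apply_health_checks({"10.0.0.1": False})  # Absent + failed: .1 deleted
    steps.append(sorted(c.hosts))
    return steps
```

The fourth step is the point of the table: a discovery service that goes away or returns an empty set does not drain traffic from hosts that are still passing health checks.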

Slide 22

Slide 22 text

Discovery Services
• Very flexible, can use all the Discovery Services (dynamic), or define everything in YAML (static), or mix
• Streaming gRPC or polling REST-JSON
• Protocol defined in protobufs (see envoyproxy/data-plane-api)
• New (non-Discovery) Services being developed: Rate limit service, access log service…
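A minimal REST-JSON Endpoint Discovery Service responder, as an added example (not from the talk and not the speaker's own discovery service). It assumes the v2 `POST /v2/discovery:endpoints` poll, a constructed endpoint inventory, and the convention that an unchanged version is answered with 304 Not Modified.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed inventory for a hypothetical discovery service (not real data).
ENDPOINTS: Dict[str, List[Tuple[str, int]]] = {
    "service_b": [("10.0.1.10", 8080), ("10.0.1.11", 8080)],
    "service_c": [("10.0.2.20", 9090)],
}
VERSION = "7"  # assumed scheme: bumped whenever ENDPOINTS changes
CLA_TYPE = "type.googleapis.com/envoy.api.v2.ClusterLoadAssignment"

def cluster_load_assignment(name: str) -> dict:
    """One v2 ClusterLoadAssignment resource in its JSON encoding."""
    lb_endpoints = [
        {"endpoint": {"address": {"socket_address": {
            "address": host, "port_value": port}}}}
        for host, port in ENDPOINTS[name]
    ]
    return {"@type": CLA_TYPE, "cluster_name": name,
            "endpoints": [{"lb_endpoints": lb_endpoints}]}

def handle_eds(request_body: str) -> Tuple[int, Optional[dict]]:
    """Answer one POST /v2/discovery:endpoints poll from Envoy.

    Returns (HTTP status, DiscoveryResponse as a dict, or None). A 304
    tells Envoy nothing changed since the version it reported, so it
    keeps its current hosts and there is no reload or host churn.
    """
    req = json.loads(request_body)  # DiscoveryRequest; req["node"] names the Envoy
    if req.get("version_info") == VERSION:
        return 304, None
    # Serve only the clusters this node asked for; an empty list means all.
    # A real service would also scope results by node identity (not done here).
    wanted = req.get("resource_names") or list(ENDPOINTS)
    resources = [cluster_load_assignment(n) for n in wanted if n in ENDPOINTS]
    return 200, {"version_info": VERSION, "type_url": CLA_TYPE,
                 "resources": resources}
```

The dict is serialised with `json.dumps` and returned with `Content-Type: application/json` by whatever HTTP framework hosts it; Envoy then polls again after its configured refresh delay.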

Slide 23

Slide 23 text

Envoy development
• Envoy written in modern C++ “for developer productivity”
• Leverages several 3rd-party libraries, e.g.
  • Node.js HTTP parser
  • nghttp2 for HTTP/2
  • BoringSSL for TLS
• Bazel build system
• CircleCI: unit, integration, coverage, address sanitisers…
• GitHub repo, Slack channel, community meetings…

Slide 24

Slide 24 text

Service mesh: abstracting the network

Slide 25

Slide 25 text

Microservices communication
Imagine you are writing Service A that speaks to Service B

Slide 26

Slide 26 text

Microservices communication

Slide 27

Slide 27 text

Microservices communication

Slide 28

Slide 28 text

Microservices communication

Slide 29

Slide 29 text

Service mesh at the pod level

Slide 30

Slide 30 text

Service mesh

Slide 31

Slide 31 text

Service mesh benefits
• Reliability:
  • Retries, timeouts, circuit breakers
  • Traffic shifting, canary releases
• Visibility:
  • Metrics for all requests
  • Tracing
• Security:
  • Encrypt connections (TLS)
  • Access control, policy

Slide 32

Slide 32 text

2018 The Year of the Service Mesh?

Slide 33

Slide 33 text

The Envoy ecosystem

Slide 34

Slide 34 text

No content

Slide 35

Slide 35 text

Istio

Slide 36

Slide 36 text

No content

Slide 37

Slide 37 text

No content

Slide 38

Slide 38 text

Ambassador
• API gateway & load-balancer for Kubernetes
• Not a Service Mesh, also not an ingress controller
• Authentication (basic, OpenID, OAuth)
• Rate limiting
• Other Envoy features: TLS, canary releases, gRPC, WebSockets, …

Slide 39

Slide 39 text

No content

Slide 40

Slide 40 text

Thank you
• Questions?
• Official Envoy blog: https://blog.envoyproxy.io
• Learn Envoy by Turbine Labs: https://www.learnenvoy.io
• Is a Service Mesh right for you? https://www.infoq.com/articles/service-mesh-promise-peril
• Twitter: @jayhewland
• Medium: @jamiehewland