Slide 1

Gateway APIs and API Gateways: Modern Ingress Demystified
Sergey Marunich, Tetrate.io

Slide 2

Outline
● Recap: Ingress
● Gateway API
● Envoy Gateway
● [Envoy] [API] Gateway
● Where Next?

Slide 3

Ingress Networking

Slide 4

Diagram labels: *.example.com, Backend, Service A (x3)

Slide 5

Diagram labels: *.example.com, Load Balancer, Backend, Service A (x3)

Slide 6

Diagram labels: *.example.com, Load Balancer, Node port, Backend, Service A (x3)

Slide 7

Diagram labels: *.example.com, Load Balancer, Node port, Cluster IP, Backend, Service A (x3)

Slide 8

Diagram labels: *.example.com, Load Balancer, Node port, Cluster IP, Ingress, Proxy (x4), Backend, Service A (x3)

Slide 9

Diagram labels: *.example.com, Load Balancer, Node port, Cluster IP (x2), Ingress, Proxy (x4), Backend, Service A (x3)

Slide 10

Diagram labels (same diagram as slide 9): *.example.com, Load Balancer, Node port, Cluster IP (x2), Ingress, Proxy (x4), Backend, Service A (x3)

Slide 11

Diagram labels: *.example.com, Load Balancer, Node port, Ingress, Proxy (x4), Ingress Controller, Backend, Service A (x3)

Slide 12

Diagram labels: *.example.com, Load Balancer, Node port, Ingress, Proxy (x4), Ingress Controller, K8s API Server, etcd, Backend, Service A (x3)

Slide 13

Diagram labels: *.example.com, Load Balancer, Node port, Ingress, Proxy (x4), Ingress Controller, K8s API Server, etcd, Ingress (resource), Backend, Service A (x3)

Slide 14

😅

Slide 15

The Ingress API

Slide 16

Ingress API

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /test
        backend:
          service:
            name: test
            port:
              number: 80

Slide 17

Ingress API

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /test
        backend:
          service:
            name: test
            port:
              number: 80

Slide 18

Ingress API

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /test
        backend:
          service:
            name: test
            port:
              number: 80

Slide 19

Ingress API

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
  - host: example.com
    http:
      paths:
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: test
            port:
              number: 80

Slide 20

Ingress API

apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: nginx
spec:
  controller: example.com/nginx-ingress-controller

Slide 21

Ingress API

apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: nginx
spec:
  controller: example.com/nginx-ingress-controller
---
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: nginx
        args:
        - /nginx-ingress-controller
        - '--ingress-class=k8s.io/nginx'
        - '--controller-class=example.com/nginx-ingress-controller'

Slide 22

Ingress API

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "Request-Id: $req_id";
spec:
  ingressClassName: nginx
  rules:
  - host: example.com
    http:
      …

Slide 23

Ingress API: Implementations
● Nginx
● Haproxy
● Apache
● Traefik
● Contour
● Ambassador
● Kong
● Tyk
● Avi
● Istio
● etc

Slide 24

😅😅

Slide 25

Gateway API

Slide 26

xkcd, Creative Commons Attribution 2.5

Slide 27

Recap: The Storage API
Diagram labels: Infra provider / cluster builder, Infra admin, App dev; StorageClass (AWS, gp2), PersistentVolume, PersistentVolume Claim (10Gi, ReadOnce), Pod (x3)

Slide 28

The Gateway API

Slide 29

The Gateway API
● Not built-in yet; packaged as CRDs
● >1 resource
● gateway.networking.k8s.io
  ○ GatewayClass/v1beta1
  ○ Gateway/v1beta1
  ○ HTTPRoute/v1beta1
  ○ TLSRoute/v1alpha1 - SNI routing
  ○ GRPCRoute/v1alpha1
  ○ TCPRoute/v1alpha1
  ○ UDPRoute/v1alpha1

Slide 30

GatewayClass

apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass
metadata:
  name: my-class
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller

Slide 31

Gateway

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: my-envoy-gateway
spec:
  gatewayClassName: my-class
  listeners:
  - name: http
    protocol: HTTP
    port: 80
  - name: https
    protocol: HTTPS
    port: 443

Slide 32

HTTPRoute

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: http-log
spec:
  parentRefs: [{name: my-gateway}]
  hostnames: ["www.example.com"]
  rules:
  - matches:
    - path: {value: /http-log, type: PathPrefix}
    backendRefs:
    - {group: "", kind: Service, name: http-log, port: 80, weight: 1}

Slide 33

HTTPRoute

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: http-log
spec:
  parentRefs: [{name: my-gateway}]
  hostnames: ["www.example.com"]
  rules:
  - matches:
    - path: {value: /http-log, type: PathPrefix}
    filters:
    - {type: URLRewrite, urlRewrite: {path: {type: ReplacePrefixMatch, replacePrefixMatch: /}}}
    backendRefs:
    - {group: "", kind: Service, name: http-log, port: 80, weight: 1}
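Slides 19 and 22 express routing and rewriting through nginx annotations, while slide 33 expresses the same rewrite as a first-class URLRewrite filter. The following is an added example, not code from the talk or from the Gateway API project: it maps a single-host Ingress (a constructed dict mirroring the slide 19/22 object) to an HTTPRoute, turning rewrite-target into ReplacePrefixMatch and reporting annotations such as configuration-snippet that carry raw nginx config and have no portable Gateway API form, so they can be reviewed rather than silently dropped. The helper name, the gateway name "my-gateway" and the dict shape are assumptions.

```python
# Added example (not from the slides): map the deck's Ingress object (slides
# 19 and 22) to the Gateway API HTTPRoute shape of slide 33. Constructed input.

REWRITE_TARGET = "nginx.ingress.kubernetes.io/rewrite-target"
# Raw nginx config injected via annotation has no first-class Gateway API form.
SNIPPET = "nginx.ingress.kubernetes.io/configuration-snippet"
PATH_TYPES = {"Prefix": "PathPrefix", "Exact": "Exact"}  # ImplementationSpecific: none

MINIMAL_INGRESS = {  # constructed from the slide text, as a dict (no PyYAML needed)
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "minimal-ingress", "annotations": {
        REWRITE_TARGET: "/", SNIPPET: 'more_set_headers "Request-Id: $req_id";'}},
    "spec": {"ingressClassName": "nginx", "rules": [{"host": "example.com", "http": {
        "paths": [{"path": "/test", "pathType": "Prefix", "backend": {
            "service": {"name": "test", "port": {"number": 80}}}}]}}]},
}


def ingress_to_httproute(ingress, gateway_name):
    """Return (HTTPRoute dict, annotations left unexpressed) for a single-host Ingress."""
    ann = ingress["metadata"].get("annotations", {})
    unmapped = [k for k in ann if k == SNIPPET]
    hosts = {r["host"] for r in ingress["spec"]["rules"] if "host" in r}
    if len(hosts) != 1:
        raise ValueError("one HTTPRoute per host: this helper maps exactly one host")
    rewrite = ann.get(REWRITE_TARGET)
    if rewrite is not None and "$" in rewrite:  # regex capture groups: nginx-specific
        unmapped.append(REWRITE_TARGET)
        rewrite = None
    rules = []
    for rule in ingress["spec"]["rules"]:
        for p in rule["http"]["paths"]:
            ptype = PATH_TYPES.get(p.get("pathType", "ImplementationSpecific"))
            if ptype is None:
                raise ValueError(f"{p['path']}: pathType has no portable Gateway API match")
            svc = p["backend"]["service"]
            r = {"matches": [{"path": {"type": ptype, "value": p["path"]}}],
                 "backendRefs": [{"group": "", "kind": "Service", "name": svc["name"],
                                  "port": svc["port"]["number"], "weight": 1}]}
            if rewrite is not None and ptype == "PathPrefix":  # slide 33's filter
                r["filters"] = [{"type": "URLRewrite", "urlRewrite": {"path": {
                    "type": "ReplacePrefixMatch", "replacePrefixMatch": rewrite}}}]
            rules.append(r)
    route = {"apiVersion": "gateway.networking.k8s.io/v1beta1", "kind": "HTTPRoute",
             "metadata": {"name": ingress["metadata"]["name"]},
             "spec": {"parentRefs": [{"name": gateway_name}],
                      "hostnames": sorted(hosts), "rules": rules}}
    return route, unmapped
```

Calling `ingress_to_httproute(MINIMAL_INGRESS, "my-gateway")` yields the HTTPRoute with a PathPrefix match on /test, the ReplacePrefixMatch filter, and the configuration-snippet annotation in the unexpressed list.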

Slide 34

What else does it look like?
● Heavily based on the Istio API
● In turn, Istio implements the Gateway API
  ○ Currently beta
  ○ Will be default when gw-api hits v1
● Also implemented by the SMI Meshes (Linkerd2, Consul, Open Service Mesh, etc)

Slide 35

A Mesh API?
● Gain resources to describe East-West (service mesh)
● GAMMA group trying to get meshes to adopt the GW API, and conversely to get GW API to model mesh concerns (https://gateway-api.sigs.k8s.io/contributing/gamma/)
● Istio 1.16: Kubernetes Gateway API Implementation Promoted to Beta
  "Istio's implementation of the Gateway API has been promoted to Beta. This is a significant step toward our goal of making the Gateway API the default API for traffic management in the future."

Slide 36

Reference Implementation: Envoy Gateway

Slide 37

What's a standard?
Nginx-ingress is currently the de facto standard
● Surely the most common, certainly when you discount cloud providers' ingress
● Only one mentioned in the main upstream docs

Slide 38

An Envoy-Based Gateway
● But nginx isn't very modern
  ○ Reads its config from a file, not an API
  ○ The operator hides this, and that's fine; that's its job
  ○ But those reload events drop in-flight requests, which isn't ok
  ○ Plus other operational issues
  ○ Hard to extend
● Envoy is more modern, and designed for this kind of work
  ○ xDS API
  ○ It's proven itself as Ingress, Sidecar, even GFE
● A new gateway in town!

Slide 39

Another One?
● Contour and Emissary (formerly Ambassador) have agreed to rebase onto the Envoy Gateway code, but will keep their brands and add value on top

Slide 40

Demo!

Slide 41

🍺 An offering to the demo gods...

Slide 42

👀

Slide 43

An Adventure in Metrics
● Pod:
  ○ Container: no metrics port
  ○ Container kube-rbac-proxy: https metrics port, just controller_runtime's default stats
● Pod:
  ○ Container Envoy: prom-format metrics on admin at localhost:19000 (unreachable)

Slide 44

Other Features
● cert-manager has experimental support (hard to demo locally)

Slide 45

A Work-in-Progress
● v0.3 targeting December
  ○ Full compliance with the Gateway API
  ○ Doesn't seem to mean other basics, like metrics
● To follow the project
  ○ https://github.com/envoyproxy/gateway
  ○ Envoy Slack #gateway-dev

Slide 46

Gateway API
API Gateway

Slide 47

What Even is an API Gateway?
You might think
● TLS termination
● Load Balancing
● L7 Routing
● WAF
● Rate-limiting and quotas
● Bot-blocking
● OIDC auth
● Caching
● Body validation and transformation
● Version and staging support
● etc

Slide 48

What Even is an API Gateway?
"Basic" features
● TLS termination
● Load Balancing
● L7 Routing
"API Gateway" features
● WAF
● Rate-limiting and quotas
● Bot-blocking
● OIDC auth
● Caching
● Body validation and transformation
● Version and staging support
● etc

Slide 49

Envoy (API) Gateway
● Extensible code
● Extensible API
● New, clean codebase

Slide 50

Gateway API models API Gateways
● Gain resources to describe API Gateway features
  ○ Auth one in progress
● On-going discussion about making the API extensible to model the different features in all the implementations, but in a consistent, first-class way
● "GEP" - Gateway Enhancement Proposal (https://gateway-api.sigs.k8s.io/contributing/gep/)
● Graduation path
  ○ Vendor extension
  ○ GW-API extension
  ○ GW-API core

Slide 51

A Work-in-the-Future
● Needs the API
● Needs the Extensions
● None being worked on yet (that I know of)
● Except Coraza: a Golang implementation of mod_security

Slide 52

Recap

Slide 53

Where Next?
● Release of Envoy Gateway 0.3
● Emissary, Contour rebasing eventually
● Get Gateway API into upstream k8s
● Extend the GW-API to model API-GW concerns
  ○ Solve problems like modelling deploy of redis for global ratelimits
● Build API-GW feature plugins
● Gateway API v1?
● Envoy Gateway 1.0?

Slide 54

Recap
● Ingress API sucks
● Gateway API doesn't
  ○ Ingress
  ○ East-West
  ○ API Gateway
● Envoy Gateway exists. It hasn't got far but you can try it at home.
● Envoy Gateway will become an API Gateway
  ○ That needs lots of work

Slide 55

Thanks!
Slides
Videos
Demo code: tetratelabs
Questions: @smarunich