Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SPIFFE Meetup Tokyo #2 LT: Envoy SDS

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for taiki45 taiki45
October 02, 2019
Technology
850
0

SPIFFE Meetup Tokyo #2 LT: Envoy SDS

SPIFFE Meetup Tokyo #2 https://spiffe-jp.connpass.com/event/142393/

Avatar for taiki45

taiki45

October 02, 2019

More Decks by taiki45

See All by taiki45
Mocking in Rust Applications
Avatar for taiki45 taiki45
2
770
Error Handling in Rust Applications
Avatar for taiki45 taiki45
3
860
Efficient Platform for Security and Compliance
Avatar for taiki45 taiki45
6
1.7k
RustでAWS Lambda functionをいい感じに書く
Avatar for taiki45 taiki45
2
860
builderscon Tokyo 2019: Intro Service Mesh
Avatar for taiki45 taiki45
6
3.7k
NoOps Meetup Tokyo #7: 入門サービスメッシュ
Avatar for taiki45 taiki45
4
2k
CloudNative Days Tokyo 2019: Understanding Envoy
Avatar for taiki45 taiki45
3
3.6k
Cloud Native Meetup Tokyo #8 ServiceMesh Day Recap
Avatar for taiki45 taiki45
2
430
EnvoyCon 2018: Building and operating service mesh at mid-size company
Avatar for taiki45 taiki45
3
4.6k

Other Decks in Technology

See All in Technology
2026TECHFRESH畢業分享會 - Lightning Talk - E起 See See : 電商推薦讀心術? 數據說了算
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
1.3k
Kubernetesにおける学習基盤とLLMOpsの概要
Avatar for ry ry
1
320
GitHub Copilot app最速の発信の裏側
Avatar for tomokusaba tomokusaba
1
190
ぼっちではじめた登壇が「51名」「241件」の発信に化けた
Avatar for subroh_0508 subroh0508
1
240
あなたの知らないPDFのアクセシビリティ
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
220
2026 TECHFRESH 畢業分享會 - AI-Native 重塑軟體工程與虛擬講師
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
1.3k
Oracle AI Database@Azure:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
6
2k
Oracle AI Database@Google Cloud:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
6
1.5k
手塩にかけりゃいいってもんじゃない
Avatar for ming ming_ayami
0
610
AI駆動開発を通して感じた、 AI時代のデザイナーの役割変化
Avatar for WHIsaiyo whisaiyo
4
2.3k
SONiCのLinuxベースを活かしたZabbix監視
Avatar for SONiC Users Group Japan sonic
0
230
SONiCの統計情報を取得したい
Avatar for SONiC Users Group Japan sonic
0
230

Featured

See All Featured
The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
360
Building Adaptive Systems
Avatar for Chris Keathley keathley
44
3.1k
What does AI have to do with Human Rights?
Avatar for Per Axbom axbom
PRO
1
2.2k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
615
220k
Primal Persuasion: How to Engage the Brain for Learning That Lasts
Avatar for Mike Taylor tmiket
0
370
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
New Earth Scene 8
Avatar for Sydney Stone popppiees
3
2.3k
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
Avatar for Mine Cetinkaya-Rundel minecr
1
290
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
39
3.2k
Side Projects
Avatar for Sacha Greif sachag
455
43k
How to build a perfect <img>
Avatar for Jono Alderson jonoalderson
1
5.7k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
3.1k

Transcript

  1. Taiki Ono SPIFFE Meetup Tokyo #2 Envoy SDS

  2. Envoy おさらい • LB/service discovery/retry, timeout/logging, metrics/TLS handling とか やってくれるいい感じプロキシー

    • App と同じ pod にデプロイ (side-car model) or app と同じホストにデプロ イして iptables とかで app からの/へのトラフィックを envoy にリダイレ クトする • 上の機能の設定を中央のマネージメントサーバーから配信することで全体に 散らばった envoy を統一的に管理する • このマネージメントサーバーと envoy 間の設定通信プロトコルを「xDS プロ トコル」と呼んでいる 2
  3. None
  4. None

  5. Envoy Architecture 5

  6. Envoy と TLS config • Per-cluster: outgoing requests ◦ tls_context:

    auth.UpstreamTlsContext ▪ Common_tls_context: auth.CommonTlsContext • Per-listener-filter-chain: incoming requests ◦ tls_context: auth.DownstreamTlsContext ▪ Common_tls_context: auth.CommonTlsContext ▪ Require_client_certificate: Bool • auth.CommonTlsContext ◦ tls_certificates or tls_certificate_sds_secret_config ◦ validation_context or validation_context_sds_secret_config ▪ 証明書を検証する時の設定 (e.g. trusted_ca) 6

  7. tls_ceritificates • Body: private_key, certificate_chain, password • データの指定: filename, inline_bytes,

    inline_string 7

  8. Static vs SDS • tls_certificates の情報をどう渡すかの違い • Static: Envoy が動く場所の

    FS に置いておいて file name で指定 • SDS: SDS サーバーに置いておいて inline bytes で配信 ◦ SDS サーバーに置いてある「どの ceritificate を使うか」を決めるのが “tls_certificate_sds_secret_configs.name” をキーにして決める 8

  9. Envoy Architecture 9 SDS server Certificates Trusted CA

  10. Go tetrate.io/about-us/careers/ !