
Introduction to Envoy


An introduction to Envoy given at the Cloud Native Computing Johannesburg July 2018 Meetup. 5 topics covered:

- What is Envoy?
- The network proxy landscape
- Envoy’s API: Discovery Services
- Service mesh: abstracting the network
- The Envoy ecosystem

Jamie Hewland

July 02, 2018


Transcript

  1. Who am I?
    - Site Reliability Engineer (SRE) @ Praekelt.org
    - 10% of time => “Tech Ambassador”
    - Grew up in Cape Town, graduated UCT in 2014, in JHB since 2015
  2. My limitations
    - Haven’t used Kubernetes in production—we’re Mesosphere DC/OS users (for now)
    - Haven’t used Service Meshes in production
    - At some point I will say “Eh-nvoy” instead of “Ah-nvoy”
  3. My expertise
    - Have written a Discovery Service for Envoy
    - Have significant experience with Nginx & HAProxy
    - Have experience running container orchestration systems at a reasonable level of scale
  4.
    1. What is Envoy?
    2. The network proxy landscape
    3. Envoy’s API: Discovery Services
    4. Service mesh: abstracting the network
    5. The Envoy ecosystem
  5. “Proxy”?
    - Reverse proxy/load-balancer
    - Like Nginx, HAProxy
    - Also not like Nginx/Apache, not a web server
    - Doesn’t serve files
    - Doesn’t cache (but can buffer)
    - Won’t do CGI/uWSGI/etc.

    “an intermediary for requests from clients seeking resources from other servers”
  6. Envoy features
    - It has an API! No more templated config files, seamless reloads.
    - First-class HTTP/2 support (downstream & upstream)
    - Supports other application protocols (Redis, Mongo), with more incoming (Thrift, Kafka)
    - Built-in metrics (Prometheus, statsd) & tracing (OpenTracing)
    - Advanced load-balancing tools: complex health checks, circuit breakers, zone-aware routing, traffic shifting, canarying
  7. A brief timeline (pre-K8S)
    - 1995: Apache (httpd) initial release
    - 2001: HAProxy initial release
    - 2004: Nginx initial release
    - 2009: AWS ELB (probably HAProxy-based)
    - 2013: Airbnb’s SmartStack (HAProxy-based)
    - 2014: HashiCorp Consul v0.1.0
    - 2014 June: Kubernetes first commit on GitHub
    - 2014 November: Netflix Prana (sidecar for non-JVM apps)
  8. A brief timeline (post-K8S)
    - 2015 July: Kubernetes hits 1.0 and moves to CNCF
    - 2016 February: Linkerd initial release (v0.1.0)
    - 2016 July: Traefik v1.0.0
    - 2016 September: Envoy open-sourced by Lyft
    - ~2016 October: Linkerd starts using the phrase “Service Mesh” widely
    - 2017 January: nginx-ingress-controller: First beta
    - 2017 January: Linkerd joins CNCF as 5th hosted project
    - 2017 May: Istio initial release (v0.1.0)
    - 2017 September: Envoy joins CNCF as 11th hosted project
    - 2017 November: HAProxy adds HTTP/2 support (v1.8.0)
    - 2018 March: Nginx adds gRPC support (v1.13.10)
  9. Eventual consistency

    | Discovery status | Health Check OK | Health Check failed  |
    |------------------|-----------------|----------------------|
    | Discovered       | Route           | Don’t route          |
    | Absent           | Route           | Don’t route & delete |
  10. Discovery Services
    - Very flexible, can use all the Discovery Services (dynamic), or define everything in YAML (static), or mix
    - Streaming gRPC or polling REST-JSON
    - Protocol defined in protobufs (see envoyproxy/data-plane-api)
    - New (non-Discovery) Services being developed: Rate limit service, access log service…
  11. Envoy development
    - Envoy written in modern C++ “for developer productivity”
    - Leverages several 3rd-party libraries, e.g.
      - Node.js HTTP parser
      - nghttp2 for HTTP/2
      - BoringSSL for TLS
    - Bazel build system
    - CircleCI: unit, integration, coverage, address sanitisers…
    - GitHub repo, Slack channel, community meetings…
  12. Service mesh benefits
    - Reliability:
      - Retries, timeouts, circuit breakers
      - Traffic shifting, canary releases
    - Visibility:
      - Metrics for all requests
      - Tracing
    - Security:
      - Encrypt connections (TLS)
      - Access control, policy
  13. Ambassador
    - API gateway & load-balancer for Kubernetes
    - Not a Service Mesh, also not an ingress controller
    - Authentication (basic, OpenID, OAuth)
    - Rate limiting
    - Other Envoy features: TLS, Canary releases, gRPC, WebSockets, …
  14. Thank you
    - Questions?
    - Official Envoy blog: https://blog.envoyproxy.io
    - Learn Envoy by Turbine Labs: https://www.learnenvoy.io
    - Is a Service Mesh right for you? https://www.infoq.com/articles/service-mesh-promise-peril
    - Twitter: @jayhewland
    - Medium: @jamiehewland
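
The discovery/health-check table on slide 9 (Eventual consistency), replayed through a discovery outage to show why an empty or stale discovery response alone does not take healthy hosts out of rotation. This is an added example, not code from the talk or from Envoy; the `Cluster` class, its method names, the sample addresses and the rule that a new host waits for its first passing health check are assumptions made for illustration.

```python
class Cluster:
    def __init__(self):
        self.hosts = {}  # address -> {"discovered": bool, "healthy": bool}

    def on_discovery(self, addresses):
        """Apply a full snapshot from the discovery service."""
        snapshot = set(addresses)
        for addr in snapshot:
            # Assumption: a new host is not routed until a health check passes.
            self.hosts.setdefault(addr, {"discovered": True, "healthy": False})
        for addr, host in self.hosts.items():
            host["discovered"] = addr in snapshot
        return self._reap()

    def on_health_check(self, addr, ok):
        """Record an active health-check result for a known host."""
        if addr in self.hosts:
            self.hosts[addr]["healthy"] = ok
        return self._reap()

    def _reap(self):
        # Only "absent AND health check failed" deletes a host.
        dead = sorted(a for a, h in self.hosts.items()
                      if not h["discovered"] and not h["healthy"])
        for addr in dead:
            del self.hosts[addr]
        return dead

    def routable(self):
        # Routing follows health checks, not discovery membership.
        return sorted(a for a, h in self.hosts.items() if h["healthy"])

def simulate():
    """Replay a constructed outage; return (event, routable, deleted) tuples."""
    a, b, c = "10.0.0.1:80", "10.0.0.2:80", "10.0.0.3:80"  # constructed hosts
    cluster, timeline = Cluster(), []

    def step(event, deleted):
        timeline.append((event, cluster.routable(), deleted))

    cluster.on_discovery([a, b])
    cluster.on_health_check(a, True)
    step("a and b discovered, both pass", cluster.on_health_check(b, True))
    step("discovery returns empty set", cluster.on_discovery([]))
    step("b fails while absent", cluster.on_health_check(b, False))
    step("discovery recovers with a and c", cluster.on_discovery([a, c]))
    step("a fails while discovered", cluster.on_health_check(a, False))
    return timeline

if __name__ == "__main__":
    print(*simulate(), sep="\n")
```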