Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SPIFFE Meetup Tokyo #2 LT: Envoy SDS

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for taiki45 taiki45
October 02, 2019
Technology
0
810

SPIFFE Meetup Tokyo #2 LT: Envoy SDS

SPIFFE Meetup Tokyo #2 https://spiffe-jp.connpass.com/event/142393/

Avatar for taiki45

taiki45

October 02, 2019
Tweet

More Decks by taiki45

See All by taiki45
Mocking in Rust Applications
Avatar for taiki45 taiki45
2
700
Error Handling in Rust Applications
Avatar for taiki45 taiki45
3
770
Efficient Platform for Security and Compliance
Avatar for taiki45 taiki45
6
1.6k
RustでAWS Lambda functionをいい感じに書く
Avatar for taiki45 taiki45
2
800
builderscon Tokyo 2019: Intro Service Mesh
Avatar for taiki45 taiki45
6
3.6k
NoOps Meetup Tokyo #7: 入門サービスメッシュ
Avatar for taiki45 taiki45
4
1.9k
CloudNative Days Tokyo 2019: Understanding Envoy
Avatar for taiki45 taiki45
3
3.6k
Cloud Native Meetup Tokyo #8 ServiceMesh Day Recap
Avatar for taiki45 taiki45
2
410
EnvoyCon 2018: Building and operating service mesh at mid-size company
Avatar for taiki45 taiki45
3
4.6k

Other Decks in Technology

See All in Technology
Cosmos World Foundation Model Platform for Physical AI
Avatar for Takuya MINAGAWA takmin
0
1k
AzureでのIaC - Bicep? Terraform? それ早く言ってよ会議
Avatar for Toru Makabe torumakabe
1
660
(技術的には)社内システムもOKなブラウザエージェントを作ってみた!
Avatar for Har1101 har1101
0
420
AWS DevOps Agent x ECS on Fargate検証 / AWS DevOps Agent x ECS on Fargate
Avatar for Masanori Yamaguchi kinunori
3
370
Oracle Database@Google Cloud:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
1
1k
Oracle Base Database Service 技術詳細
Avatar for oracle4engineer oracle4engineer
PRO
15
93k
Codex 5.3 と Opus 4.6 にコーポレートサイトを作らせてみた / Codex 5.3 vs Opus 4.6
Avatar for ama-ch ama_ch
0
250
StrandsとNeptuneを使ってナレッジグラフを構築する
Avatar for やくも yakumo
1
140
日本の85%が使う公共SaaSは、どう育ったのか
Avatar for たけだ taketakekaho
1
270
旅先で iPad + Neovim で iOS 開発・執筆した話
Avatar for ZOZO Developers zozotech
PRO
0
170
22nd ACRi Webinar - 1Finity Tamura-san's slide
Avatar for Nao Sumikawa nao_sumikawa
0
120
AIエージェントに必要なのはデータではなく文脈だった/ai-agent-context-graph-mybest
Avatar for Jun Naito jonnojun
1
540

Featured

See All Featured
Code Reviewing Like a Champion
Avatar for maltzj maltzj
527
40k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
Avatar for Akash Hashmi akashhashmi
0
280
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
6k
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
4.2k
State of Search Keynote: SEO is Dead Long Live SEO
Avatar for Ryan Jones ryanjones
0
130
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
760
Game over? The fight for quality and originality in the time of robots
Avatar for Wayne Barker wayneb77
1
120
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
74
5k
Abbi's Birthday
Avatar for Violet Bock coloredviolet
1
4.8k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
12
1k
ラッコキーワード サービス紹介資料
Avatar for ラッコ株式会社 rakko
1
2.3M
Kristin Tynski - Automating Marketing Tasks With AI
Avatar for Tech SEO Connect techseoconnect
PRO
0
160

Transcript

  1. Taiki Ono SPIFFE Meetup Tokyo #2 Envoy SDS

  2. Envoy おさらい • LB/service discovery/retry, timeout/logging, metrics/TLS handling とか やってくれるいい感じプロキシー

    • App と同じ pod にデプロイ (side-car model) or app と同じホストにデプロ イして iptables とかで app からの/へのトラフィックを envoy にリダイレ クトする • 上の機能の設定を中央のマネージメントサーバーから配信することで全体に 散らばった envoy を統一的に管理する • このマネージメントサーバーと envoy 間の設定通信プロトコルを「xDS プロ トコル」と呼んでいる 2
  3. None
  4. None

  5. Envoy Architecture 5

  6. Envoy と TLS config • Per-cluster: outgoing requests ◦ tls_context:

    auth.UpstreamTlsContext ▪ Common_tls_context: auth.CommonTlsContext • Per-listener-filter-chain: incoming requests ◦ tls_context: auth.DownstreamTlsContext ▪ Common_tls_context: auth.CommonTlsContext ▪ Require_client_certificate: Bool • auth.CommonTlsContext ◦ tls_certificates or tls_certificate_sds_secret_config ◦ validation_context or validation_context_sds_secret_config ▪ 証明書を検証する時の設定 (e.g. trusted_ca) 6

  7. tls_ceritificates • Body: private_key, certificate_chain, password • データの指定: filename, inline_bytes,

    inline_string 7

  8. Static vs SDS • tls_certificates の情報をどう渡すかの違い • Static: Envoy が動く場所の

    FS に置いておいて file name で指定 • SDS: SDS サーバーに置いておいて inline bytes で配信 ◦ SDS サーバーに置いてある「どの ceritificate を使うか」を決めるのが “tls_certificate_sds_secret_configs.name” をキーにして決める 8

  9. Envoy Architecture 9 SDS server Certificates Trusted CA

  10. Go tetrate.io/about-us/careers/ !