Proxy Envoy

The first edition was written on 2020-08-30.

Demo

This GitHub repo has demos for some important types of Envoy proxies.

Some issues I had at the time of using Envoy:

About Source Code

Protobuf plays a central role in Envoy configuration: every component in Envoy is defined by protobuf. Here I will show some of the ones I explored.

For example, in the external authz gRPC server demo code:

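package main

import (
	"context"
	"fmt"
	"log"
	"net"
	auth_pb "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
	"google.golang.org/grpc"
)

type service struct{}

// Check is called by Envoy's ext_authz filter for each request. An empty
// CheckResponse has status code 0 (OK), so this demo allows every request.
func (s *service) Check(ctx context.Context,
	r *auth_pb.CheckRequest) (*auth_pb.CheckResponse, error) {
	fmt.Println("received check request")
	// return nil, fmt.Errorf("error")
	return &auth_pb.CheckResponse{}, nil
}

func main() {
	lis, err := net.Listen("tcp", ":9000") // listen port is a placeholder
	if err != nil {
		log.Fatal(err)
	}
	grpcServer := grpc.NewServer()
	auth_pb.RegisterAuthorizationServer(grpcServer, &service{})
	log.Fatal(grpcServer.Serve(lis))
}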

The Check handler is specified in the generated module external_auth.pb.go#L704 and defined as a service in the proto file external_auth.proto#L33.

Testing Facilities

Some CLI and online facilities can help with proxy testing:

For complex tests that involve multiple components, use docker compose to make them work together.

NOTE: nc and telnet can also work with an HTTP server, but you need to type the HTTP directives into the connection yourself, for example: GET /<path> HTTP/1.1

Envoy Training

So far the best Envoy learning series. The key takeaways are summarized in subsequent sections.

Episode 1: Intro to Envoy

The codelab GitHub repo.

  • Cloud Native L4/L7 proxy.
  • Extensibility.
  • Control via API (usually gRPC): control plane / data plane.
  • Observability: traces and metrics.

Core concepts and data flow, in the same order as in the Envoy config YAML file:

Requests
-> Listeners
-> Filters (routing decision): chained and order matters.
   -> TCP Filters
   -> HCM (http_connection_manager) Filters: turns Envoy into an HTTP L7 proxy.
      -> HTTP Filters: operate on HTTP headers, body, etc.
      -> Router Filters: sends traffic to upstream.
-> Clusters: upstream destinations
-> Endpoints/Cluster member/Cluster Load Assignment
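
The same flow written out as a static Envoy config, with the ext_authz HTTP filter placed before the router so the external authz gRPC server is consulted first. This is an added example, not taken from the original post or the codelab; the listener name and port, the cluster names backend and authz, and their addresses and ports are assumptions.

```yaml
static_resources:
  listeners:                                  # Requests -> Listeners
  - name: ingress                             # name and port are assumptions
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:                                # network (TCP) filters, in order
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            virtual_hosts:
            - name: all
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend }
          http_filters:                       # HTTP filters run top to bottom
          - name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              transport_api_version: V3
              # false (the default) fails closed when the authz server errors or times out
              failure_mode_allow: false
              grpc_service:
                envoy_grpc: { cluster_name: authz }
                timeout: 0.5s
          - name: envoy.filters.http.router   # last filter: forwards to the cluster
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:                                   # upstream destinations (names/addresses assumed)
  - name: backend
    type: STRICT_DNS
    load_assignment:                          # endpoints of the cluster
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { socket_address: { address: backend, port_value: 8000 } } }
  - name: authz                               # the external authz gRPC server
    type: STRICT_DNS
    typed_extension_protocol_options:         # gRPC requires HTTP/2 to the upstream
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config: { http2_protocol_options: {} }
    load_assignment:
      cluster_name: authz
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { socket_address: { address: authz, port_value: 9000 } } }
```

Setting failure_mode_allow to true would let requests reach the backend whenever the authz server is unreachable, so an outage of that server silently removes the check.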

Episode 05: Envoy filters

Envoy HTTP Filters:

  • Code that can interact with request/response.
  • Async IO.
  • Transparently work with HTTP 1.1 or 2/3.
  • Chained together.

Episode 15: Envoy + External Services

The external authz gRPC server is taken from this episode, which is super helpful; see the codelab.

Other Learning Resources

Istio (as far as I understand it) is basically an Envoy discovery service that uses information from the Kubernetes API (e.g. the services in your cluster) to configure Envoy clusters/routes. It has its own configuration language.
