Manage Envoy as an Application Gateway
Envoy Gateway is an open source project that will manage Envoy as an application gateway. It will provide a suite of services to drive adoption with users and throughout the cloud native ecosystem. Key features of Envoy Gateway are:
- An xDS control plane to manage a fleet of Envoys.
- An expressive API, based on Gateway API, with reasonable default settings to simplify the Envoy user experience.
- Support for heterogeneous environments. Note: The project initially targets Kubernetes.
- Extensibility to support a multitude of application gateway use cases.
- Envoy infrastructure provisioning and management.
- High-quality documentation, tooling, and a diverse group of project maintainers for support.
Envoy Gateway will make it easy for users to leverage the power of Envoy. With its support for multiple user personas, organizations can leave their existing operational models unchanged. For example, infrastructure admins can use Envoy Gateway to provision and manage fleets of Envoys while application developers can simply route application traffic to their backend services. Executives and decision-makers can find comfort in knowing that Envoy Gateway is backed by the Envoy community.
Envoy Background
Envoy is a highly successful open source project, as shown by its adoption in Istio, Tetrate Service Bridge, and its use in the enterprise – Lyft, Slack, and many others. Although Envoy has a wealth of capabilities, it can be daunting for a user to quickly learn and begin utilizing it. Envoy Gateway will abstract these complexities away from users. Envoy Gateway will support Envoy’s rich feature set, including:
- Traffic management
- Load-balancing algorithms
- Weight-based routing
- Priority routing
- Circuit breakers (and other resiliency features)
- Rate limiting
- Request transformations
- Authentication and authorization
- And many others
In other words, Envoy is a feature-rich application gateway. However, it was not initially designed for application developers who routinely author application networking and security policies. Envoy Gateway was created to unlock these capabilities for application developers.
Configuring Envoy Gateway
Although the project does not have an implementation yet, its user interface will be based on Gateway API, an open source project managed by the Kubernetes Network SIG. Here’s a common workflow that can be expected for Envoy Gateway in Kubernetes:
Install Envoy Gateway:
`kubectl apply -f /my/envoy/gateway/deployment.yaml`
Create a GatewayClass:
```yaml
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: GatewayClass
metadata:
  name: internet-facing
spec:
  controllerName: envoyproxy.io/envoy-gateway
```
The GatewayClass is used to provide configuration parameters to Gateways of this class. The `controllerName` field tells Envoy Gateway that it’s responsible for managing Gateways of this class. Since the GatewayClass does not include a `parametersRef` field, Gateways that reference this GatewayClass will use default settings.
Create a Gateway:
```yaml
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: example-gateway
  namespace: example
spec:
  gatewayClassName: internet-facing
  listeners:
  - name: http
    protocol: HTTP
    port: 8080
```
The Gateway triggers Envoy Gateway to provision the Envoy infrastructure. This could mean deploying Envoy proxies to each node in the cluster, adding a listener to an existing Envoy, etc. The `gatewayClassName` field tells Envoy Gateway that any additional configuration parameters come from the GatewayClass named “internet-facing”. The Envoy infrastructure is now provisioned and is listening for HTTP connections on port 8080.
Create an HTTPRoute:
```yaml
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: example-route
  namespace: example
spec:
  parentRefs:
  - name: example-gateway
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /v1
    backendRefs:
    - name: example
      port: 8080
```
The HTTPRoute exposes the backend Service named “example” through Gateway “example-gateway”. The route contains rules that provide a wealth of capabilities to match, filter, and forward application-level traffic. In this example, the configuration routes all HTTP traffic with a path prefix of “/v1” to the “example” service.
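The reference chain described in the steps above (GatewayClass `controllerName`, Gateway `gatewayClassName`, HTTPRoute `parentRefs`) can be checked offline to see what each listener exposes before anything is applied. This is an added example, not code from the Envoy Gateway project: the `resolve` function and the dict encoding of the three manifests are hypothetical, and it ignores listener `sectionName`, hostnames and cross-namespace attachment rules.

```python
# Added example (not project code): resolve GatewayClass -> Gateway -> HTTPRoute
CONTROLLER = "envoyproxy.io/envoy-gateway"  # controllerName used on this page

# The three manifests from the walkthrough, re-typed as Python dicts (assumed encoding).
MANIFESTS = [
    {"kind": "GatewayClass", "metadata": {"name": "internet-facing"},
     "spec": {"controllerName": CONTROLLER}},
    {"kind": "Gateway", "metadata": {"name": "example-gateway", "namespace": "example"},
     "spec": {"gatewayClassName": "internet-facing",
              "listeners": [{"name": "http", "protocol": "HTTP", "port": 8080}]}},
    {"kind": "HTTPRoute", "metadata": {"name": "example-route", "namespace": "example"},
     "spec": {"parentRefs": [{"name": "example-gateway"}],
              "rules": [{"matches": [{"path": {"type": "PathPrefix", "value": "/v1"}}],
                         "backendRefs": [{"name": "example", "port": 8080}]}]}},
]

def resolve(manifests, controller=CONTROLLER):
    """Return (exposures, problems) for the given manifests."""
    by_kind = {}
    for obj in manifests:
        by_kind.setdefault(obj["kind"], []).append(obj)
    # Only GatewayClasses naming this controller are managed by it.
    managed = {c["metadata"]["name"] for c in by_kind.get("GatewayClass", [])
               if c["spec"]["controllerName"] == controller}
    gateways, problems = {}, []
    for g in by_kind.get("Gateway", []):
        key = (g["metadata"]["namespace"], g["metadata"]["name"])
        if g["spec"]["gatewayClassName"] in managed:
            gateways[key] = g
        else:
            problems.append(f"Gateway {key[0]}/{key[1]}: class not managed by {controller}")
    exposures = []
    for r in by_kind.get("HTTPRoute", []):
        ns, name = r["metadata"]["namespace"], r["metadata"]["name"]
        for ref in r["spec"]["parentRefs"]:
            # A parentRef without a namespace points into the route's own namespace.
            gw = gateways.get((ref.get("namespace", ns), ref["name"]))
            if gw is None:
                problems.append(f"HTTPRoute {ns}/{name}: parentRef {ref['name']} has no managed Gateway")
                continue
            for lis in gw["spec"]["listeners"]:
                for rule in r["spec"]["rules"]:
                    for match in rule.get("matches", [{}]):
                        path = match.get("path", {"type": "PathPrefix", "value": "/"})
                        for b in rule.get("backendRefs", []):
                            exposures.append((lis["protocol"], lis["port"], path["value"],
                                              f"{ns}/{b['name']}:{b['port']}"))
    return exposures, problems
```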
Envoy Gateway intends to provide a “batteries included” workflow by creating a default GatewayClass and Gateway. This streamlined workflow will be perfect for application developers who simply need to route traffic to their backend services.