Gateway APIs, Envoy Gateway, and API Gateways
0 likes77 views
Up until now, Ingress routes into K8s clusters have been defined by the Ingress kind, or by vendor-specific CRDs. Neither of these were satisfactory, so a new set of built-in k8s APIs was developed - the Gateway API. In this talk, Matt will cover the motivation for a new API, its design, and show some examples of its use. He’ll then also cover implimentations of it today and in the future, and talk about the exciting merging of several of the existing ingress controllers into one new de facto standard - Envoy Gateway.
![Gateway APIs and API Gateways @mt165
Outline
● Recap: Ingress
● Gateway API
● Envoy Gateway
● [Envoy] [API] Gateway
● Where Next?](https://image.slidesharecdn.com/20221004kubehuddleedinburgh-221005122608-e07e1d41/85/Gateway-APIs-Envoy-Gateway-and-API-Gateways-3-320.jpg)
![Gateway APIs and API Gateways @mt165
HTTPRoute
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
name: http-log
spec:
parentRefs: [{name: my-gateway}]
hostnames: ["www.example.com"]
rules:
- matches:
- path: {value: /http-log, type: PathPrefix}
backendRefs:
- {group: "", kind: Service, name: http-log, port: 80, weight: 1}](https://image.slidesharecdn.com/20221004kubehuddleedinburgh-221005122608-e07e1d41/85/Gateway-APIs-Envoy-Gateway-and-API-Gateways-33-320.jpg)
More Related Content
Similar to Gateway APIs, Envoy Gateway, and API Gateways (20)
More from Matt Turner (20)
Recently uploaded (20)
Gateway APIs, Envoy Gateway, and API Gateways
- 1. Gateway APIs and API Gateways @mt165 Modern Ingress Demystified Gateway APIs and API Gateways Matt Turner KubeHuddle, Edinburgh UK | October 2022 @mt165 | mt165.co.uk
- 2. Gateway APIs and API Gateways @mt165 THE ENTERPRISE SERVICE MESH COMPANY
- 3. Gateway APIs and API Gateways @mt165 Outline ● Recap: Ingress ● Gateway API ● Envoy Gateway ● [Envoy] [API] Gateway ● Where Next?
- 4. Gateway APIs and API Gateways @mt165 Ingress Networking
- 5. Gateway APIs and API Gateways @mt165 Service A Backend *.example.com Service A Service A
- 6. Gateway APIs and API Gateways @mt165 Service A Backend Load Balancer *.example.com Service A Service A
- 7. Gateway APIs and API Gateways @mt165 Service A Backend Load Balancer Node port *.example.com Service A Service A
- 8. Gateway APIs and API Gateways @mt165 Backend Load Balancer Node port Cluster IP *.example.com Service A Service A Service A
- 9. Gateway APIs and API Gateways @mt165 Backend Proxy Proxy Proxy Proxy Ingress Load Balancer Node port Cluster IP *.example.com Service A Service A Service A
- 10. Gateway APIs and API Gateways @mt165 Service A Backend Proxy Proxy Proxy Proxy Ingress Load Balancer Node port Cluster IP *.example.com Cluster IP Service A Service A
- 11. Gateway APIs and API Gateways @mt165 Service A Backend Proxy Proxy Proxy Proxy Ingress Load Balancer Node port Cluster IP *.example.com Cluster IP Service A Service A
- 12. Gateway APIs and API Gateways @mt165 Service A Backend Proxy Proxy Proxy Proxy Ingress Load Balancer Node port *.example.com Service A Service A Ingress Controller Service A
- 13. Gateway APIs and API Gateways @mt165 Service A Backend Proxy Proxy Proxy Proxy Ingress Load Balancer Node port *.example.com Service A Service A Ingress Controller Service A K8s API Server etcd
- 14. Gateway APIs and API Gateways @mt165 Service A Backend Proxy Proxy Proxy Proxy Ingress Load Balancer Node port *.example.com Service A Service A Ingress Controller Service A K8s API Server etcd Ingress
- 15. Gateway APIs and API Gateways @mt165 😅
- 16. Gateway APIs and API Gateways @mt165 The Ingress API
- 17. Gateway APIs and API Gateways @mt165 Ingress API apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: minimal-ingress spec: rules: - host: example.com http: paths: - path: /test backend: service: name: test port: number: 80
- 18. Gateway APIs and API Gateways @mt165 Ingress API apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: minimal-ingress annotations: nginx.ingress.kubernetes.io/rewrite-target: / spec: rules: - host: example.com http: paths: - path: /test backend: service: name: test port: number: 80
- 19. Gateway APIs and API Gateways @mt165 Ingress API apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: minimal-ingress annotations: kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/rewrite-target: / spec: rules: - host: example.com http: paths: - path: /test backend: service: name: test port: number: 80
- 20. Gateway APIs and API Gateways @mt165 Ingress API apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: minimal-ingress annotations: nginx.ingress.kubernetes.io/rewrite-target: / spec: ingressClassName: nginx rules: - host: example.com http: paths: - path: /test pathType: Prefix backend: service: name: test port: number: 80
- 21. Gateway APIs and API Gateways @mt165 Ingress API apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: name: nginx spec: controller: example.com/nginx-ingress-controller
- 22. Gateway APIs and API Gateways @mt165 Ingress API apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: name: nginx spec: controller: example.com/nginx-ingress-controller --- kind: Deployment spec: template: spec: containers: - name: nginx args: - /nginx-ingress-controller - '--ingress-class=k8s.io/nginx' - '--controller-class=example.com/nginx-ingress-controller'
- 23. Gateway APIs and API Gateways @mt165 Ingress API apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: minimal-ingress annotations: nginx.ingress.kubernetes.io/rewrite-target: / nginx.ingress.kubernetes.io/configuration-snippet: | more_set_headers "Request-Id: $req_id"; spec: ingressClassName: nginx rules: - host: example.com http: …
- 24. Gateway APIs and API Gateways @mt165 Ingress API: Implementations ● Nginx ● Haproxy ● Apache ● Traefik ● Contour ● Ambassador ● Kong ● Tyk ● Avi ● Istio ● etc
- 25. Gateway APIs and API Gateways @mt165 😅😅
- 26. Gateway APIs and API Gateways @mt165 Gateway API
- 27. Gateway APIs and API Gateways @mt165 xkcd, Creative Commons Attribution 2.5
- 28. Gateway APIs and API Gateways @mt165 Recap: The Storage API StorageClass PersistentVolume Pod PersistentVolume Claim Pod Pod (AWS, gp2) (10Gi, ReadOnce) PersistentVolume Claim Infra provider / cluster builder: Infra admin: App dev: PersistentVolume
- 29. Gateway APIs and API Gateways @mt165 The Gateway API
- 30. Gateway APIs and API Gateways @mt165 The Gateway API ● Not built-in yet; packaged as CRDs ● >1 resource ● gateway.networking.k8s.io ○ GatewayClass/v1beta1 ○ Gateway/v1beta1 ○ HTTPRoute/v1beta1 ○ TLSRoute/v1alpha1 - SNI routing ○ GRPCRoute/v1alpha1 ○ TCPRoute/v1alpha1 ○ UDPRoute/v1alpha1
- 31. Gateway APIs and API Gateways @mt165 GatewayClass apiVersion: gateway.networking.k8s.io/v1beta1 kind: GatewayClass metadata: name: my-class spec: controllerName: gateway.envoyproxy.io/gatewayclass-controller
- 32. Gateway APIs and API Gateways @mt165 apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway metadata: name: my-gateway spec: gatewayClassName: my-class listeners: - name: http protocol: HTTP port: 80 - name: https protocol: HTTPS port: 443 Gateway
- 33. Gateway APIs and API Gateways @mt165 HTTPRoute apiVersion: gateway.networking.k8s.io/v1beta1 kind: HTTPRoute metadata: name: http-log spec: parentRefs: [{name: my-gateway}] hostnames: ["www.example.com"] rules: - matches: - path: {value: /http-log, type: PathPrefix} backendRefs: - {group: "", kind: Service, name: http-log, port: 80, weight: 1}
- 34. Gateway APIs and API Gateways @mt165 What else does it look like? ● Heavily based on the Istio API ● In turn, Istio implements the Gateway API ○ Currently beta ○ Will be default when gw-api hits v1 ● Also implemented by the SMI Meshes (Linkerd2, Consul, Open Service Mesh, etc)
- 35. Gateway APIs and API Gateways @mt165 A Mesh API? ● Gain resources to describe East-West (service mesh) ● GAMMA group trying to get meshes to adopt the GW API, and conversely to get GW API to model mesh concerns (https://gateway-api.sigs.k8s.io/contributing/gamma/)
- 36. Gateway APIs and API Gateways @mt165 Reference Implementation: Envoy Gateway
- 37. Gateway APIs and API Gateways @mt165 What’s a standard? Nginx-ingress currently the de facto standard ● Surely the most common, certainly when you discount cloud providers’ ingress ● Only one mentioned in the main upstream docs
- 38. Gateway APIs and API Gateways @mt165 An Envoy-Based Gateway ● But nginx isn’t very modern ○ Reads its config from a file, not an API ○ The operator hides this, and that’s fine; that’s its job ○ But those reload events cause the drop of in-flight requests, which isn’t ok ○ Plus other operational issues ○ Hard to extend ● Envoy is more modern, and designed for this kinda stuff ○ xDS API ○ It’s proven itself as Ingress, Sidecar, even GFE ● A new gateway in town!
- 39. Gateway APIs and API Gateways @mt165 Another One? ● Contour, Emissary (formerly Ambassador) agreed to rebase onto the EG code, but will keep their brands, add value
- 40. Gateway APIs and API Gateways @mt165 Demo!
- 41. Gateway APIs and API Gateways @mt165 🍺 An offering to the demo gods...
- 42. Gateway APIs and API Gateways @mt165 👀
- 43. Gateway APIs and API Gateways @mt165 An Adventure in Metrics ● Pod: <EG Operator> ○ Container <main>: no metrics port ○ Container kube-rbac-proxy: https metrics port, just controller_runtime’s default stats ● Pod: <Envoy Instance> ○ Container Envoy: prom-format metrics on admin at localhost:19000 (unreachable)
- 44. Gateway APIs and API Gateways @mt165 Other Features ● cert-manager has experimental support (hard to demo locally)
- 45. Gateway APIs and API Gateways @mt165 A Work-in-Progress ● v0.2 targeting KubeCon ○ Full compliance to the Gateway API ○ Doesn’t seem to mean other basics, like metrics ● To follow the project ○ https://github.com/envoyproxy/gateway ○ Envoy Slack #gateway-dev
- 46. Gateway APIs and API Gateways @mt165 Gateway API API Gateway
- 47. Gateway APIs and API Gateways @mt165 What Even is an API Gateway? You might think ● TLS termination ● Load Balancing ● L7 Routing ● WAF ● Rate-limiting and quotas ● Bot-blocking ● OIDC auth ● Caching ● Body validation and transformation ● Version and staging support ● etc
- 48. Gateway APIs and API Gateways @mt165 What Even is an API Gateway? “Basic” features ● TLS termination ● Load Balancing ● L7 Routing “API Gateway” features ● WAF ● Rate-limiting and quotas ● Bot-blocking ● OIDC auth ● Caching ● Body validation and transformation ● Version and staging support ● etc
- 49. Gateway APIs and API Gateways @mt165 Envoy (API) Gateway ● Extensible code ● Extensible API ● New, clean codebase
- 50. Gateway APIs and API Gateways @mt165 Gateway API models API Gateways ● Gain resources to describe API Gateway features ○ Auth one in progress ● On-going discussion about making the API extensible to model the different features in all the implementations, but in a consistent, first-class way ● “GEP” - Gateway Enhancement Proposal (https://gateway-api.sigs.k8s.io/contributing/gep/) ● Graduation path ○ Vendor extension ○ GW-API extension ○ GW-API core
- 51. Gateway APIs and API Gateways @mt165 A Work-in-the-Future ● Needs the API ● Needs the Extensions ● None being worked on yet (that I know of) ● Except Coraza: a Golang implementation of mod_security
- 52. Gateway APIs and API Gateways @mt165 Recap
- 53. Gateway APIs and API Gateways @mt165 Where Next? ● Release of Envoy Gateway 0.2 for KubeCon Detroit ● Emissary, Contour rebasing eventually ● Get Gateway API into upstream k8s ● Extend the GW-API to model API-GW concerns ○ Solve problems like modelling deploy of redis for global ratelimits ● Build API-GW feature plugins ● Gateway API v1? ● Envoy Gateway 1.0?
- 54. Gateway APIs and API Gateways @mt165 Recap ● Ingress API sucks ● Gateway API doesn’t ○ Ingress ○ East-West ○ API Gateway ● Envoy Gateway exists. It hasn’t got far but you can try it at home. ● Envoy Gateway will become an API Gateway ○ That needs lots of work
- 55. Gateway APIs and API Gateways @mt165 Thanks! Slides Videos Demo code mt165.co.uk Questions @mt165