Envoy Gateway Extension server design

This project implement a REST API invocation and sending the backend response process by extending envoy gateway using extension server.

In this project API invocation part handled by defining own cutstom resources for API, HTTPRoute and Backend.Before sending the desired xDS configurations to the envoy proxy, envoy gateway can configured calling an external server over gRPC calls. In this implementation for handling Kubernetes ingrss traffic through Envoy Gateway, resources used such as Gateway, HTTPRoute, BackendTrafficPolicy and etc.

Custom resource definition generation for API, generated by extension server and CRD will reconciled by envoy gateway controller. so when a user applying own CRs for API invocation, extension server have the ability to identify these resources and reconciling those resources correctly to route the request through HTTPRoute and send the correct response to the user.

In this implementation, swagger-petstore used as the backend.

Find the Docker image used for backend using following URL.

https://github.com/swagger-api/swagger-petstore/tree/master

Below given diagram shows how this was done using envoy gateway and it's extension server.

Extension-server-architecture

Extension-server-API-invoking-process

In this project Rancher desktop uses for kubernetes and Docker. This can be done also using minikube.

Prequisities

Before setting up the cluster and pods make ensure to install these Prequisities.

1. Linux
2. Rancher desktop or minikube
3. Install Go (version 1.23)
4. Install Visual Studio Code
5. Enable vs code extensions (YAML, kubernetes, Docker Extension Pack, Makefile)
6. Start Rancher Desktop

    a. When using Rancher Desktop make ensure to disable Traefik.

    i.   Open Rancher Desktop main window.
    ii.  Select Preferences tab 
    iii. Disable 'Enable Traefik' under options field.

Steps - Setting up the pods

1. Install Gateway API CRDs and Envoy Gateway with creating the namespace envoy-gateway-system:

helm install eg oci://docker.io/envoyproxy/gateway-helm --version v1.1.4 -n envoy-gateway-system --create-namespace 

2. Make ensure to check pods are running without any issue:

kubectl get pods -n envoy-gateway-system  

3. clone the repo:

git clone https://github.com/GitAvi001/Envoy-gateway---Extension-server.git 

4. Move to the directory where Makefile is located:

cd /Envoy-gateway---Extension-server/examples/extension-server

5. Build the extension server and push the docker image to the docker hub: (Make sure to correctly tag the image if you are using your own docker hub repository)

make image

6. Move to the directory where extension server's values.yaml file is located :

cd /Envoy-gateway---Extension-server/examples/extension-server/charts/extension-server

(update image.repository field as <dockerhub_username>/<repository_name>)

7. Make ensure to check pods are running without any issue:

kubectl get pods -n envoy-gateway-system  

8. Check the logs for each pod if any issues and fix them:

i. kubectl get pods -n envoy-gateway-system 

ii. kubectl logs -n envoy-gateway-system <pod_name>

Steps - Apply custom resource definitions(CRD)

a. Use Makefile to generate desired CRD

cd ./examples/extension-server

i. make generate 

ii. make manifests

(CRD can generate with desired versions removing the commented lines in manifests commands)

Steps - Edit /etc/hosts file

This implementation based on hosting the gateway pod at hostname called "www.example.com". this testing part only applicable with the local setup. Traffic comes from localhost's 8080 port and gateway pod accept the traffic by port 80.

i. sudo nano /etc/hosts

ii. Add the desired hostname with the correct localhost ip-address(127.0.0.1) under "To allow the same kube context to work on the host and the container:" section

iii. Add <localhost_ip_address> www.example.com

iv. Enter ctrl + X to save the etc/hosts file.

Steps - Apply custom resources and cluster role binding to the generated custom resource definition.

i. cd ./examples/extension-server/project/apk-cr

ii. kubectl apply -f .-n envoy-gateway-system

Steps - Check pods and services.

i. kubectl get pods -n envoy-gateway-system

ii. kubectl get svc -n envoy-gateway-system

Steps - Check API

kubectl get apis -n envoy-gateway-system

Steps - Check HTTPRoute and backend.

a. Use Envoy gateway config dump to check whether configured HTTPRoutes applied successfully.

i. kubectl get pods -n envoy-gateway-system

ii. kubectl port-forward -n envoy-gateway-system <envoy_gateway_pod> 19000:19000

b. port-forward to the backend service and test the backend first directly.

i. kubectl get svc -n envoy-gateway-system

ii. kubectl port-forward -n envoy-gateway-system svc/<envoy_gateway_service> 8080:80

c. First, import this curl command to postman and directly test the backend.

curl -v -H "Host: www.example.com" "http://localhost:8080/apk-http-route/api/v3/pet/findByStatus?status=available"

Steps - Edit server.go and redeploy extension server.

To extract the basePath or context path correctly from the applied API CR and map to the correct backend resource server.go needed to edit correctly.

After editing the server.go correctly extension-server should redpoly to the kubernetes cluster make sure to enable execute permissions for the script file.

For testing purpose server.go already modified to extract basePath and HTTPRoute from applied CR dynamically.

i. cd ./examples/extension-server

ii. chmod +x deploy-server.sh

iii. ./deploy-server.sh

Steps - Invoke API

curl command using to test the API request call to the API endpoint and check the correct backend response.

a. port-forward to envoy-gateway service.

i. kubectl get svc -n envoy-gateway-system

ii. kubectl port-forward -n envoy-gateway-system svc/<envoy_gateway_service> 8080:80

b. Import this curl command to postman and invoke the API.

curl -v -H "Host: www.example.com" "http://localhost:8080/my-api/apk-http-route/api/v3/pet/findByStatus?status=available"

Steps - Enable Rate Limiting

Rate limiting feature applied for this implementation only for Gateway level. Also rate limiting can enable for HTTPRoute level.

Check more about rate limiting using Envoy Gateway: https://gateway.envoyproxy.io/contributions/design/rate-limit/

i. cd ./examples extension-server/rateLimiting-global

ii. kubectl apply -f . -n envoy-gateway-system

Steps- error checking

Check if any errors in the logs.

i. kubectl logs -n envoy-gateway-system <envoy_gateway_pod>

ii. kubectl logs -n envoy-gateway-system <extension_server_pod>

🔗 Links

Rancher Desktop installation: https://docs.rancherdesktop.io/getting-started/installation/

Go(version 1.23.3) installation: https://go.dev/doc/install

Visual studio Code installation: https://code.visualstudio.com/download

Envoy Gateway: https://gateway.envoyproxy.io/

Envoy Gateway resources: https://gateway.envoyproxy.io/docs/concepts/concepts_overview/

Envoy Gateway Extension Server: https://gateway.envoyproxy.io/v1.1/tasks/extensibility/extension-server/

Envoy Gateway Rate limit design: https://gateway.envoyproxy.io/contributions/design/rate-limit/