System Design Doc #16

Merged
merged 10 commits into from
May 2, 2022
81 changes: 81 additions & 0 deletions design/SYSTEM_DESIGN.md
@@ -0,0 +1,81 @@
### Architecture
![Architecture](images/architecture.png)

### Configuration

#### User Config
This configuration is based on the [Gateway API](https://gateway-api.sigs.k8s.io) and will provide:
* Infrastructure Management capabilities for the Infrastructure Administrator to provision the infrastructure required to run EnvoyProxy.
This is expressed using the [Gateway resource](https://gateway-api.sigs.k8s.io/concepts/api-overview/#gateway).
Contributor

The Envoy proxy config is expressed using GC and GW resources. The GC optionally contains Envoy config parameters. If no parameterRefs are provided, then a matching GW instance will cause EG to provision an Envoy fleet with its default config (we should specify what Envoy's default config is).

* Ingress and API Gateway capabilities for the application developer to define networking and security intent for their incoming traffic.
This is expressed using [HTTPRoute](https://gateway-api.sigs.k8s.io/concepts/api-overview/#httproute), [TLSRoute](https://gateway-api.sigs.k8s.io/concepts/api-overview/#tlsroute),
[TCPRoute or UDPRoute](https://gateway-api.sigs.k8s.io/concepts/api-overview/#tcproute-and-udproute).

#### Bootstrap Config
This is the configuration provided by the Infrastructure Administrator that allows them to bootsrap and configure various internal aspects of EnvoyGateway controller.
This can either be specified as a commandline argument or be expressed as part of the [GatewayClass resource](https://gateway-api.sigs.k8s.io/concepts/api-overview/#gatewayclass)
that is consumed by a separate process, the EnvoyGateway Operator to create an instance of EnvoyGateway.

### Components

#### Config Sources
This component is responsible for consuming the user configuration from various platforms. Data persistence should be tied to the specific config source’s capabilities. For e.g. in Kubernetes, the resources will persist in etcd, if using the path watcher, the resources will persist in a file.

##### Kubernetes
The Kubernetes controller watches the Kubernetes API Server for resources, fetches them, and publishes it to the translators for further processing.

##### Path Watcher
It watches for file changes in a path, allowing the user to configure EnvoyGateway using resource configurations saved in a file or directory.

#### Config Server
This is a HTTP/gRPC Server (TBD) allowing EnvoyGateway to be configured from a remote endpoint.

#### Intermediate Representation (IR)
This is an internal data model that user facing APIs are translated into allowing for internal services & components to be decoupled.

#### Config Manager
This component consumes the Bootstrap Config, and spawns the appropriate internal services in EnvoyGateway based on the config.

#### Message Service
This component allows internal services to publish message / data types as well as subscribe to them. A message bus architecture allows components to be loosely coupled
, work in an asynchronous manner and also scale out into multiple processes if needed. It can also aggregate resources from multiple publishers allowing configuration from
individual config sources to be aggregated before being processed by the translation layers.

#### Service Resolver
This optional component preprocesses the IR resources and resolves the services into endpoints enabling precise load balancing and resilience policies.
For e.g. in Kubernetes, a controller service could watch for EndpointSlice resources, converting Services to Endpoints, allowing for Envoyproxy to skip kube-proxy’s
load balancing layer. This component is tied to the platform where it is running. When disabled, the services will be resolved by the underlying DNS resolver or
by explicitly specifying IPs.

Contributor

Does a non-k8s use case exist for the "Service Resolver"? If not, then this should be a sub-component of the k8s config source.

Contributor Author

You could get user config from a platform like k8s, but you could connect to a separate service registry like Consul for resolving services.

#### Gateway API Translator
This is a platform agnostic translator that translates Gateway API resources to an Intermediate Representation.

#### EnvoyProxy Translator
This component translates the IR into EnvoyProxy Resources.

#### xDS Server
This component is a xDS gRPC Server based on the [Envoy Go Control Plane](https://github.com/envoyproxy/go-control-plane) project that implements the xDS Server Protocol
and is responsible for configuring EnvoyProxy resources in EnvoyProxy.

#### Provisioner
The provisioner configures any infrastruture needed based on the IR.

##### Envoy
Provisions a Envoy based Load balancer service. This is a platform specific component.
For example, a Terraform or Ansible provisioner could be added in the future to provision the Envoy infra in a non-k8s env.

##### Auxiliary Control Planes
These components are responsible for handling out of band control plane traffic sent by EnvoyProxy.

###### Rate Limit service
This is based on the [Envoy Rate Limit Service](https://github.com/envoyproxy/ratelimit) and will consume the IR and translate it into the server side rate limiting config.
A similar EnvoyProxy translator sub component would translate the IR into Envoy’s ratelimit filter.

### Design Decisions
* A single EnvoyGateway instance will consume many [Gateway resources](https://gateway-api.sigs.k8s.io/concepts/api-overview/#gateway) to manage a fleet of EnvoyProxies with different configurations.
* The goal is to make the Provisioner & Translator layers extensible, but for the near future, extensibility can be achieved using xDS support that EnvoyGateway will provide.

### Open Questions
* Which APIGateway and Ingress features will EnvoyGateway introduce in the near future ?

The draft for this document is [here](https://docs.google.com/document/d/1riyTPPYuvNzIhBdrAX8dpfxTmcobWZDSYTTB5NeybuY/edit)
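
Review bot: the "Config Server" section says only that an HTTP/gRPC server (TBD) allows EnvoyGateway "to be configured from a remote endpoint", with no statement of how callers are authenticated or authorized or whether the transport is protected. Because that endpoint can change proxy configuration, the doc should state the intended trust model in that section or list it under "Open Questions"; the same gap applies to the "xDS Server" section and to who is allowed to write to the path read by "Path Watcher". The "Bootstrap Config" section also allows the same settings to come from a command-line argument or from the GatewayClass resource without saying which takes precedence if both are present. Minor: "bootsrap" in "Bootstrap Config" and "infrastruture" in "Provisioner" are typos, and "Auxiliary Control Planes" is nested under "Provisioner" at the same heading level as "Envoy", which may not be the intended hierarchy.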
Binary file added design/images/architecture.png