Leandro Jaeger Lafin
Systems analyst in the cardiology department (CI) at Philips
https://www.linkedin.com/in/llafin/
The cardiology department (CI) has existed since the 1990s
1990s - It built desktop software that took readings from machines
2007 - The first web solutions began to appear
2018 - Preparations for the move to the cloud began
ENVOY IS AN OPEN SOURCE EDGE AND SERVICE PROXY, DESIGNED FOR CLOUD-NATIVE APPLICATIONS
What is its community?
And who actually uses it?
Why use it? What does it set out to solve?
Lessons learned from solutions such as NGINX, HAProxy, hardware and cloud load balancers
OUT OF PROCESS ARCHITECTURE
HTTP/2 AND GRPC SUPPORT
ADVANCED LOAD BALANCING
APIS FOR CONFIGURATION MANAGEMENT
OBSERVABILITY
And how can we configure it and make the magic happen...
    routes:
      # Defines a routing rule based on the path and headers of the incoming request.
      - match:
          prefix: /
          headers:
            - name: x-forwarded-proto
              exact_match: http
        redirect:
          # Forces a redirection to change the request from http to https.
          path_redirect: /
          https_redirect: true
      - match:
          prefix: /digihero/oauth2/
        route:
          cluster: oauth-proxy
      # Defines a routing rule for the path '/digihero/api/digimon/'
      - match:
          prefix: /digihero/api/digimon/
        route:
          # Redirect the incoming request to the external domain/cluster 'digimon-api'
          cluster: digimon-api
          # Rewrite the path from '/digihero/api/digimon/' to '/api/digimon/'
          prefix_rewrite: /api/digimon/
          host_rewrite_literal: ${DIGIMON_EXTERNAL_DOMAIN}
      # Defines a specific routing rule for the path '/digihero/api/Logger'
      - match:
          prefix: /digihero/api/Logger
        route:
          # Redirect the incoming request to the internal cluster 'dummy-api'
          cluster: dummy-api
          # Manipulates the requests according to the available API version
          # Rewrite the path from '/digihero/api/Logger' to '/v2/Logger'
          prefix_rewrite: /v2/Logger
Configure and manipulate routes
    http_filters:
      # Sets Envoy to check the CORS policies on every request.
      - name: envoy.filters.http.cors
        typed_config: {}
      # Sets Envoy to check the user authentication on every request.
      - name: envoy.filters.http.ext_authz
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          transport_api_version: V3
          http_service:
            server_uri:
              uri: oauth2-proxy.apps.internal:8080
              cluster: oauth-proxy
              timeout: 4s
            authorization_request:
              allowed_headers:
                patterns:
                  - exact: cookie
                  - prefix: x-
            authorization_response:
              allowed_client_headers:
                patterns:
                  - exact: set-cookie
              allowed_client_headers_on_success:
                patterns:
                  - exact: set-cookie
              allowed_upstream_headers:
                patterns:
                  - exact: set-cookie
                  - contains: authorization
                  - prefix: x-auth-request
      # Sets Envoy to execute the following Lua script in the incoming requests.
      - name: envoy.filters.http.lua
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inline_code: |
            function envoy_on_request(request_handle)
              -- Retrieves the value of the header 'x-auth-request-access-token'
              local accessToken=request_handle:headers():get("x-auth-request-access-token")
              if not(accessToken == nil or accessToken == '') then
                -- Adds the access token as the 'Authorization' header in the incoming request.
                request_handle:headers():replace("Authorization","Bearer "..accessToken)
              end
            end
      # Sets Envoy to use the routing configuration defined.
      - name: envoy.filters.http.router
        typed_config: {}
Apply filters per request
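Added example (not part of the original slides and not Envoy code): a simplified Python model of the header flow that the ext_authz pattern lists and the Lua filter above produce for an allowed request. The function names and the sample headers are constructed for illustration, and headers that Envoy adds to the authorization request on its own are left out.

```python
# Simplified model of the header flow in the http_filters config above
# (added example, not Envoy's implementation).

# Pattern lists copied from the ext_authz filter on the page.
ALLOWED_TO_AUTHZ = [("exact", "cookie"), ("prefix", "x-")]
ALLOWED_UPSTREAM = [("exact", "set-cookie"), ("contains", "authorization"),
                    ("prefix", "x-auth-request")]

def matches(name, patterns):
    """True if the lower-cased header name matches any exact/prefix/contains pattern."""
    name = name.lower()
    for kind, value in patterns:
        if ((kind == "exact" and name == value)
                or (kind == "prefix" and name.startswith(value))
                or (kind == "contains" and value in name)):
            return True
    return False

def select(headers, patterns):
    """Keep only the headers whose names match one of the patterns."""
    return {k.lower(): v for k, v in headers.items() if matches(k, patterns)}

def lua_on_request(headers):
    """Mirror of the page's Lua script: copy the access token into Authorization."""
    token = headers.get("x-auth-request-access-token")
    if token:  # same nil/empty check as the Lua script
        headers["authorization"] = "Bearer " + token
    return headers

def upstream_headers(client, authz_response):
    """Headers the router sees after an allowed ext_authz check and the Lua filter."""
    merged = {k.lower(): v for k, v in client.items()}
    # Selected authorization-response headers overwrite same-named request headers.
    merged.update(select(authz_response, ALLOWED_UPSTREAM))
    return lua_on_request(merged)

# Constructed sample data (not from the page).
CLIENT = {"Cookie": "_oauth2_proxy=abc", "X-Request-Id": "r-1", "Accept": "*/*"}
AUTHZ_OK = {"X-Auth-Request-Access-Token": "tok123",
            "X-Auth-Request-Email": "user@example.com", "Content-Type": "text/plain"}

if __name__ == "__main__":
    print("to auth service:", select(CLIENT, ALLOWED_TO_AUTHZ))
    print("to upstream:    ", upstream_headers(CLIENT, AUTHZ_OK))
```

Request headers that the authorization response does not overwrite reach the upstream unchanged, so check that the auth service returns `x-auth-request-access-token` on every allowed response.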
    clusters:
      - name: oauth-proxy
        connect_timeout: 4s
        type: logical_dns
        load_assignment:
          cluster_name: oauth-proxy
          endpoints:
            - lb_endpoints:
                - endpoint:
                    address:
                      # Defines the endpoint and port for the cluster. See: docker-compose.yml the network config for the container oauth2-proxy.
                      socket_address:
                        address: digihero.oauth2-proxy.apps.internal
                        port_value: 8080
      - name: google
        connect_timeout: 10s
        type: logical_dns
        load_assignment:
          cluster_name: google
          endpoints:
            - lb_endpoints:
                - endpoint:
                    address:
                      # Defines the endpoint and port for the cluster.
                      socket_address:
                        # Gets the external domain endpoint from environment variables. See: .env.gateway file.
                        address: google.com
                        port_value: 443
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
Configure communications, load, certificates...