Cloud Native Computing Foundation / EnvoyCon 2020 - Virtual



These are all the meetings we have in "EnvoyCon 2020 - Virtual" (part of the organization "Cloud Native Computi…"). Click into individual meeting pages to watch the recording and search or read the transcript.

12 Nov 2020

Authorization with Envoy at Square - Jelle Vanhorenbeke

Every organization has different authentication and authorization needs and it is not always clear how Envoy can help to abstract this from the application layer. In this talk we will show you how Square leverages Envoy's ext_authz filter and how our centralized authorization service has become the new source of truth for hundreds of services. We will cover how we migrated multiple authorization libraries to this centralized authorization service and how we rolled out these changes to production. This process has benefited other teams and allowed them to launch new features that were previously not possible.
  • 1 participant
  • 28 minutes
authorizations
authorization
authentication
security
overview
session
square
important
users
chat

12 Nov 2020

Building idiomatic Envoy SDKs for Rust and Go - Yaroslav Skopets, Takeshi Yoneda

Support for WebAssembly is slowly coming into upstream Envoy.

Eager to get our hands dirty, we've embarked on a journey to develop our very first Envoy extensions in Rust and Go - languages beloved by the Cloud Native Community.

It's been a bumpy ride and we're happy we've made it :)

In this session we will share our learnings from building Envoy SDKs for Rust and Go:
* what challenges we've met
* what issues remain open
* what makes SDK ergonomic

We will give a demo of practical extensions that have been made possible so far and, most certainly, will beg Envoy folks to give us even more features we miss so much :)

Our goal is to raise awareness in the community about the current state of Wasm, and to invite everyone to collaborate on the SDK for the language of their choice.
  • 2 participants
  • 30 minutes
envoy
interface
implementation
enterprise
repository
message
contribute
going
conference
observe

12 Nov 2020

CacheFilter: Flexible HTTP Caching in Envoy - Josiah Kiehl, Todd Greer

Web traffic relies extensively on caching proxies, and Envoy needs robust HTTP caching support to perform that role, but scaling and feature requirements vary too much for a "one size fits all" implementation. CacheFilter is an Envoy filter that handles the many caching-related request and response headers and directives, with the customizability and extensibility to support anything from single-server deployments to planetary-scale caching systems with extensive bespoke needs.
  • 2 participants
  • 30 minutes
cache
caching
cached
caches
envoy
cacheable
proxy
streamed
filters
api

12 Nov 2020

Changing Oil for a Fast Running (Side) Car Quickly and Safely - Fuyuan Bie

While we all want our features in production ASAP, safety - on the other hand - is the last thing we should sacrifice. At Pinterest, the mesh configuration story looks like this:
* thousands of clusters
* under 25 minutes to fully deploy through all stages and availability zones serially
* 0 incidents during xDS v3 migration
* every change is validated individually
* full visibility into change and client history

Thanks to comprehensive pre-deploy validation, holistic health checks and a specially designed feedback channel based on xDS, configuration roll-out is safe and yet very fast. The machinery carries every config change to VMs, dockerized hosts, and k8s automatically. Should an issue happen, it can spot the problem within a minute. In this talk, we will share the architecture, design considerations, good practices, and lessons learned along our path towards configuration nirvana.
  • 1 participant
  • 30 minutes
configuration
configure
infrastructure
protocol
ports
traffic
server
process
mechanic
control

12 Nov 2020

Community and Extensibility: Building Envoy's Flexible Compression Subsystem - Mikko Ylinen, Jose Nino

HTTP compression is used by web proxies to compress data before sending it out over the wire. This saves network bandwidth and speeds up transfers. Until its v1.15 release, Envoy implemented limited unidirectional Gzip compression. Through a cross-company (also cross-continent!) collaboration, compression was generalized to its own extension subsystem to make it possible to add new compression schemes, custom implementations of existing formats, and have fully bidirectional (de)compression. This talk will walk the audience through the evolution of compression in Envoy, highlighting the flexibility of the extension system, and dive into two use cases now possible with the compression subsystem: 0-touch bidirectional (de)compression between mobile clients and edge; and new compression implementations now possible, e.g., a compressor utilizing HW accelerators to optimize server compute.
  • 2 participants
  • 29 minutes
compression
compressed
decompressor
processing
accelerated
envoy
interface
subsystem
proxying
streaming

12 Nov 2020

Creating request buffering filters for edge devices - Seiichi Koizumi, Tomoya Amachi

We are developing a proxy for edge devices that work on an unstable network, using custom Envoy filters. This session will cover how to manage request data when network interfaces and network statuses change.

Our proxy use cases are as follows:

1: Run applications that are not designed for an unstable network on vehicles. Even if the network is unstable, misaki-proxy buffers the request in a queue, so that the application does not need to add retransmission processing.

2: Upload large files only when vehicles are connected to a WiFi network. A 3G/4G network is more expensive than WiFi. Therefore, large amounts of data can be requested only over WiFi. You can set the type of network you want to use for each destination domain.
  • 2 participants
  • 9 minutes
proxy
envoy
devices
application
filter
mesh
vehicles
communicate
concerns
wifi

12 Nov 2020

Envoy on Kittens: Improving Developer and Maintainer Velocity - Itay Donanhirsh

In this talk Itay will present RepoKitteh (https://repokitteh.io), a lightweight, rapid and low cost approach for GitHub automation. The presenter will explain the necessity for GitHub automation, how RepoKitteh approaches the problem and how it compares to the alternatives, such as hand-crafted custom integrations and GitHub Actions. The integration with Envoy will be detailed, and a demonstration of implementing new automations will be given. At the end of this talk, Envoy contributors will be empowered and inspired to add their own RepoKitteh integrations.
  • 2 participants
  • 27 minutes
automation
repository
monitoring
maintainers
bureaucracy
repo
execution
important
cumbersome
cat

12 Nov 2020

Envoy on Windows: Use-cases, roadmap, and more - Sunjay Bhatia, David Schott

Ready to dive a little deeper into the world of Envoy on Windows? Learn about the ongoing efforts to enable the vast ecosystem of Windows applications to leverage the Envoy proxy, what it can do now, and what is coming next. Contributors have been hard at work bringing Windows platform support to Envoy. The project hopes to enable the vast ecosystem of Windows application architectures to leverage Envoy’s rich feature set and benefit from the vibrant Envoy open source community. This talk will show how Envoy users can start to use and evaluate Envoy on Windows, demonstrate how Envoy can be used to enable cloud-native applications on Windows, and discuss the roadmap ahead.
  • 2 participants
  • 27 minutes
envoy
porting
envoys
onware
proxying
onboarding
windows
interface
vmware
deployments

12 Nov 2020

Failing forward to 1 million requests per second - Axel Liljencrantz, Mikael Sundberg

Many companies claim to have a work culture that celebrates failures, but few companies have tested that claim as thoroughly as Spotify did during our migration to Envoy. Come hear war stories of trying, failing, and failing some more with Envoy, and learn how to make sure you learn something new every time you fail.
  • 2 participants
  • 27 minutes
fail
failover
success
performance
spotify
deployment
envoy
shortcomings
docker
microservices

12 Nov 2020

Hands-on WASM filters and singletons - Emmanuel Mayssat

In this presentation, Emmanuel will start by introducing the basics of WASM extensions, but will quickly move on to his project of developing a custom authz/authn with WASM. He will talk about his decision making process and introduce his development environments on k8s and docker-compose. He will be covering his software architecture, such as the use of a singleton stack and chained WASM filters. Covered topics also include WASM bytecode download (LDS), policy download, Prometheus metrics, library integration, data sharing, hidden headers, code testing, debugging techniques, and performance measurements for a real project! This presentation will also touch on practical issues such as programming language choice (C++, Rust, AssemblyScript, TinyGo), learning curves, build pipelines, and development velocity (carvel/ytt).
  • 2 participants
  • 31 minutes
filter
api
proxy
processed
interface
workflow
envoy
devsecops
wasm
vmware

12 Nov 2020

How Niantic switched Pokémon GO to use Envoy - Renana Yacobi

Niantic are the creators of Pokémon GO. As one of the world's most popular mobile games, Niantic needs to serve ##'s of players all across the world, concurrently, necessitating a truly planet-scale solution. In this presentation, Renana Yacobi, Server Core Infrastructure Lead, explains why Niantic made the transition from NGINX to Envoy, starting with the most important question of ‘Why Envoy?’, then reviewing Niantic’s journey with extending Envoy to support our proprietary protocol which includes websockets and player leasing, using xDS to minimize disruptions when scaling, load testing to ensure Envoy can handle millions of QPS at Pokémon GO's scale, where things fall apart, all the way until consolidating everything to the final launch.
  • 2 participants
  • 25 minutes
connectivity
infrastructure
gateways
routing
deployments
servers
setup
dev
development
niantic

12 Nov 2020

How Tinder implemented Envoy global rate limiting at scale - Yuki Sawa

Tinder recently completed a migration to an Envoy based service mesh in their Kubernetes based infrastructure. A big win was moving rate limiting logic out of the application and into the network layer by leveraging Envoy's powerful global rate limiting capabilities. Previous implementations relied on home-grown code inside the application or features built into proxies like Nginx — which were difficult to maintain and did not offer the configurability and observability of Envoy. This talk covers how Envoy global rate limiting works at Tinder, how we migrated to it, and what steps were taken to ensure it performs at scale. We'll also discuss the unique rate limiting features available in Envoy, how to configure it and how we extended upon it.
  • 1 participant
  • 10 minutes
envoy
envoys
kubernetes
proxying
services
infrastructure
tinder
network
bots
monitoring

12 Nov 2020

Improving performance of RPCs with envoy at Wikimedia - Giuseppe Lavagetto

Performance of remote procedure calls between services depends on a lot of factors, but when you start doing RPCs over a high latency network and/or using TLS (so when you have to perform RPCs across different datacenters, for example), the cost of establishing a connection is very steep. This is particularly problematic for environments which don't support persistent connection pools - one notable example being the PHP language, that we use to run MediaWiki. This talk will go through how Wikimedia introduced envoy in its mixed on-prem/kubernetes environment, and how that allowed us to improve the performance, reliability and observability of its stack. Particular focus will be put on: the performance effects for our PHP applications running at scale, the operational problems adopting envoy allowed solving, and the challenges introduced by moving to use it.
  • 1 participant
  • 29 minutes
wikidata
wikimedia
mediawiki
infrastructures
hosts
servers
iptable
kubernetes
interface
microservices

12 Nov 2020

Incrementally Building Incremental - Alec Holmes

This talk walks through the development process of incremental xDS led by Alec Holmes and Joshua Rutherford inside the open source repository “envoyproxy/go-control-plane”. It touches on differences between SOTW and Incremental xDS, implementation hurdles tackled when building out the new protocol, and design changes in the pre-existing codebase needed to build out Incremental. Alec will lay out the remaining goals, and discuss the next steps for the repository.
  • 1 participant
  • 12 minutes
incremental
incrementally
envoy
implementation
control
protocols
updated
2019
delta
repo

12 Nov 2020

Multiplex tcp requests through Envoy HTTP/2 stack - Yuchen Dai

This talk will go over the recent update of HTTP/2 CONNECT support in Envoy. Envoy not only can terminate or proxy an H2 CONNECT, but also proxy the raw TCP plain text request in an established H2 CONNECT. In this talk, Yuchen will also go through the ongoing efforts to optimize the CONNECT dispatch. With these efforts, Yuchen will demonstrate how the Istio sidecar proxy (which is literally Envoy) tunnels HTTP requests and raw TCP requests into HTTP/2, multiplexed in one TLS/TCP connection as if the request is directly established by the application.
  • 1 participant
  • 11 minutes
tcp
relaying
connection
proxy
http2
server
port
routing
mesh
hd

12 Nov 2020

PostgreSQL Network Filter for EnvoyProxy - Fabrízio de Royes Mello, Christoph Pakulski

How do you monitor Postgres? What information can you get out of it, and to what degree does this information help to troubleshoot operational issues? What if you want/need to log all the queries? That may bring heavily trafficked databases down. At OnGres we’re obsessed with improving PostgreSQL’s observability. So we worked together with Tetrate folks on an Envoy Network Filter extension for PostgreSQL, to provide and extend observability of the traffic in/out of a cluster infrastructure. This extension is public and open source. You can use it anywhere you use Envoy. It allows you to capture automated metrics and to debug network traffic. This talk will be a technical deep-dive into PostgreSQL’s protocol decoding, Envoy proxy filters and will cover all the capabilities of the tool and its usage and deployment in any environment.
  • 2 participants
  • 30 minutes
protocol
proxy
tcp
envoy
connection
client
host
tps
postgres
dashboard

12 Nov 2020

Safely deploying a 100K line Envoy YAML configuration to production - Jyoti Mahapatra, Lisa Lu

Have you ever caused a production incident due to an Envoy misconfiguration? You’re not alone! This talk is about how Lyft has built guardrails to prevent such failures. The presenters will share their experience operating Envoy configurations at scale. They will explore the challenges around handling constantly changing cluster and routing configurations and the tools used to guarantee accuracy and consistency in those changes. These tools empower service owners less familiar with Envoy to make configuration changes independently and quickly without approval barriers. This talk will introduce the audience to various Envoy configuration testing strategies:

* Validating behavior for thousands of routes to avoid blackholing traffic
* Auditing and safely removing unused routes and clusters
* Safely deprecating fields between Envoy versions
* Validating Envoy’s static and realtime configurations
  • 4 participants
  • 29 minutes
envoy
validation
config
routes
deployments
process
bottleneck
sidecars
lyft
bootstrap

12 Nov 2020

Support Arm64 platform in Envoy - Lizan Zhou

Envoy Arm64 will be released from 1.16.0. In this LT Lizan will discuss the effort to make Envoy officially support Arm64 based Linux. This includes some code / test changes caused by different endian / memory layout and compiler defaults, how we identified these problems, and how we built CI infrastructure.
  • 1 participant
  • 10 minutes
envoy
envoycom
arm64
arm
agent
platform
support
debug
ci
alpinebase

12 Nov 2020

Understanding, maintaining and securing Envoy's supply chain - Michael Payne, Harvey Tuch

Envoy depends on over 60 external dependencies for its data and control plane functionality, as well as for its build, test and features such as observability. This talk will provide an overview of the third party dependencies that constitute the Envoy software supply chain. We will enumerate, categorize and describe the key dependencies, with a focus on security and how they relate to the Envoy threat model. The talk will cover how Envoy’s dependencies have been maintained, versioned and tested, how the Envoy community plans to evolve and increase confidence in the supply chain, as well as how organizations can apply strategies to minimize unnecessary dependencies.
  • 3 participants
  • 29 minutes
dependencies
security
envoys
supply
threat
vulnerable
protocol
concerning
kubernetes
docker

12 Nov 2020

Using VPP as Envoy's Network Stack - Florin Coras

Vector Packet Processing (VPP), part of fd.io, is a high performance, layer 2-7 scalable and multi-platform user space networking stack. Typical VPP use cases include, amongst others, deployments as a vSwitch/Router, Firewall, Load Balancer and TCP Proxy. This talk will discuss how some of the recent socket layer API changes can be leveraged to cleanly integrate Envoy with VPP's socket layer, the VPP Comms Library (VCL), and some of the potential benefits thereof.
  • 1 participant
  • 10 minutes
vpp
vbp
tcp
vp
pxlan
protocol
network
vcl
cisco
interfaces

12 Nov 2020

Using Web Assembly to develop Envoy Filters for supporting Yahoo Headers - Mrunmayi Dhume, Michael Cieplak

Today at Verizon Media (formerly Yahoo), the on-prem Kubernetes platform spans 35 clusters across multiple data centers serving ~2500 apps. There are 2 ingress layers - Apache Traffic Server (ATS) serving 2M peak RPS and Istio Ingress based Envoy Proxy with a peak of 220K RPS. One of the key plugins of ATS is the verification/generation of Yahoo Headers, used by apps to obtain downstream client information such as the remote address/port, and a signature generated using a combination of base64, MD5, and a private key to ensure header integrity. To migrate all ATS traffic to Envoy, it is necessary to port all plugins from ATS with minimal changes. To achieve this, an Envoy Web Assembly (Wasm) filter was implemented using the Proxy Wasm standard, which is able to process these headers. This talk will provide an overview of the filter implementation and the learnings achieved along the way.
  • 2 participants
  • 30 minutes
envoy
proxy
kubernetes
protocol
filters
throughput
vms
host
streaming
channel

12 Nov 2020

xDS Support in gRPC - Mark D. Roth

The xDS APIs originated as Envoy’s control plane APIs, but they are evolving toward a Universal Data Plane API (UDPA) that can be used to configure any data plane client. gRPC is the first non-Envoy client to support obtaining its configuration via xDS. This talk will cover how gRPC fits into the xDS ecosystem. It will explain the advantages of supporting xDS in gRPC, particularly for service mesh deployments, and identify the set of xDS features that gRPC currently supports and the additional features that are on the roadmap. It will also discuss changes that were made to the xDS data model to support non-proxy clients like gRPC and various edge cases in the xDS transport protocol that were addressed along the way. The talk will also discuss how control plane operators and vendors can support gRPC xDS clients alongside Envoy.
  • 1 participant
  • 23 minutes
proxy
proxies
envoy
interface
sidecar
deployments
grpc
xcs
reasons
latency

12 Nov 2020

xDS transport and versioning evolution - Harvey Tuch, Mark D. Roth

Envoy’s xDS APIs are the foundation for its control plane ecosystem. We are in the process of evolving them towards the Universal Data Plane API (UDPA), supporting clients beyond Envoy (e.g. Google’s gRPC libraries). We also continue to improve support for versioning in xDS and are following on from last year's introduction of major versions with minor/patch versions.

In the first part of this talk, we will dive into UDPA. We will focus on the next steps in the xDS transport protocol evolution. We will provide an introduction to a new URI-centric resource naming scheme and how this will allow for transport simplifications and elimination of technical debt in both Envoy and the control plane. We will also cover advanced use cases, such as federation, caching, control plane scalability and reliability wins.

In the second part of this talk, we will provide a recap on Envoy's existing API versioning story and discuss the implementation of minor/patch versioning for xDS resources. This incremental strategy is the plan-of-record for xDS, managing the trade-off between Envoy/xDS technical debt and control plane complexity/implementation cost.
  • 2 participants
  • 29 minutes
xcs
xts
xds
transport
roadmap
protocols
envoy
platform
2021
presentation

12 Nov 2020

xds-relay: Performance initiatives for control plane management - Jessica Yuen, Jyoti Mahapatra

In this talk, presenters will share their experience running Envoy and Lyft’s control plane at scale. They will explore the challenges of operating Lyft’s service mesh to be reactive to Kubernetes’ dynamic infrastructure and evolving xDS versions. This talk is a deep dive into a new open source project, xds-relay, that the Lyft team has developed to bring their solutions to the greater community. xds-relay is a lightweight caching, aggregation, and low latency distribution layer for xDS compliant clients and servers. At scale, xds-relay reliably distributes xDS protos to thousands of xDS clients over gRPC. Join Lyft’s journey as the presenters share how Lyft envisions the future of control planes. The presenters will cover a range of topics including pluggable xDS transformations, automatic endpoint subsetting, API driven configurations, and State-of-the-world to Delta xDS conversion.
  • 2 participants
  • 29 minutes
relays
platform
kubernetes
onboarding
lyft
services
migrated
push
controls
xts