►
Description
Follow along how Waylay integrated Gloo Edge into their new SaaS platform to achieve on-demand, multi-tenant deployments. The talk will focus on the integration of authentication, metrics and dynamic, claim-based routing.
A
A
We
need
to
talk
about
how
whaley
integrated
the
api
gateway
of
glue
onto
our
on-demand
platform
and
also
our
other
enterprise
production
platforms,
so
to
go
over
talk
short
introduction
by
me
and
then
there's
a
second
part,
technical
parts
which
is
taken
up
by
olivier
my
colleague,
who
is
sitting
next
to
me
here
so
introduction
we
are
really
founded
and
still
is
hiding
against.
Currently
we
are
an
iot
automation
and
a
data
analytics
platform,
and
we
we
provide
actually
a
rules
engine.
A
This
is
definitely
already
an
older
picture
by
now,
so
in
full
growth,
as
we
speak,
to
give
you
some
id
over
a
platform
here,
some
numbers,
so
half
a
million
of
connected
devices-
and
another
number
I
can
give
is,
for
example,
313
million
api
calls
that
trigger
about
1.5
billion
service
functions,
which
is
35
000
per
minutes.
So
yeah
we
are
quite
busy
people.
Our
clients
are
quite
busy
on
our
platform
to
go
over
architecture.
A
A
It's
as
we
were
early
adopters,
also
of
kubernetes.
We
are
using
google
cloud
and
currently
or
we
used
to
be
use.
We
used
to
use
the
google
cloud
load
balancer
with
together
with
the
kubernetes
engines
controller,
but
that's
something
that
we
also
wanted
to
move
away
with.
We
wanted
to
go
into
more
complex
routing
way.
We
wanted
to
have
that
unified
api
gateway,
for
example.
A
A
A
A
Then
we,
of
course,
because
we
had
this
on
demand
deployments.
We
also
went
into
a
usage
based
billing
process,
so
we
needed
to
have
information
of
those
tenants.
It
was
important
that
whatever
was
happening
automatically
gave
us
some
feedback,
also
that
this
platform
was
seen
as
a
platform,
so
a
unified
gateway
was
one
of
the
requirements
of
that
api
gateway,
where
the
users
would
talk
to
one
api
and
not
two
components
left
and
right,
don't
need
to
know
the
specifics
of
what
is
happening
in
the
background.
A
A
Metrics
was
very
important.
How
can
we
retrieve
information
from
one
tenant?
Who
is
calling
a
multi-tenant
component?
So
those
were
all
problems
that
we
wanted
to
solve,
of
course,
intuitive
conflict.
We
as
everyone
else,
don't
like
when
config
gets
messy
and
is
not
easily
readable,
then
also
extensive
traffic
management.
A
A
So
the
clear
reason
was:
it
met
all
the
requirements,
great
articles,
even
before
we
tried
it.
While
we
did
the
trial,
we
already
got
super
great
supports
video.
There
was
a
slack
channel
open,
so
it's
it
felt
like
we
were
already
involved
and,
and
adoption
came
from
both
sides.
Let's
say
it
like
that.
The
documentation
was
great
and
I
think
one
of
the
also
greater
things
was
that
it
was
based
on
envoy,
which
is
heavily
maintained.
So
it's
active
development
and
white
adoption,
and
I
think
this
is
the
part
where
I'll
give.
B
It
to
my
colleague,
olivia
hello,
everyone.
Thank
you
for
this
nice
introduction.
Caftan
I'll
continue
with
four
topics
which
are
more
related
to
the
technical
parts
and
how
we
got
working
with
glue,
integrating
it
into
our
whaley
io
platform.
The
four
topics
I
want
to
discuss
are
authentication
rate
limiting
metrics
and
claim-based
routing.
So
let's
start
off
with
authentication.
B
B
Not
only
are
user
requests
but
also
enter
microservice
traffic
heavily
relies
on
authentication
and
authorization
features,
so
we
have
two
options:
requests
can
either
have
basic
authentication
so
basic,
so
api,
key
secret
pairs
or
requests
can
be
authenticated
using
jwt
tokens
for
the
api
key
secret
pairs.
We
used
to
have
a
legacy
component,
doing
the
exchange
for
jwt
tokens,
appending
them
to
the
request
before
forwarding
them
further
on
to
the
other
microservices,
but
using
glue.
B
We
had
the
perfect
opportunity
to
deprecate
that
service
and
to
move
the
functionality
straight
at
the
api
gateway
level
by
implementing
an
external
out
plugin.
This
plugin
yeah
uses
the
provided,
golang
sdk
and
is
loaded
in
the
external
authentication
server
upon
startup,
and
it
allows
us
to
use
or
move.
B
Straight
into
the
glue
api
gateway-
and
this
has
the
advantage
that
we
have
a
very
lightweight
and
simple
approach
to
do
the
exchange
and
we
don't
need
an
extra
network
hop
or
an
external
service.
We
need
to
maintain
to
do
jwt
token,
fetching
quick
side.
Note.
The
external
art
plugin
provides
an
ideal
opportunity
to
implement
or
to
have
some
extra
business
logic
into
glue,
even
if
it's
completely
not
authentication
related.
B
So
a
brief
overview
of
how
a
request
comes
into
the
authentication
flow,
so
it
arrives
either
using
basic
out
so
api
key
secret
pairs
or
a
jwt
token,
and
the
latter
in
the
latter
case,
the
plugin
just
forwards.
The
request
to
the
validation
stage,
which
does
a
validation
of
the
token
based
upon
keys
using
jwks
url
for
our
remote
authentication
service
when
api
key
secret
pair
is
provided
in
the
request.
B
The
basic
output,
the
external
outplugin,
sorry,
will
fetch
a
token
from
the
way
layout
service
and
we
can
even
implement
some
caching.
So
we
don't
need
that
extra
call.
Every
time
in
case,
there's
no
authentication
provided
at
all
or
the
api
key
secret
pairs
are
invalid.
The
response
code
will
be
in
unauthorized
or
401
status.
B
The
same
goes
for
the
validation
stage
if
it
fails
yeah.
Another
reason
we
heavily
rely
on
this
jwt
structure
is:
we
include
the
tenant
identifier
in
each
token,
so
this
provides
me
with
the
perfect
segue
to
the
next
part
rate,
limiting
which
is
most
commonly
used
to
protect
underlying
services
and
resources,
but
we
found
this
functionality
extremely
useful
to
implement
user
quota
depending
on
their
subscriptions.
B
Limiting
functionality
built
into
glue,
and
how
do
we
do
this?
As
I
mentioned,
we
have
for
each
request
a
tenant
identifier,
and
we
couple
this
with
the
rate
limiting
setup
of
glue.
So
on
the
left
side,
you
see
a
very
basic
fictional
example
of
a
jwt
configuration
and
at
the
bottom
here
you
see
the
claims
to
header
step
which
will
extract
the
tenant
claim
from
the
token
and
append
it
as
a
header
with
key
tenant
identifier
to
the
request.
B
B
B
B
It's
a
really
small
and
basic
example,
but
it's
really
powerful.
For
example,
it's
possible
to
extend
the
rate
limiting
configuration
with
extra
descriptors
or
even
child
descriptors.
So,
for
example,
we
could
set
up
a
rate
limiting
config,
where
each
of
our
microservices
has
a
an
upper
bound,
which
is
completely
different
than
the
global
tenant
upper
bound.
B
In
the
same
context
of
usage
based
subscriptions,
it
was
also
a
big
requirement
for
us
to
keep
track
of
how
many
traffic
a
tenant
generates
upstream
and
downstream
to
our
services
and
glue
via
envoy,
already
provides
a
lot
of
metrics
out
of
the
box.
They
are.
There
are
some
categories
displayed
here.
There
are
a
lot
and
really
a
lot
of
metrics
available
for
the
whole
gateway,
but
also
on
an
upstream
level
per
http
status
code
and
so
on,
and
so
on.
B
B
Okay,
this
led
to
the
following
setup:
we
create
tenant
namespaces
inside
of
our
kubernetes
clusters,
with
their
upstream
configuration
and
also
some
other
config
and
services,
and
we
replicate
this
for
each
tenant.
So,
as
our
tenants
grow,
our
namespaces
grow
and
the
number
of
upstream
configuration
grows
as
well.
B
Routing
arrows
so
to
say
to
the
different
namespaces
for
the
respective
upstreams,
so
the
waylay
services
can
be
reached.
This,
however,
doesn't
really
scale
well.
So,
for
example,
imagine
we
have
a
thousand
tenants
this.
This
would
mean
we
have
errors,
arrows,
excuse
me
or
routing
decisions
based
on,
for
example,
header
value
or
other
requirement
criteria
to
all
those
different
name
spaces
and
those
are
yeah
evaluated
in
order
which
we
really
want
to
avoid,
because
it's
not
very
effective.
So
this
is
not
the
way
to
go.
B
Luckily,
we
could
take
advantage
of
a
more
recent
introduction
or
new
recent
feature,
and
that
is
routing
based
upon
a
cluster
header.
So
here
we
see
a
small
example
on
how
we
do
this
in
practice.
So
at
the
top
you
see
again
the
claims
to
headers
code
block
which,
which
results
in
extracting
the
tenant
claim
from
the
jwt
token
into
the
tenant
identifier
header.
We
also
used
this
earlier
on
for
the
radiant
ink
configuration
at
the
bottom
part.
You
see
that
we
do
a
transformation.
B
Let
glue
decide
which,
upstream,
the
request
should
be
forwarded
to
do
note
that
we
have
to
clear
route
cache
set
to
true
and
that's
because
incoming
requests
already
get
a
part
assigned
to
them
when
they
are
evaluated
at
this
stage.
So
we
definitely
need
to
reset
routing
cache
so
that
the
upstream
header
that
is
set
here
will
be
taken
into
account
when
doing
this
evaluation.
B
Okay,
so
this
results
in
the
following
diagram,
so
we
have
our
virtual
service
using
a
single
domain
name
as
we
required,
and
then
we
have
an
yeah
and
an
identifying
amount
of
namespaces.
So
it
doesn't
really
matter
how
many
we
have
it
scales
perfectly.
With
with
how
many
we
have
it's
just
a
mapping
using
the
cluster
header
which,
as
designates
the
upstream,
we
require
for
a
set
tenant
based
upon
the
the
information
we
include
into
that
header
at
runtime,
and
then
those
upstreams
correlate
to
their
respective
kubernetes
services
in
the
back
end.
B
A
B
B
B
This
also
allows
us
to
make
it
very
generic,
which
is
which
has
the
advantage
that
if
we
want
to
do
an
api
update,
we
don't
have
to
change
all
tenant
configurations
and
a
whole
bunch
of
name
spaces.
No,
we
have
one
chart
one
release
where
all
our
bots
and
route
tables
are
defined,
which
is
really
really
sweet
to
do,
updates
to
quickly
iterate
to
do
versioning
of
apis
and
so
on
and
so
on.
So
that's
a
real
big
plus
point
for
our
deployment.
B
Then
the
tenant
specific
configuration
is,
as
hectare
already
mentioned,
created
whenever
a
tenant
is
yeah,
also
created
or
registered.
So
together
with
some
more
account
and
more
whaley
specific
actions.
There
are
also
some
upstream
crds
which
are
created
in
the
tenant
namespace
that
allow
glue
to
route
incoming
requests
dynamically
to
a
new
tenant
without
even
having
to
update
the
glue
deployment
or
the
helm
chart
which
is
listed
as
a
second
point.
B
B
B
Okay,
so
this
was
a
quick
overview
of
how
we
got
started
with
glue
only
I
think
now
a
bit
more
than
two
months
ago,
and
how
we
got
actually
up
and
running
very
quickly
and
achieved
all
our
requirements
together
with
a
little
help
from
the
glue
team.
When
we
needed
some
support,
then
of
course
there
are
still
some
things
on
our
roadmap,
as
we
just
have
met
our
own
requirements,
but
it's
far
from
ready.
So
a
few
things
that
we
want
to
check
out
next
is
a
federation
and
high
availability.
B
B
Also,
alerting
and
monitoring
is
up
next,
for
example,
it
would
be
nice
to
have
some
alerting
whenever
rate
limiting
quotas
are
exceeded
or
for
health
monitoring
and
so
on,
and
then,
of
course,
canary
routing
is
also
very
a
very
nice
thing.
We'll
have
to
look
at
next,
for
example,
whenever
releasing
new
releases,
we
can
do
some
gradual
changes
of
the
routes
and
see
if
everything
goes
well,
and
that
of
course
also
comes
together
nicely
with
the
alerting
and
monitoring
and
also
for
internal
routing.
B
Thank
you
for
your
attention.
Thank
you
for
yeah.
Listening
through
me,
bambling,
and
I
hope
you,
you
found
it
a
good
talk
and
in
case
you
have
some
more
questions
or
if
you
want
to
reach
out,
get
to
know
what
we
do
at
weyland
play
around
with
our
platform
feel
free
to
reach
out.
You
find
our
contact
information
below.
We
also
have
some
videos,
some
white
papers
for
you
to
follow
along,
and
if
you
have
any
more
questions,
let
us
know
we'll
be
glad
to
try
and
answer
them.
Thank
you.