EnRoute Kubernetes Ingress Gateway
EnRoute Universal Gateway
EnRoute Universal Gateway is a flexible API gateway built to support traditional and cloud-native use cases. It is designed to run as a [Kubernetes Ingress Gateway, Standalone Gateway, Horizontally scaling L7 API gateway or a Mesh of Gateways](/blog/enroute-topologies/). Depending on the needs of the user, the environment and the application, one or several of these solutions can be deployed.
A consistent policy framework across all these network components makes the EnRoute Universal Gateway a versatile and powerful solution.
What this article covers
This article covers how to get started with the EnRoute Kubernetes Ingress Gateway. The minimum requirement is a working Kubernetes cluster.
To get a more detailed understanding of EnRoute Universal Gateway and its architecture, refer to the article here. To run EnRoute outside of Kubernetes as a standalone gateway, refer to the article on standalone gateway.
EnRoute also supports several other topologies including a Standalone Gateway. Only the Kubernetes Ingress topology is covered in this article.
Configure EnRoute using helm
A simple non-SSL example of EnRoute gateway with Lua and Rate-Limit filters can be programmed using the EnRoute helm chart.
Add the helm chart -
helm repo add saaras https://getenroute.io
Install the helm chart -
helm install enroute-demo saaras/enroute
This installs the EnRoute Ingress API Gateway with a simple service called hello-enroute.
$ kubectl get svc -n enroutedemo
NAME            TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)                      AGE
enroute         LoadBalancer   10.96.161.15   152.67.225.80   80:32584/TCP,443:32625/TCP   66s
hello-enroute   ClusterIP      10.96.71.135   <none>          9090/TCP,9091/TCP            66s
Use the External IP to send traffic
curl -s 152.67.225.80 | wc -l
Trigger rate-limits by sending a burst of traffic
while true; do curl -vvv 152.67.225.80 ; done
Understanding EnRoute configuration setup in previous step
GatewayHost
GatewayHost is a way to expose your services running inside Kubernetes.
apiVersion: enroute.saaras.io/v1beta1
kind: GatewayHost
metadata:
  labels:
    app: hello-enroute
  name: hello-enroute-gatewayhost-notls
  namespace: enroutedemo
spec:
  virtualhost:
    fqdn: '*'
    filters:
      - name: luatestfilter
        type: http_filter_lua
  routes:
    - conditions:
        - prefix: /
          header:
            name: ":method"
            exact: "GET"
      filters:
        - name: rl2
          type: route_filter_ratelimit
      services:
        - name: hello-enroute
          port: 9090
Filters attached to GatewayHost can be used to control traffic flowing to the exposed service.
Filter
Filters provide fine-grained control over access to a service. There are several features supported by EnRoute.
Lua Filter
This config invokes a Lua function for each incoming request, once on the request path and once on the response path.
apiVersion: enroute.saaras.io/v1beta1
kind: HttpFilter
metadata:
  labels:
    app: hello-enroute
  name: luatestfilter
  namespace: enroutedemo
spec:
  name: luatestfilter
  type: http_filter_lua
  httpFilterConfig:
    config: |
      function envoy_on_request(request_handle)
        request_handle:logInfo("Hello World request");
      end
      function envoy_on_response(response_handle)
        response_handle:logInfo("Hello World response");
      end
Rate Limit config for Filter
The following config limits every http request from a unique IP. The x-forwarded-for header provides the remote IP, and x-forwarded-proto is set to http for requests. A combination of IP address (from x-forwarded-for) and protocol (from x-forwarded-proto) is rate-limited to 2 requests per second.
apiVersion: enroute.saaras.io/v1beta1
kind: GlobalConfig
metadata:
  labels:
    app: hello-enroute
  name: rl-global-config
  namespace: enroutedemo
spec:
  name: rl-global-config
  type: globalconfig_ratelimit
  config: |
    {
      "domain": "enroute",
      "descriptors" :
      [
        {
          "key": "x-forwarded-for",
          "descriptors" :
          [
            {
              "key" : "x-forwarded-proto",
              "value" : "http",
              "rate_limit" : { "unit" : "second", "requests_per_unit" : 2 }
            }
          ]
        }
      ]
    }
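An added example, not part of the original page or the EnRoute project: a simplified Python model of how the descriptor tree above selects a limit and counts requests. It assumes fixed one-unit windows and that a descriptor without a "value" matches any value with one counter per distinct value; the names find_limit, allow and replay and the sample traffic are constructed for illustration.

```python
import json

# Descriptor tree copied from the GlobalConfig on this page.
CONFIG = json.loads("""
{"domain": "enroute", "descriptors": [
  {"key": "x-forwarded-for", "descriptors": [
    {"key": "x-forwarded-proto", "value": "http",
     "rate_limit": {"unit": "second", "requests_per_unit": 2}}]}]}
""")
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
HEADERS = ("x-forwarded-for", "x-forwarded-proto")  # descriptor entry order

def find_limit(descriptors, entries):
    """Walk the tree; an exact value wins, a descriptor without "value" matches any."""
    node = None
    for key, value in entries:
        same_key = [d for d in descriptors if d["key"] == key]
        exact = [d for d in same_key if d.get("value") == value]
        wildcard = [d for d in same_key if "value" not in d]
        if not (exact or wildcard):
            return None
        node = (exact or wildcard)[0]
        descriptors = node.get("descriptors", [])
    return node.get("rate_limit") if node else None

def allow(counters, headers, now):
    """Assumed fixed-window model: one counter per (entries, window) pair."""
    entries = tuple((h, headers.get(h)) for h in HEADERS)
    if any(value is None for _, value in entries):
        return True   # header absent: no descriptor is built, nothing is counted
    limit = find_limit(CONFIG["descriptors"], entries)
    if limit is None:
        return True   # e.g. x-forwarded-proto "https" matches no descriptor
    window = int(now // UNIT_SECONDS[limit["unit"]])
    counters[(entries, window)] = counters.get((entries, window), 0) + 1
    return counters[(entries, window)] <= limit["requests_per_unit"]

def replay(requests):
    """requests: (time_s, client_ip, proto) tuples; returns one bool per request."""
    counters = {}
    return [allow(counters, {HEADERS[0]: ip, HEADERS[1]: proto}, t)
            for t, ip, proto in requests]

# Constructed sample traffic (documentation-range addresses).
SAMPLE = [(0.0, "203.0.113.10", "http"), (0.2, "203.0.113.10", "http"),
          (0.4, "203.0.113.10", "http"), (0.5, "203.0.113.11", "http"),
          (0.6, "203.0.113.10", "https"), (1.1, "203.0.113.10", "http")]
if __name__ == "__main__":
    print(replay(SAMPLE))
```

Counters are keyed on the x-forwarded-for value the rate-limit service receives, so when relying on this as a per-client limit, confirm that the gateway sets that header from the connection's source address.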
Adding SSL
The above config does not add SSL config. For SSL to work, we need a certificate installed with the appropriate domain name. As an example, we’ll use demo.saaras.io as the domain name.
- Create secret for demo.saaras.io
kubectl -n enroutedemo create secret tls tls-demo --cert=demo.cert --key=demo.key
- Reference the secret in GatewayHost
apiVersion: enroute.saaras.io/v1beta1
kind: GatewayHost
metadata:
  labels:
    app: hello-enroute
  name: hello-enroute-gatewayhost-notls
  namespace: enroutedemo
spec:
  virtualhost:
    fqdn: 'demo.saaras.io'
    tls:
      secretName: tls-demo
    filters:
      - name: luatestfilter
        type: http_filter_lua
  routes:
    - conditions:
        - prefix: /
          header:
            name: ":method"
            exact: "GET"
      filters:
        - name: rl2
          type: route_filter_ratelimit
      services:
        - name: hello-enroute
          port: 9090
- Add a CNAME record that maps this domain to the public domain that AWS provides for the LoadBalancer service. When passing traffic, we use this domain.

EnRoute Config Model across Kubernetes Ingress Gateway and Standalone Gateway
EnRoute can be used to protect services outside Kubernetes using the standalone gateway, or services running inside Kubernetes.
EnRoute follows a configuration model similar to Envoy and is extensible using Filters. It uses filters to extend functionality at the global Service level and at the per-route level. The config objects used for this are GatewayHost, Route, HttpFilter, RouteFilter and Service, as shown here for Kubernetes gateway.
Regardless of where the workload runs, a consistent service policy can be defined once and applied to secure any service running inside or outside Kubernetes using Envoy.

EnRoute provides key functionality using modular filters which make it easy to secure any service.