Welcome to follow my WeChat public account.

I started writing only a month ago and have 18 original articles so far; the table of contents is:

Istio multi-cluster explored: my conclusions after 50 multi-cluster deployments

Istio multi-cluster tracing, with a hands-on video

Istio fault-protection tools: how many do you know? Istio beginners, don't read this, it's too hard!

Istio business-level access control: it can be done this way

Non-intrusive compression with Istio: how to compress traffic between microservices

"Mastering Istio without understanding EnvoyFilter?" series: http-rbac: don't just rely on AuthorizationPolicy for permissions

"Mastering Istio without understanding EnvoyFilter?" series-02: http-corsFilter: don't only use vs

"Mastering Istio without understanding EnvoyFilter?" series-03: http-csrf filter: never write CSRF logic in code again

"Mastering Istio without understanding EnvoyFilter?" series: http-jwt_authn: don't only use RequestAuthorization

"Mastering Istio without understanding EnvoyFilter?" series-05: fault-filter: fault injection is not only vs

"Mastering Istio without understanding EnvoyFilter?" series-06: http-match: route configuration is not only vs

"Mastering Istio without understanding EnvoyFilter?" series-07: load balancing configuration is not only dr

"Mastering Istio without understanding EnvoyFilter?" series-08: connection pools and circuit breakers

"Mastering Istio without understanding EnvoyFilter?" series-09: http-route filter

"Mastering Istio without understanding EnvoyFilter?" series: network filter: redis proxy

"Mastering Istio without understanding EnvoyFilter?" series: network filter: HttpConnectionManager

"Mastering Istio without understanding EnvoyFilter?" series: ratelimit: the complete Istio ratelimit manual

Learning objectives

[figure: learning objectives]

Envoy architecture

[figure: Envoy architecture diagram]

Envoy basic concepts

Host: an entity capable of network communication (an application on a phone, a server, etc.). In Envoy a host is a logical network application; a single piece of physical hardware can run multiple hosts as long as each host is independently addressable.

Downstream: a downstream host connects to Envoy, sends requests and receives responses.

Upstream: an upstream host receives connections and requests from Envoy and returns responses.

Cluster: a cluster is a group of logically similar upstream hosts that Envoy connects to. Envoy discovers the members of a cluster through [service discovery], can determine the health of cluster members through [active health checking], and decides how requests are routed to cluster members according to the [load balancing policy].

Mesh: a group of hosts that coordinate to provide a consistent network topology. An Envoy mesh is a group of Envoy proxies that form the message-passing substrate of a distributed system built from many different services and application platforms.

Runtime configuration: an out-of-band, real-time configuration system deployed alongside Envoy. Changing its settings affects operation without restarting Envoy or changing Envoy's main configuration.

Listener: a listener is a named network location (e.g. a port or a Unix domain socket) that downstream clients can connect to. Envoy exposes one or more listeners for downstream hosts to connect to. Typically one Envoy runs per host as a single process, but each process can start any number of listeners; at present only TCP is listened on, and each listener is independently configured with some number of (L3/L4) network filters. Listeners can also be obtained dynamically through the Listener Discovery Service (LDS).

Listener filter: a listener uses listener filters to manipulate connection metadata. Their purpose is to add integration functionality without changing Envoy's core. The listener filter API is relatively simple because these filters ultimately run on newly accepted sockets. They can be chained to support more complex scenarios, such as invoking rate limiting. Envoy already ships with several listener filters.

HTTP route table: the HTTP routing rules, for example which cluster a request is forwarded to depending on its domain and on which pattern its path matches.

Health checking: health checking is used together with SDS service discovery. Even with other service discovery methods, however, there are cases where active health checking is needed.

xDS

xDS is the collective name for LDS, RDS, CDS, EDS and SDS, the discovery services; the trailing two letters, DS, stand for discovery service.

LDS

L stands for listener: LDS is used to dynamically discover which ports Envoy should listen on.

RDS

R stands for route: RDS is used to discover route configuration.

CDS

C stands for cluster: CDS is used to dynamically discover upstream cluster information.

EDS

E stands for endpoint: EDS is used to dynamically discover service endpoints.

SDS

S stands for secret: SDS is used to dynamically discover TLS certificates.

xDS and the relationships between the resources

[figure: xDS resource relationship diagram]

Filter types

listener filter

envoy.filters.listener.http_inspector

envoy.filters.listener.original_dst

envoy.filters.listener.original_src

envoy.filters.listener.proxy_protocol

envoy.filters.listener.tls_inspector

envoy.filters.udp_listener.dns_filter

envoy.filters.udp_listener.udp_proxy

network filter

envoy.filters.network.client_ssl_auth

envoy.filters.network.direct_response

envoy.filters.network.dubbo_proxy

envoy.filters.network.echo

envoy.filters.network.ext_authz

envoy.filters.network.http_connection_manager

envoy.filters.network.kafka_broker

envoy.filters.network.local_ratelimit

envoy.filters.network.mongo_proxy

envoy.filters.network.mysql_proxy

envoy.filters.network.postgres_proxy

envoy.filters.network.ratelimit

envoy.filters.network.rbac

envoy.filters.network.redis_proxy

envoy.filters.network.rocketmq_proxy

envoy.filters.network.sni_cluster

envoy.filters.network.sni_dynamic_forward_proxy

envoy.filters.network.tcp_proxy

envoy.filters.network.thrift_proxy

envoy.filters.network.wasm

envoy.filters.network.zookeeper_proxy

http filter

envoy.filters.http.adaptive_concurrency

envoy.filters.http.admission_control

envoy.filters.http.aws_lambda

envoy.filters.http.aws_request_signing

envoy.filters.http.buffer

envoy.filters.http.cache

envoy.filters.http.cache.simple_http_cache

envoy.filters.http.cdn_loop

envoy.filters.http.composite

envoy.filters.http.compressor

envoy.filters.http.cors

envoy.filters.http.csrf

envoy.filters.http.decompressor

envoy.filters.http.dynamic_forward_proxy

envoy.filters.http.dynamo

envoy.filters.http.ext_authz

envoy.filters.http.ext_proc

envoy.filters.http.fault

envoy.filters.http.grpc_http1_bridge

envoy.filters.http.grpc_http1_reverse_bridge

envoy.filters.http.grpc_json_transcoder

envoy.filters.http.grpc_stats

envoy.filters.http.grpc_web

envoy.filters.http.gzip

envoy.filters.http.header_to_metadata

envoy.filters.http.health_check

envoy.filters.http.ip_tagging

envoy.filters.http.jwt_authn

envoy.filters.http.kill_request

envoy.filters.http.local_ratelimit

envoy.filters.http.lua

envoy.filters.http.oauth2

envoy.filters.http.on_demand

envoy.filters.http.original_src

envoy.filters.http.ratelimit

envoy.filters.http.rbac

envoy.filters.http.router

envoy.filters.http.squash

envoy.filters.http.tap

envoy.filters.http.wasm

Envoy configuration examples

envoy.yaml

# envoy.yaml (first example: a grpc-web bridge with CORS)
# Note: the v2 HttpConnectionManager type used here is deprecated; current
# Envoy releases use the v3 type shown in the second example.
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address: { address: 0.0.0.0, port_value: 9901 }

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route:
                  cluster: echo_service
                  max_grpc_timeout: 0s
              cors:
                allow_origin_string_match:
                - prefix: "*"
                allow_methods: GET, PUT, DELETE, POST, OPTIONS
                allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
                max_age: "1728000"
                expose_headers: custom-header-1,grpc-status,grpc-message
          http_filters:
          - name: envoy.filters.http.grpc_web
          - name: envoy.filters.http.cors
          - name: envoy.filters.http.router
  clusters:
  - name: echo_service
    connect_timeout: 0.25s
    type: logical_dns
    http2_protocol_options: {}
    lb_policy: round_robin
    load_assignment:
      cluster_name: cluster_0
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: server
                port_value: 50052

# envoy.yaml (second example: gRPC-JSON transcoding in front of a gRPC service)
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address: { address: 0.0.0.0, port_value: 9901 }

static_resources:
  listeners:
  - name: listener1
    address:
      socket_address: { address: 0.0.0.0, port_value: 5858 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: grpc_json
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match: { prefix: "/wind_power.WindServer" }
                # Duration fields are written as strings such as 60s, not as {seconds: 60}
                route: { cluster: grpc, timeout: 60s }
          http_filters:
          - name: envoy.filters.http.grpc_json_transcoder
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_json_transcoder.v3.GrpcJsonTranscoder
              proto_descriptor: "/etc/envoy/proto.pb"
              services: ["wind_power.WindServer"]
              print_options:
                add_whitespace: true
                always_print_primitive_fields: true
                always_print_enums_as_ints: false
                preserve_proto_field_names: false
          - name: envoy.filters.http.router

  clusters:
  - name: grpc
    connect_timeout: 1.25s
    type: logical_dns
    lb_policy: round_robin
    dns_lookup_family: V4_ONLY
    http2_protocol_options: {}
    upstream_connection_options:
      tcp_keepalive:
        keepalive_time: 300
    load_assignment:
      cluster_name: grpc
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 0.0.0.0
                port_value: 50052
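The listener → route → cluster chain that the xDS section describes, applied to the first sample envoy.yaml above, as an added Python check that is not part of the original post or of Envoy itself: it walks a static bootstrap's inline route tables, confirms every route points at a declared cluster, and flags the two settings a reviewer would question in that example (the admin port bound to 0.0.0.0, which exposes config dumps and control endpoints to the network, and a CORS origin match of "*"). The input is a constructed, trimmed copy of the page's first example embedded as JSON so that no YAML library is needed.

```python
import json

# Constructed input: a trimmed copy of the page's first envoy.yaml, embedded as
# JSON so that this check runs without a YAML library.
SAMPLE = json.loads("""
{"admin": {"address": {"socket_address": {"address": "0.0.0.0", "port_value": 9901}}},
 "static_resources": {
  "listeners": [{"name": "listener_0",
   "address": {"socket_address": {"address": "0.0.0.0", "port_value": 8080}},
   "filter_chains": [{"filters": [{"name": "envoy.filters.network.http_connection_manager",
    "typed_config": {"route_config": {"virtual_hosts": [{"name": "local_service",
     "domains": ["*"], "routes": [{"match": {"prefix": "/"}, "route": {"cluster": "echo_service"}}],
     "cors": {"allow_origin_string_match": [{"prefix": "*"}]}}]}}}]}]}],
  "clusters": [{"name": "echo_service", "load_assignment": {"cluster_name": "cluster_0"}}]}}
""")
HCM = "envoy.filters.network.http_connection_manager"

def virtual_hosts(cfg):
    """Yield (listener name, virtual host) for each inline route table (LDS -> RDS)."""
    for lst in cfg["static_resources"].get("listeners", []):
        for chain in lst.get("filter_chains", []):
            for flt in chain.get("filters", []):
                if flt.get("name") == HCM:
                    rc = flt.get("typed_config", {}).get("route_config", {})
                    for vh in rc.get("virtual_hosts", []):
                        yield lst["name"], vh

def check_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    admin = cfg.get("admin", {}).get("address", {}).get("socket_address", {})
    if admin.get("address") in ("0.0.0.0", "::"):  # admin serves config dumps and control endpoints
        findings.append("admin on %s:%s reachable from every interface; bind to 127.0.0.1"
                        % (admin["address"], admin.get("port_value")))
    clusters = {c["name"] for c in cfg["static_resources"].get("clusters", [])}
    for c in cfg["static_resources"].get("clusters", []):
        la_name = c.get("load_assignment", {}).get("cluster_name")
        if la_name and la_name != c["name"]:  # harmless for a static cluster, but confusing
            findings.append("cluster %s: load_assignment.cluster_name is %s" % (c["name"], la_name))
    for lst, vh in virtual_hosts(cfg):
        for r in vh.get("routes", []):
            target = r.get("route", {}).get("cluster")
            if target and target not in clusters:  # the route -> cluster (CDS) link
                findings.append("%s/%s routes to undefined cluster %s" % (lst, vh["name"], target))
        for m in vh.get("cors", {}).get("allow_origin_string_match", []):
            if m.get("prefix") == "*" or m.get("exact") == "*":  # Envoy treats a '*' match as any origin
                findings.append("%s/%s: CORS allows any origin" % (lst, vh["name"]))
    return findings
```

Routes delivered through RDS rather than inline, and clusters delivered through CDS, would need the same walk over the dynamic resources instead of static_resources.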

Configuration overview

Bootstrap

{
  "node": "{...}",
  "static_resources": "{...}",
  "dynamic_resources": "{...}",
  "cluster_manager": "{...}",
  "hds_config": "{...}",
  "flags_path": "...",
  "stats_sinks": [],
  "stats_config": "{...}",
  "stats_flush_interval": "{...}",
  "stats_flush_on_admin": "...",
  "watchdog": "{...}",
  "watchdogs": "{...}",
  "tracing": "{...}",
  "layered_runtime": "{...}",
  "admin": "{...}",
  "overload_manager": "{...}",
  "enable_dispatcher_stats": "...",
  "header_prefix": "...",
  "stats_server_version_override": "{...}",
  "use_tcp_for_dns_lookups": "...",
  "bootstrap_extensions": [],
  "fatal_actions": [],
  "default_socket_interface": "..."
}

node: node identity. Holds the identifying information of this Envoy instance, which the management server uses to tell Envoy instances apart. See core.Node.

static_resources: static configuration, the resources Envoy's core needs in order to work, made up of listeners, clusters and secrets.

dynamic_resources: dynamic configuration, obtained through xDS. Dynamic and static configuration can be used together.

cluster_manager: manages all upstream clusters. It encapsulates connecting to backend services: when a filter decides a connection can be established, it calls the cluster_manager API to establish it. cluster_manager handles details such as load balancing and health checking.

hds_config: dynamic configuration for the health discovery service.

stats_sinks: stats output plugins, which can export stats to various collection systems. Prometheus-format metrics are normally obtained from Envoy's admin interface at /stats/prometheus; this setting exists to support other monitoring systems.

stats_config: stats configuration.

stats_flush_interval: stats flush interval.

watchdog: watchdog configuration. Envoy has a built-in watchdog that increments counters when Envoy is unresponsive and decides, based on those counts, whether to shut the Envoy service down.

tracing: distributed tracing configuration.

layered_runtime: layered runtime configuration. It can be configured statically or loaded dynamically through RTDS.

admin: the admin interface.

overload_manager: the overload manager.

header_prefix: prefix override for Envoy's own headers. For example, if this field is set to X-Foo, the x-envoy-retry-on header becomes x-foo-retry-on.

use_tcp_for_dns_lookups: force DNS lookups over TCP. This can be overridden in a cluster's configuration.

Listener

{
  "name": "...",
  "address": "{...}",
  "stat_prefix": "...",
  "filter_chains": [],
  "use_original_dst": "{...}",
  "default_filter_chain": "{...}",
  "per_connection_buffer_limit_bytes": "{...}",
  "metadata": "{...}",
  "drain_type": "...",
  "listener_filters": [],
  "listener_filters_timeout": "{...}",
  "continue_on_listener_filters_timeout": "...",
  "transparent": "{...}",
  "freebind": "{...}",
  "socket_options": [],
  "tcp_fast_open_queue_length": "{...}",
  "traffic_direction": "...",
  "udp_listener_config": "{...}",
  "api_listener": "{...}",
  "connection_balance_config": "{...}",
  "reuse_port": "...",
  "access_log": [],
  "tcp_backlog_size": "{...}",
  "bind_to_port": "{...}"
}

Cluster

{
  "transport_socket_matches": [],
  "name": "...",
  "alt_stat_name": "...",
  "type": "...",
  "cluster_type": "{...}",
  "eds_cluster_config": "{...}",
  "connect_timeout": "{...}",
  "per_connection_buffer_limit_bytes": "{...}",
  "lb_policy": "...",
  "load_assignment": "{...}",
  "health_checks": [],
  "max_requests_per_connection": "{...}",
  "circuit_breakers": "{...}",
  "upstream_http_protocol_options": "{...}",
  "common_http_protocol_options": "{...}",
  "http_protocol_options": "{...}",
  "http2_protocol_options": "{...}",
  "typed_extension_protocol_options": "{...}",
  "dns_refresh_rate": "{...}",
  "dns_failure_refresh_rate": "{...}",
  "respect_dns_ttl": "...",
  "dns_lookup_family": "...",
  "dns_resolvers": [],
  "use_tcp_for_dns_lookups": "...",
  "outlier_detection": "{...}",
  "cleanup_interval": "{...}",
  "upstream_bind_config": "{...}",
  "lb_subset_config": "{...}",
  "ring_hash_lb_config": "{...}",
  "maglev_lb_config": "{...}",
  "original_dst_lb_config": "{...}",
  "least_request_lb_config": "{...}",
  "common_lb_config": "{...}",
  "transport_socket": "{...}",
  "metadata": "{...}",
  "protocol_selection": "...",
  "upstream_connection_options": "{...}",
  "close_connections_on_host_health_failure": "...",
  "ignore_health_on_host_removal": "...",
  "filters": [],
  "track_timeout_budgets": "...",
  "upstream_config": "{...}",
  "track_cluster_stats": "{...}",
  "preconnect_policy": "{...}",
  "connection_pool_per_downstream_connection": "..."
}

Route configuration

{
  "name": "...",
  "virtual_hosts": [],
  "vhds": "{...}",
  "internal_only_headers": [],
  "response_headers_to_add": [],
  "response_headers_to_remove": [],
  "request_headers_to_add": [],
  "request_headers_to_remove": [],
  "most_specific_header_mutations_wins": "...",
  "validate_clusters": "{...}",
  "max_direct_response_body_size_bytes": "{...}"
}