envoy - ghdrako/doc_snipets GitHub Wiki

Build

https://www.envoyproxy.io/docs/envoy/latest/start/building is included. But the binary file's size is too large, 469MB. Can you figure out how to make it smaller? Any suggestion is appreciated.

bazel --server_javabase=/usr/lib/jvm/java-11-amazon-corretto --host_jvm_args=-Djavax.net.ssl.trustStore=$CI_PROJECT_DIR/keystore.jks --host_jvm_args=-Djavax.net.ssl.trustStorePassword=changeit test  --jobs=16 -c opt --config=sizeopt --copt=-DENVOY_IGNORE_GLIBCXX_USE_CXX11_ABI_ERROR=1 --verbose_failures --distdir=$CI_PROJECT_DIR/ext/ --distdir=$CI_PROJECT_DIR/ext2/ --distdir=$CI_PROJECT_DIR/ext4/ --repository_cache=$CI_PROJECT_DIR/ext --repository_cache=$CI_PROJECT_DIR/ext2 --repository_cache=$CI_PROJECT_DIR/ext4 --linkopt=-Wl,--strip-all //test/...

Yeah, as you see, I built it with GitLab CI, an environment without internet access, downloading external dependencies manually. I put external dependencies in ext, ext2, ext4. And I used LLVM.

the easiest/most supported path for compiling is using the docker build container and the bazel targets, ie

$ ./ci/run_envoy_docker.sh './ci/do_ci.sh release.server_only'

which builds optimized, stripped bins for dist targets

the bazel target you are looking for for a single binary (non-contrib) is

$ bazel build ... --stripopt=--strip-all -c opt //source/exe:envoy-static.stripped

lmk if that helps - the dev docs are due some update in the near future

Envoy

Envoy is a programmable L3/L4 and L7 proxy that powers today’s service mesh solutions including Istio, AWS App Mesh, Consul Connect, etc. At Envoy’s core lie several filters that provide a rich set of features for observing, securing, and routing network traffic to microservices.

Envoy exposes a set of APIs that let users and control planes statically and dynamically configure the proxy. By configuring a Listener, users can enable the flow of traffic through the proxy, and then enhance the data flow using several Filters. Using a combination of these filters, Envoy can measure, transform, and perform higher order access control operations.

                     |                                 |
LISTENER <---data--->| |filter|-->|filter|-->|filter|  |<--data--> SERVICE
                     |    filter chain                 |

A Listener allows Envoy to listen to network traffic at a configured address. Each Listener then defines a set of filters that sit in the data path, collectively forming a filter chain. By composing and arranging a set of filters, users can configure Envoy to translate protocol messages, generate statistics, perform RBAC, etc. Envoy provides numerous built-in filters, and it also provides APIs to let you create your own.

Types of Filters

Envoy currently provides 3 types of filters that form a hierarchical filter chain.

  • Listener Filters
  • Network Filters
  • HTTP Filters

Listener Filters

Listener Filters access raw data and manipulate metadata of L4 connections during the initial (pre)connection phase. For example, the TLS Inspector Filter identifies if a connection is TLS encrypted and parses the TLS metadata associated with the connection.

Network Filters

Network Filters access and manipulate raw data on L4 connections, i.e. TCP packets. For example, the TCP Proxy Filter routes client connection data to upstream hosts, and it also generates connection statistics.

HTTP Filters

HTTP Filters operate at L7 and are optionally created by a final Network Filter, i.e. the HTTP Connection Manager. These filters access and manipulate HTTP requests and responses. For example, the gRPC-JSON Transcoder Filter exposes a REST API for a gRPC backend and translates requests and responses into corresponding formats.
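
The three filter levels in one static configuration, as an added example that is not from the original page or the Envoy project: a TLS Inspector listener filter, the HTTP Connection Manager as the final network filter, and an RBAC HTTP filter ahead of the router. The listener name, ports, cluster name `service_backend` and the `read-only` policy are assumed values.

```yaml
# Added example; names, ports and the RBAC policy are assumed values.
static_resources:
  listeners:
  - name: ingress                      # assumed name
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    listener_filters:                  # 1. Listener Filter: runs before a filter chain is selected
    - name: envoy.filters.listener.tls_inspector
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    - filters:                         # 2. Network Filters: L4, the last one terminates the chain
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: service_backend }
          http_filters:                # 3. HTTP Filters: L7, evaluated in order
          - name: envoy.filters.http.rbac
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
              rules:
                action: ALLOW          # requests matching no policy are denied (403)
                policies:
                  read-only:
                    permissions:
                    - header: { name: ":method", string_match: { exact: GET } }
                    principals:
                    - any: true
          - name: envoy.filters.http.router   # must be last
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: service_backend              # assumed upstream on localhost:8080
    type: STATIC
    connect_timeout: 1s
    load_assignment:
      cluster_name: service_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8080 }
```

The file can be checked without opening any listeners by running `envoy --mode validate -c <file>` before it is put in place.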

Benefits of Envoy Filters

As outlined earlier, Envoy filters provide several benefits to users.

  • Firstly, one can create an intermediate layer to handle clients gracefully when communicating with an incompatible server.
  • Next, you can measure the usage of APIs and services in a transparent and consistent manner.
  • Third, the proxy can perform protocol translation, allowing different protocols to interoperate.
  • Yet another benefit is that the proxy can make intelligent routing decisions (e.g. rate limiting) via a filter.
  • Finally, these filters can share data among each other via a mechanism called Filter State. By sharing state, a filter like the MySQL Filter can share information about the resources accessed and the operations performed with another filter like the RBAC Filter to provide a higher-order RBAC solution. Note that the current version of the MySQL filter relies on Dynamic Metadata to share state, which now stands deprecated in favor of Filter State.

Service

$ sudo cat /etc/systemd/system/envoy.service
[Unit]
Description=Envoy Proxy
After=network.target

[Service]
User=envoy
Group=envoy
WorkingDirectory=/opt/envoy
ExecStart=/opt/envoy/bin/envoy -c /etc/envoy/envoy.yaml
Restart=on-failure

[Install]
WantedBy=multi-user.target