Docker : Ambassador - Envoy API Gateway on Kubernetes

Ambassador is an open source Kubernetes-Native API Gateway built on the Envoy Proxy.

API Gateway is an entry point for all client requests. The requests are proxied/routed to the appropriate services. Usually, traffic management, authentication, and monitoring are implemented in the API Gateway hiding the details from our services.

Ambassador operates as a specialized control plane to expose Envoy's functionality as Kubernetes annotations.

Here's what Ambassador does:

1. Makes it easy to change and add to your Envoy configuration via Kubernetes annotations
2. Adds the out-of-the-box configuration necessary for production Envoy, e.g., monitoring, health/liveness checks, and more
3. Extends Envoy with traditional API Gateway functionality such as authentication
4. Integrates with Istio, for organizations who need a full-blown service mesh

In this post, we will see how we can deploy Envoy on Kubernetes via Ambassador.

Ambassador only deploys in Kubernetes. This means that Ambassador delegates all the hard parts of scaling and availability to Kubernetes.

Fore more about API gateway, please check Microservices API Gateways vs. Traditional Enterprise API Gateways and Envoy vs NGINX vs HAProxy: Why the open source Ambassador API Gateway chose Envoy.

We'll use minikube:

$ minikube start
There is a newer version of minikube available (v0.32.0).  Download it here:
https://github.com/kubernetes/minikube/releases/tag/v0.32.0

To disable this notification, run the following:
minikube config set WantUpdateNotification false
Starting local Kubernetes v1.10.0 cluster...
Starting VM...
Getting VM IP address...
Moving files into cluster...
Setting up certs...
Connecting to cluster...
Setting up kubeconfig...
Starting cluster components...
Kubectl is now configured to use the cluster.
Loading cached images from config file.
$

To check if we're using a cluster with RBAC enabled. We should see the API version .rbac.authorization.k8s.io/v1 if RBAC is enabled:

$ kubectl api-versions
...
rbac.authorization.k8s.io/v1
...

Current status of the cluster looks like this:

$ kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   8h

$ kubectl get pods
No resources found.

To install Ambassador/Envoy on Kubernetes, run the following:

$ kubectl apply -f https://www.getambassador.io/yaml/ambassador/ambassador-rbac.yaml
service/ambassador-admin created
clusterrole.rbac.authorization.k8s.io/ambassador created
serviceaccount/ambassador created
clusterrolebinding.rbac.authorization.k8s.io/ambassador created
deployment.extensions/ambassador created

Now we have a Kubernetes deployment for Ambassador that includes readiness and liveness checks. By default, it will also create 3 instances of Ambassador. Each Ambassador instance consists of an Envoy proxy along with the Ambassador control plane.

$ kubectl get pods
NAME                          READY   STATUS              RESTARTS   AGE
ambassador-67595bccdb-4nkn2   0/1     ContainerCreating   0          24s
ambassador-67595bccdb-6ddbj   0/1     ContainerCreating   0          24s
ambassador-67595bccdb-t4tzz   0/1     ContainerCreating   0          24s

$ kubectl get svc
NAME               TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
ambassador-admin   NodePort    10.99.19.183   <none>        8877:30384/TCP   32s
kubernetes         ClusterIP   10.96.0.1      <none>        443/TCP          9h

In order to deploy this service, we must create a Kubernetes manifest that specifies the desired end state of the service. For example, the my-service service could be defined as below:

kind: Service
apiVersion: v1
metadata:
  name: my-service
spec:
  selector:
    app: MyApp
  ports:
  - protocol: TCP
    port: 80
    targetPort: 9376

Because a Kubernetes service is the fundamental abstraction by which new services are exposed to other services and end users, Ambassador extends the service with custom annotations. For example:

kind: Service
apiVersion: v1
metadata:
  name: my-service
  annotations:
    getambassador.io/config: |
      ---
        apiVersion: ambassador/v0
        kind:  Mapping
        name:  my_service_mapping
        prefix: /my-service/
        service: my-service
spec:
  selector:
    app: MyApp
  ports:
  - protocol: TCP
    port: 80
    targetPort: 9376

Now, we need to create a Kubernetes service to point to the Ambassador deployment. We'll use a LoadBalancer service. If our cluster doesn't support LoadBalancer services, we may want to change to a NodePort or ClusterIP.

As we can see, the routing configuration for Ambassador is associated with each individual service. In other words, with this approach, there is no centralized Ambassador configuration file.

An a practical example, we'll use http://httpbin.org as shown in following ambassador-svc.yaml configuration:

---
apiVersion: v1
kind: Service
metadata:
  labels:
    service: ambassador
  name: ambassador
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v0
      kind:  Mapping
      name:  httpbin_mapping
      prefix: /httpbin/
      service: httpbin.org:80
      host_rewrite: httpbin.org
spec:
  type: LoadBalancer
  ports:
  - name: ambassador
    port: 80
    targetPort: 80
  selector:
    service: ambassador

Let's deploy this service to Kubernetes:

$ kubectl apply -f ambassador-svc.yaml
service/ambassador created

Envoy is now running on our cluster, along with the Ambassador control plane.

$ kubectl get svc
NAME               TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
ambassador         LoadBalancer   10.100.2.208   <pending>     80:32649/TCP     46s
ambassador-admin   NodePort       10.99.19.183   <none>        8877:30384/TCP   18h
kubernetes         ClusterIP      10.96.0.1      <none>        443/TCP          1d

By using Kubernetes annotations, Ambassador integrates transparently into our existing Kubernetes deployment workflow.

Ambassador will detect the change to our Kubernetes annotation and add the route to Envoy. Note that we used a dummy service in this example; typically, we would associate the annotation with our real Kubernetes service.

In order to get access to our microservices through Ambassador, we need an external URL to Ambassador's service interface. Let's start by getting the external IP address of Ambassador. You can get the IP address by running kubectl describe service ambassador and looking at the LoadBalancer Ingress line:

$ kubectl describe service ambassador
Name:                     ambassador
Namespace:                default
Labels:                   service=ambassador
Annotations:              getambassador.io/config:
                            ---
                            apiVersion: ambassador/v0
                            kind:  Mapping
                            name:  httpbin_mapping
                            prefix: /httpbin/
                            service: httpbin.org:80
                            host_rewrite: httpbin.org
                          kubectl.kubernetes.io/last-applied-configuration:
                            {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{"getambassador.io/config":"---\napiVersion: ambassador/v0\nkind:  Mapping\n...
Selector:                 service=ambassador
Type:                     LoadBalancer
IP:                       10.100.2.208
Port:                     ambassador  80/TCP
TargetPort:               80/TCP
NodePort:                 ambassador  32649/TCP
Endpoints:                172.17.0.7:80,172.17.0.8:80,172.17.0.9:80
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

On Minikube, we'll need to use minikube service --url ambassador:

minikube service --url ambassador
http://192.168.99.100:32649

We can now speak to the httpbin service using Ambassador. Let's send a request via curl, then Ambassador routes the request to the httpbin service:

$ curl $(minikube service --url ambassador)/httpbin/ip
{
  "origin": "108.239.135.40"
}

$ curl $(minikube service --url ambassador)/httpbin/user-agent
{
  "user-agent": "curl/7.54.0"
}


$ curl $(minikube service --url ambassador)/httpbin/headers
{
  "headers": {
    "Accept": "*/*", 
    "Connection": "close", 
    "Host": "httpbin.org", 
    "User-Agent": "curl/7.54.0", 
    "X-Envoy-Expected-Rq-Timeout-Ms": "3000", 
    "X-Envoy-Original-Path": "/httpbin/headers"
  }
}

Here is the list of URIs of the http://httpbin.org:

1. http://httpbin.org/ip Returns Origin IP.
2. http://httpbin.org/user-agent Returns user-agent.
3. http://httpbin.org/headers Returns header dict.
4. http://httpbin.org/get Returns GET data.
5. http://httpbin.org/post Returns POST data.
6. http://httpbin.org/put Returns PUT data.
7. http://httpbin.org/delete Returns DELETE data
8. http://httpbin.org/gzip Returns gzip-encoded data.
9. http://httpbin.org/status/:code Returns given HTTP Status code.
10. http://httpbin.org/response-headers?key=val Returns given response headers.
11. http://httpbin.org/redirect/:n 302 Redirects n times.
12. http://httpbin.org/relative-redirect/:n 302 Relative redirects n times.
13. http://httpbin.org/cookies Returns cookie data.
14. http://httpbin.org/cookies/set/:name/:value Sets a simple cookie.
15. http://httpbin.org/basic-auth/:user/:passwd Challenges HTTPBasic Auth.
16. http://httpbin.org/hidden-basic-auth/:user/:passwd 404'd BasicAuth.
17. http://httpbin.org/digest-auth/:qop/:user/:passwd Challenges HTTP Digest Auth.
18. http://httpbin.org/stream/:n Streams n–100 lines.
19. http://httpbin.org/delay/:n Delays responding for n–10 seconds.

Docker & K8s

1. Docker install on Amazon Linux AMI
2. Docker install on EC2 Ubuntu 14.04
3. Docker container vs Virtual Machine
4. Docker install on Ubuntu 14.04
5. Docker Hello World Application
6. Nginx image - share/copy files, Dockerfile
7. Working with Docker images : brief introduction
8. Docker image and container via docker commands (search, pull, run, ps, restart, attach, and rm)
9. More on docker run command (docker run -it, docker run --rm, etc.)
10. Docker Networks - Bridge Driver Network
11. Docker Persistent Storage
12. File sharing between host and container (docker run -d -p -v)
13. Linking containers and volume for datastore
14. Dockerfile - Build Docker images automatically I - FROM, MAINTAINER, and build context
15. Dockerfile - Build Docker images automatically II - revisiting FROM, MAINTAINER, build context, and caching
16. Dockerfile - Build Docker images automatically III - RUN
17. Dockerfile - Build Docker images automatically IV - CMD
18. Dockerfile - Build Docker images automatically V - WORKDIR, ENV, ADD, and ENTRYPOINT
19. Docker - Apache Tomcat
20. Docker - NodeJS
21. Docker - NodeJS with hostname
22. Docker Compose - NodeJS with MongoDB
23. Docker - Prometheus and Grafana with Docker-compose
24. Docker - StatsD/Graphite/Grafana
25. Docker - Deploying a Java EE JBoss/WildFly Application on AWS Elastic Beanstalk Using Docker Containers
26. Docker : NodeJS with GCP Kubernetes Engine
27. Docker : Jenkins Multibranch Pipeline with Jenkinsfile and Github
28. Docker : Jenkins Master and Slave
29. Docker - ELK : ElasticSearch, Logstash, and Kibana
30. Docker - ELK 7.6 : Elasticsearch on Centos 7
31. Docker - ELK 7.6 : Filebeat on Centos 7
32. Docker - ELK 7.6 : Logstash on Centos 7
33. Docker - ELK 7.6 : Kibana on Centos 7
34. Docker - ELK 7.6 : Elastic Stack with Docker Compose
35. Docker - Deploy Elastic Cloud on Kubernetes (ECK) via Elasticsearch operator on minikube
36. Docker - Deploy Elastic Stack via Helm on minikube
37. Docker Compose - A gentle introduction with WordPress
38. Docker Compose - MySQL
39. MEAN Stack app on Docker containers : micro services
40. MEAN Stack app on Docker containers : micro services via docker-compose
41. Docker Compose - Hashicorp's Vault and Consul Part A (install vault, unsealing, static secrets, and policies)
42. Docker Compose - Hashicorp's Vault and Consul Part B (EaaS, dynamic secrets, leases, and revocation)
43. Docker Compose - Hashicorp's Vault and Consul Part C (Consul)
44. Docker Compose with two containers - Flask REST API service container and an Apache server container
45. Docker compose : Nginx reverse proxy with multiple containers
46. Docker & Kubernetes : Envoy - Getting started
47. Docker & Kubernetes : Envoy - Front Proxy
48. Docker & Kubernetes : Ambassador - Envoy API Gateway on Kubernetes
49. Docker Packer
50. Docker Cheat Sheet
51. Docker Q & A #1
52. Kubernetes Q & A - Part I
53. Kubernetes Q & A - Part II
54. Docker - Run a React app in a docker
55. Docker - Run a React app in a docker II (snapshot app with nginx)
56. Docker - NodeJS and MySQL app with React in a docker
57. Docker - Step by Step NodeJS and MySQL app with React - I
58. Installing LAMP via puppet on Docker
59. Docker install via Puppet
60. Nginx Docker install via Ansible
61. Apache Hadoop CDH 5.8 Install with QuickStarts Docker
62. Docker - Deploying Flask app to ECS
63. Docker Compose - Deploying WordPress to AWS
64. Docker - WordPress Deploy to ECS with Docker-Compose (ECS-CLI EC2 type)
65. Docker - WordPress Deploy to ECS with Docker-Compose (ECS-CLI Fargate type)
66. Docker - ECS Fargate
67. Docker - AWS ECS service discovery with Flask and Redis
68. Docker & Kubernetes : minikube
69. Docker & Kubernetes 2 : minikube Django with Postgres - persistent volume
70. Docker & Kubernetes 3 : minikube Django with Redis and Celery
71. Docker & Kubernetes 4 : Django with RDS via AWS Kops
72. Docker & Kubernetes : Kops on AWS
73. Docker & Kubernetes : Ingress controller on AWS with Kops
74. Docker & Kubernetes : HashiCorp's Vault and Consul on minikube
75. Docker & Kubernetes : HashiCorp's Vault and Consul - Auto-unseal using Transit Secrets Engine
76. Docker & Kubernetes : Persistent Volumes & Persistent Volumes Claims - hostPath and annotations
77. Docker & Kubernetes : Persistent Volumes - Dynamic volume provisioning
78. Docker & Kubernetes : DaemonSet
79. Docker & Kubernetes : Secrets
80. Docker & Kubernetes : kubectl command
81. Docker & Kubernetes : Assign a Kubernetes Pod to a particular node in a Kubernetes cluster
82. Docker & Kubernetes : Configure a Pod to Use a ConfigMap
83. AWS : EKS (Elastic Container Service for Kubernetes)
84. Docker & Kubernetes : Run a React app in a minikube
85. Docker & Kubernetes : Minikube install on AWS EC2
86. Docker & Kubernetes : Cassandra with a StatefulSet
87. Docker & Kubernetes : Terraform and AWS EKS
88. Docker & Kubernetes : Pods and Service definitions
89. Docker & Kubernetes : Service IP and the Service Type
90. Docker & Kubernetes : Kubernetes DNS with Pods and Services
91. Docker & Kubernetes : Headless service and discovering pods
92. Docker & Kubernetes : Scaling and Updating application
93. Docker & Kubernetes : Horizontal pod autoscaler on minikubes
94. Docker & Kubernetes : From a monolithic app to micro services on GCP Kubernetes
95. Docker & Kubernetes : Rolling updates
96. Docker & Kubernetes : Deployments to GKE (Rolling update, Canary and Blue-green deployments)
97. Docker & Kubernetes : Slack Chat Bot with NodeJS on GCP Kubernetes
98. Docker & Kubernetes : Continuous Delivery with Jenkins Multibranch Pipeline for Dev, Canary, and Production Environments on GCP Kubernetes
99. Docker & Kubernetes : NodePort vs LoadBalancer vs Ingress
100. Docker & Kubernetes : MongoDB / MongoExpress on Minikube
101. Docker & Kubernetes : Load Testing with Locust on GCP Kubernetes
102. Docker & Kubernetes : MongoDB with StatefulSets on GCP Kubernetes Engine
103. Docker & Kubernetes : Nginx Ingress Controller on Minikube
104. Docker & Kubernetes : Setting up Ingress with NGINX Controller on Minikube (Mac)
105. Docker & Kubernetes : Nginx Ingress Controller for Dashboard service on Minikube
106. Docker & Kubernetes : Nginx Ingress Controller on GCP Kubernetes
107. Docker & Kubernetes : Kubernetes Ingress with AWS ALB Ingress Controller in EKS
108. Docker & Kubernetes : Setting up a private cluster on GCP Kubernetes
109. Docker & Kubernetes : Kubernetes Namespaces (default, kube-public, kube-system) and switching namespaces (kubens)
110. Docker & Kubernetes : StatefulSets on minikube
111. Docker & Kubernetes : RBAC
112. Docker & Kubernetes Service Account, RBAC, and IAM
113. Docker & Kubernetes - Kubernetes Service Account, RBAC, IAM with EKS ALB, Part 1
114. Docker & Kubernetes : Helm Chart
115. Docker & Kubernetes : My first Helm deploy
116. Docker & Kubernetes : Readiness and Liveness Probes
117. Docker & Kubernetes : Helm chart repository with Github pages
118. Docker & Kubernetes : Deploying WordPress and MariaDB with Ingress to Minikube using Helm Chart
119. Docker & Kubernetes : Deploying WordPress and MariaDB to AWS using Helm 2 Chart
120. Docker & Kubernetes : Deploying WordPress and MariaDB to AWS using Helm 3 Chart
121. Docker & Kubernetes : Helm Chart for Node/Express and MySQL with Ingress
122. Docker & Kubernetes : Deploy Prometheus and Grafana using Helm and Prometheus Operator - Monitoring Kubernetes node resources out of the box
123. Docker & Kubernetes : Deploy Prometheus and Grafana using kube-prometheus-stack Helm Chart
124. Docker & Kubernetes : Istio (service mesh) sidecar proxy on GCP Kubernetes
125. Docker & Kubernetes : Istio on EKS
126. Docker & Kubernetes : Istio on Minikube with AWS EC2 for Bookinfo Application
127. Docker & Kubernetes : Deploying .NET Core app to Kubernetes Engine and configuring its traffic managed by Istio (Part I)
128. Docker & Kubernetes : Deploying .NET Core app to Kubernetes Engine and configuring its traffic managed by Istio (Part II - Prometheus, Grafana, pin a service, split traffic, and inject faults)
129. Docker & Kubernetes : Helm Package Manager with MySQL on GCP Kubernetes Engine
130. Docker & Kubernetes : Deploying Memcached on Kubernetes Engine
131. Docker & Kubernetes : EKS Control Plane (API server) Metrics with Prometheus
132. Docker & Kubernetes : Spinnaker on EKS with Halyard
133. Docker & Kubernetes : Continuous Delivery Pipelines with Spinnaker and Kubernetes Engine
134. Docker & Kubernetes : Multi-node Local Kubernetes cluster : Kubeadm-dind (docker-in-docker)
135. Docker & Kubernetes : Multi-node Local Kubernetes cluster : Kubeadm-kind (k8s-in-docker)
136. Docker & Kubernetes : nodeSelector, nodeAffinity, taints/tolerations, pod affinity and anti-affinity - Assigning Pods to Nodes
137. Docker & Kubernetes : Jenkins-X on EKS
138. Docker & Kubernetes : ArgoCD App of Apps with Heml on Kubernetes
139. Docker & Kubernetes : ArgoCD on Kubernetes cluster
140. Docker & Kubernetes : GitOps with ArgoCD for Continuous Delivery to Kubernetes clusters (minikube) - guestbook