One-Step Ingress
Secure and Connect Microservices using One Command
EnRoute Ingress allows you to configure any security policy for a service at Kubernetes Ingress in One Step
Examples Include -
- Get, Verify and Install SSL Certificate from Let’s Encrypt
- Rate Limit configuration for service
- JWT Validation for Service
- Attach Lua script to request/response path for the service
- Enable CORS for the service
Apart from this, in the near future, we plan on extending support for
- Setup external-dns to auto-create DNS records and setup DNS auto certificate renewal
- More security blocks like CSRF filter to prevent request forgery and IP Tagging to tag trusted IP addresses
- More programmability using WASM to provide Web Assembly code invocation capability out-of-the box
Truly Declarative
EnRoute model is truly declarative service policy. Service policy does not need configuration, declaring it is sufficient. Once declared, policy configuration is automatically created and enforced for the service.
For example, to enable the JWT plugin, simply invoke -
helm install httpbin-service-policy saaras/service-policy \
--set service.namespace=demo-service \
--set service.name=httpbin \
--set service.port=80 \
--set filters.jwt.enable=true \This enables the JWT plugin for the service httpbin
Update L7 Policy Blocks Using the Same Abstraction
L7 Policy blocks (like SSL, CORS, JWT, Rate-Limit etc.) can be included/excluded declaratively. They can be added or removed using a single helm command.
The helm chart supports enabling/disabling filters for the service
copy
helm upgrade httpbin-service-policy saaras/service-policy \
--set service.namespace=demo-service \
--set service.name=httpbin \
--set service.prefix=/get \
--set service.port=80 \
--set service.enableTLS=true \
--set autoTLS.certificateCN=httpbin.enroutedemo.com \
--set autoTLS.enableProd=true \
--set autoTLS.createIssuers=true \
--set autoTLS.email=contact@example.com \
--set filters.cors.enable=true \
--set filters.jwt.enable=false \Declarative policy can be specified using helm install. Declaratively modifying this policy using helm upgrade reconciles L7 policy for a service to new state.
High-Level Abstractions
EnRoute One-Step provides higher-level abstractions. This is similar to a higher-level programming language compared to assembly code.
Higher-level abstractions (and languages) simplify programming the Ingress.
EnRoute leverages existing Envoy filter abstraction and extends them to the Ingress layer. EnRoute keeps it simple to use a well-known tool like helm while working with well-known Envoy filter abstractions. It forms a lightweight shim for Envoy proxy.
Security First
EnRoute’s deep integration with Let’s Encrypt radically simplifies setting up certificates, verifying them, and installing them for a service.
Unpacking Details
The helm command creates GatewayHost and related artifacts to support installing different filters.
The helm code that creates the artifacts can be modified to meet create microservice connectivity and security profile.
Advantages Of Running Policy At EnRoute One-Step Ingress Controller
There are several distinct advantages of running an Ingress Controller and enforcing policies at Ingress.
- Ingress provides a portable mechanism to enforce policy inside the Kubernetes Cluster. Policies enforced inside a cluster are easier to port across clouds.
- Ingress can be scaled horizontally inside the Kubernetes Cluster. The elasticity of L7 fabric makes it easier to operate and scale it
- L7 policies can be hosted along with services inside the cluster with cluster-native state storage
- Keeping L7 policy closer to services simplifies policy enforcement and troubleshooting of services and APIs.
Conclusion
One-Step Ingress provides an opportunity to make Ingress extremely simple to understand and operate. It cuts down the number of artifacts required to configure service connectivity and policy options. When there are higher-level abstractions to work with, it improves operational velocity to work with Kubernetes without sacrificing DevOps agility
As Kubernetes is adopted as a standard to run microservices and adopt DevOps practices, working with fewer tools cuts down the number of moving parts. EnRoute One-Step Ingress drives simplicity and operational velocity by relying on existing tools like helm and Envoy.
Got Questions? Slack Send Us a Note
