Tetrate Enterprise Gateway for Envoy (TEG) Version: v0.0.0-latest

Advanced Traffic Management with Extended Kubernetes Gateway API in Envoy Gateway

This page shows how to use the extended Kubernetes Gateway API features in Envoy Gateway, particularly BackendTrafficPolicy and ClientTrafficPolicy, to manage traffic through the gateway.

Prerequisites

Before starting, ensure the following steps are completed:

  1. Install TEG: Follow the get started guide to complete the installation of TEG.
  2. Deploy a sample application: Follow the basic ingress configuration guide to deploy a simple sample application.

Configuring Traffic Management Policies

Next, we will demonstrate how to use BackendTrafficPolicy and ClientTrafficPolicy to manage traffic.

Managing Backend Traffic with BackendTrafficPolicy

BackendTrafficPolicy allows for detailed traffic control over backend services, such as retry, timeout, and circuit breaker policies.

Example: Configuring Fault Injection Policy

Fault injection is a crucial aspect of testing the resilience of your application. By intentionally introducing errors such as service failures or abnormal status codes, you can verify how well your application and its retry mechanisms handle unexpected situations. This step is especially valuable in ensuring your traffic policies like retries and timeouts are properly triggered and managed.

Assuming there is a need to manage retries for the httpbin service traffic, here is how to configure it:

backend-traffic-policy.yaml

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: retry-policy
  namespace: httpbin
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: httpbin
  faultInjection:
    abort:
      httpStatus: 501
      percentage: 50

kubectl apply -f backend-traffic-policy.yaml

This configuration specifies a 50% fault injection policy for the httpbin HTTPRoute, where 50% of requests will return a 501 status code.

Managing Client Traffic with ClientTrafficPolicy

ClientTrafficPolicy is used to configure settings for client traffic entering the gateway, such as connection keep-alive and timeouts.

Example: Configuring Client IP Detection

To configure client IP detection, you can use the following setup:

client-traffic-policy.yaml

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: keepalive-policy
  namespace: httpbin
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: dedicated-gateway
  clientIPDetection:
    xForwardedFor:
      numTrustedHops: 2

kubectl apply -f client-traffic-policy.yaml

This client traffic policy configures the gateway to trust up to 2 hops in the X-Forwarded-For header, so that it accurately identifies the real IP address of the client.
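
The hop counting behind numTrustedHops, as an added example (not part of the original page or TEG's own code): it models Envoy's documented rule for a listener that uses the remote address, taking the Nth X-Forwarded-For entry from the right and falling back to the TCP peer address. The function name, addresses and topology are constructed for illustration.

```python
"""Model of trusted-client-IP selection for xForwardedFor.numTrustedHops (added example)."""
import ipaddress


def trusted_client_address(xff, peer_addr, num_trusted_hops):
    """Return the address the gateway treats as the client.

    Assumed behaviour (Envoy with use_remote_address enabled): take the
    Nth entry from the right of the X-Forwarded-For header as received,
    where N = num_trusted_hops; fall back to the TCP peer address when
    the header has fewer than N entries or the entry is not a valid IP.
    """
    if num_trusted_hops > 0 and xff:
        hops = [h.strip() for h in xff.split(",")]
        if len(hops) >= num_trusted_hops:
            candidate = hops[-num_trusted_hops]
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                pass  # malformed entry: do not trust the header
    return peer_addr


# Constructed sample topology: client -> CDN -> load balancer -> gateway.
CLIENT, CDN, LB = "203.0.113.10", "198.51.100.20", "10.0.0.5"
SPOOFED = "192.0.2.99"  # value a client puts in its own X-Forwarded-For


def scenarios():
    return {
        # Both proxies appended their peer; hops=2 yields the real client.
        "two_proxies": trusted_client_address(f"{CLIENT}, {CDN}", LB, 2),
        # Client-supplied entry sits left of the trusted ones and is ignored.
        "spoof_ignored": trusted_client_address(f"{SPOOFED}, {CLIENT}, {CDN}", LB, 2),
        # hops set higher than the real proxy count: the spoofed value wins.
        "hops_too_high": trusted_client_address(f"{SPOOFED}, {CLIENT}, {CDN}", LB, 3),
        # Direct curl as in the verification step: no header, peer address is used.
        "direct": trusted_client_address(None, CLIENT, 2),
    }


if __name__ == "__main__":
    for name, addr in scenarios().items():
        print(f"{name:14} -> {addr}")
```

The hops_too_high case is the one to look for when reviewing a policy: numTrustedHops should match the number of proxies you operate in front of the gateway, because any extra hop is read from a header position the client controls.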

Verifying Configuration

Use curl to repeatedly request the gateway to verify the configuration:

# Request the gateway every 3 seconds; stop with Ctrl-C.
while true; do
  curl -i "http://${DEDICATED_GATEWAY_IP}/httpbin/headers"
  sleep 3
done

You will see alternating responses like the following:

fault filter abort~
HTTP/1.1 200 OK
server: gunicorn/19.9.0
date: Fri, 16 Aug 2024 12:40:42 GMT
content-type: application/json
content-length: 241
access-control-allow-origin: *
access-control-allow-credentials: true

{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Host": "35.224.27.75",
    "User-Agent": "curl/8.7.1",
    "X-Envoy-External-Address": "123.120.227.173"
  },
  "origin": "123.120.227.173",
  "url": "http://35.224.27.75/get"
}

The value of X-Envoy-External-Address indicates the client's IP.