Build an API Gateway with Envoy and use with .NET Core APIs

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

hollywood has given us plenty of examples where the protagonists will use or open a gateway to another dimension most usually actually always with disastrous consequences today we too are going to be using gateways but unlike a hollywood movie we're going to have wonderful consequences to our actions so if you're interested in the world of api gateways if you've heard of this thing called envoy or is it envoy why don't you come with me and journey into the magical world of api gateways [Music] well hello wherever you are whenever you are where am i melbourne australia as usual and when is it it's august 2020 so i hope wherever i find you and whenever i find you that you're happy safe and well so as i said in today's rather dramatic introduction today we're going to be looking at api gateways and more specifically we're going to be looking at something called envoy or i think as it's pronounced envoy but i'm going to be saying envoy i'll probably jump between the two and be really annoying but i'll probably say envoy for the most part so yes if the whole idea or the whole concept of api gateways interests you you're maybe not sure what they are or you kind of know what they are and you think maybe you want to use them this is the place to be and of course as usual we're going to be using.net core apis in this case as our route points for our api gateway so that sounds interesting you're in the right place so as usual um usual begging stuff if you've not subscribed think about subscribing you'll be notified when i put new stuff up if you do like the video maybe give it a like and to my patreon supporters thank you so much once again for your extra support and as usual your names are going to be coming up at the end of the video but for now we do have a lot to get through so i think we better jump into it so yes welcome to episode six of season three where we turn our attentions to envoy specifically as an api gateway so let's just go through what we're going to cover today now just before we go on go on i'll just say the usual housekeeping things code is on github so links below if you want to check out the code and look at that um there will be uh there is an article on my blog i'll put that below as well on this video so if you just want to follow along using that instead of the video you can go and check that out and finally the time codes for this video are below so if you just want to jump to a specific section of the video that i'm going to go through here you can just jump straight there rather than certain bits if you want to just see how we do a specific thing other than that let's keep going so i'm going to go through yeah i'm going through the introduction now an overview of what we're going to learn i will then take you through a bit of a demo and the architecture of what we're going to build as well as then the ingredients and the tooling that you'll need if you want to follow along we're then going to cover a bit of theory which i think we need to do before we go on to the build otherwise the concepts maybe just be a little too abstract so we'll look at what is an api gateway why you would use one what the pattern looks like but an alternative may be to it uh we'll then specifically look at what envoy is and then we will look at how envoy works at a fairly high level well then come on to the practical build section so in this section we're just kind of getting ourselves ready for the main event so in here we set up two apis very simple apis i'll show you those in the demo the.net core apis we will build them as images docker images we will configure them both for https as well which is a little bit of work and then we'll run both of those apis as services within docker compose now we use docker compose as the main vehicle to start up all our services including our envoy gateway which we do in the next section now just on this section i do everything step by step as usual but i have actually done a video on that kind of specific purple box there so in this video i go through it but i don't over explain it if you want to deep dive on that particular bit i've done another video that takes you through that in detail so some of the stuff i'm doing here doesn't make sense maybe check out that other video and come back but don't worry you do it all step by step here then we come on to the kind of main event where we set up envoy and we set up again in docker and ultimately in docker compose but we run it up with a default config and that just routes us through to google but it's a good exercise because number one it makes sure everything makes sure everything is running correctly and number two and we actually use that config as a kind of baseline config anyway and we build out from there uh you'll be added to dot com docker compose as i've said and then we will use uh go into our first use case which is http routing two or two apis second kind of high level use cases are all around https uh so in order to do that we need to set up a certificate for envoy and then we will go through a https termination example with envoy and one of our apis and then we will configure a cluster don't worry if you don't know what that means for https which means we have end to end https from envoy through to our apis and then we wrap up with some final thoughts and credits so i think now we move on to a bit of a demo all right so just before we go on with the demo let's go through the architecture of what you're going to end up building today i think that will probably help position the demo so we'll have a client in this case just a web browser then we're going to set up envoy envoy with listening on three ports so port 9901 is in this case the admin port you can administer the gateway pull stats out of it and all that kind of stuff i'll show you that and then we're going to listen on two other ports 10 000 for http and 1001 for https now these port numbers you can make them anything you like as long as another service on your desktop isn't using the same port but they can be anything they're just what we're using today and then you can see here that envoy uses a configuration file in this case called envoy yaml and that's where we will do most of our envoy work and i'll show you that quickly what that looks like very quickly uh let me take a look at the code um but as you'll have seen in terms of how we're going to step through this project we actually spin up our two apis first they're just.net core apis we've supplied some external port mappings as they're running in docker so that we can access them directly from the desktop but they also have of course the internal port mappings for http and https so very high level use case a client will make a request to envoy on either 10 000 or 1001 and again we'll step through the specific https use cases a bit later and i'm just showing you the routing example here so request comes in the client will form a url in a particular way and based on that url pattern envoy will determine which api it wants to route to and pull back information for the client so yeah basically that's our https routing scenario all these services are going to be running within docker compose it just makes it very easy to manage and the networking between our containers is all set up as well cool so a very quick overview of the code very quick and a very simple demo just of that routing example we will do the https stuff when we come to it so here's the project you'll end up with let me just go over here actually close this down it's running run up in a minute so if we come back to our project overview you'll have three projects one for your coffee api a standard.net core api project docker file to package it um same for the t api exactly the same just some minor differences and then envoy very simple docker file just to build an image and then as i said the envoy yaml file now you can see here it's quite quite verbose there's quite a lot of stuff in it even for our simple use cases don't worry i'll take you through uh not necessarily line by line but i'll take you through the main components of it and how it works so you'll have a good understanding and of course our docker compose file which defines our three services envoy gateway coffee api and t api so let's run this up docker compose up before we do that we'll move back over to docker just to see we have our three services here in fact we can even get rid of these no let's leave them let's leave them no point in building them we'll just spin them up again this is just a demo at the end of the day so we've got our three services up and running fantastic let's come over to uh browser and let's just go direct to one of our apis so localhost 8081. so this is our coffee api we're not using envoy at this point we're just going straight to the coffee api and it just pulls back the name of a coffee so long black cappuccino blah blah blah on black it's randomized okay so we're going straight to the api on https this is running within docker so a bit config required there you'll note the name of our controller t api is obviously very similar we can spell it right that would be great uh it's running on a different external port let's just have a quick look at that and it just pulls back different types of tea green peppermint chamomile blah blah blah so where does envoy come in well envoy comes in on a different url so you'll remember 1001 for https traffic um let's just put in a different url form so we're just doing forward slash c what will that what will happen with that well it takes us through to the coffee api and that's basically where the routing is coming in so we're going to envoy we're providing this i guess prefix and envoy will then route on that prefix um likewise if you put a t in for t you can see that same similar thing happens we go through to our t api and we'll talk a bit more about the https termination and routing and all that stuff when we come on to that a bit later cool so that's our demo that's what you're going to end up with again code is on github if you want to check out there while you're following along but now let's take a quick look at the ingredients you'll need to follow along okay let's look at the ingredients you'll need for today's video so vs code text editor dot net core sdk version 3.1 docker with docker compose windows 10 home users you may need to use a windows subsystem for linux if you want to use docker i've put a link below on how you can set that up client i'm just using a web browser which is fine but you can use either of those other ones as well if you like and we're going to be creating for the https component of this tutorial for envoy anyway we're going to need to use openssl to create our certificates windows users i'll kind of cover that when we come on to it linux users you probably already have open ssl available anyway but yes you'll need to install it if you want to use it obviously okay so what is an api gateway let's look at two patterns one of which is the api gateway but to put it in context let's look at the direct pattern so this is not the api gateway pattern so you can see we have four services four apis all providing some kind of business logic to anybody that wants to consume it and in the direct pattern the client just reaches out directly to those services individually and makes the requests for a functionality they provide likewise with client too so this is okay for smaller type applications although it's not ideal definitely not good for a single page applications or mobile apps because as you can see there it gets very chatty there's lots of requests multiple requests going out from the clients and multiple responses coming back obviously and that just doesn't lend itself well to those type of applications and you may argue it doesn't lend itself well to any type of application which would be a fair point and then of course when you add more services into the mix uh you know the the problem gets exacerbated and of course you're then almost really tying your services directly to your clients which is typically not something you ever really want to do certainly not in larger systems again okay for application smaller i don't want to completely demonize it but yeah generally probably not probably not something you'd build upon too much so that brings us on to the api gateway pattern and you know it's not that complex really we get the same four services we've now got this api gateway that sits in the middle as a an intermediary or a proxy and client requests go through the gateway and so we've only got you know a single request or what a request to one endpoint rather than four endpoints you might have still have the same number of actual requests potentially but you only are calling the one gateway depending on how you've set it up of course and then the same with a client two so it replaces multiple calls potentially and it acts as a reverse proxy so it kind of serves up content back to the clients as if the clients were directly requesting resources from the services it can do lots of stuff but we're going to be focusing on routing today so um you know client makes a request to the gateway and the gateway then determines where it goes and returns the relevant information back so that's the main thing we're going to be doing today but an api gateway does much more than just routing the whole to just to elevate what it does you really with an api gateway you're trying to bring out those cross-cutting concerns so rather than having authentication for example with every service or serving up static content with every service you want to abstract those things out those cross-cutting concerns out and an api gateway is a good candidate for where you would host those things are common to all your services and i've just listed a couple there a few there not everything that an api gateway can do and in short that's why you would use one and i don't think that i have it on there yeah i don't have it on here but we're going to also be doing this https termination or tls termination however you want to term it so https requests to the api gateway and then the gateway then just uses regular old http so it can do all that kind of stuff as well puts links to the envoy documentation below and it goes into all of that in a bit more detail so i wanted just to cover you probably noticed though you know is is the api gateway the ideal pattern potentially not because you've got to be really careful with it that it doesn't become a bloated monolith as of itself and what's a monolith just as the name would suggest it's just this big massive thing that you know is an anti-pattern really you know certainly people who advocate for micro services architecture monoliths are bad so um you know you've invested all this time and developing lots of lovely micro services but then you're just routing it all through a big monolithic gateway it kind of breaks the whole concept of why you would do that in the first place so you have to be careful and of course it can also become a single point failure which is again not a good thing and yes kind of what i said there it can violate the autonomy of micro services because you're kind of coupling them in to this gateway as well so you've got to be really careful with how you use them and again it kind of boils down to scale the larger your application becomes then you have to start thinking about how you adopt the api gateway pattern so you can solve it in a number of ways basically you'll break out your api gateways you can segregate them or break them out along different lines so business boundaries is one concept which possibly lends itself quite well to the idea of micro services which are all you know built around you know business context or bounded context so that's what's certainly one way you can do it or you can do it along client types so you have a gateway for your mobile apps you have a gateway for your single page apps you have a gateway for your desktop apps or whatever and in fact just on the next slide i thought it was worth just bringing this up for those of you that are not aware microsoft have this reference architecture for microservices called eshop on containers and i'll put the link below um and that's a github repo and there's also some documentation quite a lot of documentation and a book as well that you can download now this is the overall architecture that they've kind of defined as a reference point i don't think they're saying that this is the only way you can do something or this is the perfect way to do something but this is just a reference point and it's pretty good so you can see here in the middle they are using the api gateway pattern and they have segregated their gateways along the lines of uh aligning it with their client type so one for mobile one for traditional web apps which in this case is a an nvc web app and single page application and then yeah they kind of proxy the request to the relevant services microservices as required so that's yeah just fyi that's what they're doing they're actually they originally used something called ocelot as the gateway now they're using envoy as well so hence why well one of the reasons why i've chosen to do a video on it as well so good segue into what actually is envoy it was created at lyft now with the native computing foundation so they um kind of look after a lot of things i think kubernetes is something they also look after might be wrong but yeah it's got a lot of community support and it's really it's been more and more widely adopted so you're probably going to hear more and more about envoy envoy however you pronounce it as you move through your career so it's probably something you need to start learning about one thing i want you to take away from today's video don't i don't want you to think envoy is an api gateway or that's all it does um it's probably more correct to say envoy can act as an api gateway okay so it's one of the hacks it can wear almost other things but that's the context within uh within which we're going to be looking at it today so it can do routing which we're going to look at and i've put l7 routing which is routing basically at the url application level but at its core it's a level three stroke level four proxy yeah and as i say we're going to be using tls termination today in today's demo or https termination but it can also do things like retries which is actually really powerful um to have that built into your gateway load balancing you'll also see it used as or here it used something called a service proxy or a sidecar proxy where it kind of gets you you deploy envoy with each of your services so it's got this kind of partner and that means you're sort of starting to go into this realm of service meshes and all that kind of stuff which we're not going to cover today although i might do a video on it at some point all right so just finally how does envoy work this is a really fifty thousand foot level view of how it works um i think you'll probably understand that morrow may come on to using it within the so this is all done within the envoy yaml file that you'll remember hopefully from the kind of demo so within that you'll define listeners so listeners as the name would suggest or just you know ip address port um and we'll set up a number of listeners in today's demo and within those listeners you can have filters and then each filter will have a number of routes that we can no surprises route requests off to where do those route requests go to they go to a cluster and then within a cluster you will have a number of endpoints that ultimately relate to where you want to get this stuff routed to and an endpoint will have an address and a port all right so i think that's enough sort of theory enough powerpoint i think we i think it's time to get on and start building all right so the first thing we want to do is scaffold up our two apis now i will say i've done plenty of videos on detailed deep dives on how to write apis and also on packaging and api which was the last video i did packaging an api in docker with https support so basically just running through that same content again i'm not going to deep dive obviously i'll just be repeating myself and so what i'm going through here i'll go through all step by step don't worry but if what i'm doing here doesn't make sense maybe check out the last video that i did and then come back here but uh for now let's get on with it so i'm moving into my working directory i'm moving to season three i'm moving to episode six and i think i've got some archived stuff in there that's all right so the first thing we want to do is our first api so dot net new web api and we'll call it coffee api for reasons it will become glaringly obvious in a minute and then we're going to make another api and we're going to call this any guesses the t api coffee and tea there we go fantastic all right so listing okay so let's just open this up in code let me go all right so i've just basically opened our directory structure in in vs code fantastic doesn't matter that we've got this archived project in here we're not going to be using that but we do have our coffee and our tea projects fantastic now let's start with our coffee they're basically going to be exactly the same one just is going to return a random coffee type and the other one's going to return can you guess a random type of tea that's pretty much it there's nothing more exciting than that so i'm just going to get rid of the weather forecast model and i'm also going to get rid of the controller and recreate a new one so in controllers and the coffee api new file and we'll call it coffee controller.cs now i do not usually like cutting and pasting code that's something i avoid doing but in the interests of time and the interest of moving this thing along i am going to do that because it is very very simple as well let's go through what i just copied in here so i copied in the code for the coffee controller we've got some using statements the correct name space we have our coffee controller class called coffee controller and it inherits from controller base it's decorated with the api controller attribute which gives us some of the box stuff that we won't really be using today but we'll keep it in as it's good practice and then our route is just using this dynamic route which will be coffee at the end of the day it just lifts the name of our controller and uses that as the route and we then have one get action and all that does is it takes a string and returns a random uh one of these strings that's it pretty much uh using this rna using the random function here that's pretty much it so if we come over to properties and look at launch settings json again we're going to be putting these in docker so this doesn't really matter but for the moment we'll run it up locally run it up natively it's going to start with https on 5001 and http on 5000 and if you just double check that we do have i'm going into user certificate so run search button search open up manager certificates and if we come over here i just want to double check that we have our self signed uh local host certificate for development for a development environment and we do so let's save this off very importantly you save that and we'll do a dotnet run just to test that out uh oh and it would help so yes we're just in our um i guess you'd call it solution type folder we do need to move into coffee oh my goodness there we go all right dotnet run again there we go and it should run up fantastic it does let's open up edge and go localhost 5001 make sure it's https and then we just put in the name of our controller which is coffee and it'll get the default get there you go americano americano cappuccino long black fantastic um just out of interest i mean these are the the coffee names that we use here in australia so you're going to any coffee shop in melbourne or anywhere in australia this is what you'll get i don't know if you call them the same things so my personal favorite is a flat white um but yeah i don't know comments below if those coffee names look weird to you or you use the same ones wherever you are all right so that's our coffee api done that's it done basically as far as setting up our api and we'll be using that later so it's ctrl c to kill that and then we just want to do a very very similar thing with our t api so over in here in our t api we'll just delete this model we don't need it yep and into our controller we'll delete your controller and we'll create a new controller we'll call it t controller and it is exactly the same except well i'm fairly sure you're gonna know what what the differences are uh it's called t controller uh so you know we'll put t in our url and we browse to it it's got exactly the same uh get action result and then we just have some different t types here all right fantastic now the only thing i might do just for safety purposes i might just give these different um different port mappings let's give this six thousand one and 6000 just in case we ever run them at the same time locally i don't think we will let's move out here and let's move into t and let's do that run just to make sure it's working not the most complex api you'll have or useful api you'll ever see but it will serve our purposes for today's video so running on https 6001 and 6000 for http if you come back over here let me just change our uh change your port number and change this to t obviously there we go chamomile and i'm sure if we refresh we'll get another one fantastic okay so that's the basic api setup now what we want to do is package them up and docker all right so the docker part is actually really quite easy um let's just kill that now so it's not running let's close these down so all we need to do for both of these is we need to introduce a docker file so let's make sure we have coffee api selected new file docker file excellent now actually as per docker's own sort of recommendations they recommend you actually put in this dot docker ignore file which we will do as well okay and all the docker ignore file i will actually type it in because it's very small it just contains two uh folders obj and bin that we just ignore fine in fact while we're at it let's do that in t api as well uh new folder file should i say dot docker ignore fantastic and let me just put in the same same stuff cool that's that done and while we're at it let's put in our docker file as well docker file darker so this docker file and i'll put a link below actually directly comes from the docker implement docker the docker documentation on how to dockerize a dot net core api or a.net core web app generally it's exactly the same file i've just lifted it and shifted it in here oh and yeah what you'll need to change obviously from their example is you'll need to put in for the entry point you'll need to put in the name of the the assembly the dll for the respective api so for coffee api that would be in bin and you'll just see it see your coffee api and be careful with the capitalization because that will come back later when we come to use docker compose to run it up so over on our t api let's just paste it in now we would need to change this to t api for a dll entry point my goodness what was that t api okay make sure we save everything off so everything is saved that looks good now it's in my nature to want to explain the stalker file i really want to explain it to you but i'm not going to i'm going to resist if you want if you don't understand what dockerfile's doing go and check out my other video i'm going to be tough on you today all right so we have our two docker files now we're ready just to theoretically build these into images i'm not going to do that yet because what we need to do next and what i want to do next is configure both these apis to run with https enabled at the moment they are not configured to do that so we're going to do that next all right so to get https working within our docker type environment with dotnet core we have to do a few things first thing we need to do is create two news well a certificate pair api that matches the dll name effectively and that gets read in to kestrel when the docker container starts and the other thing we need to do is well we should do is use user secrets to read in the certificate's password so when we create the certificate we get that password and we need to supply that password when we ingest it into docker so we'll do that using user secrets again i'm going to go through all step by step i'm not going to explain it though the other thing i will say i think i've said it a few times the code is on github so i'll put links below just if you know you want to obviously follow along the code is there for you to kind of go through it in your own detail and again i have fully explained all this in my previous videos so i'm going to be tough and not re-explain it in this video okay because it's not the main thrust of today's video all right so we want to create as i said two new certificates one for the coffee api and one for the t api and they are just effectively copies of the local uh development dev certificate that's really all they are okay there's no no real difference um other than the we export them as a separate file and give them their respective names so i'm going to open up my windows terminal uh let me kill that and let me kill you let's clear the screen okay so we're going to yes create two certificates one for each of our apis and we do that at the command line so it's dotnet dev certs https and then we want to specify an export path so ep now as i'm using a powershell i need to access my user profile so enb call on user p and then if you type tab that fills in the rest of it for us fantastic just learned that as a new little time saving trick from somebody on the channel so again thank you to you and then the full path to where we want to store our certificate the convention will be asp.net backslash https and then we give it the name of the certificate that we want to give it so in this case we'll do our first one coffee api dot p f x okay so this part here the name should really match the capitalization of the the dll here okay and then we want to specify a password so pa55wrd that's the password i use for everything my bank accounts everything um so you know oh maybe you shouldn't be giving it away online but i trust you guys i don't think any of you would ever try and hack my bank account so cool we'll hit enter now we get this message a valid https certificate already exists because as i said it's really just a local localhost development certificate so it claims that it's already there and indeed it is that's what this dev search tool that's all it really does um now just for just for completeness i'm just going to do this next bit just in case it catches us out in the future but it shouldn't dev sets h d t d s dash dash trust now we shouldn't need to do that we've already trusted the local development certificate and again it says exactly that here we'll get a pop-up if it wasn't trusted but again we do and then we'll just do an up key and we will just do exactly the same for a t api we use the same password highly secure password and and um i will do the same thing again just for completeness we don't need to do that though it's just my ocd kicking in so where do those certificates go well probably quite obvious where they go so or maybe not actually if you don't know where the user profile directs to so let's have a look at that shall we so if we go env user user p that's just here on my c drive users and then les j which is my folder so we go back here c users there's j asp.net https and you can see here coffee api and t api and this is the certificate from the previous video it's still hanging around all right fantastic so that's what certificates created the next thing we need to do to actually use these certificates is uh create a user secret in both applications when we come to reading in our certificate for use so let's do that now all right so user secret so let's just close this down now user secrets basically very quickly are a way for developers to store away sensitive information like passwords into a file called secrets.json that is protected by your file system so nobody else can get access to it other than you or whoever is logged in as you to your machine so it keeps development secrets secure and it's read in via the net core config api so that whatever is in there is available to your application it's pretty much as simple as that so though the thing we need to do first is to come over to we need to set up in both our coffee api and our t api we need to come over to the cs proj file for each one and we need to specify a user secrets id tag within our property group let's just copy that and paste that and we'll just make sure you terminate it with a backslash now what you need to put in here is just a unique id that's all and each project has their own folder area where the user secrets or the secrets json file sets so we just need to make sure there's a unique id in there i use a tool called insert guide here it's just a plugin for visual studio so if you want to install it just go actually let me show you very quickly go here type insert good and you can see it comes up i've already got it installed it's free i only ever use it for user secrets but you can generate goods any way you like or a unique id any way you like don't really mind but this needs to be unique to you so to use insert good i please place my cursor between these two tags hit f1 it's already selected and then it just generates some random goods for you fantastic now i'm just going to prefix this with coffee api just to help me distinguish it from all the other user secrets i'm using that's pretty much it really as far as the cs proj file goes so let's go back to our t api let's minimize that saved and come to t api cs proj file again user secrets id secrets i'm just making sure uh i wasn't doing a forest gump impression that is like a box of chocolates use the secrets uh user secrets um and then we just uh yeah i won't ever do that again that was that was terrible insert good select or good and then we can just put t api in here fantastic okay so coffee api put our user secrets tagging t api we put our user secrets tagging wonderful next thing we need to do for both of these is we need to actually create our user secret for both so let's we're in our t api project at the moment so doing a quick listing down here we can see where is it t api cs proj cool so we'll create a user secret for our t api now and the way you do that again is.net user secrets set and then it's just a key value pair so the key will be you'll see what that is in a second and then the value will be whatever password you used for the t api certificate so p a s s w o r d now insofar as the the key is concerned the key value we can kind of provide something in that's quite cool and it's just uh it's almost like a path that kestrel understands and when you pass it in via well user secrets or any of the config sources that you have in dot net core it will know instinctively instinctively absolutely what the value is in relation to so you don't need to mess around with actually coding in this is the password for our development certificate by providing in a very uh very clear obvious key path like this what that what that happens is when the configuration api reads us in it will pass this through to kestrel so kestrel certificates development password so it knows that this value is as it says there a development certificate password and it negates the need to do all sorts of coding and setting stuff up um within your program file or anything like that which i have done previously so it's a really nice way of kind of avoiding writing code okay so we're in our t api project folder and what this user secrets and command will do basically check to see that we have like a user secrets tag in the project file so that it can then create the secrets json file so i'll go off and do that fantastic and let's just move into our coffee api cd coffee coffee and we just do up key up key up key and do exactly the same thing we're going to create the same user secret um for our coffee api fantastic so let's go and see where they are we go in here and go into c drive it is in users there's j app data yeah so just make sure you have hidden items selected otherwise you won't see app data roaming microsoft user secrets and then this is what i was talking about you know i've got a few projects as i'm sure you will do as well and you know you'll have if you're using user secrets for all of them if you're just using goods it will get very difficult to read so what i've started doing is actually putting in um naming conventions here now you can see i have one here which i think must be for one of the test ones i've been using which is fine so um these are the two that i'm after here and if you go in and have a look and open one up you'll see what it looks like it's pretty simple there you go it's just a very simple json file it's not encrypted and we have the key which is this nice long verbose path effectively to our development password cool all right so i think with that we are now ready to package these up as docker images and run them and make sure that we have https enabled so let's give that a go now all right so now we want to basically package up both our apis as docker images and then run them as containers or ultimately as we're going to be doing running run them as services because we're going to jump straight to using docker compose i'm not going to use the docker cli to do this i'm just going to jump straight into creating a docker compose file you will thank me later uh i can assure you so if you if you're not too sure about what's the difference between doc i'm using the docker cli to do this and using docker compose then watch my last video docker compose we basically just specify yes or services effectively and we'll have three services we'll have both our apis and then we'll have our envoy or envoy um api gateway service that we'll specify in our docker compose file as well but we'll come on to that a bit later let's just get our apis up and running so uh docker compose yaml it's a yaml file fantastic and then we just start writing our yama file now i'll do this for the first api i'll copy and paste it for the second one all right so s5 version pretty much give it anything you like and then we just start specifying your services now the first service we're going to do is our coffee api i suggest you give this the same name as the assembly of your api in this case it doesn't need to be capitalized or anything but do give it the same name and the same name as the certificate as well and then we just specify a number of parameters under it now the main reason we're doing this is if we want well we want to run all these containers at the same time um but also because we want to use https within our containers we do need a bit of config and it's just much nicer to do it this way so the first thing you can either specify an image if you're just using a static image then you would just specify an image here but we're going to be using our our own bespoke code so we're going to specify the location of our docker file because we're going to use our compose file to build up using our docker file and build up our images so specify the build path to that and then you basically just specify where it can find the docker file for our coffee api so it's within the coffee api folder coffee api forward slash that's all you need to provide there and then we specify some ports and it's an array of ports so the first port will specify as the external port can be anything but we'll use 8080 and it maps to the internal http port of our container and then likewise for https we'll use 8081 and it will map to 443 which is the default https port we need to specify some environment flags environment okay now actually i might actually copy these over because i think it's just a bit boring to watch me type i'll take you through what they are though so three environment variables we need to tell our docker container and ultimately our kestrel web server that we want to listen on https and http it's kind of similar to what you would do in launch settings json but similar so we're saying yep for as panet core urls we require https and http we want a https port to be 8081 for this container and make sure it is the same as the port you specify here and then we're specifying our environment as development and then we need to specify some volumes so again i'm going to copy that over and i'll explain them if i type it in um i'm more than likely going to make a horrible mistake so i'm not going to do that so basically what we're seeing here and this is where the user secrets and the certificate come into play for this one here we are saying use the app data variable and if you want to see what that is it's just in powershell env app data that's just c users there's j app data roaming then microsoft user secret so find our user secrets file there for our coffee api and again that's where this comes into play and is important and then we just copy it to a location within the container and then likewise for the actual certificate itself it uses the user profile and it finds our certificate for our coffee api and i've just noticed i've spelt that wrong so that did not work there you go cool and that's basically it so that should work so if we save that and we make sure that we are in the right folder to do a listing so we're in the docker compose we can see docker components and we do docker compose up and we specify the build flag that will go away and it will build our coffee api image for us and run it up using docker compose so let's cross our fingers now it might take a while actually if we pop over here yes it will take a while so it's going into our docker file and let me show you the docker file it gives me an opportunity to explain it to you because i feel a bit rotten that i didn't do that um so yeah basically it's going away and it's stepping through this docker file for our coffee api and it's pulling down this first image it's been back over here so you can see what's happening it's pulling over the pulling down the sdk image because i don't have any locally and then it's just going to step through the rest of the steps which is basically to perform a restore on our project file and then it's going to do a.net publish to kind of build the whole thing using the sdk then because we don't want to have a runtime that has all the sdk stuff in it we pull down a second image and do this multi-part build where we use the runtime image to provide produce a runtime image that's a lot leaner and smaller so you can see here it's pulled down that image it's now here available for us to use so if we run this again and we will do it again it'll be much quicker we're not pulling down these images now obviously it will do a check at some point in time to make sure that the image is not out of date or whatever so it's running through here and then it's probably going to run down and it's going to yeah step 7 i presume is yeah it's pulling down this runtime image coming down quite quick um so yeah let's just let's just let that finish and then obviously finally we specify this entry point so docker knows what to start when we start the container running so we have our two base images pulled down and cached for future use and yeah there you go so it's just started up our coffee api it's running it as a container it's kind of giving it its own name we have an image now as well that we've just built and you can see down here that we are listening on port 443 and port 80 on any ip address so what that means if we go over here and this was if you remember this was our previous local running example we're now running in docker what we need to specify is if we come back over here we need to specify either one of these ports these are the external ports that we can access from our desktop these ports here 80 and 443 are internal to the docker container so let's try uh 8080 and see what happens and we need to make sure we change this to coffee [Applause] connection is not secure maybe because we still get https let's take that out fantastic give that a go that's better so what's happened is it's redirected so if you come back over to our code you'll probably remember that https redirection is on by default so what's happened there is we've attempted to use the http port it's been successful but we've then redirected to https um on 443 and you can see here we're using port 8081 and everything's secure and everything's working well we can just refresh that just to allay your fears are just to double check if we if we did i don't know i did that if we put in not 80 if we put in 443 for example it will just we'll just get an error that that port is not available to us it's only available internally and you'll see how that manifests later when we come on to using the envoy gateway or the envoy gateway cool all right so that's excellent so we control c that will bring down it should bring them there you go brings down our coffee api it stops it so all we need to do then really is do a bit of a cut and paste i'm sure you don't mind now you've seen how it works we'll have to make some minor adjustments to get it all working but we will copy it from here and then we will and this is where you've got to be really careful with yaml files you've got to make sure that you've got everything lined up correctly so we've got service one is basically coffee api with our credentials we're now specifying our t api service now we just need to make sure that we update these things as appropriate now these ports will stay exactly the same the internal ports are internal so they don't change but we can change these so we'll change this to 8082 and 8083 so 8082 for regular old http and 83 for 8083 for https and make sure you update that one as well and i think everything is the same now again these don't change because we know um we've got the tag the user secrets tag in our project files so it can find this stuff without having to do any other config wonderful i think that looks okay so let's save that off and then all we'll do again we'll do another docker compose build because we want to build our t or t api now this should be really quick because we've already got our base images so it doesn't need to pull them down let's go away it's building coffee api cool and that's really quick i was building t api and it should be equally as quick to be honest with you and unless we've made some horrible mistake there we go so they're both up and running two apis are running coffee api is up and running and you can see here you know nicely color coded uh differently ports are exactly the same four four three four four three eighty but the external ports are different so let's just pop over here and let's change the controller name to t let's change it to regular http and what was it 8082 80 8082 and that should redirect us and indeed it does to https port 8083 and we've got english breakfast chamomile peppermint english breakfast i'm trying to get oh my goodness did i put there we go oh great that's what i'm drinking right now so cheers um i'm gonna have a little drink of tea rest my throat i'm gonna come back and i'm gonna take you through the more exciting stuff which is envoy okay so back over on our project i'm just gonna do a ctrl c to kill our running containers clear the screen now just one thing i think i neglected to mention when i created the docker compose file and i'm probably stating the obvious but i just wanted to clarify yes the docker compose file should sit above the t and coffee apis it's a kind of root of our solution so just wanted to call that out i don't think i made that clear so uh yeah that's point number one point number two is we're going to come on to yeah configuring up envoy now and then the vast majority of that's going to be done within the envoy yaml file now viewers of my channel people have not been here before and what i usually like to do is type stuff out i don't like cutting and pasting however roles are there to be broken and in this instance given the nature of yaml files generally and the fact that they can be quite particular about white space and also the length of these yaml files they get quite verbose to be honest with you for me to type it out you don't want to watch me do that even if i sped up and put music over it you do not want to watch me do that so i felt um i'll copy and paste it but i will explain it as we go now if i make any minor tweaks or changes then i'll of course type that in but generally speaking as a baseline i'm going to be cutting and pasting stuff so hopefully that's a you know my explaining afterwards is a suitable compromise okay so the first thing we want to do is create a new folder called envoy for our envoy config and the first thing we need to do inside that is create a docker file so we're just going to do this step by step i'm not going to use docker compose just yet park docker compose for a minute we're just going to use docker file stand up our envoy gateway with a default config and make sure it all works okay and then we'll fold it into docker compose and then i'm going to fall off my seat here then we're going to actually do our config that will route to our apis okay so layering up bit by bit so the first step docker file and i'm actually going to start my cutting and pasting um endeavors i'm just going to copy this so i could probably type this out but again probably something to do it this way so we're just specifying the build image in this case it's inboy uh envoy from envoy proxy and i've specified a version here because um well i've designed this tutorial around this particular version so unlike with the docker files for our apis we're not building from source code we're just pulling down an image and we can adapt this as we need to when we move over to docker compose now the only other thing we need to do in our docker file is copy the envoy yaml file which does not exist yet but we'll in a second over to our image when we build up so we're going to run the do a docker build build our envoy image with this config is basically what we're going to do next [Applause] all right so copy envoy ammo which we'll put in here as well and we'll copy it over to this location cool so save that off and then we'll create our envoy uh yaml file here i probably should put a counter on screen every time i say envoy yaml because i'm going to say it quite a few times i've got a feeling uh through the course of this tutorial so um be prepared envoyamo uh is going to be mentioned quite a lot okay make sure to named it right okay perfect so where we're going to get our envoy yaml file from is if you move over to the enviro envoy documentation they have a quote of course of a getting started section and here they have a quick start and here they say we have a very minimal note those words very minimal envoy configuration that can be used to validate basic plain http proxy which is perfect for what we want so i'll open that in a new tab and that's just in github and i'm just going to copy this and i think it's 55 or so like 55 lines there you go i'm sure you would not want to see me type that in i certainly don't want to type it in so even if you did want to see me do it i'm not going to so we'll save that off now before we build our image i'm just going to change this ip address to any ip address 0 000 i'm not going to go through all of this but before we build i'll take you through a couple of things but before that maybe take a quick look at just to refresh um how envoy works you'll start with a listener a listener will have a filter and then filters have routes or routes depending on what part of the world you live in and then those roots basically map down to a cluster and the clusters can have multiple endpoints basically it so up here we have our first listener but it's really a special case listener it's an admin interface um on port 991 9901 excuse me and i'll show you that when we run it up and then we have our actual proper listeners which are listed as static resources you can have dynamic resources which we're not going to cover today which are and basically this con big is built dynamically we're just specifying it in a very simple static way and we have at this point in time one listener listening on any ip address on port 10000 okay and we'll come on to what it's doing below in a minute but let's for now make sure everything is saved let's move into our envoy folder and let me bring up this uh yeah docker plugin so you can see here we do not have a envoy image here so quick directory listing make sure you can see your docker file and do a docker build and then we'll tag it we'll give it a name envoy gateway and don't forget your build context so we're going to do a build using this docker file it's going to pull this image down and move our config into the image and we'll then run up when that's done okay so that was a super quick super quick actually anyway so you can see here that we have our base build image envoy from envoy proxy and then our actual image our envelope gateway which includes our config fantastic so coming back to the envoy yaml file we're going to run this up just using the docker cli we have two ports that we want to expose basically so let's do clear the screen and we'll do a docker run specify our first port now we're just going to use the same external port to internal port mapping so 9901 to 9901 and then we'll do one likewise for port 10000 which is our main http listener and then we just specify specify the name of our image in the boy gateway that's right okay and find out if it's not okay so it's run up our envoy gateway it's got a little green triangle now just a couple of uh observations if you've done anything wrong in your yaml file and i have frequently done lots of stuff wrong in my envoy ammo file what you'll probably find is that the container will run up and then it'll just crash and it will just be you won't see it running it will be stopped okay so that's a surefire sign you've done something wrong the other thing i've noticed is which is kind of a bit counterintuitive the more verbose you kind of have the more verbose messaging you kind of have here the healthier is i found out whenever i've the other situation i've had is i've run up the gateway it stays running and i'm thinking oh it's all cool it's all working really well but it's not there's something wrong that tends to manifest by a reduced amount of output that you can see here so just a couple of tips they're just my observations you might have a different experience but just a couple of tips for you so check that it's running it's not running you get an error if it is running just have a quick look at the verbosity of the output and if it's really only got a few lines of output when it runs up it's probably something not quite right okay so let's take a quick look at what we've got so we will move over and go to localhost and we will look at our admin interface which i'm not going to do too much with today but it's a good um test to make sure everything's up and running and you can just look at your clusters which we'll come on to in a bit you are listeners which is uh this one listener there cool um and then you can do a lot of really cool stuff like export your stats um which is basically just a lot of data into a tool called prometheus which is like a data aggregation tool and have dashboards and it gets really pretty cool actually so um i'll put a link to a really good video guided on taking stats out into prometheus it's really good so that's just our admin interface now going back to our yaml file we had one main listener which you know this is pretty obvious stuff listening in any address listening on port 10 000 there's quite a lot of fluff here but ultimately coming back to our diagram it's all necessary fluff isn't add we define a filter and then we define a route within the filter or multiple boats so here and you can have multiple filters as well obviously so you have a filter chain which can have multiple filters we only have one at this stage uh you give it a name it needs a type the type is basically just specifying what type of traffic it should be looking for um talking about stats here's something called the stat prefix so when you export stats out it will be prefixed in this instance with something called ingress http which you can use to report on all that kind of stuff and then we have our routing config and then you can name excuse me or have a number of routes so you create this virtual host tag which is basically the kind of key central aspect to specifying a number of routes just give it a name i don't think it does anything in particular and then you can specify the domains to filter on um this stuff gets it just blows up to be honest with you and you can do loads of stuff with it so this is really basic this is just kind of looking for all domains and then we specify one route so we're just going to match anything basically and we will come in when we come to routing to our apis we'll change this to look for specific um patterns and we will route off to our respective api so this is the stuff we're going to change but for this one this is just the default simple stuff and then ultimately the route that's being specified we're matching anything we're going to do a rewrite to google.com and then we map to this route to this cluster so coming back here you can see here it's really the route that maps maybe we bring this up it's the route that really maps to the cluster and then the cluster has a number of endpoints that have an address and a port so if we come back over here this is our route and it's mapping to this cluster down here so again here's our cluster definition and ultimately it jumps down to this cluster name here service google so you can see here service google maps to service google so it comes down here there's a whole hierarchy of endpoint definitions and this is where you can do load balancing and stuff like that we're not going to do that today but ultimately you end up down at an address and you specify where you want to route through to and we're going to route through to google.com on port 443 which is you probably is the https default port for using https then you have to specify this transport socket which is tls effectively cool so that's a very high level what everything is doing there we'll go through in a bit more detail when we come to doing our own config but let's test it out so what we should see is we're listening on any ip address we're listening on port ten thousand we are looking for basically any any prefix and then we're gonna route to google so let's come back over here let's go to port ten thousand and hit enter there you go so just routes off to google so not hugely impressive however it does work fantastic so the next thing we're going to do is we're now going to fold this default config into our docker compose so we can do a docker compose up and everything will come up together and then the main part of the tutorial is going to be then going back into envoy yaml and and editing it and updating it so that we can start to route to our apis okay so we want to move what we've done by and large from docker a docker file into docker compose basically so that when we we can start everything up together and we also get the benefits of the networking that comes with docker compose so let's just close down or kill our gateway by doing a right-click stop now if you uh if you're not using this plugin which i would really suggest you do use then please do a docker ps that will list your running containers and then just do a docker stop and copy the container id okay if you're not using this plugin i highly recommend it okay so we want to move over to back over to our docker compose file and we want to just essentially add a new service into here which will be our envoy gateway so i'm going to move it to the top just because revisiting our i should call it architecture it's kind of at the front end so i'm just it doesn't really matter where you put it to be honest with you it's just more my ocd kicking in so we'll give it a name service name envoy gateway seems like a good option and like we did with the apis we can specify a build location for the docker file now what you could do instead of specifying a docker file is you can just specify the envoy image in here and we could pretty much do away with the docker file altogether but i'm going to keep the docker file just in case i ever need to move back to and i want to use it in isolation so i'm going to do it that way anyhow but you could if you wanted just specify the image in here but we're gonna as i say go with this approach so envoy forward slash will take us into here and we'll use the dockerfile fantastic next we want to specify our ports that we want to be using so ports now it kind of follows a very similar pattern to what we have done here and we'll just specify 9012901 and we'll specify ten thousand to ten thousand and then finally we will specify volumes and this is where we will read in our envoy yaml file now what i'm going to do is i'm just going to copy from some config i have over here okay i'll just rename that as envoy there we go so basically we're going to copy from envoy and boy yeah thing and copy across to here now what we can do is we can just comment this out with a pound sign so all really all our docker file contains is the name of the image that we want and we'll see we could move that into here if you want and if you want to do that feel free i'm just leaving my docker file there all right so i think that's i think that's all we need to do to move it into docker compose mats uh let's run it up and we'll see how we go on so i'm gonna move over here i'm gonna kill all these and we're gonna do a docker actually clear the screen just to make it nice and clear docker actually needs to come out into the docker compose file so make sure yep you're in the correct folder but you can see your docker compose file and it's docker compose up i'm going to start specify the build flag and you can see it's actually going away in building or envoy gateway because even though we built it at the command line using docker when we're using docker compose it will build it in for a in its own image as its own image there we go so let's see what we've got so we've got all three things up and running and you can see here this is what i really like about uh docker composable and colour code the things differently you can see here we've got quite a lot of verbose output there really should be no difference uh we're just running it in docker compose that's all and all three of our services are now up and running and potentially networked together which is good so let's just check that that isn't indeed the case and it's still working let's just check our admin port that's all working cool so we're in docker compose now now we're going to move on to go back to the yaml file and uh we're going to start routing to our apis all right so now we're going to come on to the main part of today's tutorial which is to deep dive into the envoy yaml file and make some changes and and do some routing and do some other bits and pieces as well so first off let me just uh kill these running containers for the moment now yeah just stepping back i think for the most part we're going to just be really concentrating in the envoy yaml file we'll make a couple of additional in fact just one additional change to the uh the docker compose file when we come on to working with https but for now uh we're really just in the in my yaml file so let's start with what we're going to look at which is a routing to our apis so we'll end up with a client which will just be a web browser we have envoy there are two apis we've got all that but what we're going to add now is when a client makes a request to enboy uh we're going to route off to the correct api now we're going to do that based on like a url pattern so the client still needs to know that it needs the coffee api of course in this instance and it will form a url as such and then envoy will intercept that url look at the pattern and then go ah this is the coffee api or this one needs to go to the t api so on and so forth so that's what we're going to do now and we're going to work within the yaml file so let's set up our coffee api first routing to our coffee api first and we're just going to be using https sorry http ht plain old http the last few videos i've done have been on https so i'm so used to saying https but we're just doing plain old http all right so we're really going to repurpose most of the config that we already have now we're going to come down and just look at our listener so this is not going to change we're still going to listen on port 10 000 on any ip address we're still going to be using http and that's all fine so really where we're going to make our changes is to this route here okay or this is our collection of routes and we're going to make a change to this particular matching uh section here so rather than just looking at any prefix we're going to look for anything that starts with you can put anything you like here obviously but for our purposes we're going to use a short code of c for coffee so any time we get a requesting on any domain with a forward slash c so we're not going to do a host rewrite we are going to do a prefix rewrite and what we're going to do is we're going to rewrite it with the name of our actual uh controller which in this case is coffee okay so anytime we get a c find a forward slash c we're gonna uh do a rewrite or a prefix to coffee and we're gonna direct off to our and we'll call this uh service coffee really should be coffee service shouldn't i prefer that okay and we'll have to change that down below so just coming back to how uh envoy works just to refresh you one more time we're not changing our listener in this case and that port is 10 000 in our instance um we're not really changing our filters as such we are changing the the routing attributes and we will need to come down to our cluster next and make the necessary changes down there let me just change this to uh ten thousands just to come back it just makes it um more consistent so the first thing we want to do is update the name of our cluster so if we come down here it was called service google i'm gonna copy it and rename it coffee service and here as well okay and it's actually this name here that actually looks for actually matches on now just before we come down to that you can see here at the cluster level there are some other things you can set such as connection timeouts you can set retries and you can see here that there's a load balancing policy as well so we could have two coffee two instances or a copy api running and load balance between them and all that stuff but we're just doing fairly simple straightforward routing so when we come down here this is the main thing the address that we want to update um taking a quick step back this is where docker compose is really useful but this is where you have to know a little bit about docker compose networking so we've set up our coffee api service here and we've mapped these external ports to these internal ports now the external port mappings are there purely for me and for you to go in from your desktop and make sure the coffee api is working from a docker compose perspective all these containers are now networked together but the port that they have access to is not this external port the port they actually have access to are these internal ports so when we come over to our envoy ammo because the envoy proxy is running in a container and it wants to talk to our api container the port that we specify here for http is port 80. okay now that caught me out and if you um i've not done a lot docker compose stuff a lot of docker stuff the networking stuff will trip you up and just as a fyi if anything is going to trip you up if anything's not going to work here it's going to be down here more than likely it's going to be with the end point networking now the other only other thing with any update is this address so we're not wanting to write to google we're wanting to route to our coffee api so what do we put here um if you want to put localhost you can try and do that but that will not work so i actually ran into that um issue when i was testing this and developing this particular video i had my apis running natively i didn't have them running in containers and i used localhost and the thing didn't work doesn't like localhost and that's why i ended up making another video about custom domains and stuff like that anyway another lovely advantage of docker compose is that we don't need to worry about that we can just simply use the service name and because all these containers are running within docker compose anytime a container references service name docker compose does some nice translation for us and translates it into an ip address so that's not what we want we want to put in coffee api okay fantastic now the only other thing we want to take out for now is this the transport socket because this is not running over https it's just http and you will get an error if you leave that in and that's another bit of a gotcha i've left that in before and it it won't route go figure makes sense still really so i'm going to take this out as well because we don't want to keep that there fantastic so let's just refresh what we've done we've kept our listener the same on port 10 000 we've kept most of our filtering stuff the same but when we've come down to our routes and matching for you know patterns we have updated that so we're going to look for anything with a prefix of c and we're going to route it to our coffee service but before we do that we're going to rewrite the prefix to what we actually want and then we're going to route it to this endpoint and because we're running in docker compose we can simply specify the service name now the beautiful thing now with docker compose is we simply do a docker compose up and build just to rebuild everything and we'll test it to see if it works so again if you get any errors the chances are it's going to be down at this point here okay so are we going everything is green let's see how we're gonna go on so let's go back over here now we want to go yes to our envoy gateway but this time we want to provide uh forward slash c and it should hopefully there we go go over to our uh end point and it's serving up as a serving as up in americano very nice i could do with one of those right now now you can see what's actually happened though because we've still got https redirection uh within our api has redirected and you can actually see the actual um address of our api it's kind of rerouted now when we introduce https into envoy that wouldn't happen so we'll come back and we'll deal with that in a bit so that's our first bit of routing done so we're now going to embolden ourselves and we're going to add in our t api again just using https not https http and then the final part of the video we'll explore https a little bit as well so kill that for the moment and we'll come back up here now again we're just going to listen on our port 10000 and all we're really going to do is add some new stuff in here so as you can probably tell it's this stuff here that we just need to duplicate so again with yaml anything with a dash is kind of like a multiple array type item so we can have multiple routes or routes so let's just copy this and this is where you've got to be really really really careful with your indentation and this time we're just going to put t and here we're just going to put t and then here we're going to change that to t now we obviously don't have a t cluster we need to add that in so again you just sort of build this up you layer this up and it you know it becomes quite straightforward so i'm just going to basically copy all of this again you can see that you know we have you know an array element here so we're just going to copy this and by and large we can copy it down you just have to rename these things here i do appreciate i could do a find and replace but um i'm missing typing i don't like cutting and pasting and then let's just jump over to our docker compose to make sure we have the right name yep t apm cool let's copy that and we'll put that in here and again same internal port where we're using port 80 internally what we weren't doctors using port 80 internally with our t api so that's fine same port so we'll save that off and let's run that up see what we get everything's running now i do appreciate that we're only changing this yaml file we don't really need to rebuild the other containers but it's so quick that you know it just saved us some hassle so let's go we have to change this a little bit let's go back to http because we're going on that at the moment uh localhost ten thousand and let's try forward slash t and there you go we're getting routed through to our t api and it's doing the same thing it's redirecting us to https now because our envoy gateway isn't dealing with https at the moment um we just get a plain reroute which is which is okay fantastic okay so that's very simple routing and you can see how you could potentially build that out to become more i don't know more complicated but for now that's that's what we're going to do with routing and then the final thing we're going to want to do is actually configure the envoy gateway to use a local certificate um so it can deal with https termination and all that kind of stuff so we'll do that we'll do that next all right so we're going to move on to looking at https a little bit now um now what i'm going to do is i'm just going to show you uh last powerpoint of the day should be pleased to to find out but um actually you know what i i like to visualize stuff so i find diagrams are quite useful when it when trying to explain stuff so what we're going to do now is we're going to you have our client and we're going to configure envoy for https which we've not been doing as yet we've just been going uh with a http request so what we're going to do is we're going to configure our 1001 endpoint our listener with an envoy to basically be our https um endpoint for envoy as part of that we will need to set up our self-signed development certificate for envoy and we'll put that into the envoy yaml file and then the two scenarios we're going to have we're going to our pr t old api we're going to disable https redirect still going to have a https endpoint we're just going to turn off the redirection stuff and then what we're going to do is we'll just get envoy to route to it on http so this what you can kind of see on screen here this kind of idea is called tls termination or https termination now the idea is that your envoy gateway is kind of public facing and so clients public clients should be using https but once you become once you get your kind of internal domain then it's okay to use just plain old http to talk to your backend services now you know you'll see that used personally i don't like that i feel everything now i'm an advocate i'm a i'm a convert i think everything should be https yes there's a little bit more overhead involved but um i don't like that but i'm showing you enemy because it's definitely a config that you'll see and people will will advocate for this setup and that's fine there are advantages to it but for me i don't like it but nonetheless you'll see it and then we're going to retain um our good old coffee api is going to stay with http https redirection turned on and we're going to then actually create a new um cluster that will use https to coffee api so client will talk https to envoy and envoy will talk https to coffee api which is thumbs up for me my preferred approach but you will also see the other approach the first approach that i've shown you so the first thing we'll do is we'll turn off https redirection in the t api we'll then create our certificate for envoy and we'll add that into envoy and then we'll add our new cluster to envoy as well so that we can talk to the coffee api so i think with that we'll get we'll get started all right so let me just take this down let me just uh kill that off to stop our running containers and yes the next thing we want to do is we want to basically turn off https redirection on our t api so we're coming over here open up t api into startup and then just comment this out now we still have a https endpoint obviously we're not taking that out altogether but we're just not redirecting when we make a http call excuse me all right so that's saved off um i did lie when i said we weren't updating any other code hopefully you can forgive me though but i think that will be it for now but don't don't hold me to that so let's close that down now the next thing we need to do is create a certificate for envoy to use because coming back to well yeah we just went through it but coming back we need a certificate in order that it can talk https now unfortunately it's not as simple as doing dot net dev search like we did for the apis we need to use a tool called openssl which is i suppose a linux based tool for amongst other things creating self-signed certificates um so we need to make use of that so for windows the windows users out there you've got a couple of options if you have gets bash installed which will more than likely be installed when you installed git and if you accepted the install defaults you will have open ssl installed so you can use that or of course you can just google google it and download the binary or as i'm going to do i'm going to use um my version of ubuntu running on windows which is running on this wsl system windows subsystem for linux which is rather nice so i'm going to use that and i've opened ssl available to me from here so the first thing i'm going to do is open an explorer window which is quite cool so explorer x8 dot will open up windows explorer and it will take you to this network location where it gives you access to the linux file system which is really really nice so let's just minimize that for a minute uh no we know what we want we'll actually we'll re-maximize it because the first thing i need to do by way of creating a certificate is to create a bit of a config file which tells openssl how we want to create our certificate so new uh text document and we'll just call it https dots and we'll call it config okay i'll probably get a warning we do let's just open that in vs code so again it's really quite cool you can open files from this linux subsystem in in code now no surprises when you see this i'm just going to cut and paste it in so again the code is on github i'll make sure i put this up here as well and you can just use this now what you can see here is this is another project i was working on so we'll change that to localhost and we'll change this to localhost as well that's the domain that we are wanting to self sign our certificate for so common name localhost subject alt name localhost let's save that off these other um things here which maybe don't make a lot of sense are basically just the features that we want our certificate to have um i'm not going to go into that here so let's close that and i'm being the paranoid person i'm just going to reopen it to make sure that it took the changes and indeed it does okay perfect so the next thing we want to do is go back to our wsl session or ubuntu session we do a quick directory listing we should see the https config file there and so the first thing we want to do and i'm just going to copy this command over why ruin the habit of a lifetime is create our private key so open ssl well i'm not going to vote going to bother reading it out but we basically read in our uh our config file and then we generate out this csr batch we generate our key dot pen file so we do a directory listing we get a key pen file and the csr pen file as well and the key pen file is the one that we want okay and then the last command that we need to run actually generates our certificate and it takes in the takes in the csr pen file and then it signs out this https crt certificate okay there we go so we do a quick listing and these are the two files we need this key pen file and this https crt file these are the two files that envoy needs to read in and then basically use https cool now come back over here uh do a bit of a refresh f5 we have these files so https crt and key pen i'm going to copy these now just in the interest of i we could put them in with our other certificates but i'm just going to not do that because i feel that they are asp.net certificates so i don't want to really want to mix them up so i'm just going to put them in the root of our envoy envoy folder so it makes it a bit easier to define the paths to read them in but you can put them anywhere really that you want that makes sense to you so i think we're done with that let's come into here and we can see we have these files now fantastic so the next thing we want to do is we want to basically read those files in via docker compose so well we're in docker compose now and we need to add a couple of new volumes to our envoy gateway service and again i'm going to copy these in from some config i have at the side for different projects to make sure i have the right folder name here so we're coming in from docker compose we're going into the envoy folder here and then we're grabbing https crt which is here and then we're grabbing a key.pem which is here and then we are just mapping them into these locations within our envoy container so don't forget to save that off now what we will do while we are here as well we'll just add our https port which is thousand one to ten thousand and one so we don't have to come back and do that separately okay now you can see here there's nothing that this denotes that that's a https port we do that in the envoy yaml file and then talking of envoy yaml in order to ingest these certificates we need to do that from within here so let's do that next okay so we want to move over to our envoy yaml file now and we want to add in our https listener that uses the certificates that or the certificate that we just created in the last step so going back here we have our listeners section under static resources and we have this existing listener listening on port 10000 called listener 0 and you can see again denoted by the little minus sign that this is an array element so i'm just going to copy this and we're going to copy that config down to here and i think i've put it in the right place but let me just double check it's got to be aligned under here yep that looks like it's in the right place cool all right so let's just before we do anything else save that and let's just rename it as listener one yep and we'll come down here and we'll give it a port of ten thousand and one and everything else we're going to keep exactly the same even the routing for the moment we're going to keep the same it's just going to look for exactly the same patterns and route off to the api endpoints using our existing clusters on port 80 so http all right so coming back up here but the one thing we do have to add in to this new listener listener one is we need to add in the paths to our two files now i hope you don't mind but i am going to copy that in again and i just need to make sure i put it under the name of this listener oh my goodness it gets really difficult to to see you need to put it under this element here i really dislike yaml and you're supposed to be here let me just see tls context under the name yes that looks correct all right now basically all this is doing as you can see here it just we're defining a tls certificate section first thing we need to provide is is the certificate chain which is this crt file and then we need to provide the private key which is in the pen file so let's save that off now just coming back to our powerpoint just to kind of go through what we're trying to achieve here okay in case you've lost the plot we're going to make a client request this time to envoy using https on port 1001 with our new certificate now we do actually have to do one more thing in order to trust this certificate and i'll take you through that in a second and then what's going to happen we're going to use our existing routing to http port 80 using our existing cluster to our t api now remember we've taken out https redirection so this is effectively tls termination we're making a https request to our gateway and it's just going to route to our api using http which i don't like but it's a use case we're going through and then the last thing in the video we'll do is we'll actually create a new cluster that you will use https but before we do any of that we do have to come do come back and do one last thing but before we do it i'm going to just demonstrate what is not going to work properly so everything's saved i think it's time to do a docker actually just do a listing to make sure we're in the right place yep so you can see your docker compose file docker compose up dash now just rebuild everything as you're probably quite familiar with now but it shouldn't take too long and what i'm going to do yeah that's okay let me kill that for the moment okay so everything hopefully should be green refresh it yep everything's green so let's open up um edge and we're going to go to https localhost and we're going this time to our port 1001 but we're still going to try and retrieve our t api so what you can see here is we're getting this error we're using https but we're getting this your connection is not secure now the reason for that is that we haven't done one final thing and you might be going what haven't we done what we haven't done is we haven't added our new certificate to our trusted roots in windows here in this instance so back into set manager and i know you'll probably still have questions but let me just do this first so over here entrusted root certification authorities we come down here you'll go well hang on we already have a local host certificate why isn't it trusting it great question this local host certificate was created by net devcerts and you can see here you know asp.net core blah blah blah as the friendly name that's cool but the local host certificate we created was done in openssl so it's a completely different certificate really now if you wanted to get everything using the same certificate you can do that you can use then use openssl to create a pfx file that we could then re-import here and then get everything else or net core stuff to use i'm not going to do that i just didn't feel it would add that much value so we're going to import a second localhost self-signed certificate that we created with openssl into here okay so uh very simple to do all tasks import next and we browse to where we need to find it so just to take you a step back into my season three directory episode six into envoy and then we have our https crt certificate there we go open that in next make sure trusted certification authorities is checked next finish that off and you always get a warning say yes to that import was successful let's come down here let's do a quick refresh although i can see it there let's refresh it here so you can see now we have two localhost certificate this one here with its friendly name excuse me is for our dot net core stuff this one here is for envoy okay now what should happen i'm going to kill this well let's try it again but i think we'll still get and not secure because the browser needs to be closed down and refreshed i think i might be pleasantly surprised no get the same things let's kill that let's refresh it and when it opens it will hopefully get our newly self-signed certificate so https localhost ten thousand one forward slash t there we go fantastic so we're still going to our t api but to all intents and purposes it looks like we're using https but when in fact we know that when we've got the data from a t api it's not redirecting to https we're just getting over a http connection so that's us kind of proved out this use case here okay so https termination now let's just take a look and see what happens when we go to our coffee api you can see yes it does go to a coffee api but interestingly if you go back here when we called when we called our t api via envoy and we retrieved we got errol grey back it retained the view that it's going through envoy when we go to our coffee api it doesn't still retrieves it brings it back but the url changes to the actual native https endpoint for a coffee api why is that it's because of this https redirection thing and it's because when we go into envoy yaml um yeah it's we're hitting this listener endpoint 1001 we're hitting uh this uh route here we're going down to coffee service yep and we're hitting the coffee api on port 80 and it's then redirecting now because we don't have a secure https or tls connection from our envoy cluster that's why we get that now if we add in a new cluster that uses port 443 let's see what we get is we won't get this kind of redirected url we'll just it will look uh similar to this okay because envoy's dealing with it within its config all right so let's do that now all right so what we want to do now and the last thing we're going to do in this video because my voice is about to give in let's do ctrl c to kill our running containers and back over in our beloved envoy yaml file you want to add a new cluster so under clusters we have coffee service which is going to port 80 we have t service which is going to port 80. what we want to do is we want to add a secure effectively a secure cluster for our coffee endpoint we could add one for tea but we're just going to do coffee and you can add a second one at your own leisure so in a similar way that we did with our listeners and stuff and also with our clusters we're going to copy this entire cluster config ctrl c and i'm going to put it under here and i'm going to call this secure coffee service and we're going to keep pretty much everything the same apart from this i'm going to copy this paste that in oops okay and down here we're still going to go to coffee api but this time coming back to our docker compose file if we go down to coffee api we're going to map to port 443 this time now we have one more thing to do now you'll remember that well you probably don't remember now but when we copied in the original config from the github site there was a section for the transport socket so we just need to add that back in here because we're using https so we're using tls so i'm just going to copy that over and i need to paste that under load assignment i need to paste that here okay horrible isn't it all right so transport socket uh give it a name we've got another one of these types so you can see here it's using tls version 3 and it then uses this sni um and it's specifying the local host which is effectively the domain that it wants to use cool so i think that should be actually it's not enough we have one more thing to do we need to come up to our secure listener and then what we're going to do if it's listening on https as a listener and we get a t flat or a tea flag a coffee flag rather than going to the coffee service [Music] we're going to go to the secure coffee service so we'll come back up here and go to this cluster instead cool all right so hopefully that made sense let's see if the diagram makes sense if we go and have a look at it on you hopefully you're following along you're not falling asleep yet so what we're going to do is we're going to do a client https to port 1001 it's going to go to envoy we're going to have the t route effectively not the t the c route for coffee we get that for the moment and then it's going to yeah use https to go to port 443 all right so i think that says yaml file is saved um let's uh let's give it another go so docker can pause up build to build and see how we go all right everything's up and running um yeah it looks okay fantastic so we're gonna go here and just to remind you what happened last time when we hit the 1001 endpoint via envoy it did take us there but it then redirected to our native uh coffee endpoint we're gonna change that now we'll try something different now and go to c endpoint and indeed it does bring it back but this time it doesn't redirect because we're using ht https based cluster all right uh i think we are done so it's time for some final thoughts all right so once again we reach the end of another quite long video um i hope you enjoyed it and i hope you you learned what you wanted to learn so in terms of my final thoughts you've got a few things bubbling around in my mind couple of things for me on envoy it's a huge area so we only scratched the surface of it today but hopefully what we did do today provide you with a nice launch pad or baseline in which to take your own projects forward for me the other couple of things i'll mention i would maybe want to explore another video where we adopt the sidecar pattern for envoy and use it to build a kind of service mesh so that's something i will think about maybe doing in the future the other thing i will say is for me the documentation on envoy is not that great it's weird it's a weird scenario for me the documentation on envoy it's documented there's a lot of documentation there but i don't know if it's just me but i just find it really circular or i can't kind of find out what i want to find out i find it quite frustrating so maybe it is just me um but i'd be interested in your thoughts on the envoy documentation as well other than that my binge is over it's a great product and uh you know i'm sure we'll be using and seeing more of it in the future so for now um thank you again for watching if you liked the video give it a like if you've not done so already um think about subscribing and you'll be notified of all the new stuff i put up if you don't want to do that that's fine i'm just really glad you watched the video that's what means the most to me so thank you and finally to my patreon supporters as usual your names are coming up now but until i see you next time take care and stay [Music] safe [Music] [Music] [Music] [Music] so you

Info

Channel: Les Jackson

Views: 65,581

Rating: undefined out of 5

Keywords:

Id: UsoH5cqE1OA

Channel Id: undefined

Length: 111min 27sec (6687 seconds)

Published: Sun Aug 16 2020