Traefik: A Scalable and Highly Available Edge Router by Damien Duportal

Captions
Hello everyone, happy to be here. Yeah, you look sleepy. Hey, come on, welcome to the Traefik talk about a scalable and highly available edge router. If you want to follow the slides you can take the barcode right now, you have 30 seconds, and then let's go. The slides are already online so you can see them after the talk as well. Okay, sounds good, let's go.

First of all, this is where you can find me on the Internet, just in case, but we don't really care. I'm currently working as a freelancer for Containous, the company behind the Traefik project. If you want to use the slides, it's not for right now. So Containous is a company that believes in open source and provides Traefik and support for Traefik; that's all one needs to make money.

So before jumping into the technical details I just want to start with the why: why did we build Traefik? So the evolution around software design is a bit of a cyclic history, always the same kind of trends, and then you change and you change. So the current trend is microservices. What microservices in software architectures bring, the premise was everyone happy, something clean, so you can focus on building applications providing value. However, everyone here knows what's up, and when you start a new architecture you start fighting: fighting the system, the other teams. You start running into trouble and shaving yaks, spending time on non-valuable things. So the main concern when dealing with that bunch of services is: where is located the service I want to reach? There are a lot of tools that have existed for years that provide facilities and features to deal with that. I am not going to have an exhaustive list; from containers to service mesh you have a bunch of tools, but we came to the realization that for each of these tools there was some complexity indeed. So that one is a common joke about YAML, which is a language for describing configuration that has its pros and cons; one of the pains is the tabulation. Today all these tools are using YAML, meaning you need to write configuration, so for each tool you need to go to the documentation, find the right element and iterate until you can do whatever you want. And for us, in the area of running the platform with an edge router or reverse proxy, you might have tried a lot of tools; each time you have to write configuration, configuration, and also it means it's quite static, or you need to start templating and doing stuff you don't want to deal with. That's the reason why we built Traefik: we wanted something simple. It might not cover all use cases, of course, but the goal is to stop wasting time on writing configuration; let Traefik deal with your application back-end system and focus on writing code and deploying that code in production. That's the idea.

Traefik itself, the project: it's an open source project that you can access for free. The source code is on GitHub, it's under the MIT license, it has a lot of stars, contributors, downloads. So of course it's not a project like Kubernetes, it's not that big, but it starts to be a sizeable project, and obviously it's open source so you can make it your own. You can contribute, from the documentation, the typo in the docs, to a new feature you would want to implement. It's not our project, it's your project as well. A tiny one that I like: you have an issue with Traefik; we even tied it deeply to the community: you just have to use the binary to create an issue on GitHub, so you don't have to search for where should I write my first issue; it will take care of everything on your machine. So the meaning is we trust the community, and without the community we would not be in the current state of the project.

So a bit of core concepts, the core concepts in Traefik: how does it work? I mean, it's a Tools-in-Action talk, right? So remember that big diagram? Yeah, so let's start simple, just to understand the concept before showing the code. So you have an external user that wants to enter your platform; that's what we call ingress in Kubernetes, because people want to reach your platform from the outside. So we are not talking about service-to-service communication, we are speaking about edge routing into a new platform. So you've got your external users that will use your external domain name, and Traefik will take care of passing the request to the right server, collection of servers, load balancer, whatever back-end system on your platform. This is the concept; we sometimes call this a reverse proxy.

Inside Traefik the main concept is a provider. Traefik needs to be fed with information about where is your application, or where are your applications, because we are in microservices, remember. So in that example we connect Traefik to a Docker daemon; it could be Docker Swarm, it could be Kubernetes, it could be Azure Service Fabric, Consul, and the list of providers is long enough to cover your needs. Once you have configured Traefik to listen to a provider, Traefik has the knowledge of which services come in, come out, scale up, scale down, whatever you do with your deployments. So that's the first concept: Traefik feeds itself with providers. Then the only thing you have to configure after the provider is the entry points, because that part cannot be automated; I mean, how can I know in advance the domain for your application? So that part you have to configure, at least the base host name, and you can also have the information for your certificate system; we'll see an example if you want to add authentication. So these rules are your rules; that's the only valuable part that you need to configure. On the other side we have the backends, so you don't have to take care of that; you can define them statically or with an API, but that's not the point. The point is Traefik already knows and watches, in that example, Docker: each time a new container with an application comes in, then it creates internally the knowledge for that application; it's a backend. So the backend can do load balancing; you can add canary-based or blue-green, a lot of different ways to send the request to the backend. So we have Traefik providers, the front that you configure for entering the platform, and backends, which are internal Traefik knowledge about your application inside your providers. Finally we have the concept of frontends, which link entry points and backends. So the frontends are configured automatically as well; this is where your routing rules are implemented. Once Traefik knows that you want to enter the platform with that path or based on that host, it will determine which backend to use. This is done automatically as well. So the only points you have to manage in Traefik are the provider configuration, I want to connect to Kubernetes, and the entry points. Traefik takes care of the rest.

Let's see that on a real-life request with a bit of dynamics. So you have your HTTP request entering your platform, so an entry point is listening, receives the request and determines which frontend we should delegate the request to. And then the frontend will say okay, I will apply a set of rules, I do the routing part, and finally I have to find the right backend to send my request to, and then the requests are forwarded to your back-end server. Once the response comes back, Traefik just gives the response to the requester. That's a reverse proxy. In practice, if you reach backoffice.domain.com, it's HTTP in that example, so it reaches port 80, then you have the routing system in the frontend that detects the host header: let's say okay, I need to send it to that backend, which corresponds to a Docker container, and the backend knows the private IP of the container, so it will send the request to that container. Obviously Traefik has a lot more features; we cannot cover everything in such a talk, and since it's a Tools-in-Action, let's see how it works.

So the first example is with Docker. Can you raise your hand if you are not at ease with Docker or Docker Compose? Okay, one person, sorry, I will try to keep it simple. So this is an example of Docker Compose in YAML syntax, where I declare, so that's Docker Compose for describing applications running on Docker. I need to create that application entry point which contains Traefik, and I configure Traefik with four flags. I tell him: listen to Docker, that's the provider we saw earlier, and I tell him by default the domain is mycompany.org; every application will be under that domain. I also want to configure HTTPS by default; we support Let's Encrypt out of the box, so in that case you don't have to care about certificates. Just add your credentials for Let's Encrypt, and once this application is started it will generate a certificate and install it. It will also take care of renewing it two weeks before the end of the certificate, so you don't have to care about requesting certificates and validating; Traefik is doing that for you. The last line, the volume, is just to provide a path for Traefik to access Docker. If you would have used, let's say, Azure Service Fabric, you would have had to put some variables with your credentials to let Traefik be able to request the API. That example is the most simple we can find; that works for a lot of cases. Obviously we can also provide a very long configuration file, internal formats, but that's not the point; it's for your advanced use cases.

Let's Encrypt: can you raise your hand if you're not at ease with Let's Encrypt? So it's a system where you can have free SSL certificates. The idea is that you request a certificate for a domain, and in order to get that certificate you need to prove to Let's Encrypt that you are the right person, just to be sure that no one else can get a certificate for your whole domain. So there are two main validation systems, by HTTP or by DNS. In the first case, in HTTP, Let's Encrypt says okay, you want a certificate for that domain, can you prove it by writing that token at that URL behind that domain? So you have to create a temporary text file on your web server, then Let's Encrypt will see: oh, I see the token, okay, so you're the person you claim to be, here is your certificate. It's free, it's backed by the Mozilla Foundation, a lot of big names, and it provides even wildcard certificates. The only thing is that all certificates are only valid for three months, for a good reason, because they provide you a way to automate those requests. So that's why we integrated that in Traefik; you don't have to care about renewing certificates anymore. The second validation is based on DNS: you just have to add the entry in your DNS name to prove that you're the owner, and Traefik automates both of these verifications. If you have an automated DNS provider like AWS Route 53, you just have to add your credentials and Traefik will add and clean up everything in the DNS. So again you don't have to care about this; just configure Traefik one time, and then certificates for everyone.

So now we have Traefik configured to listen to Docker, and Traefik is also configured to provide HTTPS by default, so we can start a simple web server; that's the most simple. So here is nginx, which is a web server, and you just need to configure it using labels. So the idea in Traefik is that the developer in charge of starting the application will know the right information; in that case the website is www, see the label, and once you start this container Traefik will gain knowledge and start routing to that application. Remember we configured the default domain mycompany.org, so all requests coming to mycompany.org will still be not-found pages, because here we configured www, so we configured the simple subdomain. We could configure whatever we want for whatever application. WebSocket is built in out of the box, so you can have whatever WebSocket application; it just routes correctly. It's an HTTP protocol, so it works. In that case that's a nice application to provide a web terminal, if you don't want to deal with the cmd or bash of your users, and it's running inside the container and you can use whatever web browser, even a tablet, to access it.

Another context: I used to work for CloudBees and I'm at ease with Jenkins, so in that case Jenkins is an application you can configure to answer requests when they come in on /jenkins. So in that case, if you access mycompany.org, with two labels we say to Traefik: hey, everything coming on /jenkins on the default domain, send it as is to the backend corresponding to the container. We also had to manage multi-port: by default Jenkins exposes two ports, one for HTTP and one for the agents, so in that case you have to tell Traefik: hey, you have two ports. It's automated, you remember, so you have to explain which port is the one you want to route the application to, because it cannot know in advance. An example with a rewrite: so in that case it's an application serving requests on localhost:3000/ and nothing else, so I changed the rule compared to Jenkins; it's not PathPrefix but PathPrefixStrip. So in that case Traefik receives the request on mycompany.org/gitserver, removes the /gitserver and sends the request to the backend. So this is the simple one; you could also add custom rules and a lot more configuration, but here I already covered, let's say, 60% of the use cases just with a few labels. Same example here, Gitea, a git server that you can run locally, a local GitHub, and it contains two ports, one for git in HTTP or HTTPS, the one we are using, 3000, but you also have SSH. So we want to tell Traefik: don't route the HTTP request to SSH, which does not make sense.

Whoa, here is the one with Kubernetes. Raise your hand if you are at ease with Kubernetes. Okay, so we do Kubernetes since it's also the new trend. So the idea is to say Traefik is inside what we call an ingress controller; instead of another, you have a different provider, and so the ingress takes care of feeding me with the routing information that I will implement to send requests inside the pods. So it works exactly as in Docker but with the native Kubernetes integration. So this is a standard ingress declaration in Kubernetes, sorry for those not at ease. So the only difference with the default one, which is generally nginx as the de facto standard for ingress: you comment out or replace nginx by traefik and it just works as it was working before. So you don't have to choose; you install both and you can select the one which is the better fit for you.

So we don't have a lot of time; I missed a lot of things we could do: tracing, we could do a lot of back-end system mirroring, routing rules for circuit-breaking patterns. There are so many features, but I wanted to focus on the message: we want to keep things simple. If you want to build something very big and complex, Traefik might not be the tool you want to use. The goal is to not waste your time on configuring this kind of edge routing; focus on your service mesh, your application, something more valuable.

So we talked about high availability. The thing with Traefik is that it's single-node based. Since one year and a half we have a beta feature named cluster that allows running multiple Traefik instances, so if one instance goes down then your traffic is still routed by the other, which seems logical. It's not that easy, especially when you deal with certificates, with all that automation: how to be sure that at any moment you don't have two separated instances, because of a network failure, that try to gain a new certificate at the same time. Once the cluster goes back to a healthy group of Traefiks, which one will have the right certificate? How do you manage that? You know, there are indeed some complications. So that's why I want to present to you a very secret project that we have been working on for a few months now. So the goal of that project is to provide a highly available Traefik: if one node goes down, that secret project will be able to route and share load on all the other nodes. To solve the problem of complexity and lock and distribution we have a separation of concerns: that kind of cluster has two kinds of nodes. So you have the routing nodes, or data nodes, the data plane in network language, which take care of taking the load. If a new server comes in because you scale your application, a new deployment, there is a control node, the tiny one on the top right, that detects the change in the provider, as we saw before in normal Traefik, and that control node will say oh, there is a new one, so I will push that configuration. So one node or a collection of nodes has to reach a quorum and decide the distribution and detect events, and once they have that kind of event they push that to the routing nodes, the data nodes, that take care only of the load. Their aim is just to route traffic; they don't have any knowledge. So this allows us to have a scalable Traefik: we can have more nodes to handle more load. So this is our secret project.

And so for the teaser, here is a simple example that I will show you in a video, because I don't want to run into demo effects. So we have a Kubernetes cluster that contains five nodes, so a five-virtual-machine cluster. I've deployed the very secret project and I've deployed an application, whoami, which just prints a bunch of HTTP headers of each request, showing me which machine treats my request. That's a basic web server, minimalistic, and I've configured that with an ingress that says every request entering my platform with whoami.localhost, or my domain name here, will be sent and load-balanced to one of the two containers. So here is the video; I will comment on it. So in that video on the left part you have my loader; it's a service that will just send a bunch of requests to my platform to show you that if one node goes down you will still keep requests coming. And on the top right you have the whoami application; you see that dumb web server that just prints out the information from my requests. And on the bottom part you see the web UI of the very secret project. So let's start it. So here, that's the initial configuration: you have the three entry points and the concepts I showed you in normal Traefik. So we have one for the web UI itself, one which is for whoami, and the third is just for validation. You see the test on the left, because, I mean, it's a SaaS that sends a bunch of requests, so you need to prove that you are the owner or it's just a DDoS attack. So I have three applications: one for proving I'm the owner, the dashboard, and my test, whoami. My cluster consists of three control nodes and four data nodes. The three control nodes are just discussing between each other and the data nodes route traffic. We have embedded metrics that show the status of HTTP. If I reload the application you see everything changes, because it's load balanced between the two containers. So once that sanity check is done, I launch the test, and while the tests are sending a bunch of requests to my platform I will switch to my terminal and I just kill a virtual machine in my cluster. So one of the VMs goes down with everything inside; that can happen. So what you see is that all the cluster is starting to react in order to keep the availability for your application: Kubernetes reschedules pods, restarts containers, we detect that one node is going down, the red one, and you see some requests, it's still not perfect, some requests are still in timeout, because Kubernetes takes time to detect the change, because it's the default config. You see that we still don't have HTTP errors inside the cluster; it's just clients that have a timeout, which is way different, and the cluster recovers by itself. The virtual machine will restart, Kubernetes will restart pods and everything will go back, but the main part of our requests are still in HTTP 200. So we see one machine down, on it three data nodes; the failed node has disappeared, still our metrics providing insight about okay, how Traefik sees the load from inside, while on the left from the outside. And finally the machine comes back, and immediately the nodes come back online and start sending traffic again. So this is our working project, which is built upon the open source Traefik. So to know more about that, just stay tuned.

Okay, we have three minutes and a half for questions. That's all for me; don't forget to rate me, and any feedback or questions are welcome. Thank you very much. [Applause]

So the question is: why would we change from nginx in Kubernetes to Traefik inside Kubernetes? So my answer is: because both are doing different things. They are still edge routers, and nginx is at heart a web server, but if you have nginx you need also to spend time automating the configuration. In the case of nginx in Kubernetes you don't have high availability, and also if you have an issue in the template rendering, because it's just a listener on Kubernetes that renders the nginx conf file and reloads the web server, so you still have to automate some things at the routing level, also SSL. If you want to simplify the SSL certificates you can have more pods and more applications that will feed nginx, but using Traefik here will ease your life: just say Traefik, use that SSL. Still, I don't say you should replace nginx; in the case of Kubernetes you can have both side by side, that's not an issue. You could install for ingress even nginx, Istio, Traefik, and use the right tool for the right job. It just depends on what you aim for: do you want something simple, fast? Do you want nginx for complex performance, or migrating from outside Kubernetes with nginx already installed? It depends on your use case. So I don't say use it or replace it; I just consider it does not cost anything to have both in your cluster.

So the question is: how do you configure that your external requests reach Traefik in the case of Kubernetes, right? So this is a purely Kubernetes question. You have two main ways that are both supported by Traefik, and the secret project as well. If you are lucky enough to run Kubernetes inside the cloud, the magical cloud, AWS with EKS, Google Compute, et cetera, they provide the facilities for that: they have plugins inside your Kubernetes cluster that will take care of creating an external load balancer for you dynamically when you create services in Kubernetes. I don't have enough time, but when you have the concept of a service it creates external access, so when you install the Traefik ingress controller it creates one single service that will take your certificate and a single entry point for the ingress controller. If you are not lucky, I recommend you to check MetalLB, which is a load balancer using IPVS that can be hooked to Kubernetes if you're running Kubernetes on metal. It even works with Raspberry Pis, ARM architectures, and it's built by Google folks, and they provide the same facilities. If you don't, you should configure Traefik as a service of kind NodePort, meaning each machine of your cluster will have an allocated port, let's say ten thousand, and so you have to manually configure your external load balancer to send the traffic to all machines, and then once the traffic reaches one machine Kubernetes will take care of routing this to the right pod, or whatever. So in all cases you just have to configure one service, be it a Kubernetes service of kind LoadBalancer or NodePort; if you are running on metal you need an external system managed by yourself, and then it just works. Time's up; if you want to ask questions come see me after, and we have a bunch of stickers if you want some. Thank you very much and enjoy the conf. [Applause]
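As an added example (not code from the talk, the speaker or the Traefik project), here is a Docker Compose file written the way the Docker part of the talk describes it: Traefik 1.x fed by the Docker provider with a default domain and Let's Encrypt, plus the three labelled applications (nginx on the www subdomain, Jenkins under a path prefix on its HTTP port, Gitea with the prefix stripped and routed to port 3000 rather than SSH). The domain mycompany.org, the ACME e-mail address, the image tags and the path prefixes are assumptions; the flag and label names are Traefik 1.x ones.

```yaml
# Added example, not from the talk or the Traefik project: Traefik 1.x configured
# through the Docker provider and container labels only.
# Assumed values: domain mycompany.org, the ACME e-mail, image tags, path prefixes.
version: "3"

services:
  traefik:
    image: traefik:1.7
    command:
      - --docker                               # provider: watch the Docker daemon for containers
      - --docker.domain=mycompany.org          # default domain every application lives under
      - --docker.exposedbydefault=false        # route only containers that opt in with traefik.enable=true
      - --entrypoints=Name:http Address::80 Redirect.EntryPoint:https
      - --entrypoints=Name:https Address::443 TLS
      - --defaultentrypoints=http,https
      - --acme                                 # Let's Encrypt: certificates requested and renewed automatically
      - --acme.email=admin@mycompany.org       # assumed contact address
      - --acme.storage=/acme.json              # certificates and their private keys land here
      - --acme.entrypoint=https
      - --acme.httpchallenge.entrypoint=http   # HTTP-01 validation: token served on port 80
      - --acme.onhostrule=true                 # one certificate per Host: rule found in the labels
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # The socket is how Traefik learns about containers; mounted read-only since it only reads events.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Create this file empty with mode 600 before the first start; it holds private keys.
      - ./acme.json:/acme.json

  www:
    image: nginx:alpine
    labels:
      - traefik.enable=true
      - traefik.frontend.rule=Host:www.mycompany.org   # only the www subdomain; the bare domain stays 404
      - traefik.port=80

  jenkins:
    image: jenkins/jenkins:lts
    environment:
      - JENKINS_OPTS=--prefix=/jenkins                 # Jenkins must expect the /jenkins prefix itself
    labels:
      - traefik.enable=true
      - traefik.frontend.rule=PathPrefix:/jenkins      # forwarded as is, prefix kept
      - traefik.port=8080                              # the HTTP port, not the 50000 agent port

  gitserver:
    image: gitea/gitea
    labels:
      - traefik.enable=true
      - traefik.frontend.rule=PathPrefixStrip:/gitserver   # /gitserver/x reaches Gitea as /x
      - traefik.port=3000                                   # Gitea's HTTP port; port 22 (SSH) is never routed
```

Start it with `touch acme.json && chmod 600 acme.json && docker-compose up -d`. Two choices differ from the four-flag version in the talk and are deliberate: `--docker.exposedbydefault=false` means a container becomes reachable from the edge only when someone labels it, instead of every container on the daemon being published by default, and the socket is mounted `:ro` because the provider only listens for events. Both narrow what a mistake in a compose file can expose.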
Info
Channel: Devoxx
Views: 22,035
Rating: 4.8449612 out of 5
Keywords: Devoxx2018, Devoxx
Id: AqiGcLsVMeI
Length: 31min 12sec (1872 seconds)
Published: Tue Nov 13 2018