Tech Talk: Developing APIs the Easy Way – Streamline your API process with an endpoint-focused approach on Dec 5 at 11 am EST! Register now

Back to blog
KUBERNETES API GATEWAY

Part 2: Deploying Envoy with a Python Flask webapp and Kubernetes

Jake Beck
December 15, 2017 | 17 min read
Deploying Envoy with a Python Flask webapp

In the first post in this series, Getting Started with Lyft Envoy for microservice resilience, we explored Envoy a bit, dug into how it worked and deployed an application using Kubernetes, Postgres, Flask, and Envoy.

The Application

In this tutorial, we will deploy a straightforward REST-based user service: it can create users, read information about a user, and process simple logins. Obviously, this isn’t terribly interesting by itself, but it brings several real-world concerns together:

  • It requires persistent storage, so we’ll have to tackle that early.
  • It will let us explore scaling the different pieces of the application.
  • It will let us explore Envoy at the edge, where the user’s client talks to our application, and
  • It will let us explore Envoy internally, brokering communications between the various parts of the application.

Since Envoy is language-agnostic, we can use anything we like for the service itself. For this serious, we’ll pick on Flask, both because it’s simple and because I like Python. On the database side, we’ll use PostgreSQL – it has good Python support, and it’s easy to get running both locally and in the cloud. And we’ll manage the whole thing with Kubernetes.

Kubernetes

Kubernetes is Ambassador Labs' go-to container orchestrator these days, mostly because it lets you use the same tools, whether you're doing local development or deploying into the cloud for production. So to get rolling today, we'll need a Kubernetes cluster in which we'll work. Within our cluster, we'll create deployments that run the individual pieces of our application and then expose services provided by those deployments (and when we do that, we get to decide whether to expose the service to the world outside the cluster or only to other cluster members).

We’ll start out using Minikube to create a simple Kubernetes cluster running locally. The existence of Minikube is one of the things I really like about Kubernetes – it gives me an environment that’s almost like running Kubernetes somewhere out in the cloud. Still, it’s entirely local, and (with some care) it can keep working at 30000 feet on an airplane with no WiFi.

Note, though, that I said almost like running in the cloud. In principle, Kubernetes is Kubernetes, and where you’re running doesn’t matter. In reality, of course, it does matter: networking, in particular, varies a bit depending on how you’re running your cluster. So getting running in Minikube is a great first step, but we’ll have to be aware that things will probably break a little bit as we move into the cloud

Setting Up

Minikube

Of course you’ll need Minikube installed. See https://github.com/kubernetes/minikube/releases for more here. Mac users might also consider

brew cask install minikube

Once Minikube is installed, you’ll need to start it. Mac users may want the

xhyve
driver to avoiding needing to install VirtualBox:

minikube start --vm-driver xhyve

Alternately

minikube start

will fire things up with the default driver.

Kubernetes

To be able to work with Minikube, you’ll need the Kubernetes CLI,

kubectl
. Instructions are at https://kubernetes.io/docs/user-guide/prereqs/ — or, on a Mac, just use

brew install kubernetes-cli

Docker

You'll also need the Docker CLI,

docker
. Check out the Docker Community Edition if you're just getting started -- or, again, on a Mac use
brew
:

brew install docker

The Application

All the code and configuration we’ll use in this demo is in GitHub at

https://github.com/datawire/envoy-steps

Grab a clone of that, and

cd
into it. If you’re in the right place, you’ll see a
README.md
and directories named
postgres
,
usersvc
, etc. Each of the directories is for a Kubernetes deployment, and each can be brought up or down independently with

bash up.sh $service

or

bash down.sh $service

Obviously I’d prefer to simply include everything you need in this blog post, but between Python code, all the Kubernetes config, docs, etc, there’s just too much. So we’ll hit the highlights here, and you can look at the details to your heart’s content in your clone of the repo.

The Docker Registry

Minikube starts a Docker daemon when it starts up, which we'll need to use it for our Docker image builds so that the Minikube containers can load our images. To set up your Docker command-line tools for that:

eval $(minikube docker-env)

One of the benefits of Minikube is that a container can always pull your images from the local Docker daemon started by Minikube, so we don't need to push Docker images to any registry -- just building them using the Minikube Docker daemon is good enough. To tell the scripting we'll be using that we're using Minikube and nothing more is needed, run

bash prep.sh -

If you want to reset to a pristine condition later, you can use

bash clean.sh

Database Matters

Our database can be straightforward — we need a single table to store our user information. We can start by writing the Flask app to check at boot time and create our table if it doesn’t exist, relying on Postgres to ensure that only one table exists. (Later, as we look into multiple Postgres servers, we may need to change this — but let’s keep it simple for now.)

So the only thing we really need is a way to spin up a Postgres server in our Kubernetes cluster. Fortunately there’s a published Postgres 9.6 Docker image readily accessible, so creating the Postgres deployment is pretty easy. The relevant config file is

postgres/deployment.yaml
, which includes in its spec section the specifics of the image we’ll use:

spec:
containers:
- name: postgres
image: postgres:9.6

Given the deployment, we also need to expose the Postgres service within our cluster. That’s defined in

postgres/service.yaml
with highlights:

spec:
type: ClusterIP
ports:
- name: postgres
port: 5432
selector:
service: postgres

Note that we mark this with type

ClusterIP
, so that it can be seen only within the cluster.

To fire this up, just run

bash up.sh postgres

Once that’s done,

kubectl get pods
should show the
postgres
pod running:

NAME READY STATUS RESTARTS AGE
postgres-1385931004-p3szz 1/1 Running 0 5s

and

kubectl get services
should show its service:

NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
postgres 10.107.246.55 <none> 5432/TCP 5s

So we now have a running Postgres server, reachable from anywhere in the cluster at

postgres:5432
.

The Flask App

Our Flask app is really simple: basically it just responds to

PUT
requests to create users, and
GET
requests to read users and respond to health checks. You can see it in full in the GitHub repo.

The only real gotcha is that by default, Flask will listen only on the loopback address, which will prevent any connections from outside the Flask app’s container. We set the Flask app to explicitly listen on

0.0.0.0
instead, so that we can actually speak to it from elsewhere (whether from in the cluster or outside).

To get the app running in Kubernetes, we’ll need a Docker image that contains our app. We’ll build this on top of the

lyft/envoy
image, since we already know we’re headed for Envoy later — thus our Dockerfile (sans comments) ends up looking like this:

FROM lyft/envoy:latest
RUN apt-get update && apt-get -q install -y
curl
python-pip
dnsutils
WORKDIR /application
COPY requirements.txt .
RUN pip install -r requirements.txt
COPY service.py .
COPY entrypoint.sh .
RUN chmod +x entrypoint.sh
ENTRYPOINT [ "./entrypoint.sh" ]

We’ll build that into a Docker image, then fire up a Kubernetes deployment and service with it. The deployment, in

usersvc/deployment.yaml
, looks basically the same as the one for
postgres
, just with a different image name:

spec:
containers:
- name: usersvc
image: usersvc:step1

Likewise,

usersvc/service.yaml
is much like its
postgres
sibling, but we’re using type LoadBalancer to indicate that we want the service exposed to users outside the cluster:

spec:
type: LoadBalancer
ports:
- name: usersvc
port: 5000
targetPort: 5000
selector:
service: usersvc

It may seem odd to be starting with

LoadBalancer
here — after all, we want to use Envoy to do load balancing, right? The point is walking before running: our first test will be to talk to our service without Envoy, and for that we need to expose the port to the outside world.

To build the Docker image and crank up the service, run

bash up.sh usersvc

At this point,

kubectl
get pods should show both the
usersvc
pod and the
postgres
pod running:

NAME READY STATUS RESTARTS AGE
postgres-1385931004-p3szz 1/1 Running 0 5m
usersvc-1941676296-kmglv 1/1 Running 0 5s

First Test!

And now for the moment of truth: let’s see if it works without Envoy before moving on! This will require us to get the IP address and mapped port number for the

usersvc
service. Since we’re using Minikube, we use

minikube service --url usersvc

to get a neatly-formed URL to our

usersvc
. (Obviously, this will change when we move beyond Minikube.)

Let’s start with a basic health check using

curl
 from the host system, reaching into the cluster to the
usersvc
, which in turn is talking within the cluster to
postgres
:

curl $(minikube service --url usersvc)/user/health

If all goes well, the health check should return something like

{
"hostname": "usersvc-1941676296-kmglv",
"msg": "user health check OK",
"ok": true,
"resolvedname": "172.17.0.10"
}

Next up we can try saving and retrieving a user:

curl -X PUT -H "Content-Type: application/json" \
-d '{ "fullname": "Alice", "password": "alicerules" }' \
$(minikube service --url usersvc)/user/alice

This should give us a user record for Alice, including her UUID but not her password:

{
"fullname": "Alice",
"hostname": "usersvc-1941676296-kmglv",
"ok": true,
"resolvedname": "172.17.0.10",
"uuid": "44FD5687B15B4AF78753E33E6A2B033B"
}

If we repeat it for Bob, we should get much the same:

curl -X PUT -H "Content-Type: application/json" \
-d '{ "fullname": "Bob", "password": "bobrules" }' \
$(minikube service --url usersvc)/user/bob

Note, of course, that Bob should have a different UUID:

{
"fullname": "Bob",
"hostname": "usersvc-1941676296-kmglv",
"ok": true,
"resolvedname": "172.17.0.10",
"uuid": "72C77A08942D4EADA61B6A0713C1624F"
}

Finally, we should be able to read both users back (again, minus passwords!) with

curl $(minikube service --url usersvc)/user/alice
curl $(minikube service --url usersvc)/user/bob

Enter Envoy

Given that all of that is working, it’s time to stick Envoy in front of everything, so it can manage to route when we start scaling the front end. As we discussed in the previous article, we have an edge Envoy and an application Envoy, each of which needs its own configuration. So we’ll crank up the edge Envoy first

Since the edge Envoy runs in its own container, we’ll need a separate Docker image for it. Here’s the Dockerfile:

FROM lyft/envoy:latest
RUN apt-get update && apt-get -q install -y
curl
dnsutils
COPY envoy.json /etc/envoy.json
CMD /usr/local/bin/envoy -c /etc/envoy.json

which is to say, we take

lyft/envoy:latest
, copy in our own Envoy config, and start Envoy running.

Our edge Envoy’s config is fairly simple, too, since it only needs to proxy any URL starting with

/user
to our
usersvc
. Here’s how you set up
virtual_hosts
for that:

"virtual_hosts": [
{
"name": "service",
"domains": [ "*" ],
"routes": [
{
"timeout_ms": 0,
"prefix": "/user",
"cluster": “usersvc"
}
]
}
]

and here’s the related

clusters
section:

"clusters": [
{
"name": “usersvc”,
"type": "strict_dns",
"lb_type": "round_robin",
"hosts": [
{
"url": “tcp://usersvc:80”
}
]
}
]

Note that we’re using

strict_dns
, which means that we’re relying on every instance of the
usersvc
appearing in the DNS. We’ll find out if this actually works shortly!

As usual, you can get the edge Envoy running with a single command:

bash up.sh edge-envoy

Sadly we can’t really test anything yet, since the edge Envoy is going to try to talk to application Envoys that aren’t running yet.

App Changes for Envoy

Once the edge Envoy is running, we need to switch our Flask app to use an application Envoy. We needn’t change the database at all, but the Flask app needs a few tweaks:

  • We need to have the Dockerfile copy in an Envoy config file.
  • We need to have the
    entrypoint.sh
    script start Envoy as well as the Flask app.
  • While we’re at it, we can switch back to having Flask listen only on the loopback interface, and
  • We’ll switch the service from a
    LoadBalancer
    to a
    ClusterIP
    .

The effect here is that we’ll have a running Envoy through which we can talk to the Flask app — but also that Envoy will be the only way to talk to the Flask app. Trying to go direct will be blocked in the network layer.

The application Envoy’s config, while we’re at it, is very similar to the edge Envoy’s. The

listeners
section is actually identical, and the
clusters
section nearly so:

"clusters": [
{
"name": “usersvc”,
"type": "static",
"lb_type": "round_robin",
"hosts": [
{
"url": “tcp://127.0.0.1:80”
}
]
}
]

Basically we just use a static single-member cluster, with only

localhost
listed.

All the changes to the Flask side of the world can be found in the

usersvc2
directory, which is literally a copy of the
usersvc
directory with the changes we discussed above for the Flask side of the world (and it tags its image
usersvc:step2
instead of
usersvc:step1
). We need to drop the old
usersvc
:

bash down.sh usersvc

and then bring up the new one:

bash up.sh usersvc2

Second Test!

Once all that is done, voilà: you should be able to retrieve Alice and Bob from before:

curl $(minikube service --url edge-envoy)/user/alice
curl $(minikube service --url edge-envoy)/user/bob

…but note that we’re using the

edge-envoy
service here, not the
usersvc
, which means that we are indeed talking through the Envoy mesh! In fact, if you try talking directly to
usersvc
, it will fail: that’s part of how we can be sure that Envoy is doing its job.

Scaling the Flask App

One of the promises of Envoy is helping with scaling applications. Let’s see how well it handles that by scaling up to multiple instances of our Flask app:

kubectl scale --replicas=3 deployment/usersvc

Once that’s done,

kubectl
get pods should show more
usersvc
instances running:

NAME READY STATUS RESTARTS AGE
edge-envoy-2874730579-7vrp4 1/1 Running 0 3m
postgres-1385931004-p3szz 1/1 Running 0 5m
usersvc-2016583945-h7hqz 1/1 Running 0 6s
usersvc-2016583945-hxvrn 1/1 Running 0 6s
usersvc-2016583945-pzq2x 1/1 Running 0 3m

and we should then be able to see

curl
getting routed to multiple hosts. Try running

curl $(minikube service --url edge-envoy)/user/health

multiple times, and look at the

hostname
element. It should be cycling across our three
usersvc
nodes.

But it’s not. Uhoh. What’s going on here?

Remembering that we’re running Envoy in

strict_dns
mode, a good first check would be to look at the DNS. We can do this by running
nslookup
from inside the cluster. Specifically, we can use a
usersvc
pod:

kubectl exec usersvc-2016583945-h7hqz /usr/bin/nslookup usersvc

(Make sure to use one of your pod names when you run this! Just pasting the line above is extremely unlikely to work.)

Running this check, we find that only one address comes back — so Envoy’s DNS-based service discovery simply isn’t going to work. Envoy can’t round-robin among our three service instances if it never hears about two of them.

The Service Discovery Service

What's going on here is that Kubernetes puts each service into its DNS, but it doesn't put each service endpoint into its DNS — and we need Envoy to know about the endpoints to load balance. Thankfully, Kubernetes knows each service's service endpoints, and Envoy knows how to query a REST service for discovery information. So we can make this work with a simple Python shim that bridges the Envoy "Service Discovery Service" (SDS) to the Kubernetes API.

There’s also the Istio project, which is digging into a more full-featured solution here.

Our SDS is in the

usersvc-sds
directory. It’s pretty straightforward: when Envoy asks it for service information, it uses the
requests
Python module to query the Kubernetes endpoints API, and reformats the results for Envoy. The most bizarre bit might be the token it reads at the start: Kubernetes is polite enough to install an authentication token on every container it starts, precisely so that this sort of thing is possible.

We also need to modify the edge Envoy’s config slightly: rather than using

strict_dns
mode, we need
sds
mode. In turn, that means we have to define an
sds
cluster (which uses DNS to locate its server at the moment — we may have to tackle that later, too, as we scale the SDS out!):

"cluster_manager": {
"sds": {
"cluster": {
"name": "usersvc-sds",
"connect_timeout_ms": 250,
"type": "strict_dns",
"lb_type": "round_robin",
"hosts": [
{
"url": "tcp://usersvc-sds:5000"
}
]
},
"refresh_delay_ms": 15000
},
"clusters": [
{
"name": "usersvc",
"connect_timeout_ms": 250,
"type": "sds",
"service_name": "usersvc",
"lb_type": "round_robin",
"features": "http2"
}
]
}

Look carefully: the

sds
cluster is not defined inside the
clusters
dictionary, but as a peer of
clusters
. Its value is a cluster definition, though. Once the
sds
cluster is defined, you can simply say
"type": "sds"
in a service cluster definition, and delete any
hosts
array for that cluster.

The

edge-envoy2
directory has everything set up for an edge Envoy running this config. So let’s crank up the SDS, then down the old edge Envoy and fire up the new:

bash up.sh usersvc-sds
bash down.sh edge-envoy
bash up.sh edge-envoy2

and now, repeating our health check should show you the round-robin around the hosts. But, of course, asking for the details of user Alice should always give the same results, no matter which host the database lookup

curl $(minikube service --url edge-envoy)/user/alice

If you repeat that a few times, the host information should change, but the user information should not.

Up Next

We have everything working, including using Envoy to handle round-robin traffic between our several Flask apps. With

kubectl scale
, we can easily change the number of instances of Flask apps we’re running. And, as you probably noticed, bringing Envoy in once our app was running wasn’t hard. It’s a pretty promising way to add a lot of flexibility without a lot of pain.

Next up: Google Container Engine and AWS. One of the promises of Kubernetes is being able to easily get stuff deployed in multiple environments, so we’re going to see whether that actually works.