Part 2: Deploying Envoy with a Python Flask webapp and Kubernetes
In the first post in this series, Getting Started with Lyft Envoy for microservice resilience, we explored Envoy a bit and dug into how it works. In this post, we'll deploy a real application using Kubernetes, Postgres, Flask, and Envoy.
The Application
In this tutorial, we will deploy a straightforward REST-based user service: it can create users, read information about a user, and process simple logins. Obviously, this isn’t terribly interesting by itself, but it brings several real-world concerns together:
- It requires persistent storage, so we’ll have to tackle that early.
- It will let us explore scaling the different pieces of the application.
- It will let us explore Envoy at the edge, where the user’s client talks to our application, and
- It will let us explore Envoy internally, brokering communications between the various parts of the application.
Since Envoy is language-agnostic, we can use anything we like for the service itself. For this series, we'll go with Flask, both because it's simple and because I like Python. On the database side, we'll use PostgreSQL: it has good Python support, and it's easy to get running both locally and in the cloud. And we'll manage the whole thing with Kubernetes.
Kubernetes
Kubernetes is Ambassador Labs' go-to container orchestrator these days, mostly because it lets you use the same tools, whether you're doing local development or deploying into the cloud for production. So to get rolling today, we'll need a Kubernetes cluster in which we'll work. Within our cluster, we'll create deployments that run the individual pieces of our application and then expose services provided by those deployments (and when we do that, we get to decide whether to expose the service to the world outside the cluster or only to other cluster members).
We’ll start out using Minikube to create a simple Kubernetes cluster running locally. The existence of Minikube is one of the things I really like about Kubernetes – it gives me an environment that’s almost like running Kubernetes somewhere out in the cloud. Still, it’s entirely local, and (with some care) it can keep working at 30000 feet on an airplane with no WiFi.
Note, though, that I said almost like running in the cloud. In principle, Kubernetes is Kubernetes, and where you're running doesn't matter. In reality, of course, it does matter: networking, in particular, varies a bit depending on how you're running your cluster. So getting running in Minikube is a great first step, but we'll have to be aware that things will probably break a little bit as we move into the cloud.
Setting Up
Minikube
Of course you'll need Minikube installed; see https://github.com/kubernetes/minikube/releases for instructions. Mac users might also consider installing it with Homebrew:

brew cask install minikube
Once Minikube is installed, you'll need to start it. Mac users may want the xhyve VM driver:

minikube start --vm-driver xhyve

Alternately,

minikube start

will fire things up with the default driver.
Kubernetes
To be able to work with Minikube, you'll need the Kubernetes CLI, kubectl. Mac users can install it with Homebrew:

brew install kubernetes-cli
Docker
You'll also need the Docker CLI, docker, which brew can install as well:

brew install docker
The Application
All the code and configuration we'll use in this demo is in GitHub at

https://github.com/datawire/envoy-steps

Grab a clone of that repo and cd into it. The README.md there describes the layout: each piece of the application (postgres, usersvc, and so on) lives in its own directory, and you can bring any piece up with

bash up.sh $service

or tear it down with

bash down.sh $service
Obviously I’d prefer to simply include everything you need in this blog post, but between Python code, all the Kubernetes config, docs, etc, there’s just too much. So we’ll hit the highlights here, and you can look at the details to your heart’s content in your clone of the repo.
The Docker Registry
Minikube starts a Docker daemon when it starts up, and we'll need to use that daemon for our Docker image builds so that the Minikube containers can load our images. To point your Docker command-line tools at it:
eval $(minikube docker-env)
One of the benefits of Minikube is that a container can always pull your images from the local Docker daemon started by Minikube, so we don't need to push Docker images to any registry -- just building them using the Minikube Docker daemon is good enough. To tell the scripting we'll be using that we're using Minikube and nothing more is needed, run
bash prep.sh -
If you want to reset to a pristine condition later, you can use
bash clean.sh
Database Matters
Our database can be straightforward: we need a single table to store our user information. We can start by writing the Flask app to check at boot time and create the table if it doesn't already exist, relying on Postgres to make sure we don't create it twice. (Later, as we look into multiple Postgres servers, we may need to revisit this, but let's keep it simple for now.)
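To make that concrete, the boot-time check can be as small as a single CREATE TABLE IF NOT EXISTS statement. The following is only a sketch, not the repo's actual code: the table name, column names, and connection string are assumptions for illustration.

# Sketch only: create the user table at boot if it isn't there yet.
# The table layout and DSN here are assumptions, not the repo's exact schema.
import psycopg2

def ensure_users_table(dsn="host=postgres port=5432 user=postgres"):
    conn = psycopg2.connect(dsn)
    conn.autocommit = True
    with conn.cursor() as cur:
        # CREATE TABLE IF NOT EXISTS is idempotent, so every replica can
        # safely run this at startup.
        cur.execute("""
            CREATE TABLE IF NOT EXISTS users (
                username TEXT PRIMARY KEY,
                fullname TEXT,
                password TEXT,
                uuid     TEXT
            )
        """)
    conn.close()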
So the only thing we really need is a way to spin up a Postgres server in our Kubernetes cluster. Fortunately there's a published Postgres 9.6 Docker image readily accessible, so creating the Postgres deployment is pretty easy. The relevant part of postgres/deployment.yaml is just:

spec:
  containers:
  - name: postgres
    image: postgres:9.6
Given the deployment, we also need to expose the Postgres service within our cluster. That's defined in postgres/service.yaml:

spec:
  type: ClusterIP
  ports:
  - name: postgres
    port: 5432
  selector:
    service: postgres
Note that we mark this with type ClusterIP, which means the service is reachable only from within the cluster.
To fire this up, just run
bash up.sh postgres
Once that's done, kubectl get pods should show the postgres pod running:

NAME                        READY     STATUS    RESTARTS   AGE
postgres-1385931004-p3szz   1/1       Running   0          5s
and kubectl get services should show its service:

NAME       CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
postgres   10.107.246.55   <none>        5432/TCP   5s
So we now have a running Postgres server, reachable from anywhere in the cluster at postgres:5432.
The Flask App
Our Flask app is really simple: basically it just responds to PUT requests to create users and GET requests to read them back, plus a health-check endpoint. The only real gotcha is that by default, Flask will listen only on the loopback address, which would prevent any connections from outside the Flask app's container, so we set the Flask app to explicitly listen on 0.0.0.0 instead.
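For a concrete picture of its shape, here's a minimal sketch, not the repo's actual code: the routes and field names come from the curl examples later in this post, and it uses an in-memory dict instead of Postgres just to stay short.

# Minimal sketch of the usersvc's shape. Storage is an in-memory dict here
# rather than Postgres, purely to keep the example self-contained.
import socket
import uuid
from flask import Flask, jsonify, request

app = Flask(__name__)
USERS = {}  # stand-in for the Postgres table

@app.route("/user/health")
def health():
    return jsonify(ok=True,
                   msg="user health check OK",
                   hostname=socket.gethostname())

@app.route("/user/<username>", methods=["PUT"])
def create_user(username):
    body = request.get_json()
    record = {
        "fullname": body["fullname"],
        "uuid": uuid.uuid4().hex.upper(),
        "hostname": socket.gethostname(),
        "ok": True,
    }
    USERS[username] = record   # the real app writes to Postgres instead
    return jsonify(record)     # note: the password is never echoed back

@app.route("/user/<username>", methods=["GET"])
def read_user(username):
    record = USERS.get(username)
    if record is None:
        return jsonify(ok=False, msg="no such user"), 404
    return jsonify(record)

if __name__ == "__main__":
    # Listen on all interfaces so other containers can reach us (for now).
    app.run(host="0.0.0.0", port=5000)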
To get the app running in Kubernetes, we'll need a Docker image that contains our app. We'll build this on top of the lyft/envoy image, so the Envoy binary is already present when we need it later:

FROM lyft/envoy:latest
RUN apt-get update && apt-get -q install -y \
    curl \
    python-pip \
    dnsutils
WORKDIR /application
COPY requirements.txt .
RUN pip install -r requirements.txt
COPY service.py .
COPY entrypoint.sh .
RUN chmod +x entrypoint.sh
ENTRYPOINT [ "./entrypoint.sh" ]
We'll build that into a Docker image, then fire up a Kubernetes deployment and service with it. The deployment, in usersvc/deployment.yaml, looks an awful lot like the one for postgres:

spec:
  containers:
  - name: usersvc
    image: usersvc:step1
Likewise, usersvc/service.yaml is much like the postgres service definition, except that it uses type LoadBalancer:

spec:
  type: LoadBalancer
  ports:
  - name: usersvc
    port: 5000
    targetPort: 5000
  selector:
    service: usersvc
It may seem odd to be starting with type LoadBalancer when we ultimately plan to put Envoy in front of everything, but it lets us talk to the Flask app directly for our first test, before Envoy enters the picture.
To build the Docker image and crank up the service, run
bash up.sh usersvc
At this point, kubectl get pods should show both the usersvc and postgres pods running:

NAME                        READY     STATUS    RESTARTS   AGE
postgres-1385931004-p3szz   1/1       Running   0          5m
usersvc-1941676296-kmglv    1/1       Running   0          5s
First Test!
And now for the moment of truth: let's see if it works without Envoy before moving on! This will require us to get the IP address and mapped port number for the usersvc service. Happily, we can run

minikube service --url usersvc

to get a neatly-formed URL to our usersvc.
Let's start with a basic health check using curl, which should also confirm that the usersvc can reach postgres:

curl $(minikube service --url usersvc)/user/health
If all goes well, the health check should return something like
{"hostname": "usersvc-1941676296-kmglv","msg": "user health check OK","ok": true,"resolvedname": "172.17.0.10"}
Next up we can try saving and retrieving a user:
curl -X PUT -H "Content-Type: application/json" \
     -d '{ "fullname": "Alice", "password": "alicerules" }' \
     $(minikube service --url usersvc)/user/alice
This should give us a user record for Alice, including her UUID but not her password:
{"fullname": "Alice","hostname": "usersvc-1941676296-kmglv","ok": true,"resolvedname": "172.17.0.10","uuid": "44FD5687B15B4AF78753E33E6A2B033B"}
If we repeat it for Bob, we should get much the same:
curl -X PUT -H "Content-Type: application/json" \
     -d '{ "fullname": "Bob", "password": "bobrules" }' \
     $(minikube service --url usersvc)/user/bob
Note, of course, that Bob should have a different UUID:
{"fullname": "Bob","hostname": "usersvc-1941676296-kmglv","ok": true,"resolvedname": "172.17.0.10","uuid": "72C77A08942D4EADA61B6A0713C1624F"}
Finally, we should be able to read both users back (again, minus passwords!) with
curl $(minikube service --url usersvc)/user/alice
curl $(minikube service --url usersvc)/user/bob
Enter Envoy
Given that all of that is working, it's time to stick Envoy in front of everything, so it can manage routing when we start scaling the front end. As we discussed in the previous article, we have an edge Envoy and an application Envoy, each of which needs its own configuration. We'll crank up the edge Envoy first.
Since the edge Envoy runs in its own container, we’ll need a separate Docker image for it. Here’s the Dockerfile:
FROM lyft/envoy:latest
RUN apt-get update && apt-get -q install -y \
    curl \
    dnsutils
COPY envoy.json /etc/envoy.json
CMD /usr/local/bin/envoy -c /etc/envoy.json
which is to say, we take lyft/envoy:latest, copy in our Envoy configuration, and start Envoy when the container boots.
Our edge Envoy's config is fairly simple, too, since it only needs to proxy any URL starting with /user over to the usersvc. Here's the relevant virtual_hosts section:

"virtual_hosts": [
  {
    "name": "service",
    "domains": [ "*" ],
    "routes": [
      {
        "timeout_ms": 0,
        "prefix": "/user",
        "cluster": "usersvc"
      }
    ]
  }
]
and here's the related clusters section:

"clusters": [
  {
    "name": "usersvc",
    "type": "strict_dns",
    "lb_type": "round_robin",
    "hosts": [
      {
        "url": "tcp://usersvc:80"
      }
    ]
  }
]
Note that we're using strict_dns mode: Envoy will look up the usersvc name in DNS and treat every address it finds as a member of the cluster.
As usual, you can get the edge Envoy running with a single command:
bash up.sh edge-envoy
Sadly we can’t really test anything yet, since the edge Envoy is going to try to talk to application Envoys that aren’t running yet.
App Changes for Envoy
Once the edge Envoy is running, we need to switch our Flask app to use an application Envoy. We needn't change the database at all, but the Flask app needs a few tweaks:
- We need to have the Dockerfile copy in an Envoy config file.
- We need to have the entrypoint.sh script start Envoy as well as the Flask app.
- While we're at it, we can switch back to having Flask listen only on the loopback interface, and
- We'll switch the service from a LoadBalancer to a ClusterIP.
The effect here is that we’ll have a running Envoy through which we can talk to the Flask app — but also that Envoy will be the only way to talk to the Flask app. Trying to go direct will be blocked in the network layer.
The application Envoy's config, while we're at it, is very similar to the edge Envoy's. The listeners section stays the same; only the clusters section changes:

"clusters": [
  {
    "name": "usersvc",
    "type": "static",
    "lb_type": "round_robin",
    "hosts": [
      {
        "url": "tcp://127.0.0.1:80"
      }
    ]
  }
]
Basically we just use a static single-member cluster that points at the Flask app over localhost.
All the changes to the Flask side of the world can be found in the usersvc2 directory of the repo, which builds its image as usersvc:step2 rather than usersvc:step1. To switch over, take down the old usersvc:

bash down.sh usersvc

and then bring up the new one:

bash up.sh usersvc2
Second Test!
Once all that is done, voilà: you should be able to retrieve Alice and Bob from before:
curl $(minikube service --url edge-envoy)/user/alice
curl $(minikube service --url edge-envoy)/user/bob
…but note that we're now talking to the edge-envoy service rather than to the usersvc directly. Since the usersvc is now a ClusterIP, the only way to reach it is through Envoy.
Scaling the Flask App
One of the promises of Envoy is helping with scaling applications. Let’s see how well it handles that by scaling up to multiple instances of our Flask app:
kubectl scale --replicas=3 deployment/usersvc
Once that's done, kubectl get pods should show three usersvc pods running:

NAME                          READY     STATUS    RESTARTS   AGE
edge-envoy-2874730579-7vrp4   1/1       Running   0          3m
postgres-1385931004-p3szz     1/1       Running   0          5m
usersvc-2016583945-h7hqz      1/1       Running   0          6s
usersvc-2016583945-hxvrn      1/1       Running   0          6s
usersvc-2016583945-pzq2x      1/1       Running   0          3m
and we should then be able to watch Envoy round-robin between them. Run

curl $(minikube service --url edge-envoy)/user/health

multiple times, and look at the hostname in the returned JSON: it should be cycling through the three usersvc pods.
But it's not. Uh-oh. What's going on here?
Remembering that we're running Envoy in strict_dns mode, a good first check is to see what DNS actually returns for usersvc. We can run nslookup from inside one of the pods:

kubectl exec usersvc-2016583945-h7hqz /usr/bin/nslookup usersvc

(Make sure to use one of your pod names when you run this! Just pasting the line above is extremely unlikely to work.)
Running this check, we find that only one address comes back — so Envoy’s DNS-based service discovery simply isn’t going to work. Envoy can’t round-robin among our three service instances if it never hears about two of them.
The Service Discovery Service
What's going on here is that Kubernetes puts each service into its DNS, but it doesn't put the individual service endpoints into DNS, and Envoy needs to know about those endpoints in order to load balance. Thankfully, Kubernetes does know each service's endpoints, and Envoy knows how to query a REST service for discovery information. So we can make this work with a simple Python shim that bridges the Envoy "Service Discovery Service" (SDS) to the Kubernetes API.
There’s also the Istio project, which is digging into a more full-featured solution here.
Our SDS lives in the usersvc-sds directory of the repo, and it's quite small: when Envoy asks it about a service, it uses the Python requests module to query the Kubernetes endpoints API for that service and reformats the results into the JSON that Envoy expects.
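To make the idea concrete, here's a rough sketch of how such a shim can work; it is not the repo's exact code. It assumes Envoy's v1 SDS registration endpoint (/v1/registration/<service>) and the in-cluster Kubernetes endpoints API, with service-account token handling simplified.

# Sketch of an SDS shim: answer Envoy's /v1/registration/<service> queries
# by reading the matching Kubernetes Endpoints object. Paths and error
# handling are simplified assumptions, not the repo's exact code.
import requests
from flask import Flask, jsonify

app = Flask(__name__)

K8S = "https://kubernetes.default.svc"
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
CA_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

@app.route("/v1/registration/<service>")
def registration(service):
    token = open(TOKEN_PATH).read().strip()
    resp = requests.get(
        "%s/api/v1/namespaces/default/endpoints/%s" % (K8S, service),
        headers={"Authorization": "Bearer " + token},
        verify=CA_PATH,
    )
    hosts = []
    for subset in resp.json().get("subsets") or []:
        port = subset["ports"][0]["port"]
        for addr in subset.get("addresses") or []:
            hosts.append({"ip_address": addr["ip"], "port": port})
    # Envoy's v1 SDS expects a JSON object with a "hosts" array.
    return jsonify(hosts=hosts)

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=5000)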
We also need to modify the edge Envoy's config slightly: rather than using strict_dns for the usersvc cluster, we switch its type to sds, which in turn means defining an sds cluster so Envoy knows where to find the discovery service:

"cluster_manager": {
  "sds": {
    "cluster": {
      "name": "usersvc-sds",
      "connect_timeout_ms": 250,
      "type": "strict_dns",
      "lb_type": "round_robin",
      "hosts": [
        {
          "url": "tcp://usersvc-sds:5000"
        }
      ]
    },
    "refresh_delay_ms": 15000
  },
  "clusters": [
    {
      "name": "usersvc",
      "connect_timeout_ms": 250,
      "type": "sds",
      "service_name": "usersvc",
      "lb_type": "round_robin",
      "features": "http2"
    }
  ]
}
Look carefully: the sds cluster is defined inside the cluster_manager itself, not in its clusters array. Once it's there, a cluster in clusters can simply declare "type": "sds" (together with a service_name) and drop its hosts array entirely; Envoy will ask the SDS for the hosts instead.
The edge-envoy2 directory of the repo holds the updated edge Envoy configuration. Bring up the SDS, take down the old edge Envoy, and bring up the new one:

bash up.sh usersvc-sds
bash down.sh edge-envoy
bash up.sh edge-envoy2
and now, repeating our health check should show you the round-robin around the hosts. But, of course, asking for the details of user Alice should always give the same results, no matter which host does the database lookup:
curl $(minikube service --url edge-envoy)/user/alice
If you repeat that a few times, the host information should change, but the user information should not.
Up Next
We have everything working, including using Envoy to round-robin traffic between our several Flask app instances. With kubectl scale we can change the number of instances at will, and the SDS keeps Envoy's view of the cluster up to date as pods come and go.
Next up: Google Container Engine and AWS. One of the promises of Kubernetes is being able to easily get stuff deployed in multiple environments, so we’re going to see whether that actually works.