A demo of some fun things you can do with envoy.
- ab
- curl
- docker
- envsubst (
brew install gettext) - make
In order to fully appreciate all the things, you must:
- Have an auth0 domain
- Create an auth0 API and register
readandwritescope for it. Scopes can be defined in an API's "permissions" tab. - Create a Machine to Machine application associated with this API and attach the
readscope. - Export these things into your environment
AUTH0_DOMAINe.g.kursar.auth0.comAPI_AUDIENCEthis is an id for your API. It's typically your API's url, and is available in your API's settings. I usedenvoy-demobut you can make this anything.CLIENT_IDthis is autogenerated and is available in your M2M app settingsCLIENT_SECRETthis is autogenerated and is available in your M2M app settings
Once you've completed the setup ( i.e. auth0 config and exported vars), try to build the images and get an access token:
make clean install token.txt
If that works, bring up the services:
make run
You should now be able to hit the app directly on 8080 as well as through envoy on 8000:
curl localhost:8080/hello
curl localhost:8000/hello
We'll go through envoy for the rest of the walkthrough.
See retry_policy in envoy.yaml. We should see 3 retries on 500 errors.
curl -i localhost:8000/error
Here we trigger a 500 response. If we tail the app containers logs, we can see the original request and the 3 retries:
docker-compose logs -f app
See the timeout in the same retry_policy section of envoy.yaml. We see a 5s per-try timeout. There's also a 15s overall timeout in the route. If we trigger timeouts, we should see the original request, retries at ~5 and ~10 seconds, and probably not a 3rd retry because we're at 15s at that point.
curl -i localhost:8000/timeout
See envoy.filters.http.cache filter in envoy.yaml. This is an in-memory cache of the envoy container. Attempting to retrieve the /cache page should return cached responses, noted by the age response header and the same page contents, for 60s ( as configured in the max-age response header).
curl -i localhost:8000/cache
curl -i localhost:8000/cache
curl -i localhost:8000/cache
Requesting the cache page with different x-api-key values will return the same response.
curl -i -H "x-api-key: user1" localhost:8000/cache
curl -i -H "x-api-key: user2" localhost:8000/cache
curl -i -H "x-api-key: user1" localhost:8000/cache
curl -i -H "x-api-key: user2" localhost:8000/cache
This is undesirable. We can inform the cache to cache per x-api-hear by using a vary header in the response.
curl -i -H "x-api-key: user1" localhost:8000/vary
curl -i -H "x-api-key: user2" localhost:8000/vary
curl -i -H "x-api-key: user1" localhost:8000/vary
curl -i -H "x-api-key: user2" localhost:8000/vary
Note this requires the header in the app's response as well as config in the envoy.filters.http.cache filter (see allowed_vary_headers).
Try to make a request to a secure endpoint.
curl -i localhost:8000/secure
You should see a 401/Unauthorized response. We need to include our access token as retrieved from auth0. We already grabbed this and stuck it in token.txt, so let's try using that.
export TOKEN="$(cat ./token.txt)"
curl -i -H "authorization: Bearer ${TOKEN}" localhost:8000/secure
You should get a 200 response. Further, the jwt payload should be visible, demonstrating that the app now has access to the client id and scopes of this user, and that envoy has already validated these.
See the envoy.filters.http.rbac filter in envoy.yaml. This additionally checks the scopes in the jwt payload.
You should be able to hit /rbac-read if your M2M app is assigned the read scope. You should be able to see this in the previous responses.
curl -i -H "authorization: Bearer ${TOKEN}" localhost:8000/rbac-read
However, /rbac-write requires the presumable unassigned write scope, and so should 403:
curl -i -H "authorization: Bearer ${TOKEN}" localhost:8000/rbac-write
See the envoy.filters.http.local_ratelimit filter in envoy.yaml. We've configured an enforcing local rate limit that configures 10 tokens /s.
Fire off a bunch of requests with ab to trigger the rate limit for about half of them:
ab -n 200 -c 20 -v 3 localhost:8000/hello 2>&1 | grep ^HTTP | sort | uniq -c