
Envoy Proxy at Reddit - runesoerensen
https://redditblog.com/2018/12/18/envoy-proxy-at-reddit/
======
ckwang
Hello! Blog post writer here. Happy to answer any questions.

~~~
gbrayut
Awesome blog post! I very much enjoy hearing how large web properties
implement these technologies and any issues they experience along the way.

Are you using envoy at all in your main http ingress path? You mentioned
haproxy and AWS ELBs, but it wasn't clear if envoy is also being considered
for public ingress traffic.

Keep up the great work!

~~~
ckwang
We have not yet put Envoy in our main HTTP ingress path, but internally we
have designs and implementation paths ready to go, and it's definitely being
considered for public ingress traffic. As we noted in the last "teaser"
section of the post we'd really like to leverage Envoy's routing functionality
to facilitate migrating client-facing APIs in the backend without affecting
frontend interfaces.

Our HAProxy layer that routes ingress traffic to the core backend
infrastructure has considerable routing logic that can be moved to Envoy and
then further extended. We'd love to explore that path in the coming months.

~~~
gbrayut
I look forward to hearing more about your plans for ingress and how the
various pieces fit together (CDN, L4/L7 LBs, TLS termination, Geo/policy DNS
balancing). Especially regarding the performance and new features available
using Envoy. I've use HAProxy before and it was great for simple
routing/reverse proxy but not so great at complex/dynamic configuration or
cert management.

~~~
rogerdonut
HAProxy supports quite complex configurations. We've actually found that many
of our users are only realizing extremely basic capabilities so we have been
working on increasing our blog content to help them take advantage of some of
the more complex configurations that can be done. We've even found that many
users are not aware that HAProxy now supports Hitless Reloads [1].

Quite a bit of complex routing and dynamic configurations can be provided by
map files [2] and these and many other settings can be updated directly from
the Runtime API [3].

With that said -- we are actively working to make things even better and
intend to introduce support for updating SSL certificates/keys directly
through the Runtime API as well as introducing a Data Plane API for HAProxy.

We have a new release coming any day now and this will lay the foundation that
will allow us to continue to provide best-in-class performance while
accelerating cutting edge feature delivery.

[1] [https://www.haproxy.com/blog/hitless-reloads-with-haproxy-
ho...](https://www.haproxy.com/blog/hitless-reloads-with-haproxy-howto/) [2]
[https://www.haproxy.com/blog/introduction-to-haproxy-
maps/](https://www.haproxy.com/blog/introduction-to-haproxy-maps/) [3]
[https://www.haproxy.com/blog/dynamic-configuration-
haproxy-r...](https://www.haproxy.com/blog/dynamic-configuration-haproxy-
runtime-api/)

------
ojhughes
The more logic we push out of band into sidecars, the harder application
issues become to debug. For example, let's say an Envoy config change is made
centrally and all of sudden my app breaks because an HTTP header has stopped
being set. Before I would easily be able to write a unit test to fix such a
thing. Now I would need to replicate the envoy config in a test environment
etc.

~~~
confiq
But I think that's the issue with ANY big software that you build. This
specific is not a job for unittest but for integration test.

~~~
ojhughes
The sidecar model is different to integrating with a 3rd party API as it is
designed to operate transparently. My Integration test might be passing but
when running with the sidecar, traffic can be mutated etc

------
wlll
Meta: "operationalizing", I really wish people wouldn't do this.

------
yourduskquibble
I see a lot of technical jargon but wondering how all of this relates and fits
in with (if at all) the redesign?

~~~
soonbesleeping
Agreed, it was hard to read from all the jargon. Also seems overly complex.

~~~
ojhughes
Regardless of whether Service Mesh is overly complex, the industry seems to
have entered an era of "Complexity Worship". I was speaking to some engineers
at a small startup the other day with only a handful of customers. They have
invested significant resource building there own K8S cluster, ensuring it runs
on multi-cloud etc, sounds a lot like premature optimisation.

~~~
rhizome
I have a theory that Complexity Worship is a product of boredom by CS degrees
who would rather not spend their time implementing WYSIWYG editors or whatever
anymore.

