You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org

Envoy: Difference between revisions

From Wikitech-static
Jump to navigation Jump to search
imported>RLazarus
imported>RLazarus
(→‎Ship a new version: update procedure for repack script)
Line 26: Line 26:
=== Ship a new version ===
=== Ship a new version ===


Clone the upstream envoy repository, and export an archive for the revision you want to package
The ''operations/debs/envoyproxy'' repository includes the envoy source code and the debian control files. It has been created using [[debian:PackagingWithGit|gbp]] and using it is recommended. There is an upstream branch including the original source code from the GitHub repo and multiple upstream tags pointing to each imported version, and a master branch that is the result of applying the latest upstream tag and possibly the development version of debian control files.
 
Clone the debs repo and use its <code>debian/repack</code> script to clone the upstream envoy repository and export an archive for the revision you want to package. Run the script from outside the repo, in order to avoid dirtying the working directory with the archive.


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ export REF=v1.11.2  # use your own version here
$ export REF=v1.11.2  # use your own version here
$ git clone https://github.com/envoyproxy/envoy.git
$ USER="yourgerrituser" git clone "ssh://$USER@gerrit.wikimedia.org:29418/operations/debs/envoyproxy" && scp -p -P 29418 $USER@gerrit.wikimedia.org:hooks/commit-msg "envoyproxy/.git/hooks/"
$ pushd envoy && git archive --format=tar $REF | gzip > ../envoyproxy_$REF.orig.tar.gz
$ envoyproxy/debian/repack $REF
$ popd
</syntaxhighlight>
</syntaxhighlight>


Now clone ''operations/debs/envoyproxy'', and import the tar archive you generated. This repository includes the envoy source code and the debian control files. It has been created using [[debian:PackagingWithGit|gbp]] and using it is recommended. There is an upstream branch including the original source code from the GitHub repo and multiple upstream tags pointing to each imported version, a master branch that is the result of applying the latest upstream tag and possibly the development version of debian control files, after that several wikimedia-DIST branches which points to build packages to an specific distribution branch.
Now, inside the repo, import the tar archive you generated.


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ mkdir WMF && cd WMF
$ cd envoyproxy
$ USER="yourgerrituser" git clone "ssh://$USER@gerrit.wikimedia.org:29418/operations/debs/envoyproxy" && scp -p -P 29418 $USER@gerrit.wikimedia.org:hooks/commit-msg "envoyproxy/.git/hooks/"
$ git branch upstream && git branch -u origin/upstream upstream
$ pushd envoyproxy
$ gbp import-orig ../../envoyproxy_$REF.orig.tar.gz
$ gbp import-orig ../../envoyproxy_$REF.orig.tar.gz
$ git push upstream
$ git push origin upstream
$ git push --tag
$ git push --tag
</syntaxhighlight>
</syntaxhighlight>


Now merge the new version in the ''wikimedia-stretch'' branch, create a new changelog entry, and push this as well.
Now create a new changelog entry on master, and push this as well.
 
<syntaxhighlight lang="bash">
$ export DEBEMAIL="$(git config --get user.name) <$(git config --get user.email)>"
$ dch -v ${REF#v}-1 -D buster-wikimedia --force-distribution "New upstream version ${REF#v}"
$ git commit debian/changelog -m "New upstream version ${REF#v}"
$ git push
</syntaxhighlight>
 
=== Build the package on the WMF infrastructure ===
=== Build the package on the WMF infrastructure ===
For building a new envoy debian package you should follow this steps.
For building a new envoy debian package you should follow this steps.

Revision as of 15:35, 10 March 2020

What is envoy proxy

Envoy is an L7 proxy and communication bus designed for large modern service oriented architectures. It provides several features for a reverse proxy including but not limited to:

  • HTTP2 support.
  • L3/L4 filter architecture, so it can be used as a TLS terminator, traffic mirror service and other use cases.
  • Good observability and tracing, supporting statsd, zipking etc.
  • rate limiting, circuit breakers support.
  • dynamic configuration through the xDS protocol.
  • service discovery.
  • gRPC, Redis, MongoDB proxy support.

Envoy at WMF

There are two main use cases for envoy at WMF.

  • Act as a TLS terminator / proxy for internal services and potentially mediawiki.
  • Be deployed as a sidecar container to services running in the deployment pipeline and provide TLS termination, better observability, better logging for some services.

As more services move into the deployment pipeline, that is a kubernetes, these two use cases will converge into one.

Building envoy for WMF

Envoy community has presented recently https://www.getenvoy.io/ an envoy proxy distribution that offers amongst other artifacts, when we started to consider envoy that distribution channel didn't exist at that time. Unfortunately, the deb packages they provide are quite incomplete.

Ship a new version

The operations/debs/envoyproxy repository includes the envoy source code and the debian control files. It has been created using gbp and using it is recommended. There is an upstream branch including the original source code from the GitHub repo and multiple upstream tags pointing to each imported version, and a master branch that is the result of applying the latest upstream tag and possibly the development version of debian control files.

Clone the debs repo and use its debian/repack script to clone the upstream envoy repository and export an archive for the revision you want to package. Run the script from outside the repo, in order to avoid dirtying the working directory with the archive. 

$ export REF=v1.11.2  # use your own version here
$ USER="yourgerrituser" git clone "ssh://$USER@gerrit.wikimedia.org:29418/operations/debs/envoyproxy" && scp -p -P 29418 $USER@gerrit.wikimedia.org:hooks/commit-msg "envoyproxy/.git/hooks/"
$ envoyproxy/debian/repack $REF

Now, inside the repo, import the tar archive you generated. 

$ cd envoyproxy
$ git branch upstream && git branch -u origin/upstream upstream
$ gbp import-orig ../../envoyproxy_$REF.orig.tar.gz
$ git push origin upstream
$ git push --tag

Now create a new changelog entry on master, and push this as well. 

$ export DEBEMAIL="$(git config --get user.name) <$(git config --get user.email)>"
$ dch -v ${REF#v}-1 -D buster-wikimedia --force-distribution "New upstream version ${REF#v}"
$ git commit debian/changelog -m "New upstream version ${REF#v}"
$ git push

Build the package on the WMF infrastructure

For building a new envoy debian package you should follow this steps.

  1. get access to the packaging project in Horizon, ask a project admin if you don't know who it is ask in #wikimedia-sre.
  2. Add your ssh public key (not the same one you use for production) under Preferences > OpenStack on Wikitech.
  3. ssh into builder-envoy.packaging.eqiad.wmflabs
  4. go to /usr/src/envoyproxy and pull the master branch and upstream tags: git checkout master && git fetch --tags && git pull --force --rebase
  5. Run the /mnt/build_envoy.sh $DISTRO script, where $DISTRO should be the distribution code name.
  6. The envoy building workflow is complex and involves running some docker containers and internet access, because of that this package cannot be build in our build servers. It uses a patched-up version of what pbuilder does, just done manually.
  7. If the build process goes well, your new packages will be under /usr/src
  8. The process leaves behind a 100+-GB artifact, which you should clean up: rm /tmp/envoy-docker-build (If you need to rebuild for any reason, leave the file in place: the build will use it to run incrementally if appropriate, and will complete much faster.)
  9. Copy the output files from /usr/src to install1002.eqiad.wmnet.
Retrieved from "https://wikitech-static.wikimedia.org/w/index.php?title=Envoy&oldid=435126"