envoy-controller

README

envoy-controller

envoy-controller is a Kubernetes controller that programs an Envoy instance with uninterpreted protobuf resources that are carried by custom resources in the cluster.

Rationale

envoy-controller is unopinionated and does not have an API of its own. It exists solely to allow Envoy xDS protobufs to be carried in Kubernetes CRD resources.

There are a number of reasons why this could be useful.

1. There are a number of Ingress controllers that use Envoy as a data plane. Each of these has its own way of programming Envoy and Envoy can have only one management server. Programming Envoy via CRDs allows multiple Ingress controllers to program the same Envoy data plane, if they are careful.

2. Ingress controllers rarely expose the full scope of the Envoy API, but operators may need to change the Envoy API resources in fairly arbitrary ways, e.g. injecting metadata, tweaking timeouts. envoy-controller makes it possible to write a custom controller to apply policy to Envoy resources that are generated by an Ingress controller.

3. Programming an service into Envoy should be operationally safe (i.e. introducing Ingress configuration errors should not break an existing Envoy configuration). This can be difficult to implement, since when a controller starts, it does not have a persistent store of Envoy configuration to reconcile against. envoy-controller provides this persistence layer so that a configuration error at Ingress API layer does not need to perturb the working Envoy resources.

4. If you don't have (or want) a Kubernetes controller, it is relatively simple to use envoy-controller to implement other kinds of Envoy workflows. For example, a GitOps workflow could simply apply Envoy resources that are stored as JSON files in Git.