A lightweight setup that uses Envoy as both an API Gateway and Kubernetes Ingress Controller in front of two small Go services — one for login/auth (with gRPC for Envoy’s external authorization) and one for a backend with public/private routes. Everything runs on Kubernetes using Helm.
This project started as a playground for testing service-to-service authentication, and route protection — and then grew into a reusable, multi-environment chart you can install with a single make command.
- Envoy – serves as the Ingress Controller and API gateway, handling routing, load‑balancing, logging, and calling the auth service for token validation (via gRPC)
- Auth (Go) – REST endpoint for
/login, gRPC endpoint for Envoy ext_authz, issues JWTs, and/healthcheckfor probes - Backend (Go) – public
/public, protected/private, and/healthcheckfor probes - Helm chart – one chart for all services, with values for
opsandstgenvironments; Envoy is exposed via Kubernetes LoadBalancer (no separate Ingress CRD). - Makefile – to help typing Helm commands repeatedly
.
├── deploy
│ ├── charts
│ │ ├── auth
│ │ ├── backend
│ │ ├── envoy
│ ├── Chart.yaml
│ ├── values.ops.yaml
│ ├── values.stg.yaml
│ └── values.yaml
├── scripts
│ └── test.sh
├── services
│ ├── auth
│ │ ├── Dockerfile
│ │ └── main.go
│ ├── backend
│ │ ├── Dockerfile
│ │ └── main.go
│ └── envoy
│ ├── Dockerfile
│ └── envoy.yaml
├── Makefile
└── README.md
Start Minikube:
minikube startmake build-images
make load-imagesThis builds the auth, backend, and envoy images and loads them into Minikube’s Docker daemon.
make helm-install-opsmake helm-install-stgmake helm-test-ops
make helm-test-stgmake helm-template-ops
make helm-template-stgAfter deployment, the LoadBalancer will route the downstream's requests to all envoy pods.
Port-forward ops-envoy:
kubectl port-forward deployment/ops-envoy 8060:8060 -n opsor port-forward stg-envoy:
kubectl port-forward deployment/stg-envoy 8060:8060 -n stgThen run the test script:
./scripts/test.sh functionalThis script:
- calls
/endpoint to get the landing page information - calls
/loginendpoint to the auth service to fetch a JWT token - calls
/publicendpoint without token - calls
/privateendpoint without and with token - prints results; Envoy will round‑robin across auth & backend pods.
Further, we can collect the Envoy gateway's stats:
kubectl port-forward deployment/ops-envoy 9901:9901 -n opsand call admin's endpoint:
curl http://localhost:9901/statsHere are some samples of the stats:
cluster.auth_http.upstream_rq_200: 5
cluster.backend_service.upstream_rq_200: 10
cluster.auth_ext.internal.upstream_rq_time: P0(nan,0) P25(nan,0) P50(nan,0) P75(nan,0) P90(nan,0) P95(nan,1.05) P99(nan,1.09) P99.5(nan,1.095) P99.9(nan,1.099) P100(nan,1.1)
Once we have verified the basic functionality, you we stress the system to prove autoscaling. This test will generate a flood of requests against the /public endpoint, driving CPU utilization above the HPA threshold (ops environment) and causing your Backend and Envoy pods to scale out automatically.
How it works
- We fire off a configurable number of concurrent
curlrequests (PERF_REQUESTS) with a fixed parallelism (PERF_CONCURRENCY) for a duration (PERF_DURATION). - Each request hits
/public, which does minimal work but still consumes CPU. - The HorizontalPodAutoscaler watches the CPU usage (via metrics-server) and will spin up new replicas once average utilization exceeds the configured target.
Usage
- Enable metrics-server in Minikube:
minikube addons enable metrics-server
kubectl get deploy metrics-server -n kube-system- Run only the performance test:
./scripts/test.sh perfQuick “on/off” tests to verify each sub‑chart’s enabled flag works as expected.
make helm-smoke-noauthVerify only backend service & envoy are running
kubectl get deployments -n smoke-testClean up the smoke tests
make cleanup-smokemake helm-upgrade-ops
make helm-upgrade-stg To uninstall Helm releases and delete Docker images from both local and Minikube:
make cleanupThis runs:
helm uninstalldocker rmilocallyminikube ssh -- ctr images rm ...
Revert to a previous Helm release:
make helm-rollback-ops
make helm-rollback-stg- Envoy config is generated from a Helm
ConfigMap - Auth and backend service names are dynamically set per environment via
values.stg.yamlandvalues.ops.yaml