🕸️ Service Mesh Proxy

Service mesh is infrastructure for microservice communication, but Istio and Linkerd are resource-heavy and complex to configure. This project provides a lightweight sidecar proxy with the core features (traffic routing, load balancing, circuit breaking, mTLS) and a minimal resource footprint.

| Project | Strengths | Weaknesses | Rating |
|---|---|---|---|
| envoyproxy/envoy | CNCF standard | C++, complex configuration | ⭐⭐⭐⭐⭐ |
| istio/istio | Full-featured | Very heavyweight | ⭐⭐⭐⭐ |
| linkerd/linkerd2 | Lightweight mesh | Rust, limited features | ⭐⭐⭐⭐ |
| solo-io/gloo | API gateway | More a gateway than a mesh | ⭐⭐⭐ |

- xDS API support
- Mesh control plane
- gRPC proxy support
- Traffic mirroring

A lightweight service mesh sidecar proxy with traffic management, circuit breaking, mTLS, and observability.
- L4/L7 Proxy: High-performance proxy supporting both TCP and HTTP traffic forwarding
- Traffic Management: Route requests based on path prefix, headers, HTTP methods, and regex patterns
- Traffic Mirroring: Asynchronously replicate traffic to mirror targets with configurable sampling rate
- Load Balancing: Multiple algorithms including Round Robin, Weighted Round Robin, Consistent Hash, and Least Connections
- Circuit Breaking: Three-state circuit breaker (Closed/Open/Half-Open) with failure rate and absolute threshold detection
- Retry with Backoff: Configurable retry with exponential backoff and jitter
- mTLS: Mutual TLS with automatic certificate generation, CA signing, and certificate rotation
- Service Discovery: Consul and Kubernetes service discovery with DNS fallback
- Observability: OpenTelemetry tracing, Prometheus metrics, and structured access logging

```
                 ┌───────────────────────────────────┐
                 │        Service Mesh Proxy         │
                 │                                   │
Request ────────►│  ┌──────────┐  ┌───────────────┐  │
                 │  │  Router  │─►│ Load Balancer │  │
                 │  └──────────┘  └───────────────┘  │
                 │       │                │          │
                 │  ┌──────────┐  ┌───────────────┐  │
                 │  │  Mirror  │  │Circuit Breaker│  │
                 │  └──────────┘  └───────────────┘  │
                 │       │                │          │
                 │  ┌──────────┐  ┌───────────────┐  │
                 │  │  Retry   │  │     mTLS      │  │
                 │  └──────────┘  └───────────────┘  │
                 │                                   │
                 │  ┌─────────────────────────────┐  │
                 │  │        Observability        │  │
                 │  │ Tracing │ Metrics │ Logging │  │
                 │  └─────────────────────────────┘  │
                 └───────────────────────────────────┘
                                   │
                                   ▼
                           Upstream Service
```

```bash
# Clone the repository
git clone https://github.com/gal111111/service-mesh-proxy.git
cd service-mesh-proxy

# Start with Docker Compose
docker-compose up -d

# Or build and run directly
go build -o service-mesh-proxy .
./service-mesh-proxy
```

Edit `config.yaml` to configure the proxy:

```yaml
listener:
  port: 15001
  tls_enabled: false   # TLS on the listener is disabled in this sample
discovery:
  type: consul
  consul_addr: "consul:8500"
circuit_breaker:
  failure_threshold: 5
  timeout: 30s
retry:
  max_retries: 3
  backoff_base: 2.0
  jitter: true
```

| Algorithm | Description |
|---|---|
| Round Robin | Evenly distributes requests across instances |
| Weighted Round Robin | Smooth weighted round robin for heterogeneous instances |
| Consistent Hash | Routes based on request hash for session affinity |
| Least Connections | Routes to the instance with fewest active connections |
- Closed: Normal operation, requests pass through
- Open: All requests rejected, waits for timeout period
- Half-Open: Allows limited requests to test if upstream has recovered
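
The three states above as a minimal Go state machine. This is an added example, not the project's code: the `Breaker` type, its fields and `ErrOpen` are hypothetical names, it trips only on a count of failures since the last success (mirroring `failure_threshold: 5` and `timeout: 30s` from the sample config, not the failure-rate detection), and it is not safe for concurrent use.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type State int
const (
	Closed State = iota
	Open
	HalfOpen
)
var ErrOpen = errors.New("circuit open: request rejected")

// Breaker is a hypothetical type for this example; not safe for concurrent use.
type Breaker struct {
	Threshold int              // failures since last success before opening (cf. failure_threshold)
	Timeout   time.Duration    // time spent Open before a probe is admitted (cf. timeout)
	Now       func() time.Time // injectable clock so tests need not sleep
	State     State
	failures  int
	openedAt  time.Time
}

// Call runs fn unless the breaker is Open and Timeout has not yet elapsed.
func (b *Breaker) Call(fn func() error) error {
	if b.State == Open {
		if b.Now().Sub(b.openedAt) < b.Timeout {
			return ErrOpen // fail fast: the upstream is not contacted
		}
		b.State = HalfOpen // timeout elapsed: admit a probe request
	}
	if err := fn(); err != nil {
		b.failures++
		if b.State == HalfOpen || b.failures >= b.Threshold {
			b.State, b.openedAt = Open, b.Now() // trip, or re-trip after a failed probe
		}
		return err
	}
	b.State, b.failures = Closed, 0 // success closes the circuit and resets the count
	return nil
}

func main() {
	b := &Breaker{Threshold: 5, Timeout: 30 * time.Second, Now: time.Now}
	for i := 0; i < 6; i++ { // constructed upstream that always fails
		fmt.Println(b.Call(func() error { return errors.New("upstream error") }))
	}
}
```

The sixth call is rejected with `ErrOpen` without invoking the upstream function, which is what keeps a failing dependency from absorbing further load.
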
- Tracing: OpenTelemetry with OTLP gRPC export
- Metrics: Prometheus endpoint at `:15000/metrics`
- Access Logs: Structured JSON access logging
MIT