From 2570d32e8dc325f996d58264cc397552ab81e46d Mon Sep 17 00:00:00 2001 From: eonedar Date: Tue, 12 Aug 2025 15:18:09 +0100 Subject: [PATCH 1/7] initial POC commit Signed-off-by: eonedar --- Dockerfile | 3 +- .../certs/client-certs-curl-debug.yaml | 18 ++++ .../certs/client-certs-secret.yaml | 9 ++ .../envoy.yaml | 90 +++++++++++++++++++ .../templates/configmap/configmap.yaml | 2 + .../templates/deployment/deployment.yaml | 86 +++++++++++------- .../templates/service/service.yaml | 16 +++- 7 files changed, 189 insertions(+), 35 deletions(-) create mode 100644 charts/eric-oss-hello-world-python-app/certs/client-certs-curl-debug.yaml create mode 100644 charts/eric-oss-hello-world-python-app/certs/client-certs-secret.yaml create mode 100644 charts/eric-oss-hello-world-python-app/envoy.yaml diff --git a/Dockerfile b/Dockerfile index 6dca988..e3467dc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,5 @@ -FROM +FROM python:3.12-slim + ARG USER_ID=60577 ARG USER_NAME="eric-sdk" diff --git a/charts/eric-oss-hello-world-python-app/certs/client-certs-curl-debug.yaml b/charts/eric-oss-hello-world-python-app/certs/client-certs-curl-debug.yaml new file mode 100644 index 0000000..b6a56a6 --- /dev/null +++ b/charts/eric-oss-hello-world-python-app/certs/client-certs-curl-debug.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: client-certs-curl-debug +spec: + restartPolicy: Always + containers: + - name: curl-debug + image: curlimages/curl:latest + command: ["sleep", "infinity"] + volumeMounts: + - name: client-certs + mountPath: /etc/certs + readOnly: true + volumes: + - name: client-certs + secret: + secretName: client-certs diff --git a/charts/eric-oss-hello-world-python-app/certs/client-certs-secret.yaml b/charts/eric-oss-hello-world-python-app/certs/client-certs-secret.yaml new file mode 100644 index 0000000..2a33f69 --- /dev/null +++ b/charts/eric-oss-hello-world-python-app/certs/client-certs-secret.yaml 
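Review bot: The `curl-debug` container mounts the client certificate and key but declares no `securityContext`, so it runs with the image defaults (no `runAsNonRoot`, privilege escalation allowed, writable root filesystem) for as long as `command: ["sleep", "infinity"]` under `restartPolicy: Always` keeps it alive. `image: curlimages/curl:latest` is also unpinned, so the pod that holds the client key changes content on every pull; pin a fixed tag or digest. Giving this debug pod the same hardening the app container in `deployment.yaml` already has keeps it from being the weakest holder of the client key.
```yaml
  containers:
    - name: curl-debug
      image: curlimages/curl:latest  # pin to a fixed tag or digest
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
      # … unchanged: command and volumeMounts …
```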
@@ -0,0 +1,9 @@ +apiVersion: v1 +data: + ca.crt: xxxxxxxxx + client.crt: xxxxxxxxx + client.key: xxxxxxxxx +kind: Secret +metadata: + creationTimestamp: null + name: client-certs diff --git a/charts/eric-oss-hello-world-python-app/envoy.yaml b/charts/eric-oss-hello-world-python-app/envoy.yaml new file mode 100644 index 0000000..dcc57cc --- /dev/null +++ b/charts/eric-oss-hello-world-python-app/envoy.yaml 
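Review bot: The `data:` values `xxxxxxxxx` are not valid base64 (a length of 9 can never decode), so `kubectl apply` of this Secret is rejected by the API server until the placeholders are replaced with base64-encoded PEM, and nothing in the file says so. Either switch the block to `stringData:` so plain PEM can be pasted, or add a comment above `data:` such as `# Placeholder values: replace with base64 of ca.crt / client.crt / client.key (e.g. kubectl create secret generic client-certs --from-file=...)`. `creationTimestamp: null` is `kubectl` output noise and can be dropped.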
@@ -0,0 +1,90 @@ +admin: + address: + socket_address: + address: 0.0.0.0 + port_value: 9901 + +static_resources: + listeners: + # TLS listener for mTLS endpoint + - name: hello_world_python_tls + address: + socket_address: + address: 0.0.0.0 + port_value: 8443 + filter_chains: + - transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + require_client_certificate: true + common_tls_context: + tls_certificates: + - certificate_chain: + filename: "/etc/envoy/certs/server.crt" + private_key: + filename: "/etc/envoy/certs/server.key" + validation_context: + trusted_ca: + filename: "/etc/envoy/certs/ca.crt" + filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http_secure + route_config: + virtual_hosts: + - name: secure_service + domains: ["*"] + routes: + - match: + path: "/sample-app/python/hello" + route: + cluster: hello-world-python-cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Plain HTTP listener for other endpoints + - name: hello_world_python_plain + address: + socket_address: + address: 0.0.0.0 + port_value: 8080 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http_plain + route_config: + virtual_hosts: + - name: plain_service + domains: ["*"] + routes: + - match: + path: "/sample-app/python/health" + route: + cluster: hello-world-python-cluster + - match: + path: "/sample-app/python/metrics" + route: + cluster: hello-world-python-cluster + http_filters: + - name: envoy.filters.http.router + 
typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + clusters: + - name: hello-world-python-cluster + type: STATIC + load_assignment: + cluster_name: hello-world-python-service + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 8050 diff --git a/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml b/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml index 9c9867f..c0fbc7f 100644 --- a/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml @@ -11,3 +11,5 @@ metadata: data: LOG_CTRL_FILE: |- {{ .Files.Get "logcontrol.json" | indent 4}} + ENVOY_CONFIG_FILE: |- +{{ .Files.Get "envoy.yaml" | indent 4}} diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml index 4aaea3c..682cf9c 100644 --- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml 
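Review bot: The `admin:` block binds Envoy's admin interface to `address: 0.0.0.0` on `port_value: 9901`, so the admin API (config dump, runtime log-level changes, listener drain and shutdown) is reachable from any peer that can reach the pod IP, and `deployment.yaml` additionally declares it as containerPort `admin`. Bind it to loopback with `address: 127.0.0.1` and drop the `admin` containerPort unless something in the cluster consumes it. The same `0.0.0.0:9901` binding is carried forward unchanged into the `envoy.yaml` key of `templates/configmap/configmap-envoy.yaml` in patch 6, which is the file that survives this series.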
@@ -36,9 +36,9 @@ spec: app.kubernetes.io/instance: {{ .Release.Name }} service.cleartext/scraping: "true" annotations: - {{- if not (semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion) }} - container.apparmor.security.beta.kubernetes.io/eric-oss-hello-world-python-app: {{ include "eric-oss-hello-world-python-app.appArmorProfileAnnotation" . | default "runtime/default" }} - {{- end }} +{{/* {{- if not (semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion) }}*/}} +{{/* container.apparmor.security.beta.kubernetes.io/eric-oss-hello-world-python-app: {{ include "eric-oss-hello-world-python-app.appArmorProfileAnnotation" . | default "runtime/default" }}*/}} +{{/* {{- end }}*/}} prometheus.io/port: "{{ .Values.service.port }}" prometheus.io/scrape: "{{ .Values.prometheus.scrape }}" prometheus.io/path: "{{ .Values.prometheus.path }}" 
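Review bot: Wrapping the AppArmor annotation under `annotations:` in `{{/* */}}` removes the `runtime/default` profile from the app container on clusters below 1.30, and the `appArmorProfile` block in the container `securityContext` is disabled the same way in the next hunk (`-49,33 +49,58`), so the workload loses AppArmor confinement on every Kubernetes version rather than only on the POC target. If the profile must come off for the POC, record why in a comment and track the restoration instead of leaving template text commented out. The same delete-rather-than-comment-out applies to the other `{{/* */}}` blocks this series introduces in `deployment.yaml` and `service.yaml`.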
@@ -49,33 +49,58 @@ spec: priorityClassName: {{ (index .Values "podPriority" "eric-oss-hello-world-python-app" "priorityClassName") }} {{- end }} volumes: + - name: envoy-certs + secret: + secretName: envoy-mtls - name: config-volume configMap: name: {{ include "eric-oss-hello-world-python-app.name" . }} items: - key: LOG_CTRL_FILE path: logcontrol.json - - name: platform-cacerts - secret: - secretName: {{ index .Values "platformCaCertSecretName" | quote }} - defaultMode: 420 - - name: app-certs - secret: - secretName: {{ index .Values "appSecretName" | quote }} - defaultMode: 420 - - name: client-creds - secret: - secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }} - defaultMode: 420 + - key: ENVOY_CONFIG_FILE + path: envoy.yaml +{{/* - name: platform-cacerts*/}} +{{/* secret:*/}} +{{/* secretName: {{ index .Values "platformCaCertSecretName" | quote }}*/}} +{{/* defaultMode: 420*/}} +{{/* - name: app-certs*/}} +{{/* secret:*/}} +{{/* secretName: {{ index .Values "appSecretName" | quote }}*/}} +{{/* defaultMode: 420*/}} +{{/* - name: client-creds*/}} +{{/* secret:*/}} +{{/* secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}*/}} +{{/* defaultMode: 420*/}} containers: + - name: envoy + image: envoyproxy/envoy:v1.35.0 +{{/* restartPolicy: Always*/}} + ports: + - containerPort: 8080 + name: envoy-http + protocol: TCP + - containerPort: 8443 + name: envoy-https + protocol: TCP + - containerPort: 9901 + name: admin + args: [ "-c", "/etc/envoy/envoy.yaml" ] + volumeMounts: + - mountPath: /etc/envoy + name: config-volume + + - name: envoy-certs + mountPath: /etc/envoy/certs + readOnly: true - name: eric-oss-hello-world-python-app image: {{ template "eric-oss-hello-world-python-app.imagePath" (dict "imageId" "eric-oss-hello-world-python-app" "values" .Values "files" .Files) }} imagePullPolicy: {{ include "eric-oss-hello-world-python-app.registryImagePullPolicy" . 
| quote }} securityContext: - {{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }} - appArmorProfile: - type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }} - {{- end }} +{{/* {{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }} */}} +{{/* appArmorProfile:*/}} +{{/* type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }}*/}} +{{/* {{- end }}*/}} allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true @@ -85,17 +110,18 @@ spec: - all {{- include "eric-oss-hello-world-python-app.seccomp-profile" . | indent 12 }} volumeMounts: - - name: config-volume - mountPath: /etc/adp - - name: platform-cacerts - mountPath: {{ index .Values "platformCaCertMountPath" | default .Values.instantiationDefaults.platformCaCertMountPath | quote }} - readOnly: true - - name: app-certs - mountPath: {{ index .Values "appCertMountPath" | default .Values.instantiationDefaults.appCertMountPath | quote }} - readOnly: true - - name: client-creds - mountPath: {{ index .Values "clientCredsMountPath" | default .Values.instantiationDefaults.clientCredsMountPath | quote }} - readOnly: true +{{/* - name: config-volume*/}} +{{/* mountPath: /etc/adp*/}} +{{/* - name: platform-cacerts*/}} +{{/* mountPath: {{ index .Values "platformCaCertMountPath" | default .Values.instantiationDefaults.platformCaCertMountPath | quote }}*/}} +{{/* readOnly: true*/}} +{{/* - name: app-certs*/}} +{{/* mountPath: {{ index .Values "appCertMountPath" | default .Values.instantiationDefaults.appCertMountPath | quote }}*/}} +{{/* readOnly: true*/}} +{{/* - name: client-creds*/}} +{{/* mountPath: {{ index .Values "clientCredsMountPath" | default .Values.instantiationDefaults.clientCredsMountPath | quote }}*/}} +{{/* readOnly: true*/}} + env: - name: IAM_CLIENT_ID value: {{ index .Values "clientId" | quote }} 
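Review bot: The new `envoy` container under `containers:` has no `securityContext`, while the app container a few lines below sets `allowPrivilegeEscalation: false`, `privileged: false`, `readOnlyRootFilesystem: true` and drops all capabilities; the sidecar that terminates TLS and holds `server.key` is therefore the least-hardened process in the pod. It also has no `resources` block, so it is unbounded relative to the app container. Apply the same securityContext (adding `runAsUser` if the image's default user is root — confirm against the image) and a `resources` stanza; if the image needs a writable path under a read-only root, give it an `emptyDir`. The enclosing `spec:` continues outside the hunk.
```yaml
      containers:
        - name: envoy
          image: envoyproxy/envoy:v1.35.0
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - all
          # … unchanged: ports, args, volumeMounts …
```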
diff --git a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml index d90cef5..36f2427 100644 --- a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "eric-oss-hello-world-python-app.name" . }} + name: {{ include "eric-oss-hello-world-python-app.name" . }}-service labels: {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }} {{- if .Values.labels }} @@ -15,10 +15,18 @@ spec: ipFamilies: [{{ .Values.global.internalIPFamily }}] {{- end }} ports: - - port: {{ .Values.service.port }} - targetPort: 8050 +{{/* - port: {{ .Values.service.port }}*/}} +{{/* targetPort: 8050*/}} +{{/* protocol: TCP*/}} +{{/* name: http*/}} + - port: 8080 + name: envoy-http-svc + targetPort: 8080 + protocol: TCP + - port: 8443 + name: envoy-https-svc + targetPort: 8443 protocol: TCP - name: http selector: app.kubernetes.io/name: {{ include "eric-oss-hello-world-python-app.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} From b3b3a27353753ac9c20975b9a40403bdb5b3c985 Mon Sep 17 00:00:00 2001 From: eonedar Date: Wed, 13 Aug 2025 10:55:45 +0100 Subject: [PATCH 2/7] added envoy-mtls-secret.yaml Signed-off-by: eonedar --- .../templates/secret/envoy-mtls-secret.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml diff --git a/charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml b/charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml new file mode 100644 index 0000000..8e57c95 --- /dev/null +++ b/charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml 
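Review bot: Appending `-service` to the Service name changes the DNS name other resources resolve, and the chart's `ingress.yaml` (still present at this commit) builds its backend from the un-suffixed `$fullName`, so with `ingress.enabled` the backend points at a Service that no longer exists. Either keep the original name or update `ingress.yaml` and any other consumer of the bare chart name in the same commit. The pod still advertises `prometheus.io/port: "{{ .Values.service.port }}"` (8050) while the Service now publishes only 8080 and 8443; if scraping is meant to go through Envoy's plain listener, that annotation should say `"8080"`, otherwise leave a comment stating that Prometheus scrapes the pod port directly.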
@@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: envoy-mtls + namespace: default +type: Opaque +data: + server.crt: {{ .Files.Get "certs/server.crt" | b64enc }} + server.key: {{ .Files.Get "certs/server.key" | b64enc }} + ca.crt: {{ .Files.Get "certs/ca.crt" | b64enc }} From c272c92bab4d0db1ecdf2d16caab6cee3ddfc82c Mon Sep 17 00:00:00 2001 From: Mihai Laurentiu Bocioroaga Date: Wed, 13 Aug 2025 13:22:17 +0100 Subject: [PATCH 3/7] Add cert paths to .gitignore --- .gitignore | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.gitignore b/.gitignore index 68bc17f..ab56429 100644 --- a/.gitignore +++ b/.gitignore @@ -158,3 +158,8 @@ cython_debug/ # and can be added to the global gitignore or merged into this file. For a more nuclear # option (not recommended) you can uncomment the following to ignore the entire idea folder. #.idea/ + +# Self-signed certs for testing +charts/eric-oss-hello-world-python-app/certs/*.crt +charts/eric-oss-hello-world-python-app/certs/*.key +charts/eric-oss-hello-world-python-app/certs/*.pem \ No newline at end of file From ae8d2a16c5cf71a82b777cb4116a4b6eb51e5642 Mon Sep 17 00:00:00 2001 
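Review bot: `namespace: default` is hardcoded in the Secret's metadata, so the rendered Secret lands in `default` regardless of the release namespace while the Deployment that mounts `envoy-mtls` is created in the release namespace, leaving the mount unresolved everywhere except `default` and placing the server private key in a namespace the release does not own. Use `namespace: {{ .Release.Namespace }}` or omit the field. `.Files.Get` returns an empty string when a file is missing, so an absent `certs/server.key` renders as an empty `server.key` instead of failing; wrap each value with `required`, e.g. `server.key: {{ .Files.Get "certs/server.key" | required "certs/server.key is missing" | b64enc }}`. The same hardcoded namespace survives patch 4's rewrite of this file. Note that the key material becomes part of the chart package and of the Helm release record, so this path should only ever carry the self-signed test material that patch 3 gitignores.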
From: Mihai Laurentiu Bocioroaga Date: Wed, 13 Aug 2025 14:24:42 +0100 Subject: [PATCH 4/7] Add mounting of secrets with optional minikube profile in Values which will automatically bring up self-signed certs for testing --- .gitignore | 6 +- ...ient-certs-secret.yaml => curl-certs.yaml} | 8 +- ...client-certs-curl-debug.yaml => curl.yaml} | 10 +-- .../envoy.yaml | 90 ------------------- .../templates/configmap/configmap.yaml | 15 ---- .../templates/deployment/deployment.yaml | 41 ++++++--- .../templates/ingress/ingress.yaml | 43 --------- .../network-policy/network-policy.yaml | 15 +++- .../templates/secret/envoy-mtls-secret.yaml | 5 +- .../values.yaml | 22 ++--- 10 files changed, 67 insertions(+), 188 deletions(-) rename charts/eric-oss-hello-world-python-app/certs/{client-certs-secret.yaml => curl-certs.yaml} (86%) rename charts/eric-oss-hello-world-python-app/certs/{client-certs-curl-debug.yaml => curl.yaml} (64%) delete mode 100644 charts/eric-oss-hello-world-python-app/envoy.yaml delete mode 100644 charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml delete mode 100644 charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml diff --git a/.gitignore b/.gitignore index ab56429..1d6f3b2 100644 --- a/.gitignore +++ b/.gitignore @@ -160,6 +160,6 @@ cython_debug/ #.idea/ # Self-signed certs for testing -charts/eric-oss-hello-world-python-app/certs/*.crt -charts/eric-oss-hello-world-python-app/certs/*.key -charts/eric-oss-hello-world-python-app/certs/*.pem \ No newline at end of file +*.crt +*.key +*.pem \ No newline at end of file diff --git a/charts/eric-oss-hello-world-python-app/certs/client-certs-secret.yaml b/charts/eric-oss-hello-world-python-app/certs/curl-certs.yaml similarity index 86% rename from charts/eric-oss-hello-world-python-app/certs/client-certs-secret.yaml rename to charts/eric-oss-hello-world-python-app/certs/curl-certs.yaml index 2a33f69..dde7b70 100644 
--- a/charts/eric-oss-hello-world-python-app/certs/client-certs-secret.yaml +++ b/charts/eric-oss-hello-world-python-app/certs/curl-certs.yaml @@ -1,9 +1,9 @@ apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + name: curl-certs data: ca.crt: xxxxxxxxx client.crt: xxxxxxxxx client.key: xxxxxxxxx -kind: Secret -metadata: - creationTimestamp: null - name: client-certs diff --git a/charts/eric-oss-hello-world-python-app/certs/client-certs-curl-debug.yaml b/charts/eric-oss-hello-world-python-app/certs/curl.yaml similarity index 64% rename from charts/eric-oss-hello-world-python-app/certs/client-certs-curl-debug.yaml rename to charts/eric-oss-hello-world-python-app/certs/curl.yaml index b6a56a6..975fa5f 100644 --- a/charts/eric-oss-hello-world-python-app/certs/client-certs-curl-debug.yaml +++ b/charts/eric-oss-hello-world-python-app/certs/curl.yaml @@ -1,18 +1,18 @@ apiVersion: v1 kind: Pod metadata: - name: client-certs-curl-debug + name: curl spec: restartPolicy: Always containers: - - name: curl-debug + - name: curl image: curlimages/curl:latest command: ["sleep", "infinity"] volumeMounts: - - name: client-certs + - name: curl-certs mountPath: /etc/certs readOnly: true volumes: - - name: client-certs + - name: curl-certs secret: - secretName: client-certs + secretName: curl-certs diff --git a/charts/eric-oss-hello-world-python-app/envoy.yaml b/charts/eric-oss-hello-world-python-app/envoy.yaml deleted file mode 100644 index dcc57cc..0000000 --- a/charts/eric-oss-hello-world-python-app/envoy.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ -admin: - address: - socket_address: - address: 0.0.0.0 - port_value: 9901 - -static_resources: - listeners: - # TLS listener for mTLS endpoint - - name: hello_world_python_tls - address: - socket_address: - address: 0.0.0.0 - port_value: 8443 - filter_chains: - - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - require_client_certificate: true - common_tls_context: - tls_certificates: - - certificate_chain: - filename: "/etc/envoy/certs/server.crt" - private_key: - filename: "/etc/envoy/certs/server.key" - validation_context: - trusted_ca: - filename: "/etc/envoy/certs/ca.crt" - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http_secure - route_config: - virtual_hosts: - - name: secure_service - domains: ["*"] - routes: - - match: - path: "/sample-app/python/hello" - route: - cluster: hello-world-python-cluster - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - # Plain HTTP listener for other endpoints - - name: hello_world_python_plain - address: - socket_address: - address: 0.0.0.0 - port_value: 8080 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http_plain - route_config: - virtual_hosts: - - name: plain_service - domains: ["*"] - routes: - - match: - path: "/sample-app/python/health" - route: - cluster: hello-world-python-cluster - - match: - path: "/sample-app/python/metrics" - route: - cluster: hello-world-python-cluster - http_filters: - - name: envoy.filters.http.router - 
typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - clusters: - - name: hello-world-python-cluster - type: STATIC - load_assignment: - cluster_name: hello-world-python-service - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: 127.0.0.1 - port_value: 8050 diff --git a/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml b/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml deleted file mode 100644 index c0fbc7f..0000000 --- a/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "eric-oss-hello-world-python-app.name" . }} - labels: - {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }} - {{- if .Values.labels }} - {{ .Values.labels | toYaml | indent 4 }} - {{- end }} - annotations: {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }} -data: - LOG_CTRL_FILE: |- -{{ .Files.Get "logcontrol.json" | indent 4}} - ENVOY_CONFIG_FILE: |- -{{ .Files.Get "envoy.yaml" | indent 4}} diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml index 682cf9c..167f6cd 100644 --- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml 
@@ -49,16 +49,22 @@ spec: priorityClassName: {{ (index .Values "podPriority" "eric-oss-hello-world-python-app" "priorityClassName") }} {{- end }} volumes: + {{- if eq .Values.profile "minikube" }} - name: envoy-certs secret: - secretName: envoy-mtls + secretName: envoy-mtls-secret + {{- end }} - name: config-volume configMap: - name: {{ include "eric-oss-hello-world-python-app.name" . }} + name: {{ include "eric-oss-hello-world-python-app.name" . }}-log-ctrl items: - key: LOG_CTRL_FILE path: logcontrol.json - - key: ENVOY_CONFIG_FILE + - name: envoy-config + configMap: + name: {{ include "eric-oss-hello-world-python-app.name" . }}-envoy-configmap + items: + - key: envoy.yaml path: envoy.yaml {{/* - name: platform-cacerts*/}} {{/* secret:*/}} @@ -75,6 +81,7 @@ spec: containers: - name: envoy image: envoyproxy/envoy:v1.35.0 + args: [ "-c", "/etc/envoy/envoy.yaml" ] {{/* restartPolicy: Always*/}} ports: - containerPort: 8080 @@ -85,11 +92,9 @@ spec: protocol: TCP - containerPort: 9901 name: admin - args: [ "-c", "/etc/envoy/envoy.yaml" ] volumeMounts: - - mountPath: /etc/envoy - name: config-volume - + - name: envoy-config + mountPath: /etc/envoy - name: envoy-certs mountPath: /etc/envoy/certs readOnly: true @@ -107,9 +112,9 @@ spec: runAsNonRoot: true capabilities: drop: - - all + - all {{- include "eric-oss-hello-world-python-app.seccomp-profile" . | indent 12 }} - volumeMounts: +{{/* volumeMounts:*/}} {{/* - name: config-volume*/}} {{/* mountPath: /etc/adp*/}} {{/* - name: platform-cacerts*/}} @@ -134,7 +139,7 @@ spec: - name: CA_CERT_FILE_PATH value: {{ index .Values "platformCaCertMountPath" | default .Values.instantiationDefaults.platformCaCertMountPath | quote }} - name: CA_CERT_FILE_NAME - value: {{ index .Values "platformCaCertFileName" | quote }} + value: {{ index .Values "platformCaCertFileName" | quote }} - name: APP_KEY value: {{ index .Values "appKeyFileName" | quote }} - name: APP_CERT 
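Review bot: The `envoy-certs` volume is now wrapped in `{{- if eq .Values.profile "minikube" }}`, but the `envoy` container's `volumeMounts` entry for `envoy-certs` (hunk `-85,11 +92,9`) is still unconditional, so for any other profile the rendered Pod template references a volume that does not exist and is rejected at validation. Even with the mount gated, the TLS listener in the Envoy ConfigMap still expects `/etc/envoy/certs/*`, which no non-minikube profile supplies, so Envoy would fail to start there. Wrap the mount in the same condition for now, `{{- if eq .Values.profile "minikube" }}` … `{{- end }}`, and track a non-minikube certificate source (a constructed example: a new value like `envoy.certSecretName` naming a platform-issued Secret) before this leaves POC. `readOnly: true` on the mount is correct; keep it.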
@@ -208,6 +213,22 @@ spec: {{- end }} resources: {{- toYaml .Values.resources.helloWorld | nindent 12 }} +{{/* initContainers:*/}} +{{/* - name: envoy*/}} +{{/* image: envoyproxy/envoy:v1.35.0*/}} +{{/* restartPolicy: Always*/}} +{{/* ports:*/}} +{{/* - containerPort: 8080*/}} +{{/* - containerPort: 8443*/}} +{{/* - containerPort: 9901*/}} +{{/* args: [ "-c", "/etc/envoy/envoy.yaml" ]*/}} +{{/* volumeMounts:*/}} +{{/* - mountPath: /etc/envoy*/}} +{{/* name: config-volume*/}} + +{{/* - name: envoy-certs*/}} +{{/* mountPath: /etc/envoy/certs*/}} +{{/* readOnly: true*/}} {{- if include "eric-oss-hello-world-python-app.pullSecrets" . }} imagePullSecrets: - name: {{ template "eric-oss-hello-world-python-app.pullSecrets" . }} diff --git a/charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml b/charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml deleted file mode 100644 index ca297c9..0000000 --- a/charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "eric-oss-hello-world-python-app.name" . -}} -{{- $servicePort := .Values.service.port -}} ---- -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }} - {{- if .Values.labels }} - {{ .Values.labels | toYaml | indent 4 }} - {{- end }} - {{- with .Values.ingress }} - annotations: - {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }} - {{- if .annotations }} - {{ .annotations | toYaml | indent 4 }} - {{- end }} - {{- if .ingressClass }} - kubernetes.io/ingress.class: {{.ingressClass }} - {{- end -}} - {{- end }} -spec: -{{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} -{{- end }} - rules: - - host: {{ .Values.ingress.host }} - http: - paths: - - path: / - backend: - serviceName: {{ $fullName }} - servicePort: {{ $servicePort }} -{{- end }} diff --git a/charts/eric-oss-hello-world-python-app/templates/network-policy/network-policy.yaml b/charts/eric-oss-hello-world-python-app/templates/network-policy/network-policy.yaml index 142bfe7..e42978b 100644 --- a/charts/eric-oss-hello-world-python-app/templates/network-policy/network-policy.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/network-policy/network-policy.yaml @@ -12,7 +12,10 @@ metadata: spec: podSelector: matchLabels: - app: eric-oss-hello-world-python-app + app.kubernetes.io/name: {{ include "eric-oss-hello-world-python-app.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress ingress: - from: - podSelector: 
@@ -24,6 +27,12 @@ spec: - podSelector: matchLabels: app: eric-pm-server + {{- if eq .Values.profile "minikube" }} + - podSelector: + matchLabels: + run: curl + {{- end }} ports: - - port: {{ .Values.service.port }} - + - port: 8080 # Envoy HTTP + - port: 8443 # Envoy HTTPS + - port: {{ .Values.service.port }} # Optional: app port (e.g., 8050) diff --git a/charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml b/charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml index 8e57c95..a7dbdf4 100644 --- a/charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml @@ -1,10 +1,13 @@ +{{/* Create a secret with self-signed certs only if we are using the minikube profile. */}} +{{- if eq .Values.profile "minikube" }} apiVersion: v1 kind: Secret metadata: - name: envoy-mtls + name: envoy-mtls-secret namespace: default type: Opaque data: server.crt: {{ .Files.Get "certs/server.crt" | b64enc }} server.key: {{ .Files.Get "certs/server.key" | b64enc }} ca.crt: {{ .Files.Get "certs/ca.crt" | b64enc }} +{{-end }} \ No newline at end of file diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml index 2c4b392..5757bd0 100644 --- a/charts/eric-oss-hello-world-python-app/values.yaml +++ b/charts/eric-oss-hello-world-python-app/values.yaml @@ -1,6 +1,8 @@ # Default values for eric-oss-hello-world-python-app. # This is a YAML-formatted file. # Declare variables to be passed into your templates. +profile: "default" + global: timezone: UTC registry: @@ -45,18 +47,6 @@ service: type: ClusterIP port: 8050 -ingress: - enabled: false - ingressClass: OAM-IngressClass - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - host: "" - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - resources: helloWorld: limits: 
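Review bot: The new `ports:` list allows `{{ .Values.service.port }}` (8050, the application's own listener) from every peer in the `from:` list, so any allowed peer can call the application directly and bypass the client-certificate check Envoy enforces on 8443; the sidecar only adds protection if 8050 stays reachable from loopback alone. Drop the third port entry, or restrict it to the Prometheus peer if scraping needs it, and reword the inline comment accordingly. The minikube `podSelector` matches `run: curl`, but the `curl.yaml` Pod renamed in this same patch has only `metadata.name: curl` and no labels, so the selector matches nothing unless the pod is created with `kubectl run`; add `labels: {run: curl}` to that manifest or select on a label it actually carries.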
@@ -102,18 +92,22 @@ prometheus: scrape: true path: "/sample-app/python/metrics" +envoy: + certFileName: "server.crt" + keyFileName: "server.key" + terminationGracePeriodSeconds: 30 probes: eric-oss-hello-world-python-app: livenessProbe: failureThreshold: 3 - initialDelaySeconds: 60 + initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 10 readinessProbe: failureThreshold: 3 - initialDelaySeconds: 60 + initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 10 From 2649714f1f45daa198978db56f796ef97706832a Mon Sep 17 00:00:00 2001 From: Mihai Bocioroaga Date: Wed, 13 Aug 2025 14:42:05 +0100 Subject: [PATCH 5/7] Revert accidental Dockerfile change --- Dockerfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index e3467dc..9437945 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,4 @@ -FROM python:3.12-slim - +FROM ARG USER_ID=60577 ARG USER_NAME="eric-sdk" @@ -23,4 +22,4 @@ RUN echo "$USER_ID:!::0:::::" >>/etc/shadow USER $USER_ID -CMD ["./eric-oss-hello-world-python-app/main.py"] \ No newline at end of file +CMD ["./eric-oss-hello-world-python-app/main.py"] From 6c7fd2cc766b21270c343371c76f0f04c9fd7d07 Mon Sep 17 00:00:00 2001 From: Mihai Laurentiu Bocioroaga Date: Wed, 13 Aug 2025 15:29:06 +0100 Subject: [PATCH 6/7] Add configmaps which I forgot to track in my last commit --- .../templates/configmap/configmap-envoy.yaml | 105 ++++++++++++++++++ .../configmap/configmap-log-ctrl.yaml | 13 +++ 2 files changed, 118 insertions(+) create mode 100644 charts/eric-oss-hello-world-python-app/templates/configmap/configmap-envoy.yaml create mode 100644 charts/eric-oss-hello-world-python-app/templates/configmap/configmap-log-ctrl.yaml diff --git a/charts/eric-oss-hello-world-python-app/templates/configmap/configmap-envoy.yaml b/charts/eric-oss-hello-world-python-app/templates/configmap/configmap-envoy.yaml new file mode 100644 index 0000000..82a13a0 --- /dev/null 
+++ b/charts/eric-oss-hello-world-python-app/templates/configmap/configmap-envoy.yaml 
@@ -0,0 +1,105 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "eric-oss-hello-world-python-app.name" . }}-envoy-configmap + labels: + {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }} + {{- if .Values.labels }} + {{ .Values.labels | toYaml | indent 4 }} + {{- end }} + annotations: {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }} +data: + envoy.yaml: | + node: + id: {{ .Release.Name }} + cluster: python-hello-world + admin: + address: + socket_address: + address: 0.0.0.0 + port_value: 9901 + static_resources: + listeners: + - name: listener_https + address: + socket_address: + address: 0.0.0.0 + port_value: 8443 + filter_chains: + - transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + require_client_certificate: true + common_tls_context: + tls_certificates: + - certificate_chain: + filename: "/etc/envoy/certs/{{ index .Values.envoy "certFileName" }}" + private_key: + filename: "/etc/envoy/certs/{{ index .Values.envoy "keyFileName" }}" + validation_context: + trusted_ca: + filename: "/etc/envoy/certs/ca.crt" + #For more stricter validation on SAN, uncomment the below and set match_subject_alt_names + #match_subject_alt_names: + # - exact: "client.example.com" + filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_https_secure + route_config: + name: local_route_https_secure + virtual_hosts: + - name: secure_service + domains: ["*"] + routes: + - match: + prefix: "/sample-app/python/hello" + route: + cluster: eric-oss-hello-world-python-cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + - name: listener_http + address: + 
socket_address: + address: 0.0.0.0 + port_value: 8080 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + route_config: + name: local_route_http + virtual_hosts: + - name: backend_http + domains: ["*"] + routes: + - match: + prefix: "/sample-app/python/metrics" + route: + cluster: eric-oss-hello-world-python-cluster + - match: + prefix: "/sample-app/python/health" + route: + cluster: eric-oss-hello-world-python-cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + clusters: + - name: eric-oss-hello-world-python-cluster + type: STATIC + load_assignment: + cluster_name: eric-oss-hello-world-python-service + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 8050 \ No newline at end of file diff --git a/charts/eric-oss-hello-world-python-app/templates/configmap/configmap-log-ctrl.yaml b/charts/eric-oss-hello-world-python-app/templates/configmap/configmap-log-ctrl.yaml new file mode 100644 index 0000000..f522541 --- /dev/null +++ b/charts/eric-oss-hello-world-python-app/templates/configmap/configmap-log-ctrl.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "eric-oss-hello-world-python-app.name" . }}-log-ctrl + labels: + {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }} + {{- if .Values.labels }} + {{ .Values.labels | toYaml | indent 4 }} + {{- end }} + annotations: {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }} +data: + LOG_CTRL_FILE: |- +{{ .Files.Get "logcontrol.json" | indent 4}} From 0bea7177c440b88bf424027258946b78d2b8ef12 Mon Sep 17 00:00:00 2001 
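Review bot: The `validation_context` of `listener_https` trusts any certificate that chains to `ca.crt`, so every holder of a certificate from that CA is accepted, and the comment pointing readers at `match_subject_alt_names` names a field that is deprecated in the v3 API in favour of `match_typed_subject_alt_names`; reword it to `# For stricter client validation, set match_typed_subject_alt_names to the expected client identity`. `ca.crt` is still a hardcoded filename while `certFileName` and `keyFileName` come from `.Values.envoy`; parameterise it the same way for consistency. The `filename:` values interpolate `.Values.envoy` entries into a double-quoted string inside the block scalar, so a value containing `"` or path separators changes the file Envoy opens — add a short comment stating these must be plain file names.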
From: Mihai Laurentiu Bocioroaga Date: Wed, 13 Aug 2025 15:44:34 +0100 Subject: [PATCH 7/7] Fix syntax error in Helm if statement --- .../templates/secret/envoy-mtls-secret.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml b/charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml index a7dbdf4..6121cf6 100644 --- a/charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml @@ -10,4 +10,4 @@ data: server.crt: {{ .Files.Get "certs/server.crt" | b64enc }} server.key: {{ .Files.Get "certs/server.key" | b64enc }} ca.crt: {{ .Files.Get "certs/ca.crt" | b64enc }} -{{-end }} \ No newline at end of file +{{- end }} \ No newline at end of file