diff --git a/Dockerfile b/Dockerfile.app
similarity index 100%
rename from Dockerfile
rename to Dockerfile.app
diff --git a/Dockerfile.envoy b/Dockerfile.envoy
new file mode 100644
index 0000000..4476103
--- /dev/null
+++ b/Dockerfile.envoy
@@ -0,0 +1,7 @@
+FROM envoyproxy/envoy:v1.35.0
+
+EXPOSE 8080 8443
+
+USER envoy
+
+CMD ["envoy", "-c", "/etc/envoy/envoy.yaml", "--log-level", "info"]
\ No newline at end of file
diff --git a/charts/eric-oss-hello-world-python-app/envoy.yaml b/charts/eric-oss-hello-world-python-app/envoy.yaml
new file mode 100644
index 0000000..104707d
--- /dev/null
+++ b/charts/eric-oss-hello-world-python-app/envoy.yaml
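Review bot: The base image `FROM envoyproxy/envoy:v1.35.0` is pinned by tag only, so rebuilds are not reproducible and a re-pushed tag would silently change the proxy binary that terminates mTLS; pin by digest as well, e.g. `FROM envoyproxy/envoy:v1.35.0@sha256:<digest-placeholder>`. The image also ships no configuration, so the `CMD` only works when something mounts `/etc/envoy/envoy.yaml` at runtime; a comment such as `# /etc/envoy/envoy.yaml and the TLS material are mounted at runtime (chart ConfigMap/Secrets); nothing is baked in` above the `CMD` would make that contract explicit. Running as `USER envoy` with both listeners above 1024 is the right choice and needs no change.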
@@ -0,0 +1,100 @@
+node:
+ id: {{ .Release.Name }}
+ cluster: python-hello-world
+
+static_resources:
+ listeners:
+ # HTTPS listener with mTLS
+ - name: listener_https
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 8443
+ filter_chains:
+ - transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+ require_client_certificate: true
+ common_tls_context:
+ tls_certificates:
+ - certificate_chain:
+ filename: "${ENVOY_APP_CERT_FILE_PATH}/${ENVOY_APP_CERT}"
+ private_key:
+ filename: "${ENVOY_APP_CERT_FILE_PATH}/${ENVOY_APP_KEY}"
+ validation_context:
+ trusted_ca:
+ filename: "${ENVOY_CA_CERT_FILE_PATH}/${ENVOY_CA_CERT_FILE_NAME}"
+ #match_subject_alt_names:
+ # - exact: "client.example.com"
+ filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: ingress_https_secure
+ access_log:
+ - name: envoy.access_loggers.stdout
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+ route_config:
+ name: local_route_https_secure
+ virtual_hosts:
+ - name: secure_service
+ domains: ["*"]
+ routes:
+ - match:
+ prefix: "/sample-app/python/hello"
+ route:
+ cluster: eric-oss-hello-world-python-cluster
+ http_filters:
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+ # HTTP listener that redirects to HTTPS
+ - name: listener_http
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 8080
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: ingress_http
+ access_log:
+ - name: envoy.access_loggers.stdout
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+ route_config:
+ name: local_route_http
+ virtual_hosts:
+ - name: backend_http
+ domains: ["*"]
+ routes:
+ - match:
+ prefix: "/sample-app/python/metrics"
+ route:
+ cluster: eric-oss-hello-world-python-cluster
+ - match:
+ prefix: "/sample-app/python/health"
+ route:
+ cluster: eric-oss-hello-world-python-cluster
+ http_filters:
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+ clusters:
+ - name: eric-oss-hello-world-python-cluster
+ type: STATIC
+ load_assignment:
+ cluster_name: eric-oss-hello-world-python-cluster
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 8050
\ No newline at end of file
diff --git a/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml b/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml
index 9c9867f..2eeedc2 100644
--- a/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml
+++ b/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml
@@ -11,3 +11,5 @@ metadata:
 data:
 LOG_CTRL_FILE: |-
 {{ .Files.Get "logcontrol.json" | indent 4}}
+ ENVOY_CONFIG_FILE: |-
+{{ .Files.Get "envoy.yaml" | indent 4 }}
\ No newline at end of file
diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
index 4aaea3c..2efdeb7 100644
--- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
+++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
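Review bot: The certificate paths are written as shell-style references (`filename: "${ENVOY_APP_CERT_FILE_PATH}/${ENVOY_APP_CERT}"` and the two sibling `filename` entries), but as far as I know Envoy does not expand environment variables inside its bootstrap file, so the listener would look for a file literally named `${ENVOY_APP_CERT_FILE_PATH}/...` and fail to start; either render the paths at chart level, or keep the env vars and run the config through envsubst in the container entrypoint. The comment `# HTTP listener that redirects to HTTPS` does not match the routes beneath it, which forward `/sample-app/python/metrics` and `/sample-app/python/health` to the cluster over plaintext rather than redirecting; either reword it to `# Plaintext listener: metrics and health only, no redirect` or add a redirect action (`redirect: { https_redirect: true }`) for everything else. With `match_subject_alt_names` left commented out, any client certificate issued by the trusted CA is accepted, which may be intended for a platform CA but should be stated; a one-line comment such as `# No SAN pinning: any cert chaining to the platform CA is accepted` (or enabling `match_typed_subject_alt_names`) would record the decision.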
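Review bot: `{{ .Files.Get "envoy.yaml" | indent 4 }}` returns the raw file contents without template rendering, so the `{{ .Release.Name }}` used for `node.id` in envoy.yaml is copied into the ConfigMap verbatim and Envoy will reject it (YAML reads `{{ ... }}` as a flow mapping). Pipe the file through `tpl` so it is rendered in the chart's context: `{{ tpl (.Files.Get "envoy.yaml") . | indent 4 }}`. The same applies to any other chart value the envoy.yaml file grows later.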
@@ -55,6 +55,12 @@ spec:
 items:
 - key: LOG_CTRL_FILE
 path: logcontrol.json
+ - name: envoy-volume
+ configMap:
+ name: {{ include "eric-oss-hello-world-python-app.name" . }}
+ items:
+ - key: ENVOY_CONFIG_FILE
+ path: envoy.yaml
 - name: platform-cacerts
 secret:
 secretName: {{ index .Values "platformCaCertSecretName" | quote }}
@@ -67,6 +73,14 @@ spec:
 secret:
 secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}
 defaultMode: 420
+ - name: sidecar-platform-cacerts
+ secret:
+ secretName: {{ index .Values "sidecarPlatformCaCertSecretName" | quote }}
+ defaultMode: 420
+ - name: sidecar-app-certs
+ secret:
+ secretName: {{ index .Values "sidecarAppSecretName" | quote }}
+ defaultMode: 420
 containers:
 - name: eric-oss-hello-world-python-app
 image: {{ template "eric-oss-hello-world-python-app.imagePath" (dict "imageId" "eric-oss-hello-world-python-app" "values" .Values "files" .Files) }}
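Review bot: The `sidecar-app-certs` volume holds the sidecar's private key and is mounted with `defaultMode: 420` (0644), so every process in the pod that can see the mount can read the key, not just the Envoy container's uid 1000. The existing cert volumes use the same mode, so this is consistent with the chart, but for key material a tighter mode such as `defaultMode: 0440` combined with a pod-level `fsGroup` matching the sidecar's `runAsGroup` would limit exposure; whether the platform's mount conventions allow that is something to confirm. A short comment on the volume, e.g. `# Envoy's own client/server key pair; keep readable only by the sidecar`, would also help the next reader.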
@@ -182,6 +196,89 @@ spec:
 {{- end }}
 resources:
 {{- toYaml .Values.resources.helloWorld | nindent 12 }}
+ - name: envoy
+ image: envoyproxy/envoy:v1.35.0
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ {{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }}
+ appArmorProfile:
+ type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }}
+ {{- end }}
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - all
+ {{- include "eric-oss-hello-world-python-app.seccomp-profile" . | indent 12 }}
+ env:
+ - name: ENVOY_CA_CERT_FILE_PATH
+ value: {{ index .Values "sidecarPlatformCaCertMountPath" | default .Values.instantiationDefaults.sidecarPlatformCaCertMountPath | quote }}
+ - name: ENVOY_CA_CERT_FILE_NAME
+ value: {{ index .Values "sidecarPlatformCaCertFileName" | quote }}
+ - name: ENVOY_APP_KEY
+ value: {{ index .Values "sidecarAppKeyFileName" | quote }}
+ - name: ENVOY_APP_CERT
+ value: {{ index .Values "sidecarAppCertFileName" | quote }}
+ - name: ENVOY_APP_CERT_FILE_PATH
+ value: {{ index .Values "sidecarAppCertMountPath" | default .Values.instantiationDefaults.sidecarAppCertMountPath | quote }}
+ args:
+ - /usr/local/bin/envoy
+ - -c
+ - /etc/envoy/envoy.yaml
+ - --log-level
+ - info
+ ports:
+ - name: envoy-http
+ containerPort: 8080
+ protocol: TCP
+ - name: envoy-https
+ containerPort: 8443
+ protocol: TCP
+ livenessProbe:
+ tcpSocket:
+ port: 8443
+ {{- if (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }}
+ {{ print "initialDelaySeconds: " (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }}
+ {{- end }}
+ {{- if (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }}
+ {{ print "failureThreshold: " (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }}
+ {{- end }}
+ {{- if (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }}
+ {{ print "periodSeconds: " (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }}
+ {{- end }}
+ {{- if (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }}
+ {{ print "timeoutSeconds: " (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }}
+ {{- end }}
+ readinessProbe:
+ tcpSocket:
+ port: 8443
+ {{- if (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }}
+ {{ print "initialDelaySeconds: " (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }}
+ {{- end }}
+ {{- if (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }}
+ {{ print "failureThreshold: " (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }}
+ {{- end }}
+ {{- if (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }}
+ {{ print "periodSeconds: " (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }}
+ {{- end }}
+ {{- if (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }}
+ {{ print "timeoutSeconds: " (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }}
+ {{- end }}
+ volumeMounts:
+ - name: envoy-volume
+ mountPath: /etc/envoy
+ readOnly: true
+ - name: sidecar-platform-cacerts
+ mountPath: {{ index .Values "sidecarPlatformCaCertMountPath" | default .Values.instantiationDefaults.sidecarPlatformCaCertMountPath | quote }}
+ readOnly: true
+ - name: sidecar-app-certs
+ mountPath: {{ index .Values "sidecarAppCertMountPath" | default .Values.instantiationDefaults.sidecarAppCertMountPath | quote }}
+ readOnly: true
 {{- if include "eric-oss-hello-world-python-app.pullSecrets" . }}
 imagePullSecrets:
 - name: {{ template "eric-oss-hello-world-python-app.pullSecrets" . }}
diff --git a/charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml b/charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml
deleted file mode 100644
index ca297c9..0000000
--- a/charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-{{- $fullName := include "eric-oss-hello-world-python-app.name" . -}}
-{{- $servicePort := .Values.service.port -}}
----
-apiVersion: networking.k8s.io/v1beta1
-kind: Ingress
-metadata:
- name: {{ $fullName }}
- labels:
- {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }}
- {{- if .Values.labels }}
- {{ .Values.labels | toYaml | indent 4 }}
- {{- end }}
- {{- with .Values.ingress }}
- annotations:
- {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
- {{- if .annotations }}
- {{ .annotations | toYaml | indent 4 }}
- {{- end }}
- {{- if .ingressClass }}
- kubernetes.io/ingress.class: {{.ingressClass }}
- {{- end -}}
- {{- end }}
-spec:
-{{- if .Values.ingress.tls }}
- tls:
- {{- range .Values.ingress.tls }}
- - hosts:
- {{- range .hosts }}
- - {{ . | quote }}
- {{- end }}
- secretName: {{ .secretName }}
- {{- end }}
-{{- end }}
- rules:
- - host: {{ .Values.ingress.host }}
- http:
- paths:
- - path: /
- backend:
- serviceName: {{ $fullName }}
- servicePort: {{ $servicePort }}
-{{- end }}
diff --git a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml
index d90cef5..0188b1c 100644
--- a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml
+++ b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml
@@ -15,10 +15,14 @@ spec:
 ipFamilies: [{{ .Values.global.internalIPFamily }}]
 {{- end }}
 ports:
- - port: {{ .Values.service.port }}
- targetPort: 8050
+ - port: {{ .Values.service.httpport }}
+ targetPort: 8080
 protocol: TCP
- name: http
+ name: envoy-http
+ - port: {{ .Values.service.httpsport }}
+ targetPort: 8443
+ protocol: TCP
+ name: envoy-https
 selector:
 app.kubernetes.io/name: {{ include "eric-oss-hello-world-python-app.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml
index 2c4b392..af3aafb 100644
--- a/charts/eric-oss-hello-world-python-app/values.yaml
+++ b/charts/eric-oss-hello-world-python-app/values.yaml
@@ -43,7 +43,8 @@ seccompProfile:
 service:
 type: ClusterIP
- port: 8050
+ httpport: 8080
+ httpsport: 8443
 ingress:
 enabled: false
@@ -116,6 +117,12 @@ probes:
 initialDelaySeconds: 60
 periodSeconds: 10
 timeoutSeconds: 10
+ envoy:
+ readinessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ timeoutSeconds: 10
 # Pod priority configuration for deployments
 podPriority:
@@ -127,6 +134,8 @@ instantiationDefaults:
 platformCaCertMountPath: "/etc/tls-ca/platform/"
 appCertMountPath: "/etc/tls/log/"
 clientCredsMountPath: "/etc/client-creds/"
+ sidecarPlatformCaCertMountPath: "/etc/sidecar-tls-ca/platform/"
+ sidecarAppCertMountPath: "/etc/sidecar-tls/log/"
 global:
 clientCredentials:
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..8ca1785
--- /dev/null
+++ b/docker-compose.yml
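Review bot: The Service port named `http` is renamed to `envoy-http` and `.Values.service.port` is replaced by `httpport`, which breaks any NetworkPolicy, ServiceMonitor or parent chart that selects the old port name or value; whether such consumers exist is not visible here, but the rename deserves a line in the chart's upgrade notes. After this change the Service no longer reaches the application on 8050 at all, so every in-cluster caller goes through Envoy, and the plaintext `envoy-http` port now serves only the `/metrics` and `/health` prefixes defined in envoy.yaml; a comment on the port, e.g. `# plaintext: metrics and health only, application traffic is served via envoy-https (mTLS)`, would keep that contract next to the exposed port.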
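Review bot: `httpport` and `httpsport` break the camelCase used by every other key in this file (`platformCaCertMountPath`, `initialDelaySeconds`), and the names give no hint that they are Envoy's listener ports rather than the application's. `httpPort: 8080` and `httpsPort: 8443`, with a comment `# Envoy sidecar listener ports; the app itself stays on 8050 behind the proxy`, would read consistently with the rest of the chart (the deployment and service templates reference these keys and would need the same rename).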
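Review bot: This hunk adds defaults for the two sidecar mount paths, but the deployment template also reads `sidecarPlatformCaCertSecretName`, `sidecarAppSecretName`, `sidecarPlatformCaCertFileName`, `sidecarAppKeyFileName` and `sidecarAppCertFileName`, none of which appear in the values.yaml changes; if they are not defined elsewhere in the file, `{{ index .Values "sidecarAppSecretName" | quote }}` renders an empty `secretName` and the pod cannot start. Add placeholders or documented defaults for those keys next to the mount paths, e.g. `sidecarAppSecretName: ""  # set at instantiation: Secret holding the Envoy key pair`, so a missing value fails at `helm template` time rather than at pod scheduling.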
@@ -0,0 +1,29 @@
+version: "3.9"
+
+services:
+ app:
+ build:
+ context: .
+ dockerfile: Dockerfile.app
+ args:
+ APP_VERSION: ${APP_VERSION}
+ image: proj-eric-oss-drop/eric-oss-hello-world-python-app:${APP_VERSION}
+ container_name: eric-oss-hello-world-python-app
+ ports:
+ - "8050:8050" # expose app port
+ restart: unless-stopped
+
+ envoy:
+ build:
+ context: .
+ dockerfile: Dockerfile.envoy
+ args:
+ APP_VERSION: ${APP_VERSION}
+ image: proj-eric-oss-drop/envoy:${APP_VERSION}
+ container_name: envoy
+ depends_on:
+ - app
+ ports:
+ - "8080:8080" # HTTP
+ - "8443:8443" # HTTPS
+ restart: unless-stopped
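Review bot: The `envoy` service declares no `volumes`, so nothing provides `/etc/envoy/envoy.yaml` or the certificate files the Dockerfile.envoy `CMD` expects, and the container will exit on startup; mount the chart's envoy.yaml (rendered, since it contains `{{ .Release.Name }}`) and the TLS material, or add a comment stating that this compose file is a build-only definition. Publishing `"8050:8050"` on the `app` service exposes the application directly on the host, bypassing the mTLS listener the sidecar exists to enforce; for local runs `expose: ["8050"]` (container-network only) or `"127.0.0.1:8050:8050"` keeps the proxy in the path. The `APP_VERSION` build arg is also passed to Dockerfile.envoy, which declares no `ARG`, so it is unused there and will produce a build warning.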