From ea2d8f379d8cd763cfe066d310066a0e8c8b64b6 Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Mon, 11 Aug 2025 21:05:09 +0100 Subject: [PATCH 1/6] mtls sef --- .../templates/deployment/deployment.yaml | 42 +++++++++++ .../templates/envoy/envoy-configmap.yaml | 73 +++++++++++++++++++ .../templates/ingress/ingress.yaml | 43 ----------- 3 files changed, 115 insertions(+), 43 deletions(-) create mode 100644 charts/eric-oss-hello-world-python-app/templates/envoy/envoy-configmap.yaml delete mode 100644 charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml index 4aaea3c..1c994e6 100644 --- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml @@ -67,6 +67,17 @@ spec: secret: secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }} defaultMode: 420 + - name: envoy-config + configMap: + name: {{ include "eric-oss-hello-world-python-app.name" . }}-envoy-config + - name: sidecar-platform-cacerts + secret: + secretName: {{ index .Values "platformCaCertSecretName" | quote }} + defaultMode: 420 + - name: sidecar-app-certs + secret: + secretName: {{ index .Values "appSecretName" | quote }} + defaultMode: 420 containers: - name: eric-oss-hello-world-python-app image: {{ template "eric-oss-hello-world-python-app.imagePath" (dict "imageId" "eric-oss-hello-world-python-app" "values" .Values "files" .Files) }} 
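Review bot: The new `envoy-config` volume names its ConfigMap with the `.name` helper plus `-envoy-config`, while the ConfigMap template added in this same commit names itself with the `.fullname` helper; unless the two helpers render identically, the volume references a ConfigMap that does not exist and the pod stays in ContainerCreating. Use the same helper on both sides, e.g. `name: {{ include "eric-oss-hello-world-python-app.fullname" . }}-envoy-config`. The two sidecar secret volumes also reuse `platformCaCertSecretName` and `appSecretName`, so the sidecar is handed the application's own certificate and key rather than a dedicated identity; if that is intended a comment saying so would help, otherwise separate values are needed. The `volumes` list continues outside the hunk.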
@@ -182,6 +193,37 @@ spec: {{- end }} resources: {{- toYaml .Values.resources.helloWorld | nindent 12 }} + - name: envoy + image: envoyproxy/envoy:v1.23.0 + imagePullPolicy: IfNotPresent + args: + - /usr/local/bin/envoy + - -c + - /etc/envoy/envoy.yaml + - --log-level + - info + ports: + - name: envoy-https + containerPort: 8443 + protocol: TCP + volumeMounts: + - name: envoy-config + mountPath: /etc/envoy + readOnly: true + - name: sidecar-platform-cacerts + mountPath: /etc/ssl/certs + readOnly: true + - name: sidecar-app-certs + mountPath: /etc/ssl/private + readOnly: true + securityContext: + runAsUser: 1337 # non-root user, adjust as per Envoy recommendations + runAsGroup: 1337 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all {{- if include "eric-oss-hello-world-python-app.pullSecrets" . }} imagePullSecrets: - name: {{ template "eric-oss-hello-world-python-app.pullSecrets" . }} diff --git a/charts/eric-oss-hello-world-python-app/templates/envoy/envoy-configmap.yaml b/charts/eric-oss-hello-world-python-app/templates/envoy/envoy-configmap.yaml new file mode 100644 index 0000000..e3dc38b --- /dev/null +++ b/charts/eric-oss-hello-world-python-app/templates/envoy/envoy-configmap.yaml 
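Review bot: The mount paths given to the sidecar (`/etc/ssl/certs`, `/etc/ssl/private`) do not match the paths the Envoy configuration added in this commit reads (`/etc/envoy/tls/server.crt`, `/etc/envoy/tls/server.key`, `/etc/envoy/client-ca/ca.crt`), so Envoy will fail to open its certificates at startup. Mounting a Secret over `/etc/ssl/certs` also shadows the image's system CA bundle at that path, which is worth avoiding even once the paths agree. `envoyproxy/envoy:v1.23.0` is a 2022 release that is likely outside Envoy's supported window and is referenced straight from Docker Hub rather than via the chart's `imagePath` helper and configured registry, so the chart's pull secrets and registry override do not apply to it; pin a supported release by digest through the same helper. The `containers` list continues outside the hunk.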
@@ -0,0 +1,73 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "eric-oss-hello-world-python-app.fullname" . }}-envoy-config +data: + envoy.yaml: | + node: + id: {{ .Release.Name }} + cluster: python-hello-world + + static_resources: + listeners: + - name: listener_https + address: + socket_address: + address: 0.0.0.0 + port_value: 8443 + filter_chains: + - filter_chain_match: + transport_protocol: "tls" + tls_context: + common_tls_context: + tls_certificates: + - certificate_chain: + filename: /etc/envoy/tls/server.crt + private_key: + filename: /etc/envoy/tls/server.key + validation_context: + trusted_ca: + filename: /etc/envoy/client-ca/ca.crt + match_subject_alt_names: + - exact: "client.example.com" # Replace with your expected client SAN if needed + # Enforce client cert validation (mTLS) + require_client_certificate: true + filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + route_config: + name: local_route + virtual_hosts: + - name: backend + domains: ["*"] + routes: + - match: + prefix: "/sample-app/python/hello" + route: + cluster: python_service + http_filters: + - name: envoy.filters.http.router + + clusters: + - name: python_service + connect_timeout: 0.25s + type: logical_dns + lb_policy: round_robin + load_assignment: + cluster_name: python_service + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 8050 + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + # If your python service doesn't do TLS, comment/remove this section + # Here it assumes plain HTTP upstream, so no TLS to upstream + 
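Review bot: `tls_context` under `filter_chains` is the v2 listener field that does not exist in the v3 API the v1.23 image speaks; the filter chain needs a `transport_socket` carrying a `DownstreamTlsContext` (`require_client_certificate` belongs inside that message), otherwise the bootstrap fails to parse. The cluster attaches an `UpstreamTlsContext` transport socket while the comment beneath it states the upstream is plain HTTP; with the socket present Envoy will attempt a TLS handshake to 127.0.0.1:8050, so one of the two has to go. The `match_subject_alt_names` entry with the `client.example.com` placeholder rejects every client certificate whose SAN differs, which is a hard outage rather than a tunable; either template it from values or drop the SAN check and state in a comment that authorization is CA-trust only. The certificate paths here also differ from the volume mounts in the deployment.yaml hunk above.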
diff --git a/charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml b/charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml deleted file mode 100644 index ca297c9..0000000 --- a/charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "eric-oss-hello-world-python-app.name" . -}} -{{- $servicePort := .Values.service.port -}} ---- -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }} - {{- if .Values.labels }} - {{ .Values.labels | toYaml | indent 4 }} - {{- end }} - {{- with .Values.ingress }} - annotations: - {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }} - {{- if .annotations }} - {{ .annotations | toYaml | indent 4 }} - {{- end }} - {{- if .ingressClass }} - kubernetes.io/ingress.class: {{.ingressClass }} - {{- end -}} - {{- end }} -spec: -{{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} -{{- end }} - rules: - - host: {{ .Values.ingress.host }} - http: - paths: - - path: / - backend: - serviceName: {{ $fullName }} - servicePort: {{ $servicePort }} -{{- end }} From 13bdf504223d09e112e3a90adaec2aa809c0f0f8 Mon Sep 17 00:00:00 2001 
From: erjxsrn Date: Thu, 14 Aug 2025 11:25:50 +0100 Subject: [PATCH 2/6] mtls-sef-support --- .../envoy.yaml | 92 +++++++++++++++++++ .../templates/configmap/configmap.yaml | 2 + .../templates/deployment/deployment.yaml | 28 ++++-- .../templates/envoy/envoy-configmap.yaml | 73 --------------- .../templates/service/service.yaml | 10 +- .../values.yaml | 5 +- 6 files changed, 125 insertions(+), 85 deletions(-) create mode 100644 charts/eric-oss-hello-world-python-app/envoy.yaml delete mode 100644 charts/eric-oss-hello-world-python-app/templates/envoy/envoy-configmap.yaml diff --git a/charts/eric-oss-hello-world-python-app/envoy.yaml b/charts/eric-oss-hello-world-python-app/envoy.yaml new file mode 100644 index 0000000..ef948a7 --- /dev/null +++ b/charts/eric-oss-hello-world-python-app/envoy.yaml 
@@ -0,0 +1,92 @@ +node: + id: {{ .Release.Name }} + cluster: python-hello-world +admin: + address: + socket_address: + address: 0.0.0.0 + port_value: 9901 +static_resources: + listeners: + - name: listener_https + address: + socket_address: + address: 0.0.0.0 + port_value: 8443 + filter_chains: + - transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + require_client_certificate: true + common_tls_context: + tls_certificates: + - certificate_chain: + filename: "/etc/envoy/certs/server.crt" + private_key: + filename: "/etc/envoy/certs/server.key" + validation_context: + trusted_ca: + filename: "/etc/envoy/certs/ca.crt" + #match_subject_alt_names: + # - exact: "client.example.com" + filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_https_secure + route_config: + name: local_route_https_secure + virtual_hosts: + - name: secure_service + domains: ["*"] + routes: + - match: + prefix: "/sample-app/python/hello" + route: + cluster: eric-oss-hello-world-python-cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + - name: listener_http + address: + socket_address: + address: 0.0.0.0 + port_value: 8080 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + route_config: + name: local_route_http + virtual_hosts: + - name: backend_http + domains: ["*"] + routes: + - match: + prefix: "/sample-app/python/metrics" + route: + cluster: eric-oss-hello-world-python-cluster + - match: + prefix: "/sample-app/python/health" + 
route: + cluster: eric-oss-hello-world-python-cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + clusters: + - name: eric-oss-hello-world-python-cluster + type: STATIC + load_assignment: + cluster_name: eric-oss-hello-world-python-service + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 8050 diff --git a/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml b/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml index 9c9867f..2eeedc2 100644 --- a/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml @@ -11,3 +11,5 @@ metadata: data: LOG_CTRL_FILE: |- {{ .Files.Get "logcontrol.json" | indent 4}} + ENVOY_CONFIG_FILE: |- +{{ .Files.Get "envoy.yaml" | indent 4 }} \ No newline at end of file diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml index 1c994e6..0805b6c 100644 --- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml @@ -55,6 +55,8 @@ spec: items: - key: LOG_CTRL_FILE path: logcontrol.json + - key: ENVOY_CONFIG_FILE + path: envoy.yaml - name: platform-cacerts secret: secretName: {{ index .Values "platformCaCertSecretName" | quote }} 
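Review bot: The `admin` block binds Envoy's administration interface to `0.0.0.0:9901`, and the deployment change in this commit publishes that port; the admin API is unauthenticated and allows config dumps, runtime log-level changes, listener draining and shutdown, so it must not be reachable from other pods. Bind it to loopback (`address: 127.0.0.1` under the admin `socket_address`) or omit the block entirely, and do not expose a containerPort for it. Commenting out `match_subject_alt_names` means any certificate issued by the trusted CA is accepted on the mTLS listener; that may be the intended trust model, but it deserves a comment such as `# authorization is CA-trust only; no SAN pinning` so the choice is visible. The `load_assignment.cluster_name` (`...-service`) also does not match the cluster `name` (`...-cluster`).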
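Review bot: `.Files.Get` returns the file verbatim, so the `{{ .Release.Name }}` inside envoy.yaml reaches the ConfigMap unrendered and Envoy receives a literal `{{ .Release.Name }}` as its node id. Run the content through `tpl` before indenting: `{{ tpl (.Files.Get "envoy.yaml") . | indent 4 }}`. The file also loses its trailing newline in this hunk, which yamllint will flag.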
@@ -67,16 +69,13 @@ spec: secret: secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }} defaultMode: 420 - - name: envoy-config - configMap: - name: {{ include "eric-oss-hello-world-python-app.name" . }}-envoy-config - name: sidecar-platform-cacerts secret: - secretName: {{ index .Values "platformCaCertSecretName" | quote }} + secretName: {{ index .Values "sidecarPlatformCaCertSecretName" | quote }} defaultMode: 420 - name: sidecar-app-certs secret: - secretName: {{ index .Values "appSecretName" | quote }} + secretName: {{ index .Values "sidecarAppSecretName" | quote }} defaultMode: 420 containers: - name: eric-oss-hello-world-python-app 
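Review bot: This hunk deletes the `envoy-config` volume, but the envoy container's `volumeMounts` entry for `envoy-config` at `/etc/envoy` survives in the `-203,27 +202,40` hunk below, so the Pod spec fails validation with an unknown volume; the ENVOY_CONFIG_FILE item was instead added to the log-control ConfigMap volume (`-55,6 +55,8` hunk), which is mounted at the application's log-control path, not at `/etc/envoy`. Either keep a dedicated volume (`- name: envoy-config` / `configMap:` / `name: {{ include "eric-oss-hello-world-python-app.name" . }}` with an `items` entry for `ENVOY_CONFIG_FILE`) or retarget the mount. The renamed `sidecarPlatformCaCertSecretName` and `sidecarAppSecretName` values are not added to values.yaml anywhere in this commit; `index .Values ... | quote` renders `""` when they are unset, producing an invalid empty `secretName`, so give them defaults or wrap them in `required`.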
@@ -203,27 +202,40 @@ spec: - --log-level - info ports: + - name: envoy-http + containerPort: 8080 + protocol: TCP - name: envoy-https containerPort: 8443 protocol: TCP + - name: envoy-admin + containerPort: 9901 volumeMounts: - name: envoy-config mountPath: /etc/envoy readOnly: true - name: sidecar-platform-cacerts - mountPath: /etc/ssl/certs + mountPath: {{ index .Values "sidecarPlatformCaCertMountPath" | default .Values.instantiationDefaults.sidecarPlatformCaCertMountPath | quote }} readOnly: true - name: sidecar-app-certs - mountPath: /etc/ssl/private + mountPath: {{ index .Values "sidecarAppCertMountPath" | default .Values.instantiationDefaults.sidecarAppCertMountPath | quote }} readOnly: true securityContext: - runAsUser: 1337 # non-root user, adjust as per Envoy recommendations + runAsNonRoot: true + runAsUser: 1337 runAsGroup: 1337 + fsGroup: 1337 allowPrivilegeEscalation: false + privileged: false readOnlyRootFilesystem: true capabilities: drop: - all + {{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }} + appArmorProfile: + type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }} + {{- end }} + {{- include "eric-oss-hello-world-python-app.seccomp-profile" . | indent 2 }} {{- if include "eric-oss-hello-world-python-app.pullSecrets" . }} imagePullSecrets: - name: {{ template "eric-oss-hello-world-python-app.pullSecrets" . }} diff --git a/charts/eric-oss-hello-world-python-app/templates/envoy/envoy-configmap.yaml b/charts/eric-oss-hello-world-python-app/templates/envoy/envoy-configmap.yaml deleted file mode 100644 index e3dc38b..0000000 --- a/charts/eric-oss-hello-world-python-app/templates/envoy/envoy-configmap.yaml +++ /dev/null 
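Review bot: `fsGroup` is a field of the Pod-level `securityContext` only; inside a container `securityContext` it is an unknown field that strict server-side validation rejects and lenient validation silently drops, so remove it here (or set it at `spec.template.spec.securityContext`). Publishing `envoy-admin` (9901) exposes the unauthenticated Envoy admin API to the cluster network; drop the containerPort and bind admin to loopback in envoy.yaml. The seccomp include uses `| indent 2` while the sibling container fields sit far deeper, so the rendered `seccompProfile` key will not land inside this `securityContext`; the indent should match the sibling keys.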
@@ -1,73 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "eric-oss-hello-world-python-app.fullname" . }}-envoy-config -data: - envoy.yaml: | - node: - id: {{ .Release.Name }} - cluster: python-hello-world - - static_resources: - listeners: - - name: listener_https - address: - socket_address: - address: 0.0.0.0 - port_value: 8443 - filter_chains: - - filter_chain_match: - transport_protocol: "tls" - tls_context: - common_tls_context: - tls_certificates: - - certificate_chain: - filename: /etc/envoy/tls/server.crt - private_key: - filename: /etc/envoy/tls/server.key - validation_context: - trusted_ca: - filename: /etc/envoy/client-ca/ca.crt - match_subject_alt_names: - - exact: "client.example.com" # Replace with your expected client SAN if needed - # Enforce client cert validation (mTLS) - require_client_certificate: true - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - route_config: - name: local_route - virtual_hosts: - - name: backend - domains: ["*"] - routes: - - match: - prefix: "/sample-app/python/hello" - route: - cluster: python_service - http_filters: - - name: envoy.filters.http.router - - clusters: - - name: python_service - connect_timeout: 0.25s - type: logical_dns - lb_policy: round_robin - load_assignment: - cluster_name: python_service - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: 127.0.0.1 - port_value: 8050 - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - # If your python service doesn't do TLS, comment/remove this section - # Here it assumes plain HTTP upstream, so no TLS to upstream - 
diff --git a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml index d90cef5..0188b1c 100644 --- a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml @@ -15,10 +15,14 @@ spec: ipFamilies: [{{ .Values.global.internalIPFamily }}] {{- end }} ports: - - port: {{ .Values.service.port }} - targetPort: 8050 + - port: {{ .Values.service.httpport }} + targetPort: 8080 protocol: TCP - name: http + name: envoy-http + - port: {{ .Values.service.httpsport }} + targetPort: 8443 + protocol: TCP + name: envoy-https selector: app.kubernetes.io/name: {{ include "eric-oss-hello-world-python-app.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml index 2c4b392..77e77f8 100644 --- a/charts/eric-oss-hello-world-python-app/values.yaml +++ b/charts/eric-oss-hello-world-python-app/values.yaml @@ -43,7 +43,8 @@ seccompProfile: service: type: ClusterIP - port: 8050 + httpport: 8080 + httpsport: 8443 ingress: enabled: false @@ -127,6 +128,8 @@ instantiationDefaults: platformCaCertMountPath: "/etc/tls-ca/platform/" appCertMountPath: "/etc/tls/log/" clientCredsMountPath: "/etc/client-creds/" + sidecarPlatformCaCertMountPath: "/etc/sidecar-tls-ca/platform/" + sidecarAppCertMountPath: "/etc/sidecar-tls/log/" global: clientCredentials: From 31b57f45d807f48634b3b5fc5eea5ced315a61b3 Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Thu, 14 Aug 2025 11:37:46 +0100 Subject: [PATCH 3/6] patch-2 --- .../envoy.yaml | 23 +++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/charts/eric-oss-hello-world-python-app/envoy.yaml b/charts/eric-oss-hello-world-python-app/envoy.yaml index ef948a7..57282bb 100644 --- a/charts/eric-oss-hello-world-python-app/envoy.yaml 
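Review bot: Renaming the Service port from `http` to `envoy-http` and the value from `service.port` to `service.httpport` is a silent breaking change for existing overrides and for any Ingress, ServiceMonitor or NetworkPolicy that selects the port by name; a `service.port` override is now ignored rather than failing. If the rename is intended, document it in values.yaml and consider `port: {{ .Values.service.httpport | default .Values.service.port }}` for a transition period. The `httpport`/`httpsport` keys also break the chart's camelCase convention (`httpPort`, `httpsPort`).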
+++ b/charts/eric-oss-hello-world-python-app/envoy.yaml @@ -1,13 +1,16 @@ node: id: {{ .Release.Name }} cluster: python-hello-world + admin: address: socket_address: address: 0.0.0.0 port_value: 9901 + static_resources: listeners: + # HTTPS listener with mTLS - name: listener_https address: socket_address: @@ -35,6 +38,10 @@ static_resources: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: ingress_https_secure + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog route_config: name: local_route_https_secure virtual_hosts: @@ -49,6 +56,8 @@ static_resources: - name: envoy.filters.http.router typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # HTTP listener that redirects to HTTPS - name: listener_http address: socket_address: @@ -60,12 +69,21 @@ static_resources: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: ingress_http + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog route_config: name: local_route_http virtual_hosts: - name: backend_http domains: ["*"] routes: + # HTTP → HTTPS redirect + - match: + prefix: "/" + redirect: + https_redirect: true - match: prefix: "/sample-app/python/metrics" route: 
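Review bot: The new catch-all redirect route (`prefix: "/"` with `https_redirect: true`) is listed before the `/sample-app/python/metrics` and `/sample-app/python/health` routes, and Envoy evaluates routes in order, so those two plaintext routes can never match and any scraper or probe hitting 8080 receives a 301 instead. Move the redirect to the end of the `routes` list (or narrow its prefix) so the explicit routes win. The stdout access logs added to both listeners use the default format, which records client address and path but not the client certificate subject; for the mTLS listener a `log_format` including `%DOWNSTREAM_PEER_SUBJECT%` would make audit questions answerable.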
@@ -78,15 +96,16 @@ static_resources: - name: envoy.filters.http.router typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + clusters: - name: eric-oss-hello-world-python-cluster type: STATIC load_assignment: - cluster_name: eric-oss-hello-world-python-service + cluster_name: eric-oss-hello-world-python-cluster endpoints: - lb_endpoints: - endpoint: address: socket_address: address: 127.0.0.1 - port_value: 8050 + port_value: 8050 \ No newline at end of file From 469d5982acebed20afeeb0a18adfd1821a7aa352 Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Fri, 15 Aug 2025 15:25:35 +0100 Subject: [PATCH 4/6] improvements --- .../envoy.yaml | 17 ++--------- .../templates/deployment/deployment.yaml | 28 +++++++++++++++++-- .../values.yaml | 10 +++++-- 3 files changed, 37 insertions(+), 18 deletions(-) diff --git a/charts/eric-oss-hello-world-python-app/envoy.yaml b/charts/eric-oss-hello-world-python-app/envoy.yaml index 57282bb..104707d 100644 --- a/charts/eric-oss-hello-world-python-app/envoy.yaml +++ b/charts/eric-oss-hello-world-python-app/envoy.yaml @@ -2,12 +2,6 @@ node: id: {{ .Release.Name }} cluster: python-hello-world -admin: - address: - socket_address: - address: 0.0.0.0 - port_value: 9901 - static_resources: listeners: # HTTPS listener with mTLS @@ -25,12 +19,12 @@ static_resources: common_tls_context: tls_certificates: - certificate_chain: - filename: "/etc/envoy/certs/server.crt" + filename: "${ENVOY_APP_CERT_FILE_PATH}/${ENVOY_APP_CERT}" private_key: - filename: "/etc/envoy/certs/server.key" + filename: "${ENVOY_APP_CERT_FILE_PATH}/${ENVOY_APP_KEY}" validation_context: trusted_ca: - filename: "/etc/envoy/certs/ca.crt" + filename: "${ENVOY_CA_CERT_FILE_PATH}/${ENVOY_CA_CERT_FILE_NAME}" #match_subject_alt_names: # - exact: "client.example.com" filters: 
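Review bot: Envoy does not expand `${...}` environment references in its bootstrap file, so `"${ENVOY_APP_CERT_FILE_PATH}/${ENVOY_APP_CERT}"` and the two sibling filenames are used literally and the certificates are not found at startup (unless an entrypoint runs envsubst over the file first, which nothing in this series shows). Since the file already ships through a ConfigMap template, render the paths with Helm instead — e.g. `filename: {{ .Values.instantiationDefaults.sidecarAppCertMountPath }}{{ .Values.sidecarAppCertFileName }}` once the ConfigMap passes the content through `tpl`. The commented-out `match_subject_alt_names` lines remain; either delete them or turn them into a documented values-driven option.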
@@ -79,11 +73,6 @@ static_resources: - name: backend_http domains: ["*"] routes: - # HTTP → HTTPS redirect - - match: - prefix: "/" - redirect: - https_redirect: true - match: prefix: "/sample-app/python/metrics" route: diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml index 0805b6c..04824df 100644 --- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml @@ -195,6 +195,17 @@ spec: - name: envoy image: envoyproxy/envoy:v1.23.0 imagePullPolicy: IfNotPresent + env: + - name: ENVOY_CA_CERT_FILE_PATH + value: {{ index .Values "sidecarPlatformCaCertMountPath" | default .Values.instantiationDefaults.sidecarPlatformCaCertMountPath | quote }} + - name: ENVOY_CA_CERT_FILE_NAME + value: {{ index .Values "sidecarPlatformCaCertFileName" | quote }} + - name: ENVOY_APP_KEY + value: {{ index .Values "sidecarAppKeyFileName" | quote }} + - name: ENVOY_APP_CERT + value: {{ index .Values "sidecarAppCertFileName" | quote }} + - name: ENVOY_APP_CERT_FILE_PATH + value: {{ index .Values "sidecarAppCertMountPath" | default .Values.instantiationDefaults.sidecarAppCertMountPath | quote }} args: - /usr/local/bin/envoy - -c 
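Review bot: The new env entries read `sidecarPlatformCaCertFileName`, `sidecarAppKeyFileName` and `sidecarAppCertFileName`, none of which is given a default in the values.yaml hunk of this commit; `index .Values "..." | quote` renders `""` for an unset key, so the `${ENVOY_APP_CERT}`-style references in envoy.yaml (this commit's `-25,12 +19,12` hunk) would expand to a bare directory even if something expanded them. Either add defaults under `instantiationDefaults` with the same `| default` pattern used for the mount paths, or wrap them in `required "sidecarAppCertFileName is required"`. Note that these variables only help if a step substitutes them into the Envoy config before start-up; Envoy itself does not expand environment variables in its bootstrap.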
@@ -208,8 +219,21 @@ spec: - name: envoy-https containerPort: 8443 protocol: TCP - - name: envoy-admin - containerPort: 9901 + readinessProbe: + tcpSocket: + port: 8080 + {{- if (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }} + {{ print "initialDelaySeconds: " (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }} + {{- end }} + {{- if (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }} + {{ print "failureThreshold: " (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }} + {{- end }} + {{- if (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }} + {{ print "periodSeconds: " (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }} + {{- end }} + {{- if (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }} + {{ print "timeoutSeconds: " (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }} + {{- end }} volumeMounts: - name: envoy-config mountPath: /etc/envoy diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml index 77e77f8..cf6e8a4 100644 --- a/charts/eric-oss-hello-world-python-app/values.yaml +++ b/charts/eric-oss-hello-world-python-app/values.yaml @@ -5,13 +5,13 @@ global: timezone: UTC registry: url: armdocker.rnd.ericsson.se - imagePullPolicy: IfNotPresent + imagePullPolicy: Always pullSecret: internalIPFamily: imageCredentials: repoPath: - pullPolicy: IfNotPresent + pullPolicy: Always registry: url: pullSecret: @@ -117,6 +117,12 @@ probes: initialDelaySeconds: 60 periodSeconds: 10 timeoutSeconds: 10 + envoy: + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 10 # Pod priority configuration for deployments podPriority: From 382d41becdab582c14d2d30ba84320a4e0413b9a Mon Sep 17 00:00:00 2001 
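Review bot: The four `if`/`print` pairs under `readinessProbe` re-implement what a single `toYaml` of the values map does, since the keys in `probes.envoy.readinessProbe` are already the probe field names: `{{- with .Values.probes.envoy.readinessProbe }}` / `{{- toYaml . | nindent 12 }}` / `{{- end }}` (with `nindent` set to the probe-field level). A `tcpSocket` probe on 8080 only proves the plaintext listener accepted a connection and says nothing about the mTLS listener on 8443, which is the one clients depend on, so probing 8443 would be more meaningful.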
From: erjxsrn Date: Fri, 15 Aug 2025 22:44:16 +0100 Subject: [PATCH 5/6] More changes --- Dockerfile => Dockerfile.app | 2 +- Dockerfile.envoy | 7 +++ .../templates/deployment/deployment.yaml | 57 ++++++++++++------- docker-compose.yml | 29 ++++++++++ 4 files changed, 75 insertions(+), 20 deletions(-) rename Dockerfile => Dockerfile.app (95%) create mode 100644 Dockerfile.envoy create mode 100644 docker-compose.yml diff --git a/Dockerfile b/Dockerfile.app similarity index 95% rename from Dockerfile rename to Dockerfile.app index 6dca988..06ed235 100644 --- a/Dockerfile +++ b/Dockerfile.app @@ -1,4 +1,4 @@ -FROM +FROM python:3.9-slim ARG USER_ID=60577 ARG USER_NAME="eric-sdk" diff --git a/Dockerfile.envoy b/Dockerfile.envoy new file mode 100644 index 0000000..4476103 --- /dev/null +++ b/Dockerfile.envoy @@ -0,0 +1,7 @@ +FROM envoyproxy/envoy:v1.35.0 + +EXPOSE 8080 8443 + +USER envoy + +CMD ["envoy", "-c", "/etc/envoy/envoy.yaml", "--log-level", "info"] \ No newline at end of file diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml index 04824df..2efdeb7 100644 --- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml @@ -55,6 +55,10 @@ spec: items: - key: LOG_CTRL_FILE path: logcontrol.json + - name: envoy-volume + configMap: + name: {{ include "eric-oss-hello-world-python-app.name" . }} + items: - key: ENVOY_CONFIG_FILE path: envoy.yaml - name: platform-cacerts 
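Review bot: `FROM envoyproxy/envoy:v1.35.0` pulls a mutable tag straight from Docker Hub, while the rest of the chart resolves images through `armdocker.rnd.ericsson.se`; pin the base by digest (`FROM envoyproxy/envoy:v1.35.0@sha256:<digest>`, digest to be taken from the registry) and mirror it through the internal registry so the pull is reproducible and subject to the same controls as the app image. `USER envoy` is good, but the deployment in this commit sets `runAsUser: 1000`; document which UID the image's `envoy` user has or align the two. The file also lacks a trailing newline.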
@@ -193,8 +197,24 @@ spec: resources: {{- toYaml .Values.resources.helloWorld | nindent 12 }} - name: envoy - image: envoyproxy/envoy:v1.23.0 + image: envoyproxy/envoy:v1.35.0 imagePullPolicy: IfNotPresent + securityContext: + {{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }} + appArmorProfile: + type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }} + {{- end }} + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all + {{- include "eric-oss-hello-world-python-app.seccomp-profile" . | indent 12 }} env: - name: ENVOY_CA_CERT_FILE_PATH value: {{ index .Values "sidecarPlatformCaCertMountPath" | default .Values.instantiationDefaults.sidecarPlatformCaCertMountPath | quote }} 
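Review bot: `fsGroup: 1000` is still placed inside the container-level `securityContext`, where it is not a valid field (it belongs to `spec.template.spec.securityContext`); the block that patch 2 added had the same problem. The envoy image is still referenced as a bare Docker Hub tag rather than through the chart's `imagePath` helper and `global.registry`, so the chart's registry override and pull secrets do not apply to the sidecar; route it through the same helper as the application container and pin by digest. The rest of the `securityContext` block is sound: non-root, no privilege escalation, read-only root filesystem, all capabilities dropped.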
@@ -219,9 +239,24 @@ spec: - name: envoy-https containerPort: 8443 protocol: TCP + livenessProbe: + tcpSocket: + port: 8443 + {{- if (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }} + {{ print "initialDelaySeconds: " (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }} + {{- end }} + {{- if (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }} + {{ print "failureThreshold: " (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }} + {{- end }} + {{- if (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }} + {{ print "periodSeconds: " (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }} + {{- end }} + {{- if (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }} + {{ print "timeoutSeconds: " (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }} + {{- end }} readinessProbe: tcpSocket: - port: 8080 + port: 8443 {{- if (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }} {{ print "initialDelaySeconds: " (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }} {{- end }} @@ -235,7 +270,7 @@ spec: {{ print "timeoutSeconds: " (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }} {{- end }} volumeMounts: - - name: envoy-config + - name: envoy-volume mountPath: /etc/envoy readOnly: true - name: sidecar-platform-cacerts 
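Review bot: The new `livenessProbe` takes its tuning from `probes.envoy.readinessProbe.*`, so liveness and readiness share `failureThreshold`, `initialDelaySeconds`, `periodSeconds` and `timeoutSeconds`; a liveness failure restarts the container, so it normally wants its own, more lenient settings — add a `probes.envoy.livenessProbe` map in values.yaml and reference it here. The duplicated twelve-line `if`/`print` block per probe is also a good candidate for `{{- with ... }}{{ toYaml . | nindent 12 }}{{- end }}`. Note that a `tcpSocket` check on 8443 completes only the TCP handshake and never negotiates TLS, so it cannot detect a certificate that fails to load after start-up.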
@@ -244,22 +279,6 @@ spec: - name: sidecar-app-certs mountPath: {{ index .Values "sidecarAppCertMountPath" | default .Values.instantiationDefaults.sidecarAppCertMountPath | quote }} readOnly: true - securityContext: - runAsNonRoot: true - runAsUser: 1337 - runAsGroup: 1337 - fsGroup: 1337 - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - capabilities: - drop: - - all - {{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }} - appArmorProfile: - type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }} - {{- end }} - {{- include "eric-oss-hello-world-python-app.seccomp-profile" . | indent 2 }} {{- if include "eric-oss-hello-world-python-app.pullSecrets" . }} imagePullSecrets: - name: {{ template "eric-oss-hello-world-python-app.pullSecrets" . }} diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..8ca1785 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,29 @@ +version: "3.9" + +services: + app: + build: + context: . + dockerfile: Dockerfile.app + args: + APP_VERSION: ${APP_VERSION} + image: proj-eric-oss-drop/eric-oss-hello-world-python-app:${APP_VERSION} + container_name: eric-oss-hello-world-python-app + ports: + - "8050:8050" # expose app port + restart: unless-stopped + + envoy: + build: + context: . + dockerfile: Dockerfile.envoy + args: + APP_VERSION: ${APP_VERSION} + image: proj-eric-oss-drop/envoy:${APP_VERSION} + container_name: envoy + depends_on: + - app + ports: + - "8080:8080" # HTTP + - "8443:8443" # HTTPS + restart: unless-stopped From 2ccfea824bcbd56a8ca4fc48c403e7a8962de800 Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Fri, 15 Aug 2025 22:47:55 +0100 Subject: [PATCH 6/6] missed additions --- Dockerfile.app | 2 +- charts/eric-oss-hello-world-python-app/values.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile.app b/Dockerfile.app index 06ed235..6dca988 100644 --- a/Dockerfile.app 
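Review bot: The `envoy` compose service mounts neither the repository's envoy.yaml nor any certificates, so the container runs whatever `/etc/envoy/envoy.yaml` the base image ships rather than this project's mTLS configuration; and even with the config mounted, its upstream of `127.0.0.1:8050` cannot reach the separate `app` container, which compose exposes by service name (`app:8050`). Add `volumes:` entries for the Envoy config and a local certificate directory and make the upstream address configurable, or state in a comment that compose is not meant to exercise the proxy path. Publishing `8050:8050` on the host also bypasses the proxy entirely for local runs, which is acceptable for development if said so. `version: "3.9"` is obsolete in Compose v2, and `APP_VERSION` is passed as a build arg to Dockerfile.envoy, which declares no such `ARG`.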
+++ b/Dockerfile.app @@ -1,4 +1,4 @@ -FROM python:3.9-slim +FROM ARG USER_ID=60577 ARG USER_NAME="eric-sdk" diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml index cf6e8a4..af3aafb 100644 --- a/charts/eric-oss-hello-world-python-app/values.yaml +++ b/charts/eric-oss-hello-world-python-app/values.yaml @@ -5,13 +5,13 @@ global: timezone: UTC registry: url: armdocker.rnd.ericsson.se - imagePullPolicy: Always + imagePullPolicy: IfNotPresent pullSecret: internalIPFamily: imageCredentials: repoPath: - pullPolicy: Always + pullPolicy: IfNotPresent registry: url: pullSecret:
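Review bot: `FROM` with no image reference is not valid Dockerfile syntax on its own, so this file only builds if a pipeline step injects the base image first; if that is the case, say so directly above it, e.g. `# base image is injected by the build pipeline before docker build`, so the apparent breakage is not "fixed" again as patch 5 did. If no such step exists, restore a pinned base (`FROM python:3.9-slim@sha256:<digest>`) — `python:3.9-slim` alone is a mutable tag, and Python 3.9 reaches end-of-life in October 2025, so a newer minor is worth considering. The `ARG` lines are unchanged context.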