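--- /dev/null
+++ b/Dockerfile.envoy
@@ -0,0 +1,7 @@
+FROM envoyproxy/envoy:v1.35.0
+
+EXPOSE 8080 8443
+
+USER envoy
+
+CMD ["envoy", "-c", "/etc/envoy/envoy.yaml", "--log-level", "info"]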
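Review bot: `FROM envoyproxy/envoy:v1.35.0` pins the base only by a mutable tag, which the registry owner can re-push; for a supply-chain boundary pin the digest as well, `FROM envoyproxy/envoy:v1.35.0@sha256:<digest>`, and bump it deliberately. The image adds nothing on top of the base (no `COPY` of `envoy.yaml` or of the certificate files), so the `-c /etc/envoy/envoy.yaml` in `CMD` resolves to whatever the base image ships at that path, if anything, unless the config is mounted at run time; if mounting is the intent, a comment such as `# config and TLS material are mounted at run time; nothing is baked in` would save the next reader a surprise. `USER envoy` and the explicit `--log-level` are fine as written.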
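--- /dev/null
+++ b/charts/eric-oss-hello-world-python-app/envoy.yaml
@@ -0,0 +1,100 @@
+node:
+id: {{ .Release.Name }}
+cluster: python-hello-world
+
+static_resources:
+listeners:
+# HTTPS listener with mTLS
+- name: listener_https
+address:
+socket_address:
+address: 0.0.0.0
+port_value: 8443
+filter_chains:
+- transport_socket:
+name: envoy.transport_sockets.tls
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+require_client_certificate: true
+common_tls_context:
+tls_certificates:
+- certificate_chain:
+filename: "${ENVOY_APP_CERT_FILE_PATH}/${ENVOY_APP_CERT}"
+private_key:
+filename: "${ENVOY_APP_CERT_FILE_PATH}/${ENVOY_APP_KEY}"
+validation_context:
+trusted_ca:
+filename: "${ENVOY_CA_CERT_FILE_PATH}/${ENVOY_CA_CERT_FILE_NAME}"
+#match_subject_alt_names:
+# - exact: "client.example.com"
+filters:
+- name: envoy.filters.network.http_connection_manager
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+stat_prefix: ingress_https_secure
+access_log:
+- name: envoy.access_loggers.stdout
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+route_config:
+name: local_route_https_secure
+virtual_hosts:
+- name: secure_service
+domains: ["*"]
+routes:
+- match:
+prefix: "/sample-app/python/hello"
+route:
+cluster: eric-oss-hello-world-python-cluster
+http_filters:
+- name: envoy.filters.http.router
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+# HTTP listener that redirects to HTTPS
+- name: listener_http
+address:
+socket_address:
+address: 0.0.0.0
+port_value: 8080
+filter_chains:
+- filters:
+- name: envoy.filters.network.http_connection_manager
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+stat_prefix: ingress_http
+access_log:
+- name: envoy.access_loggers.stdout
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+route_config:
+name: local_route_http
+virtual_hosts:
+- name: backend_http
+domains: ["*"]
+routes:
+- match:
+prefix: "/sample-app/python/metrics"
+route:
+cluster: eric-oss-hello-world-python-cluster
+- match:
+prefix: "/sample-app/python/health"
+route:
+cluster: eric-oss-hello-world-python-cluster
+http_filters:
+- name: envoy.filters.http.router
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+clusters:
+- name: eric-oss-hello-world-python-cluster
+type: STATIC
+load_assignment:
+cluster_name: eric-oss-hello-world-python-cluster
+endpoints:
+- lb_endpoints:
+- endpoint:
+address:
+socket_address:
+address: 127.0.0.1
+port_value: 8050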
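Review bot: With `match_subject_alt_names` left commented out under `validation_context`, the mTLS listener authorizes any certificate the platform CA has issued, so every workload holding a platform cert can reach `/sample-app/python/hello`; if only specific clients are meant to, restore a SAN check in the non-deprecated form, e.g. `match_typed_subject_alt_names: [{san_type: DNS, matcher: {exact: "client.example.com"}}]`, since `match_subject_alt_names` is deprecated in the v3 API and may be rejected by recent releases. The `${ENVOY_APP_CERT_FILE_PATH}`-style references in the `filename` fields are, as far as I know, not expanded by Envoy itself, and nothing in this PR substitutes them before the file is passed to `-c`, so they would be read literally; either render the paths at chart time or confirm that something in the pipeline expands them. The comment `# HTTP listener that redirects to HTTPS` does not describe the listener beneath it, which serves `/metrics` and `/health` in cleartext and redirects nothing; either add `redirect: {https_redirect: true}` routes or reword it to `# plaintext listener for probes and metrics only (no redirect)`. Note also that `id: {{ .Release.Name }}` is only meaningful if the consumer templates this file; a plain YAML parser reads `{{ ... }}` as a flow mapping, not a string.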
Expand Up @@ -11,3 +11,5 @@ metadata:
data:
LOG_CTRL_FILE: |-
{{ .Files.Get "logcontrol.json" | indent 4}}
ENVOY_CONFIG_FILE: |-
{{ .Files.Get "envoy.yaml" | indent 4 }}
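Review bot: `.Files.Get "envoy.yaml"` returns the file verbatim, so the `{{ .Release.Name }}` that the new envoy.yaml uses for `node.id` reaches the ConfigMap unrendered, and YAML then reads `{{ ... }}` as a flow mapping rather than a string; pipe the content through `tpl` so chart expressions are evaluated: `{{ tpl (.Files.Get "envoy.yaml") . | indent 4 }}`. Keep the `|-` literal block so the result is embedded as a string exactly as `LOG_CTRL_FILE` is. The enclosing ConfigMap `data:` map begins in the context above the hunk.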
Expand Up @@ -55,6 +55,12 @@ spec:
items:
- key: LOG_CTRL_FILE
path: logcontrol.json
- name: envoy-volume
configMap:
name: {{ include "eric-oss-hello-world-python-app.name" . }}
items:
- key: ENVOY_CONFIG_FILE
path: envoy.yaml
- name: platform-cacerts
secret:
secretName: {{ index .Values "platformCaCertSecretName" | quote }}
Expand All @@ -67,6 +73,14 @@ spec:
secret:
secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}
defaultMode: 420
- name: sidecar-platform-cacerts
secret:
secretName: {{ index .Values "sidecarPlatformCaCertSecretName" | quote }}
defaultMode: 420
- name: sidecar-app-certs
secret:
secretName: {{ index .Values "sidecarAppSecretName" | quote }}
defaultMode: 420
containers:
- name: eric-oss-hello-world-python-app
image: {{ template "eric-oss-hello-world-python-app.imagePath" (dict "imageId" "eric-oss-hello-world-python-app" "values" .Values "files" .Files) }}
Expand Down Expand Up @@ -182,6 +196,89 @@ spec:
{{- end }}
resources:
{{- toYaml .Values.resources.helloWorld | nindent 12 }}
- name: envoy
image: envoyproxy/envoy:v1.35.0
imagePullPolicy: IfNotPresent
securityContext:
{{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }}
appArmorProfile:
type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }}
{{- end }}
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- all
{{- include "eric-oss-hello-world-python-app.seccomp-profile" . | indent 12 }}
env:
- name: ENVOY_CA_CERT_FILE_PATH
value: {{ index .Values "sidecarPlatformCaCertMountPath" | default .Values.instantiationDefaults.sidecarPlatformCaCertMountPath | quote }}
- name: ENVOY_CA_CERT_FILE_NAME
value: {{ index .Values "sidecarPlatformCaCertFileName" | quote }}
- name: ENVOY_APP_KEY
value: {{ index .Values "sidecarAppKeyFileName" | quote }}
- name: ENVOY_APP_CERT
value: {{ index .Values "sidecarAppCertFileName" | quote }}
- name: ENVOY_APP_CERT_FILE_PATH
value: {{ index .Values "sidecarAppCertMountPath" | default .Values.instantiationDefaults.sidecarAppCertMountPath | quote }}
args:
- /usr/local/bin/envoy
- -c
- /etc/envoy/envoy.yaml
- --log-level
- info
ports:
- name: envoy-http
containerPort: 8080
protocol: TCP
- name: envoy-https
containerPort: 8443
protocol: TCP
livenessProbe:
tcpSocket:
port: 8443
{{- if (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }}
{{ print "initialDelaySeconds: " (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }}
{{- end }}
{{- if (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }}
{{ print "failureThreshold: " (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }}
{{- end }}
{{- if (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }}
{{ print "periodSeconds: " (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }}
{{- end }}
{{- if (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }}
{{ print "timeoutSeconds: " (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }}
{{- end }}
readinessProbe:
tcpSocket:
port: 8443
{{- if (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }}
{{ print "initialDelaySeconds: " (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }}
{{- end }}
{{- if (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }}
{{ print "failureThreshold: " (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }}
{{- end }}
{{- if (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }}
{{ print "periodSeconds: " (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }}
{{- end }}
{{- if (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }}
{{ print "timeoutSeconds: " (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }}
{{- end }}
volumeMounts:
- name: envoy-volume
mountPath: /etc/envoy
readOnly: true
- name: sidecar-platform-cacerts
mountPath: {{ index .Values "sidecarPlatformCaCertMountPath" | default .Values.instantiationDefaults.sidecarPlatformCaCertMountPath | quote }}
readOnly: true
- name: sidecar-app-certs
mountPath: {{ index .Values "sidecarAppCertMountPath" | default .Values.instantiationDefaults.sidecarAppCertMountPath | quote }}
readOnly: true
{{- if include "eric-oss-hello-world-python-app.pullSecrets" . }}
imagePullSecrets:
- name: {{ template "eric-oss-hello-world-python-app.pullSecrets" . }}
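Review bot: The sidecar's `image: envoyproxy/envoy:v1.35.0` is a bare Docker Hub reference by mutable tag, whereas the app container at the top of the hunk is resolved through the chart's `imagePath` helper and therefore its registry and pull-secret handling; route the Envoy image through the same helper, or at minimum pin the digest (`envoyproxy/envoy:v1.35.0@sha256:<digest>`), so the image comes from the trusted registry and cannot change under the tag. `fsGroup: 1000` is a pod-level `securityContext` field and is not valid on a container, so strict server-side validation will reject this Deployment; remove it here (and set it on the pod's securityContext if secret file ownership needs it). The sidecar's `livenessProbe` takes every tunable from `probes.envoy.readinessProbe`, which reads like a copy-paste; add a `probes.envoy.livenessProbe` block or add the comment `# liveness intentionally shares the readiness tunables` above it. The `sidecar-app-certs` mount carries the TLS private key at `defaultMode: 420` (0644), readable by any uid in the container; `defaultMode: 288` (0440) together with a pod-level `fsGroup: 1000` would confine it to the sidecar's group, but that depends on the pod securityContext, which is outside the hunk.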

This file was deleted.

Expand Up @@ -15,10 +15,14 @@ spec:
ipFamilies: [{{ .Values.global.internalIPFamily }}]
{{- end }}
ports:
- port: {{ .Values.service.port }}
targetPort: 8050
- port: {{ .Values.service.httpport }}
targetPort: 8080
protocol: TCP
name: http
name: envoy-http
- port: {{ .Values.service.httpsport }}
targetPort: 8443
protocol: TCP
name: envoy-https
selector:
app.kubernetes.io/name: {{ include "eric-oss-hello-world-python-app.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
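Review bot: The new `envoy-http` port publishes the sidecar's cleartext 8080 listener through the Service, and in this PR that listener serves `/sample-app/python/metrics` and `/sample-app/python/health` with no TLS or client authentication, so anything that can reach the Service can read the metrics; if that is only for in-cluster scraping, consider leaving 8080 out of the Service (kubelet probes reach the pod directly) or restricting it with a NetworkPolicy, and record the decision with a comment such as `# envoy-http: plaintext probe/metrics listener only; application traffic uses envoy-https`. Renaming the port from `http` to `envoy-http` and retiring `.Values.service.port` will break any Ingress or ServiceMonitor that selects the port by its old name or reads the old value; none is visible in this diff, so worth a grep across the chart before merging. The Service spec starts above the hunk.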
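--- a/charts/eric-oss-hello-world-python-app/values.yaml
+++ b/charts/eric-oss-hello-world-python-app/values.yaml
@@ -43,7 +43,8 @@ seccompProfile:
 
 service:
 type: ClusterIP
-port: 8050
+httpport: 8080
+httpsport: 8443
 
 ingress:
 enabled: false
@@ -116,6 +117,12 @@ probes:
 initialDelaySeconds: 60
 periodSeconds: 10
 timeoutSeconds: 10
+envoy:
+readinessProbe:
+failureThreshold: 3
+initialDelaySeconds: 60
+periodSeconds: 10
+timeoutSeconds: 10
 
 # Pod priority configuration for deployments
 podPriority:
@@ -127,6 +134,8 @@ instantiationDefaults:
 platformCaCertMountPath: "/etc/tls-ca/platform/"
 appCertMountPath: "/etc/tls/log/"
 clientCredsMountPath: "/etc/client-creds/"
+sidecarPlatformCaCertMountPath: "/etc/sidecar-tls-ca/platform/"
+sidecarAppCertMountPath: "/etc/sidecar-tls/log/"
 
 global:
 clientCredentials: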
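Review bot: The deployment hunk consumes several new values through `index .Values` (`sidecarPlatformCaCertSecretName`, `sidecarAppSecretName`, `sidecarPlatformCaCertFileName`, `sidecarAppKeyFileName`, `sidecarAppCertFileName`), but none of them is declared or defaulted here, so an install that omits them renders `secretName: ""` and empty `ENVOY_*` env values and the sidecar only fails at run time; declare them in this file (empty, with a comment saying they are mandatory) and wrap the template reads in `required`. Only `probes.envoy.readinessProbe` is added although the deployment also defines a liveness probe for the sidecar, so either a `probes.envoy.livenessProbe` stanza or a comment that the liveness probe reuses these values is needed. `service.port: 8050` is removed; if any other template in the chart still reads `.Values.service.port` it now renders empty, which is not visible from this diff.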
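--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,29 @@
+version: "3.9"
+
+services:
+app:
+build:
+context: .
+dockerfile: Dockerfile.app
+args:
+APP_VERSION: ${APP_VERSION}
+image: proj-eric-oss-drop/eric-oss-hello-world-python-app:${APP_VERSION}
+container_name: eric-oss-hello-world-python-app
+ports:
+- "8050:8050" # expose app port
+restart: unless-stopped
+
+envoy:
+build:
+context: .
+dockerfile: Dockerfile.envoy
+args:
+APP_VERSION: ${APP_VERSION}
+image: proj-eric-oss-drop/envoy:${APP_VERSION}
+container_name: envoy
+depends_on:
+- app
+ports:
+- "8080:8080" # HTTP
+- "8443:8443" # HTTPS
+restart: unless-stopped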
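Review bot: `ports: - "8050:8050"` publishes the app container directly on the host, so any client can bypass the Envoy mTLS listener entirely; if the sidecar is meant to be the only entry point, replace it with `expose: - "8050"` (or drop it) and publish only Envoy's 8080/8443. Separately, the new envoy.yaml points its cluster at `127.0.0.1:8050`, which under Compose is the envoy container's own loopback and not the `app` service, so the proxy would not reach the app without `network_mode: "service:app"` on the envoy service (or a cluster address of `app:8050`, which then diverges from the Kubernetes sidecar layout). Nothing mounts `envoy.yaml` or the certificate files into the `envoy` container either, so `-c /etc/envoy/envoy.yaml` falls back to whatever the base image ships at that path. `APP_VERSION` is passed as a build arg to `Dockerfile.envoy`, which declares no `ARG`, so it is silently unused, and `version: "3.9"` is ignored with a warning by Compose v2 and can be removed.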