diff --git a/make/auth.mk b/make/auth.mk
index a92cb7df..e5d57cc2 100644
--- a/make/auth.mk
+++ b/make/auth.mk
@@ -74,9 +74,15 @@ deploy-limitador:
 .PHONY: user-apps
+
+ifeq (true,$(TLS_ENABLED))
+ENVOY_OVERLAY = tls
+else
+ENVOY_OVERLAY = notls
+endif
 user-apps: ## Deploys talker API and envoy
 kubectl -n $(NAMESPACE) apply -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/talker-api/talker-api-deploy.yaml
- kubectl -n $(NAMESPACE) apply -f $(PROJECT_PATH)/utils/deploy/envoy-tls.yaml
+ kubectl -n $(NAMESPACE) apply -f $(PROJECT_PATH)/utils/deploy/envoy-$(ENVOY_OVERLAY).yaml
 ##@ Util
diff --git a/utils/deploy/envoy-notls.yaml b/utils/deploy/envoy-notls.yaml
new file mode 100644
index 00000000..263d3652
--- /dev/null
+++ b/utils/deploy/envoy-notls.yaml
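Review bot: With `ifeq (true,$(TLS_ENABLED))` the overlay falls through to `notls` whenever TLS_ENABLED is unset, so a plain `make user-apps` now deploys the plaintext Envoy where the removed line always applied `envoy-tls.yaml`; unless TLS_ENABLED is given a default earlier in the makefile (not visible in this hunk), add `TLS_ENABLED ?= true` above the conditional so the default stays TLS and opting out is an explicit choice. The selection should also be simply-expanded and tolerant of whitespace passed on the command line: `ENVOY_OVERLAY := $(if $(filter true,$(TLS_ENABLED)),tls,notls)` replaces the five-line `ifeq` block. The `##` help text on `user-apps` is the natural place to surface the knob, e.g. `## Deploys talker API and envoy (TLS_ENABLED=true|false picks the envoy overlay)`.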
@@ -0,0 +1,269 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app: envoy
+ name: envoy
+data:
+ envoy.yaml: |
+ static_resources:
+ clusters:
+ - name: authorino_wasm
+ connect_timeout: 1s
+ type: STRICT_DNS
+ lb_policy: ROUND_ROBIN
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicit_http_config:
+ http2_protocol_options: { }
+ load_assignment:
+ cluster_name: authorino_wasm
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: authorino-authorino-authorization
+ port_value: 50051
+ - name: limitador
+ connect_timeout: 1s
+ type: STRICT_DNS
+ lb_policy: ROUND_ROBIN
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicit_http_config:
+ http2_protocol_options: { }
+ load_assignment:
+ cluster_name: limitador
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: limitador
+ port_value: 8081
+ - name: talker-api
+ connect_timeout: 0.25s
+ type: STRICT_DNS
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: talker-api
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: talker-api
+ port_value: 3000
+ - name: talker-web
+ connect_timeout: 0.25s
+ type: STRICT_DNS
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: talker-web
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: talker-web
+ port_value: 8888
+ - name: opentelemetry
+ connect_timeout: 0.25s
+ type: STRICT_DNS
+ lb_policy: ROUND_ROBIN
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicit_http_config:
+ http2_protocol_options: { }
+ load_assignment:
+ cluster_name: opentelemetry
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: otel-collector
+ port_value: 4317
+ listeners:
+ - address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 8000
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: local
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: local_service
+ domains: [ '*' ]
+ routes:
+ - match: { prefix: / }
+ route:
+ cluster: talker-api
+ http_filters:
+ - name: envoy.filters.http.header_to_metadata
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.header_to_metadata.v3.Config
+ request_rules:
+ - header: x-dyn-user-id
+ on_header_present:
+ key: user_id
+ type: STRING
+ remove: false
+ - name: envoy.filters.http.wasm
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ config:
+ name: kuadrant_wasm
+ root_id: kuadrant_wasm
+ vm_config:
+ vm_id: vm.sentinel.kuadrant_wasm
+ runtime: envoy.wasm.runtime.v8
+ code:
+ local:
+ filename: /opt/kuadrant/wasm/wasm_shim.wasm
+ allow_precompiled: true
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: >
+ {
+ "failureMode": "deny",
+ "rateLimitPolicies": [
+ {
+ "name": "rlp-ns-A/rlp-name-A",
+ "domain": "rlp-ns-A/rlp-name-A",
+ "service": "authorino_wasm",
+ "hostnames": ["*.a.com"],
+ "rules": [
+ {
+ "conditions": [
+ {
+ "allOf": [
+ {
+ "selector": "request.host",
+ "operator": "eq",
+ "value": "test.a.com"
+ }
+ ]
+ }
+ ],
+ "data": [
+ {
+ "static": {
+ "key": "limit_to_be_activated",
+ "value": "1"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+ # # Uncomment to enable tracing
+ # tracing:
+ # provider:
+ # name: envoy.tracers.opentelemetry
+ # typed_config:
+ # "@type": type.googleapis.com/envoy.config.trace.v3.OpenTelemetryConfig
+ # grpc_service:
+ # envoy_grpc:
+ # cluster_name: opentelemetry
+ # timeout: 1s
+ # service_name: envoy
+ admin:
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 8001
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: envoy
+ name: envoy
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: envoy
+ template:
+ metadata:
+ labels:
+ app: envoy
+ spec:
+ containers:
+ - args:
+ - --config-path /usr/local/etc/envoy/envoy.yaml
+ - --service-cluster front-proxy
+ - --log-level info
+ - --component-log-level wasm:debug,filter:trace,http:debug,router:debug
+ command:
+ - /usr/local/bin/envoy
+ image: envoyproxy/envoy:v1.31-latest
+ name: envoy
+ ports:
+ - containerPort: 8000
+ name: web
+ - containerPort: 8001
+ name: admin
+ volumeMounts:
+ - mountPath: /usr/local/etc/envoy
+ name: config
+ readOnly: true
+ - mountPath: /opt/kuadrant/wasm
+ name: wasm
+ volumes:
+ - configMap:
+ items:
+ - key: envoy.yaml
+ path: envoy.yaml
+ name: envoy
+ name: config
+ - name: wasm
+ hostPath:
+ path: /opt/kuadrant/wasm
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: envoy
+ name: envoy
+spec:
+ ports:
+ - name: web
+ port: 8000
+ protocol: TCP
+ selector:
+ app: envoy
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-wildcard-host
+spec:
+ rules:
+ - host: talker-api.127.0.0.1.nip.io
+ http:
+ paths:
+ - backend:
+ service:
+ name: envoy
+ port:
+ number: 8000
+ path: /
+ pathType: Prefix
diff --git a/utils/deploy/envoy.yaml b/utils/deploy/envoy-tls.yaml
similarity index 80%
rename from utils/deploy/envoy.yaml
rename to utils/deploy/envoy-tls.yaml
index fd5f3b20..3b4d76b1 100644
--- a/utils/deploy/envoy.yaml
+++ b/utils/deploy/envoy-tls.yaml
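Review bot: The `admin:` block in the new ConfigMap binds `address: 0.0.0.0` on port 8001 and the Deployment publishes it as the `admin` containerPort, so Envoy's unauthenticated admin API (config dump and runtime control endpoints) is reachable from any workload that can reach the pod IP, even though the Service only exposes 8000. Nothing in this manifest consumes 8001, so `address: 127.0.0.1` keeps it usable through `kubectl exec` or `port-forward` without exposing it cluster-wide; if a scraper does depend on it, a comment beside the listener saying so would justify the wider bind. The same `admin:` block exists in envoy-tls.yaml and would take the same change. The `wasm` volume is a `hostPath` mount with no hint of who places `wasm_shim.wasm` at `/opt/kuadrant/wasm` on the node; a one-line comment such as `# wasm_shim.wasm is expected on the node at this path — populated by the local dev setup (confirm)` would save the next reader a search.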
@@ -8,13 +8,17 @@ data: envoy.yaml: | static_resources: clusters: - - name: authorino - connect_timeout: 0.25s + - name: authorino_wasm + connect_timeout: 1s type: STRICT_DNS lb_policy: ROUND_ROBIN - http2_protocol_options: { } + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: { } load_assignment: - cluster_name: authorino + cluster_name: authorino_wasm endpoints: - lb_endpoints: - endpoint: @@ -34,7 +38,11 @@ data: connect_timeout: 1s type: STRICT_DNS lb_policy: ROUND_ROBIN - http2_protocol_options: { } + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: { } load_assignment: cluster_name: limitador endpoints: @@ -74,7 +82,11 @@ data: connect_timeout: 0.25s type: STRICT_DNS lb_policy: ROUND_ROBIN - http2_protocol_options: { } + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: { } load_assignment: cluster_name: opentelemetry endpoints: @@ -91,7 +103,7 @@ data: port_value: 8000 filter_chains: - filters: - - name: envoy.http_connection_manager + - name: envoy.filters.network.http_connection_manager typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: local 
@@ -102,25 +114,9 @@ data: - name: local_service domains: [ '*' ] routes: - - match: { prefix: /web } - route: - cluster: talker-web - typed_per_filter_config: - envoy.filters.http.ext_authz: - "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute - disabled: true - match: { prefix: / } route: cluster: talker-api - rate_limits: - - actions: - - metadata: - metadata_key: - key: "envoy.filters.http.ext_authz" - path: - - key: ext_auth_data - - key: username - descriptor_key: user_id http_filters: - name: envoy.filters.http.header_to_metadata typed_config: @@ -153,14 +149,26 @@ data: { "name": "rlp-ns-A/rlp-name-A", "domain": "rlp-ns-A/rlp-name-A", - "service": "authorino", + "service": "authorino_wasm", "hostnames": ["*.a.com"], "rules": [ { + "conditions": [ + { + "allOf": [ + { + "selector": "request.host", + "operator": "eq", + "value": "test.a.com" + } + ] + } + ], "data": [ { - "selector": { - "selector": "unknown.path" + "static": { + "key": "limit_to_be_activated", + "value": "1" } } ] @@ -185,7 +193,6 @@ data: # timeout: 1s # service_name: envoy admin: - access_log_path: "/tmp/admin_access.log" address: socket_address: address: 0.0.0.0 @@ -212,10 +219,10 @@ spec: - --config-path /usr/local/etc/envoy/envoy.yaml - --service-cluster front-proxy - --log-level info - - --component-log-level filter:trace,http:debug,router:debug + - --component-log-level wasm:debug,filter:trace,http:debug,router:debug command: - /usr/local/bin/envoy - image: envoyproxy/envoy:v1.25-latest + image: envoyproxy/envoy:v1.31-latest name: envoy ports: - containerPort: 8000
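Review bot: `image: envoyproxy/envoy:v1.31-latest` in the last hunk is a floating tag, so the manifest resolves to a different binary whenever the 1.31 line gets a patch release and the wasm shim ends up validated against one build and run against another; pin an exact patch tag or a digest (`image: envoyproxy/envoy:v1.31.<patch>` — placeholder, use the release actually tested) and bump it deliberately. The same tag is introduced in the new envoy-notls.yaml, so both files need the pin. The added `--component-log-level wasm:debug,filter:trace,http:debug,router:debug` makes the HTTP connection manager log request headers, credentials included, into pod logs; a comment on the args list marking this manifest as a local test fixture would stop the setting from being copied into a non-dev overlay. The Deployment's container spec continues past the end of this hunk.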