From d8cc9d522125c5fd4cefd7553c986cd59c31d9e6 Mon Sep 17 00:00:00 2001 From: Brooks Cunningham Date: Tue, 18 Feb 2025 12:05:25 -0600 Subject: [PATCH] Updates --- .github/workflows/ngwaf-envoy.yaml | 2 +- .../envoy-deployment.yaml | 201 ++++++++++++++++++ 2 files changed, 202 insertions(+), 1 deletion(-) create mode 100644 on-prem-ngwaf-integrations/envoy-deployment.yaml diff --git a/.github/workflows/ngwaf-envoy.yaml b/.github/workflows/ngwaf-envoy.yaml index 6a30ff6..3c939cd 100644 --- a/.github/workflows/ngwaf-envoy.yaml +++ b/.github/workflows/ngwaf-envoy.yaml @@ -29,7 +29,7 @@ jobs: --from-literal=secretaccesskey=${{ secrets.NGWAF_STAGING_SECRETACCESSKEY }} - name: Deploy Envoy resources from file - run: kubectl apply -f k8s/envoy-deployment.yaml + run: kubectl apply -f on-prem-ngwaf-integrations/envoy-deployment.yaml - name: Wait for Envoy rollout run: kubectl rollout status deployment/envoy-waf-deployment --timeout=30s diff --git a/on-prem-ngwaf-integrations/envoy-deployment.yaml b/on-prem-ngwaf-integrations/envoy-deployment.yaml new file mode 100644 index 0000000..c6ff842 --- /dev/null +++ b/on-prem-ngwaf-integrations/envoy-deployment.yaml @@ -0,0 +1,201 @@ +# ConfigMap: Contains the updated Envoy configuration with ext_authz integration. +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-config +data: + envoy.yaml: | + node: + id: proxy-node + cluster: proxy-cluster + static_resources: + listeners: + - name: listener_0 + address: + socket_address: + address: 0.0.0.0 + port_value: 10000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + route_config: + name: local_route + virtual_hosts: + - name: backend + domains: ["*"] + routes: + - match: + prefix: "/" + route: + cluster: edge_cluster + host_rewrite_literal: "http.edgecompute.app" + cors: + allow_origin_string_match: + - prefix: "*" + allow_methods: GET, PUT, DELETE, POST, OPTIONS + allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout + max_age: "1728000" + expose_headers: custom-header-1,grpc-status,grpc-message + + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog + - name: envoy.http_grpc_access_log + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig + common_config: + log_name: "sigsci-agent-grpc" + transport_api_version: V3 + grpc_service: + envoy_grpc: + cluster_name: sigsci-agent-grpc + timeout: 0.2s + additional_request_headers_to_log: + # These sigsci-agent headers are required for correct processing: + - "x-sigsci-request-id" + - "x-sigsci-waf-response" + # Optionally, additional headers can be added that should be recorded: + - "accept" + - "content-type" + - "content-length" + additional_response_headers_to_log: + - "date" + - "server" + - "content-type" + - "content-length" + + + http_filters: + # ext_authz filter calls the NGWAF agent via gRPC. + - name: envoy.filters.http.ext_authz + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + transport_api_version: V3 + grpc_service: + envoy_grpc: + cluster_name: sigsci-agent-grpc + failure_mode_allow: false + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + clusters: + # Cluster for forwarding requests to https://http.edgecompute.app. + - name: edge_cluster + connect_timeout: 0.25s + type: LOGICAL_DNS + lb_policy: ROUND_ROBIN + dns_lookup_family: V4_ONLY + http2_protocol_options: {} + load_assignment: + cluster_name: edge_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: http.edgecompute.app + port_value: 443 + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: "http.edgecompute.app" + # Cluster used by the ext_authz filter to contact the NGWAF agent. + - name: sigsci-agent-grpc + connect_timeout: 0.25s + type: STATIC + lb_policy: ROUND_ROBIN + http2_protocol_options: {} # <--- This tells Envoy to use HTTP/2 for gRPC + load_assignment: + cluster_name: sigsci-agent-grpc + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + # Both containers share the same network namespace. + address: 127.0.0.1 + port_value: 9999 + +--- + +# Deployment: Combines the Envoy proxy and the Next‑Gen WAF Agent sidecar. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-waf-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: envoy-waf + template: + metadata: + labels: + app: envoy-waf + spec: + containers: + # Envoy container – set to use debug logging for detailed output. + - name: envoy + image: envoyproxy/envoy:v1.22-latest + args: + - "-c" + - "/etc/envoy/envoy.yaml" + - "-l" + - "debug" # Change to "trace" for even more verbosity. + ports: + - containerPort: 10000 + volumeMounts: + - name: envoy-config + mountPath: /etc/envoy + # Next‑Gen WAF Agent container (sigsci-agent) configured for ext_authz (gRPC mode). + - name: sigsci-agent + image: signalsciences/sigsci-agent:latest + imagePullPolicy: IfNotPresent + env: + - name: SIGSCI_ACCESSKEYID + valueFrom: + secretKeyRef: + name: sigsci.my-site-name-here + key: accesskeyid + - name: SIGSCI_SECRETACCESSKEY + valueFrom: + secretKeyRef: + name: sigsci.my-site-name-here + key: secretaccesskey + # Instruct the agent to expect response data and configure its gRPC address. + - name: SIGSCI_ENVOY_EXPECT_RESPONSE_DATA + value: "1" + - name: SIGSCI_ENVOY_GRPC_ADDRESS + value: "localhost:9999" + - name: SIGSCI_DEBUG_ALL_THE_THINGS + value: "true" + - name: SIGSCI_WAF_DATA_LOG + value: "/dev/stdout" + ports: + - containerPort: 9999 + securityContext: + readOnlyRootFilesystem: true + volumes: + - name: envoy-config + configMap: + name: envoy-config + +--- + +# Service: Exposes the Envoy listener on port 10000. +apiVersion: v1 +kind: Service +metadata: + name: envoy +spec: + selector: + app: envoy-waf + ports: + - protocol: TCP + port: 10000 + targetPort: 10000 \ No newline at end of file