From e40821948b4e039a8294d38caa6b88f01cde6271 Mon Sep 17 00:00:00 2001 From: Harry Walter Date: Tue, 12 Jul 2022 10:39:56 +0100 Subject: [PATCH 01/11] Create demo version of service-policy --- helm-chart/service-policy-demo/.helmignore | 23 +++ helm-chart/service-policy-demo/Chart.yaml | 6 + .../service-policy-demo/templates/NOTES.txt | 43 ++++++ .../templates/_helpers.tpl | 62 ++++++++ .../templates/cert-manager.yaml | 75 +++++++++ .../templates/globalconfig.yaml | 51 +++++++ .../templates/httpbin.yaml | 26 ++++ .../templates/httpfilter-healthcheck.yaml | 17 +++ .../templates/service-filters.yaml | 143 ++++++++++++++++++ .../templates/service-gatewayhost-notls.yaml | 86 +++++++++++ .../templates/service-gatewayhost.yaml | 80 ++++++++++ .../templates/tests/test-connection.yaml | 15 ++ helm-chart/service-policy-demo/values.yaml | 117 ++++++++++++++ 13 files changed, 744 insertions(+) create mode 100644 helm-chart/service-policy-demo/.helmignore create mode 100644 helm-chart/service-policy-demo/Chart.yaml create mode 100644 helm-chart/service-policy-demo/templates/NOTES.txt create mode 100644 helm-chart/service-policy-demo/templates/_helpers.tpl create mode 100644 helm-chart/service-policy-demo/templates/cert-manager.yaml create mode 100644 helm-chart/service-policy-demo/templates/globalconfig.yaml create mode 100644 helm-chart/service-policy-demo/templates/httpbin.yaml create mode 100644 helm-chart/service-policy-demo/templates/httpfilter-healthcheck.yaml create mode 100644 helm-chart/service-policy-demo/templates/service-filters.yaml create mode 100644 helm-chart/service-policy-demo/templates/service-gatewayhost-notls.yaml create mode 100644 helm-chart/service-policy-demo/templates/service-gatewayhost.yaml create mode 100644 helm-chart/service-policy-demo/templates/tests/test-connection.yaml create mode 100644 helm-chart/service-policy-demo/values.yaml 
diff --git a/helm-chart/service-policy-demo/.helmignore b/helm-chart/service-policy-demo/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/helm-chart/service-policy-demo/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm-chart/service-policy-demo/Chart.yaml b/helm-chart/service-policy-demo/Chart.yaml
new file mode 100644
index 0000000..d6d074c
--- /dev/null
+++ b/helm-chart/service-policy-demo/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: service-policy
+description: Service L7 Policy using EnRoute API Gateway
+type: application
+version: 0.4.0
+appVersion: v0.10.0
diff --git a/helm-chart/service-policy-demo/templates/NOTES.txt b/helm-chart/service-policy-demo/templates/NOTES.txt
new file mode 100644
index 0000000..057d98f
--- /dev/null
+++ b/helm-chart/service-policy-demo/templates/NOTES.txt
@@ -0,0 +1,43 @@ + +------------------ Configuration Graph ----------------------------------- +Filters enabled for service [{{ .Values.service.name }}] +{{- if .Values.filters.lua.enable }} + | + {{ .Values.service.name }}-{{ .Values.service.port }}-luatestfilter + kubectl edit -n {{ .Release.Namespace }} httpfilters.enroute.saaras.io {{ .Values.service.name }}-{{ .Values.service.port }}-luatestfilter +{{- end }} +{{- if .Values.filters.cors.enable }} + | + {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter + kubectl edit -n {{ .Release.Namespace }} httpfilters.enroute.saaras.io {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter +{{- end }} +{{- if .Values.filters.jwt.enable }} + | + {{ .Values.service.name }}-{{ .Values.service.port }}-jwtfilter + kubectl edit -n {{ .Release.Namespace }} httpfilters.enroute.saaras.io {{ .Values.service.name }}-{{ .Values.service.port }}-jwtfilter +{{- end }} +{{- if .Values.filters.ratelimit.enable }} + | + {{ .Values.service.name }}-{{ .Values.service.port }}-rl2 + kubectl edit -n {{ .Release.Namespace }} routefilters.enroute.saaras.io {{ .Values.service.name }}-{{ .Values.service.port }}-rl2 (per-route ratelimit) + kubectl edit -n {{ .Release.Namespace }} globalconfigs.enroute.saaras.io {{ .Values.service.name }}-rl-global-config (ratelimit engine global config) +{{- end }} +{{- if .Values.filters.circuitbreakers.enable }} + | + {{ .Values.service.name }}-{{ .Values.service.port }}-circuitbreakers + kubectl edit -n {{ .Release.Namespace }} routefilters.enroute.saaras.io {{ .Values.service.name }}-{{ .Values.service.port }}-circuitbreakers +{{- end }} +{{- if .Values.filters.healthcheck.enable }} + | + {{ .Values.service.name }}-{{ .Values.service.port }}-healthcheckfilter + kubectl edit -n {{ .Release.Namespace }} httpfilters.enroute.saaras.io {{ .Values.service.name }}-{{ .Values.service.port }}-healthcheckfilter +{{- end }} + + +𝙴𝚗𝚁𝚘𝚞𝚝𝚎 Community Edition Service Policy 
+---------------------------------------- +Request an evaluation license for enterprise version - contact@saaras.io + +Slack Channel - https://slack.saaras.io +Getting Started Guide - https://getenroute.io/docs/getting-started-enroute-ingress-controller/ +EnRoute Features - https://getenroute.io/features/ diff --git a/helm-chart/service-policy-demo/templates/_helpers.tpl b/helm-chart/service-policy-demo/templates/_helpers.tpl new file mode 100644 index 0000000..ccd7903 --- /dev/null +++ b/helm-chart/service-policy-demo/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "service-policy.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "service-policy.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "service-policy.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "service-policy.labels" -}} +helm.sh/chart: {{ include "service-policy.chart" . }} +{{ include "service-policy.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "service-policy.selectorLabels" -}} +app.kubernetes.io/name: {{ include "service-policy.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "service-policy.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "service-policy.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/helm-chart/service-policy-demo/templates/cert-manager.yaml b/helm-chart/service-policy-demo/templates/cert-manager.yaml new file mode 100644 index 0000000..99e66fb --- /dev/null +++ b/helm-chart/service-policy-demo/templates/cert-manager.yaml @@ -0,0 +1,75 @@ +{{- if .Values.autoTLS.createIssuers }} +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging + namespace: cert-manager +spec: + acme: + email: {{ .Values.autoTLS.email }} + privateKeySecretRef: + name: letsencrypt-staging + server: https://acme-staging-v02.api.letsencrypt.org/directory + solvers: + - http01: + ingress: + class: enroute + selector: {} +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod + namespace: cert-manager +spec: + acme: + email: {{ .Values.autoTLS.email }} + privateKeySecretRef: + {{- if .Values.autoTLS.enableProd }} + name: letsencrypt-prod + {{- else }} + name: letsencrypt-staging + {{- end }} + server: https://acme-v02.api.letsencrypt.org/directory + solvers: + - http01: + ingress: + class: enroute + selector: {} +{{- end }} +--- +{{- if or .Values.autoTLS.issueCert .Values.service.enableTLS }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.autoTLS.certificateCN }} + namespace: {{ .Release.Namespace }} +spec: + commonName: {{ .Values.autoTLS.certificateCN }} + dnsNames: + - {{ .Values.autoTLS.certificateCN }} + issuerRef: + {{- if .Values.autoTLS.enableProd }} + name: letsencrypt-prod + {{- else }} + name: letsencrypt-staging + {{- end }} + kind: ClusterIssuer + secretName: {{ .Values.autoTLS.certificateCN }} +--- +{{- if .Values.autoTLS.createChallengeService }} +apiVersion: v1 +kind: Service +metadata: + name: acme-challenge-service + namespace: {{ .Release.Namespace }} +spec: + ports: + - port: 80 + targetPort: 8089 + selector: + acme.cert-manager.io/http01-solver: "true" +{{- end }} +--- +{{- end }} 
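Review bot: The `letsencrypt-prod` ClusterIssuer keeps `server: https://acme-v02.api.letsencrypt.org/directory` on both branches of `autoTLS.enableProd`, so the toggle only changes which secret holds the ACME account key (`letsencrypt-staging` when false) while the issuer still registers against the production endpoint, and that staging secret then serves two issuers talking to different ACME servers. Since the Certificate's `issuerRef` already selects prod or staging from the same flag, the branch inside the prod issuer can simply be `name: letsencrypt-prod`. ClusterIssuer is cluster-scoped, so the `namespace: cert-manager` entries on both issuers are at best ignored and are worth removing. Templated scalars such as `email: {{ .Values.autoTLS.email }}` and the `dnsNames` entry should be quoted, e.g. `email: {{ .Values.autoTLS.email | quote }}`, so an empty or odd-looking value cannot change the YAML type.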
diff --git a/helm-chart/service-policy-demo/templates/globalconfig.yaml b/helm-chart/service-policy-demo/templates/globalconfig.yaml new file mode 100644 index 0000000..cce6f13 --- /dev/null +++ b/helm-chart/service-policy-demo/templates/globalconfig.yaml @@ -0,0 +1,51 @@ +{{- if .Values.service.createGlobalConfig -}} +--- +apiVersion: enroute.saaras.io/v1 +kind: GlobalConfig +metadata: + labels: + app: {{ .Values.service.name }}-app + name: {{ .Values.service.name }}-rl-global-config + namespace: {{ .Release.Namespace }} +spec: + name: {{ .Values.service.name }}-rl-global-config + type: globalconfig_ratelimit +# for every xff, with proto https for default_route, enforce 2rps +# enroute_x-forwarded-for_10.0.20.90_x-forwarded-proto_https_generic_key_default_route_1617919413 + config: | + { + "domain": "enroute", + "descriptors" : + [ + { + "key": "x-forwarded-for", + "descriptors" : + [ + { + "key" : "x-forwarded-proto", + "value" : "http", + "descriptors" : [ + { + "key" : "generic_key", + "value" : "default_route", + "rate_limit" : { "unit" : "second", "requests_per_unit" : 5 } + } + ] + }, + { + "key" : "x-forwarded-proto", + "value" : "https", + "descriptors" : [ + { + "key" : "generic_key", + "value" : "default_route", + "rate_limit" : { "unit" : "second", "requests_per_unit" : 2 } + } + ] + } + ] + } + ] + } +{{- end -}} + diff --git a/helm-chart/service-policy-demo/templates/httpbin.yaml b/helm-chart/service-policy-demo/templates/httpbin.yaml new file mode 100644 index 0000000..775ee11 --- /dev/null +++ b/helm-chart/service-policy-demo/templates/httpbin.yaml 
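Review bot: The descriptors in the `config: |` block hard-code `requests_per_unit` 5 for http and 2 for https while values.yaml exposes only `filters.ratelimit.enable`, so operators cannot tune the limit without forking the template; the comment above the block (`enforce 2rps`) also describes only the https branch. Consider values (for example `filters.ratelimit.httpRps` / `httpsRps`, names constructed here) with the current numbers as defaults. The GlobalConfig is gated on `service.createGlobalConfig` rather than on `filters.ratelimit.enable`, so the rate-limit engine config is rendered even when the filter is never attached to a route; if that is intended, a comment on the value saying so would help.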
@@ -0,0 +1,26 @@ +{{- if .Values.installHttpbin }} +apiVersion: v1 +kind: Pod +metadata: + name: httpbin + namespace: {{ .Release.Namespace }} + labels: + app: httpbin +spec: + containers: + - name: httpbin + image: kennethreitz/httpbin + ports: + - containerPort: 80 +--- +apiVersion: v1 +kind: Service +metadata: + name: httpbin + namespace: {{ .Release.Namespace }} +spec: + selector: + app: httpbin + ports: + - port: 80 +{{- end }} diff --git a/helm-chart/service-policy-demo/templates/httpfilter-healthcheck.yaml b/helm-chart/service-policy-demo/templates/httpfilter-healthcheck.yaml new file mode 100644 index 0000000..972251b --- /dev/null +++ b/helm-chart/service-policy-demo/templates/httpfilter-healthcheck.yaml @@ -0,0 +1,17 @@ +{{- if .Values.filters.healthcheck.enable -}} +apiVersion: enroute.saaras.io/v1 +kind: HttpFilter +metadata: + labels: + app: {{ .Values.service.name }}-app + name: {{ .Values.service.name }}-{{ .Values.service.port }}-healthcheckfilter + namespace: {{ .Release.Namespace }} +spec: + name: {{ .Values.service.name }}-{{ .Values.service.port }}-healtcheck + type: http_filter_healthcheck + httpFilterConfig: + config: | + { + "path" : "/healthz" + } +{{- end -}} diff --git a/helm-chart/service-policy-demo/templates/service-filters.yaml b/helm-chart/service-policy-demo/templates/service-filters.yaml new file mode 100644 index 0000000..3cc105b --- /dev/null +++ b/helm-chart/service-policy-demo/templates/service-filters.yaml 
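Review bot: `image: kennethreitz/httpbin` carries no tag or digest, so the demo pod pulls whatever the untagged reference resolves to at install time and the deployment is not reproducible; pin it, e.g. `image: kennethreitz/httpbin:<tag>` (placeholder) or a `@sha256:` digest, and consider a `securityContext` and `resources` block even for a demo workload. The object is a bare `Pod` rather than a Deployment, so it is not rescheduled if its node goes away; acceptable for something gated behind `installHttpbin`, but a one-line comment saying it is demo-only would avoid surprises.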
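Review bot: `spec.name` ends in `-healtcheck` (typo) while `metadata.name` ends in `-healthcheckfilter`, and both GatewayHost templates reference `...-healthcheckfilter`; if EnRoute binds filters by `spec.name`, the health-check filter would never attach. Align the two, e.g. `name: {{ .Values.service.name }}-{{ .Values.service.port }}-healthcheckfilter`. The `"path" : "/healthz"` inside `config: |` is hard-coded; exposing it as a value would let operators match their service's real probe path.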
@@ -0,0 +1,143 @@ +--- +apiVersion: enroute.saaras.io/v1 +kind: RouteFilter +metadata: + labels: + app: {{ .Values.service.name }}-app + name: {{ .Values.service.name }}-{{ .Values.service.port }}-rl2 + namespace: {{ .Release.Namespace }} +spec: + name: {{ .Values.service.name }}-{{ .Values.service.port }}-rl2 + type: route_filter_ratelimit + routeFilterConfig: + config: | + { + "descriptors" : + [ + { "request_headers": { "header_name": "x-forwarded-for", "descriptor_key": "x-forwarded-for" } }, + { "request_headers": { "header_name": "x-forwarded-proto", "descriptor_key": "x-forwarded-proto" } }, + { "generic_key": { "descriptor_value" : "default_route" } } + ] + } +--- +apiVersion: enroute.saaras.io/v1 +kind: HttpFilter +metadata: + labels: + app: {{ .Values.service.name }}-app + name: {{ .Values.service.name }}-{{ .Values.service.port }}-luatestfilter + namespace: {{ .Release.Namespace }} +spec: + name: {{ .Values.service.name }}-{{ .Values.service.port }}-luatestfilter + type: http_filter_lua + httpFilterConfig: + config: | + function envoy_on_request(request_handle) + request_handle:logInfo("Hello World request"); + end + + function envoy_on_response(response_handle) + response_handle:logInfo("Hello World response"); + response_handle:headers():add("Lua-Filter-Says", "Hello") + end +--- +apiVersion: enroute.saaras.io/v1 +kind: HttpFilter +metadata: + labels: + app: {{ .Values.service.name }}-app + name: {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter + namespace: {{ .Release.Namespace }} +spec: + name: {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter + type: http_filter_cors + httpFilterConfig: + config: | + { + "match_condition" : { + "regex" : "\\*" + }, + "access_control_allow_methods" : "GET, OPTIONS", + "access_control_allow_headers" : "Content-Type", + "access_control_expose_headers" : "*", + "access_control_max_age" : "120" + } +--- +apiVersion: enroute.saaras.io/v1 +kind: HttpFilter +metadata: + labels: + app: {{ 
.Values.service.name }}-app + name: {{ .Values.service.name }}-{{ .Values.service.port }}-jwtfilter + namespace: {{ .Release.Namespace }} +spec: + name: {{ .Values.service.name }}-{{ .Values.service.port }}-jwtfilter + type: http_filter_jwt + services: + name: {{ .Values.service.name }}-{{ .Values.service.port }}-externalauth + port: 443 + protocol: tls + httpFilterConfig: + config: | + { + "name" : "auth0", + "jwks_uri" : "https://saaras.auth0.com/.well-known/jwks.json", + "audience" : "api-identifier", + "issuer" : "https://saaras.auth0.com/", + "route" : [{"prefix" : "/"}], + "jwt_service_name" : "auth0", + "jwt_service_port" : 443, + "jwt_forward_header_name" : "x-jwt-token" + } +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.service.name }}-{{ .Values.service.port }}-externalauth + namespace: {{ .Release.Namespace }} +spec: + type: ExternalName + externalName: saaras.auth0.com + ports: + - port: 443 + # important to set protocol name + name: https +--- +apiVersion: enroute.saaras.io/v1 +kind: RouteFilter +metadata: + labels: + app: {{ .Values.service.name }}-app + name: {{ .Values.service.name }}-{{ .Values.service.port }}-circuitbreakers + namespace: {{ .Release.Namespace }} +spec: + name: {{ .Values.service.name }}-{{ .Values.service.port }}-circuitbreakers + type: route_filter_circuitbreakers + routeFilterConfig: + config: | + { + "max_connections" : 100, + "max_pending_requests" : 101, + "max_requests" : 102, + "max_retries" : 103 + } +--- +apiVersion: enroute.saaras.io/v1 +kind: RouteFilter +metadata: + labels: + app: {{ .Values.service.name }}-app + name: {{ .Values.service.name }}-{{ .Values.service.port }}-outlierdetection + namespace: {{ .Release.Namespace }} +spec: + name: {{ .Values.service.name }}-{{ .Values.service.port }}-outlierdetection + type: route_filter_outlierdetection + routeFilterConfig: + config: | + { + "consecutive_5xx" : 5, + "enforcing_consecutive_5xx" : 75, + "consecutive_gateway_failure" : 5, + 
"enforcing_consecutive_gateway_failure" : 75 + } +--- diff --git a/helm-chart/service-policy-demo/templates/service-gatewayhost-notls.yaml b/helm-chart/service-policy-demo/templates/service-gatewayhost-notls.yaml new file mode 100644 index 0000000..b1aec55 --- /dev/null +++ b/helm-chart/service-policy-demo/templates/service-gatewayhost-notls.yaml 
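Review bot: The JWT filter bakes in a third-party identity provider: `jwks_uri`, `issuer` (`https://saaras.auth0.com/`), `audience` (`api-identifier`) and the ExternalName service `saaras.auth0.com` are all fixed in the template, so any deployment that enables `filters.jwt` would validate tokens against that tenant rather than the operator's own IdP. These should come from values with no working default, so the chart fails to render instead of silently trusting an external issuer. Separately, none of the RouteFilter/HttpFilter documents in this file are gated by their `filters.<name>.enable` flag (unlike `httpfilter-healthcheck.yaml`), so the jwt filter, the externalauth Service, CORS and the others are created in the namespace even when disabled; wrapping each document in `{{- if .Values.filters.<name>.enable }}` would keep the rendered resources consistent with the flags. The circuit-breaker and outlier-detection thresholds are likewise hard-coded and would be better as values.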
@@ -0,0 +1,86 @@ +{{- if eq .Values.service.enableTLS false }} +--- +apiVersion: enroute.saaras.io/v1 +kind: GatewayHost +metadata: + labels: + app: {{ .Values.service.name }} + name: {{ .Values.service.name }}-{{ .Values.service.port }}-gatewayhost + namespace: {{ .Release.Namespace }} +spec: + virtualhost: + {{- if eq (len .Values.service.fqdn) 0 }} + fqdn: '*' + {{- else }} + fqdn: {{ quote .Values.service.fqdn }} + {{- end -}} + {{- if .Values.filters.lua.enable }} + filters: + - name: {{ .Values.service.name }}-{{ .Values.service.port }}-luatestfilter + type: http_filter_lua + {{- end }} + {{- if .Values.filters.cors.enable }} + - name: {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter + type: http_filter_cors + {{- end }} + {{- if .Values.filters.healthcheck.enable }} + - name: {{ .Values.service.name }}-{{ .Values.service.port }}-healthcheckfilter + type: http_filter_healthcheck + {{- end }} + {{- if .Values.filters.jwt.enable }} + - name: {{ .Values.service.name }}-{{ .Values.service.port }}-jwtfilter + type: http_filter_jwt + {{- end }} + routes: + {{ if .Values.autoTLS.issueCert }} + - conditions: + - prefix: /.well-known/acme-challenge/ + header: + name: ":method" + exact: "GET" + services: + - name: acme-challenge-service + port: 80 + healthCheck: + healthyThresholdCount: 3 + intervalSeconds: 5 + path: / + host: hc + timeoutSeconds: 3 + unhealthyThresholdCount: 3 + {{- end }} + - conditions: + - prefix: {{ .Values.service.prefix }} + {{- if eq .Values.service.name "hello-enroute" }} + header: + name: ":method" + exact: "GET" + {{- end }} + {{- if or (eq .Values.filters.ratelimit.enable true) (eq .Values.filters.circuitbreakers.enable true) (eq .Values.filters.outlierdetection.enable true) }} + filters: + {{- end }} + {{- if .Values.filters.ratelimit.enable }} + - name: {{ .Values.service.name }}-{{ .Values.service.port }}-rl2 + type: route_filter_ratelimit + {{- end }} + {{- if .Values.filters.circuitbreakers.enable }} + - name: {{ 
.Values.service.name }}-{{ .Values.service.port }}-circuitbreakers + type: route_filter_circuitbreakers + {{- end }} + {{- if .Values.filters.outlierdetection.enable }} + - name: {{ .Values.service.name }}-{{ .Values.service.port }}-outlierdetection + type: route_filter_outlierdetection + {{- end }} + services: + - name: {{ .Values.service.name }} + port: {{ .Values.service.port }} + {{- if .Values.service.httpHealthChecks }} + healthCheck: + healthyThresholdCount: 3 + intervalSeconds: 5 + path: / + host: hc + timeoutSeconds: 3 + unhealthyThresholdCount: 3 + {{- end }} +{{- end }} diff --git a/helm-chart/service-policy-demo/templates/service-gatewayhost.yaml b/helm-chart/service-policy-demo/templates/service-gatewayhost.yaml new file mode 100644 index 0000000..716a84a --- /dev/null +++ b/helm-chart/service-policy-demo/templates/service-gatewayhost.yaml 
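Review bot: When `service.fqdn` is empty the virtualhost renders `fqdn: '*'`, so the chart's default exposes the backend on every host name the gateway receives; a safer default is to require a value, e.g. `fqdn: {{ required "service.fqdn is required" .Values.service.fqdn | quote }}`, or at least to call the wildcard out in values.yaml. The ACME challenge route attaches a `healthCheck` with `path: /` and `host: hc` to `acme-challenge-service`; if the cert-manager solver pod only answers the token path, that probe would mark the endpoint unhealthy and the challenge would never be served, so confirm the probe against the solver's behaviour or drop it. `prefix: {{ .Values.service.prefix }}` should be quoted the way `fqdn` is, since a value containing `: ` or ` #` would otherwise change the YAML structure.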
@@ -0,0 +1,80 @@ +{{- if eq .Values.service.enableTLS true }} +apiVersion: enroute.saaras.io/v1 +kind: GatewayHost +metadata: + labels: + app: {{ .Values.service.name }} + name: {{ .Values.service.name }}-{{ .Values.autoTLS.certificateCN }}-{{ .Values.service.port }}-gatewayhost + namespace: {{ .Release.Namespace }} +spec: + virtualhost: + fqdn: {{ quote .Values.autoTLS.certificateCN }} + {{- if .Values.service.enableTLS }} + tls: + secretName: {{ .Values.autoTLS.certificateCN }} + {{- end }} + {{- if .Values.filters.lua.enable }} + filters: + - name: {{ .Values.service.name }}-{{ .Values.service.port }}-luatestfilter + type: http_filter_lua + {{- end }} + {{- if .Values.filters.cors.enable }} + - name: {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter + type: http_filter_cors + {{- end }} + {{- if .Values.filters.healthcheck.enable }} + - name: {{ .Values.service.name }}-{{ .Values.service.port }}-healthcheckfilter + type: http_filter_healthcheck + {{- end }} + {{- if .Values.filters.jwt.enable }} + - name: {{ .Values.service.name }}-{{ .Values.service.port }}-jwtfilter + type: http_filter_jwt + {{- end }} + routes: + - conditions: + - prefix: /.well-known/acme-challenge/ + header: + name: ":method" + exact: "GET" + services: + - name: acme-challenge-service + port: 80 + healthCheck: + healthyThresholdCount: 3 + intervalSeconds: 5 + path: / + host: hc + timeoutSeconds: 3 + unhealthyThresholdCount: 3 + - conditions: + - prefix: {{ .Values.service.prefix }} + {{- if eq .Values.service.name "hello-enroute" }} + header: + name: ":method" + exact: "GET" + {{- end }} + {{- if or (eq .Values.filters.ratelimit.enable true) (eq .Values.filters.circuitbreakers.enable true) }} + filters: + {{- end }} + {{- if .Values.filters.ratelimit.enable }} + - name: {{ .Values.service.name }}-{{ .Values.service.port }}-rl2 + type: route_filter_ratelimit + {{- end }} + {{- if .Values.filters.circuitbreakers.enable }} + - name: {{ .Values.service.name }}-{{ 
.Values.service.port }}-circuitbreakers + type: route_filter_circuitbreakers + {{- end }} + services: + - name: {{ .Values.service.name }} + port: {{ .Values.service.port }} + {{- if .Values.service.httpHealthChecks }} + healthCheck: + healthyThresholdCount: 3 + intervalSeconds: 5 + path: / + host: hc + timeoutSeconds: 3 + unhealthyThresholdCount: 3 + {{- end }} +--- +{{- end }} diff --git a/helm-chart/service-policy-demo/templates/tests/test-connection.yaml b/helm-chart/service-policy-demo/templates/tests/test-connection.yaml new file mode 100644 index 0000000..b9e7c6f --- /dev/null +++ b/helm-chart/service-policy-demo/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "service-policy.fullname" . }}-test-connection" + labels: + {{- include "service-policy.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "service-policy.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/helm-chart/service-policy-demo/values.yaml b/helm-chart/service-policy-demo/values.yaml new file mode 100644 index 0000000..55b5bda --- /dev/null +++ b/helm-chart/service-policy-demo/values.yaml 
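Review bot: The route-level `filters:` guard here is `or (eq .Values.filters.ratelimit.enable true) (eq .Values.filters.circuitbreakers.enable true)` and no `-outlierdetection` entry follows, whereas `service-gatewayhost-notls.yaml` includes `filters.outlierdetection.enable` in the guard and emits the entry; with TLS enabled the outlier-detection RouteFilter is created but never attached. Add the missing block so the two templates agree. The `/.well-known/acme-challenge/` route is also unconditional here while the non-TLS template wraps it in `{{ if .Values.autoTLS.issueCert }}`; with `issueCert: false` it points at `acme-challenge-service`, which may not exist. The inner `{{- if .Values.service.enableTLS }}` around `tls:` is redundant inside a file already gated on `enableTLS true`.
```yaml
      {{- if or (eq .Values.filters.ratelimit.enable true) (eq .Values.filters.circuitbreakers.enable true) (eq .Values.filters.outlierdetection.enable true) }}
      filters:
      {{- end }}
      # … unchanged: ratelimit and circuitbreakers filter entries …
      {{- if .Values.filters.outlierdetection.enable }}
      - name: {{ .Values.service.name }}-{{ .Values.service.port }}-outlierdetection
        type: route_filter_outlierdetection
      {{- end }}
```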
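Review bot: The connection test targets `{{ include "service-policy.fullname" . }}:{{ .Values.service.port }}`, but nothing in this chart creates a Service named after the release fullname; the backend the chart configures policy for is `.Values.service.name`, so `helm test` would fail to resolve the name or probe an unrelated object. Point the args at the real service, `args: ['{{ .Values.service.name }}:{{ .Values.service.port }}']`, or drop the scaffolded test. `image: busybox` is unpinned as well; a tag or digest keeps the test reproducible.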
@@ -0,0 +1,117 @@ +# Default values for service-policy +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: nginx + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +filters: + lua: + enable: true + ratelimit: + enable: true + cors: + enable: false + jwt: + enable: false + circuitbreakers: + enable: false + outlierdetection: + enable: false + healthcheck: + enable: false + +installHttpbin: false + +service: + name: default-service-name + port: 80 + fqdn: '' + enableTLS: false + prefix: /default-service-prefix + createGlobalConfig: true + httpHealthChecks: false + +autoTLS: + issueCert: false + certificateCN: 'default-certificate-CN' + enableProd: false + createIssuers: false + createChallengeService: true + email: contact@example.com + +globalSettings: + nameOverride: "" + fullnameOverride: "" From a277dc7ee861fa2cd861e1d96d148b72e74b93bb Mon Sep 17 00:00:00 2001 From: Harry Walter Date: Tue, 12 Jul 2022 10:40:19 +0100 Subject: [PATCH 02/11] Rename --- helm-chart/service-policy/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/helm-chart/service-policy/Chart.yaml b/helm-chart/service-policy/Chart.yaml index d6d074c..4507257 100644 --- a/helm-chart/service-policy/Chart.yaml +++ b/helm-chart/service-policy/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 -name: service-policy -description: Service L7 Policy using EnRoute API Gateway +name: service-policy-demo +description: Service L7 Demo Policy using EnRoute API Gateway type: application version: 0.4.0 appVersion: v0.10.0 From 5fc2e6ddebcfc8b4f2f376cc2c8c3645213048ab Mon Sep 17 00:00:00 2001 From: Harry Walter Date: Tue, 12 Jul 2022 10:40:59 +0100 Subject: [PATCH 03/11] Remove demo service --- .../service-policy/templates/httpbin.yaml | 26 ------------------- 1 file changed, 26 deletions(-) delete mode 100644 helm-chart/service-policy/templates/httpbin.yaml 
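Review bot: `autoTLS.certificateCN: 'default-certificate-CN'` is reused as `metadata.name` and `secretName` of the Certificate and inside the GatewayHost name, and Kubernetes object names must be lowercase RFC 1123 subdomains, so this default is rejected by the API server as soon as `issueCert` or `enableTLS` is turned on. Use a lowercase placeholder, or leave it empty and guard it in the templates with `required`. `autoTLS.email: contact@example.com` is sent to the ACME server as the account contact if nobody overrides it; an empty default with a comment, or `required`, is safer. `service.fqdn: ''` silently selects the wildcard virtualhost in `service-gatewayhost-notls.yaml`, which deserves a comment here so operators know the default is catch-all.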
diff --git a/helm-chart/service-policy/templates/httpbin.yaml b/helm-chart/service-policy/templates/httpbin.yaml deleted file mode 100644 index 775ee11..0000000 --- a/helm-chart/service-policy/templates/httpbin.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if .Values.installHttpbin }} -apiVersion: v1 -kind: Pod -metadata: - name: httpbin - namespace: {{ .Release.Namespace }} - labels: - app: httpbin -spec: - containers: - - name: httpbin - image: kennethreitz/httpbin - ports: - - containerPort: 80 ---- -apiVersion: v1 -kind: Service -metadata: - name: httpbin - namespace: {{ .Release.Namespace }} -spec: - selector: - app: httpbin - ports: - - port: 80 -{{- end }} From 0881068ab468973cdaf69cd0e7f2ce3e7636c9f3 Mon Sep 17 00:00:00 2001 From: Harry Walter Date: Tue, 12 Jul 2022 10:45:08 +0100 Subject: [PATCH 04/11] Remove unused values --- .../templates/service-filters.yaml | 29 +------- helm-chart/service-policy/values.yaml | 73 +------------------ 2 files changed, 5 insertions(+), 97 deletions(-) diff --git a/helm-chart/service-policy/templates/service-filters.yaml b/helm-chart/service-policy/templates/service-filters.yaml index 3cc105b..92f8fa5 100644 --- a/helm-chart/service-policy/templates/service-filters.yaml +++ b/helm-chart/service-policy/templates/service-filters.yaml @@ -11,9 +11,9 @@ spec: type: route_filter_ratelimit routeFilterConfig: config: | - { - "descriptors" : - [ + { + "descriptors" : + [ { "request_headers": { "header_name": "x-forwarded-for", "descriptor_key": "x-forwarded-for" } }, { "request_headers": { "header_name": "x-forwarded-proto", "descriptor_key": "x-forwarded-proto" } }, { "generic_key": { "descriptor_value" : "default_route" } } 
@@ -22,27 +22,6 @@ spec: --- apiVersion: enroute.saaras.io/v1 kind: HttpFilter -metadata: - labels: - app: {{ .Values.service.name }}-app - name: {{ .Values.service.name }}-{{ .Values.service.port }}-luatestfilter - namespace: {{ .Release.Namespace }} -spec: - name: {{ .Values.service.name }}-{{ .Values.service.port }}-luatestfilter - type: http_filter_lua - httpFilterConfig: - config: | - function envoy_on_request(request_handle) - request_handle:logInfo("Hello World request"); - end - - function envoy_on_response(response_handle) - response_handle:logInfo("Hello World response"); - response_handle:headers():add("Lua-Filter-Says", "Hello") - end ---- -apiVersion: enroute.saaras.io/v1 -kind: HttpFilter metadata: labels: app: {{ .Values.service.name }}-app @@ -138,6 +117,6 @@ spec: "consecutive_5xx" : 5, "enforcing_consecutive_5xx" : 75, "consecutive_gateway_failure" : 5, - "enforcing_consecutive_gateway_failure" : 75 + "enforcing_consecutive_gateway_failure" : 75 } --- diff --git a/helm-chart/service-policy/values.yaml b/helm-chart/service-policy/values.yaml index 55b5bda..282cdcb 100644 --- a/helm-chart/service-policy/values.yaml +++ b/helm-chart/service-policy/values.yaml @@ -2,15 +2,6 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -replicaCount: 1 - -image: - repository: nginx - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "" - -imagePullSecrets: [] nameOverride: "" fullnameOverride: "" 
@@ -23,65 +14,9 @@ serviceAccount: # If not set and create is true, a name is generated using the fullname template name: "" -podAnnotations: {} - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -ingress: - enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -nodeSelector: {} - -tolerations: [] - -affinity: {} - filters: - lua: - enable: true ratelimit: - enable: true + enable: false cors: enable: false jwt: @@ -93,8 +28,6 @@ filters: healthcheck: enable: false -installHttpbin: false - service: name: default-service-name port: 80 @@ -111,7 +44,3 @@ autoTLS: createIssuers: false createChallengeService: true email: contact@example.com - -globalSettings: - nameOverride: "" - fullnameOverride: "" From ed6c27eaeb2063500e7b529799e50f39ec1854af Mon Sep 17 00:00:00 2001 
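Review bot: Removing the `filters.lua` block from values.yaml while `service-gatewayhost.yaml` and `service-gatewayhost-notls.yaml` still evaluate `{{- if .Values.filters.lua.enable }}` (those references are only dropped in PATCH 05) leaves this revision unrenderable: `.Values.filters.lua` is now absent, so Helm fails with a nil-pointer evaluation error instead of treating the filter as disabled. The same hunk also changes `ratelimit.enable` from `true` to `false`, which is a default change rather than an unused value and is not mentioned in the "Remove unused values" commit message. Either drop the lua block together with the template references, or keep `lua: { enable: false }` until they are gone.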
From: Harry Walter Date: Tue, 12 Jul 2022 10:50:12 +0100 Subject: [PATCH 05/11] Allow healthchecks to be configurable --- .../templates/service-gatewayhost-notls.yaml | 18 +++++++----------- .../templates/service-gatewayhost.yaml | 18 +++++++----------- helm-chart/service-policy/values.yaml | 9 ++++++++- 3 files changed, 22 insertions(+), 23 deletions(-) diff --git a/helm-chart/service-policy/templates/service-gatewayhost-notls.yaml b/helm-chart/service-policy/templates/service-gatewayhost-notls.yaml index b1aec55..1bd8f81 100644 --- a/helm-chart/service-policy/templates/service-gatewayhost-notls.yaml +++ b/helm-chart/service-policy/templates/service-gatewayhost-notls.yaml @@ -14,11 +14,7 @@ spec: {{- else }} fqdn: {{ quote .Values.service.fqdn }} {{- end -}} - {{- if .Values.filters.lua.enable }} filters: - - name: {{ .Values.service.name }}-{{ .Values.service.port }}-luatestfilter - type: http_filter_lua - {{- end }} {{- if .Values.filters.cors.enable }} - name: {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter type: http_filter_cors @@ -74,13 +70,13 @@ spec: services: - name: {{ .Values.service.name }} port: {{ .Values.service.port }} - {{- if .Values.service.httpHealthChecks }} + {{- if .Values.service.healthcheck.enabled }} healthCheck: - healthyThresholdCount: 3 - intervalSeconds: 5 - path: / - host: hc - timeoutSeconds: 3 - unhealthyThresholdCount: 3 + healthyThresholdCount: {{ .Values.services.healthcheck.healthy | default 3 }} + intervalSeconds: {{ .Values.services.healthcheck.interval | default 5 }} + path: {{ .Values.services.healthcheck.path }} + host: {{ .Values.services.healthcheck.host }} + timeoutSeconds: {{ .Values.services.healthcheck.timeout | default 3 }} + unhealthyThresholdCount: {{ .Values.services.healthcheck.unhealthy | default 3 }} {{- end }} {{- end }} diff --git a/helm-chart/service-policy/templates/service-gatewayhost.yaml b/helm-chart/service-policy/templates/service-gatewayhost.yaml index 716a84a..7f6e978 100644 
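Review bot: The healthCheck block reads `.Values.services.healthcheck.*` (plural `services`) while the guard on the line above and the values.yaml hunk in this commit use `service.healthcheck`, so with the check enabled `.Values.services` is nil and the render fails; the field names also differ (`healthy`/`unhealthy` here, `healthyCount`/`unhealthyCount` in values.yaml), so even with the path fixed the `default 3` would always win. `path` and `host` are emitted unquoted, so an empty value becomes YAML null rather than an empty string. The identical block in `service-gatewayhost.yaml` (`@@ -67,14 +63,14 @@`) has the same problem; the enclosing `services:` list item starts outside the hunk.
```yaml
      {{- if .Values.service.healthcheck.enabled }}
      healthCheck:
        healthyThresholdCount: {{ .Values.service.healthcheck.healthyCount | default 3 }}
        intervalSeconds: {{ .Values.service.healthcheck.interval | default 5 }}
        path: {{ .Values.service.healthcheck.path | quote }}
        host: {{ .Values.service.healthcheck.host | quote }}
        timeoutSeconds: {{ .Values.service.healthcheck.timeout | default 3 }}
        unhealthyThresholdCount: {{ .Values.service.healthcheck.unhealthyCount | default 3 }}
      {{- end }}
```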
--- a/helm-chart/service-policy/templates/service-gatewayhost.yaml +++ b/helm-chart/service-policy/templates/service-gatewayhost.yaml @@ -13,11 +13,7 @@ spec: tls: secretName: {{ .Values.autoTLS.certificateCN }} {{- end }} - {{- if .Values.filters.lua.enable }} filters: - - name: {{ .Values.service.name }}-{{ .Values.service.port }}-luatestfilter - type: http_filter_lua - {{- end }} {{- if .Values.filters.cors.enable }} - name: {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter type: http_filter_cors @@ -67,14 +63,14 @@ spec: services: - name: {{ .Values.service.name }} port: {{ .Values.service.port }} - {{- if .Values.service.httpHealthChecks }} + {{- if .Values.service.healthcheck.enabled }} healthCheck: - healthyThresholdCount: 3 - intervalSeconds: 5 - path: / - host: hc - timeoutSeconds: 3 - unhealthyThresholdCount: 3 + healthyThresholdCount: {{ .Values.services.healthcheck.healthy | default 3 }} + intervalSeconds: {{ .Values.services.healthcheck.interval | default 5 }} + path: {{ .Values.services.healthcheck.path }} + host: {{ .Values.services.healthcheck.host }} + timeoutSeconds: {{ .Values.services.healthcheck.timeout | default 3 }} + unhealthyThresholdCount: {{ .Values.services.healthcheck.unhealthy | default 3 }} {{- end }} --- {{- end }} diff --git a/helm-chart/service-policy/values.yaml b/helm-chart/service-policy/values.yaml index 282cdcb..bd35232 100644 --- a/helm-chart/service-policy/values.yaml +++ b/helm-chart/service-policy/values.yaml @@ -35,7 +35,14 @@ service: enableTLS: false prefix: /default-service-prefix createGlobalConfig: true - httpHealthChecks: false + healthcheck: + enabled: false + path: /healthz + host: hc + healthyCount: 3 + unhealthyCount: 3 + interval: 5 + timeout: 3 autoTLS: issueCert: false From 0aa8bd0392756c588eabfbd664142098e28af2f0 Mon Sep 17 00:00:00 2001 
From: Harry Walter Date: Tue, 12 Jul 2022 10:54:02 +0100 Subject: [PATCH 06/11] Keep rate limit settings together --- helm-chart/service-policy/templates/globalconfig.yaml | 2 +- helm-chart/service-policy/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/helm-chart/service-policy/templates/globalconfig.yaml b/helm-chart/service-policy/templates/globalconfig.yaml index cce6f13..52c779a 100644 --- a/helm-chart/service-policy/templates/globalconfig.yaml +++ b/helm-chart/service-policy/templates/globalconfig.yaml @@ -1,4 +1,4 @@ -{{- if .Values.service.createGlobalConfig -}} +{{- if .Values.service.ratelimit.createGlobalConfig -}} --- apiVersion: enroute.saaras.io/v1 kind: GlobalConfig diff --git a/helm-chart/service-policy/values.yaml b/helm-chart/service-policy/values.yaml index bd35232..27e88a1 100644 --- a/helm-chart/service-policy/values.yaml +++ b/helm-chart/service-policy/values.yaml @@ -17,6 +17,7 @@ serviceAccount: filters: ratelimit: enable: false + createGlobalConfig: true cors: enable: false jwt: @@ -34,7 +35,6 @@ service: fqdn: '' enableTLS: false prefix: /default-service-prefix - createGlobalConfig: true healthcheck: enabled: false path: /healthz From 8fda22f18f32914acb3bd6a80942e4a976c91573 Mon Sep 17 00:00:00 2001 From: Harry Walter Date: Tue, 12 Jul 2022 10:58:42 +0100 Subject: [PATCH 07/11] Rename key --- helm-chart/service-policy/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-chart/service-policy/values.yaml b/helm-chart/service-policy/values.yaml index 27e88a1..90d6d06 100644 --- a/helm-chart/service-policy/values.yaml +++ b/helm-chart/service-policy/values.yaml @@ -36,7 +36,7 @@ service: enableTLS: false prefix: /default-service-prefix healthcheck: - enabled: false + enable: false path: /healthz host: hc healthyCount: 3 From 99356ed3dd2a89f8cce83a7d04ad795ae76a8c0f Mon Sep 17 00:00:00 2001 
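Review bot: The new guard reads `.Values.service.ratelimit.createGlobalConfig`, but the values.yaml hunk in this same commit (`@@ -17,6 +17,7 @@`) adds `createGlobalConfig` under `filters.ratelimit`, not under `service`; since `.Values.service.ratelimit` does not exist, Helm raises a nil-pointer evaluation error here rather than skipping the GlobalConfig. The condition should be `{{- if .Values.filters.ratelimit.createGlobalConfig -}}`.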
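Review bot: Renaming `enabled` to `enable` in values.yaml is not mirrored in the two gatewayhost templates added in PATCH 05, which still test `.Values.service.healthcheck.enabled`; after this commit that key is never set, so the health check block can no longer be turned on from values. The templates should be changed to `{{- if .Values.service.healthcheck.enable }}` in the same commit as the rename.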
From: Harry Walter Date: Tue, 12 Jul 2022 10:59:03 +0100 Subject: [PATCH 08/11] Enable global config if ratelimit enabled --- helm-chart/service-policy/templates/globalconfig.yaml | 2 +- helm-chart/service-policy/values.yaml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/helm-chart/service-policy/templates/globalconfig.yaml b/helm-chart/service-policy/templates/globalconfig.yaml index 52c779a..82d77d0 100644 --- a/helm-chart/service-policy/templates/globalconfig.yaml +++ b/helm-chart/service-policy/templates/globalconfig.yaml @@ -1,4 +1,4 @@ -{{- if .Values.service.ratelimit.createGlobalConfig -}} +{{- if .Values.service.ratelimit.enable -}} --- apiVersion: enroute.saaras.io/v1 kind: GlobalConfig diff --git a/helm-chart/service-policy/values.yaml b/helm-chart/service-policy/values.yaml index 90d6d06..8f16e0d 100644 --- a/helm-chart/service-policy/values.yaml +++ b/helm-chart/service-policy/values.yaml @@ -17,7 +17,6 @@ serviceAccount: filters: ratelimit: enable: false - createGlobalConfig: true cors: enable: false jwt: From 01e94f56c03ddda1519121d631c51a5513578dd2 Mon Sep 17 00:00:00 2001 
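Review bot: The guard still points at `.Values.service.ratelimit.enable`, whereas the key lives at `filters.ratelimit.enable` in values.yaml (the hunk below removes `createGlobalConfig` from exactly that block); `.Values.service.ratelimit` is undefined, so rendering errors with a nil-pointer evaluation rather than disabling the GlobalConfig. The line should read `{{- if .Values.filters.ratelimit.enable -}}`. Note that the rate-limit RouteFilter in service-filters.yaml carries no such guard, so with `enable: false` the filter object is still created while its GlobalConfig is not; presumably both should follow the same switch.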
From: Harry Walter
Date: Tue, 12 Jul 2022 10:59:13 +0100
Subject: [PATCH 09/11] Split filters out of single file
---
 .../templates/filer-outlierdetection.yaml | 19 +++
 .../templates/filter-circuitbreakers.yaml | 19 +++
 .../service-policy/templates/filter-cors.yaml | 22 ++++
 .../service-policy/templates/filter-jwt.yaml | 27 ++++
 .../templates/filter-ratelimit.yaml | 21 +++
 .../templates/service-filters.yaml | 122 ------------------
 6 files changed, 108 insertions(+), 122 deletions(-)
 create mode 100644 helm-chart/service-policy/templates/filer-outlierdetection.yaml
 create mode 100644 helm-chart/service-policy/templates/filter-circuitbreakers.yaml
 create mode 100644 helm-chart/service-policy/templates/filter-cors.yaml
 create mode 100644 helm-chart/service-policy/templates/filter-jwt.yaml
 create mode 100644 helm-chart/service-policy/templates/filter-ratelimit.yaml
 delete mode 100644 helm-chart/service-policy/templates/service-filters.yaml
diff --git a/helm-chart/service-policy/templates/filer-outlierdetection.yaml b/helm-chart/service-policy/templates/filer-outlierdetection.yaml
new file mode 100644
index 0000000..e75b03f
--- /dev/null
+++ b/helm-chart/service-policy/templates/filer-outlierdetection.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: enroute.saaras.io/v1
+kind: RouteFilter
+metadata:
+ labels:
+ app: {{ .Values.service.name }}-app
+ name: {{ .Values.service.name }}-{{ .Values.service.port }}-outlierdetection
+ namespace: {{ .Release.Namespace }}
+spec:
+ name: {{ .Values.service.name }}-{{ .Values.service.port }}-outlierdetection
+ type: route_filter_outlierdetection
+ routeFilterConfig:
+ config: |
+ {
+ "consecutive_5xx" : 5,
+ "enforcing_consecutive_5xx" : 75,
+ "consecutive_gateway_failure" : 5,
+ "enforcing_consecutive_gateway_failure" : 75
+ }
\ No newline at end of file
diff --git a/helm-chart/service-policy/templates/filter-circuitbreakers.yaml b/helm-chart/service-policy/templates/filter-circuitbreakers.yaml
new file mode 100644
index 0000000..d713c47
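Review bot: None of the five new filter templates, starting with this one, is wrapped in its `.Values.filters.<name>.enable` flag, so every RouteFilter/HttpFilter object is created on each install regardless of the setting; only the GatewayHost reference is conditional. Wrapping each file in `{{- if .Values.filters.outlierdetection.enable -}}` … `{{- end -}}` (and likewise for circuitbreakers, cors, jwt and ratelimit) would keep the object and its reference in step. The filename `filer-outlierdetection.yaml` also looks like a typo for `filter-`, and the file ends without a trailing newline.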
--- /dev/null
+++ b/helm-chart/service-policy/templates/filter-circuitbreakers.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: enroute.saaras.io/v1
+kind: RouteFilter
+metadata:
+ labels:
+ app: {{ .Values.service.name }}-app
+ name: {{ .Values.service.name }}-{{ .Values.service.port }}-circuitbreakers
+ namespace: {{ .Release.Namespace }}
+spec:
+ name: {{ .Values.service.name }}-{{ .Values.service.port }}-circuitbreakers
+ type: route_filter_circuitbreakers
+ routeFilterConfig:
+ config: |
+ {
+ "max_connections" : 100,
+ "max_pending_requests" : 101,
+ "max_requests" : 102,
+ "max_retries" : 103
+ }
\ No newline at end of file
diff --git a/helm-chart/service-policy/templates/filter-cors.yaml b/helm-chart/service-policy/templates/filter-cors.yaml
new file mode 100644
index 0000000..1cc505b
--- /dev/null
+++ b/helm-chart/service-policy/templates/filter-cors.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: enroute.saaras.io/v1
+kind: HttpFilter
+metadata:
+ labels:
+ app: {{ .Values.service.name }}-app
+ name: {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter
+ namespace: {{ .Release.Namespace }}
+spec:
+ name: {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter
+ type: http_filter_cors
+ httpFilterConfig:
+ config: |
+ {
+ "match_condition" : {
+ "regex" : "\\*"
+ },
+ "access_control_allow_methods" : "GET, OPTIONS",
+ "access_control_allow_headers" : "Content-Type",
+ "access_control_expose_headers" : "*",
+ "access_control_max_age" : "120"
+ }
\ No newline at end of file
diff --git a/helm-chart/service-policy/templates/filter-jwt.yaml b/helm-chart/service-policy/templates/filter-jwt.yaml
new file mode 100644
index 0000000..88d3a17
--- /dev/null
+++ b/helm-chart/service-policy/templates/filter-jwt.yaml
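Review bot: In the cors hunk, `"regex" : "\\*"` decodes to the regular expression `\*`, which matches only a literal asterisk, so as an origin match it presumably never matches a real `Origin` header; if the intent is to admit every origin the pattern would be `.*`, and if the intent is to restrict it the value should name the expected origins, either way with a comment stating which. The circuitbreakers hunk above it ships `100`/`101`/`102`/`103` as thresholds, which read like placeholder test values rather than tuned defaults; a comment saying so, or realistic defaults, would help the next maintainer. Both files end without a trailing newline.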
@@ -0,0 +1,27 @@
+---
+apiVersion: enroute.saaras.io/v1
+kind: HttpFilter
+metadata:
+ labels:
+ app: {{ .Values.service.name }}-app
+ name: {{ .Values.service.name }}-{{ .Values.service.port }}-jwtfilter
+ namespace: {{ .Release.Namespace }}
+spec:
+ name: {{ .Values.service.name }}-{{ .Values.service.port }}-jwtfilter
+ type: http_filter_jwt
+ services:
+ name: {{ .Values.service.name }}-{{ .Values.service.port }}-externalauth
+ port: 443
+ protocol: tls
+ httpFilterConfig:
+ config: |
+ {
+ "name" : "auth0",
+ "jwks_uri" : "https://saaras.auth0.com/.well-known/jwks.json",
+ "audience" : "api-identifier",
+ "issuer" : "https://saaras.auth0.com/",
+ "route" : [{"prefix" : "/"}],
+ "jwt_service_name" : "auth0",
+ "jwt_service_port" : 443,
+ "jwt_forward_header_name" : "x-jwt-token"
+ }
\ No newline at end of file
diff --git a/helm-chart/service-policy/templates/filter-ratelimit.yaml b/helm-chart/service-policy/templates/filter-ratelimit.yaml
new file mode 100644
index 0000000..fae05d8
--- /dev/null
+++ b/helm-chart/service-policy/templates/filter-ratelimit.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: enroute.saaras.io/v1
+kind: RouteFilter
+metadata:
+ labels:
+ app: {{ .Values.service.name }}-app
+ name: {{ .Values.service.name }}-{{ .Values.service.port }}-rl2
+ namespace: {{ .Release.Namespace }}
+spec:
+ name: {{ .Values.service.name }}-{{ .Values.service.port }}-rl2
+ type: route_filter_ratelimit
+ routeFilterConfig:
+ config: |
+ {
+ "descriptors" :
+ [
+ { "request_headers": { "header_name": "x-forwarded-for", "descriptor_key": "x-forwarded-for" } },
+ { "request_headers": { "header_name": "x-forwarded-proto", "descriptor_key": "x-forwarded-proto" } },
+ { "generic_key": { "descriptor_value" : "default_route" } }
+ ]
+ }
\ No newline at end of file
diff --git a/helm-chart/service-policy/templates/service-filters.yaml b/helm-chart/service-policy/templates/service-filters.yaml
deleted file mode 100644
index 92f8fa5..0000000
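Review bot: The JWT filter keeps `services: name: …-externalauth`, but the `ExternalName` Service of that name which service-filters.yaml used to declare (see the deleted hunk below, `kind: Service` / `externalName: saaras.auth0.com`) is not recreated in any of the new files — the diffstat's 122 deletions against 108 insertions is exactly that Service — so the filter now points at an upstream the chart no longer creates. The Service should move into filter-jwt.yaml next to the filter that depends on it. Independently, the hard-coded `saaras.auth0.com` issuer and JWKS URI belong to an external tenant; if this is meant as a demo default it deserves a comment saying so, otherwise the values should be required input rather than defaults.
```yaml
# … unchanged: HttpFilter definition above …
---
apiVersion: v1
kind: Service
metadata:
  name: {{ .Values.service.name }}-{{ .Values.service.port }}-externalauth
  namespace: {{ .Release.Namespace }}
spec:
  type: ExternalName
  externalName: saaras.auth0.com
  ports:
    - port: 443
      # important to set protocol name
      name: https
```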
--- a/helm-chart/service-policy/templates/service-filters.yaml
+++ /dev/null
@@ -1,122 +0,0 @@ ---- -apiVersion: enroute.saaras.io/v1 -kind: RouteFilter -metadata: - labels: - app: {{ .Values.service.name }}-app - name: {{ .Values.service.name }}-{{ .Values.service.port }}-rl2 - namespace: {{ .Release.Namespace }} -spec: - name: {{ .Values.service.name }}-{{ .Values.service.port }}-rl2 - type: route_filter_ratelimit - routeFilterConfig: - config: | - { - "descriptors" : - [ - { "request_headers": { "header_name": "x-forwarded-for", "descriptor_key": "x-forwarded-for" } }, - { "request_headers": { "header_name": "x-forwarded-proto", "descriptor_key": "x-forwarded-proto" } }, - { "generic_key": { "descriptor_value" : "default_route" } } - ] - } ---- -apiVersion: enroute.saaras.io/v1 -kind: HttpFilter -metadata: - labels: - app: {{ .Values.service.name }}-app - name: {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter - namespace: {{ .Release.Namespace }} -spec: - name: {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter - type: http_filter_cors - httpFilterConfig: - config: | - { - "match_condition" : { - "regex" : "\\*" - }, - "access_control_allow_methods" : "GET, OPTIONS", - "access_control_allow_headers" : "Content-Type", - "access_control_expose_headers" : "*", - "access_control_max_age" : "120" - } ---- -apiVersion: enroute.saaras.io/v1 -kind: HttpFilter -metadata: - labels: - app: {{ .Values.service.name }}-app - name: {{ .Values.service.name }}-{{ .Values.service.port }}-jwtfilter - namespace: {{ .Release.Namespace }} -spec: - name: {{ .Values.service.name }}-{{ .Values.service.port }}-jwtfilter - type: http_filter_jwt - services: - name: {{ .Values.service.name }}-{{ .Values.service.port }}-externalauth - port: 443 - protocol: tls - httpFilterConfig: - config: | - { - "name" : "auth0", - "jwks_uri" : "https://saaras.auth0.com/.well-known/jwks.json", - "audience" : "api-identifier", - "issuer" : "https://saaras.auth0.com/", - "route" : [{"prefix" : "/"}], - "jwt_service_name" : "auth0", - "jwt_service_port" : 
443, - "jwt_forward_header_name" : "x-jwt-token" - } ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }}-{{ .Values.service.port }}-externalauth - namespace: {{ .Release.Namespace }} -spec: - type: ExternalName - externalName: saaras.auth0.com - ports: - - port: 443 - # important to set protocol name - name: https ---- -apiVersion: enroute.saaras.io/v1 -kind: RouteFilter -metadata: - labels: - app: {{ .Values.service.name }}-app - name: {{ .Values.service.name }}-{{ .Values.service.port }}-circuitbreakers - namespace: {{ .Release.Namespace }} -spec: - name: {{ .Values.service.name }}-{{ .Values.service.port }}-circuitbreakers - type: route_filter_circuitbreakers - routeFilterConfig: - config: | - { - "max_connections" : 100, - "max_pending_requests" : 101, - "max_requests" : 102, - "max_retries" : 103 - } ---- -apiVersion: enroute.saaras.io/v1 -kind: RouteFilter -metadata: - labels: - app: {{ .Values.service.name }}-app - name: {{ .Values.service.name }}-{{ .Values.service.port }}-outlierdetection - namespace: {{ .Release.Namespace }} -spec: - name: {{ .Values.service.name }}-{{ .Values.service.port }}-outlierdetection - type: route_filter_outlierdetection - routeFilterConfig: - config: | - { - "consecutive_5xx" : 5, - "enforcing_consecutive_5xx" : 75, - "consecutive_gateway_failure" : 5, - "enforcing_consecutive_gateway_failure" : 75 - } ---- From aadbc900dd49e8aac33e255d078b5f9437790ecc Mon Sep 17 00:00:00 2001 From: Harry Walter Date: Tue, 12 Jul 2022 11:10:31 +0100 Subject: [PATCH 10/11] Max filters configurable --- .../templates/filer-outlierdetection.yaml | 8 +++---- .../templates/filter-circuitbreakers.yaml | 8 +++---- .../service-policy/templates/filter-cors.yaml | 10 ++++----- .../service-policy/templates/filter-jwt.yaml | 20 ++++++++++------- helm-chart/service-policy/values.yaml | 22 +++++++++++++++++++ 5 files changed, 47 insertions(+), 21 deletions(-) 
diff --git a/helm-chart/service-policy/templates/filer-outlierdetection.yaml b/helm-chart/service-policy/templates/filer-outlierdetection.yaml index e75b03f..93bb878 100644 --- a/helm-chart/service-policy/templates/filer-outlierdetection.yaml +++ b/helm-chart/service-policy/templates/filer-outlierdetection.yaml @@ -12,8 +12,8 @@ spec: routeFilterConfig: config: | { - "consecutive_5xx" : 5, - "enforcing_consecutive_5xx" : 75, - "consecutive_gateway_failure" : 5, - "enforcing_consecutive_gateway_failure" : 75 + "consecutive_5xx" : {{ .Values.filters.outlierdetection.consecutive5xx | int }}, + "enforcing_consecutive_5xx" : {{ .Values.filters.outlierdetection.enforcingConsecutive5xx | int }}, + "consecutive_gateway_failure" : {{ .Values.filters.outlierdetection.consecutiveGatewayFailure | int }}, + "enforcing_consecutive_gateway_failure" : {{ .Values.filters.outlierdetection.enforcingConsecutiveGatewayFailure | int }} } \ No newline at end of file diff --git a/helm-chart/service-policy/templates/filter-circuitbreakers.yaml b/helm-chart/service-policy/templates/filter-circuitbreakers.yaml index d713c47..e4fa632 100644 --- a/helm-chart/service-policy/templates/filter-circuitbreakers.yaml +++ b/helm-chart/service-policy/templates/filter-circuitbreakers.yaml @@ -12,8 +12,8 @@ spec: routeFilterConfig: config: | { - "max_connections" : 100, - "max_pending_requests" : 101, - "max_requests" : 102, - "max_retries" : 103 + "max_connections" : {{ .Values.filters.circuitbreakers.maxConnections | int }}, + "max_pending_requests" : {{ .Values.filters.circuitbreakers.maxPendingRequests | int }}, + "max_requests" : {{ .Values.filters.circuitbreakers.maxRequests | int }}, + "max_retries" : {{ .Values.filters.circuitbreakers.maxRetries | int }} } \ No newline at end of file diff --git a/helm-chart/service-policy/templates/filter-cors.yaml b/helm-chart/service-policy/templates/filter-cors.yaml index 1cc505b..5300af6 100644 --- a/helm-chart/service-policy/templates/filter-cors.yaml 
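Review bot: `.Values.filters.circuitbreakers.maxPendingRequests` in the circuitbreakers hunk does not match the key this commit adds to values.yaml, `maxPendingRequest: 101` (no trailing `s`); because the value is piped through `int`, the missing key renders silently as `"max_pending_requests" : 0` instead of failing. Rename the values key to `maxPendingRequests: 101`, and consider `{{ required "filters.circuitbreakers.maxPendingRequests is required" .Values.filters.circuitbreakers.maxPendingRequests | int }}` so a typo on either side surfaces at render time rather than as a zero threshold. The outlierdetection hunk above uses the same `| int` pattern and would benefit from the same guard.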
+++ b/helm-chart/service-policy/templates/filter-cors.yaml @@ -13,10 +13,10 @@ spec: config: | { "match_condition" : { - "regex" : "\\*" + "regex" : {{ .Values.filters.cors.regex | quote }} }, - "access_control_allow_methods" : "GET, OPTIONS", - "access_control_allow_headers" : "Content-Type", - "access_control_expose_headers" : "*", - "access_control_max_age" : "120" + "access_control_allow_methods" : {{ join "," .Values.filters.cors.allowMethods | quote }}, + "access_control_allow_headers" : {{ join "," .Values.filters.cors.allowHeaders | quote }}, + "access_control_expose_headers" : {{ .Values.filters.cors.exposeHeaders | quote }}, + "access_control_max_age" : {{ .Values.filters.cors.maxAge | int | quote }} } \ No newline at end of file diff --git a/helm-chart/service-policy/templates/filter-jwt.yaml b/helm-chart/service-policy/templates/filter-jwt.yaml index 88d3a17..fb8ec16 100644 --- a/helm-chart/service-policy/templates/filter-jwt.yaml +++ b/helm-chart/service-policy/templates/filter-jwt.yaml @@ -16,12 +16,16 @@ spec: httpFilterConfig: config: | { - "name" : "auth0", - "jwks_uri" : "https://saaras.auth0.com/.well-known/jwks.json", - "audience" : "api-identifier", - "issuer" : "https://saaras.auth0.com/", - "route" : [{"prefix" : "/"}], - "jwt_service_name" : "auth0", - "jwt_service_port" : 443, - "jwt_forward_header_name" : "x-jwt-token" + "name" : {{ .Values.filters.jwt.name | quote }}, + "jwks_uri" : {{ .Values.filters.jwt.jwksUri | quote }}, + "audience" : {{ .Values.filters.jwt.audience | quote }}, + "issuer" : {{ .Values.filters.jwt.issuer | quote }}, + "route" : [ + {{- range .Values.filters.jwt.routes }} + {"prefix" : {{ .prefix | quote }}} + {{- end }} + ], + "jwt_service_name" : {{ .Values.filters.jwt.serviceName | quote }}, + "jwt_service_port" : {{ .Values.filters.jwt.servicePort | int }}, + "jwt_forward_header_name" : {{ .Values.filters.jwt.headerName | quote }} } \ No newline at end of file 
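Review bot: The `range` in the jwt hunk emits one `{"prefix" : …}` object per route with no separator, so any `routes` list with more than one entry renders invalid JSON (`{"prefix" : "/"} {"prefix" : "/api"}`); only the single-entry default works. Use the index to add the comma: `{{- range $i, $r := .Values.filters.jwt.routes }}{{ if $i }},{{ end }}`, `{"prefix" : {{ $r.prefix | quote }}}`, `{{- end }}`. In the cors hunk, `join ","` turns the previous `"GET, OPTIONS"` into `"GET,OPTIONS"`, a rendered-value change that is presumably harmless but worth confirming against the filter. The `services:` block above the jwt hunk, outside it, still hard-codes the `-externalauth` name even though `jwt_service_name` is now configurable.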
diff --git a/helm-chart/service-policy/values.yaml b/helm-chart/service-policy/values.yaml index 8f16e0d..0eaa7c0 100644 --- a/helm-chart/service-policy/values.yaml +++ b/helm-chart/service-policy/values.yaml @@ -19,12 +19,34 @@ filters: enable: false cors: enable: false + regex: '\\*' + allowMethods: ['GET', 'OPTIONS'] + allowHeaders: ['Content-Type'] + exposeHeaders: '*' + maxAge: 120 jwt: enable: false + name: auth0 + jwksUri: "https://saaras.auth0.com/.well-known/jwks.json" + audience: "api-identifier" + issuer: "https://saaras.auth0.com/" + routes: + - prefix: / + serviceName: auth0 + servicePort: 443 + headerName: "x-jwt-token" circuitbreakers: enable: false + maxConnections: 100 + maxPendingRequest: 101 + maxRequests: 102 + maxRetries: 103 outlierdetection: enable: false + consecutive5xx: 5 + enforcingConsecutive5xx: 75 + consecutiveGatewayFailure: 5 + enforcingConsecutiveGatewayFailure: 75 healthcheck: enable: false From 7a00beb5b1f5154a9e01324e40738568fb455e15 Mon Sep 17 00:00:00 2001 
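Review bot: `regex: '\\*'` in single quotes is the three-character string `\\*`; after `| quote` in filter-cors.yaml it lands in the JSON as `"\\\\*"`, i.e. the regex `\\*`, which is not the `\*` the template previously hard-coded (that matched a literal asterisk, this matches zero or more backslashes, effectively anything). To reproduce the old value write `regex: '\*'`, and in either case a comment stating which origins the pattern is meant to admit would help. The jwt defaults (`issuer`, `jwksUri`, `name: auth0`) point at the `saaras.auth0.com` tenant, so a deployment that sets `jwt.enable: true` without overriding them would presumably accept tokens from that external issuer; safer to ship them empty and mark them `required` in the template. `maxPendingRequest` here also does not match the `maxPendingRequests` key the circuitbreakers template reads.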
From: Harry Walter Date: Tue, 12 Jul 2022 11:47:03 +0100 Subject: [PATCH 11/11] Simpify service-policy to support multiple routes --- .../service-policy/templates/_helpers.tpl | 11 --- .../templates/cert-manager.yaml | 75 ---------------- .../templates/filer-outlierdetection.yaml | 19 ---- .../templates/filter-circuitbreakers.yaml | 19 ---- .../service-policy/templates/filter-cors.yaml | 22 ----- .../service-policy/templates/filter-jwt.yaml | 31 ------- .../templates/filter-ratelimit.yaml | 21 ----- .../templates/globalconfig.yaml | 51 ----------- .../templates/httpfilter-healthcheck.yaml | 17 ---- .../templates/service-gatewayhost-notls.yaml | 82 ------------------ .../templates/service-gatewayhost.yaml | 86 +++++-------------- helm-chart/service-policy/values.yaml | 84 ++++-------------- 12 files changed, 41 insertions(+), 477 deletions(-) delete mode 100644 helm-chart/service-policy/templates/cert-manager.yaml delete mode 100644 helm-chart/service-policy/templates/filer-outlierdetection.yaml delete mode 100644 helm-chart/service-policy/templates/filter-circuitbreakers.yaml delete mode 100644 helm-chart/service-policy/templates/filter-cors.yaml delete mode 100644 helm-chart/service-policy/templates/filter-jwt.yaml delete mode 100644 helm-chart/service-policy/templates/filter-ratelimit.yaml delete mode 100644 helm-chart/service-policy/templates/globalconfig.yaml delete mode 100644 helm-chart/service-policy/templates/httpfilter-healthcheck.yaml delete mode 100644 helm-chart/service-policy/templates/service-gatewayhost-notls.yaml diff --git a/helm-chart/service-policy/templates/_helpers.tpl b/helm-chart/service-policy/templates/_helpers.tpl index ccd7903..e670163 100644 --- a/helm-chart/service-policy/templates/_helpers.tpl +++ b/helm-chart/service-policy/templates/_helpers.tpl 
@@ -49,14 +49,3 @@ Selector labels app.kubernetes.io/name: {{ include "service-policy.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "service-policy.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "service-policy.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} diff --git a/helm-chart/service-policy/templates/cert-manager.yaml b/helm-chart/service-policy/templates/cert-manager.yaml deleted file mode 100644 index 99e66fb..0000000 --- a/helm-chart/service-policy/templates/cert-manager.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -{{- if .Values.autoTLS.createIssuers }} ---- -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-staging - namespace: cert-manager -spec: - acme: - email: {{ .Values.autoTLS.email }} - privateKeySecretRef: - name: letsencrypt-staging - server: https://acme-staging-v02.api.letsencrypt.org/directory - solvers: - - http01: - ingress: - class: enroute - selector: {} ---- -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-prod - namespace: cert-manager -spec: - acme: - email: {{ .Values.autoTLS.email }} - privateKeySecretRef: - {{- if .Values.autoTLS.enableProd }} - name: letsencrypt-prod - {{- else }} - name: letsencrypt-staging - {{- end }} - server: https://acme-v02.api.letsencrypt.org/directory - solvers: - - http01: - ingress: - class: enroute - selector: {} -{{- end }} ---- -{{- if or .Values.autoTLS.issueCert .Values.service.enableTLS }} -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ .Values.autoTLS.certificateCN }} - namespace: {{ .Release.Namespace }} -spec: - commonName: {{ .Values.autoTLS.certificateCN }} - dnsNames: - - {{ .Values.autoTLS.certificateCN }} - issuerRef: - {{- if .Values.autoTLS.enableProd }} - name: letsencrypt-prod - {{- else }} - name: letsencrypt-staging - {{- end }} - kind: ClusterIssuer - secretName: {{ .Values.autoTLS.certificateCN }} ---- -{{- if .Values.autoTLS.createChallengeService }} -apiVersion: v1 -kind: Service -metadata: - name: acme-challenge-service - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: 80 - targetPort: 8089 - selector: - acme.cert-manager.io/http01-solver: "true" -{{- end }} ---- -{{- end }} diff --git a/helm-chart/service-policy/templates/filer-outlierdetection.yaml b/helm-chart/service-policy/templates/filer-outlierdetection.yaml deleted file mode 100644 index 93bb878..0000000 --- a/helm-chart/service-policy/templates/filer-outlierdetection.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -apiVersion: enroute.saaras.io/v1 -kind: RouteFilter -metadata: - labels: - app: {{ .Values.service.name }}-app - name: {{ .Values.service.name }}-{{ .Values.service.port }}-outlierdetection - namespace: {{ .Release.Namespace }} -spec: - name: {{ .Values.service.name }}-{{ .Values.service.port }}-outlierdetection - type: route_filter_outlierdetection - routeFilterConfig: - config: | - { - "consecutive_5xx" : {{ .Values.filters.outlierdetection.consecutive5xx | int }}, - "enforcing_consecutive_5xx" : {{ .Values.filters.outlierdetection.enforcingConsecutive5xx | int }}, - "consecutive_gateway_failure" : {{ .Values.filters.outlierdetection.consecutiveGatewayFailure | int }}, - "enforcing_consecutive_gateway_failure" : {{ .Values.filters.outlierdetection.enforcingConsecutiveGatewayFailure | int }} - } \ No newline at end of file diff --git a/helm-chart/service-policy/templates/filter-circuitbreakers.yaml b/helm-chart/service-policy/templates/filter-circuitbreakers.yaml deleted file mode 100644 index e4fa632..0000000 --- a/helm-chart/service-policy/templates/filter-circuitbreakers.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -apiVersion: enroute.saaras.io/v1 -kind: RouteFilter -metadata: - labels: - app: {{ .Values.service.name }}-app - name: {{ .Values.service.name }}-{{ .Values.service.port }}-circuitbreakers - namespace: {{ .Release.Namespace }} -spec: - name: {{ .Values.service.name }}-{{ .Values.service.port }}-circuitbreakers - type: route_filter_circuitbreakers - routeFilterConfig: - config: | - { - "max_connections" : {{ .Values.filters.circuitbreakers.maxConnections | int }}, - "max_pending_requests" : {{ .Values.filters.circuitbreakers.maxPendingRequests | int }}, - "max_requests" : {{ .Values.filters.circuitbreakers.maxRequests | int }}, - "max_retries" : {{ .Values.filters.circuitbreakers.maxRetries | int }} - } \ No newline at end of file 
diff --git a/helm-chart/service-policy/templates/filter-cors.yaml b/helm-chart/service-policy/templates/filter-cors.yaml deleted file mode 100644 index 5300af6..0000000 --- a/helm-chart/service-policy/templates/filter-cors.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -apiVersion: enroute.saaras.io/v1 -kind: HttpFilter -metadata: - labels: - app: {{ .Values.service.name }}-app - name: {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter - namespace: {{ .Release.Namespace }} -spec: - name: {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter - type: http_filter_cors - httpFilterConfig: - config: | - { - "match_condition" : { - "regex" : {{ .Values.filters.cors.regex | quote }} - }, - "access_control_allow_methods" : {{ join "," .Values.filters.cors.allowMethods | quote }}, - "access_control_allow_headers" : {{ join "," .Values.filters.cors.allowHeaders | quote }}, - "access_control_expose_headers" : {{ .Values.filters.cors.exposeHeaders | quote }}, - "access_control_max_age" : {{ .Values.filters.cors.maxAge | int | quote }} - } \ No newline at end of file diff --git a/helm-chart/service-policy/templates/filter-jwt.yaml b/helm-chart/service-policy/templates/filter-jwt.yaml deleted file mode 100644 index fb8ec16..0000000 --- a/helm-chart/service-policy/templates/filter-jwt.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -apiVersion: enroute.saaras.io/v1 -kind: HttpFilter -metadata: - labels: - app: {{ .Values.service.name }}-app - name: {{ .Values.service.name }}-{{ .Values.service.port }}-jwtfilter - namespace: {{ .Release.Namespace }} -spec: - name: {{ .Values.service.name }}-{{ .Values.service.port }}-jwtfilter - type: http_filter_jwt - services: - name: {{ .Values.service.name }}-{{ .Values.service.port }}-externalauth - port: 443 - protocol: tls - httpFilterConfig: - config: | - { - "name" : {{ .Values.filters.jwt.name | quote }}, - "jwks_uri" : {{ .Values.filters.jwt.jwksUri | quote }}, - "audience" : {{ .Values.filters.jwt.audience | quote }}, - "issuer" : {{ .Values.filters.jwt.issuer | quote }}, - "route" : [ - {{- range .Values.filters.jwt.routes }} - {"prefix" : {{ .prefix | quote }}} - {{- end }} - ], - "jwt_service_name" : {{ .Values.filters.jwt.serviceName | quote }}, - "jwt_service_port" : {{ .Values.filters.jwt.servicePort | int }}, - "jwt_forward_header_name" : {{ .Values.filters.jwt.headerName | quote }} - } \ No newline at end of file diff --git a/helm-chart/service-policy/templates/filter-ratelimit.yaml b/helm-chart/service-policy/templates/filter-ratelimit.yaml deleted file mode 100644 index fae05d8..0000000 --- a/helm-chart/service-policy/templates/filter-ratelimit.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -apiVersion: enroute.saaras.io/v1 -kind: RouteFilter -metadata: - labels: - app: {{ .Values.service.name }}-app - name: {{ .Values.service.name }}-{{ .Values.service.port }}-rl2 - namespace: {{ .Release.Namespace }} -spec: - name: {{ .Values.service.name }}-{{ .Values.service.port }}-rl2 - type: route_filter_ratelimit - routeFilterConfig: - config: | - { - "descriptors" : - [ - { "request_headers": { "header_name": "x-forwarded-for", "descriptor_key": "x-forwarded-for" } }, - { "request_headers": { "header_name": "x-forwarded-proto", "descriptor_key": "x-forwarded-proto" } }, - { "generic_key": { "descriptor_value" : "default_route" } } - ] - } \ No newline at end of file diff --git a/helm-chart/service-policy/templates/globalconfig.yaml b/helm-chart/service-policy/templates/globalconfig.yaml deleted file mode 100644 index 82d77d0..0000000 --- a/helm-chart/service-policy/templates/globalconfig.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -{{- if .Values.service.ratelimit.enable -}} ---- -apiVersion: enroute.saaras.io/v1 -kind: GlobalConfig -metadata: - labels: - app: {{ .Values.service.name }}-app - name: {{ .Values.service.name }}-rl-global-config - namespace: {{ .Release.Namespace }} -spec: - name: {{ .Values.service.name }}-rl-global-config - type: globalconfig_ratelimit -# for every xff, with proto https for default_route, enforce 2rps -# enroute_x-forwarded-for_10.0.20.90_x-forwarded-proto_https_generic_key_default_route_1617919413 - config: | - { - "domain": "enroute", - "descriptors" : - [ - { - "key": "x-forwarded-for", - "descriptors" : - [ - { - "key" : "x-forwarded-proto", - "value" : "http", - "descriptors" : [ - { - "key" : "generic_key", - "value" : "default_route", - "rate_limit" : { "unit" : "second", "requests_per_unit" : 5 } - } - ] - }, - { - "key" : "x-forwarded-proto", - "value" : "https", - "descriptors" : [ - { - "key" : "generic_key", - "value" : "default_route", - "rate_limit" : { "unit" : "second", "requests_per_unit" : 2 } - } - ] - } - ] - } - ] - } -{{- end -}} - diff --git a/helm-chart/service-policy/templates/httpfilter-healthcheck.yaml b/helm-chart/service-policy/templates/httpfilter-healthcheck.yaml deleted file mode 100644 index 972251b..0000000 --- a/helm-chart/service-policy/templates/httpfilter-healthcheck.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if .Values.filters.healthcheck.enable -}} -apiVersion: enroute.saaras.io/v1 -kind: HttpFilter -metadata: - labels: - app: {{ .Values.service.name }}-app - name: {{ .Values.service.name }}-{{ .Values.service.port }}-healthcheckfilter - namespace: {{ .Release.Namespace }} -spec: - name: {{ .Values.service.name }}-{{ .Values.service.port }}-healtcheck - type: http_filter_healthcheck - httpFilterConfig: - config: | - { - "path" : "/healthz" - } -{{- end -}} 
diff --git a/helm-chart/service-policy/templates/service-gatewayhost-notls.yaml b/helm-chart/service-policy/templates/service-gatewayhost-notls.yaml
deleted file mode 100644
index 1bd8f81..0000000
--- a/helm-chart/service-policy/templates/service-gatewayhost-notls.yaml
+++ /dev/null
@@ -1,82 +0,0 @@ -{{- if eq .Values.service.enableTLS false }} ---- -apiVersion: enroute.saaras.io/v1 -kind: GatewayHost -metadata: - labels: - app: {{ .Values.service.name }} - name: {{ .Values.service.name }}-{{ .Values.service.port }}-gatewayhost - namespace: {{ .Release.Namespace }} -spec: - virtualhost: - {{- if eq (len .Values.service.fqdn) 0 }} - fqdn: '*' - {{- else }} - fqdn: {{ quote .Values.service.fqdn }} - {{- end -}} - filters: - {{- if .Values.filters.cors.enable }} - - name: {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter - type: http_filter_cors - {{- end }} - {{- if .Values.filters.healthcheck.enable }} - - name: {{ .Values.service.name }}-{{ .Values.service.port }}-healthcheckfilter - type: http_filter_healthcheck - {{- end }} - {{- if .Values.filters.jwt.enable }} - - name: {{ .Values.service.name }}-{{ .Values.service.port }}-jwtfilter - type: http_filter_jwt - {{- end }} - routes: - {{ if .Values.autoTLS.issueCert }} - - conditions: - - prefix: /.well-known/acme-challenge/ - header: - name: ":method" - exact: "GET" - services: - - name: acme-challenge-service - port: 80 - healthCheck: - healthyThresholdCount: 3 - intervalSeconds: 5 - path: / - host: hc - timeoutSeconds: 3 - unhealthyThresholdCount: 3 - {{- end }} - - conditions: - - prefix: {{ .Values.service.prefix }} - {{- if eq .Values.service.name "hello-enroute" }} - header: - name: ":method" - exact: "GET" - {{- end }} - {{- if or (eq .Values.filters.ratelimit.enable true) (eq .Values.filters.circuitbreakers.enable true) (eq .Values.filters.outlierdetection.enable true) }} - filters: - {{- end }} - {{- if .Values.filters.ratelimit.enable }} - - name: {{ .Values.service.name }}-{{ .Values.service.port }}-rl2 - type: route_filter_ratelimit - {{- end }} - {{- if .Values.filters.circuitbreakers.enable }} - - name: {{ .Values.service.name }}-{{ .Values.service.port }}-circuitbreakers - type: route_filter_circuitbreakers - {{- end }} - {{- if 
.Values.filters.outlierdetection.enable }} - - name: {{ .Values.service.name }}-{{ .Values.service.port }}-outlierdetection - type: route_filter_outlierdetection - {{- end }} - services: - - name: {{ .Values.service.name }} - port: {{ .Values.service.port }} - {{- if .Values.service.healthcheck.enabled }} - healthCheck: - healthyThresholdCount: {{ .Values.services.healthcheck.healthy | default 3 }} - intervalSeconds: {{ .Values.services.healthcheck.interval | default 5 }} - path: {{ .Values.services.healthcheck.path }} - host: {{ .Values.services.healthcheck.host }} - timeoutSeconds: {{ .Values.services.healthcheck.timeout | default 3 }} - unhealthyThresholdCount: {{ .Values.services.healthcheck.unhealthy | default 3 }} - {{- end }} -{{- end }} diff --git a/helm-chart/service-policy/templates/service-gatewayhost.yaml b/helm-chart/service-policy/templates/service-gatewayhost.yaml index 7f6e978..552059e 100644 --- a/helm-chart/service-policy/templates/service-gatewayhost.yaml +++ b/helm-chart/service-policy/templates/service-gatewayhost.yaml 
@@ -1,76 +1,36 @@
-{{- if eq .Values.service.enableTLS true }}
+---
 apiVersion: enroute.saaras.io/v1
 kind: GatewayHost
 metadata:
+ name: {{ include "service-policy.fullname" . }}
 labels:
- app: {{ .Values.service.name }}
- name: {{ .Values.service.name }}-{{ .Values.autoTLS.certificateCN }}-{{ .Values.service.port }}-gatewayhost
+ {{- include "service-policy.labels" . | nindent 4 }}-gatewayhost
 namespace: {{ .Release.Namespace }}
 spec:
 virtualhost:
- fqdn: {{ quote .Values.autoTLS.certificateCN }}
- {{- if .Values.service.enableTLS }}
- tls:
- secretName: {{ .Values.autoTLS.certificateCN }}
- {{- end }}
- filters:
- {{- if .Values.filters.cors.enable }}
- - name: {{ .Values.service.name }}-{{ .Values.service.port }}-corsfilter
- type: http_filter_cors
- {{- end }}
- {{- if .Values.filters.healthcheck.enable }}
- - name: {{ .Values.service.name }}-{{ .Values.service.port }}-healthcheckfilter
- type: http_filter_healthcheck
- {{- end }}
- {{- if .Values.filters.jwt.enable }}
- - name: {{ .Values.service.name }}-{{ .Values.service.port }}-jwtfilter
- type: http_filter_jwt
- {{- end }}
+ {{- if eq (len .Values.fqdn) 0 }}
+ fqdn: '*'
+ {{- else }}
+ fqdn: {{ quote .Values.fqdn }}
+ {{- end -}}
 routes:
+ {{- range .Values.routes }}
 - conditions:
- - prefix: /.well-known/acme-challenge/
- header:
- name: ":method"
- exact: "GET"
+ {{- range .conditions }}
+ - prefix: {{ .prefix }}
+ {{- end }}
 services:
- - name: acme-challenge-service
- port: 80
+ {{- range .services }}
+ - name: {{ .name }}
+ port: {{ .port | int }}
+ {{- if .healthcheck.enabled }}
 healthCheck:
- healthyThresholdCount: 3
- intervalSeconds: 5
- path: /
- host: hc
- timeoutSeconds: 3
- unhealthyThresholdCount: 3
- - conditions:
- - prefix: {{ .Values.service.prefix }}
- {{- if eq .Values.service.name "hello-enroute" }}
- header:
- name: ":method"
- exact: "GET"
+ healthyThresholdCount: {{ .services.healthcheck.healthy | default 3 }}
+ intervalSeconds: {{ .services.healthcheck.interval | default 5 }}
+ path: {{ .services.healthcheck.path }}
+ host: {{ .services.healthcheck.host }}
+ timeoutSeconds: {{ .services.healthcheck.timeout | default 3 }}
+ unhealthyThresholdCount: {{ .services.healthcheck.unhealthy | default 3 }}
 {{- end }}
- {{- if or (eq .Values.filters.ratelimit.enable true) (eq .Values.filters.circuitbreakers.enable true) }}
- filters:
 {{- end }}
- {{- if .Values.filters.ratelimit.enable }}
- - name: {{ .Values.service.name }}-{{ .Values.service.port }}-rl2
- type: route_filter_ratelimit
- {{- end }}
- {{- if .Values.filters.circuitbreakers.enable }}
- - name: {{ .Values.service.name }}-{{ .Values.service.port }}-circuitbreakers
- type: route_filter_circuitbreakers
- {{- end }}
- services:
- - name: {{ .Values.service.name }}
- port: {{ .Values.service.port }}
- {{- if .Values.service.healthcheck.enabled }}
- healthCheck:
- healthyThresholdCount: {{ .Values.services.healthcheck.healthy | default 3 }}
- intervalSeconds: {{ .Values.services.healthcheck.interval | default 5 }}
- path: {{ .Values.services.healthcheck.path }}
- host: {{ .Values.services.healthcheck.host }}
- timeoutSeconds: {{ .Values.services.healthcheck.timeout | default 3 }}
- unhealthyThresholdCount: {{ .Values.services.healthcheck.unhealthy | default 3 }}
- {{- end }}
----
-{{- end }}
+ {{- end }}
diff --git a/helm-chart/service-policy/values.yaml b/helm-chart/service-policy/values.yaml
index 0eaa7c0..65f59b3 100644
--- a/helm-chart/service-policy/values.yaml
+++ b/helm-chart/service-policy/values.yaml
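Review bot: The healthCheck block under `{{- if .healthcheck.enabled }}` cannot render as written: inside `range .services` the dot is the service entry, so `.services.healthcheck.*` has no such path and Helm aborts with a nil-pointer evaluation error as soon as the flag is true, while the flag itself reads `enabled` although values.yaml (next hunk) declares `healthcheck.enable` and names the counts `healthyCount`/`unhealthyCount`, not `healthy`/`unhealthy`. The same `.Values.services`/`enabled` mismatch was already present in the removed lines, so the rewrite carried it forward rather than introducing it; the version below reads the per-service keys through `with .healthcheck`, which also tolerates a service entry without a healthcheck map. Two smaller points: `{{- end -}}` after the fqdn branch trims the newline before `routes:` so the rendered text reads `fqdn: '*'routes:` as far as I can tell from Go-template chomping, and `{{- include "service-policy.labels" . | nindent 4 }}-gatewayhost` appends `-gatewayhost` to the value of the last label the helper emits rather than to a key, if that helper produces the usual multi-line label set. With the `tls:`/`secretName` lines gone this GatewayHost only serves plaintext, which is worth stating in values.yaml if that is intended for this chart.
```yaml
    # … unchanged: range .services / - name …
      port: {{ .port | int }}
      {{- with .healthcheck }}
      {{- if .enable }}
      healthCheck:
        healthyThresholdCount: {{ .healthyCount | default 3 }}
        intervalSeconds: {{ .interval | default 5 }}
        path: {{ .path | quote }}
        host: {{ .host | quote }}
        timeoutSeconds: {{ .timeout | default 3 }}
        unhealthyThresholdCount: {{ .unhealthyCount | default 3 }}
      {{- end }}
      {{- end }}
    # … unchanged: closing end of range .services …
```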
@@ -5,70 +5,22 @@
 nameOverride: ""
 fullnameOverride: ""
 
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
+fqdn: ''
 
-filters:
- ratelimit:
- enable: false
- cors:
- enable: false
- regex: '\\*'
- allowMethods: ['GET', 'OPTIONS']
- allowHeaders: ['Content-Type']
- exposeHeaders: '*'
- maxAge: 120
- jwt:
- enable: false
- name: auth0
- jwksUri: "https://saaras.auth0.com/.well-known/jwks.json"
- audience: "api-identifier"
- issuer: "https://saaras.auth0.com/"
- routes:
- - prefix: /
- serviceName: auth0
- servicePort: 443
- headerName: "x-jwt-token"
- circuitbreakers:
- enable: false
- maxConnections: 100
- maxPendingRequest: 101
- maxRequests: 102
- maxRetries: 103
- outlierdetection:
- enable: false
- consecutive5xx: 5
- enforcingConsecutive5xx: 75
- consecutiveGatewayFailure: 5
- enforcingConsecutiveGatewayFailure: 75
- healthcheck:
- enable: false
-
-service:
- name: default-service-name
- port: 80
- fqdn: ''
- enableTLS: false
- prefix: /default-service-prefix
- healthcheck:
- enable: false
- path: /healthz
- host: hc
- healthyCount: 3
- unhealthyCount: 3
- interval: 5
- timeout: 3
-
-autoTLS:
- issueCert: false
- certificateCN: 'default-certificate-CN'
- enableProd: false
- createIssuers: false
- createChallengeService: true
- email: contact@example.com
+routes:
+ - conditions:
+ - prefix: /
+ # header: {}
+ enableWebsockets: false
+ # prefixRewrite: /
+ services:
+ - name: default-service-name
+ port: 80
+ healthcheck:
+ enable: false
+ # path: /healthz
+ # host: hc
+ # interval: 5
+ # timeout: 3
+ # healthyCount: 3
+ # unhealthyCount: 3
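Review bot: `enableWebsockets: false` and the commented `header: {}` / `prefixRewrite: /` hints under `routes[]` are not read by the rewritten templates/service-gatewayhost.yaml (previous hunk), which renders only `conditions[].prefix` and `services[]`, so an operator who sets them gets a silent no-op; either drop them or mark them `# not yet rendered by templates/service-gatewayhost.yaml`. The empty `fqdn: ''` default renders as the `'*'` wildcard virtualhost, which makes this GatewayHost match every host the gateway receives, not just the service's own name. A one-line comment such as `# empty fqdn renders as '*' and matches all hosts` would tell operators what the default exposes before they install the chart. The hunk appears to end at the file's last line, but the values file may continue beyond what is shown here.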