PWX-32011: added https proxy support (#1120)

* added https proxy support

deploy/ccm/envoy-config-rest-custom-proxy.yaml → deploy/ccm/envoy-config-collector-custom-http-proxy.yaml

@@ -11,7 +11,7 @@ static_resources:
   - name: listener_cloud_support
     address:
       socket_address:
-        address: 0.0.0.0
+        address: 127.0.0.1
         port_value: REST_CLOUD_SUPPORT_PORT
     filter_chains:
     - filters:
@@ -42,9 +42,15 @@ static_resources:
                 - header:
                     key: "appliance-id"
                     value: APPLIANCE_ID
+                - header:
+                    key: "component-sn"
+                    value: COMPONENT_SN
                 - header:
                     key: "product-version"
                     value: PRODUCT_VERSION
+                - header:
+                    key: "proxy-authorization"
+                    value: "BASIC_AUTH"
                 route:
                   host_rewrite_literal: REST_PROXY_URL
                   cluster: cluster_cloud_support
@@ -91,9 +97,15 @@ static_resources:
             - header:
                 key: "appliance-id"
                 value: APPLIANCE_ID
+            - header:
+                key: "component-sn"
+                value: COMPONENT_SN
             - header:
                 key: "product-version"
                 value: PRODUCT_VERSION
+            - header:
+                key: "proxy-authorization"
+                value: "BASIC_AUTH"
   clusters:
   - name: cluster_cloud_support
     type: STRICT_DNS

deploy/ccm/envoy-config-collector-custom-https-proxy.yaml

@@ -0,0 +1,191 @@
+admin:
+  address:
+    socket_address:
+      address: 127.0.0.1
+      port_value: 9901
+node:
+  id: "id_rest"
+  cluster: "cluster_rest"
+static_resources:
+  listeners:
+  - name: listener_cloud_support
+    address:
+      socket_address:
+        address: 127.0.0.1
+        port_value: REST_CLOUD_SUPPORT_PORT
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          stat_prefix: ingress_http
+          access_log:
+          - name: envoy.access_loggers.stdout
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+          http_filters:
+          - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: local_service
+              domains: ["*"]
+              routes:
+              - match:
+                  prefix: "/"
+                request_headers_to_add:
+                - header:
+                    key: "product-name"
+                    value: "portworx"
+                - header:
+                    key: "appliance-id"
+                    value: APPLIANCE_ID
+                - header:
+                    key: "component-sn"
+                    value: COMPONENT_SN
+                - header:
+                    key: "product-version"
+                    value: PRODUCT_VERSION
+                - header:
+                    key: "proxy-authorization"
+                    value: "BASIC_AUTH"
+                route:
+                  host_rewrite_literal: REST_PROXY_URL
+                  cluster: cluster_cloud_support
+  - name: listener_cloud_support_tcp_proxy
+    address:
+      socket_address:
+        protocol: TCP
+        address: 127.0.0.1
+        port_value: CLOUD_SUPPORT_TCP_PROXY_PORT
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.tcp_proxy
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+          stat_prefix: ingress_tcp_proxy
+          access_log:
+          - name: envoy.access_loggers.stdout
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+          cluster: cluster_cloud_support_tcp_proxy
+  - name: listener_customer_proxy_envoy_internal_redirect
+    address:
+      socket_address:
+        protocol: TCP
+        address: 127.0.0.1
+        port_value: CLOUD_SUPPORT_ENVOY_INTERNAL_REDIRECT_PORT
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.tcp_proxy
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+          stat_prefix: ingress_customer_proxy_envoy_internal_redirect
+          access_log:
+          - name: envoy.access_loggers.stdout
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+          cluster: cluster_customer_proxy
+          tunneling_config:
+            hostname: REST_PROXY_URL:443
+            headers_to_add:
+            - header:
+                key: "product-name"
+                value: "portworx"
+            - header:
+                key: "appliance-id"
+                value: APPLIANCE_ID
+            - header:
+                key: "component-sn"
+                value: COMPONENT_SN
+            - header:
+                key: "product-version"
+                value: PRODUCT_VERSION
+            - header:
+                key: "proxy-authorization"
+                value: "BASIC_AUTH"
+  clusters:
+  - name: cluster_cloud_support
+    type: STRICT_DNS
+    dns_lookup_family: V4_ONLY
+    lb_policy: ROUND_ROBIN
+    load_assignment:
+      cluster_name: cluster_cloud_support
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: localhost
+                port_value: CLOUD_SUPPORT_ENVOY_INTERNAL_REDIRECT_PORT
+    transport_socket:
+      name: envoy.transport_sockets.tls
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+        common_tls_context:
+          tls_certificate_sds_secret_configs:
+            name: tls_sds
+            sds_config:
+              path: /etc/envoy/tls_certificate_sds_secret.yaml
+          validation_context:
+            trusted_ca:
+              filename: /etc/ssl/certs/ca-certificates.crt
+            match_typed_subject_alt_names:
+            - san_type: DNS
+              matcher:
+                exact: REST_PROXY_URL
+  - name: cluster_cloud_support_tcp_proxy
+    type: STRICT_DNS
+    dns_lookup_family: V4_ONLY
+    lb_policy: ROUND_ROBIN
+    load_assignment:
+      cluster_name: cluster_cloud_support_tcp_proxy
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: localhost
+                port_value: CLOUD_SUPPORT_ENVOY_INTERNAL_REDIRECT_PORT
+    transport_socket:
+      name: envoy.transport_sockets.tls
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+        common_tls_context:
+          tls_certificate_sds_secret_configs:
+            name: tls_sds
+            sds_config:
+              path: /etc/envoy/tls_certificate_sds_secret.yaml
+          validation_context:
+            trusted_ca:
+              filename: /etc/ssl/certs/ca-certificates.crt
+            match_typed_subject_alt_names:
+            - san_type: DNS
+              matcher:
+                exact: REST_PROXY_URL
+  - name: cluster_customer_proxy
+    type: STRICT_DNS
+    dns_lookup_family: V4_ONLY
+    lb_policy: ROUND_ROBIN
+    # This ensures HTTP/1.1 CONNECT is used for establishing the tunnel.
+    typed_extension_protocol_options:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+        explicit_http_config:
+          http_protocol_options: {}
+    load_assignment:
+      cluster_name: cluster_customer_proxy
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: CUSTOM_PROXY_ADDRESS
+                port_value: CUSTOM_PROXY_PORT
+    transport_socket:
+      name: envoy.transport_sockets.tls
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+        sni: CUSTOM_PROXY_ADDRESS

deploy/ccm/envoy-config-register-custom-proxy.yaml → deploy/ccm/envoy-config-register-custom-http-proxy.yaml

@@ -48,6 +48,9 @@ static_resources:
                 - header:
                     key: "product-version"
                     value: PRODUCT_VERSION
+                - header:
+                    key: "proxy-authorization"
+                    value: "BASIC_AUTH"
                 route:
                   host_rewrite_literal: REGISTER_PROXY_URL
                   cluster: cluster_register_cloud_support
@@ -100,6 +103,9 @@ static_resources:
             - header:
                 key: "product-version"
                 value: PRODUCT_VERSION
+            - header:
+                key: "proxy-authorization"
+                value: "BASIC_AUTH"
   clusters:
   - name: cluster_register_cloud_support
     type: STRICT_DNS