-
Notifications
You must be signed in to change notification settings - Fork 33
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
* PWX-32011: added https proxy support (#1120)
- Loading branch information
Showing
17 changed files
with
1,535 additions
and
80 deletions.
There are no files selected for viewing
186 changes: 186 additions & 0 deletions
186
deploy/ccm/envoy-config-collector-custom-http-proxy.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,186 @@ | ||
admin: | ||
address: | ||
socket_address: | ||
address: 127.0.0.1 | ||
port_value: 9901 | ||
node: | ||
id: "id_rest" | ||
cluster: "cluster_rest" | ||
static_resources: | ||
listeners: | ||
- name: listener_cloud_support | ||
address: | ||
socket_address: | ||
address: 127.0.0.1 | ||
port_value: REST_CLOUD_SUPPORT_PORT | ||
filter_chains: | ||
- filters: | ||
- name: envoy.filters.network.http_connection_manager | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager | ||
stat_prefix: ingress_http | ||
access_log: | ||
- name: envoy.access_loggers.stdout | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog | ||
http_filters: | ||
- name: envoy.filters.http.router | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router | ||
route_config: | ||
name: local_route | ||
virtual_hosts: | ||
- name: local_service | ||
domains: ["*"] | ||
routes: | ||
- match: | ||
prefix: "/" | ||
request_headers_to_add: | ||
- header: | ||
key: "product-name" | ||
value: "portworx" | ||
- header: | ||
key: "appliance-id" | ||
value: APPLIANCE_ID | ||
- header: | ||
key: "component-sn" | ||
value: COMPONENT_SN | ||
- header: | ||
key: "product-version" | ||
value: PRODUCT_VERSION | ||
- header: | ||
key: "proxy-authorization" | ||
value: "BASIC_AUTH" | ||
route: | ||
host_rewrite_literal: REST_PROXY_URL | ||
cluster: cluster_cloud_support | ||
- name: listener_cloud_support_tcp_proxy | ||
address: | ||
socket_address: | ||
protocol: TCP | ||
address: 127.0.0.1 | ||
port_value: CLOUD_SUPPORT_TCP_PROXY_PORT | ||
filter_chains: | ||
- filters: | ||
- name: envoy.filters.network.tcp_proxy | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy | ||
stat_prefix: ingress_tcp_proxy | ||
access_log: | ||
- name: envoy.access_loggers.stdout | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog | ||
cluster: cluster_cloud_support_tcp_proxy | ||
- name: listener_customer_proxy_envoy_internal_redirect | ||
address: | ||
socket_address: | ||
protocol: TCP | ||
address: 127.0.0.1 | ||
port_value: CLOUD_SUPPORT_ENVOY_INTERNAL_REDIRECT_PORT | ||
filter_chains: | ||
- filters: | ||
- name: envoy.filters.network.tcp_proxy | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy | ||
stat_prefix: ingress_customer_proxy_envoy_internal_redirect | ||
access_log: | ||
- name: envoy.access_loggers.stdout | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog | ||
cluster: cluster_customer_proxy | ||
tunneling_config: | ||
hostname: REST_PROXY_URL:443 | ||
headers_to_add: | ||
- header: | ||
key: "product-name" | ||
value: "portworx" | ||
- header: | ||
key: "appliance-id" | ||
value: APPLIANCE_ID | ||
- header: | ||
key: "component-sn" | ||
value: COMPONENT_SN | ||
- header: | ||
key: "product-version" | ||
value: PRODUCT_VERSION | ||
- header: | ||
key: "proxy-authorization" | ||
value: "BASIC_AUTH" | ||
clusters: | ||
- name: cluster_cloud_support | ||
type: STRICT_DNS | ||
dns_lookup_family: V4_ONLY | ||
lb_policy: ROUND_ROBIN | ||
load_assignment: | ||
cluster_name: cluster_cloud_support | ||
endpoints: | ||
- lb_endpoints: | ||
- endpoint: | ||
address: | ||
socket_address: | ||
address: localhost | ||
port_value: CLOUD_SUPPORT_ENVOY_INTERNAL_REDIRECT_PORT | ||
transport_socket: | ||
name: envoy.transport_sockets.tls | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | ||
common_tls_context: | ||
tls_certificate_sds_secret_configs: | ||
name: tls_sds | ||
sds_config: | ||
path: /etc/envoy/tls_certificate_sds_secret.yaml | ||
validation_context: | ||
trusted_ca: | ||
filename: /etc/ssl/certs/ca-certificates.crt | ||
match_typed_subject_alt_names: | ||
- san_type: DNS | ||
matcher: | ||
exact: REST_PROXY_URL | ||
- name: cluster_cloud_support_tcp_proxy | ||
type: STRICT_DNS | ||
dns_lookup_family: V4_ONLY | ||
lb_policy: ROUND_ROBIN | ||
load_assignment: | ||
cluster_name: cluster_cloud_support_tcp_proxy | ||
endpoints: | ||
- lb_endpoints: | ||
- endpoint: | ||
address: | ||
socket_address: | ||
address: localhost | ||
port_value: CLOUD_SUPPORT_ENVOY_INTERNAL_REDIRECT_PORT | ||
transport_socket: | ||
name: envoy.transport_sockets.tls | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | ||
common_tls_context: | ||
tls_certificate_sds_secret_configs: | ||
name: tls_sds | ||
sds_config: | ||
path: /etc/envoy/tls_certificate_sds_secret.yaml | ||
validation_context: | ||
trusted_ca: | ||
filename: /etc/ssl/certs/ca-certificates.crt | ||
match_typed_subject_alt_names: | ||
- san_type: DNS | ||
matcher: | ||
exact: REST_PROXY_URL | ||
- name: cluster_customer_proxy | ||
type: STRICT_DNS | ||
dns_lookup_family: V4_ONLY | ||
lb_policy: ROUND_ROBIN | ||
# This ensures HTTP/1.1 CONNECT is used for establishing the tunnel. | ||
typed_extension_protocol_options: | ||
envoy.extensions.upstreams.http.v3.HttpProtocolOptions: | ||
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions | ||
explicit_http_config: | ||
http_protocol_options: {} | ||
load_assignment: | ||
cluster_name: cluster_customer_proxy | ||
endpoints: | ||
- lb_endpoints: | ||
- endpoint: | ||
address: | ||
socket_address: | ||
address: CUSTOM_PROXY_ADDRESS | ||
port_value: CUSTOM_PROXY_PORT |
191 changes: 191 additions & 0 deletions
191
deploy/ccm/envoy-config-collector-custom-https-proxy.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,191 @@ | ||
admin: | ||
address: | ||
socket_address: | ||
address: 127.0.0.1 | ||
port_value: 9901 | ||
node: | ||
id: "id_rest" | ||
cluster: "cluster_rest" | ||
static_resources: | ||
listeners: | ||
- name: listener_cloud_support | ||
address: | ||
socket_address: | ||
address: 127.0.0.1 | ||
port_value: REST_CLOUD_SUPPORT_PORT | ||
filter_chains: | ||
- filters: | ||
- name: envoy.filters.network.http_connection_manager | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager | ||
stat_prefix: ingress_http | ||
access_log: | ||
- name: envoy.access_loggers.stdout | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog | ||
http_filters: | ||
- name: envoy.filters.http.router | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router | ||
route_config: | ||
name: local_route | ||
virtual_hosts: | ||
- name: local_service | ||
domains: ["*"] | ||
routes: | ||
- match: | ||
prefix: "/" | ||
request_headers_to_add: | ||
- header: | ||
key: "product-name" | ||
value: "portworx" | ||
- header: | ||
key: "appliance-id" | ||
value: APPLIANCE_ID | ||
- header: | ||
key: "component-sn" | ||
value: COMPONENT_SN | ||
- header: | ||
key: "product-version" | ||
value: PRODUCT_VERSION | ||
- header: | ||
key: "proxy-authorization" | ||
value: "BASIC_AUTH" | ||
route: | ||
host_rewrite_literal: REST_PROXY_URL | ||
cluster: cluster_cloud_support | ||
- name: listener_cloud_support_tcp_proxy | ||
address: | ||
socket_address: | ||
protocol: TCP | ||
address: 127.0.0.1 | ||
port_value: CLOUD_SUPPORT_TCP_PROXY_PORT | ||
filter_chains: | ||
- filters: | ||
- name: envoy.filters.network.tcp_proxy | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy | ||
stat_prefix: ingress_tcp_proxy | ||
access_log: | ||
- name: envoy.access_loggers.stdout | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog | ||
cluster: cluster_cloud_support_tcp_proxy | ||
- name: listener_customer_proxy_envoy_internal_redirect | ||
address: | ||
socket_address: | ||
protocol: TCP | ||
address: 127.0.0.1 | ||
port_value: CLOUD_SUPPORT_ENVOY_INTERNAL_REDIRECT_PORT | ||
filter_chains: | ||
- filters: | ||
- name: envoy.filters.network.tcp_proxy | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy | ||
stat_prefix: ingress_customer_proxy_envoy_internal_redirect | ||
access_log: | ||
- name: envoy.access_loggers.stdout | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog | ||
cluster: cluster_customer_proxy | ||
tunneling_config: | ||
hostname: REST_PROXY_URL:443 | ||
headers_to_add: | ||
- header: | ||
key: "product-name" | ||
value: "portworx" | ||
- header: | ||
key: "appliance-id" | ||
value: APPLIANCE_ID | ||
- header: | ||
key: "component-sn" | ||
value: COMPONENT_SN | ||
- header: | ||
key: "product-version" | ||
value: PRODUCT_VERSION | ||
- header: | ||
key: "proxy-authorization" | ||
value: "BASIC_AUTH" | ||
clusters: | ||
- name: cluster_cloud_support | ||
type: STRICT_DNS | ||
dns_lookup_family: V4_ONLY | ||
lb_policy: ROUND_ROBIN | ||
load_assignment: | ||
cluster_name: cluster_cloud_support | ||
endpoints: | ||
- lb_endpoints: | ||
- endpoint: | ||
address: | ||
socket_address: | ||
address: localhost | ||
port_value: CLOUD_SUPPORT_ENVOY_INTERNAL_REDIRECT_PORT | ||
transport_socket: | ||
name: envoy.transport_sockets.tls | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | ||
common_tls_context: | ||
tls_certificate_sds_secret_configs: | ||
name: tls_sds | ||
sds_config: | ||
path: /etc/envoy/tls_certificate_sds_secret.yaml | ||
validation_context: | ||
trusted_ca: | ||
filename: /etc/ssl/certs/ca-certificates.crt | ||
match_typed_subject_alt_names: | ||
- san_type: DNS | ||
matcher: | ||
exact: REST_PROXY_URL | ||
- name: cluster_cloud_support_tcp_proxy | ||
type: STRICT_DNS | ||
dns_lookup_family: V4_ONLY | ||
lb_policy: ROUND_ROBIN | ||
load_assignment: | ||
cluster_name: cluster_cloud_support_tcp_proxy | ||
endpoints: | ||
- lb_endpoints: | ||
- endpoint: | ||
address: | ||
socket_address: | ||
address: localhost | ||
port_value: CLOUD_SUPPORT_ENVOY_INTERNAL_REDIRECT_PORT | ||
transport_socket: | ||
name: envoy.transport_sockets.tls | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | ||
common_tls_context: | ||
tls_certificate_sds_secret_configs: | ||
name: tls_sds | ||
sds_config: | ||
path: /etc/envoy/tls_certificate_sds_secret.yaml | ||
validation_context: | ||
trusted_ca: | ||
filename: /etc/ssl/certs/ca-certificates.crt | ||
match_typed_subject_alt_names: | ||
- san_type: DNS | ||
matcher: | ||
exact: REST_PROXY_URL | ||
- name: cluster_customer_proxy | ||
type: STRICT_DNS | ||
dns_lookup_family: V4_ONLY | ||
lb_policy: ROUND_ROBIN | ||
# This ensures HTTP/1.1 CONNECT is used for establishing the tunnel. | ||
typed_extension_protocol_options: | ||
envoy.extensions.upstreams.http.v3.HttpProtocolOptions: | ||
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions | ||
explicit_http_config: | ||
http_protocol_options: {} | ||
load_assignment: | ||
cluster_name: cluster_customer_proxy | ||
endpoints: | ||
- lb_endpoints: | ||
- endpoint: | ||
address: | ||
socket_address: | ||
address: CUSTOM_PROXY_ADDRESS | ||
port_value: CUSTOM_PROXY_PORT | ||
transport_socket: | ||
name: envoy.transport_sockets.tls | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | ||
sni: CUSTOM_PROXY_ADDRESS |
Oops, something went wrong.