-
Notifications
You must be signed in to change notification settings - Fork 33
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
* PWX-32011: added https proxy support (#1120)
- Loading branch information
Showing
17 changed files
with
1,535 additions
and
80 deletions.
There are no files selected for viewing
186 changes: 186 additions & 0 deletions
186
deploy/ccm/envoy-config-collector-custom-http-proxy.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,186 @@ | ||
| admin: | ||
| address: | ||
| socket_address: | ||
| address: 127.0.0.1 | ||
| port_value: 9901 | ||
| node: | ||
| id: "id_rest" | ||
| cluster: "cluster_rest" | ||
| static_resources: | ||
| listeners: | ||
| - name: listener_cloud_support | ||
| address: | ||
| socket_address: | ||
| address: 127.0.0.1 | ||
| port_value: REST_CLOUD_SUPPORT_PORT | ||
| filter_chains: | ||
| - filters: | ||
| - name: envoy.filters.network.http_connection_manager | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager | ||
| stat_prefix: ingress_http | ||
| access_log: | ||
| - name: envoy.access_loggers.stdout | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog | ||
| http_filters: | ||
| - name: envoy.filters.http.router | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router | ||
| route_config: | ||
| name: local_route | ||
| virtual_hosts: | ||
| - name: local_service | ||
| domains: ["*"] | ||
| routes: | ||
| - match: | ||
| prefix: "/" | ||
| request_headers_to_add: | ||
| - header: | ||
| key: "product-name" | ||
| value: "portworx" | ||
| - header: | ||
| key: "appliance-id" | ||
| value: APPLIANCE_ID | ||
| - header: | ||
| key: "component-sn" | ||
| value: COMPONENT_SN | ||
| - header: | ||
| key: "product-version" | ||
| value: PRODUCT_VERSION | ||
| - header: | ||
| key: "proxy-authorization" | ||
| value: "BASIC_AUTH" | ||
| route: | ||
| host_rewrite_literal: REST_PROXY_URL | ||
| cluster: cluster_cloud_support | ||
| - name: listener_cloud_support_tcp_proxy | ||
| address: | ||
| socket_address: | ||
| protocol: TCP | ||
| address: 127.0.0.1 | ||
| port_value: CLOUD_SUPPORT_TCP_PROXY_PORT | ||
| filter_chains: | ||
| - filters: | ||
| - name: envoy.filters.network.tcp_proxy | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy | ||
| stat_prefix: ingress_tcp_proxy | ||
| access_log: | ||
| - name: envoy.access_loggers.stdout | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog | ||
| cluster: cluster_cloud_support_tcp_proxy | ||
| - name: listener_customer_proxy_envoy_internal_redirect | ||
| address: | ||
| socket_address: | ||
| protocol: TCP | ||
| address: 127.0.0.1 | ||
| port_value: CLOUD_SUPPORT_ENVOY_INTERNAL_REDIRECT_PORT | ||
| filter_chains: | ||
| - filters: | ||
| - name: envoy.filters.network.tcp_proxy | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy | ||
| stat_prefix: ingress_customer_proxy_envoy_internal_redirect | ||
| access_log: | ||
| - name: envoy.access_loggers.stdout | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog | ||
| cluster: cluster_customer_proxy | ||
| tunneling_config: | ||
| hostname: REST_PROXY_URL:443 | ||
| headers_to_add: | ||
| - header: | ||
| key: "product-name" | ||
| value: "portworx" | ||
| - header: | ||
| key: "appliance-id" | ||
| value: APPLIANCE_ID | ||
| - header: | ||
| key: "component-sn" | ||
| value: COMPONENT_SN | ||
| - header: | ||
| key: "product-version" | ||
| value: PRODUCT_VERSION | ||
| - header: | ||
| key: "proxy-authorization" | ||
| value: "BASIC_AUTH" | ||
| clusters: | ||
| - name: cluster_cloud_support | ||
| type: STRICT_DNS | ||
| dns_lookup_family: V4_ONLY | ||
| lb_policy: ROUND_ROBIN | ||
| load_assignment: | ||
| cluster_name: cluster_cloud_support | ||
| endpoints: | ||
| - lb_endpoints: | ||
| - endpoint: | ||
| address: | ||
| socket_address: | ||
| address: localhost | ||
| port_value: CLOUD_SUPPORT_ENVOY_INTERNAL_REDIRECT_PORT | ||
| transport_socket: | ||
| name: envoy.transport_sockets.tls | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | ||
| common_tls_context: | ||
| tls_certificate_sds_secret_configs: | ||
| name: tls_sds | ||
| sds_config: | ||
| path: /etc/envoy/tls_certificate_sds_secret.yaml | ||
| validation_context: | ||
| trusted_ca: | ||
| filename: /etc/ssl/certs/ca-certificates.crt | ||
| match_typed_subject_alt_names: | ||
| - san_type: DNS | ||
| matcher: | ||
| exact: REST_PROXY_URL | ||
| - name: cluster_cloud_support_tcp_proxy | ||
| type: STRICT_DNS | ||
| dns_lookup_family: V4_ONLY | ||
| lb_policy: ROUND_ROBIN | ||
| load_assignment: | ||
| cluster_name: cluster_cloud_support_tcp_proxy | ||
| endpoints: | ||
| - lb_endpoints: | ||
| - endpoint: | ||
| address: | ||
| socket_address: | ||
| address: localhost | ||
| port_value: CLOUD_SUPPORT_ENVOY_INTERNAL_REDIRECT_PORT | ||
| transport_socket: | ||
| name: envoy.transport_sockets.tls | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | ||
| common_tls_context: | ||
| tls_certificate_sds_secret_configs: | ||
| name: tls_sds | ||
| sds_config: | ||
| path: /etc/envoy/tls_certificate_sds_secret.yaml | ||
| validation_context: | ||
| trusted_ca: | ||
| filename: /etc/ssl/certs/ca-certificates.crt | ||
| match_typed_subject_alt_names: | ||
| - san_type: DNS | ||
| matcher: | ||
| exact: REST_PROXY_URL | ||
| - name: cluster_customer_proxy | ||
| type: STRICT_DNS | ||
| dns_lookup_family: V4_ONLY | ||
| lb_policy: ROUND_ROBIN | ||
| # This ensures HTTP/1.1 CONNECT is used for establishing the tunnel. | ||
| typed_extension_protocol_options: | ||
| envoy.extensions.upstreams.http.v3.HttpProtocolOptions: | ||
| "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions | ||
| explicit_http_config: | ||
| http_protocol_options: {} | ||
| load_assignment: | ||
| cluster_name: cluster_customer_proxy | ||
| endpoints: | ||
| - lb_endpoints: | ||
| - endpoint: | ||
| address: | ||
| socket_address: | ||
| address: CUSTOM_PROXY_ADDRESS | ||
| port_value: CUSTOM_PROXY_PORT |
191 changes: 191 additions & 0 deletions
191
deploy/ccm/envoy-config-collector-custom-https-proxy.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,191 @@ | ||
| admin: | ||
| address: | ||
| socket_address: | ||
| address: 127.0.0.1 | ||
| port_value: 9901 | ||
| node: | ||
| id: "id_rest" | ||
| cluster: "cluster_rest" | ||
| static_resources: | ||
| listeners: | ||
| - name: listener_cloud_support | ||
| address: | ||
| socket_address: | ||
| address: 127.0.0.1 | ||
| port_value: REST_CLOUD_SUPPORT_PORT | ||
| filter_chains: | ||
| - filters: | ||
| - name: envoy.filters.network.http_connection_manager | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager | ||
| stat_prefix: ingress_http | ||
| access_log: | ||
| - name: envoy.access_loggers.stdout | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog | ||
| http_filters: | ||
| - name: envoy.filters.http.router | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router | ||
| route_config: | ||
| name: local_route | ||
| virtual_hosts: | ||
| - name: local_service | ||
| domains: ["*"] | ||
| routes: | ||
| - match: | ||
| prefix: "/" | ||
| request_headers_to_add: | ||
| - header: | ||
| key: "product-name" | ||
| value: "portworx" | ||
| - header: | ||
| key: "appliance-id" | ||
| value: APPLIANCE_ID | ||
| - header: | ||
| key: "component-sn" | ||
| value: COMPONENT_SN | ||
| - header: | ||
| key: "product-version" | ||
| value: PRODUCT_VERSION | ||
| - header: | ||
| key: "proxy-authorization" | ||
| value: "BASIC_AUTH" | ||
| route: | ||
| host_rewrite_literal: REST_PROXY_URL | ||
| cluster: cluster_cloud_support | ||
| - name: listener_cloud_support_tcp_proxy | ||
| address: | ||
| socket_address: | ||
| protocol: TCP | ||
| address: 127.0.0.1 | ||
| port_value: CLOUD_SUPPORT_TCP_PROXY_PORT | ||
| filter_chains: | ||
| - filters: | ||
| - name: envoy.filters.network.tcp_proxy | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy | ||
| stat_prefix: ingress_tcp_proxy | ||
| access_log: | ||
| - name: envoy.access_loggers.stdout | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog | ||
| cluster: cluster_cloud_support_tcp_proxy | ||
| - name: listener_customer_proxy_envoy_internal_redirect | ||
| address: | ||
| socket_address: | ||
| protocol: TCP | ||
| address: 127.0.0.1 | ||
| port_value: CLOUD_SUPPORT_ENVOY_INTERNAL_REDIRECT_PORT | ||
| filter_chains: | ||
| - filters: | ||
| - name: envoy.filters.network.tcp_proxy | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy | ||
| stat_prefix: ingress_customer_proxy_envoy_internal_redirect | ||
| access_log: | ||
| - name: envoy.access_loggers.stdout | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog | ||
| cluster: cluster_customer_proxy | ||
| tunneling_config: | ||
| hostname: REST_PROXY_URL:443 | ||
| headers_to_add: | ||
| - header: | ||
| key: "product-name" | ||
| value: "portworx" | ||
| - header: | ||
| key: "appliance-id" | ||
| value: APPLIANCE_ID | ||
| - header: | ||
| key: "component-sn" | ||
| value: COMPONENT_SN | ||
| - header: | ||
| key: "product-version" | ||
| value: PRODUCT_VERSION | ||
| - header: | ||
| key: "proxy-authorization" | ||
| value: "BASIC_AUTH" | ||
| clusters: | ||
| - name: cluster_cloud_support | ||
| type: STRICT_DNS | ||
| dns_lookup_family: V4_ONLY | ||
| lb_policy: ROUND_ROBIN | ||
| load_assignment: | ||
| cluster_name: cluster_cloud_support | ||
| endpoints: | ||
| - lb_endpoints: | ||
| - endpoint: | ||
| address: | ||
| socket_address: | ||
| address: localhost | ||
| port_value: CLOUD_SUPPORT_ENVOY_INTERNAL_REDIRECT_PORT | ||
| transport_socket: | ||
| name: envoy.transport_sockets.tls | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | ||
| common_tls_context: | ||
| tls_certificate_sds_secret_configs: | ||
| name: tls_sds | ||
| sds_config: | ||
| path: /etc/envoy/tls_certificate_sds_secret.yaml | ||
| validation_context: | ||
| trusted_ca: | ||
| filename: /etc/ssl/certs/ca-certificates.crt | ||
| match_typed_subject_alt_names: | ||
| - san_type: DNS | ||
| matcher: | ||
| exact: REST_PROXY_URL | ||
| - name: cluster_cloud_support_tcp_proxy | ||
| type: STRICT_DNS | ||
| dns_lookup_family: V4_ONLY | ||
| lb_policy: ROUND_ROBIN | ||
| load_assignment: | ||
| cluster_name: cluster_cloud_support_tcp_proxy | ||
| endpoints: | ||
| - lb_endpoints: | ||
| - endpoint: | ||
| address: | ||
| socket_address: | ||
| address: localhost | ||
| port_value: CLOUD_SUPPORT_ENVOY_INTERNAL_REDIRECT_PORT | ||
| transport_socket: | ||
| name: envoy.transport_sockets.tls | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | ||
| common_tls_context: | ||
| tls_certificate_sds_secret_configs: | ||
| name: tls_sds | ||
| sds_config: | ||
| path: /etc/envoy/tls_certificate_sds_secret.yaml | ||
| validation_context: | ||
| trusted_ca: | ||
| filename: /etc/ssl/certs/ca-certificates.crt | ||
| match_typed_subject_alt_names: | ||
| - san_type: DNS | ||
| matcher: | ||
| exact: REST_PROXY_URL | ||
| - name: cluster_customer_proxy | ||
| type: STRICT_DNS | ||
| dns_lookup_family: V4_ONLY | ||
| lb_policy: ROUND_ROBIN | ||
| # This ensures HTTP/1.1 CONNECT is used for establishing the tunnel. | ||
| typed_extension_protocol_options: | ||
| envoy.extensions.upstreams.http.v3.HttpProtocolOptions: | ||
| "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions | ||
| explicit_http_config: | ||
| http_protocol_options: {} | ||
| load_assignment: | ||
| cluster_name: cluster_customer_proxy | ||
| endpoints: | ||
| - lb_endpoints: | ||
| - endpoint: | ||
| address: | ||
| socket_address: | ||
| address: CUSTOM_PROXY_ADDRESS | ||
| port_value: CUSTOM_PROXY_PORT | ||
| transport_socket: | ||
| name: envoy.transport_sockets.tls | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | ||
| sni: CUSTOM_PROXY_ADDRESS |
Oops, something went wrong.