sagikazarmark/curiefense-emissary-poc

Curiefense WAF + Emissary Ingress POC

Clone the repository with the following command:

git clone --recurse-submodules https://github.com/sagikazarmark/curiefense-emissary-poc.git

Preparations

Build container image:

docker build .

If you use Kind (see the Using Kind instructions below if you are here for the first time), you can build a local image and load it into Kind:

docker build -t curiefense-emissary .
kind load docker-image curiefense-emissary:latest

Setup

Gain access to a Kubernetes cluster. Check out the Using Kind section for a local setup.

Using Kind

  1. Create a new Kind cluster:
     kind create cluster --config kind/kind.yaml
  2. Run the setup script to install required components:
     ./kind/setup.sh

Deploy Curiefense

Deploy Curiefense:

kubectl create namespace curiefense

kubectl apply -f curiefense/secret.yaml

cd curiefense/curiefense-helm/curiefense-helm
DOCKER_TAG=v1.5.0 ./deploy.sh -f curiefense/use-minio.yaml --set "global.proxy.frontend=envoy" --set "global.settings.curiefense_minio_insecure=true"
cd -

TODO: quality of life improvement: push (prod) chart to a chart repo? Use Kustomize to install components (uiserver, confserver) separately?

Deploy Emissary Ingress

Deploy Emissary:

# If you run into any error, run it again
kustomize build emissary | kubectl apply -f -

kubectl -n emissary wait --for condition=available --timeout=90s deploy emissary-ingress

Deploy the echo app

kubectl apply -f app/app.yaml

Usage

First, you might want to create some configuration that proves the system works.

For example, you could create a Global Filter that matches requests with a specific header (e.g. breakme: true).

Check out the documentation to learn about the vast number of features Curiefense has.

To do that, port-forward into the Curiefense UI server:

kubectl -n curiefense port-forward deploy/uiserver 8080:80

Then follow these steps to set up a simple deny rule:

  1. Go to Policies & Rules
  2. Choose Global Filters
  3. Click the + (plus) sign in the right upper corner
  4. Give the new filter a name
  5. Add a new match for a Header (e.g. breakme: true)
  6. Choose 503 Service Unavailable as action
  7. Hit save (floppy icon)
  8. Go to Publish Changes
  9. Hit Publish configuration

Next, port-forward into Emissary Ingress:

kubectl -n emissary port-forward deploy/emissary-ingress 8888:8080

Finally, send a request to the ingress:

curl -H "Host: host2.example.com" -H "breakme: true" localhost:8888

You should get a 503 from the server.
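A single curl only shows the deny path. A WAF that is misconfigured or silently bypassed (for example, when the ext_authz filter is not wired into the ingress) would still let the request through, so it is worth checking both outcomes: a plain request must reach the echo app, and the same request with the breakme header must be blocked. The script below is an added example, not part of this repository; it assumes the port-forward on localhost:8888 and the host2.example.com virtual host from the steps above, and the header name, value and expected status codes are the constructed ones used in the rule set up earlier.

```shell
#!/bin/sh
# Smoke test for the Global Filter deny rule configured in the Usage section.
# Assumed defaults (from the README's port-forward and curl command); override via env.
BASE_URL="${BASE_URL:-http://localhost:8888}"
VHOST="${VHOST:-host2.example.com}"

# fetch_status [HEADER_NAME HEADER_VALUE]
# Sends one request through the ingress and prints only the HTTP status code.
# curl prints 000 when the connection fails, which never matches an expected code.
fetch_status() {
  if [ -n "${1:-}" ]; then
    curl -s -o /dev/null -w '%{http_code}' -H "Host: $VHOST" -H "$1: $2" "$BASE_URL"
  else
    curl -s -o /dev/null -w '%{http_code}' -H "Host: $VHOST" "$BASE_URL"
  fi
}

# check DESCRIPTION EXPECTED_STATUS [HEADER_NAME HEADER_VALUE]
# Returns 0 when the observed status matches, 1 otherwise.
check() {
  desc=$1
  expected=$2
  shift 2
  got=$(fetch_status "$@")
  if [ "$got" = "$expected" ]; then
    echo "PASS: $desc ($got)"
    return 0
  fi
  echo "FAIL: $desc (expected $expected, got $got)"
  return 1
}

# run_checks: exercises the allow path and the deny path.
# Returns the number of failed checks, so 0 means the WAF behaves as configured.
run_checks() {
  failures=0
  check "baseline request reaches the echo app" 200 || failures=$((failures + 1))
  check "breakme header is denied by the Global Filter" 503 breakme true || failures=$((failures + 1))
  return "$failures"
}

# Only send traffic when invoked as "sh waf-check.sh run" (constructed convention),
# so the functions can also be sourced from other scripts.
if [ "${1:-}" = "run" ]; then
  run_checks
fi
```

Run it with `sh waf-check.sh run` once both port-forwards are in place. A non-zero exit status means at least one path behaved unexpectedly; in particular a 200 for the breakme request means the rule was published but the ingress is not enforcing it.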

Cleanup

Ideally, delete the cluster.

In case of Kind:

kind delete cluster

Best-effort attempt to delete resources:

kubectl delete namespace emissary
kubectl delete namespace curiefense

About

An attempt to integrate Curiefense into Emissary Ingress
