Implement envoy route config for opentelemetry-collector (#5016)

* Implement envoy route config for opentelemetry-collector Signed-off-by: Shinnosuke Sawada <[email protected]> * Add annotation for gateway to rollout when its config changes Signed-off-by: Shinnosuke Sawada <[email protected]> --------- Signed-off-by: Shinnosuke Sawada <[email protected]>
pipe-cd · Jul 8, 2024 · 713fb03 · 713fb03
1 parent dd8833b
commit 713fb03
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 1 deletion.
diff --git a/manifests/pipecd/templates/deployment.yaml b/manifests/pipecd/templates/deployment.yaml
@@ -17,6 +17,8 @@ spec:
  labels:
  {{- include "pipecd.selectorLabels" . | nindent 8 }}
  app.kubernetes.io/component: gateway
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/envoy-configmap.yaml") . | sha256sum }} # ref; https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
  spec:
  {{- if or .Values.serviceAccount.create .Values.serviceAccount.name }}
  serviceAccountName: {{ include "pipecd.serviceAccountName" . }}

diff --git a/manifests/pipecd/templates/envoy-configmap.yaml b/manifests/pipecd/templates/envoy-configmap.yaml
@@ -20,7 +20,7 @@ data:
  socket_address:
  address: 0.0.0.0
  port_value: 9090
- filter_chains:
+ filter_chains: # We cannot turn off ext_authz by default, so we have to turn it off in config for each route that doesn't need authz.
  - filters:
  - name: envoy.filters.network.http_connection_manager
  typed_config:
@@ -32,6 +32,14 @@ data:
  typed_config:
  "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
  http_filters:
+ - name: envoy.filters.http.ext_authz
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+ grpc_service:
+ envoy_grpc:
+ cluster_name: grpc-envoy-ext-authz
+ transport_api_version: V3
+ include_peer_certificate: false
  - name: envoy.filters.http.grpc_web
 {{- if .Values.cors.enabled }}
  - name: envoy.filters.http.cors
@@ -66,38 +74,71 @@ data:
  grpc:
  route:
  cluster: grpc-piped-service
+ typed_per_filter_config:
+ envoy.filters.http.ext_authz:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+ disabled: true
  - match:
  prefix: /pipe.api.service.pipedservice.PipedService/
  grpc:
  route:
  cluster: grpc-piped-service
  prefix_rewrite: /grpc.service.pipedservice.PipedService/
+ typed_per_filter_config:
+ envoy.filters.http.ext_authz:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+ disabled: true
  - match:
  prefix: /grpc.service.webservice.WebService/
  grpc:
  route:
  cluster: grpc-web-service
+ typed_per_filter_config:
+ envoy.filters.http.ext_authz:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+ disabled: true
  - match:
  prefix: /pipe.api.service.webservice.WebService/
  grpc:
  route:
  cluster: grpc-web-service
  prefix_rewrite: /grpc.service.webservice.WebService/
+ typed_per_filter_config:
+ envoy.filters.http.ext_authz:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+ disabled: true
  - match:
  prefix: /grpc.service.apiservice.APIService/
  grpc:
  route:
  cluster: grpc-api-service
+ typed_per_filter_config:
+ envoy.filters.http.ext_authz:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+ disabled: true
  - match:
  prefix: /pipe.api.service.apiservice.APIService/
  grpc:
  route:
  cluster: grpc-api-service
  prefix_rewrite: /grpc.service.apiservice.APIService/
+ typed_per_filter_config:
+ envoy.filters.http.ext_authz:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+ disabled: true
+ - match: # We want to protect the opentelemetry service with envoy ext_authz, so this route must not turn off ext_authz.
+ prefix: "/opentelemetry.proto.collector.trace.v1.TraceService/"
+ grpc:
+ route:
+ cluster: opentelemetry-collector
  - match:
  prefix: /
  route:
  cluster: server-http
+ typed_per_filter_config:
+ envoy.filters.http.ext_authz:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+ disabled: true
 {{- if .Values.gateway.internalTLS.enabled }}
  transport_socket:
  name: envoy.transport_socket.tls
@@ -175,3 +216,35 @@ data:
  port_value: 9082
  track_cluster_stats:
  request_response_sizes: true
+ - name: grpc-envoy-ext-authz
+ http2_protocol_options: {}
+ connect_timeout: 0.25s
+ type: STRICT_DNS
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: grpc-envoy-ext-authz
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: {{ include "pipecd.fullname" . }}-server
+ port_value: 9086
+ track_cluster_stats:
+ request_response_sizes: true
+ - name: opentelemetry-collector
+ http2_protocol_options: {}
+ connect_timeout: 0.25s
+ type: STRICT_DNS
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: opentelemetry-collector
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: {{ include "pipecd.fullname" . }}-opentelemetry-collector
+ port_value: 4317
+ track_cluster_stats:
+ request_response_sizes: true