diff --git a/manifests/pipecd/templates/deployment.yaml b/manifests/pipecd/templates/deployment.yaml index 1b925495d3..cb4ac07022 100644 --- a/manifests/pipecd/templates/deployment.yaml +++ b/manifests/pipecd/templates/deployment.yaml @@ -17,6 +17,8 @@ spec: labels: {{- include "pipecd.selectorLabels" . | nindent 8 }} app.kubernetes.io/component: gateway + annotations: + checksum/config: {{ include (print $.Template.BasePath "/envoy-configmap.yaml") . | sha256sum }} # ref; https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments spec: {{- if or .Values.serviceAccount.create .Values.serviceAccount.name }} serviceAccountName: {{ include "pipecd.serviceAccountName" . }} diff --git a/manifests/pipecd/templates/envoy-configmap.yaml b/manifests/pipecd/templates/envoy-configmap.yaml index 99c7ecf2fa..fb56503390 100644 --- a/manifests/pipecd/templates/envoy-configmap.yaml +++ b/manifests/pipecd/templates/envoy-configmap.yaml @@ -20,7 +20,7 @@ data: socket_address: address: 0.0.0.0 port_value: 9090 - filter_chains: + filter_chains: # We cannot turn off ext_authz by default, so we have to turn it off in config for each route that doesn't need authz. - filters: - name: envoy.filters.network.http_connection_manager typed_config: @@ -32,6 +32,14 @@ data: typed_config: "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog http_filters: + - name: envoy.filters.http.ext_authz + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + grpc_service: + envoy_grpc: + cluster_name: grpc-envoy-ext-authz + transport_api_version: V3 + include_peer_certificate: false - name: envoy.filters.http.grpc_web {{- if .Values.cors.enabled }} - name: envoy.filters.http.cors @@ -66,38 +74,71 @@ data: grpc: route: cluster: grpc-piped-service + typed_per_filter_config: + envoy.filters.http.ext_authz: + "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute + disabled: true - match: prefix: /pipe.api.service.pipedservice.PipedService/ grpc: route: cluster: grpc-piped-service prefix_rewrite: /grpc.service.pipedservice.PipedService/ + typed_per_filter_config: + envoy.filters.http.ext_authz: + "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute + disabled: true - match: prefix: /grpc.service.webservice.WebService/ grpc: route: cluster: grpc-web-service + typed_per_filter_config: + envoy.filters.http.ext_authz: + "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute + disabled: true - match: prefix: /pipe.api.service.webservice.WebService/ grpc: route: cluster: grpc-web-service prefix_rewrite: /grpc.service.webservice.WebService/ + typed_per_filter_config: + envoy.filters.http.ext_authz: + "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute + disabled: true - match: prefix: /grpc.service.apiservice.APIService/ grpc: route: cluster: grpc-api-service + typed_per_filter_config: + envoy.filters.http.ext_authz: + "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute + disabled: true - match: prefix: /pipe.api.service.apiservice.APIService/ grpc: route: cluster: grpc-api-service prefix_rewrite: /grpc.service.apiservice.APIService/ + typed_per_filter_config: + envoy.filters.http.ext_authz: + "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute + disabled: true + - match: # We want to protect the opentelemetry service with envoy ext_authz, so this route must not turn off ext_authz. + prefix: "/opentelemetry.proto.collector.trace.v1.TraceService/" + grpc: + route: + cluster: opentelemetry-collector - match: prefix: / route: cluster: server-http + typed_per_filter_config: + envoy.filters.http.ext_authz: + "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute + disabled: true {{- if .Values.gateway.internalTLS.enabled }} transport_socket: name: envoy.transport_socket.tls @@ -175,3 +216,35 @@ data: port_value: 9082 track_cluster_stats: request_response_sizes: true + - name: grpc-envoy-ext-authz + http2_protocol_options: {} + connect_timeout: 0.25s + type: STRICT_DNS + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: grpc-envoy-ext-authz + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: {{ include "pipecd.fullname" . }}-server + port_value: 9086 + track_cluster_stats: + request_response_sizes: true + - name: opentelemetry-collector + http2_protocol_options: {} + connect_timeout: 0.25s + type: STRICT_DNS + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: opentelemetry-collector + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: {{ include "pipecd.fullname" . }}-opentelemetry-collector + port_value: 4317 + track_cluster_stats: + request_response_sizes: true