From 2570d32e8dc325f996d58264cc397552ab81e46d Mon Sep 17 00:00:00 2001 From: eonedar Date: Tue, 12 Aug 2025 15:18:09 +0100 Subject: [PATCH 1/2] initial POC commit Signed-off-by: eonedar --- Dockerfile | 3 +- .../certs/client-certs-curl-debug.yaml | 18 ++++ .../certs/client-certs-secret.yaml | 9 ++ .../envoy.yaml | 90 +++++++++++++++++++ .../templates/configmap/configmap.yaml | 2 + .../templates/deployment/deployment.yaml | 86 +++++++++++------- .../templates/service/service.yaml | 16 +++- 7 files changed, 189 insertions(+), 35 deletions(-) create mode 100644 charts/eric-oss-hello-world-python-app/certs/client-certs-curl-debug.yaml create mode 100644 charts/eric-oss-hello-world-python-app/certs/client-certs-secret.yaml create mode 100644 charts/eric-oss-hello-world-python-app/envoy.yaml diff --git a/Dockerfile b/Dockerfile index 6dca988..e3467dc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,5 @@ -FROM +FROM python:3.12-slim + ARG USER_ID=60577 ARG USER_NAME="eric-sdk" diff --git a/charts/eric-oss-hello-world-python-app/certs/client-certs-curl-debug.yaml b/charts/eric-oss-hello-world-python-app/certs/client-certs-curl-debug.yaml new file mode 100644 index 0000000..b6a56a6 --- /dev/null +++ b/charts/eric-oss-hello-world-python-app/certs/client-certs-curl-debug.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: client-certs-curl-debug +spec: + restartPolicy: Always + containers: + - name: curl-debug + image: curlimages/curl:latest + command: ["sleep", "infinity"] + volumeMounts: + - name: client-certs + mountPath: /etc/certs + readOnly: true + volumes: + - name: client-certs + secret: + secretName: client-certs diff --git a/charts/eric-oss-hello-world-python-app/certs/client-certs-secret.yaml b/charts/eric-oss-hello-world-python-app/certs/client-certs-secret.yaml new file mode 100644 index 0000000..2a33f69 --- /dev/null +++ b/charts/eric-oss-hello-world-python-app/certs/client-certs-secret.yaml 
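Review bot: `FROM python:3.12-slim` pins the base image only by a mutable tag, so two builds of the same commit can resolve to different images and the chart's supply-chain story depends on whatever Docker Hub serves that day. Pin the digest alongside the tag, `FROM python:3.12-slim@sha256:<digest-from-registry>` (placeholder; take the value from the registry at pin time), and let a dependency bot bump it. The rest of the Dockerfile, including the USER_ID/USER_NAME build args, continues outside the hunk.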
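Review bot: `client-certs-curl-debug.yaml` is a permanently running debug pod (`sleep infinity`, `restartPolicy: Always`) that mounts the client certificate secret, is built from the floating `curlimages/curl:latest` tag, and declares no `securityContext` at all, unlike the app container in deployment.yaml. Because it lives under `certs/` rather than `templates/`, Helm will not render it, which suggests it is a local testing aid; if it stays in the repository it should be pinned and hardened so that nobody applies it as-is to a shared cluster. The minimal hardening mirrors the app container's settings, shown below.
```yaml
  containers:
    - name: curl-debug
      image: curlimages/curl:latest  # TODO: pin as curlimages/curl:<version>@sha256:<digest>
      command: ["sleep", "infinity"]
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
      # … unchanged: volumeMounts …
```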
@@ -0,0 +1,9 @@ +apiVersion: v1 +data: + ca.crt: xxxxxxxxx + client.crt: xxxxxxxxx + client.key: xxxxxxxxx +kind: Secret +metadata: + creationTimestamp: null + name: client-certs diff --git a/charts/eric-oss-hello-world-python-app/envoy.yaml b/charts/eric-oss-hello-world-python-app/envoy.yaml new file mode 100644 index 0000000..dcc57cc --- /dev/null +++ b/charts/eric-oss-hello-world-python-app/envoy.yaml 
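Review bot: The `data:` values `xxxxxxxxx` are not valid base64 (nine characters, no padding), so applying this file as-is should be rejected by the API server with a base64 decoding error rather than producing a usable Secret. If the file is meant as a template for a locally generated secret, use `stringData:` with clearly labelled placeholders, or produce the manifest with `kubectl create secret generic client-certs --from-file=... --dry-run=client -o yaml` and keep the output out of version control; `creationTimestamp: null` is leftover noise from such a dry run and can be dropped. Like the debug pod next to it, this file sits under `certs/` and is not rendered by Helm, so its purpose should be stated in a header comment.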
@@ -0,0 +1,90 @@ +admin: + address: + socket_address: + address: 0.0.0.0 + port_value: 9901 + +static_resources: + listeners: + # TLS listener for mTLS endpoint + - name: hello_world_python_tls + address: + socket_address: + address: 0.0.0.0 + port_value: 8443 + filter_chains: + - transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + require_client_certificate: true + common_tls_context: + tls_certificates: + - certificate_chain: + filename: "/etc/envoy/certs/server.crt" + private_key: + filename: "/etc/envoy/certs/server.key" + validation_context: + trusted_ca: + filename: "/etc/envoy/certs/ca.crt" + filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http_secure + route_config: + virtual_hosts: + - name: secure_service + domains: ["*"] + routes: + - match: + path: "/sample-app/python/hello" + route: + cluster: hello-world-python-cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Plain HTTP listener for other endpoints + - name: hello_world_python_plain + address: + socket_address: + address: 0.0.0.0 + port_value: 8080 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http_plain + route_config: + virtual_hosts: + - name: plain_service + domains: ["*"] + routes: + - match: + path: "/sample-app/python/health" + route: + cluster: hello-world-python-cluster + - match: + path: "/sample-app/python/metrics" + route: + cluster: hello-world-python-cluster + http_filters: + - name: envoy.filters.http.router + 
typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + clusters: + - name: hello-world-python-cluster + type: STATIC + load_assignment: + cluster_name: hello-world-python-service + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 8050 diff --git a/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml b/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml index 9c9867f..c0fbc7f 100644 --- a/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/configmap/configmap.yaml @@ -11,3 +11,5 @@ metadata: data: LOG_CTRL_FILE: |- {{ .Files.Get "logcontrol.json" | indent 4}} + ENVOY_CONFIG_FILE: |- +{{ .Files.Get "envoy.yaml" | indent 4}} diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml index 4aaea3c..682cf9c 100644 --- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml 
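Review bot: The admin interface is bound to `0.0.0.0:9901`, and deployment.yaml also declares `containerPort: 9901`, so the unauthenticated Envoy admin API (config dump, runtime log-level changes, drain and shutdown endpoints) is reachable from anything that can reach the pod IP. Bind it to loopback with `address: 127.0.0.1` under `admin.address.socket_address` and drop the admin container port, or remove the `admin` block entirely if nothing uses it. The mTLS listener validates client certificates only against `trusted_ca`, so every certificate that CA has ever issued is accepted for `/sample-app/python/hello`; if only specific clients should reach it, add `match_typed_subject_alt_names` to the `validation_context`. The plain listener on 8080 deliberately serves `/health` and `/metrics` without TLS, which deserves a comment saying so next to `hello_world_python_plain`.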
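Review bot: `{{ .Files.Get "envoy.yaml" | indent 4}}` renders an empty `ENVOY_CONFIG_FILE` when the file is missing from the packaged chart, because `.Files.Get` returns an empty string instead of failing, and the mistake then surfaces only when the Envoy container cannot start. Fail at render time instead: `{{ .Files.Get "envoy.yaml" | required "envoy.yaml is missing from the chart" | indent 4 }}`; the existing `LOG_CTRL_FILE` line has the same weakness and would benefit from the same guard.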
@@ -36,9 +36,9 @@ spec: app.kubernetes.io/instance: {{ .Release.Name }} service.cleartext/scraping: "true" annotations: - {{- if not (semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion) }} - container.apparmor.security.beta.kubernetes.io/eric-oss-hello-world-python-app: {{ include "eric-oss-hello-world-python-app.appArmorProfileAnnotation" . | default "runtime/default" }} - {{- end }} +{{/* {{- if not (semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion) }}*/}} +{{/* container.apparmor.security.beta.kubernetes.io/eric-oss-hello-world-python-app: {{ include "eric-oss-hello-world-python-app.appArmorProfileAnnotation" . | default "runtime/default" }}*/}} +{{/* {{- end }}*/}} prometheus.io/port: "{{ .Values.service.port }}" prometheus.io/scrape: "{{ .Values.prometheus.scrape }}" prometheus.io/path: "{{ .Values.prometheus.path }}" 
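Review bot: Turning the AppArmor annotation into a `{{/* */}}` comment silently drops the profile from the pod on clusters before 1.30, and the matching `appArmorProfile` block in this file's securityContext hunk does the same for 1.30 and later; the commit message does not say why, and presumably the Envoy sidecar did not run under `runtime/default`, but that should be stated and the profile restored or gated behind a documented value rather than left as dead template text. The same comment-out-instead-of-delete pattern recurs in this file's volumes, volumeMounts and securityContext hunks and in service.yaml's ports; delete the lines instead (git keeps the history), since `{{/* */}}` blocks are stripped before YAML parsing but can leave bare keys behind and break the moment a `*/}}` sequence appears inside them.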
@@ -49,33 +49,58 @@ spec: priorityClassName: {{ (index .Values "podPriority" "eric-oss-hello-world-python-app" "priorityClassName") }} {{- end }} volumes: + - name: envoy-certs + secret: + secretName: envoy-mtls - name: config-volume configMap: name: {{ include "eric-oss-hello-world-python-app.name" . }} items: - key: LOG_CTRL_FILE path: logcontrol.json - - name: platform-cacerts - secret: - secretName: {{ index .Values "platformCaCertSecretName" | quote }} - defaultMode: 420 - - name: app-certs - secret: - secretName: {{ index .Values "appSecretName" | quote }} - defaultMode: 420 - - name: client-creds - secret: - secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }} - defaultMode: 420 + - key: ENVOY_CONFIG_FILE + path: envoy.yaml +{{/* - name: platform-cacerts*/}} +{{/* secret:*/}} +{{/* secretName: {{ index .Values "platformCaCertSecretName" | quote }}*/}} +{{/* defaultMode: 420*/}} +{{/* - name: app-certs*/}} +{{/* secret:*/}} +{{/* secretName: {{ index .Values "appSecretName" | quote }}*/}} +{{/* defaultMode: 420*/}} +{{/* - name: client-creds*/}} +{{/* secret:*/}} +{{/* secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}*/}} +{{/* defaultMode: 420*/}} containers: + - name: envoy + image: envoyproxy/envoy:v1.35.0 +{{/* restartPolicy: Always*/}} + ports: + - containerPort: 8080 + name: envoy-http + protocol: TCP + - containerPort: 8443 + name: envoy-https + protocol: TCP + - containerPort: 9901 + name: admin + args: [ "-c", "/etc/envoy/envoy.yaml" ] + volumeMounts: + - mountPath: /etc/envoy + name: config-volume + + - name: envoy-certs + mountPath: /etc/envoy/certs + readOnly: true - name: eric-oss-hello-world-python-app image: {{ template "eric-oss-hello-world-python-app.imagePath" (dict "imageId" "eric-oss-hello-world-python-app" "values" .Values "files" .Files) }} imagePullPolicy: {{ include "eric-oss-hello-world-python-app.registryImagePullPolicy" . 
| quote }} securityContext: - {{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }} - appArmorProfile: - type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }} - {{- end }} +{{/* {{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }} */}} +{{/* appArmorProfile:*/}} +{{/* type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }}*/}} +{{/* {{- end }}*/}} allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true @@ -85,17 +110,18 @@ spec: - all {{- include "eric-oss-hello-world-python-app.seccomp-profile" . | indent 12 }} volumeMounts: - - name: config-volume - mountPath: /etc/adp - - name: platform-cacerts - mountPath: {{ index .Values "platformCaCertMountPath" | default .Values.instantiationDefaults.platformCaCertMountPath | quote }} - readOnly: true - - name: app-certs - mountPath: {{ index .Values "appCertMountPath" | default .Values.instantiationDefaults.appCertMountPath | quote }} - readOnly: true - - name: client-creds - mountPath: {{ index .Values "clientCredsMountPath" | default .Values.instantiationDefaults.clientCredsMountPath | quote }} - readOnly: true +{{/* - name: config-volume*/}} +{{/* mountPath: /etc/adp*/}} +{{/* - name: platform-cacerts*/}} +{{/* mountPath: {{ index .Values "platformCaCertMountPath" | default .Values.instantiationDefaults.platformCaCertMountPath | quote }}*/}} +{{/* readOnly: true*/}} +{{/* - name: app-certs*/}} +{{/* mountPath: {{ index .Values "appCertMountPath" | default .Values.instantiationDefaults.appCertMountPath | quote }}*/}} +{{/* readOnly: true*/}} +{{/* - name: client-creds*/}} +{{/* mountPath: {{ index .Values "clientCredsMountPath" | default .Values.instantiationDefaults.clientCredsMountPath | quote }}*/}} +{{/* readOnly: true*/}} + env: - name: IAM_CLIENT_ID value: {{ index .Values "clientId" | quote }} 
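Review bot: The new `envoy` container has no `securityContext` and no `resources`, while the app container it fronts runs with `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, all capabilities dropped and a seccomp profile; the sidecar terminates mTLS and holds the server private key, so it should be hardened at least as tightly. The `containerPort: 9901 name: admin` entry publishes the Envoy admin API on the pod IP and should go unless envoy.yaml binds the admin interface to loopback. `secretName: envoy-mtls` and `image: envoyproxy/envoy:v1.35.0` are hard-coded where the rest of the chart goes through `.Values` and `include`; templating them, and pinning the image by digest, keeps the sidecar consistent with the app container. The `securityContext` that follows in the hunk belongs to the app container, not to the sidecar, and that container's definition continues past the hunk.
```yaml
      containers:
        - name: envoy
          image: envoyproxy/envoy:v1.35.0  # TODO: pin as envoyproxy/envoy:v1.35.0@sha256:<digest>
          # runAsNonRoot needs the image to start as a non-root user; confirm the
          # envoyproxy image entrypoint (ENVOY_UID) before relying on it.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - all
          # … unchanged: ports (without the 9901 admin entry), args, volumeMounts …
```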
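Review bot: Every entry under the app container's `volumeMounts:` is now a `{{/* */}}` comment, so after rendering the key has no value (`volumeMounts:` followed by blank lines and then `env:`), i.e. `volumeMounts: null`; the API server treats that as unset, but yamllint flags it and the intent is unclear. More importantly the app no longer receives `config-volume` at `/etc/adp`, so the `logcontrol.json` that LOG_CTRL_FILE provides is not available to it, and the platform CA, app cert and client credential mounts are gone as well — if the app still reads any of those paths (their defaults live in `.Values.instantiationDefaults`), it fails at runtime rather than at render time. Either keep the config mount, `- name: config-volume` / `mountPath: /etc/adp`, or remove the `volumeMounts:` key together with the commented block; the container's `env` list continues outside the hunk.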
diff --git a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml index d90cef5..36f2427 100644 --- a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "eric-oss-hello-world-python-app.name" . }} + name: {{ include "eric-oss-hello-world-python-app.name" . }}-service labels: {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }} {{- if .Values.labels }} @@ -15,10 +15,18 @@ spec: ipFamilies: [{{ .Values.global.internalIPFamily }}] {{- end }} ports: - - port: {{ .Values.service.port }} - targetPort: 8050 +{{/* - port: {{ .Values.service.port }}*/}} +{{/* targetPort: 8050*/}} +{{/* protocol: TCP*/}} +{{/* name: http*/}} + - port: 8080 + name: envoy-http-svc + targetPort: 8080 + protocol: TCP + - port: 8443 + name: envoy-https-svc + targetPort: 8443 protocol: TCP - name: http selector: app.kubernetes.io/name: {{ include "eric-oss-hello-world-python-app.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} From b3b3a27353753ac9c20975b9a40403bdb5b3c985 Mon Sep 17 00:00:00 2001 From: eonedar Date: Wed, 13 Aug 2025 10:55:45 +0100 Subject: [PATCH 2/2] added envoy-mtls-secret.yaml Signed-off-by: eonedar --- .../templates/secret/envoy-mtls-secret.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml diff --git a/charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml b/charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml new file mode 100644 index 0000000..8e57c95 --- /dev/null +++ b/charts/eric-oss-hello-world-python-app/templates/secret/envoy-mtls-secret.yaml 
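Review bot: The Service now forwards 8080 and 8443 to fixed numeric `targetPort`s, while the pod annotation `prometheus.io/port: "{{ .Values.service.port }}"` visible as context in the deployment hunk still carries the old value, so unless that value happens to be 8080 the scraper presumably targets a port nothing listens on once `/metrics` is served through Envoy. Use the container port names already declared on the sidecar, `targetPort: envoy-http` and `targetPort: envoy-https`, so the two files cannot drift, and source the port numbers from `.Values` as the replaced line did. Renaming the Service to `…-service` in the first hunk of this file changes the DNS name in-cluster clients use; those callers should be updated in the same change, or the old name kept.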
@@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: envoy-mtls + namespace: default +type: Opaque +data: + server.crt: {{ .Files.Get "certs/server.crt" | b64enc }} + server.key: {{ .Files.Get "certs/server.key" | b64enc }} + ca.crt: {{ .Files.Get "certs/ca.crt" | b64enc }}
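Review bot: `namespace: default` is hard-coded, so installing the release into any other namespace creates the Secret in `default` (or fails on RBAC), while the `envoy-mtls` volume in deployment.yaml is resolved in the release namespace; use `namespace: {{ .Release.Namespace }}` or drop the field as the other templates do. `.Files.Get` returns an empty string for a missing file, so a chart packaged without `certs/server.key` renders a Secret with empty values and Envoy fails only at start-up — wrap each lookup, e.g. `server.key: {{ .Files.Get "certs/server.key" | required "certs/server.key is missing" | b64enc }}`. Shipping the server private key inside the chart archive (and, via `certs/`, in version control) means every copy of the chart carries it; prefer an externally managed Secret (cert-manager, or a pre-created `kubernetes.io/tls` secret) whose name is passed through `.Values`, which also matches how `platformCaCertSecretName` and `appSecretName` were handled before this commit.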