3 changes: 2 additions & 1 deletion Dockerfile
@@ -1,4 +1,5 @@
FROM <PYTHON_IMAGE_NAME>
FROM python:3.12-slim


ARG USER_ID=60577
ARG USER_NAME="eric-sdk"
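Review bot: `FROM python:3.12-slim` hard-codes a mutable tag where the previous line held a `<PYTHON_IMAGE_NAME>` placeholder; if a pipeline step was substituting that placeholder with a vetted, registry-local image, this line now bypasses it, which is worth confirming before merge. If the literal upstream image is intended, pin it to a digest so rebuilds are reproducible and a retagged upstream image cannot slip in unnoticed: `FROM python:3.12-slim@sha256:<DIGEST_PLACEHOLDER>`. The rest of the Dockerfile lies outside the hunk.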
@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: client-certs-curl-debug
spec:
restartPolicy: Always
containers:
- name: curl-debug
image: curlimages/curl:latest
command: ["sleep", "infinity"]
volumeMounts:
- name: client-certs
mountPath: /etc/certs
readOnly: true
volumes:
- name: client-certs
secret:
secretName: client-certs
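Review bot: The `curl-debug` container carries no `securityContext`, yet it mounts the `client-certs` Secret — which the sibling manifest shows holds `client.key` — and with `restartPolicy: Always` plus `sleep infinity` it stays up indefinitely; a long-lived interactive pod holding a client private key should be confined at least as tightly as the application containers in this chart (no privilege escalation, read-only root filesystem, all capabilities dropped). `image: curlimages/curl:latest` is a floating tag, so what gets exec'd into changes silently; pin a specific version. The manifest's path is not visible on the rendered page; if it sits under the chart's `templates/` directory, Helm will install this debug pod with every release, which is presumably not intended.
```yaml
  containers:
    - name: curl-debug
      image: curlimages/curl:<PINNED_VERSION_PLACEHOLDER>
      securityContext:
        allowPrivilegeEscalation: false
        privileged: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - all
      # … unchanged: command, volumeMounts …
```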
@@ -0,0 +1,9 @@
apiVersion: v1
data:
ca.crt: xxxxxxxxx
client.crt: xxxxxxxxx
client.key: xxxxxxxxx
kind: Secret
metadata:
creationTimestamp: null
name: client-certs
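Review bot: The three `data` entries are `xxxxxxxxx` placeholders and nothing in the manifest says how they are meant to be filled; since `data` values must be base64-encoded and `client.key` is a private key, add a comment such as `# values are base64-encoded; populate out of band (e.g. kubectl create secret generic client-certs --from-file=...) and never commit real key material` so a later editor neither pastes raw PEM nor checks a live key into the repo. `creationTimestamp: null` is `kubectl` export residue and can be dropped. The manifest has no `namespace`, so it lands in whichever namespace is current at apply time; the debug pod that mounts it must be applied to the same one.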
90 changes: 90 additions & 0 deletions charts/eric-oss-hello-world-python-app/envoy.yaml
@@ -0,0 +1,90 @@
admin:
address:
socket_address:
address: 0.0.0.0
port_value: 9901

static_resources:
listeners:
# TLS listener for mTLS endpoint
- name: hello_world_python_tls
address:
socket_address:
address: 0.0.0.0
port_value: 8443
filter_chains:
- transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
require_client_certificate: true
common_tls_context:
tls_certificates:
- certificate_chain:
filename: "/etc/envoy/certs/server.crt"
private_key:
filename: "/etc/envoy/certs/server.key"
validation_context:
trusted_ca:
filename: "/etc/envoy/certs/ca.crt"
filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http_secure
route_config:
virtual_hosts:
- name: secure_service
domains: ["*"]
routes:
- match:
path: "/sample-app/python/hello"
route:
cluster: hello-world-python-cluster
http_filters:
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

# Plain HTTP listener for other endpoints
- name: hello_world_python_plain
address:
socket_address:
address: 0.0.0.0
port_value: 8080
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http_plain
route_config:
virtual_hosts:
- name: plain_service
domains: ["*"]
routes:
- match:
path: "/sample-app/python/health"
route:
cluster: hello-world-python-cluster
- match:
path: "/sample-app/python/metrics"
route:
cluster: hello-world-python-cluster
http_filters:
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

clusters:
- name: hello-world-python-cluster
type: STATIC
load_assignment:
cluster_name: hello-world-python-service
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 127.0.0.1
port_value: 8050
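Review bot: The `admin` block at the top of the file binds `address: 0.0.0.0` on 9901, and the Deployment in this PR also declares 9901 as a containerPort, so Envoy's unauthenticated admin API (config and secret dumps, runtime overrides, draining and shutdown) becomes reachable from any peer that can reach the pod IP; bind it to loopback with `address: 127.0.0.1` and drop the containerPort unless a scraper genuinely needs it. The mTLS listener correctly sets `require_client_certificate: true` against `ca.crt`, but `common_tls_context` has no `tls_params`, so the build default minimum protocol version applies silently; add `tls_params: { tls_minimum_protocol_version: TLSv1_2 }` (or `TLSv1_3`) so the policy is explicit in the file. `load_assignment.cluster_name` is `hello-world-python-service` while the cluster itself is `hello-world-python-cluster`; this appears to be tolerated for a `STATIC` cluster, but aligning the two avoids confusion in stats and config dumps — confirm it is intentional.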
Expand Up @@ -11,3 +11,5 @@ metadata:
data:
LOG_CTRL_FILE: |-
{{ .Files.Get "logcontrol.json" | indent 4}}
ENVOY_CONFIG_FILE: |-
{{ .Files.Get "envoy.yaml" | indent 4}}
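Review bot: `.Files.Get "envoy.yaml"` returns an empty string when the file is absent from the packaged chart (for example if it is excluded by `.helmignore` or renamed), so a missing file yields an empty `ENVOY_CONFIG_FILE` and the sidecar only fails at startup with an Envoy parse error rather than at render time; guard it with `{{ .Files.Get "envoy.yaml" | required "envoy.yaml is missing from the chart" | indent 4 }}`. The existing `LOG_CTRL_FILE` line has the same gap, and the fix is the same. The enclosing ConfigMap template starts outside the hunk.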
Expand Up @@ -36,9 +36,9 @@ spec:
app.kubernetes.io/instance: {{ .Release.Name }}
service.cleartext/scraping: "true"
annotations:
{{- if not (semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion) }}
container.apparmor.security.beta.kubernetes.io/eric-oss-hello-world-python-app: {{ include "eric-oss-hello-world-python-app.appArmorProfileAnnotation" . | default "runtime/default" }}
{{- end }}
{{/* {{- if not (semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion) }}*/}}
{{/* container.apparmor.security.beta.kubernetes.io/eric-oss-hello-world-python-app: {{ include "eric-oss-hello-world-python-app.appArmorProfileAnnotation" . | default "runtime/default" }}*/}}
{{/* {{- end }}*/}}
prometheus.io/port: "{{ .Values.service.port }}"
prometheus.io/scrape: "{{ .Values.prometheus.scrape }}"
prometheus.io/path: "{{ .Values.prometheus.path }}"
Expand All @@ -49,33 +49,58 @@ spec:
priorityClassName: {{ (index .Values "podPriority" "eric-oss-hello-world-python-app" "priorityClassName") }}
{{- end }}
volumes:
- name: envoy-certs
secret:
secretName: envoy-mtls
- name: config-volume
configMap:
name: {{ include "eric-oss-hello-world-python-app.name" . }}
items:
- key: LOG_CTRL_FILE
path: logcontrol.json
- name: platform-cacerts
secret:
secretName: {{ index .Values "platformCaCertSecretName" | quote }}
defaultMode: 420
- name: app-certs
secret:
secretName: {{ index .Values "appSecretName" | quote }}
defaultMode: 420
- name: client-creds
secret:
secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}
defaultMode: 420
- key: ENVOY_CONFIG_FILE
path: envoy.yaml
{{/* - name: platform-cacerts*/}}
{{/* secret:*/}}
{{/* secretName: {{ index .Values "platformCaCertSecretName" | quote }}*/}}
{{/* defaultMode: 420*/}}
{{/* - name: app-certs*/}}
{{/* secret:*/}}
{{/* secretName: {{ index .Values "appSecretName" | quote }}*/}}
{{/* defaultMode: 420*/}}
{{/* - name: client-creds*/}}
{{/* secret:*/}}
{{/* secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}*/}}
{{/* defaultMode: 420*/}}
containers:
- name: envoy
image: envoyproxy/envoy:v1.35.0
{{/* restartPolicy: Always*/}}
ports:
- containerPort: 8080
name: envoy-http
protocol: TCP
- containerPort: 8443
name: envoy-https
protocol: TCP
- containerPort: 9901
name: admin
args: [ "-c", "/etc/envoy/envoy.yaml" ]
volumeMounts:
- mountPath: /etc/envoy
name: config-volume

- name: envoy-certs
mountPath: /etc/envoy/certs
readOnly: true
- name: eric-oss-hello-world-python-app
image: {{ template "eric-oss-hello-world-python-app.imagePath" (dict "imageId" "eric-oss-hello-world-python-app" "values" .Values "files" .Files) }}
imagePullPolicy: {{ include "eric-oss-hello-world-python-app.registryImagePullPolicy" . | quote }}
securityContext:
{{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }}
appArmorProfile:
type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }}
{{- end }}
{{/* {{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }} */}}
{{/* appArmorProfile:*/}}
{{/* type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }}*/}}
{{/* {{- end }}*/}}
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
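Review bot: The new `envoy` container has no `securityContext`, while the sibling application container just below keeps `allowPrivilegeEscalation: false`, `privileged: false`, `readOnlyRootFilesystem: true` and drops all capabilities; the sidecar that terminates mTLS and holds `server.key` should be confined the same way, and commenting out the `appArmorProfile` block here (and the matching annotation in the hunk above) removes AppArmor confinement from the app container in the same change. The `{{/* … */}}` blocks masking the old volumes, the container-level `restartPolicy: Always` and the AppArmor settings should be deleted rather than kept as template comments — they leave the reader guessing which mounts are intended, and the third hunk (`@@ -85,17 +110,18 @@`) leaves the app container's `volumeMounts:` with no entries at all, so it no longer sees `/etc/adp` or any certificate; confirm that is intended. Declaring `containerPort: 9901` publishes Envoy's unauthenticated admin interface, which `envoy.yaml` in this PR binds on `0.0.0.0`; remove the port or bind the admin address to loopback. The Deployment template continues outside this hunk.
```yaml
      containers:
        - name: envoy
          image: envoyproxy/envoy:v1.35.0
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true  # verify Envoy needs no writable path in this setup
            capabilities:
              drop:
                - all
          # … unchanged: ports (without 9901), args, volumeMounts …
```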
Expand All @@ -85,17 +110,18 @@ spec:
- all
{{- include "eric-oss-hello-world-python-app.seccomp-profile" . | indent 12 }}
volumeMounts:
- name: config-volume
mountPath: /etc/adp
- name: platform-cacerts
mountPath: {{ index .Values "platformCaCertMountPath" | default .Values.instantiationDefaults.platformCaCertMountPath | quote }}
readOnly: true
- name: app-certs
mountPath: {{ index .Values "appCertMountPath" | default .Values.instantiationDefaults.appCertMountPath | quote }}
readOnly: true
- name: client-creds
mountPath: {{ index .Values "clientCredsMountPath" | default .Values.instantiationDefaults.clientCredsMountPath | quote }}
readOnly: true
{{/* - name: config-volume*/}}
{{/* mountPath: /etc/adp*/}}
{{/* - name: platform-cacerts*/}}
{{/* mountPath: {{ index .Values "platformCaCertMountPath" | default .Values.instantiationDefaults.platformCaCertMountPath | quote }}*/}}
{{/* readOnly: true*/}}
{{/* - name: app-certs*/}}
{{/* mountPath: {{ index .Values "appCertMountPath" | default .Values.instantiationDefaults.appCertMountPath | quote }}*/}}
{{/* readOnly: true*/}}
{{/* - name: client-creds*/}}
{{/* mountPath: {{ index .Values "clientCredsMountPath" | default .Values.instantiationDefaults.clientCredsMountPath | quote }}*/}}
{{/* readOnly: true*/}}

env:
- name: IAM_CLIENT_ID
value: {{ index .Values "clientId" | quote }}
@@ -0,0 +1,10 @@
apiVersion: v1
kind: Secret
metadata:
name: envoy-mtls
namespace: default
type: Opaque
data:
server.crt: {{ .Files.Get "certs/server.crt" | b64enc }}
server.key: {{ .Files.Get "certs/server.key" | b64enc }}
ca.crt: {{ .Files.Get "certs/ca.crt" | b64enc }}
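Review bot: `namespace: default` is hard-coded, so when the release is installed into any other namespace the Deployment's `envoy-certs` volume (`secretName: envoy-mtls`) cannot find this Secret and the pod stays in ContainerCreating; use `namespace: {{ .Release.Namespace }}` or omit the field so Helm places the Secret with the release. The `data` values come from `.Files.Get "certs/server.key"` and siblings, which means the server private key ships inside the chart package and in the repository next to it; prefer referencing an existing Secret (or one issued by a certificate controller) through values, and if the files must stay, wrap each `.Files.Get` with `required`, since it silently returns an empty string for a missing file and `b64enc` then produces an empty value instead of a render failure.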
@@ -1,7 +1,7 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "eric-oss-hello-world-python-app.name" . }}
name: {{ include "eric-oss-hello-world-python-app.name" . }}-service
I want to ignore this

labels:
{{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }}
{{- if .Values.labels }}
Expand All @@ -15,10 +15,18 @@ spec:
ipFamilies: [{{ .Values.global.internalIPFamily }}]
{{- end }}
ports:
- port: {{ .Values.service.port }}
targetPort: 8050
{{/* - port: {{ .Values.service.port }}*/}}
{{/* targetPort: 8050*/}}
{{/* protocol: TCP*/}}
{{/* name: http*/}}
- port: 8080
name: envoy-http-svc
targetPort: 8080
protocol: TCP
- port: 8443
name: envoy-https-svc
targetPort: 8443
protocol: TCP
name: http
selector:
app.kubernetes.io/name: {{ include "eric-oss-hello-world-python-app.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
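Review bot: The ports list now hard-codes `8080`/`8443` and masks the values-driven `{{ .Values.service.port }}` entry with `{{/* … */}}` template comments; delete those commented lines rather than leaving them, and note that `.Values.service.port` still feeds the `prometheus.io/port` annotation on the pod template elsewhere in this PR, so confirm the scrape port still matches a listening port (the app's 8050 directly, or 8080 if scraping is meant to go through Envoy's `/sample-app/python/metrics` route). As rendered here, `name: http` appears after the new `8443` entry with no `- port:` of its own, so check the rendered output for a stray key; if it is a leftover, remove it. Consider driving the two port numbers from values so they can change without editing the template.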