Envoy with Traffic Director cloud-config (#70)
This commit is contained in:
parent
e3d756c5ee
commit
27afe13235
|
@ -0,0 +1,87 @@
|
||||||
|
# Generic cloud-init generator for Container Optimized OS
|
||||||
|
|
||||||
|
This helper module manages a `cloud-config` configuration that can start a container on [Container Optimized OS](https://cloud.google.com/container-optimized-os/docs) (COS). Either a complete `cloud-config` template can be provided via the `cloud_config` variable with optional template variables via the `config_variables`, or a generic `cloud-config` can be generated based on typical parameters needed to start a container.
|
||||||
|
|
||||||
|
Logging can be enabled via the [Google Cloud Logging docker driver](https://docs.docker.com/config/containers/logging/gcplogs/) using the `gcp_logging` variable. This is enabled by default, but requires that the service account running the COS instance have the `roles/logging.logWriter` IAM role or equivalent permissions on the project. If it doesn't, the container will fail to start unless this is disabled.
|
||||||
|
|
||||||
|
The module renders the generated cloud config in the `cloud_config` output, which can be directly used in instances or instance templates via the `user-data` metadata attribute.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
### Default configuration
|
||||||
|
|
||||||
|
This example will create a `cloud-config` that starts [Envoy Proxy](https://www.envoyproxy.io) and expose it on port 80. For a complete example, look at the sibling [`envoy-traffic-director`](../envoy-traffic-director/README.md) module that uses this module to start Envoy Proxy and connect it to [Traffic Director](https://cloud.google.com/traffic-director).
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "cos-envoy" {
|
||||||
|
source = "./modules/cos-generic-metadata"
|
||||||
|
|
||||||
|
container_image = "envoyproxy/envoy:v1.14.1"
|
||||||
|
container_name = "envoy"
|
||||||
|
container_args = "-c /etc/envoy/envoy.yaml --log-level info --allow-unknown-static-fields"
|
||||||
|
|
||||||
|
container_volumes = [
|
||||||
|
{ host = "/etc/envoy/envoy.yaml",
|
||||||
|
container = "/etc/envoy/envoy.yaml"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
|
||||||
|
docker_args = "--network host --pid host"
|
||||||
|
|
||||||
|
files = {
|
||||||
|
"/var/run/envoy/customize.sh" = {
|
||||||
|
content = file("customize.sh")
|
||||||
|
owner = "root"
|
||||||
|
permissions = "0744"
|
||||||
|
}
|
||||||
|
"/etc/envoy/envoy.yaml" = {
|
||||||
|
content = file("envoy.yaml")
|
||||||
|
owner = "root"
|
||||||
|
permissions = "0644"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
run_commands = [
|
||||||
|
"iptables -t nat -N ENVOY_IN_REDIRECT",
|
||||||
|
"iptables -t nat -A ENVOY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15001",
|
||||||
|
"iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j ENVOY_IN_REDIRECT",
|
||||||
|
"iptables -t filter -A INPUT -p tcp -m tcp --dport 15001 -m state --state NEW,ESTABLISHED -j ACCEPT",
|
||||||
|
"/var/run/envoy/customize.sh",
|
||||||
|
"systemctl daemon-reload",
|
||||||
|
"systemctl start envoy",
|
||||||
|
]
|
||||||
|
|
||||||
|
users = [
|
||||||
|
{
|
||||||
|
username = "envoy",
|
||||||
|
uid = 1337
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
<!-- BEGIN TFDOC -->
|
||||||
|
## Variables
|
||||||
|
|
||||||
|
| Name | Description | Type | Default | Required |
|
||||||
|
|------|-------------|------|---------|:--------:|
|
||||||
|
| container\_image | Container image. | `string` | n/a | yes |
|
||||||
|
| boot\_commands | List of cloud-init `bootcmd`s | `list(string)` | `[]` | no |
|
||||||
|
| cloud\_config | Cloud config template path. If provided, takes precedence over all other arguments. | `string` | `null` | no |
|
||||||
|
| config\_variables | Additional variables used to render the template passed via `cloud_config` | `map(any)` | `{}` | no |
|
||||||
|
| container\_args | Arguments for container | `string` | `""` | no |
|
||||||
|
| container\_name | Name of the container to be run | `string` | `"container"` | no |
|
||||||
|
| container\_volumes | List of volumes | <pre>list(object({<br> host = string,<br> container = string<br> }))</pre> | `[]` | no |
|
||||||
|
| docker\_args | Extra arguments to be passed for docker | `string` | `null` | no |
|
||||||
|
| file\_defaults | Default owner and permissions for files. | <pre>object({<br> owner = string<br> permissions = string<br> })</pre> | <pre>{<br> "owner": "root",<br> "permissions": "0644"<br>}</pre> | no |
|
||||||
|
| files | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <pre>map(object({<br> content = string<br> owner = string<br> permissions = string<br> }))</pre> | `{}` | no |
|
||||||
|
| gcp\_logging | Should container logs be sent to Google Cloud Logging | `bool` | `true` | no |
|
||||||
|
| run\_commands | List of cloud-init `runcmd`s | `list(string)` | `[]` | no |
|
||||||
|
| users | List of usernames to be created. If provided, first user will be used to run the container. | <pre>list(object({<br> username = string,<br> uid = number,<br> }))</pre> | `[]` | no |
|
||||||
|
|
||||||
|
## Outputs
|
||||||
|
|
||||||
|
| Name | Description |
|
||||||
|
|------|-------------|
|
||||||
|
| cloud\_config | Rendered cloud-config file to be passed as user-data instance metadata. |
|
||||||
|
<!-- END TFDOC -->
|
|
@ -0,0 +1,82 @@
|
||||||
|
#cloud-config
|
||||||
|
|
||||||
|
# Copyright 2020 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
%{ if length(users) > 0 ~}
|
||||||
|
users:
|
||||||
|
%{ for user in users ~}
|
||||||
|
- name: ${user.username}
|
||||||
|
uid: ${user.uid}
|
||||||
|
%{ endfor ~}
|
||||||
|
%{ endif ~}
|
||||||
|
|
||||||
|
write_files:
|
||||||
|
- path: /var/lib/docker/daemon.json
|
||||||
|
permissions: 0644
|
||||||
|
owner: root
|
||||||
|
content: |
|
||||||
|
{
|
||||||
|
"live-restore": true,
|
||||||
|
"storage-driver": "overlay2",
|
||||||
|
"log-opts": {
|
||||||
|
"max-size": "1024m"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# ${container_name} container service
|
||||||
|
- path: /etc/systemd/system/${container_name}.service
|
||||||
|
permissions: 0644
|
||||||
|
owner: root
|
||||||
|
content: |
|
||||||
|
[Unit]
|
||||||
|
Description=Start ${container_name} container
|
||||||
|
After=gcr-online.target docker.socket
|
||||||
|
Wants=gcr-online.target docker.socket docker-events-collector.service
|
||||||
|
[Service]
|
||||||
|
ExecStart=/usr/bin/docker run --rm --name=${container_name} \
|
||||||
|
%{ if length(users) > 0 ~}
|
||||||
|
--user=${users[0].uid} \
|
||||||
|
%{ endif ~}
|
||||||
|
%{ if gcp_logging == true ~}
|
||||||
|
--log-driver=gcplogs \
|
||||||
|
%{ endif ~}
|
||||||
|
%{ if docker_args != null ~}
|
||||||
|
${docker_args} \
|
||||||
|
%{ endif ~}
|
||||||
|
%{ for volume in container_volumes ~}
|
||||||
|
-v ${volume.host}:${volume.container} \
|
||||||
|
%{ endfor ~}
|
||||||
|
${container_image} ${container_args}
|
||||||
|
ExecStop=/usr/bin/docker stop ${container_name}
|
||||||
|
%{ for path, data in files ~}
|
||||||
|
- path: ${path}
|
||||||
|
owner: ${lookup(data, "owner", "root")}
|
||||||
|
permissions: ${lookup(data, "permissions", "0644")}
|
||||||
|
content: |
|
||||||
|
${indent(6, data.content)}
|
||||||
|
%{ endfor ~}
|
||||||
|
|
||||||
|
%{ if length(boot_commands) > 0 ~}
|
||||||
|
bootcmd:
|
||||||
|
%{ for command in boot_commands ~}
|
||||||
|
- ${command}
|
||||||
|
%{ endfor ~}
|
||||||
|
%{ endif ~}
|
||||||
|
|
||||||
|
%{ if length(run_commands) > 0 ~}
|
||||||
|
runcmd:
|
||||||
|
%{ for command in run_commands ~}
|
||||||
|
- ${command}
|
||||||
|
%{ endfor ~}
|
||||||
|
%{ endif ~}
|
|
@ -0,0 +1,46 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2020 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
locals {
|
||||||
|
cloud_config = templatefile(local.template, merge(var.config_variables, {
|
||||||
|
boot_commands = var.boot_commands
|
||||||
|
container_args = var.container_args
|
||||||
|
container_image = var.container_image
|
||||||
|
container_name = var.container_name
|
||||||
|
container_volumes = var.container_volumes
|
||||||
|
docker_args = var.docker_args
|
||||||
|
files = local.files
|
||||||
|
gcp_logging = var.gcp_logging
|
||||||
|
run_commands = var.run_commands
|
||||||
|
users = var.users
|
||||||
|
}))
|
||||||
|
files = {
|
||||||
|
for path, attrs in var.files : path => {
|
||||||
|
content = attrs.content,
|
||||||
|
owner = attrs.owner == null ? var.file_defaults.owner : attrs.owner,
|
||||||
|
permissions = (
|
||||||
|
attrs.permissions == null
|
||||||
|
? var.file_defaults.permissions
|
||||||
|
: attrs.permissions
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
template = (
|
||||||
|
var.cloud_config == null
|
||||||
|
? "${path.module}/cloud-config.yaml"
|
||||||
|
: var.cloud_config
|
||||||
|
)
|
||||||
|
}
|
|
@ -0,0 +1,20 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2020 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
output "cloud_config" {
|
||||||
|
description = "Rendered cloud-config file to be passed as user-data instance metadata."
|
||||||
|
value = local.cloud_config
|
||||||
|
}
|
|
@ -0,0 +1,110 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2020 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
variable "boot_commands" {
|
||||||
|
description = "List of cloud-init `bootcmd`s"
|
||||||
|
type = list(string)
|
||||||
|
default = []
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "cloud_config" {
|
||||||
|
description = "Cloud config template path. If provided, takes precedence over all other arguments."
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "config_variables" {
|
||||||
|
description = "Additional variables used to render the template passed via `cloud_config`"
|
||||||
|
type = map(any)
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "container_args" {
|
||||||
|
description = "Arguments for container"
|
||||||
|
type = string
|
||||||
|
default = ""
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
variable "container_image" {
|
||||||
|
description = "Container image."
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "container_name" {
|
||||||
|
description = "Name of the container to be run"
|
||||||
|
type = string
|
||||||
|
default = "container"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "container_volumes" {
|
||||||
|
description = "List of volumes"
|
||||||
|
type = list(object({
|
||||||
|
host = string,
|
||||||
|
container = string
|
||||||
|
}))
|
||||||
|
default = []
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "docker_args" {
|
||||||
|
description = "Extra arguments to be passed for docker"
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "file_defaults" {
|
||||||
|
description = "Default owner and permissions for files."
|
||||||
|
type = object({
|
||||||
|
owner = string
|
||||||
|
permissions = string
|
||||||
|
})
|
||||||
|
default = {
|
||||||
|
owner = "root"
|
||||||
|
permissions = "0644"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "files" {
|
||||||
|
description = "Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null."
|
||||||
|
type = map(object({
|
||||||
|
content = string
|
||||||
|
owner = string
|
||||||
|
permissions = string
|
||||||
|
}))
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "gcp_logging" {
|
||||||
|
description = "Should container logs be sent to Google Cloud Logging"
|
||||||
|
type = bool
|
||||||
|
default = true
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "run_commands" {
|
||||||
|
description = "List of cloud-init `runcmd`s"
|
||||||
|
type = list(string)
|
||||||
|
default = []
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "users" {
|
||||||
|
description = "List of usernames to be created. If provided, first user will be used to run the container."
|
||||||
|
type = list(object({
|
||||||
|
username = string,
|
||||||
|
uid = number,
|
||||||
|
}))
|
||||||
|
default = [
|
||||||
|
]
|
||||||
|
}
|
|
@ -0,0 +1,59 @@
|
||||||
|
# Containerized Envoy Proxy with Traffic Director on Container Optimized OS
|
||||||
|
|
||||||
|
This module manages a `cloud-config` configuration that starts a containerized Envoy Proxy on Container Optimized OS connected to Traffic Director. The default configuration creates a reverse proxy exposed on the node's port 80. Traffic routing policies and management should be managed by other means via Traffic Director.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
### Default configuration
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
# Envoy TD config
|
||||||
|
module "cos-envoy-td" {
|
||||||
|
source = "./modules/cloud-config-container/envoy-traffic-director"
|
||||||
|
}
|
||||||
|
|
||||||
|
# COS VM
|
||||||
|
module "vm-cos" {
|
||||||
|
source = "./modules/compute-vm"
|
||||||
|
project_id = local.project_id
|
||||||
|
region = local.region
|
||||||
|
zone = local.zone
|
||||||
|
name = "cos-envoy-td"
|
||||||
|
network_interfaces = [{
|
||||||
|
network = local.vpc.self_link,
|
||||||
|
subnetwork = local.vpc.subnet_self_link,
|
||||||
|
nat = false,
|
||||||
|
addresses = null
|
||||||
|
}]
|
||||||
|
instance_count = 1
|
||||||
|
tags = ["ssh", "http"]
|
||||||
|
|
||||||
|
metadata = {
|
||||||
|
user-data = module.cos-envoy-td.cloud_config
|
||||||
|
}
|
||||||
|
|
||||||
|
boot_disk = {
|
||||||
|
image = "projects/cos-cloud/global/images/family/cos-stable"
|
||||||
|
type = "pd-ssd"
|
||||||
|
size = 10
|
||||||
|
}
|
||||||
|
|
||||||
|
service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
<!-- BEGIN TFDOC -->
|
||||||
|
## Variables
|
||||||
|
|
||||||
|
| Name | Description | Type | Default | Required |
|
||||||
|
|------|-------------|------|---------|:--------:|
|
||||||
|
| envoy\_image | Envoy Proxy container image to use. | `string` | `"envoyproxy/envoy:v1.14.1"` | no |
|
||||||
|
| gcp\_logging | Should container logs be sent to Google Cloud Logging | `bool` | `true` | no |
|
||||||
|
|
||||||
|
## Outputs
|
||||||
|
|
||||||
|
| Name | Description |
|
||||||
|
|------|-------------|
|
||||||
|
| cloud\_config | Rendered cloud-config file to be passed as user-data instance metadata. |
|
||||||
|
<!-- END TFDOC -->
|
|
@ -0,0 +1,9 @@
|
||||||
|
#!/bin/bash
|
||||||
|
ENVOY_NODE_ID=$(uuidgen)~$(curl -s -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/network-interfaces/0/ip)
|
||||||
|
ENVOY_ZONE=$(curl -s -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/zone | cut -f 4 -d '/')
|
||||||
|
CONFIG_PROJECT_NUMBER=$(curl -s -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/network-interfaces/0/network | cut -f 2 -d '/')
|
||||||
|
VPC_NETWORK_NAME=$(curl -s -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/network-interfaces/0/network | cut -f 4 -d '/')
|
||||||
|
sed -i "s/_ENVOY_NODE_ID_/${ENVOY_NODE_ID}/" /etc/envoy/envoy.yaml
|
||||||
|
sed -i "s/_ENVOY_ZONE_/${ENVOY_ZONE}/" /etc/envoy/envoy.yaml
|
||||||
|
sed -i "s/_CONFIG_PROJECT_NUMBER_/${CONFIG_PROJECT_NUMBER}/" /etc/envoy/envoy.yaml
|
||||||
|
sed -i "s/_VPC_NETWORK_NAME_/${VPC_NETWORK_NAME}/" /etc/envoy/envoy.yaml
|
|
@ -0,0 +1,140 @@
|
||||||
|
node:
|
||||||
|
id: "_ENVOY_NODE_ID_"
|
||||||
|
cluster: cluster # unused
|
||||||
|
locality:
|
||||||
|
zone: "_ENVOY_ZONE_"
|
||||||
|
metadata:
|
||||||
|
TRAFFICDIRECTOR_INTERCEPTION_PORT: "15001"
|
||||||
|
TRAFFICDIRECTOR_NETWORK_NAME: "_VPC_NETWORK_NAME_"
|
||||||
|
TRAFFICDIRECTOR_GCP_PROJECT_NUMBER: "_CONFIG_PROJECT_NUMBER_"
|
||||||
|
TRAFFICDIRECTOR_ENABLE_TRACING: "false"
|
||||||
|
TRAFFICDIRECTOR_ACCESS_LOG_PATH: ""
|
||||||
|
TRAFFICDIRECTOR_INBOUND_BACKEND_PORTS: ""
|
||||||
|
|
||||||
|
dynamic_resources:
|
||||||
|
lds_config: {ads: {}}
|
||||||
|
cds_config: {ads: {}}
|
||||||
|
ads_config:
|
||||||
|
api_type: GRPC
|
||||||
|
grpc_services:
|
||||||
|
- google_grpc:
|
||||||
|
target_uri: trafficdirector.googleapis.com:443
|
||||||
|
stat_prefix: trafficdirector
|
||||||
|
channel_credentials:
|
||||||
|
ssl_credentials:
|
||||||
|
root_certs:
|
||||||
|
filename: /etc/ssl/certs/ca-certificates.crt
|
||||||
|
call_credentials:
|
||||||
|
google_compute_engine: {}
|
||||||
|
|
||||||
|
cluster_manager:
|
||||||
|
load_stats_config:
|
||||||
|
api_type: GRPC
|
||||||
|
grpc_services:
|
||||||
|
- google_grpc:
|
||||||
|
target_uri: trafficdirector.googleapis.com:443
|
||||||
|
stat_prefix: trafficdirector
|
||||||
|
channel_credentials:
|
||||||
|
ssl_credentials:
|
||||||
|
root_certs:
|
||||||
|
filename: /etc/ssl/certs/ca-certificates.crt
|
||||||
|
call_credentials:
|
||||||
|
google_compute_engine: {}
|
||||||
|
|
||||||
|
admin:
|
||||||
|
access_log_path: /dev/stdout
|
||||||
|
address:
|
||||||
|
socket_address:
|
||||||
|
address: 127.0.0.1 # Admin page is only accessible locally.
|
||||||
|
port_value: 15000
|
||||||
|
|
||||||
|
tracing:
|
||||||
|
http:
|
||||||
|
name: envoy.tracers.opencensus
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/envoy.config.trace.v2.OpenCensusConfig
|
||||||
|
stackdriver_exporter_enabled: "false"
|
||||||
|
stackdriver_project_id: ""
|
||||||
|
|
||||||
|
layered_runtime:
|
||||||
|
layers:
|
||||||
|
- name: rtds_layer
|
||||||
|
rtds_layer:
|
||||||
|
name: traffic_director_runtime
|
||||||
|
rtds_config: {ads: {}}
|
||||||
|
- name: static_layer
|
||||||
|
static_layer:
|
||||||
|
envoy:
|
||||||
|
deprecated_features:
|
||||||
|
cluster:
|
||||||
|
proto:ORIGINAL_DST_LB: "true"
|
||||||
|
proto:extension_protocol_options: "true"
|
||||||
|
proto:tls_context: "true"
|
||||||
|
health_check:
|
||||||
|
proto:use_http2: "true"
|
||||||
|
http_connection_manager:
|
||||||
|
proto:operation_name: "true"
|
||||||
|
listener:
|
||||||
|
proto:tls_context: "true"
|
||||||
|
listener_components:
|
||||||
|
proto:config: "true"
|
||||||
|
route_components:
|
||||||
|
proto:allow_origin: "true"
|
||||||
|
proto:method: "true"
|
||||||
|
proto:pattern: "true"
|
||||||
|
proto:regex: "true"
|
||||||
|
proto:regex_match: "true"
|
||||||
|
proto:value: "true"
|
||||||
|
string:
|
||||||
|
proto:regex: "true"
|
||||||
|
trace:
|
||||||
|
proto:HTTP_JSON_V1: "true"
|
||||||
|
deprecated_features:envoy:
|
||||||
|
api:
|
||||||
|
v2:
|
||||||
|
Cluster:
|
||||||
|
LbPolicy:
|
||||||
|
ORIGINAL_DST_LB: "true"
|
||||||
|
extension_protocol_options: "true"
|
||||||
|
tls_context: "true"
|
||||||
|
Listener:
|
||||||
|
tls_context: "true"
|
||||||
|
core:
|
||||||
|
HealthCheck:
|
||||||
|
HttpHealthCheck:
|
||||||
|
use_http2: "true"
|
||||||
|
listener:
|
||||||
|
Filter:
|
||||||
|
config: "true"
|
||||||
|
ListenerFilter:
|
||||||
|
config: "true"
|
||||||
|
route:
|
||||||
|
CorsPolicy:
|
||||||
|
allow_origin: "true"
|
||||||
|
HeaderMatcher:
|
||||||
|
regex_match: "true"
|
||||||
|
QueryParameterMatcher:
|
||||||
|
regex: "true"
|
||||||
|
value: "true"
|
||||||
|
RouteMatch:
|
||||||
|
regex: "true"
|
||||||
|
VirtualCluster:
|
||||||
|
method: "true"
|
||||||
|
pattern: "true"
|
||||||
|
config:
|
||||||
|
filter:
|
||||||
|
network:
|
||||||
|
http_connection_manager:
|
||||||
|
v2:
|
||||||
|
HttpConnectionManager:
|
||||||
|
Tracing:
|
||||||
|
operation_name: "true"
|
||||||
|
trace:
|
||||||
|
v2:
|
||||||
|
ZipkinConfig:
|
||||||
|
CollectorEndpointVersion:
|
||||||
|
HTTP_JSON_V1: "true"
|
||||||
|
type:
|
||||||
|
matcher:
|
||||||
|
StringMatcher:
|
||||||
|
regex: "true"
|
|
@ -0,0 +1,67 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2020 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
module "cos-envoy-td" {
|
||||||
|
source = "./modules/cos-generic-metadata"
|
||||||
|
|
||||||
|
boot_commands = [
|
||||||
|
"systemctl start node-problem-detector",
|
||||||
|
]
|
||||||
|
|
||||||
|
container_image = var.envoy_image
|
||||||
|
container_name = "envoy"
|
||||||
|
container_args = "-c /etc/envoy/envoy.yaml --log-level info --allow-unknown-static-fields"
|
||||||
|
|
||||||
|
container_volumes = [
|
||||||
|
{ host = "/etc/envoy/envoy.yaml",
|
||||||
|
container = "/etc/envoy/envoy.yaml"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
|
||||||
|
docker_args = "--network host --pid host"
|
||||||
|
|
||||||
|
files = {
|
||||||
|
"/var/run/envoy/customize.sh" = {
|
||||||
|
content = file("${path.module}/files/customize.sh")
|
||||||
|
owner = "root"
|
||||||
|
permissions = "0744"
|
||||||
|
}
|
||||||
|
"/etc/envoy/envoy.yaml" = {
|
||||||
|
content = file("${path.module}/files/envoy.yaml")
|
||||||
|
owner = "root"
|
||||||
|
permissions = "0644"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
gcp_logging = var.gcp_logging
|
||||||
|
|
||||||
|
run_commands = [
|
||||||
|
"iptables -t nat -N ENVOY_IN_REDIRECT",
|
||||||
|
"iptables -t nat -A ENVOY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15001",
|
||||||
|
"iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j ENVOY_IN_REDIRECT",
|
||||||
|
"iptables -t filter -A INPUT -p tcp -m tcp --dport 15001 -m state --state NEW,ESTABLISHED -j ACCEPT",
|
||||||
|
"/var/run/envoy/customize.sh",
|
||||||
|
"systemctl daemon-reload",
|
||||||
|
"systemctl start envoy",
|
||||||
|
]
|
||||||
|
|
||||||
|
users = [
|
||||||
|
{
|
||||||
|
username = "envoy",
|
||||||
|
uid = 1337
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
|
@ -0,0 +1 @@
|
||||||
|
../../cos-generic-metadata
|
|
@ -0,0 +1,20 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2020 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
output "cloud_config" {
|
||||||
|
description = "Rendered cloud-config file to be passed as user-data instance metadata."
|
||||||
|
value = module.cos-envoy-td.cloud_config
|
||||||
|
}
|
|
@ -0,0 +1,11 @@
|
||||||
|
variable "envoy_image" {
|
||||||
|
description = "Envoy Proxy container image to use."
|
||||||
|
type = string
|
||||||
|
default = "envoyproxy/envoy:v1.14.1"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "gcp_logging" {
|
||||||
|
description = "Should container logs be sent to Google Cloud Logging"
|
||||||
|
type = bool
|
||||||
|
default = true
|
||||||
|
}
|
Loading…
Reference in New Issue