Merge pull request #1837 from apichick/envoy-sni-dyn-fwd-proxy
Added envoy as SNI dynamic forward proxy to cloud-config-container
c501c657ec
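--- /dev/null
+++ b/[path-not-shown]/README.md
@@ -0,0 +1,57 @@
+# Containerized Envoy as SNI dynamic forward proxy on Container Optimized OS
+
+This module manages a `cloud-config` configuration that starts a containerized [Envoy SNI Dynamic forward proxy]https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter) service on Container Optimized OS running on port 443.
+
+This module depends on the cos-generic-metadata module being in the parent folder. If you change its location be sure to adjust the source attribute in main.tf.
+
+Logging and monitoring are enabled via the [Google Cloud Logging agent](https://cloud.google.com/container-optimized-os/docs/how-to/logging) configured for the instance via the `google-logging-enabled` metadata property, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
+
+## Examples
+
+### Default configuration
+
+This example will create a `cloud-config` that uses the module's defaults, creating a simple hello web server showing host name and request id.
+
+```hcl
+module "cos-envoy-sni-dyn-fwd-proxy" {
+source = "./fabric/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy"
+envoy_image = "envoyproxy/envoy:v1.28-latest"
+}
+
+module "vm-envoy-sni-dyn-fwd-proxy" {
+source = "./fabric/modules/compute-vm"
+project_id = "my-project"
+zone = "europe-west8-b"
+name = "cos-envoy-sni-dyn-fw-proxy"
+network_interfaces = [{
+network = "default"
+subnetwork = "gce"
+}]
+metadata = {
+user-data = module.cos-envoy-sni-dyn-fwd-proxy.cloud_config
+google-logging-enabled = true
+}
+boot_disk = {
+initialize_params = {
+image = "projects/cos-cloud/global/images/family/cos-stable"
+type = "pd-ssd"
+size = 10
+}
+}
+tags = ["https-server", "ssh"]
+}
+# tftest modules=1 resources=1
+```
+<!-- BEGIN TFDOC -->
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---:|:---:|:---:|
+| [envoy_image](variables.tf#L17) | Image. | <code>string</code> | ✓ | |
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | |
+<!-- END TFDOC -->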
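--- /dev/null
+++ b/[path-not-shown]/files/envoy.yaml
@@ -0,0 +1,56 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+admin:
+address:
+socket_address:
+protocol: TCP
+address: 127.0.0.1
+port_value: 9991
+static_resources:
+listeners:
+- name: listener
+address:
+socket_address:
+protocol: TCP
+address: 0.0.0.0
+port_value: 8443
+listener_filters:
+- name: envoy.filters.listener.tls_inspector
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
+filter_chains:
+- filters:
+- name: envoy.filters.network.sni_dynamic_forward_proxy
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig
+port_value: 443
+dns_cache_config:
+name: dynamic_forward_proxy_cache_config
+dns_lookup_family: V4_ONLY
+- name: envoy.tcp_proxy
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+stat_prefix: tcp
+cluster: dynamic_forward_proxy_cluster
+clusters:
+- name: dynamic_forward_proxy_cluster
+lb_policy: CLUSTER_PROVIDED
+cluster_type:
+name: envoy.clusters.dynamic_forward_proxy
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
+dns_cache_config:
+name: dynamic_forward_proxy_cache_config
+dns_lookup_family: V4_ONLY%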
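Review bot: The listener's only filter chain has no `filter_chain_match`, so whatever SNI a client presents is resolved through `dynamic_forward_proxy_cluster` and relayed to port 443 of whatever that name resolves to — the instance becomes an unrestricted TLS relay for every network that can reach it, and the README example exposes it with the `https-server` tag. If the set of destinations is known, constrain the chain with `filter_chain_match: { server_names: [...] }` or an `envoy.filters.network.rbac` filter on `requested_server_name`, and give the tcp_proxy an explicit `idle_timeout` so abandoned connections do not hold the DNS cache and upstream slots for the default hour. Separately, the last line reads `dns_lookup_family: V4_ONLY%`; if that `%` is really in the file rather than a missing-newline rendering artifact, it is not a valid enum value and Envoy will reject the config, so it is worth confirming before merge. Indentation is not visible on this page, so the YAML nesting could not be checked here.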
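--- /dev/null
+++ b/[path-not-shown]/main.tf
@@ -0,0 +1,44 @@
+/**
+* Copyright 2022 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+module "cos-envoy" {
+source = "../cos-generic-metadata"
+container_image = var.envoy_image
+container_name = "envoy"
+container_args = "-c /etc/envoy/envoy.yaml --log-level info --allow-unknown-static-fields"
+container_volumes = [
+{ host = "/etc/envoy/", container = "/etc/envoy/" }
+]
+docker_args = "--network host --pid host"
+files = {
+"/etc/envoy/envoy.yaml" = {
+content = file("${path.module}/files/envoy.yaml")
+owner = "root"
+permissions = "0644"
+}
+}
+run_commands = [
+"iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443",
+"iptables -A INPUT -p tcp --dport 8443 -j ACCEPT",
+"iptables -t mangle -I PREROUTING -p tcp --dport 8443 -j DROP",
+"systemctl daemon-reload",
+"systemctl start envoy",
+]
+users = [{
+username = "envoy",
+uid = 1337
+}]
+}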
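Review bot: `docker_args = "--network host --pid host"` shares the host PID namespace with the Envoy container, which nothing in this module needs — `--network host` is what lets the REDIRECT rule reach the container's 8443 listener, but `--pid host` only widens what a compromised proxy process can observe, so drop it or leave a comment naming the reason it is required. The `users` block creates an `envoy` user with uid 1337, yet no `--user` is passed in `docker_args`, so whether the container actually runs as that uid depends on the image and on what cos-generic-metadata does with `users`; `--user 1337` in `docker_args` would make it explicit. The three iptables rules are ordered correctly (mangle PREROUTING drops direct 8443 before nat redirects 443 to it), but they are only as persistent as `run_commands` is — if the parent module runs them once per instance rather than on every boot, both the redirect and the DROP guard vanish after a reboot and the listener on 0.0.0.0:8443 is left without them, so confirm how `run_commands` is executed. Also `--allow-unknown-static-fields` makes Envoy ignore unrecognised keys in envoy.yaml, so a typo in the filter config silently degrades to defaults; the config is static and owned by this module, so the flag can likely be removed.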
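--- /dev/null
+++ b/[path-not-shown]/outputs.tf
@@ -0,0 +1,20 @@
+/**
+* Copyright 2022 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+output "cloud_config" {
+description = "Rendered cloud-config file to be passed as user-data instance metadata."
+value = module.cos-envoy.cloud_config
+}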
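--- /dev/null
+++ b/[path-not-shown]/variables.tf
@@ -0,0 +1,20 @@
+/**
+* Copyright 2023 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+variable "envoy_image" {
+description = "Image."
+type = string
+}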
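Review bot: `description = "Image."` tells a user nothing about what the variable expects, and it is also what ends up in the generated README table. The README example passes `envoyproxy/envoy:v1.28-latest`, so something like `description = "Envoy container image, e.g. envoyproxy/envoy:v1.28-latest; prefer a digest-pinned reference so the proxy image cannot change underneath a deployment."` documents both the expected format and the supply-chain consideration. A `validation` block rejecting an empty string is cheap and stops a misconfigured module from rendering a cloud-config whose container never starts.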
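--- /dev/null
+++ b/[path-not-shown]/section-6.tf
@@ -0,0 +1,28 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+required_version = ">= 1.4.4"
+required_providers {
+google = {
+source = "hashicorp/google"
+version = ">= 5.0.0, < 6.0.0" # tftest
+}
+google-beta = {
+source = "hashicorp/google-beta"
+version = ">= 5.0.0, < 6.0.0" # tftest
+}
+}
+}
+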