diff --git a/.env b/.env
new file mode 100644
index 0000000..f893754
--- /dev/null
+++ b/.env
@@ -0,0 +1,13 @@
+# .env file content
+# This sets the default base path to the directory containing this file.
+ENVOY_DATA_PATH=.
+
+
+# External Ports
+CONTROL_PLANE_DASHBOARD_PORT=8090
+ENVOY_HTTP_PORT=10000
+ENVOY_HTTPS_PORT=10001
+ENVOY_ADMIN_PORT=11111
+
+# Node ID parameter
+ENVOY_NODE_ID=home
\ No newline at end of file
diff --git a/data/config/cds.yaml b/data/config/cds.yaml
index f7b686d..a18b8bd 100644
--- a/data/config/cds.yaml
+++ b/data/config/cds.yaml
@@ -2,7 +2,7 @@
 - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
 name: _acme_renewer
 connect_timeout: 0.2s
- type: STATIC
+ type: STATIC_DNS
 lb_policy: ROUND_ROBIN
 load_assignment:
 cluster_name: acme_renewer
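Review bot: `ENVOY_ADMIN_PORT=11111` is listed under the `# External Ports` heading, and Envoy's admin interface carries no authentication of its own, so if the compose file publishes this port the way it does the HTTP/HTTPS ones, the admin API (config and runtime controls) becomes reachable from beyond the host. Whether it is actually published is decided by the compose file, which is not in this diff, so the risk is inferred from the grouping only. A one-line comment would make the intent explicit for whoever wires the port: `# admin API is unauthenticated: bind to loopback only, never publish beyond the host`. The file also lacks a trailing newline, which `git` flags on every later change.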
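Review bot: `type: STATIC_DNS` on the added line is not one of Envoy's cluster `DiscoveryType` values (`STATIC`, `STRICT_DNS`, `LOGICAL_DNS`, `EDS`, `ORIGINAL_DST`), so the CDS response should fail protobuf validation and be NACKed, leaving the proxy on whatever cluster set it last accepted. The next hunk in this file replaces the endpoint with the hostname `envoy-control-plane`, which needs a DNS-resolving type, so the intended value is presumably `type: STRICT_DNS` (the discovery type the removed `_3d_printer_console` cluster used for its `octoprint` hostname). Proposed line: `  type: STRICT_DNS`.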
@@ -10,440 +10,8 @@ - lb_endpoints: - endpoint: health_check_config: - port_value: 8888 - address: - socket_address: - address: 172.17.0.1 #docker bridge - port_value: 8888 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _git_bucket - connect_timeout: 0.2s - type: STATIC - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: git_bucket - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 8088 - address: - socket_address: - address: 172.17.0.1 #docker bridge - port_value: 8088 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _code_server - connect_timeout: 0.2s - type: STATIC - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: code_server - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: port_value: 8080 address: socket_address: - address: 192.168.68.113 #docker bridge - port_value: 8080 - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - validation_context: - trusted_ca: - filename: /etc/certs/upstream/vscode/root.crt -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _docker_registry - connect_timeout: 0.2s - type: STATIC - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: docker_registry - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 5555 - address: - socket_address: - address: 172.17.0.1 #docker bridge - port_value: 5555 - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/docker.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/docker.jerxie.com/privkey.pem" } - # validation_context: - # trusted_ca: - # filename: 
"/etc/certs/docker.jerxie.com/chain1.pem" -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _nas_service - connect_timeout: 0.2s - type: STATIC - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: nas - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 5000 - address: - socket_address: - address: 172.17.0.1 #docker bridge - port_value: 5000 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _plex_server - connect_timeout: 0.2s - type: STATIC - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: nas - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 32400 - address: - socket_address: - address: 192.168.68.113 - port_value: 32400 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _nas_video - connect_timeout: 0.2s - type: STATIC - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: nas - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 9007 - address: - socket_address: - address: 127.0.0.1 #localhost - port_value: 9007 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _nas_audio - connect_timeout: 0.2s - type: STATIC - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: nas - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 8800 - address: - socket_address: - address: 127.0.0.1 #localhost - port_value: 8800 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _nas_note - connect_timeout: 0.2s - type: STATIC - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: nas - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 9350 - address: - socket_address: - address: 127.0.0.1 #localhost - port_value: 9350 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _nas_camera - connect_timeout: 0.2s - type: STATIC - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: 
camera - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 9900 - address: - socket_address: - address: 127.0.0.1 #localhost - port_value: 9900 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _nas_photo - connect_timeout: 0.2s - type: STATIC - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: nas - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 5080 - address: - socket_address: - address: 127.0.0.1 #localhost - port_value: 5080 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _k8s_apiserver - connect_timeout: 1s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: apiserver - endpoints: - - lb_endpoints: - - endpoint: {health_check_config: { port_value: 16443}, address: { socket_address: { address: 192.168.68.139, port_value: 16443 }}} #192.168.68.254 - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - validation_context: - trusted_ca: - filename: /etc/certs/upstream/kubernetes/root.crt -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _k8s_router - connect_timeout: 1s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: nginx - endpoints: - - lb_endpoints: - - endpoint: {health_check_config: { port_value: 32704}, address: { socket_address: { address: 192.168.68.139, port_value: 32704 }}} - # - endpoint: { address: { socket_address: { address: 192.168.68.114, port_value: 32542 }}} - # transport_socket: - # name: envoy.transport_sockets.tls - # typed_config: - # "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - # common_tls_context: - # validation_context: - # trusted_ca: - # filename: /etc/certs/kubernetes/root.crt -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: 
_3d_printer_console - connect_timeout: 2s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: printer - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 5000 - address: - socket_address: - address: octoprint - port_value: 5000 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _3d_printer_camera - connect_timeout: 2s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: camera - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 8080 - address: - socket_address: - address: octoprint - port_value: 8080 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _bitwarden_service - connect_timeout: 0.2s - type: STATIC - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: pwassword_manager - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 10010 - address: - socket_address: - address: 172.17.0.1 - port_value: 10010 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _homeassistant_service - connect_timeout: 0.2s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: homeassistant_manager - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 8123 - address: - socket_address: - address: 192.168.68.133 - port_value: 8123 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _portainer_ui - connect_timeout: 0.2s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: portainer_ui - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 9000 - address: - socket_address: - address: 192.168.68.161 - port_value: 9000 - # transport_socket: - # name: envoy.transport_sockets.tls - # typed_config: - # "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - # common_tls_context: - # validation_context: - # trusted_ca: - # 
filename: /etc/certs/upstream/portainer/root.crt -# - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster -# name: _baby_buddy -# connect_timeout: 0.2s -# type: STRICT_DNS -# lb_policy: ROUND_ROBIN -# load_assignment: -# cluster_name: baby_buddy -# endpoints: -# - lb_endpoints: -# - endpoint: -# health_check_config: -# port_value: 8555 -# address: -# socket_address: -# address: 192.168.68.106 -# port_value: 8555 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _grafana_ui - connect_timeout: 0.2s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: _grafana_ui - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 3000 - address: - socket_address: - address: 192.168.68.106 - port_value: 3000 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _auth_server - connect_timeout: 0.2s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: _auth_server - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 5556 - address: - socket_address: - address: 192.168.68.113 - port_value: 5557 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _ai_server - connect_timeout: 0.2s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: _ai_server - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 3000 - address: - socket_address: - address: 192.168.68.113 - port_value: 3000 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _pcb_server - connect_timeout: 0.2s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: _pcb_server - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 8088 - address: - socket_address: - address: 192.168.68.113 - port_value: 8088 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _ai_api_server - connect_timeout: 0.2s - type: STRICT_DNS - 
lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: _ai_api_server - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 8002 - address: - socket_address: - address: 192.168.68.113 - port_value: 8002 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _ai_ui_server - connect_timeout: 0.2s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: _ai_ui_server - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 8003 - address: - socket_address: - address: 192.168.68.113 - port_value: 8003 -- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: _monitor_server - connect_timeout: 0.2s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: _monitor_server - endpoints: - - lb_endpoints: - - endpoint: - health_check_config: - port_value: 9090 - address: - socket_address: - address: 192.168.68.113 - port_value: 9090 \ No newline at end of file + address: envoy-control-plane + port_value: 8080 \ No newline at end of file diff --git a/data/config/lds.yaml b/data/config/lds.yaml index 81b5897..0b5cc16 100644 --- a/data/config/lds.yaml +++ b/data/config/lds.yaml 
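Review bot: The cluster keeps `name: _acme_renewer` and `cluster_name: acme_renewer` while its only remaining endpoint is now `envoy-control-plane` on port 8080, so any listener route that still sends `/.well-known/acme-challenge` to `_acme_renewer` would hand ACME challenges to the control plane; the new lds.yaml content is cut off in this diff, so that is inferred. If the control plane is the intended upstream, rename the cluster in both files, or at least add a comment such as `# single remaining cluster: proxies to the control-plane container, not an ACME renewer`. The added endpoint is also plain HTTP with no `transport_socket`, which is reasonable only if `envoy-control-plane` is reached over a private container network; the comment should state that assumption.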
@@ -1,980 +1,17 @@ resources: -- "@type": type.googleapis.com/envoy.config.listener.v3.Listener - name: http_listener - address: - socket_address: { address: 0.0.0.0, port_value: 10000 } - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - route_config: - name: ingress_generic_insecure - virtual_hosts: - - name: http_to_https - domains: ["*"] - routes: - - match: { prefix : "/.well-known/acme-challenge"} - route: { cluster: _acme_renewer } - - match: { prefix: "/" } - redirect: { https_redirect: true } - - name: video_insecure - domains: ["video.jerxie.com" , "video.local:10000"] - routes: - - match: { prefix : "/.well-known/acme-challenge"} - route: { cluster: _acme_renewer } - - match: { prefix : "/"} - route: { cluster: _nas_video } - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router -- "@type": type.googleapis.com/envoy.config.listener.v3.Listener - name: https_listener - address: - socket_address: { address: 0.0.0.0, port_value: 10001 } - listener_filters: - - name: "envoy.filters.listener.tls_inspector" - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - normalize_path: true - merge_slashes: true - upgrade_configs: - - upgrade_type: websocket - codec_type: AUTO - stream_idle_timeout: 300s - request_timeout: 300s - route_config: - virtual_hosts: - - name: home_service - domains: ["home.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: 
"_homeassistant_service"} - # - match: { path: "/printer"} - # redirect: { path_redirect: "/printer/" } - # - match: { prefix: "/printer/webcam" } - # route: { prefix_rewrite: "/", cluster: _3d_printer_camera, idle_timeout: 0s } - # - match: { prefix: "/printer/" } - # route: { prefix_rewrite: "/", cluster: _3d_printer_console } - http_filters: - - name: envoy.filters.http.lua - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua - inline_code: | - require "/etc/envoy/filter" - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["home.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - # - certificate_chain: { filename: "/etc/certs/home_domain/certificate.crt" } - # private_key: { filename: "/etc/certs/home_domain/private.key" } - - certificate_chain: { filename: "/etc/certs/downstream/home.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/home.jerxie.com/privkey.pem" } - # validation_context: - # trusted_ca: - # filename: /etc/certs/ca_bundle.crt - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - route_config: - virtual_hosts: - - name: docker_service - domains: ["docker.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_docker_registry", timeout: 0s} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["docker.jerxie.com", "docker.local"] - transport_socket: - name: 
envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/docker.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/docker.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - upgrade_configs: - - upgrade_type: websocket - route_config: - virtual_hosts: - - name: docker_service - domains: ["nas.jerxie.com", "nas:10001"] - routes: - - match: { prefix: "/" } - route: { cluster: "_nas_service", timeout: 0s} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["nas.jerxie.com", "nas"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/nas.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/nas.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - route_config: - virtual_hosts: - - name: docker_service - domains: ["video.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_nas_video", timeout: 0s} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - 
filter_chain_match: - server_names: ["video.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/video.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/video.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - route_config: - virtual_hosts: - - name: plex_server - domains: ["plex.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_plex_server", timeout: 0s} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["plex.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/plex.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/plex.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - normalize_path: true - merge_slashes: true - route_config: - virtual_hosts: - - name: kubernetes_service - domains: ["kubernetes.jerxie.com"] - routes: - - match: { path: "/apiserver"} - route: { prefix_rewrite: "/" , cluster: _k8s_apiserver } - - match: { prefix: "/apiserver/" } - route: { prefix_rewrite: "/" 
, cluster: _k8s_apiserver } - - match: { prefix: "/" } - route: { cluster: "_k8s_router"} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["kubernetes.jerxie.com", "kubernetes.local"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/kubernetes.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/kubernetes.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - normalize_path: true - merge_slashes: true - route_config: - virtual_hosts: - - name: kubernetes_dashboard_service - domains: ["kubernetes.dashboard.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_k8s_router"} - http_filters: - - name: envoy.filters.http.oauth2 - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 - config: - token_endpoint: - cluster: _auth_server - uri: auth.jerxie.com/token - timeout: 3s - authorization_endpoint: https://auth.jerxie.com/auth - redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback" - redirect_path_matcher: - path: - exact: /callback - signout_path: - path: - exact: /signout - forward_bearer_token: true - credentials: - client_id: kubernetes-dashboard - token_secret: - name: token - sds_config: - path: "/etc/envoy/token-secret.yaml" - hmac_secret: - name: hmac - sds_config: - path: "/etc/envoy/hmac-secret.yaml" - # (Optional): defaults to 'user' scope if not provided - auth_scopes: - - openid - - email - # 
(Optional): set resource parameter for Authorization request - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["kubernetes.dashboard.jerxie.com", "kubernetes.dashboard.local"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/kubernetes.dashboard.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/kubernetes.dashboard.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - route_config: - virtual_hosts: - - name: kubernetes_blog_service - domains: ["blog.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_k8s_router"} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["blog.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/blog.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/blog.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - route_config: - virtual_hosts: - - name: 
kubernetes_blog_service - domains: ["argocd.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_k8s_router"} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["argocd.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/argocd.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/argocd.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - upgrade_configs: - - upgrade_type: websocket - stream_idle_timeout: 0s - normalize_path: true - merge_slashes: true - route_config: - virtual_hosts: - - name: meet_service - domains: ["meet.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_k8s_router"} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["meet.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/meet.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/meet.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": 
type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - route_config: - virtual_hosts: - - name: docker_service - domains: ["audio.jerxie.com", "audio.local"] - routes: - - match: { prefix: "/" } - route: { cluster: "_nas_audio"} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["audio.jerxie.com", "audio.local"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/audio.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/audio.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - upgrade_configs: - - upgrade_type: websocket - route_config: - virtual_hosts: - - name: code_service - domains: ["code.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_code_server"} - http_filters: - - name: envoy.filters.http.oauth2 - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 - config: - token_endpoint: - cluster: _auth_server - uri: auth.jerxie.com/token - timeout: 3s - authorization_endpoint: https://auth.jerxie.com/auth - redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback" - forward_bearer_token: true - redirect_path_matcher: - path: - exact: /callback - signout_path: - path: - exact: /signout - credentials: - client_id: code-server - token_secret: - name: token - sds_config: - path: "/etc/envoy/token-secret.yaml" - 
hmac_secret: - name: hmac - sds_config: - path: "/etc/envoy/hmac-secret.yaml" - # (Optional): defaults to 'user' scope if not provided - auth_scopes: - - openid - - email - # (Optional): set resource parameter for Authorization request - - name: envoy.filters.http.jwt_authn - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication - providers: - provider1: - remote_jwks: - http_uri: - uri: "https://auth.jerxie.com/keys" - cluster: _auth_server - timeout: 5s - cache_duration: 600s - from_headers: - - name: Authorization - value_prefix: "Bearer " - from_cookies: - - BearerToken - payload_in_metadata: jwt_payload - rules: - - match: - prefix: / - requires: - provider_name: provider1 - - name: envoy.filters.http.lua - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua - inline_code: | - email = "" - function envoy_on_request(request_handle) - email = "" - local meta = request_handle:streamInfo():dynamicMetadata() - for key, value in pairs(meta:get("envoy.filters.http.jwt_authn")) do - if key == "jwt_payload" then - for k, v in pairs(value) do - if k == "email" then - request_handle:logInfo("login codeserver: " ..v) - email = v - end - end - end - end - end - - function envoy_on_response(response_handle) - if email ~="" and email ~= "axieyangb@gmail.com" then - response_handle:logInfo("Got unauthorized user, return 403 for user " ..email) - response_handle:headers():add("set-cookie", "BearerToken=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT") - response_handle:headers():add("set-cookie", "OauthHMAC=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT") - response_handle:headers():add("set-cookie", "IdToken=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT") - response_handle:headers():add("set-cookie", "OauthExpires=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT") - end - email = "" - end - - name: envoy.filters.http.router - typed_config: - "@type": 
type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["code.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/code.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/code.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - route_config: - virtual_hosts: - - name: photo_service - domains: ["photo.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_nas_photo", timeout: 0s} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["photo.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/photo.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/photo.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - route_config: - virtual_hosts: - - name: password_service - domains: ["password.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_bitwarden_service"} - http_filters: - - name: envoy.filters.http.router - typed_config: - 
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["password.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/password.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/password.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - route_config: - virtual_hosts: - - name: gitbucket_service - domains: ["gitbucket.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_git_bucket"} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["gitbucket.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/gitbucket.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/gitbucket.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - upgrade_configs: - - upgrade_type: websocket - stream_idle_timeout: 0s - normalize_path: true - merge_slashes: true - route_config: - virtual_hosts: - - name: printer_service - domains: ["printer.jerxie.com"] - 
routes: - - match: { prefix: "/webcam" } - route: { prefix_rewrite: "/", cluster: "_3d_printer_camera", max_stream_duration: {grpc_timeout_header_max: 0s} } - - match: { prefix: "/" } - route: { cluster: "_3d_printer_console"} - http_filters: - - name: envoy.filters.http.oauth2 - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 - config: - token_endpoint: - cluster: _auth_server - uri: auth.jerxie.com/token - timeout: 3s - authorization_endpoint: https://auth.jerxie.com/auth - redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback" - redirect_path_matcher: - path: - exact: /callback - signout_path: - path: - exact: /signout - forward_bearer_token: true - credentials: - client_id: octoprint-portal - token_secret: - name: token - sds_config: - path: "/etc/envoy/token-secret.yaml" - hmac_secret: - name: hmac - sds_config: - path: "/etc/envoy/hmac-secret.yaml" - # (Optional): defaults to 'user' scope if not provided - auth_scopes: - - openid - - email - # (Optional): set resource parameter for Authorization request - - name: envoy.filters.http.jwt_authn - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication - providers: - provider1: - remote_jwks: - http_uri: - uri: "https://auth.jerxie.com/keys" - cluster: _auth_server - timeout: 5s - cache_duration: 600s - from_headers: - - name: Authorization - value_prefix: "Bearer " - # from_cookies: - # - BearerToken - payload_in_metadata: jwt_payload - rules: - - match: - prefix: / - requires: - provider_name: provider1 - - name: envoy.filters.http.lua - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua - inline_code: | - email = "" - function envoy_on_request(request_handle) - email = "" - local meta = request_handle:streamInfo():dynamicMetadata() - for key, value in pairs(meta:get("envoy.filters.http.jwt_authn")) do - if key == "jwt_payload" then - for k, v in pairs(value) do - if k 
== "email" then - print("login octoprint: "..v) - email = v - request_handle:headers():add("ENVOY_AUTHENTICATED_USER", v) - end - end - end - end - end - - function envoy_on_response(response_handle) - if email ~="" and email ~= "axieyangb@gmail.com" then - response_handle:logInfo("Got unauthorized user, return 403 for user " ..email) - response_handle:headers():add("set-cookie", "BearerToken=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT") - response_handle:headers():add("set-cookie", "OauthHMAC=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT") - response_handle:headers():add("set-cookie", "IdToken=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT") - response_handle:headers():add("set-cookie", "OauthExpires=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT") - end - email = "" - end - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["printer.jerxie.com", "printer.local"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/printer.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/printer.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - upgrade_configs: - - upgrade_type: websocket - route_config: - virtual_hosts: - - name: camera_service - domains: ["camera.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_nas_camera"} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": 
type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["camera.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/camera.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/camera.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - route_config: - virtual_hosts: - - name: note_service - domains: ["note.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_nas_note"} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["note.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/note.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/note.jerxie.com/privkey.pem" } - # - filters: - # - name: envoy.filters.network.http_connection_manager - # typed_config: - # "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - # stat_prefix: ingress_http - # codec_type: AUTO - # route_config: - # virtual_hosts: - # - name: baby_service - # domains: ["baby.jerxie.com"] - # routes: - # - match: { prefix: "/" } - # route: { cluster: "_baby_buddy"} - # http_filters: - # - name: envoy.filters.http.router - # 
typed_config: - # "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - # filter_chain_match: - # server_names: ["baby.jerxie.com"] - # transport_socket: - # name: envoy.transport_sockets.tls - # typed_config: - # "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - # common_tls_context: - # tls_certificates: - # - certificate_chain: { filename: "/etc/certs/downstream/baby.jerxie.com/fullchain.pem" } - # private_key: { filename: "/etc/certs/downstream/baby.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - upgrade_configs: - - upgrade_type: websocket - codec_type: AUTO - route_config: - virtual_hosts: - - name: container_service - domains: ["container.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_portainer_ui"} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["container.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/container.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/container.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - upgrade_configs: - - upgrade_type: websocket - codec_type: AUTO - route_config: - virtual_hosts: - - name: grafana_service - domains: ["grafana.jerxie.com"] 
- routes: - - match: { prefix: "/" } - route: { cluster: "_grafana_ui"} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["grafana.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/grafana.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/grafana.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - upgrade_configs: - - upgrade_type: websocket - codec_type: AUTO - route_config: - virtual_hosts: - - name: auth_service - domains: ["auth.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_auth_server"} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["auth.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/auth.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/auth.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - upgrade_configs: - - upgrade_type: websocket - codec_type: AUTO - 
route_config: - virtual_hosts: - - name: ai_service - domains: ["ai.jerxie.com"] - routes: - - match: { prefix: "/api" } - route: { cluster: "_ai_api_server", timeout: 0s} - - match: { prefix: "/" } - route: { cluster: "_ai_ui_server", timeout: 0s} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["ai.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/ai.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/ai.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - upgrade_configs: - - upgrade_type: websocket - codec_type: AUTO - route_config: - virtual_hosts: - - name: pcb_service - domains: ["pcb.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_pcb_server", timeout: 0s} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["pcb.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/pcb.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/pcb.jerxie.com/privkey.pem" } - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": 
type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - upgrade_configs: - - upgrade_type: websocket - codec_type: AUTO - route_config: - virtual_hosts: - - name: monitor_service - domains: ["monitor.jerxie.com"] - routes: - - match: { prefix: "/" } - route: { cluster: "_monitor_server", timeout: 0s} - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - filter_chain_match: - server_names: ["monitor.jerxie.com"] - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: { filename: "/etc/certs/downstream/monitor.jerxie.com/fullchain.pem" } - private_key: { filename: "/etc/certs/downstream/monitor.jerxie.com/privkey.pem" } \ No newline at end of file +- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster + name: _acme_renewer + connect_timeout: 0.2s + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: acme_renewer + endpoints: + - lb_endpoints: + - endpoint: + health_check_config: + port_value: 8888 + address: + socket_address: + address: 172.17.0.1 #docker bridge + port_value: 8888 \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 0fc4c36..3b00d95 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -1,39 +1,37 @@ version: "3.9" services: - # 1. The Envoy Control Plane (Your existing service) + # 1. The Envoy Control Plane envoy-control-plane: - user: "1026:100" image: docker.jerxie.com/xds-server:latest container_name: envoy-control-plane restart: unless-stopped ports: # Exposes the gRPC XDS service port (18000) for the Envoy proxy to connect to - - "8090:8080" - # --- REMOVED: The 18000:18000 mapping is removed as it's only for internal sidecar use. --- - # - "18000:18000" + - "${CONTROL_PLANE_DASHBOARD_PORT}:8080" volumes: - - /volume1/docker/envoy-control-plane/data:/app/data:rw - command: ["--node-id", "home", "--config-dir", "/app/data/config","--db","file:/app/data/data.db?_foreign_keys=on", "--enable-cert-issuance", "webroot-path=/app/data/acme"] + # Uses the externally defined or default path + - ${ENVOY_DATA_PATH}/data:/app/data:rw + command: ["--node-id", "${ENVOY_NODE_ID}", "--config-dir", "/app/data/config","--db","file:/app/data/data.db?_foreign_keys=on", "--enable-cert-issuance", "webroot-path=/app/data/acme"] # Add a network to ensure both services can communicate networks: - envoy_network - # 2. The Envoy Proxy (New service) + # 2. The Envoy Proxy envoy-proxy: - user: "1026:100" # Use the official Envoy Docker image image: envoyproxy/envoy:v1.33.12 # Use a specific, stable version container_name: envoy-proxy restart: unless-stopped # Expose a port where the proxy will listen for client traffic (e.g., 11111 for admin, 10000,10001 for listener) ports: - - "10000:10000" - - "10001:10001" - - "11111:11111" + - "${ENVOY_HTTP_PORT}:10000" + - "${ENVOY_HTTPS_PORT}:10001" + - "${ENVOY_ADMIN_PORT}:11111" volumes: - - /volume1/docker/envoy-control-plane/data/envoy_config:/etc/config:rw + # Uses the externally defined or default path + - ${ENVOY_DATA_PATH}/data/envoy_config:/etc/config:rw # The starting command you provided command: - "envoy" 
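Review bot: The mapping `- "${ENVOY_ADMIN_PORT}:11111"` publishes Envoy's admin interface on every host interface; unless a host firewall is assumed, bind it to loopback, `- "127.0.0.1:${ENVOY_ADMIN_PORT}:11111"`, and the same consideration applies to the control-plane dashboard mapping. The new comment "Uses the externally defined or default path" is not backed by the expression: `${ENVOY_DATA_PATH}/data` has no fallback, so with the variable unset Compose expands it to an empty string and mounts host `/data`, whereas `- ${ENVOY_DATA_PATH:-.}/data:/app/data:rw` gives the documented default. Both services also lose `user: "1026:100"`, so they now run as whatever user each image defaults to while holding the data directory (the SQLite file and ACME webroot named in the command line) read-write; if that is intended, the reason belongs in a comment next to the image line. Finally, the retained comment about "the gRPC XDS service port (18000)" now sits above the dashboard mapping it no longer describes; replace it with `# Control-plane dashboard (container port 8080)`.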
@@ -46,21 +44,6 @@ networks: - envoy_network -# Define the volumes used by the services -# Corrected volume definition -#volumes: -# data_volume: -# driver: local -# driver_opts: -# type: "nfs" -# # Keep standard NFS mount options here (addr, rw, nfsvers=4) -# o: "addr=192.168.68.90,rw,nfsvers=4" -# # Specify the remote path -# device: ":/volume1/docker/envoy-control-plane/data" -# # Define ownership options separately (optional, but often helps) -# uid: "1026" -# gid: "100" - # Define a custom network for inter-service communication networks: envoy_network: diff --git a/envoy.yaml b/envoy.yaml index 7e66455..4e44d9c 100644 --- a/envoy.yaml +++ b/envoy.yaml @@ -1,27 +1,20 @@ node: id: home cluster: home-cluster - + dynamic_resources: - # Dynamic discovery for clusters (CDS) - cds_config: - resource_api_version: V3 - api_config_source: - api_type: GRPC - transport_api_version: V3 - grpc_services: - - envoy_grpc: - cluster_name: xds_cluster + ads_config: + api_type: GRPC + transport_api_version: V3 + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster - # Dynamic discovery for listeners (LDS) + cds_config: + ads: {} + lds_config: - resource_api_version: V3 - api_config_source: - api_type: GRPC - transport_api_version: V3 - grpc_services: - - envoy_grpc: - cluster_name: xds_cluster + ads: {} admin: access_log_path: /dev/null @@ -50,4 +43,4 @@ address: socket_address: address: envoy-control-plane - port_value: 18000 + port_value: 18000 \ No newline at end of file diff --git a/internal/api_handlers.go b/internal/api_handlers.go index cd0e2cd..ecb61fb 100644 --- a/internal/api_handlers.go +++ b/internal/api_handlers.go @@ -479,6 +479,7 @@ } func (api *API) issueCertificateHandler(w http.ResponseWriter, r *http.Request) { + ctx := context.Background() if r.Method != http.MethodPost { http.Error(w, "method not allowed", http.StatusMethodNotAllowed) return 
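Review bot: The switch to ADS drops the two explanatory comments without replacing them, so a reader no longer sees that `cds_config: ads: {}` and `lds_config: ads: {}` are both delivered over the single stream declared under `ads_config`; a one-line comment above it, `# Aggregated Discovery Service: one gRPC stream to xds_cluster carries both CDS and LDS`, keeps that visible. The `xds_cluster` definition (and any transport_socket on it) is outside this hunk; since that stream now carries every listener and cluster, including certificate paths, it is worth confirming the cluster is reachable only on the internal compose network or is TLS-protected.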
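Review bot: `ctx := context.Background()` in issueCertificateHandler discards the request context the handler already holds in `r`; use `ctx := r.Context()` instead, and the same applies to the renewCertificateHandler hunk on the next line. The factory.go change in this commit shows NewCertIssuer using ctx only to obtain a logger via LogFromContext, so a Background context presumably yields the fallback logger and loses whatever request-scoped fields middleware attached, which is the information the change set out to gain. The handlers' bodies continue outside these hunks; if any later call in them also takes ctx, the request context additionally lets work stop when the client disconnects.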
@@ -494,7 +495,7 @@ return } - issuer, err := internalcert.NewCertIssuer(req.Issuer) + issuer, err := internalcert.NewCertIssuer(ctx, req.Issuer) if err != nil { http.Error(w, "failed to create certificate issuer", http.StatusInternalServerError) return @@ -522,6 +523,7 @@ } func (api *API) renewCertificateHandler(w http.ResponseWriter, r *http.Request) { + ctx := context.Background() if r.Method != http.MethodPost { http.Error(w, "method not allowed", http.StatusMethodNotAllowed) return @@ -546,7 +548,7 @@ return } - issuer, err := internalcert.NewCertIssuer(issuertype) + issuer, err := internalcert.NewCertIssuer(ctx, issuertype) if err != nil { http.Error(w, "failed to create certificate issuer", http.StatusInternalServerError) return diff --git a/internal/pkg/cert/factory.go b/internal/pkg/cert/factory.go index 072388e..b4d35d5 100644 --- a/internal/pkg/cert/factory.go +++ b/internal/pkg/cert/factory.go @@ -1,10 +1,12 @@ package cert import ( + "context" "fmt" "os" "strconv" + internallog "envoy-control-plane/internal/log" "envoy-control-plane/internal/pkg/cert/api" "envoy-control-plane/internal/pkg/cert/letsencrypt" ) @@ -12,7 +14,8 @@ // NewCertIssuer is a factory function that creates a CertIssuer based on the provided type name. // It allows the rest of the application to obtain an issuer without knowing the specific // underlying implementation details. -func NewCertIssuer(issuerType string) (api.CertIssuer, error) { +func NewCertIssuer(ctx context.Context, issuerType string) (api.CertIssuer, error) { + log := internallog.LogFromContext(ctx) switch issuerType { case "letsencrypt": // 1. Check the environment variable for staging mode. @@ -34,6 +37,8 @@ } } + log.Infof("Creating LetsEncrypt issuer with staging mode: %v", useStaging) + // 4. Return the concrete *letsencrypt.LetsEncryptIssuer with the determined setting. return &letsencrypt.LetsEncryptIssuer{ UseStaging: useStaging, 
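Review bot: NewCertIssuer's doc comment is not updated for the new ctx parameter; add a line such as `// ctx is used only to obtain the logger via internallog.LogFromContext; as of this change it is not passed on to the issuer.` so callers know what the context is and is not used for (the tail of the function, including the rest of the LetsEncryptIssuer literal, is outside the hunk, so confirm ctx is indeed not threaded further before stating that). The new `log.Infof` records the staging decision, which is useful for auditing which ACME endpoint was used; a short comment above it, `// Record the chosen ACME environment so issuance logs show staging vs production.`, makes that intent explicit.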
diff --git a/internal/pkg/cert/rotation/rotator.go b/internal/pkg/cert/rotation/rotator.go index 84f1269..b1395cc 100644 --- a/internal/pkg/cert/rotation/rotator.go +++ b/internal/pkg/cert/rotation/rotator.go @@ -101,7 +101,7 @@ } // 4. Renew the certificate - certIsser, err := cert.NewCertIssuer(c.IssuerType) + certIsser, err := cert.NewCertIssuer(ctx, c.IssuerType) if err != nil { log.Errorf("Failed to create certificate issuer for domain %s: %v", c.Domain, err) return