first commit

2026-01-21 17:37:42 +11:00
commit bd1ed71ac4
142 changed files with 18994 additions and 0 deletions
--- a/templates/envoy/configmap.yaml
+++ b/templates/envoy/configmap.yaml
@@ -0,0 +1,602 @@
+{{- if eq .Values.common.externalConfigMaps false }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "envoy.appName" . }}
+  labels:
+{{ include "envoy.labels" . | indent 4 }}
+data:
+  {{- range $key, $value := .Values.envoy.files }}
+  {{ $key }}: |-
+  {{ $value | default "" | indent 4 }}
+  {{- end -}}
+  {{- if (index .Values.envoy.templates "envoy.yaml") }}
+  envoy.yaml: |-
+    {{ $valueWithDefault := default "" (index .Values.envoy.templates "envoy.yaml") -}}
+  {{ tpl $valueWithDefault $ | indent 4 }}
+  {{- else }}
+  envoy.yaml: |-
+    node:
+      cluster: ampint-gw
+      id: ampint-gw
+
+    admin:
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: {{ .Values.envoy.adminPorts.admin.containerPort }}
+
+    dynamic_resources:
+      cds_config:
+        resource_api_version: V3
+        api_config_source:
+          api_type: GRPC
+          transport_api_version: V3
+          grpc_services:
+            - envoy_grpc:
+                cluster_name: xds_cluster
+      lds_config:
+        resource_api_version: V3
+        api_config_source:
+          api_type: GRPC
+          transport_api_version: V3
+          grpc_services:
+            - envoy_grpc:
+                cluster_name: xds_cluster
+
+    static_resources:
+      listeners:
+      - name: internal
+        address:
+          socket_address:
+            address: 0.0.0.0
+            port_value: 9902
+        filter_chains:
+          - filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                stat_prefix: internal
+                codec_type: AUTO
+                stream_idle_timeout: 15s
+                use_remote_address: true
+                xff_num_trusted_hops: 0
+                common_http_protocol_options:
+                  idle_timeout: 15s
+                route_config:
+                  name: internal
+                  validate_clusters: false
+                  virtual_hosts:
+                  - name: internal
+                    domains:
+                    - "*"
+                    routes:
+                    - match:
+                        path: "/started"
+                      route:
+                        cluster: blackhole
+                http_filters:
+                  - name: envoy.filters.http.lua
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
+                      inline_code: |
+                        function envoy_on_request(request_handle)
+                          local headers, body = request_handle:httpCall(
+                          "service_admin",
+                          {
+                            [":method"] = "GET",
+                            [":path"] = "/stats?filter=http.apim.rds.ampint-api.update_success&format=text",
+                            [":authority"] = "internal"
+                          },
+                          "", 2000, false)
+
+                          local headersMtls, bodyMtls = request_handle:httpCall(
+                            "service_admin",
+                            {
+                              [":method"] = "GET",
+                              [":path"] = "/stats?filter=http.apim.rds.ampint-api-mtls.update_success&format=text",
+                              [":authority"] = "internal"
+                            },
+                            "", 2000, false)
+
+                          local count = string.gsub(body, "^%s*.+:%s*(.-)%s*$", "%1")
+                          local countMtls = string.match(bodyMtls, ":[%s]*(%d+)")
+                          
+                          if count == "0" or countMtls == "0" then
+                            request_handle:respond(
+                              {[":status"] = "503"},
+                              "Not Ready")
+                          else
+                            request_handle:respond(
+                                {[":status"] = "200"},
+                                "Ready")
+                          end
+                        end
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+      {{ if .Values.global.multihost.enabled }}
+      {{ if .Values.global.multihost.listeners.tcp.http.enabled  }}
+      - name: multiHostHttp
+        address:
+          socket_address:
+            address: 0.0.0.0
+            port_value: 9080
+        listener_filters:
+        - name: envoy.filters.listener.proxy_protocol
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
+            "allow_requests_without_proxy_protocol": true
+        filter_chains:
+        - filter_chain_match:
+            server_names:
+            - "{{ .Values.global.multihost.listeners.tcp.http.hostPrefix }}.{{ .Values.global.external_domain }}"
+        - filters:
+          - name: envoy.filters.network.connection_limit
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
+              stat_prefix: traffic_max_connections
+              max_connections: 30000
+              delay: 10s
+          - name: envoy.filters.network.tcp_proxy
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+              stat_prefix: http
+              cluster: inbound-worker-http
+              max_connect_attempts: 3
+              idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
+      {{- end }}
+
+      {{ if .Values.global.multihost.listeners.ssh.sftp.enabled  }}
+      - name: multiHostSftp
+        address:
+          socket_address:
+            address: 0.0.0.0
+            port_value: 2222
+        listener_filters:
+        - name: envoy.filters.listener.proxy_protocol
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
+            "allow_requests_without_proxy_protocol": true
+        - name: "envoy.filters.listener.tls_inspector"
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
+        filter_chains:
+        - filter_chain_match:
+            server_names:
+            - "{{ .Values.global.multihost.listeners.ssh.sftp.hostPrefix }}.{{ .Values.global.external_domain }}"
+        - filters:
+          - name: envoy.filters.network.connection_limit
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
+              stat_prefix: ssh_max_connections
+              max_connections: 30000
+              delay: 10s
+          - name: envoy.filters.network.tcp_proxy
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+              stat_prefix: ssh
+              cluster: inbound-worker-ssh
+              max_connect_attempts: 3
+              idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
+      {{- end }}
+
+      {{ else }}
+      - name: https-1
+        address:
+          socket_address:
+            address: 0.0.0.0
+            port_value: 9443
+        listener_filters:
+        - name: envoy.filters.listener.proxy_protocol
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
+            "allow_requests_without_proxy_protocol": true
+        - name: "envoy.filters.listener.tls_inspector"
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
+        filter_chains:
+        - filter_chain_match:
+            server_names:
+            {{- if eq  (include "parent.dataplaneMode" . ) "shared" }}
+            - "*.{{ .Values.global.external_domain }}"
+            {{- else }}
+            - "{{ .Values.global.external_domain }}"
+            {{- end }}
+          filters:
+            - name: envoy.filters.network.connection_limit
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
+                stat_prefix: traffic_max_connections
+                max_connections: 30000
+                delay: 10s
+            - name: envoy.filters.network.tcp_proxy
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+                stat_prefix: https
+                cluster: inbound-worker-https
+                max_connect_attempts: 3
+                idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
+
+      - name: https-2
+        address:
+          socket_address:
+            address: 0.0.0.0
+            port_value: 8443
+        listener_filters:
+        - name: envoy.filters.listener.proxy_protocol
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
+            "allow_requests_without_proxy_protocol": true
+        - name: "envoy.filters.listener.tls_inspector"
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
+        filter_chains:
+        - filter_chain_match:
+            server_names:
+            {{- if eq  (include "parent.dataplaneMode" . ) "shared" }}
+            - "*.{{ .Values.global.external_domain }}"
+            {{- else }}
+            - "{{ .Values.global.external_domain }}"
+            {{- end }}
+          filters:
+            - name: envoy.filters.network.connection_limit
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
+                stat_prefix: traffic_max_connections
+                max_connections: 30000
+                delay: 10s
+            - name: envoy.filters.network.tcp_proxy
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+                stat_prefix: https
+                cluster: inbound-worker-https
+                max_connect_attempts: 3
+                idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
+
+      - name: http
+        address:
+          socket_address:
+            address: 0.0.0.0
+            port_value: 9080
+        listener_filters:
+        - name: envoy.filters.listener.proxy_protocol
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
+            "allow_requests_without_proxy_protocol": true
+        filter_chains:
+        - filters:
+            - name: envoy.filters.network.connection_limit
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
+                stat_prefix: traffic_max_connections
+                max_connections: 30000
+                delay: 10s
+            - name: envoy.filters.network.tcp_proxy
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+                stat_prefix: http
+                cluster: inbound-worker-http
+                max_connect_attempts: 3
+                idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
+
+      - name: ssh
+        address:
+          socket_address:
+            address: 0.0.0.0
+            port_value: 2222
+        listener_filters:
+        - name: envoy.filters.listener.proxy_protocol
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
+            "allow_requests_without_proxy_protocol": true
+        - name: "envoy.filters.listener.tls_inspector"
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
+        filter_chains:
+          filters:
+            - name: envoy.filters.network.connection_limit
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
+                stat_prefix: ssh_max_connections
+                max_connections: 30000
+                delay: 10s
+            - name: envoy.filters.network.tcp_proxy
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+                stat_prefix: ssh
+                cluster: inbound-worker-ssh
+                max_connect_attempts: 3
+                idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
+      {{- end }}
+
+      clusters:
+      - name: service_admin
+        connect_timeout: 0.25s
+        type: STATIC
+        lb_policy: ROUND_ROBIN
+        typed_extension_protocol_options:
+          envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+            "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+            explicit_http_config:
+              http2_protocol_options:
+                # Configure an HTTP/2 keep-alive to detect connection issues and reconnect
+                # to the admin server if the connection is no longer responsive.
+                connection_keepalive:
+                  interval: 30s
+                  timeout: 5s
+        load_assignment:
+          cluster_name: service_admin
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 9901
+      - name: xds_cluster
+        connect_timeout: 0.25s
+        type: LOGICAL_DNS
+        lb_policy: ROUND_ROBIN
+        typed_extension_protocol_options:
+          envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+            "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+            explicit_http_config:
+              http2_protocol_options:
+                connection_keepalive:
+                  interval: 30s
+                  timeout: 5s
+        load_assignment:
+          cluster_name: xds_cluster
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: pep-server-{{ .Values.global.appEnv }}
+                    port_value: 9090
+        #Note the health checks needs only to be applied to one of the pep_clusters
+        health_checks:
+          - timeout: 2s
+            interval: 3s
+            unhealthy_threshold: 2
+            healthy_threshold: 2
+            grpc_health_check:
+              service_name: ""
+            no_traffic_healthy_interval: 5s
+
+      {{- if .Values.common.openTelemetry.enabled }}
+      - name: otel_cluster
+        connect_timeout: 0.25s
+        type: LOGICAL_DNS
+        lb_policy: ROUND_ROBIN
+        typed_extension_protocol_options:
+          envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+            "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+            explicit_http_config:
+              http2_protocol_options:
+                connection_keepalive:
+                  interval: 30s
+                  timeout: 5s
+        load_assignment:
+          cluster_name: otel_cluster
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: pep-server-{{ .Values.global.appEnv }}
+                    port_value: 9090
+      {{- end }}
+      - name: als_cluster
+        connect_timeout: 0.25s
+        type: LOGICAL_DNS
+        lb_policy: ROUND_ROBIN
+        typed_extension_protocol_options:
+          envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+            "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+            explicit_http_config:
+              http2_protocol_options:
+                connection_keepalive:
+                  interval: 30s
+                  timeout: 5s
+        load_assignment:
+          cluster_name: als_cluster
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: pep-server-{{ .Values.global.appEnv }}
+                    port_value: 9090
+      - name: ext_authz_cluster
+        connect_timeout: 0.25s
+        type: LOGICAL_DNS
+        lb_policy: ROUND_ROBIN
+        typed_extension_protocol_options:
+          envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+            "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+            explicit_http_config:
+              http2_protocol_options:
+                connection_keepalive:
+                  interval: 30s
+                  timeout: 5s
+        load_assignment:
+          cluster_name: ext_authz_cluster
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: pep-server-{{ .Values.global.appEnv }}
+                    port_value: 9090
+      - name: ext_proc_start_audit_cluster
+        connect_timeout: 0.25s
+        type: LOGICAL_DNS
+        lb_policy: ROUND_ROBIN
+        typed_extension_protocol_options:
+          envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+            "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+            explicit_http_config:
+              http2_protocol_options:
+                connection_keepalive:
+                  interval: 30s
+                  timeout: 5s
+        load_assignment:
+          cluster_name: ext_proc_start_audit_cluster
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: pep-server-{{ .Values.global.appEnv }}
+                    port_value: 9090
+      {{- if ne  (include "parent.dataplaneMode" . ) "shared" }}
+      - name: orchestrator_cluster
+        connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
+        type: STRICT_DNS
+        lb_policy: ROUND_ROBIN
+        typed_extension_protocol_options:
+          envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+            "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+            explicit_http_config:
+              http2_protocol_options:
+                connection_keepalive:
+                  interval: 30s
+                  timeout: 5s
+        load_assignment:
+          cluster_name: orchestrator_cluster
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: orchestrator-{{ .Values.global.appEnv }}
+                    port_value: 50051
+
+        health_checks:
+          - timeout: 3s
+            interval: 3s
+            unhealthy_threshold: 1
+            healthy_threshold: 2
+            grpc_health_check:
+              service_name: ""
+            no_traffic_healthy_interval: 30s
+
+      - name: orchestrator_cluster-sse
+        connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
+        type: STRICT_DNS
+        lb_policy: ROUND_ROBIN
+        typed_extension_protocol_options:
+          envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+            "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+            explicit_http_config:
+              http_protocol_options: {}
+        load_assignment:
+          cluster_name: orchestrator_cluster-sse
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: orchestrator-{{ .Values.global.appEnv }}
+                    port_value: 50052
+      {{- end }}
+      - name: inbound-worker-sse
+        connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
+        http_protocol_options:
+          allow_chunked_length: true
+        typed_extension_protocol_options:
+          envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
+            "@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
+            idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
+        type: LOGICAL_DNS
+        load_assignment:
+          cluster_name: inbound-worker-sse
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: inbound-worker-{{ .Values.global.appEnv }}
+                    port_value: 7080
+        health_checks:
+          - timeout: 1s
+            interval: 20s
+            unhealthy_threshold: 3
+            healthy_threshold: 3
+            tcp_health_check: {}
+
+      - name: inbound-worker-http
+        connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
+        http_protocol_options:
+          allow_chunked_length: true
+        typed_extension_protocol_options:
+          envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
+            "@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
+            idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
+        type: LOGICAL_DNS
+        load_assignment:
+          cluster_name: inbound-worker-http
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: inbound-worker-{{ .Values.global.appEnv }}
+                    port_value: 9080
+        health_checks:
+          - timeout: 1s
+            interval: 20s
+            unhealthy_threshold: 3
+            healthy_threshold: 3
+            tcp_health_check: {}
+      - name: inbound-worker-https
+        connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
+        http_protocol_options:
+          allow_chunked_length: true
+        typed_extension_protocol_options:
+          envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
+            "@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
+            idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
+        type: LOGICAL_DNS
+        load_assignment:
+          cluster_name: inbound-worker-https
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: inbound-worker-{{ .Values.global.appEnv }}
+                    port_value: 9443
+        health_checks:
+          - timeout: 1s
+            interval: 20s
+            unhealthy_threshold: 3
+            healthy_threshold: 3
+            tcp_health_check: {}
+      - name: inbound-worker-ssh
+        connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
+        typed_extension_protocol_options:
+          envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
+            "@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
+            idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
+        type: LOGICAL_DNS
+        load_assignment:
+          cluster_name: inbound-worker-ssh
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: inbound-worker-{{ .Values.global.appEnv }}
+                    port_value: 2222
+        health_checks:
+          - timeout: 1s
+            interval: 20s
+            unhealthy_threshold: 3
+            healthy_threshold: 3
+            tcp_health_check: {}
+  {{- end }}
+{{- end }}