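{{- /*
Envoy bootstrap ConfigMap for the gateway.

Rendered only while the chart manages its own ConfigMaps, i.e. when
common.externalConfigMaps is explicitly false: `eq` does not treat an unset
value as false, so leaving the value unset skips this ConfigMap.

data holds two kinds of entries:
  - every entry of .Values.envoy.files, copied verbatim under its own key;
  - envoy.yaml, taken from .Values.envoy.templates["envoy.yaml"] (rendered
    through tpl) when that key is present, otherwise the built-in bootstrap
    below.

Changes against the previous revision of this template:
  - the ssh listener's filter_chains is a sequence again (it was a mapping,
    which the Envoy proto loader rejects);
  - in the multihost listeners `filters` now lives in the same filter chain
    as `filter_chain_match`, as in https-1/https-2, instead of starting a
    second, match-less chain;
  - service_admin targets the templated admin port instead of a hard-coded
    9901, so the readiness probe keeps working when adminPorts is changed;
  - the readiness Lua parses both counters the same way and tolerates a
    missing response body instead of raising a Lua error.
*/ -}}
{{- if eq .Values.common.externalConfigMaps false }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "envoy.appName" . }}
  labels:
{{ include "envoy.labels" . | indent 4 }}
data:
  {{- range $key, $value := .Values.envoy.files }}
  {{ $key }}: |-
{{ $value | default "" | indent 4 }}
  {{- end -}}
  {{- if (index .Values.envoy.templates "envoy.yaml") }}
  envoy.yaml: |-
{{ $valueWithDefault := default "" (index .Values.envoy.templates "envoy.yaml") -}}
{{ tpl $valueWithDefault $ | indent 4 }}
  {{- else }}
  envoy.yaml: |-
    node:
      cluster: ampint-gw
      id: ampint-gw
    # Admin API (stats, config_dump, runtime controls). It binds on all
    # interfaces, presumably so the port can be scraped from outside the pod;
    # only the pod-local readiness check below needs it, so access to this
    # port from elsewhere should be restricted (e.g. NetworkPolicy).
    admin:
      address:
        socket_address:
          address: 0.0.0.0
          port_value: {{ .Values.envoy.adminPorts.admin.containerPort }}
    # Clusters and listeners are delivered by the control plane (xds_cluster);
    # only the readiness listener and the TCP pass-through listeners are static.
    dynamic_resources:
      cds_config:
        resource_api_version: V3
        api_config_source:
          api_type: GRPC
          transport_api_version: V3
          grpc_services:
            - envoy_grpc:
                cluster_name: xds_cluster
      lds_config:
        resource_api_version: V3
        api_config_source:
          api_type: GRPC
          transport_api_version: V3
          grpc_services:
            - envoy_grpc:
                cluster_name: xds_cluster
    static_resources:
      listeners:
        # Readiness listener: GET /started is answered by the Lua filter, so
        # the "blackhole" cluster it routes to is never contacted (and
        # validate_clusters is off because it does not exist).
        - name: internal
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 9902
          filter_chains:
            - filters:
                - name: envoy.filters.network.http_connection_manager
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                    stat_prefix: internal
                    codec_type: AUTO
                    stream_idle_timeout: 15s
                    use_remote_address: true
                    xff_num_trusted_hops: 0
                    common_http_protocol_options:
                      idle_timeout: 15s
                    route_config:
                      name: internal
                      validate_clusters: false
                      virtual_hosts:
                        - name: internal
                          domains:
                            - "*"
                          routes:
                            - match:
                                path: "/started"
                              route:
                                cluster: blackhole
                    http_filters:
                      - name: envoy.filters.http.lua
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
                          inline_code: |
                            -- Readiness probe: asks the local admin API for the RDS
                            -- update_success counters of the two API route configs and
                            -- answers 503 while either counter is still 0.

                            -- Extract the counter value from the admin /stats text
                            -- format ("<name>: <value>"). Returns nil when there is no
                            -- body or the stat is not present.
                            local function counterValue(body)
                              if body == nil then
                                return nil
                              end
                              return string.match(body, ":%s*(%d+)")
                            end

                            -- Synchronous GET against the service_admin cluster
                            -- (2 s timeout); only the body is used.
                            local function fetchCounter(request_handle, path)
                              local _, body = request_handle:httpCall(
                                "service_admin",
                                {
                                  [":method"] = "GET",
                                  [":path"] = path,
                                  [":authority"] = "internal"
                                },
                                "", 2000, false)
                              return counterValue(body)
                            end

                            function envoy_on_request(request_handle)
                              local count = fetchCounter(request_handle,
                                "/stats?filter=http.apim.rds.ampint-api.update_success&format=text")
                              local countMtls = fetchCounter(request_handle,
                                "/stats?filter=http.apim.rds.ampint-api-mtls.update_success&format=text")
                              -- NOTE(review): a counter that is absent from /stats (no RDS
                              -- subscription yet, admin unreachable, or that route config not
                              -- in use) is not "0" and therefore reports Ready; only an
                              -- explicit 0 fails the probe. Confirm this fail-open behaviour
                              -- is intended before tightening it.
                              if count == "0" or countMtls == "0" then
                                request_handle:respond({[":status"] = "503"}, "Not Ready")
                              else
                                request_handle:respond({[":status"] = "200"}, "Ready")
                              end
                            end
                      - name: envoy.filters.http.router
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
        {{- if .Values.global.multihost.enabled }}
        {{- if .Values.global.multihost.listeners.tcp.http.enabled }}
        # PROXY protocol is honoured from any peer and is optional, so the
        # source address Envoy records is whatever the connecting peer claims;
        # these ports must only be reachable through the trusted load balancer.
        - name: multiHostHttp
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 9080
          listener_filters:
            - name: envoy.filters.listener.proxy_protocol
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
                allow_requests_without_proxy_protocol: true
          # NOTE(review): server_names needs SNI, which only the tls_inspector
          # listener filter supplies and which is not configured here; confirm
          # that plaintext HTTP on 9080 can ever match this chain.
          filter_chains:
            - filter_chain_match:
                server_names:
                  - "{{ .Values.global.multihost.listeners.tcp.http.hostPrefix }}.{{ .Values.global.external_domain }}"
              filters:
                - name: envoy.filters.network.connection_limit
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
                    stat_prefix: traffic_max_connections
                    max_connections: 30000
                    delay: 10s
                - name: envoy.filters.network.tcp_proxy
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                    stat_prefix: http
                    cluster: inbound-worker-http
                    max_connect_attempts: 3
                    idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
        {{- end }}
        {{- if .Values.global.multihost.listeners.ssh.sftp.enabled }}
        - name: multiHostSftp
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 2222
          listener_filters:
            - name: envoy.filters.listener.proxy_protocol
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
                allow_requests_without_proxy_protocol: true
            - name: envoy.filters.listener.tls_inspector
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
          # NOTE(review): SNI matching only applies to TLS ClientHellos; confirm
          # the SFTP clients are TLS-wrapped, otherwise this chain never matches.
          filter_chains:
            - filter_chain_match:
                server_names:
                  - "{{ .Values.global.multihost.listeners.ssh.sftp.hostPrefix }}.{{ .Values.global.external_domain }}"
              filters:
                - name: envoy.filters.network.connection_limit
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
                    stat_prefix: ssh_max_connections
                    max_connections: 30000
                    delay: 10s
                - name: envoy.filters.network.tcp_proxy
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                    stat_prefix: ssh
                    cluster: inbound-worker-ssh
                    max_connect_attempts: 3
                    idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
        {{- end }}
        {{- else }}
        # TLS pass-through on 9443/8443, selected by SNI: a wildcard for the
        # shared dataplane, the bare external domain otherwise. Connections
        # without a matching SNI select no chain and are closed.
        # PROXY protocol is honoured from any peer and is optional, so the
        # source address Envoy records is whatever the connecting peer claims;
        # these ports must only be reachable through the trusted load balancer.
        - name: https-1
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 9443
          listener_filters:
            - name: envoy.filters.listener.proxy_protocol
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
                allow_requests_without_proxy_protocol: true
            - name: envoy.filters.listener.tls_inspector
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
          filter_chains:
            - filter_chain_match:
                server_names:
                  {{- if eq (include "parent.dataplaneMode" . ) "shared" }}
                  - "*.{{ .Values.global.external_domain }}"
                  {{- else }}
                  - "{{ .Values.global.external_domain }}"
                  {{- end }}
              filters:
                - name: envoy.filters.network.connection_limit
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
                    stat_prefix: traffic_max_connections
                    max_connections: 30000
                    delay: 10s
                - name: envoy.filters.network.tcp_proxy
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                    stat_prefix: https
                    cluster: inbound-worker-https
                    max_connect_attempts: 3
                    idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
        - name: https-2
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 8443
          listener_filters:
            - name: envoy.filters.listener.proxy_protocol
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
                allow_requests_without_proxy_protocol: true
            - name: envoy.filters.listener.tls_inspector
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
          filter_chains:
            - filter_chain_match:
                server_names:
                  {{- if eq (include "parent.dataplaneMode" . ) "shared" }}
                  - "*.{{ .Values.global.external_domain }}"
                  {{- else }}
                  - "{{ .Values.global.external_domain }}"
                  {{- end }}
              filters:
                - name: envoy.filters.network.connection_limit
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
                    stat_prefix: traffic_max_connections
                    max_connections: 30000
                    delay: 10s
                - name: envoy.filters.network.tcp_proxy
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                    stat_prefix: https
                    cluster: inbound-worker-https
                    max_connect_attempts: 3
                    idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
        # Plain TCP pass-through for HTTP; no SNI match, every connection
        # goes to inbound-worker-http.
        - name: http
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 9080
          listener_filters:
            - name: envoy.filters.listener.proxy_protocol
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
                allow_requests_without_proxy_protocol: true
          filter_chains:
            - filters:
                - name: envoy.filters.network.connection_limit
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
                    stat_prefix: traffic_max_connections
                    max_connections: 30000
                    delay: 10s
                - name: envoy.filters.network.tcp_proxy
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                    stat_prefix: http
                    cluster: inbound-worker-http
                    max_connect_attempts: 3
                    idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
        # SSH pass-through; filter_chains is a sequence here (a mapping is
        # rejected by the proto loader).
        - name: ssh
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 2222
          listener_filters:
            - name: envoy.filters.listener.proxy_protocol
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
                allow_requests_without_proxy_protocol: true
            - name: envoy.filters.listener.tls_inspector
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
          filter_chains:
            - filters:
                - name: envoy.filters.network.connection_limit
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
                    stat_prefix: ssh_max_connections
                    max_connections: 30000
                    delay: 10s
                - name: envoy.filters.network.tcp_proxy
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                    stat_prefix: ssh
                    cluster: inbound-worker-ssh
                    max_connect_attempts: 3
                    idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
        {{- end }}
      clusters:
        # Loopback to this proxy's own admin API; used only by the readiness
        # Lua above. The port is the same value the admin listener binds to.
        - name: service_admin
          connect_timeout: 0.25s
          type: STATIC
          lb_policy: ROUND_ROBIN
          typed_extension_protocol_options:
            envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
              "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
              explicit_http_config:
                http2_protocol_options:
                  # Configure an HTTP/2 keep-alive to detect connection issues and reconnect
                  # to the admin server if the connection is no longer responsive.
                  connection_keepalive:
                    interval: 30s
                    timeout: 5s
          load_assignment:
            cluster_name: service_admin
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: 127.0.0.1
                          port_value: {{ .Values.envoy.adminPorts.admin.containerPort }}
        # Control plane (xDS) over plaintext gRPC: no transport_socket is
        # configured, so confidentiality and peer authentication of the
        # config stream rest entirely on the cluster network. The same holds
        # for the als/ext_authz/ext_proc(/otel) clusters below, which all point
        # at the same pep-server endpoint.
        - name: xds_cluster
          connect_timeout: 0.25s
          type: LOGICAL_DNS
          lb_policy: ROUND_ROBIN
          typed_extension_protocol_options:
            envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
              "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
              explicit_http_config:
                http2_protocol_options:
                  connection_keepalive:
                    interval: 30s
                    timeout: 5s
          load_assignment:
            cluster_name: xds_cluster
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: pep-server-{{ .Values.global.appEnv }}
                          port_value: 9090
          # Note: the health check only needs to be applied to one of the pep
          # clusters (health status is tracked per cluster; the others have none).
          health_checks:
            - timeout: 2s
              interval: 3s
              unhealthy_threshold: 2
              healthy_threshold: 2
              grpc_health_check:
                service_name: ""
              no_traffic_healthy_interval: 5s
        {{- if .Values.common.openTelemetry.enabled }}
        - name: otel_cluster
          connect_timeout: 0.25s
          type: LOGICAL_DNS
          lb_policy: ROUND_ROBIN
          typed_extension_protocol_options:
            envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
              "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
              explicit_http_config:
                http2_protocol_options:
                  connection_keepalive:
                    interval: 30s
                    timeout: 5s
          load_assignment:
            cluster_name: otel_cluster
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: pep-server-{{ .Values.global.appEnv }}
                          port_value: 9090
        {{- end }}
        - name: als_cluster
          connect_timeout: 0.25s
          type: LOGICAL_DNS
          lb_policy: ROUND_ROBIN
          typed_extension_protocol_options:
            envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
              "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
              explicit_http_config:
                http2_protocol_options:
                  connection_keepalive:
                    interval: 30s
                    timeout: 5s
          load_assignment:
            cluster_name: als_cluster
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: pep-server-{{ .Values.global.appEnv }}
                          port_value: 9090
        - name: ext_authz_cluster
          connect_timeout: 0.25s
          type: LOGICAL_DNS
          lb_policy: ROUND_ROBIN
          typed_extension_protocol_options:
            envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
              "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
              explicit_http_config:
                http2_protocol_options:
                  connection_keepalive:
                    interval: 30s
                    timeout: 5s
          load_assignment:
            cluster_name: ext_authz_cluster
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: pep-server-{{ .Values.global.appEnv }}
                          port_value: 9090
        - name: ext_proc_start_audit_cluster
          connect_timeout: 0.25s
          type: LOGICAL_DNS
          lb_policy: ROUND_ROBIN
          typed_extension_protocol_options:
            envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
              "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
              explicit_http_config:
                http2_protocol_options:
                  connection_keepalive:
                    interval: 30s
                    timeout: 5s
          load_assignment:
            cluster_name: ext_proc_start_audit_cluster
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: pep-server-{{ .Values.global.appEnv }}
                          port_value: 9090
        {{- if ne (include "parent.dataplaneMode" . ) "shared" }}
        # Orchestrator (gRPC on 50051, SSE over HTTP/1.1 on 50052); only for
        # the non-shared dataplane mode.
        - name: orchestrator_cluster
          connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
          type: STRICT_DNS
          lb_policy: ROUND_ROBIN
          typed_extension_protocol_options:
            envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
              "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
              explicit_http_config:
                http2_protocol_options:
                  connection_keepalive:
                    interval: 30s
                    timeout: 5s
          load_assignment:
            cluster_name: orchestrator_cluster
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: orchestrator-{{ .Values.global.appEnv }}
                          port_value: 50051
          health_checks:
            - timeout: 3s
              interval: 3s
              unhealthy_threshold: 1
              healthy_threshold: 2
              grpc_health_check:
                service_name: ""
              no_traffic_healthy_interval: 30s
        - name: orchestrator_cluster-sse
          connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
          type: STRICT_DNS
          lb_policy: ROUND_ROBIN
          typed_extension_protocol_options:
            envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
              "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
              explicit_http_config:
                http_protocol_options: {}
          load_assignment:
            cluster_name: orchestrator_cluster-sse
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: orchestrator-{{ .Values.global.appEnv }}
                          port_value: 50052
        {{- end }}
        # inbound-worker upstreams, one per pass-through protocol. The
        # cluster-level http_protocol_options on the sse/http/https clusters is
        # the older, deprecated cluster field; it is kept as-is because those
        # clusters are presumably also used by dynamically delivered HTTP
        # routes — TODO confirm and move it under HttpProtocolOptions.
        - name: inbound-worker-sse
          connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
          http_protocol_options:
            allow_chunked_length: true
          typed_extension_protocol_options:
            envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
              "@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
              idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
          type: LOGICAL_DNS
          load_assignment:
            cluster_name: inbound-worker-sse
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: inbound-worker-{{ .Values.global.appEnv }}
                          port_value: 7080
          health_checks:
            - timeout: 1s
              interval: 20s
              unhealthy_threshold: 3
              healthy_threshold: 3
              tcp_health_check: {}
        - name: inbound-worker-http
          connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
          http_protocol_options:
            allow_chunked_length: true
          typed_extension_protocol_options:
            envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
              "@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
              idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
          type: LOGICAL_DNS
          load_assignment:
            cluster_name: inbound-worker-http
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: inbound-worker-{{ .Values.global.appEnv }}
                          port_value: 9080
          health_checks:
            - timeout: 1s
              interval: 20s
              unhealthy_threshold: 3
              healthy_threshold: 3
              tcp_health_check: {}
        - name: inbound-worker-https
          connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
          http_protocol_options:
            allow_chunked_length: true
          typed_extension_protocol_options:
            envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
              "@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
              idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
          type: LOGICAL_DNS
          load_assignment:
            cluster_name: inbound-worker-https
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: inbound-worker-{{ .Values.global.appEnv }}
                          port_value: 9443
          health_checks:
            - timeout: 1s
              interval: 20s
              unhealthy_threshold: 3
              healthy_threshold: 3
              tcp_health_check: {}
        - name: inbound-worker-ssh
          connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
          typed_extension_protocol_options:
            envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
              "@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
              idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
          type: LOGICAL_DNS
          load_assignment:
            cluster_name: inbound-worker-ssh
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: inbound-worker-{{ .Values.global.appEnv }}
                          port_value: 2222
          health_checks:
            - timeout: 1s
              interval: 20s
              unhealthy_threshold: 3
              healthy_threshold: 3
              tcp_health_check: {}
  {{- end }}
{{- end }}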