cscott/amplify-fusion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a83164397c93a608dcf70281326c21159c753589
amplify-fusion/templates/envoy/configmap.yaml
Conan Scott bd1ed71ac4 first commit
2026-01-21 17:37:42 +11:00

603 lines
23 KiB
YAML
Raw Blame History

{{- if eq .Values.common.externalConfigMaps false }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "envoy.appName" . }}
labels:
{{ include "envoy.labels" . | indent 4 }}
data:
{{- range $key, $value := .Values.envoy.files }}
{{ $key }}: |-
{{ $value | default "" | indent 4 }}
{{- end -}}
{{- if (index .Values.envoy.templates "envoy.yaml") }}
envoy.yaml: |-
{{ $valueWithDefault := default "" (index .Values.envoy.templates "envoy.yaml") -}}
{{ tpl $valueWithDefault $ | indent 4 }}
{{- else }}
envoy.yaml: |-
node:
cluster: ampint-gw
id: ampint-gw
admin:
address:
socket_address:
address: 0.0.0.0
port_value: {{ .Values.envoy.adminPorts.admin.containerPort }}
dynamic_resources:
cds_config:
resource_api_version: V3
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
lds_config:
resource_api_version: V3
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
- envoy_grpc:
cluster_name: xds_cluster
static_resources:
listeners:
- name: internal
address:
socket_address:
address: 0.0.0.0
port_value: 9902
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: internal
codec_type: AUTO
stream_idle_timeout: 15s
use_remote_address: true
xff_num_trusted_hops: 0
common_http_protocol_options:
idle_timeout: 15s
route_config:
name: internal
validate_clusters: false
virtual_hosts:
- name: internal
domains:
- "*"
routes:
- match:
path: "/started"
route:
cluster: blackhole
http_filters:
- name: envoy.filters.http.lua
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
inline_code: |
function envoy_on_request(request_handle)
local headers, body = request_handle:httpCall(
"service_admin",
{
[":method"] = "GET",
[":path"] = "/stats?filter=http.apim.rds.ampint-api.update_success&format=text",
[":authority"] = "internal"
},
"", 2000, false)
local headersMtls, bodyMtls = request_handle:httpCall(
"service_admin",
{
[":method"] = "GET",
[":path"] = "/stats?filter=http.apim.rds.ampint-api-mtls.update_success&format=text",
[":authority"] = "internal"
},
"", 2000, false)
local count = string.gsub(body, "^%s*.+:%s*(.-)%s*$", "%1")
local countMtls = string.match(bodyMtls, ":[%s]*(%d+)")
if count == "0" or countMtls == "0" then
request_handle:respond(
{[":status"] = "503"},
"Not Ready")
else
request_handle:respond(
{[":status"] = "200"},
"Ready")
end
end
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
{{ if .Values.global.multihost.enabled }}
{{ if .Values.global.multihost.listeners.tcp.http.enabled }}
- name: multiHostHttp
address:
socket_address:
address: 0.0.0.0
port_value: 9080
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
filter_chains:
- filter_chain_match:
server_names:
- "{{ .Values.global.multihost.listeners.tcp.http.hostPrefix }}.{{ .Values.global.external_domain }}"
- filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: traffic_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: http
cluster: inbound-worker-http
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
{{- end }}
{{ if .Values.global.multihost.listeners.ssh.sftp.enabled }}
- name: multiHostSftp
address:
socket_address:
address: 0.0.0.0
port_value: 2222
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
- name: "envoy.filters.listener.tls_inspector"
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
filter_chains:
- filter_chain_match:
server_names:
- "{{ .Values.global.multihost.listeners.ssh.sftp.hostPrefix }}.{{ .Values.global.external_domain }}"
- filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: ssh_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: ssh
cluster: inbound-worker-ssh
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
{{- end }}
{{ else }}
- name: https-1
address:
socket_address:
address: 0.0.0.0
port_value: 9443
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
- name: "envoy.filters.listener.tls_inspector"
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
filter_chains:
- filter_chain_match:
server_names:
{{- if eq (include "parent.dataplaneMode" . ) "shared" }}
- "*.{{ .Values.global.external_domain }}"
{{- else }}
- "{{ .Values.global.external_domain }}"
{{- end }}
filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: traffic_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: https
cluster: inbound-worker-https
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
- name: https-2
address:
socket_address:
address: 0.0.0.0
port_value: 8443
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
- name: "envoy.filters.listener.tls_inspector"
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
filter_chains:
- filter_chain_match:
server_names:
{{- if eq (include "parent.dataplaneMode" . ) "shared" }}
- "*.{{ .Values.global.external_domain }}"
{{- else }}
- "{{ .Values.global.external_domain }}"
{{- end }}
filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: traffic_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: https
cluster: inbound-worker-https
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
- name: http
address:
socket_address:
address: 0.0.0.0
port_value: 9080
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
filter_chains:
- filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: traffic_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: http
cluster: inbound-worker-http
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
- name: ssh
address:
socket_address:
address: 0.0.0.0
port_value: 2222
listener_filters:
- name: envoy.filters.listener.proxy_protocol
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
"allow_requests_without_proxy_protocol": true
- name: "envoy.filters.listener.tls_inspector"
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
filter_chains:
filters:
- name: envoy.filters.network.connection_limit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
stat_prefix: ssh_max_connections
max_connections: 30000
delay: 10s
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: ssh
cluster: inbound-worker-ssh
max_connect_attempts: 3
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
{{- end }}
clusters:
- name: service_admin
connect_timeout: 0.25s
type: STATIC
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
# Configure an HTTP/2 keep-alive to detect connection issues and reconnect
# to the admin server if the connection is no longer responsive.
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: service_admin
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 127.0.0.1
port_value: 9901
- name: xds_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: xds_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: pep-server-{{ .Values.global.appEnv }}
port_value: 9090
#Note the health checks needs only to be applied to one of the pep_clusters
health_checks:
- timeout: 2s
interval: 3s
unhealthy_threshold: 2
healthy_threshold: 2
grpc_health_check:
service_name: ""
no_traffic_healthy_interval: 5s
{{- if .Values.common.openTelemetry.enabled }}
- name: otel_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: otel_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: pep-server-{{ .Values.global.appEnv }}
port_value: 9090
{{- end }}
- name: als_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: als_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: pep-server-{{ .Values.global.appEnv }}
port_value: 9090
- name: ext_authz_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: ext_authz_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: pep-server-{{ .Values.global.appEnv }}
port_value: 9090
- name: ext_proc_start_audit_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: ext_proc_start_audit_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: pep-server-{{ .Values.global.appEnv }}
port_value: 9090
{{- if ne (include "parent.dataplaneMode" . ) "shared" }}
- name: orchestrator_cluster
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
type: STRICT_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options:
connection_keepalive:
interval: 30s
timeout: 5s
load_assignment:
cluster_name: orchestrator_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: orchestrator-{{ .Values.global.appEnv }}
port_value: 50051
health_checks:
- timeout: 3s
interval: 3s
unhealthy_threshold: 1
healthy_threshold: 2
grpc_health_check:
service_name: ""
no_traffic_healthy_interval: 30s
- name: orchestrator_cluster-sse
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
type: STRICT_DNS
lb_policy: ROUND_ROBIN
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http_protocol_options: {}
load_assignment:
cluster_name: orchestrator_cluster-sse
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: orchestrator-{{ .Values.global.appEnv }}
port_value: 50052
{{- end }}
- name: inbound-worker-sse
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
http_protocol_options:
allow_chunked_length: true
typed_extension_protocol_options:
envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
type: LOGICAL_DNS
load_assignment:
cluster_name: inbound-worker-sse
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: inbound-worker-{{ .Values.global.appEnv }}
port_value: 7080
health_checks:
- timeout: 1s
interval: 20s
unhealthy_threshold: 3
healthy_threshold: 3
tcp_health_check: {}
- name: inbound-worker-http
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
http_protocol_options:
allow_chunked_length: true
typed_extension_protocol_options:
envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
type: LOGICAL_DNS
load_assignment:
cluster_name: inbound-worker-http
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: inbound-worker-{{ .Values.global.appEnv }}
port_value: 9080
health_checks:
- timeout: 1s
interval: 20s
unhealthy_threshold: 3
healthy_threshold: 3
tcp_health_check: {}
- name: inbound-worker-https
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
http_protocol_options:
allow_chunked_length: true
typed_extension_protocol_options:
envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
type: LOGICAL_DNS
load_assignment:
cluster_name: inbound-worker-https
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: inbound-worker-{{ .Values.global.appEnv }}
port_value: 9443
health_checks:
- timeout: 1s
interval: 20s
unhealthy_threshold: 3
healthy_threshold: 3
tcp_health_check: {}
- name: inbound-worker-ssh
connect_timeout: {{ .Values.envoy.timeouts.connectTimeout }}
typed_extension_protocol_options:
envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.tcp.v3.TcpProtocolOptions
idle_timeout: {{ .Values.envoy.timeouts.idleTimeout }}
type: LOGICAL_DNS
load_assignment:
cluster_name: inbound-worker-ssh
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: inbound-worker-{{ .Values.global.appEnv }}
port_value: 2222
health_checks:
- timeout: 1s
interval: 20s
unhealthy_threshold: 3
healthy_threshold: 3
tcp_health_check: {}
{{- end }}
{{- end }}
Reference in New Issue View Git Blame Copy Permalink