Created
August 7, 2020 09:55
-
-
Save OscarAyoy/dbffb40a3e0b3a888b68f7c8ea7cab0f to your computer and use it in GitHub Desktop.
Quick and dirty example of using an Envoy sidecar to terminate TLS.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| name: sidecar-test-deploy | |
| labels: | |
| app: sidecar-test | |
| spec: | |
| replicas: 1 | |
| selector: | |
| matchLabels: | |
| app: sidecar-test | |
| template: | |
| metadata: | |
| name: sidecar-test-pod | |
| labels: | |
| app: sidecar-test | |
| spec: | |
| containers: | |
| # The application being proxied. | |
| - name: app | |
| # TODO: Insert name of desired image here. | |
| image: "" | |
| ports: | |
| - name: http | |
| containerPort: 8080 | |
| protocol: TCP | |
| # The sidecar. | |
| - name: sidecar | |
| image: envoyproxy/envoy:v1.15-latest | |
| ports: | |
| - name: https | |
| containerPort: 8443 | |
| protocol: TCP | |
| volumeMounts: | |
| - name: sidecar-config | |
| mountPath: "/etc/envoy" | |
| readOnly: true | |
| - name: sidecar-certs | |
| mountPath: "/certs" | |
| readOnly: true | |
| volumes: | |
| - name: sidecar-config | |
| configMap: | |
| name: sidecar-test-configmap | |
| - name: sidecar-certs | |
| secret: | |
| secretName: sidecar-test-secret | |
| --- | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: sidecar-test-configmap | |
| labels: | |
| app: sidecar-test | |
| data: | |
| envoy.yaml: | | |
| # Simple Envoy TLS terminating sidecar configuration. | |
| static_resources: | |
| listeners: | |
| - address: | |
| socket_address: | |
| address: 0.0.0.0 | |
| port_value: 8443 | |
| filter_chains: | |
| - filters: | |
| - name: envoy.filters.network.http_connection_manager | |
| typed_config: | |
| "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager | |
| codec_type: auto | |
| stat_prefix: ingress_http | |
| route_config: | |
| name: local_route | |
| virtual_hosts: | |
| - name: service | |
| domains: | |
| - "*" | |
| routes: | |
| - match: | |
| prefix: "/" | |
| route: | |
| cluster: local_service | |
| http_filters: | |
| - name: envoy.filters.http.router | |
| typed_config: {} | |
| tls_context: | |
| common_tls_context: | |
| tls_certificates: | |
| - certificate_chain: | |
| filename: "/certs/tls.crt" | |
| private_key: | |
| filename: "/certs/tls.key" | |
| clusters: | |
| - name: local_service | |
| connect_timeout: 0.25s | |
| type: strict_dns | |
| lb_policy: round_robin | |
| hosts: | |
| - socket_address: | |
| address: 127.0.0.1 | |
| port_value: 8080 | |
| admin: | |
| access_log_path: /dev/null | |
| address: | |
| socket_address: | |
| address: 0.0.0.0 | |
| port_value: 8082 | |
| --- | |
| apiVersion: v1 | |
| kind: Secret | |
| metadata: | |
| name: sidecar-test-secret | |
| labels: | |
| app: sidecar-test | |
| type: kubernetes.io/tls | |
| data: | |
| # NB: Random self-signed certificate. | |
| # Ref: https://letsencrypt.org/sv/docs/certificates-for-localhost/ | |
| tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1VENDQWMyZ0F3SUJBZ0lKQU52eC82UkdyU3FQTUEwR0NTcUdTSWIzRFFFQkN3VUFNQlF4RWpBUUJnTlYKQkFNTUNXeHZZMkZzYUc5emREQWVGdzB5TURBNE1EY3dPRFF6TkRSYUZ3MHlNREE1TURZd09EUXpORFJhTUJReApFakFRQmdOVkJBTU1DV3h2WTJGc2FHOXpkRENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DCmdnRUJBTWV2MFQrMlRKL0svVVprRzBaeXdzamxmekhGNEZPZUpsRklwUnIzMzRjRGRkWnVFTlZKMmJiYWlzZGQKUWwxS1dOdWR1UG1YeVJGZnk5WlRWLzJKRlB2RFREUHpvaXNSaXhJN1RPQlFPQk95ZWt1cnVwc2YxNHl4d3pkZgoyZEI3SFFzc3JRZm90Z21aYkloZ011OTJjdVI4bG9reVoyZ251UlZMb0FjOEhBYjErUUJqRGNranB0VWhuTEJ0CkRjMEw0YVJHSklkMHo3QkhJcm16S3RxaWJaUjNjN0tEL1hqMnNaTHBoY2dIMnJMRm1GWmJBdHNhODN6Q2dUZUYKSmYzUXVIQko4WjJNR3JiRUd5RGhCM2tLMHpURTdrb1VHMEl2bGxvRXl3bUdkeUFoRklaOVlDako3c05xTW1FeQpHYWZpeTFsVHhhZS9SZStFUXMyKzdvL204K3NDQXdFQUFhTTZNRGd3RkFZRFZSMFJCQTB3QzRJSmJHOWpZV3hvCmIzTjBNQXNHQTFVZER3UUVBd0lIZ0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFUQU5CZ2txaGtpRzl3MEIKQVFzRkFBT0NBUUVBZFRGcVdwb0xrditvUUZLd3RyVHlvZ0J2ZUY0dVlBT21yQzhlZUFQZE5kKzQ5MTNqMVQxMApjVlhaYWgrMVdKM3NEMElEOWh4K3B2T2RubjFZMHVDbXpCNzVHQzF6eWxBOFRhYlpJNUhKT0FRUjF1TDJUL0ExClNtYi9GUE0zWnhwUzNwaUlTNjRPTjkrNXR2UUwrUHpWUkRrcGh0SXo5S3hVZXdnZGs3Z3l1NmdYaU5QT1dWajcKRVEvaCt0ei8zd1hhRllVZXdhaGN6ODgyaDZ0RGQvbHZBQmdJSmYvUEttQ1FjaElUK1RrNUFiK2dva1JobUVKTApaZEZwM2svc1U0RmhkYXBnZklzYURMNG9ELzRPcDdpWEtjODM0NFV1YUVQU2hKUlRrWkNnRVN4NjRXRHp6Mk1vCkJaNmpURitmMWNRTU1iT3Eyb0xLZWNVSUt6MVd0cWlXbWc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== | |
| tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRREhyOUUvdGt5Znl2MUcKWkJ0R2NzTEk1WDh4eGVCVG5pWlJTS1VhOTkrSEEzWFdiaERWU2RtMjJvckhYVUpkU2xqYm5iajVsOGtSWDh2VwpVMWY5aVJUN3cwd3o4NklyRVlzU08wemdVRGdUc25wTHE3cWJIOWVNc2NNM1g5blFleDBMTEswSDZMWUptV3lJCllETHZkbkxrZkphSk1tZG9KN2tWUzZBSFBCd0c5ZmtBWXczSkk2YlZJWnl3YlEzTkMrR2tSaVNIZE0rd1J5SzUKc3lyYW9tMlVkM095Zy8xNDlyR1M2WVhJQjlxeXhaaFdXd0xiR3ZOOHdvRTNoU1g5MExod1NmR2RqQnEyeEJzZwo0UWQ1Q3RNMHhPNUtGQnRDTDVaYUJNc0pobmNnSVJTR2ZXQW95ZTdEYWpKaE1obW40c3RaVThXbnYwWHZoRUxOCnZ1NlA1dlByQWdNQkFBRUNnZ0VBUTNjVlhVODhLQ2l1MVo5d3o2WnFSUEcwdlo0N0lrVW1jUVA0TkZwV3ZRamcKUVNoQ3E2MGR6M2VhdDZ5OGhVUmZMU1Btb1AwMVE1ZDRDTnR6dVFjZGZjb0g3dTE3ZHMyZ2pQSllFTmxKZU80dAovMjd2eHdWRkVCWG0vTWgza01abms2VHVlT09ZelRsMnY4U3dzTkwyRWxnOWkvRHBtdmtBd1Q4aHZCQUU4QnlGCjByZi9DeUhHaDhyRmlOaFhPUGFLVGNPTEJ3b0xwWW40NkJTMFlsVENaaVpDNE51VFRzL3VSU241UnE4K1N2QTgKMnlSSzRCV1ArT0VFOUxwYjJjNXJOYTNtajZUQ3dROVU3N0hlTzhPMVI0cFFnVis3T0hWVFJobjVHcTFPbjkwdQo2T3J5OGhCZFl4ejRpRnJLc1Q5NWhmVkRpZVJic3d1R1FienJXN2RJd1FLQmdRRGkxby93aDlNQkRJUDNIMmIrCk94Q1B3UGQ2NjE4Si9wNFpEeFNKY21WRnBRT0JhWEFNc2FVWTdBZUdkRGkwWkVxZ20vUXdIc3BGVmVYY0RLd0sKdGVjWjRvV0F3L0Iyb3gvZWlxTldlalJ5b2huZHVUdERxcjJ6T3RBbFJkYjJybW5GczhjVnpYU1g3a1AwV1VUZgpWR1lHUHVVUVNVS0pKQmVtanhmTEVCL0FPd0tCZ1FEaFc2NVQzQmdYYXR1eDMyUDgwejBwTCtUZERYNUlUTmlxCnZuYk9kbjRydDVRM0JNUVI5TSs0NjJyL3RuNkJ2QlJaRzdjUHV5RjhENjVDNnl5SGhSNEhUVTh6dDRJNVA1TTkKcjFnQnVVaGRLTXBmbFJOdUg0c1lTaFhWUm85R2syTFVNcmp0bU1mSW15eTRrZTkxYmVSNFJUOS9BL3V3cVdVOQo5S3JUWkY2UUVRS0JnUURMQUMyTW1tRHcvVnhVR2R3NEJHL0wxbXNqcStRL3M0ZVU4WFAxbFZTZ1FRNmtEOUhnCjZsSFB2ZHIyTHFoWWQ3QjVqMWUyZ0xlUDJWRjkzakZRM0gxWEl1dEswdzh0Zk1xV2hBZXM2bXhwY2p3bnV3OFkKZllLTEZVVVZOaTBzVWVZQ3NlS20xbGxUWmoyV1BSVnZyNzRtTkw4V0ZobmZWVmQ5RFczRG9raG41UUtCZ0Viego4SzBpak10Q3I2MFBJcElGaUNvaGxETXMvbWVSR2w2WDNSd2dIcFZ4RlU5RlJ0NUliK1pPNkw5ZUcvS0kzdmMzClRLbTlSMHVpUEVHQmZlR2xQZEVhdkNjU1RnUHNTbFdQa1d2cGhDa2dvS2I3YnNTclZjWHQvWFhLNDIxYkZqQ3QKVDZBdkRDZlRBMytSSXcyYjdlVVlHR2ZMUDBGZDlDeFBqa0ZFUnFtaEFvR0FKVlhaM3ZtSEVTV05RYkNFNFFwNApNQ2hzSnliNis5SlpJMU5KYUhZWHd0cHQ4TnNlSXBwNkpCNU1xQlcvYUZNZ1cvcG44djRtWmdxZkNKL0RMRFFyCjU2elhzcmlVN3N2SWFadUtLN1hmemsvbFJydE91OUIvaURYRkZFQVlRclBMWWwwVmZnWEp6cjdNVTBsdzdMSmsKb2NPN3dyTzU1L1oxMzAzOVhEWjgrYUU9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K | |
| --- | |
| # Service used for testing on Docker for Mac. Replace with Ingress. | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| name: sidecar-test-service | |
| labels: | |
| app: sidecar-test | |
| spec: | |
| type: NodePort | |
| selector: | |
| app: sidecar-test | |
| ports: | |
| - port: 8443 | |
| targetPort: 8443 | |
| nodePort: 30000 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment