@skippy
Last active November 18, 2017 23:52
failing ssl usage
{
"listeners": [
{
"address": "tcp://0.0.0.0:443",
"ssl_context": {
"cert_chain_file": "/etc/envoy/cert/cert.crt",
"private_key_file": "/etc/envoy/cert/cert.key",
"ca_cert_file": "/etc/envoy/cert/cert.ca"
},
"filters": [
{
"type": "read",
"name": "http_connection_manager",
"config": {
"codec_type": "auto",
"generate_request_id": true,
"server_name": "",
"stat_prefix": "ingress_https",
"route_config": {
"virtual_hosts": [
{
"name": "backend",
"domains": ["*"],
"routes": [
{
"timeout_ms": 0,
"prefix": "/service-pdf/",
"prefix_rewrite": "/",
"cluster": "service-pdf"
}
]
}
]
},
"filters": [
{
"type": "both",
"name": "health_check",
"config": {
"pass_through_mode": false,
"endpoint": "/healthcheck"
}
},
{
"type": "decoder",
"name": "router",
"config": {}
}
],
"access_log": [
{
"path": "/dev/stdout"
}
]
}
}
]
}
],
"admin": {
"access_log_path": "/dev/stdout",
"address": "tcp://0.0.0.0:8001"
},
"cluster_manager": {
"clusters": [
{
"name": "service-pdf",
"connect_timeout_ms": 250,
"type": "logical_dns",
"service_name": "service-pdf",
"lb_type": "least_request",
"ssl_context": {
"ca_cert_file": "/etc/envoy/cert/cert.ca"
},
"hosts": [
{
"url": "tcp://service-pdf.default.svc.cluster.local:443"
}
]
}
]
}
}
$ # the envoy version
$ kubectl exec <envoy_edge_pod_name> -- envoy --version
envoy version: fc5b5da4901b5e4ffb0307b98c30076f695ea962/Clean/RELEASE
$ # hitting the service-envoy directly from edge envoy
$ kubectl exec <envoy_edge_pod_name> -- curl --cacert /etc/envoy/cert/cert.ca -is https://service-pdf.default.svc.cluster.local/status.json
HTTP/1.1 200 OK
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
content-type: application/json; charset=utf-8
etag: W/"b0eb2270edbaee695628701ced790922"
cache-control: max-age=0, private, must-revalidate
x-request-id: d4b8a446-efa1-4b2e-ae06-bed7d77d9b4f
x-runtime: 0.002212
x-envoy-upstream-service-time: 3
date: Thu, 01 Jun 2017 03:09:38 GMT
server:
transfer-encoding: chunked
{"revision":"b5484f8","time":"2017-06-01T03:09:38.836Z","app_key":"service.pdf"}
$ # hitting the envoy-edge directly
$ curl -k $(minikube service --https --url envoy-internal)/service-pdf/status.json
upstream connect error or disconnect/reset before headers
$ # after the servers have been restarted with the ssl_context removed
$ curl -i -k $(minikube service --https --url envoy-internal)/service-pdf/status.json
HTTP/1.1 200 OK
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
content-type: application/json; charset=utf-8
etag: W/"335be8e7ab9ca8d69dde9e7e0fb361f6"
cache-control: max-age=0, private, must-revalidate
x-request-id: 00416fed-9b60-4426-b9d2-d7f8bea67b94
x-runtime: 0.002838
x-envoy-upstream-service-time: 5
date: Thu, 01 Jun 2017 03:27:50 GMT
server:
transfer-encoding: chunked
{"revision":"b5484f8","time":"2017-06-01T03:27:50.869Z","app_key":"service.pdf"}
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDD0q5Oc/9+N6vshJn6uxpWnJHRIfR1vKN782A/evDPjYODCOxFSr8dC
Nc6eHxNPFm6gBwYFK4EEACKhZANiAAQ55e4R6YIssDREmBSLj2DbXJ0JzBntG2NP
gDO1L/zXGGgQdMyhBxHFzq+gYaWSyjt/3TrtNVAgOZDat5DCK/Opk49HgknEPkwG
nN1r5DqOJ6NhtARhbOKBnrejpP+Ht3s=
-----END EC PRIVATE KEY-----
{
"listeners": [
{
"address": "tcp://0.0.0.0:443",
"ssl_context": {
"alpn_protocols": "h2,http/1.1",
"alt_alpn_protocols": "http/1.1",
"cert_chain_file": "/etc/envoy/cert/cert.crt",
"private_key_file": "/etc/envoy/cert/cert.key",
"ca_cert_file": "/etc/envoy/cert/cert.ca"
},
"filters": [
{
"type": "read",
"name": "http_connection_manager",
"config": {
"codec_type": "auto",
"generate_request_id": true,
"add_user_agent": true,
"server_name": "",
"stat_prefix": "service-pdf",
"use_remote_address": true,
"route_config": {
"virtual_hosts": [
{
"name": "service-pdf",
"domains": ["*"],
"routes": [
{
"prefix": "/",
"cluster": "local-service"
}
]
}
]
},
"filters": [
{
"type": "both",
"name": "health_check",
"config": {
"pass_through_mode": false,
"endpoint": "/healthcheck"
}
},
{
"type": "decoder",
"name": "router",
"config": {}
}
],
"access_log": [
{
"path": "/dev/stdout"
}
]
}
}
]
}
],
"admin": {
"access_log_path": "/dev/stdout",
"address": "tcp://0.0.0.0:8001"
},
"cluster_manager": {
"clusters": [
{
"name": "local-service",
"service_name": "local-service",
"connect_timeout_ms": 250,
"type": "static",
"lb_type": "round_robin",
"hosts": [
{
"url": "tcp://127.0.0.1:3000"
}
],
"health_check": {
"type": "http",
"timeout_ms": 5000,
"interval_ms": 5000,
"interval_jitter_ms": 2000,
"unhealthy_threshold": 2,
"healthy_threshold": 2,
"path": "/status.json"
}
}
]
}
}