@the-wondersmith
Last active May 16, 2023 15:06
Simplified API Clarity Deployment w/ Istio + Envoy WASM Filter Traffic Source

The two attached files (apiclarity-values.yaml and envoy-filter.yaml) can be used to perform a vastly simplified installation of API Clarity to any Kubernetes cluster where Istio is already present.

To do so, first apply envoy-filter.yaml however you normally deploy workloads to your cluster.

e.g.

kubectl apply -f path/to/envoy-filter.yaml

Then follow the usual Helm installation guide from the official API Clarity repo, using the attached apiclarity-values.yaml file in place of the "default" values file referenced in step 2.

Once API Clarity has been deployed and becomes "ready", any other workload¹ in your cluster can be made to "report" its API traffic by applying the label(s) specified by {filter}.spec.workloadSelector.labels.

e.g.

kubectl label deployment my-super-cool-deployment tracing.apiclarity.io/enabled=true

After applying the appropriate label(s) to your desired workload(s), you should be able to continue as normal from step 5 of the API Clarity Helm installation guide.


  1. "workload" here meaning:
  • daemonsets
  • deployments
  • statefulsets

apiclarity-values.yaml

################################################################################################
# Values #
# #
# [[ref](https://github.com/openclarity/apiclarity/blob/master/charts/apiclarity/values.yaml)] #
# #
################################################################################################

#######################################################################################
## Global Values

global:
  bflaAutomaticLearningAndDetection:
    enable: true

## End of Global Values
#######################################################################################

#######################################################################################
## API Clarity Values

apiclarity:
  logLevel: info

## End of APIClarity Values
#######################################################################################

#######################################################################################
## APIClarity Traffic Source Values

trafficSource:
  envoyWasm:
    enabled: true
    enableIstioVerify: true
    # API Clarity's usual post-install patching job is
    # superseded by the "global" `EnvoyFilter` in istio's
    # root namespace along with the application of the
    # selector labels from `{filter}.spec.workloadSelector.labels`.
    #
    # tl;dr this `namespaces` field should be empty when using a
    # "global" `EnvoyFilter` as an API Clarity traffic source
    namespaces: []

# End of APIClarity Traffic Source Values
#######################################################################################

envoy-filter.yaml

---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  # the filter's `name` can be literally anything
  name: api-clarity-trace-filter
  # the filter should be deployed to whatever
  # istio considers its "root" namespace
  # [[ref](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig:~:text=No-,rootNamespace,-string)]
  namespace: istio-system
spec:
  priority: 2147000000  # APIClarity tracing should run as close to last as possible (to capture accurate data)
  workloadSelector:
    labels:
      # this can be almost any label, or even more than one label
      # if desired. Whatever value(s) are in this section though
      # must be present on any workload you'd like to "report" to
      # the API Clarity "collector" service
      tracing.apiclarity.io/enabled: "true"
  configPatches:
    - applyTo: EXTENSION_CONFIG
      patch:
        operation: ADD
        value:
          name: apiclarity-trace-filter
          typed_config:
            '@type': type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
            config:
              configuration:
                '@type': type.googleapis.com/google.protobuf.StringValue
                value: '{"service_mesh":"istio","trace_sampling_enabled":"false"}'
              root_id: apiclarity
              vm_config:
                code:
                  remote:
                    http_uri:
                      timeout: 60s
                      # Point this at literally any HTTP(S) url that
                      # supplies the API Clarity WASM filter binary
                      uri: >-
                        https://github.com/openclarity/wasm-filters/raw/a7b4eb86a990a87d665f5dea6926f7216caba604/bin/release/http-trace-filter.wasm
                    # This hash is a security precaution, but can *technically* be omitted
                    # NOTE: you *absolutely* should not omit it
                    sha256: >-
                      56835842030e03a2b4dcd6b6376c55a088781cbc0f3c2ab6284b74f852aec08b
                environment_variables:
                  key_values:
                    proxy_log: '1'
                runtime: envoy.wasm.runtime.v8
                vm_id: trace-filter
    - applyTo: HTTP_FILTER
      match:
        listener:
          filterChain:
            filter:
              name: envoy.filters.network.http_connection_manager
              subFilter:
                name: envoy.filters.http.router
      patch:
        operation: INSERT_BEFORE
        value:
          config_discovery:
            config_source:
              ads: {}
            type_urls:
              - type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
          name: apiclarity-trace-filter
    - applyTo: CLUSTER
      patch:
        operation: ADD
        value:
          connect_timeout: 0.5s
          lb_policy: ROUND_ROBIN
          load_assignment:
            cluster_name: trace_analyzer
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: apiclarity-apiclarity.apiclarity.svc.cluster.local
                          port_value: 9000
                          protocol: TCP
          name: trace_analyzer
          type: LOGICAL_DNS
    - applyTo: CLUSTER
      patch:
        operation: ADD
        value:
          connect_timeout: 0.5s
          lb_policy: ROUND_ROBIN
          load_assignment:
            cluster_name: trace-sampling-manager
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: apiclarity-apiclarity.apiclarity.svc.cluster.local
                          port_value: 9990
                          protocol: TCP
          name: trace-sampling-manager
          type: LOGICAL_DNS
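
The sha256 pin in envoy-filter.yaml can be checked against a local copy of the filter binary before the manifest is applied or the pin is updated. The script below is an added example, not part of the gist or of the API Clarity project; the function names (yaml_scalar, sha256_of, verify_wasm_pin) and the demo input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): check a local copy of the filter binary
# against the sha256 pinned in an EnvoyFilter manifest before applying it.

# Print the first value of KEY in FILE, written inline (`key: value`) or as a
# folded scalar (`key: >-` with the value on the following line).
yaml_scalar() {  # usage: yaml_scalar KEY FILE
  awk -v key="$1" '
    grab { gsub(/^[ \t]+|[ \t\r]+$/, ""); print; exit }
    {
      line = $0; sub(/^[ \t-]+/, "", line)
      if (index(line, key ":") != 1) next
      val = substr(line, length(key) + 2)
      gsub(/^[ \t]+|[ \t\r]+$/, "", val)
      if (val ~ /^[>|][-+]?$/) { grab = 1; next }
      print val; exit
    }' "$2"
}

sha256_of() {  # hex digest of a file, with a fallback when sha256sum is absent
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Returns 0 on match, 1 on mismatch, 2 when the pin is missing or malformed.
verify_wasm_pin() {  # usage: verify_wasm_pin MANIFEST WASM_FILE
  pinned=$(yaml_scalar sha256 "$1" | tr 'A-F' 'a-f')
  if ! printf '%s' "$pinned" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "missing or malformed sha256 pin in $1" >&2; return 2
  fi
  actual=$(sha256_of "$2")
  if [ "$actual" != "$pinned" ]; then
    echo "MISMATCH pinned=$pinned actual=$actual" >&2; return 1
  fi
  echo "OK: $2 matches pin $pinned"
}

# Constructed demo: a stand-in "binary" and a manifest fragment that pins it.
demo() {
  d=$(mktemp -d)
  printf 'constructed stand-in for the filter binary' > "$d/filter.wasm"
  printf 'remote:\n  sha256: >-\n    %s\n' "$(sha256_of "$d/filter.wasm")" > "$d/envoy-filter.yaml"
  verify_wasm_pin "$d/envoy-filter.yaml" "$d/filter.wasm"
  printf 'tampered' >> "$d/filter.wasm"
  verify_wasm_pin "$d/envoy-filter.yaml" "$d/filter.wasm" || echo "rejected after modification"
  rm -rf "$d"
}
demo
```

Against the real manifest, fetch the binary first with `curl -fsSL "$(yaml_scalar uri envoy-filter.yaml)" -o filter.wasm`, then run `verify_wasm_pin envoy-filter.yaml filter.wasm`.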