examples: Add TLS sandbox #13844
Merged
Changes from 13 commits

Commits (45, all by phlax):

- 5afbda6 examples: Add TLS sandbox
- 92f36fe docs/ci: Update docs publishing
- 76c9d60 remove pipeline dep check
- 34b9c06 docs/
- e7e21a9 docs/
- e39f44a examples/
- 535bc91 docs/
- d687992 docs/
- 420fc4c examples/
- 3b7b0fa docs/
- 7734c12 docs/
- b95da5d examples/
- e01647e examples/
- 815eaf1 docs/
- 3593e4e Revert "remove pipeline dep check"
- 2e28810 Revert "docs/ci: Update docs publishing"
- 5213817 Add responds_without utility function
- c149344 examples/
- c36490c Merge branch 'master' into examples-tls-sandbox
- 87d9b1e docs/
- 567a5d6 docs/
- db3b14f docs/
- 5f13d12 docs/
- 4dfbb8e Merge branch 'master' into examples-tls-sandbox
- db255b9 docs/
- 002b836 docs/
- 6a1d0a0 docs/
- 34cca9c docs/
- 05af2f3 docs/
- 04f0485 docs/
- f705da7 docs/
- 72d3926 docs/
- 8846c46 docs/
- e09cde3 docs/
- 56ba320 docs/
- 0077912 docs/
- 4580de1 docs/
- b78290a docs/
- 12fcf2d docs/
- 97a6a1a docs/
- aee256a docs/
- f1b1aca docs/
- 2aa4bac docs/
- 2f6d39c docs/
- 496e049 docs/
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -27,5 +27,6 @@ features. The following sandboxes are available: | |
| mysql | ||
| postgres | ||
| redis | ||
| tls | ||
| wasm-cc | ||
| zipkin_tracing | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| .. _install_sandboxes_tls: | ||
|
|
||
| TLS | ||
| === | ||
|
|
||
| This example walks through some of the ways that Envoy can be configured to make | ||
| use of encrypted connections using ``TLS`` over ``HTTP``. | ||
|
|
||
|
|
||
| It demonstrates a number of commonly used proxying and ``TLS`` termination patterns: | ||
|
|
||
| - ``https`` -> ``http`` | ||
| - ``https`` -> ``https`` | ||
| - ``http`` -> ``https`` | ||
| - ``https`` passthrough | ||
|
|
||
| .. include:: _include/docker-env-setup.rst | ||
|
|
||
| Change directory to ``examples/tls`` in the Envoy repository. | ||
|
|
||
| Step 3: Build the sandbox | ||
| ************************* | ||
|
|
||
| .. code-block:: console | ||
|
|
||
| $ pwd | ||
| envoy/examples/tls | ||
| $ docker-compose pull | ||
| $ docker-compose up --build -d | ||
| $ docker-compose ps | ||
|
|
||
| Name Command State Ports | ||
| ----------------------------------------------------------------------------------------------- | ||
| tls_proxy-https-to-http_1 /docker-entrypoint.sh /usr ... Up 0.0.0.0:10000->10000/tcp | ||
| tls_proxy-https-to-https_1 /docker-entrypoint.sh /usr ... Up 0.0.0.0:10001->10000/tcp | ||
| tls_proxy-http-to-https_1 /docker-entrypoint.sh /usr ... Up 0.0.0.0:10002->10000/tcp | ||
| tls_proxy-https-passthrough_1 /docker-entrypoint.sh /usr ... Up 0.0.0.0:10003->10000/tcp | ||
| tls_service-http_1 node ./index.js Up | ||
| tls_service-https_1 node ./index.js Up | ||
|
|
||
| Step 4: Test proxying ``https`` -> ``http`` | ||
| ******************************************** | ||
|
|
||
| The Envoy proxy listening on https://localhost:10000 terminates ``HTTPS`` and proxies to the upstream ``HTTP`` service. | ||
|
|
||
|
|
||
| .. code-block:: console | ||
|
|
||
| $ curl -sk https://localhost:10000 | jq '.headers["x-forwarded-proto"]' | ||
| "https" | ||
|
|
||
| $ curl -sk https://localhost:10000 | jq '.os.hostname' | ||
| "service-http" | ||
|
|
||
| Step 5: Test proxying ``https`` -> ``https`` | ||
| ******************************************** | ||
|
|
||
| The Envoy proxy listening on https://localhost:10001 terminates ``HTTPS`` and proxies to the upstream ``HTTPS`` service. | ||
|
|
||
| .. code-block:: console | ||
|
|
||
| $ curl -sk https://localhost:10001 | jq '.headers["x-forwarded-proto"]' | ||
| "https" | ||
|
|
||
| $ curl -sk https://localhost:10001 | jq '.os.hostname' | ||
| "service-https" | ||
|
|
||
| Step 6: Test proxying ``http`` -> ``https`` | ||
| ******************************************* | ||
|
|
||
| The Envoy proxy listening on https://localhost:10002 terminates ``HTTP`` and proxies to the upstream ``HTTPS`` service. | ||
|
|
||
|
|
||
| .. code-block:: console | ||
|
|
||
| $ curl -s http://localhost:10002 | jq '.headers["x-forwarded-proto"]' | ||
| "http" | ||
|
|
||
| $ curl -s http://localhost:10002 | jq '.os.hostname' | ||
| "service-https" | ||
|
|
||
|
|
||
| Step 7: Test proxying ``https`` passthrough | ||
| ******************************************* | ||
|
|
||
| The Envoy proxy listening on https://localhost:10003 proxies directly to the upstream ``HTTPS`` service which | ||
| does the termination. | ||
|
|
||
|
|
||
| .. code-block:: console | ||
|
|
||
| $ curl -s http://localhost:10002 | jq '.headers["x-forwarded-proto"]' | ||
|
|
||
| "http" | ||
|
|
||
| $ curl -s http://localhost:10002 | jq '.os.hostname' | ||
| "service-https" | ||
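Review bot: Step 7 (the ``https`` passthrough test) still targets ``http://localhost:10002``, which is the ``http`` -> ``https`` proxy tested in Step 6; the passthrough listener is published on 10003, so both commands should read ``curl -sk https://localhost:10003 | ...``. Because Envoy does not terminate TLS on that path it cannot inject an ``x-forwarded-proto`` header, so the expected ``"http"`` output copied from Step 6 also needs re-checking against a real run. In Step 6 the proxy is described as "listening on https://localhost:10002" and as terminating ``HTTP``, but the test uses plain ``http://``; say instead that it accepts plaintext HTTP on http://localhost:10002 and originates TLS to the upstream. Finally, every HTTPS test passes ``-k``; one sentence explaining that this disables certificate verification only because the sandbox serves a self-signed certificate with ``CN=front-envoy``, which does not match ``localhost``, would stop readers carrying the flag into non-sandbox setups.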
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| FROM envoyproxy/envoy-dev:latest | ||
|
|
||
| COPY ./envoy-http-https.yaml /etc/envoy.yaml | ||
| RUN chmod go+r /etc/envoy.yaml | ||
| CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml"] |
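Review bot: ``CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml"]`` passes ``-c /etc/envoy.yaml`` as a single argv element; in exec form the flag and its value belong in separate strings, ``CMD ["/usr/local/bin/envoy", "-c", "/etc/envoy.yaml"]``, so the config path does not depend on the argument parser splitting on whitespace. The same applies to the three Dockerfile hunks that follow. Since all four files differ only in the ``COPY`` source, a single Dockerfile with a build ``ARG`` for the config file name (set per service in docker-compose) would remove the duplication. ``FROM envoyproxy/envoy-dev:latest`` is also unpinned, which is acceptable for a dev sandbox but means the example's behaviour can change without any change to this repository.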
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| FROM envoyproxy/envoy-dev:latest | ||
|
|
||
| COPY ./envoy-https-http.yaml /etc/envoy.yaml | ||
| RUN chmod go+r /etc/envoy.yaml | ||
| CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml"] |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| FROM envoyproxy/envoy-dev:latest | ||
|
|
||
| COPY ./envoy-https-https.yaml /etc/envoy.yaml | ||
| RUN chmod go+r /etc/envoy.yaml | ||
| CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml"] |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| FROM envoyproxy/envoy-dev:latest | ||
|
|
||
| COPY ./envoy-https-passthrough.yaml /etc/envoy.yaml | ||
| RUN chmod go+r /etc/envoy.yaml | ||
| CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml"] |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| To learn about this sandbox and for instructions on how to run it please head over | ||
| to the [Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/start/sandboxes/tls.html). |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| version: "3.7" | ||
| services: | ||
|
|
||
| proxy-https-to-http: | ||
| build: | ||
| context: . | ||
| dockerfile: Dockerfile-proxy-https-http | ||
| ports: | ||
| - "10000:10000" | ||
|
|
||
| proxy-https-to-https: | ||
| build: | ||
| context: . | ||
| dockerfile: Dockerfile-proxy-https-https | ||
| ports: | ||
| - "10001:10000" | ||
|
|
||
| proxy-http-to-https: | ||
| build: | ||
| context: . | ||
| dockerfile: Dockerfile-proxy-http-https | ||
| ports: | ||
| - "10002:10000" | ||
|
|
||
| proxy-https-passthrough: | ||
| build: | ||
| context: . | ||
| dockerfile: Dockerfile-proxy-https-passthrough | ||
| ports: | ||
| - "10003:10000" | ||
|
|
||
| service-http: | ||
| image: mendhak/http-https-echo | ||
| hostname: service-http | ||
| environment: | ||
| - HTTPS_PORT=0 | ||
|
|
||
| service-https: | ||
| image: mendhak/http-https-echo | ||
| hostname: service-https | ||
| environment: | ||
| - HTTP_PORT=0 |
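Review bot: ``image: mendhak/http-https-echo`` is used without a tag or digest for both echo services, so ``docker-compose pull`` fetches whatever ``latest`` happens to be at the time; pinning a tag (or an ``@sha256:`` digest) keeps the sandbox reproducible and avoids silently pulling a changed third-party image. On the positive side the echo services map no host ports, so only the four Envoy listeners (10000-10003) are reachable from the host; that is worth stating in the docs so readers know the upstreams are only reachable through the proxies.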
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| static_resources: | ||
| listeners: | ||
| - address: | ||
| socket_address: | ||
| address: 0.0.0.0 | ||
| port_value: 10000 | ||
| filter_chains: | ||
| - filters: | ||
| - name: envoy.filters.network.http_connection_manager | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager | ||
| codec_type: auto | ||
| stat_prefix: ingress_http | ||
| route_config: | ||
| name: local_route | ||
| virtual_hosts: | ||
| - name: app | ||
| domains: | ||
| - "*" | ||
| routes: | ||
| - match: | ||
| prefix: "/" | ||
| route: | ||
| cluster: service-https | ||
| http_filters: | ||
| - name: envoy.filters.http.router | ||
|
|
||
| clusters: | ||
| - name: service-https | ||
| connect_timeout: 0.25s | ||
| type: strict_dns | ||
| lb_policy: round_robin | ||
| load_assignment: | ||
| cluster_name: service-https | ||
| endpoints: | ||
| - lb_endpoints: | ||
| - endpoint: | ||
| address: | ||
| socket_address: | ||
| address: service-https | ||
| port_value: 443 | ||
| transport_socket: | ||
| name: envoy.transport_sockets.tls | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | ||
|
|
||
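Review bot: the ``UpstreamTlsContext`` on the ``service-https`` cluster has an empty ``typed_config``, so no ``validation_context`` (``trusted_ca``) and no ``sni`` are configured and Envoy will not verify the upstream's certificate at all. That is presumably deliberate here because the echo service presents a self-signed certificate, but a YAML comment saying so, and noting that a real deployment should set ``common_tls_context.validation_context.trusted_ca`` together with ``sni`` and hostname verification, would stop this snippet being copied as a template for verified upstream TLS.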
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| static_resources: | ||
| listeners: | ||
| - address: | ||
| socket_address: | ||
| address: 0.0.0.0 | ||
| port_value: 10000 | ||
| filter_chains: | ||
| - filters: | ||
| - name: envoy.filters.network.http_connection_manager | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager | ||
| codec_type: auto | ||
| stat_prefix: ingress_http | ||
| route_config: | ||
| name: local_route | ||
| virtual_hosts: | ||
| - name: app | ||
| domains: | ||
| - "*" | ||
| routes: | ||
| - match: | ||
| prefix: "/" | ||
| route: | ||
| cluster: service-http | ||
| http_filters: | ||
| - name: envoy.filters.http.router | ||
| transport_socket: | ||
| name: envoy.transport_sockets.tls | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext | ||
| common_tls_context: | ||
| tls_certificates: | ||
| # The following self-signed certificate pair is generated using: | ||
| # $ openssl req -x509 -newkey rsa:2048 -keyout a/front-proxy-key.pem -out a/front-proxy-crt.pem -days 3650 -nodes -subj '/CN=front-envoy' | ||
| # | ||
| # Instead of feeding it as an inline_string, certificate pair can also be fed to Envoy | ||
| # via filename. Reference: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#config-core-v3-datasource. | ||
| # | ||
| # Or in a dynamic configuration scenario, certificate pair can be fetched remotely via | ||
| # Secret Discovery Service (SDS). Reference: https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret. | ||
| certificate_chain: | ||
| inline_string: | | ||
| -----BEGIN CERTIFICATE----- | ||
| MIICqDCCAZACCQCquzpHNpqBcDANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtm | ||
| cm9udC1lbnZveTAeFw0yMDA3MDgwMTMxNDZaFw0zMDA3MDYwMTMxNDZaMBYxFDAS | ||
| BgNVBAMMC2Zyb250LWVudm95MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC | ||
| AQEAthnYkqVQBX+Wg7aQWyCCb87hBce1hAFhbRM8Y9dQTqxoMXZiA2n8G089hUou | ||
| oQpEdJgitXVS6YMFPFUUWfwcqxYAynLK4X5im26Yfa1eO8La8sZUS+4Bjao1gF5/ | ||
| VJxSEo2yZ7fFBo8M4E44ZehIIocipCRS+YZehFs6dmHoq/MGvh2eAHIa+O9xssPt | ||
| ofFcQMR8rwBHVbKy484O10tNCouX4yUkyQXqCRy6HRu7kSjOjNKSGtjfG+h5M8bh | ||
| 10W7ZrsJ1hWhzBulSaMZaUY3vh5ngpws1JATQVSK1Jm/dmMRciwlTK7KfzgxHlSX | ||
| 58ENpS7yPTISkEICcLbXkkKGEQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCmj6Hg | ||
| vwOxWz0xu+6fSfRL6PGJUGq6wghCfUvjfwZ7zppDUqU47fk+yqPIOzuGZMdAqi7N | ||
| v1DXkeO4A3hnMD22Rlqt25vfogAaZVToBeQxCPd/ALBLFrvLUFYuSlS3zXSBpQqQ | ||
| Ny2IKFYsMllz5RSROONHBjaJOn5OwqenJ91MPmTAG7ujXKN6INSBM0PjX9Jy4Xb9 | ||
| zT+I85jRDQHnTFce1WICBDCYidTIvJtdSSokGSuy4/xyxAAc/BpZAfOjBQ4G1QRe | ||
| 9XwOi790LyNUYFJVyeOvNJwveloWuPLHb9idmY5YABwikUY6QNcXwyHTbRCkPB2I | ||
| m+/R4XnmL4cKQ+5Z | ||
| -----END CERTIFICATE----- | ||
| private_key: | ||
| inline_string: | | ||
| -----BEGIN PRIVATE KEY----- | ||
| MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC2GdiSpVAFf5aD | ||
| tpBbIIJvzuEFx7WEAWFtEzxj11BOrGgxdmIDafwbTz2FSi6hCkR0mCK1dVLpgwU8 | ||
| VRRZ/ByrFgDKcsrhfmKbbph9rV47wtryxlRL7gGNqjWAXn9UnFISjbJnt8UGjwzg | ||
| Tjhl6EgihyKkJFL5hl6EWzp2Yeir8wa+HZ4Achr473Gyw+2h8VxAxHyvAEdVsrLj | ||
| zg7XS00Ki5fjJSTJBeoJHLodG7uRKM6M0pIa2N8b6HkzxuHXRbtmuwnWFaHMG6VJ | ||
| oxlpRje+HmeCnCzUkBNBVIrUmb92YxFyLCVMrsp/ODEeVJfnwQ2lLvI9MhKQQgJw | ||
| tteSQoYRAgMBAAECggEAeDGdEkYNCGQLe8pvg8Z0ccoSGpeTxpqGrNEKhjfi6NrB | ||
| NwyVav10iq4FxEmPd3nobzDPkAftfvWc6hKaCT7vyTkPspCMOsQJ39/ixOk+jqFx | ||
| lNa1YxyoZ9IV2DIHR1iaj2Z5gB367PZUoGTgstrbafbaNY9IOSyojCIO935ubbcx | ||
| DWwL24XAf51ez6sXnI8V5tXmrFlNXhbhJdH8iIxNyM45HrnlUlOk0lCK4gmLJjy9 | ||
| 10IS2H2Wh3M5zsTpihH1JvM56oAH1ahrhMXs/rVFXXkg50yD1KV+HQiEbglYKUxO | ||
| eMYtfaY9i2CuLwhDnWp3oxP3HfgQQhD09OEN3e0IlQKBgQDZ/3poG9TiMZSjfKqL | ||
| xnCABMXGVQsfFWNC8THoW6RRx5Rqi8q08yJrmhCu32YKvccsOljDQJQQJdQO1g09 | ||
| e/adJmCnTrqxNtjPkX9txV23Lp6Ak7emjiQ5ICu7iWxrcO3zf7hmKtj7z+av8sjO | ||
| mDI7NkX5vnlE74nztBEjp3eC0wKBgQDV2GeJV028RW3b/QyP3Gwmax2+cKLR9PKR | ||
| nJnmO5bxAT0nQ3xuJEAqMIss/Rfb/macWc2N/6CWJCRT6a2vgy6xBW+bqG6RdQMB | ||
| xEZXFZl+sSKhXPkc5Wjb4lQ14YWyRPrTjMlwez3k4UolIJhJmwl+D7OkMRrOUERO | ||
| EtUvc7odCwKBgBi+nhdZKWXveM7B5N3uzXBKmmRz3MpPdC/yDtcwJ8u8msUpTv4R | ||
| JxQNrd0bsIqBli0YBmFLYEMg+BwjAee7vXeDFq+HCTv6XMva2RsNryCO4yD3I359 | ||
| XfE6DJzB8ZOUgv4Dvluie3TB2Y6ZQV/p+LGt7G13yG4hvofyJYvlg3RPAoGAcjDg | ||
| +OH5zLN2eqah8qBN0CYa9/rFt0AJ19+7/smLTJ7QvQq4g0gwS1couplcCEnNGWiK | ||
| 72y1n/ckvvplmPeAE19HveMvR9UoCeV5ej86fACy8V/oVpnaaLBvL2aCMjPLjPP9 | ||
| DWeCIZp8MV86cvOrGfngf6kJG2qZTueXl4NAuwkCgYEArKkhlZVXjwBoVvtHYmN2 | ||
| o+F6cGMlRJTLhNc391WApsgDZfTZSdeJsBsvvzS/Nc0burrufJg0wYioTlpReSy4 | ||
| ohhtprnQQAddfjHP7rh2LGt+irFzhdXXQ1ybGaGM9D764KUNCXLuwdly0vzXU4HU | ||
| q5sGxGrC1RECGB5Zwx2S2ZY= | ||
| -----END PRIVATE KEY----- | ||
|
|
||
| clusters: | ||
| - name: service-http | ||
| connect_timeout: 0.25s | ||
| type: strict_dns | ||
| lb_policy: round_robin | ||
| load_assignment: | ||
| cluster_name: service-http | ||
| endpoints: | ||
| - lb_endpoints: | ||
| - endpoint: | ||
| address: | ||
| socket_address: | ||
| address: service-http | ||
| port_value: 80 |
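Review bot: the comment above ``tls_certificates`` (``-keyout a/front-proxy-key.pem -out a/front-proxy-crt.pem ... -subj '/CN=front-envoy'``) is carried over from the front-proxy sandbox and names files and a CN this example does not otherwise use; update it to this sandbox and state explicitly that the inline pair is a throwaway sample whose private key is now public and must never be reused outside the sandbox. It is also worth noting there that ``CN=front-envoy`` does not match ``localhost``, which is the reason the docs' ``curl`` commands need ``-k``.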