Implement envoy route config for opentelemetry-collector

manifests/pipecd/templates/deployment.yaml

@@ -17,6 +17,8 @@ spec:
       labels:
         {{- include "pipecd.selectorLabels" . | nindent 8 }}
         app.kubernetes.io/component: gateway
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/envoy-configmap.yaml") . | sha256sum }} # ref; https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
     spec:
       {{- if or .Values.serviceAccount.create .Values.serviceAccount.name }}
       serviceAccountName: {{ include "pipecd.serviceAccountName" . }}

manifests/pipecd/templates/envoy-configmap.yaml

@@ -20,7 +20,7 @@ data:
           socket_address:
             address: 0.0.0.0
             port_value: 9090
-        filter_chains:
+        filter_chains: # We cannot turn off ext_authz by default, so we have to turn it off in config for each route that doesn't need authz.
         - filters:
           - name: envoy.filters.network.http_connection_manager
             typed_config:
@@ -32,6 +32,14 @@ data:
                 typed_config:
                   "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
               http_filters:
+              - name: envoy.filters.http.ext_authz
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+                  grpc_service:
+                    envoy_grpc:
+                      cluster_name: grpc-envoy-ext-authz
+                  transport_api_version: V3
+                  include_peer_certificate: false
               - name: envoy.filters.http.grpc_web
 {{- if .Values.cors.enabled }}
               - name: envoy.filters.http.cors
@@ -66,38 +74,71 @@ data:
                         grpc:
                       route:
                         cluster: grpc-piped-service
+                      typed_per_filter_config:
+                        envoy.filters.http.ext_authz:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+                          disabled: true
                     - match:
                         prefix: /pipe.api.service.pipedservice.PipedService/
                         grpc:
                       route:
                         cluster: grpc-piped-service
                         prefix_rewrite: /grpc.service.pipedservice.PipedService/
+                      typed_per_filter_config:
+                        envoy.filters.http.ext_authz:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+                          disabled: true
                     - match:
                         prefix: /grpc.service.webservice.WebService/
                         grpc:
                       route:
                         cluster: grpc-web-service
+                      typed_per_filter_config:
+                        envoy.filters.http.ext_authz:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+                          disabled: true
                     - match:
                         prefix: /pipe.api.service.webservice.WebService/
                         grpc:
                       route:
                         cluster: grpc-web-service
                         prefix_rewrite: /grpc.service.webservice.WebService/
+                      typed_per_filter_config:
+                        envoy.filters.http.ext_authz:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+                          disabled: true
                     - match:
                         prefix: /grpc.service.apiservice.APIService/
                         grpc:
                       route:
                         cluster: grpc-api-service
+                      typed_per_filter_config:
+                        envoy.filters.http.ext_authz:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+                          disabled: true
                     - match:
                         prefix: /pipe.api.service.apiservice.APIService/
                         grpc:
                       route:
                         cluster: grpc-api-service
                         prefix_rewrite: /grpc.service.apiservice.APIService/
+                      typed_per_filter_config:
+                        envoy.filters.http.ext_authz:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+                          disabled: true
+                    - match: # We want to protect the opentelemetry service with envoy ext_authz, so this route must not turn off ext_authz.
+                        prefix: "/opentelemetry.proto.collector.trace.v1.TraceService/"
+                        grpc:
+                      route:
+                        cluster: opentelemetry-collector
                     - match:
                         prefix: /
                       route:
                         cluster: server-http
+                      typed_per_filter_config:
+                        envoy.filters.http.ext_authz:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+                          disabled: true
 {{- if .Values.gateway.internalTLS.enabled }}
           transport_socket:
             name: envoy.transport_socket.tls
@@ -175,3 +216,35 @@ data:
                     port_value: 9082
         track_cluster_stats:
           request_response_sizes: true
+      - name: grpc-envoy-ext-authz
+        http2_protocol_options: {}
+        connect_timeout: 0.25s
+        type: STRICT_DNS
+        lb_policy: ROUND_ROBIN
+        load_assignment:
+          cluster_name: grpc-envoy-ext-authz
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: {{ include "pipecd.fullname" . }}-server
+                    port_value: 9086
+        track_cluster_stats:
+          request_response_sizes: true
+      - name: opentelemetry-collector
+        http2_protocol_options: {}
+        connect_timeout: 0.25s
+        type: STRICT_DNS
+        lb_policy: ROUND_ROBIN
+        load_assignment:
+          cluster_name: opentelemetry-collector
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: {{ include "pipecd.fullname" . }}-opentelemetry-collector
+                    port_value: 4317
+        track_cluster_stats:
+          request_response_sizes: true