
Commit aef0897

committed
feat: add Envoy proxy support
1 parent fa1c67c commit aef0897


19 files changed

+579
-9
lines changed


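--- a/ansible/files/adminapi.sudoers.conf
+++ b/ansible/files/adminapi.sudoers.conf
@@ -1,3 +1,4 @@
+Cmnd_Alias ENVOY = /bin/systemctl start envoy.service, /bin/systemctl stop envoy.service, /bin/systemctl restart envoy.service, /bin/systemctl disable envoy.service, /bin/systemctl enable envoy.service, /bin/systemctl reload envoy.service
 Cmnd_Alias KONG = /bin/systemctl start kong.service, /bin/systemctl stop kong.service, /bin/systemctl restart kong.service, /bin/systemctl disable kong.service, /bin/systemctl enable kong.service, /bin/systemctl reload kong.service
 Cmnd_Alias POSTGREST = /bin/systemctl start postgrest.service, /bin/systemctl stop postgrest.service, /bin/systemctl restart postgrest.service, /bin/systemctl disable postgrest.service, /bin/systemctl enable postgrest.service
 Cmnd_Alias GOTRUE = /bin/systemctl start gotrue.service, /bin/systemctl stop gotrue.service, /bin/systemctl restart gotrue.service, /bin/systemctl disable gotrue.service, /bin/systemctl enable gotrue.service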
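Review bot: The new `ENVOY` alias on line 1 only takes effect once a user specification references it, and this file shows a single addition, so no such grant is added here. The rules that consume `KONG`, `POSTGREST` and `GOTRUE` lie outside the hunk; if the admin API is meant to manage envoy.service, a grant of the same shape as the existing KONG one needs to name `ENVOY`, otherwise the alias is dead configuration. The alias itself is tight from a least-privilege view: absolute paths, fixed arguments, no wildcards. A `visudo -cf` check on the rendered file in the playbook would catch a syntax slip before it locks sudo.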

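--- a/ansible/files/envoy.service
+++ b/ansible/files/envoy.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Envoy
+After=postgrest.service gotrue.service adminapi.service
+Wants=postgrest.service gotrue.service adminapi.service
+Conflicts=kong.service
+
+[Service]
+Type=simple
+ExecStart=/opt/envoy-hot-restarter.py /opt/start-envoy.sh
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill -TERM $MAINPID
+User=envoy
+Slice=services.slice
+Restart=always
+RestartSec=3
+LimitNOFILE=100000
+
+# The envoy user is unpriviledged and thus not permited to bind on ports < 1024
+# Via systemd we grant the process a set of priviledges to bind to 80/443
+# See http://archive.vn/36zJU
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target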
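Review bot: The `[Service]` section grants `AmbientCapabilities=CAP_NET_BIND_SERVICE` on line 21 but never caps what the process tree can hold or gain, which matters for an internet-facing proxy started through two wrapper scripts. Adding `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `NoNewPrivileges=true` next to it keeps the unit at exactly the one capability the comment describes. The `ExecStart` scripts under `/opt` should be root-owned and not writable by the `envoy` user; their installation is not visible in this section. The comment block on lines 18–20 also has typos ("unpriviledged", "permited", "priviledges") and cites an archive link over plain HTTP; pointing at the systemd.exec documentation for `AmbientCapabilities` would age better.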
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
function envoy_on_request(request_handle)
2+
local authorization = request_handle:headers():get("authorization")
3+
4+
if authorization and authorization:find("^[Bb][Aa][Ss][Ii][Cc] " .. request_handle:metadata():get("credentials")) then
5+
return
6+
end
7+
8+
request_handle:respond({
9+
[":status"] = "401",
10+
["WWW-Authenticate"] = "Basic realm=\"Unknown\""
11+
}, "Unauthorized")
12+
end
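Review bot: The check on new line 4 concatenates `request_handle:metadata():get("credentials")` into a Lua pattern, so pattern-magic characters in the credential are interpreted instead of matched literally; a base64 value containing `+` will not match itself. With no `$` anchor, any header that merely begins with the expected value is also accepted. If the metadata key is absent, the `..` raises on nil; Envoy's Lua filter appears to log script errors and let the request continue, which would make the filter fail open, so that is worth confirming and guarding explicitly. I would split the header into scheme and token and compare the token with `==` against a value first checked to be a non-empty string, as below. The file path for this section is not shown on the page.

```lua
function envoy_on_request(request_handle)
    local authorization = request_handle:headers():get("authorization")
    local expected = request_handle:metadata():get("credentials")

    -- Literal comparison: no pattern interpretation of the credential, no
    -- prefix match, and a missing or empty credential never authenticates.
    if type(expected) == "string" and expected ~= "" and type(authorization) == "string" then
        local scheme, token = authorization:match("^(%a+) (.+)$")
        if scheme and scheme:lower() == "basic" and token == expected then
            return
        end
    end

    -- … unchanged: respond with 401 and WWW-Authenticate …
```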

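--- a/ansible/files/envoy_config/cds.yaml
+++ b/ansible/files/envoy_config/cds.yaml
@@ -0,0 +1,51 @@
+resources:
+- '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+name: admin_api
+load_assignment:
+cluster_name: admin_api
+endpoints:
+- lb_endpoints:
+- endpoint:
+address:
+socket_address:
+address: 127.0.0.1
+port_value: 8085
+transport_socket:
+name: envoy.transport_sockets.tls
+typed_config:
+'@type': >-
+type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+- '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+name: gotrue
+load_assignment:
+cluster_name: gotrue
+endpoints:
+- lb_endpoints:
+- endpoint:
+address:
+socket_address:
+address: 127.0.0.1
+port_value: 9999
+- '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+name: postgrest
+load_assignment:
+cluster_name: postgrest
+endpoints:
+- lb_endpoints:
+- endpoint:
+address:
+socket_address:
+address: 127.0.0.1
+port_value: 3000
+- '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+name: postgrest_admin
+load_assignment:
+cluster_name: postgrest_admin
+endpoints:
+- lb_endpoints:
+- endpoint:
+address:
+socket_address:
+address: 127.0.0.1
+port_value: 3001
+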
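Review bot: The `admin_api` cluster's `UpstreamTlsContext` (new lines 13–17) has no `common_tls_context.validation_context`, so Envoy encrypts the hop to 127.0.0.1:8085 but does not verify the server certificate or its name. On loopback that may be an accepted trade-off; if it is, record it where the next reader will see it, e.g. `# TLS to local admin API; upstream cert intentionally not verified (loopback only)`. If the admin API ever moves off-host, a `validation_context` with the trusted CA and a SAN match becomes necessary. Separately, whether `postgrest_admin` on port 3001 is reachable from outside depends on the listener routes in lds.yaml, which are not shown in this section.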

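--- a/ansible/files/envoy_config/envoy.yaml
+++ b/ansible/files/envoy_config/envoy.yaml
@@ -0,0 +1,23 @@
+dynamic_resources:
+cds_config:
+path_config_source:
+path: /etc/envoy/cds.yaml
+resource_api_version: V3
+lds_config:
+path_config_source:
+path: /etc/envoy/lds.yaml
+resource_api_version: V3
+node:
+cluster: cluster_0
+id: node_0
+overload_manager:
+resource_monitors:
+- name: envoy.resource_monitors.global_downstream_max_connections
+typed_config:
+'@type': >-
+type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+max_active_downstream_connections: 2000
+stats_config:
+stats_matcher:
+reject_all: true
+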
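Review bot: `stats_matcher.reject_all: true` on new lines 20–22 discards every stat and the bootstrap defines no `admin` block, so reaching the 2000-connection ceiling set on lines 13–19 would leave no counter to alert on. If dropping stats is deliberate, a comment should say so, e.g. `# all stats rejected deliberately; connection-limit hits are not exported as metrics`. Otherwise an `inclusion_list` that keeps the overload-manager and downstream-connection counters would preserve the signal at little cost. Because both `path_config_source` files are reloaded from disk, `/etc/envoy/cds.yaml` and `/etc/envoy/lds.yaml` should be writable only by root, not by the `envoy` user; the task that installs them is not visible in this section.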
