Describe the feature request
I have the following Envoy configuration, highlighting the basics of what I need:
- Envoy sidecar
- Listens on port 8443
- Ingresses only protocol `HTTP2`
- Outputs logs to stdout
- Uses self-signed certs for ALPN `h2`
- Proxies to port 50051
What I’d like to eliminate is the maintenance of the following:
- `Deployment` container for Envoy as a proxy
- `ConfigMap` for Envoy settings
- `Secret` as a result of the self-signed certs for the mTLS/`h2` requirement
```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: http2-service-appd-envoy-tls.yaml
  namespace: services-qal
data:
  envoy.yaml: |
    static_resources:
      listeners:
      - name: listener_https
        address:
          socket_address:
            address: 0.0.0.0
            port_value: 8443
        filter_chains:
        - filters:
          - name: envoy.http_connection_manager
            config:
              codec_type: HTTP2
              stat_prefix: ingress_http
              access_log:
              - name: envoy.file_access_log
                typed_config:
                  "@type": type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog
                  path: "/dev/stdout"
              route_config:
                name: local_route
                virtual_hosts:
                - name: backend
                  domains: ["*"]
                  routes:
                  - match:
                      prefix: "/"
                      grpc: {}
                    route:
                      cluster: grpc-service
                      max_grpc_timeout: 0s
              http_filters:
              - name: envoy.router
                config: {}
          tls_context:
            common_tls_context:
              alpn_protocols: "h2"
              tls_certificates:
              - certificate_chain:
                  filename: "/etc/envoy/certs/server.crt"
                private_key:
                  filename: "/etc/envoy/certs/server.key"
      clusters:
      - name: grpc-service
        connect_timeout: 0.25s
        type: strict_dns
        lb_policy: round_robin
        http2_protocol_options: {}
        hosts:
        - socket_address:
            address: localhost
            port_value: 50051
    admin:
      access_log_path: "/tmp/admin_access.log"
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 8001
```
The deployment has an additional container for Envoy:
```yaml
- image: docker.company.com/services/api/grpc/envoy-proxy:62-2b860e0
  imagePullPolicy: IfNotPresent
  name: envoy-proxy
  ports:
  - containerPort: 8443
    name: proxy-https
    protocol: TCP
  - containerPort: 8001
    name: admin
    protocol: TCP
  resources:
    limits:
      cpu: 2
      memory: 1Gi
    requests:
      cpu: 1
      memory: 1Gi
  volumeMounts:
  - mountPath: /etc/envoy
    name: envoy-yaml
    readOnly: true
  - mountPath: /etc/envoy/certs
    name: envoy-certs
```
Describe alternatives you’ve considered
- We’d like to use the Istio sidecar to create an Envoy proxy that will only do these settings.
- This way, we can create a pattern with Istio for load balancing using the Istio Ingress Gateway for HTTP/2 applications that will be written in gRPC.
I noticed that we can inject the sidecar by using an annotation, as shown at https://jimmysong.io/posts/envoy-sidecar-injection-in-istio-service-mesh-deep-dive/:
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  creationTimestamp: null
  name: productpage-v1
spec:
  replicas: 1
  strategy: {}
  template:
    metadata:
      annotations:
        sidecar.istio.io/status: '{"version":"fde14299e2ae804b95be08e0f2d171d466f47983391c00519bbf01392d9ad6bb","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}'
      creationTimestamp: null
      labels:
        app: productpage
        version: v1
```
- How can I use this same strategy to replace my solution with the Istio sidecar?
- How can we provide the settings for H2, ingress port, etc.?
- I couldn’t find any example in the official docs, so I’d like to know if this is possible.
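As an added example (not part of the original issue, and not taken from Istio's own docs), the following shows how the listener settings from the Envoy ConfigMap above could be expressed with Istio resources once the sidecar is injected: a `Sidecar` resource that makes the injected proxy accept port 8443 and forward to the application on `127.0.0.1:50051`, and a `PeerAuthentication` in `STRICT` mode so that the mesh-issued workload certificates replace the self-signed `server.crt`/`server.key` and any plaintext connection to the pod is rejected. The namespace `services-qal` and the ports come from the issue; the workload label `app: grpc-service`, the resource names and the `sidecar.istio.io/inject` annotation on the pod template are assumptions for this example.

```yaml
# Added example: Istio equivalents of the hand-written Envoy listener.
# Assumed: the Deployment's pod template carries the label app=grpc-service
# and the annotation sidecar.istio.io/inject: "true" so the injector adds
# istio-proxy (the sidecar.istio.io/status annotation shown above is written
# by the injector, not by the user).
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: grpc-service          # assumed name
  namespace: services-qal     # namespace from the ConfigMap in the issue
spec:
  workloadSelector:
    labels:
      app: grpc-service       # assumed workload label
  ingress:
  - port:
      number: 8443            # port the injected proxy accepts, as listener_https did
      protocol: GRPC          # HTTP/2 + gRPC, replacing codec_type: HTTP2 and the grpc: {} match
      name: grpc-tls
    defaultEndpoint: 127.0.0.1:50051   # the application, as the grpc-service cluster pointed to
---
# Mesh mTLS replaces the self-signed certificate Secret: the proxy serves a
# certificate issued by istiod and STRICT mode refuses non-mTLS inbound traffic,
# so a client that skips TLS cannot reach 50051 through the proxy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: grpc-service          # assumed name
  namespace: services-qal
spec:
  selector:
    matchLabels:
      app: grpc-service       # assumed workload label
  mtls:
    mode: STRICT
```

Clients inside the mesh connect to the pod on port 8443 and the injected proxy terminates mTLS and forwards HTTP/2 to 50051, so the `ConfigMap`, the self-signed `Secret` and the extra `envoy-proxy` container are no longer needed. Access logging to stdout is a mesh-wide setting in Istio (`meshConfig.accessLogFile: /dev/stdout`) rather than a per-listener one. To check the result, `istioctl proxy-config listener <pod> --port 8443` lists the inbound listener the proxy created, and `istioctl proxy-config secret <pod>` shows the mesh-issued certificate it serves in place of `/etc/envoy/certs/server.crt`.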
Affected product area (please put an X in all that apply)
Configuration Infrastructure
Docs
Installation
Networking
Performance and Scalability
Policies and Telemetry
Security
Test and Release
User Experience
Developer Infrastructure
Additional context