envoy-tls.yaml•4.92 kB
# Envoy Configuration File for TLS Termination with Let's Encrypt Certificate
#
# For creating a self-signed certificate, see:
# https://itnext.io/how-to-setup-and-test-tls-in-grpc-grpc-web-1b67cc4413e6
#
# When using self-signed certificates, additional steps are required to ensure compatibility with the browser.
# For instance, to connect to the API using the WebSDK, you must trust the certificate in your browser.
#
# Conversely, if you are using the NodeSDK, you will need to add the CA directly to the client.
static_resources:
listeners:
- name: listener_https
address:
socket_address: { address: 0.0.0.0, port_value: 443 }
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
codec_type: auto
stat_prefix: ingress_http
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match:
prefix: "/api"
route:
cluster: apiserver-cluster-http
timeout: 0s
- match:
prefix: "/"
headers:
- name: "content-type"
safe_regex_match:
google_re2: {}
regex: "^(application/grpc|application/grpc-web-text)$"
route:
cluster: apiserver-cluster
timeout: 0s
max_stream_duration:
grpc_timeout_header_max: 0s
- match:
prefix: "/"
route:
cluster: dashboard-cluster
timeout: 0s
cors:
allow_origin_string_match:
- prefix: "*"
allow_methods: GET, PUT, DELETE, POST, OPTIONS
allow_headers: token,accesskeyid,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
max_age: "1728000"
expose_headers: grpc-status,grpc-message
http_filters:
- name: envoy.filters.http.grpc_web
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
- name: envoy.filters.http.cors
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
common_tls_context:
tls_certificates:
- certificate_chain:
filename: "/etc/letsencrypt/fullchain.pem"
private_key:
filename: "/etc/letsencrypt/privkey.pem"
clusters:
- name: apiserver-cluster
type: logical_dns
connect_timeout: 20s
http2_protocol_options: {}
lb_policy: round_robin
load_assignment:
cluster_name: apiserver-cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: apiserver
port_value: 50051
- name: apiserver-cluster-http
type: logical_dns
connect_timeout: 20s
lb_policy: round_robin
load_assignment:
cluster_name: apiserver-cluster-http
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: apiserver
port_value: 9876
- name: dashboard-cluster
type: logical_dns
connect_timeout: 20s
lb_policy: round_robin
load_assignment:
cluster_name: dashboard-cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: dashboard
port_value: 3030