service mesh egress #160
service mesh egress #160
Conversation
3u13r
force-pushed
the
feat/service-mesh-egress
branch
from
3f1d26e to
53a6450
Compare
| - name: sidecar | ||
| image: "ghcr.io/edgelesssys/nunki/service-mesh-proxy:latest" | ||
| volumeMounts: | ||
| - name: tls-certs | ||
| mountPath: /tls-config | ||
| env: | ||
| - name: EDG_PROXY_CONFIG | ||
| value: "emoji#127.137.0.1:8080#emoji-svc##voting#127.137.0.2:8080#voting-svc" | ||
| securityContext: | ||
| capabilities: | ||
| add: | ||
| - NET_ADMIN | ||
| - NET_RAW | ||
| - env: | ||
| - name: WEB_PORT | ||
| value: "8080" | ||
| - name: EMOJISVC_HOST | ||
| value: 127.137.0.1:8080 | ||
| - name: VOTINGSVC_HOST | ||
| value: 127.137.0.2:8080 |
There was a problem hiding this comment.
Could we implement this as a kustomization or similar overlay, instead of copying all the resources?
There was a problem hiding this comment.
Technically we could but I think it's out of scope for this PR. We had a discussion a few days ago, since we also need an ergonomic way to apply the deployments in the e2e tests. So Paul and Moritz S. are also aware of the problem. Since we haven't decided on a solution there is no ticket yet, I think.
There was a problem hiding this comment.
Fine with me, but we should address this question before we reach deployments/emojivoto(-sm(-(in|e)gress)+)?
3u13r
force-pushed
the
feat/service-mesh-egress
branch
from
53a6450 to
94e09a6
Compare
3u13r
force-pushed
the
feat/service-mesh-egress
branch
2 times, most recently
from
51eb82a to
9462905
Compare
go.work.sum
Outdated
justfile
Outdated
| @@ -1,5 +1,5 @@ | |||
| # Undeploy, rebuild, deploy. | |||
| default target=default_deploy_target: undeploy coordinator initializer openssl port-forwarder (deploy target) set verify (wait-for-workload target) | |||
| default target=default_deploy_target: undeploy coordinator initializer openssl port-forwarder service-mesh-proxy (deploy target) set verify (wait-for-workload target) | |||
There was a problem hiding this comment.
We should think of a way to only push the container for the deployment we actually want.
packages/default.nix
Outdated
| @@ -67,6 +78,7 @@ rec { | |||
| runHook postCheck | |||
| ''; | |||
|
|
|||
| # TODO(@katexochen): Allow subPackages with "-" in their names | |||
There was a problem hiding this comment.
| # TODO(@katexochen): Allow subPackages with "-" in their names |
I'm not gonna look into this anytime soon. Whoever needs this should look into it themselves.
3u13r
force-pushed
the
feat/service-mesh-egress
branch
4 times, most recently
from
05e9de3 to
936bd8d
Compare
3u13r
force-pushed
the
feat/service-mesh-egress
branch
from
936bd8d to
461ab1a
Compare
This PR adds the optional nunki plugin in form of a service mesh sidecar.
This sidecar can be configured via a ENV variable which in turn configures Envoy.
The structure in which the user defines the config is preliminary and subject to discussions, proposals and change.
I also added a manual test / example in the form of emojivoto where the upstream "web" container is used and we use the sidecar so that the web service talks mTLS with the emoji-svc and voting-svc.
There is a difference between the RFC and the implementation since it is not possible with Envoy to proxy only on L3 (aka. only change the IP/Endpoint and keep the original port). Therefore, the user also needs to specify the port.