# Deploy Envoy DaemonSet as Ingress Proxy (bind host network) on Kubernetes

###### tags: `kubernetes`, `envoy`

## 1. Deploy

### 1-1. Deploy the demo web app

```bash=
kubectl apply -f whoami.yaml
```

* whoami.yaml

```yaml=
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
spec:
  selector:
    matchLabels:
      run: whoami
  replicas: 2
  template:
    metadata:
      labels:
        run: whoami
    spec:
      containers:
      - name: whoami
        image: containous/whoami
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  labels:
    run: whoami
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    run: whoami
```

### 1-2. Create the TLS secret

```bash=
kubectl create secret tls ssl-kettan.dev \
  --cert=kettan.dev.crt \
  --key=kettan.dev.key
```

### 1-3. Deploy the Envoy DaemonSet

```bash=
kubectl apply -f envoy.yaml
```

* envoy.yaml

```yaml=
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: envoy
  name: envoy
spec:
  selector:
    matchLabels:
      app: envoy
  template:
    metadata:
      labels:
        app: envoy
    spec:
      hostIPC: true
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      containers:
      - name: envoy
        image: envoyproxy/envoy:v1.12.0
        command: ["envoy"]
        args: [
          "-c", "/etc/envoy/envoy.yaml",
          "--service-cluster", "envoy-mesh",
          "--service-node", "$(HOSTNAME)"
        ]
        volumeMounts:
        - mountPath: /etc/envoy
          name: envoy-conf
        - mountPath: /ssl
          name: envoy-ssl
      volumes:
      - name: envoy-conf
        configMap:
          name: envoy
      - name: envoy-ssl
        secret:
          secretName: ssl-kettan.dev
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: envoy
data:
  cds.yaml: |+
    ---
    version_info: '0'
    resources:
    - "@type": type.googleapis.com/envoy.api.v2.Cluster
      name: srv_whoami
      connect_timeout: 0.25s
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: srv_whoami
        endpoints:
        - lb_endpoints:
          - endpoint:
              address:
                socket_address:
                  address: whoami
                  port_value: 80
  envoy.yaml: |+
    admin:
      access_log_path: "/dev/null"
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 10000
    dynamic_resources:
      cds_config:
        path: "/etc/envoy/cds.yaml"
      lds_config:
        path: "/etc/envoy/lds.yaml"
  lds.yaml: |+
    ---
    version_info: '0'
    resources:
    - "@type": type.googleapis.com/envoy.api.v2.Listener
      name: listener_http
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 80
      filter_chains:
      - filters:
        - name: envoy.http_connection_manager
          config:
            stat_prefix: ingress_http
            codec_type: AUTO
            route_config:
              name: all_http
              virtual_hosts:
              - name: all_http
                domains:
                - "*"
                require_tls: EXTERNAL_ONLY
            http_filters:
            - name: envoy.router
    - "@type": type.googleapis.com/envoy.api.v2.Listener
      name: listener_https
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 443
      filter_chains:
      - filters:
        - name: envoy.http_connection_manager
          config:
            stat_prefix: ingress_http
            codec_type: AUTO
            route_config:
              name: swarm
              virtual_hosts:
              - name: ingress_whoami
                domains:
                - "whoami.kettan.dev"
                - "zzzzz.kettan.dev"
                require_tls: EXTERNAL_ONLY
                routes:
                - match:
                    prefix: "/"
                  route:
                    cluster: srv_whoami
            http_filters:
            - name: envoy.router
        tls_context:
          common_tls_context:
            tls_certificates:
            - certificate_chain:
                filename: "/ssl/tls.crt"
              private_key:
                filename: "/ssl/tls.key"
```

## 2. Update CDS or LDS

### 2-1. Edit the configs

```bash=
vim envoy.yaml
```

### 2-2. Apply the new configs

```bash=
kubectl apply -f envoy.yaml
```

### 2-3. Restart the Envoy pods to apply the config changes

```bash=
kubectl rollout restart ds envoy
```
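Because the DaemonSet runs with `hostNetwork: true`, everything Envoy binds to `0.0.0.0` is bound on the node itself, including the admin interface on port 10000 from the bootstrap in step 1-3. The script below is an added pre-apply check, not code from the original note or from the Envoy project; it assumes PyYAML is installed and that the ConfigMap holds the v2-style `envoy.yaml` and `lds.yaml` documents shown above. It parses a multi-document manifest like the one in step 1-3 and flags the host-namespace settings and listener properties a reviewer would look at before step 2-2 applies a change: an admin interface bound to a non-loopback address, `hostIPC`/`hostPID` that Envoy does not need, `hostNetwork` without `dnsPolicy: ClusterFirstWithHostNet` (the `STRICT_DNS` cluster would stop resolving `whoami`), a port-443 filter chain with no `tls_context`, and virtual hosts that do not set `require_tls: EXTERNAL_ONLY`. The embedded sample manifest is a constructed, trimmed copy of the note's `envoy.yaml`.

```python
import sys
import yaml

# Constructed sample: a trimmed copy of the note's envoy.yaml, embedded so the
# checker runs offline. The ConfigMap values are themselves YAML documents.
SAMPLE_MANIFEST = """\
kind: DaemonSet
spec:
  template:
    spec:
      hostIPC: true
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
---
kind: ConfigMap
data:
  envoy.yaml: |
    admin:
      address: {socket_address: {address: 0.0.0.0, port_value: 10000}}
  lds.yaml: |
    resources:
    - name: listener_http
      address: {socket_address: {address: 0.0.0.0, port_value: 80}}
      filter_chains:
      - filters:
        - name: envoy.http_connection_manager
          config:
            route_config:
              virtual_hosts: [{name: all_http, domains: ["*"], require_tls: EXTERNAL_ONLY}]
    - name: listener_https
      address: {socket_address: {address: 0.0.0.0, port_value: 443}}
      filter_chains:
      - filters:
        - name: envoy.http_connection_manager
          config:
            route_config:
              virtual_hosts:
              - {name: ingress_whoami, domains: [whoami.kettan.dev], require_tls: EXTERNAL_ONLY,
                 routes: [{match: {prefix: /}, route: {cluster: srv_whoami}}]}
        tls_context: {common_tls_context: {tls_certificates: [{certificate_chain: {filename: /ssl/tls.crt}, private_key: {filename: /ssl/tls.key}}]}}
"""


def check_manifest(text):
    """Return (severity, message) findings for a multi-document manifest string."""
    out = []
    for doc in yaml.safe_load_all(text):
        kind = (doc or {}).get("kind")
        if kind == "DaemonSet":
            out += check_pod_spec(doc["spec"]["template"]["spec"])
        elif kind == "ConfigMap":
            out += check_envoy_config(doc.get("data", {}))
    return out


def check_pod_spec(pod):
    """Host namespaces: only hostNetwork is justified for this ingress pod."""
    out = []
    if pod.get("hostNetwork") and pod.get("dnsPolicy") != "ClusterFirstWithHostNet":
        out.append(("error", "hostNetwork without dnsPolicy ClusterFirstWithHostNet: the STRICT_DNS cluster cannot resolve the whoami Service"))
    out += [("warn", f"{ns}: true is not needed by Envoy; remove it") for ns in ("hostIPC", "hostPID") if pod.get(ns)]
    return out


def check_envoy_config(data):
    """Bootstrap admin bind address plus every LDS listener stored in the ConfigMap."""
    boot = yaml.safe_load(data.get("envoy.yaml", "")) or {}
    admin = boot.get("admin", {}).get("address", {}).get("socket_address", {})
    out = []
    if admin and admin.get("address") not in ("127.0.0.1", "::1"):
        out.append(("error", f"admin bound to {admin['address']}:{admin.get('port_value')}: on hostNetwork it is reachable from the node's network; use 127.0.0.1"))
    lds = yaml.safe_load(data.get("lds.yaml", "")) or {}
    for listener in lds.get("resources", []):
        out += check_listener(listener)
    return out


def check_listener(listener):
    """Port 443 must terminate TLS; every virtual host must demand TLS."""
    name = listener.get("name")
    port = listener.get("address", {}).get("socket_address", {}).get("port_value")
    out = []
    for chain in listener.get("filter_chains", []):
        has_tls = "tls_context" in chain or "transport_socket" in chain
        if port == 443 and not has_tls:
            out.append(("error", f"{name}: port 443 filter chain has no tls_context"))
        for f in chain.get("filters", []):
            hcm = f.get("config") or f.get("typed_config") or {}
            for vh in hcm.get("route_config", {}).get("virtual_hosts", []):
                if vh.get("require_tls") != "EXTERNAL_ONLY":
                    out.append(("warn", f"{name}/{vh.get('name')}: require_tls is not EXTERNAL_ONLY"))
                if not has_tls and vh.get("routes"):
                    out.append(("warn", f"{name}/{vh.get('name')}: plaintext listener routes to an upstream"))
    return out


if __name__ == "__main__":  # usage: python check_envoy.py envoy.yaml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    results = check_manifest(text)
    print("\n".join(f"[{s}] {m}" for s, m in results) or "no findings")
    sys.exit(1 if any(s == "error" for s, _ in results) else 0)
```

Run it against `envoy.yaml` before `kubectl apply` in step 2-2; it exits non-zero on any `error`. Against the note's manifest it reports the `hostIPC` setting and the admin bind on `0.0.0.0:10000`; the port-80 listener passes because its only virtual host carries `require_tls: EXTERNAL_ONLY` and no routes, so Envoy answers plaintext requests with a redirect to HTTPS instead of proxying them.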