---
# Proxy-fleet template for the "envoy" GatewayClass (see parametersRef in the
# GatewayClass document below). Every Gateway of that class gets a Deployment
# and Service shaped by this spec.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  # No metadata.namespace here; the GatewayClass references this object in
  # "network", so presumably a surrounding kustomization sets it — verify.
  name: envoy
spec:
  logging:
    level:
      default: info
  provider:
    type: Kubernetes
    kubernetes:
      envoyDeployment:
        replicas: 2
        container:
          # Repository only — no tag or digest is pinned in this file.
          # NOTE(review): confirm how the proxy image version is pinned
          # (controller default vs. an explicit setting elsewhere).
          imageRepository: mirror.gcr.io/envoyproxy/envoy
          resources:
            requests:
              cpu: 100m
            # Only a memory limit is given; with no explicit memory request
            # Kubernetes defaults the request to the limit value.
            limits:
              memory: 1Gi
      envoyService:
        # NOTE(review): Cluster policy can SNAT client source addresses at
        # the node, which would make the remote IP seen by Envoy a node IP.
        # Confirm the CNI's load-balancer mode preserves the client IP, or
        # that clientIPDetection (ClientTrafficPolicy below) covers it.
        externalTrafficPolicy: Cluster
  shutdown:
    # Time allowed for in-flight connections to finish on pod termination.
    drainTimeout: 180s
  telemetry:
    metrics:
      prometheus:
        compression:
          type: Zstd
---
# Cluster-scoped class binding Gateways named "envoy" to the Envoy Gateway
# controller and to the EnvoyProxy template above.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: envoy
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: envoy
    # Must match the namespace the EnvoyProxy object is actually created in;
    # the EnvoyProxy document above carries no metadata.namespace itself.
    namespace: network
---
# Externally reachable entry point. Both ${SECRET_DOMAIN} forms look like
# Flux postBuild variable substitution (bash-style "${VAR/./-}" replaces the
# first "." with "-") — presumably rendered before apply; verify.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: envoy-external
  annotations:
    # DNS records created by external-dns for routes on this Gateway point
    # at this hostname rather than directly at the LB address.
    external-dns.alpha.kubernetes.io/target: external.${SECRET_DOMAIN}
spec:
  gatewayClassName: envoy
  infrastructure:
    # Propagated to the generated Service: its external-dns hostname and the
    # fixed Cilium LB-IPAM address (quoted so it stays a string).
    annotations:
      external-dns.alpha.kubernetes.io/hostname: external.${SECRET_DOMAIN}
      lbipam.cilium.io/ips: "10.0.0.158"
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          # Only routes in the Gateway's own namespace may attach here —
          # the https-redirect HTTPRoute at the end of this file.
          from: Same
    - name: https
      protocol: HTTPS
      port: 443
      allowedRoutes:
        namespaces:
          # NOTE(review): any namespace may publish routes on the external
          # TLS listener. If not every namespace should be able to expose
          # hostnames externally, a Selector on a namespace label narrows this.
          from: All
      tls:
        certificateRefs:
          - kind: Secret
            # Expands to "<domain-with-first-dot-replaced>-production-tls".
            name: ${SECRET_DOMAIN/./-}-production-tls
---
# Internal entry point; mirrors envoy-external with a different hostname and
# LB address. ${SECRET_DOMAIN} forms are presumably Flux postBuild variable
# substitution (bash-style "${VAR/./-}" replacement) — verify.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: envoy-internal
  annotations:
    external-dns.alpha.kubernetes.io/target: internal.${SECRET_DOMAIN}
spec:
  gatewayClassName: envoy
  infrastructure:
    # Propagated to the generated Service; the LB-IPAM address is quoted so
    # it stays a string.
    annotations:
      external-dns.alpha.kubernetes.io/hostname: internal.${SECRET_DOMAIN}
      lbipam.cilium.io/ips: "10.0.0.157"
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          # Same-namespace routes only; used by the https-redirect HTTPRoute.
          from: Same
    - name: https
      protocol: HTTPS
      port: 443
      allowedRoutes:
        namespaces:
          # Any namespace may attach routes to the internal TLS listener.
          from: All
      tls:
        certificateRefs:
          - kind: Secret
            # Same certificate Secret as envoy-external.
            name: ${SECRET_DOMAIN/./-}-production-tls
---
# Upstream-side defaults applied to every Gateway (see targetSelectors), so
# these settings affect all routes behind both envoy-external and
# envoy-internal unless a more specific policy overrides them.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: envoy
spec:
  # Response compression offered in this preference order. NOTE(review):
  # this applies to dynamic responses as well; compressing pages that mix
  # secrets with request-controlled content is a known side channel, so
  # consider limiting compression to static content types if that applies.
  compressor:
    - type: Zstd
      zstd: {}
    - type: Brotli
      brotli: {}
    - type: Gzip
      gzip: {}
  retry:
    numRetries: 2
    retryOn:
      triggers:
        # NOTE(review): retries on connection reset apply regardless of HTTP
        # method, so non-idempotent requests may be replayed — confirm that
        # is acceptable for the backends behind these Gateways.
        - reset
  targetSelectors:
    - group: gateway.networking.k8s.io
      kind: Gateway
  tcpKeepalive: {}
  timeout:
    http:
      # NOTE(review): 0s is the "disabled" value, not a zero-length limit —
      # requests may stay open indefinitely. Confirm this is intended (e.g.
      # for long-lived streams) and that other limits still bound them.
      requestTimeout: 0s
---
# Downstream (client-facing) defaults applied to every Gateway via
# targetSelectors.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: envoy
spec:
  clientIPDetection:
    xForwardedFor:
      # X-Forwarded-For is honoured only when the connection comes from
      # this range. NOTE(review): if 10.42.0.0/16 is the cluster pod range,
      # any in-cluster workload can set the client IP Envoy logs and
      # enforces on — confirm the list covers only hops that genuinely sit
      # in front of Envoy.
      trustedCIDRs:
        - "10.42.0.0/16"
  http2:
    # Drop only the offending stream on protocol violations instead of the
    # whole connection.
    onInvalidMessage: TerminateStream
  # HTTP/3 enabled with defaults. NOTE(review): QUIC needs UDP/443 to reach
  # the proxy Service — confirm the LB and any firewall allow it.
  http3: {}
  targetSelectors:
    - group: gateway.networking.k8s.io
      kind: Gateway
  tcpKeepalive: {}
  tls:
    # Quoted so the version is kept as the string "1.2", not the float 1.2.
    minVersion: "1.2"
    alpnProtocols:
      - h2
      - http/1.1
---
# Catch-all plaintext → TLS redirect, attached to the "http" listener of
# both Gateways. Those listeners allow routes from the Gateway namespace
# only, so this object must live in "network" (its parentRefs assume so).
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: https-redirect
  annotations:
    # Keep external-dns from creating DNS records for this helper route.
    external-dns.alpha.kubernetes.io/controller: none
spec:
  parentRefs:
    - name: envoy-external
      namespace: network
      sectionName: http
    - name: envoy-internal
      namespace: network
      sectionName: http
  rules:
    # No matches given, so the rule applies to every path on the listener.
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301