fix: small tweaks to improve localnet dev experience (#122)

## Summary A couple small tweaks to the localnet configuration for improved developer experience. --------- Co-authored-by: Daniel Olshansky <[email protected]>
buildwithgrove · Jan 10, 2025 · 24fa81d · 24fa81d
1 parent cd27f84
commit 24fa81d
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 50 deletions.
diff --git a/Tiltfile b/Tiltfile
@@ -103,15 +103,14 @@ else:
             "ratelimit",
             "redis",
         ],
-        port_forwards=["3000:3000"],
     )
 
 if MODE == "path_with_auth":
     # ---------------------------------------------------------------------------- #
     #                             Envoy Auth Resources                             #
     # ---------------------------------------------------------------------------- #
-    # 1. External Auth Server                                                      #
-    # 2. Envoy Proxy                                                               #
+    # 1. Envoy Proxy                                                               #
+    # 2. External Auth Server                                                      #
     # 3. Path Auth Data Server (PADS)                                              #
     # 4. Rate Limiter                                                              #
     # 5. Redis                                                                     #
@@ -139,7 +138,17 @@ if MODE == "path_with_auth":
         watch=True,
     )
 
-    # 1. Build the External Auth Server image from envoy/auth_server/Dockerfile
+    # 1. Load the Kubernetes YAML for the envoy-proxy service
+    k8s_yaml("./local/kubernetes/envoy-proxy.yaml")
+    k8s_resource(
+        "envoy-proxy",
+        labels=["envoy_auth"],
+        # By default the Envoy Proxy container will bind to 127.0.0.1:3001.
+        # Adding 0.0.0.0 allows it to be accessible from any IP address.
+        port_forwards=["0.0.0.0:3001:3001"],
+    )
+
+    # 2. Build the External Auth Server image from envoy/auth_server/Dockerfile
     docker_build(
         "ext-authz",
         context="./envoy/auth_server",
@@ -155,14 +164,6 @@ if MODE == "path_with_auth":
         resource_deps=["path-auth-data-server"],
     )
 
-    # 2. Load the Kubernetes YAML for the envoy-proxy service
-    k8s_yaml("./local/kubernetes/envoy-proxy.yaml")
-    k8s_resource(
-        "envoy-proxy",
-        labels=["envoy_auth"],
-        port_forwards=["3001:3001"],
-    )
-
     # 3. Load the Kubernetes YAML for the path-auth-data-server service
     k8s_yaml("./local/kubernetes/envoy-pads.yaml")
     k8s_resource(

diff --git a/envoy/envoy.template.yaml b/envoy/envoy.template.yaml
@@ -113,42 +113,43 @@ static_resources:
                   - name: envoy.filters.http.lua
                     typed_config:
                       "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
-                      inline_code: |
-                        function envoy_on_request(handle)
-                          -- Check if the subdomain_to_service_id is already loaded
-                          if not _G.subdomain_to_service_id then
-                            -- Load the mapping of subdomains to service IDs from an external file
-                            _G.subdomain_to_service_id = dofile("/etc/envoy/.allowed-services.lua")
+                      default_source_code: 
+                        inline_string: |
+                          function envoy_on_request(handle)
+                            -- Check if the subdomain_to_service_id is already loaded
+                            if not _G.subdomain_to_service_id then
+                              -- Load the mapping of subdomains to service IDs from an external file
+                              _G.subdomain_to_service_id = dofile("/etc/envoy/.allowed-services.lua")
+                            end
+                          
+                            local host = handle:headers():get(":authority")
+                            local subdomain = string.match(host, "^([^.]+)")
+                            local target_service_id_header = handle:headers():get("target-service-id")
+                          
+                            -- Function to resolve service ID from a given key
+                            local function resolve_service_id(key)
+                              return _G.subdomain_to_service_id[key]
+                            end
+                          
+                            -- Attempt to resolve service ID from subdomain
+                            local service_id = resolve_service_id(subdomain)
+                          
+                            -- If not found, attempt to resolve from "target-service-id" header
+                            if not service_id and target_service_id_header then
+                              service_id = resolve_service_id(target_service_id_header)
+                            end
+                          
+                            if service_id then
+                              -- Update the "target-service-id" header with the resolved service ID
+                              handle:headers():replace("target-service-id", service_id)
+                            else
+                              -- Reject the request if the service ID is not found in both subdomain and header
+                              handle:respond(
+                                  {[":status"] = "404"},
+                                  "Not Found: No valid service ID found for subdomain or 'target-service-id' header"
+                              )
+                            end
                           end
-
-                          local host = handle:headers():get(":authority")
-                          local subdomain = string.match(host, "^([^.]+)")
-                          local target_service_id_header = handle:headers():get("target-service-id")
-
-                          -- Function to resolve service ID from a given key
-                          local function resolve_service_id(key)
-                            return _G.subdomain_to_service_id[key]
-                          end
-
-                          -- Attempt to resolve service ID from subdomain
-                          local service_id = resolve_service_id(subdomain)
-
-                          -- If not found, attempt to resolve from "target-service-id" header
-                          if not service_id and target_service_id_header then
-                            service_id = resolve_service_id(target_service_id_header)
-                          end
-                        
-                          if service_id then
-                            -- Update the "target-service-id" header with the resolved service ID
-                            handle:headers():replace("target-service-id", service_id)
-                          else
-                            -- Reject the request if the service ID is not found in both subdomain and header
-                            handle:respond(
-                                {[":status"] = "404"},
-                                "Not Found: No valid service ID found for subdomain or 'target-service-id' header"
-                            )
-                          end
-                        end
                   # Removes the `jwt-user-id` header before forwarding the request to the external authorization filter.
                   # See: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/header_mutation_filter
                   #

diff --git a/local/kubernetes/path-values.yaml b/local/kubernetes/path-values.yaml
@@ -28,15 +28,21 @@ path:
       service:
         type: ClusterIP
 
+  # The PATH service uses the `/healthz` endpoint to check if the service is ready,
+  # which uses the response from the QoS service to determine whether to send a 
+  # 503 (Service Unavailable) or 200 (OK) status code.
+  #
+  # When using PATH with large numbers of services enabled, the QoS service
+  # may take a long time to return a healthy response. Therefore, it is expected
+  # that the readinessProbe may take a large number of attempts to succeed.
   readinessProbe:
-    failureThreshold: 6
+    failureThreshold: 600 # Set to high value to account for the potential long response time of the QoS service.
     httpGet:
       path: /healthz
       port: 3000
       scheme: HTTP
-
   livenessProbe:
-    failureThreshold: 6
+    failureThreshold: 600 # Set to high value to account for the potential long response time of the QoS service.
     httpGet:
       path: /healthz
       port: 3000

diff --git a/router/router.go b/router/router.go
@@ -49,6 +49,8 @@ func (r *router) handleRoutes() {
 	// This depends on the EnvoyProxy behavior in accepting and possibly modifying the request's URL.
 	// * /v1/ - handles service requests
 	r.mux.HandleFunc("/v1/", r.corsMiddleware(r.handleServiceRequest))
+	// * /v1 - handles service requests
+	r.mux.HandleFunc("/v1", r.corsMiddleware(r.handleServiceRequest))
 }
 
 // Start starts the API server on the specified port