From 24fa81de8802d5cfa59b2cd5c7cadd7c245c7bca Mon Sep 17 00:00:00 2001
From: commoddity <47662958+commoddity@users.noreply.github.com>
Date: Fri, 10 Jan 2025 15:03:38 +0000
Subject: [PATCH] fix: small tweaks to improve localnet dev experience (#122)

## Summary

A couple small tweaks to the localnet configuration for improved developer experience.

---------

Co-authored-by: Daniel Olshansky
---
 Tiltfile | 25 +++++------
 envoy/envoy.template.yaml | 71 ++++++++++++++++---------------
 local/kubernetes/path-values.yaml | 12 ++++-
 router/router.go | 2 +
 4 files changed, 60 insertions(+), 50 deletions(-)

diff --git a/Tiltfile b/Tiltfile
index a06e1d5..cd2c6fb 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -103,15 +103,14 @@ else:
             "ratelimit",
             "redis",
         ],
-        port_forwards=["3000:3000"],
     )
 
 if MODE == "path_with_auth":
     # ---------------------------------------------------------------------------- #
     # Envoy Auth Resources #
     # ---------------------------------------------------------------------------- #
-    # 1. External Auth Server #
-    # 2. Envoy Proxy #
+    # 1. Envoy Proxy #
+    # 2. External Auth Server #
     # 3. Path Auth Data Server (PADS) #
     # 4. Rate Limiter #
     # 5. Redis #
@@ -139,7 +138,17 @@ if MODE == "path_with_auth":
         watch=True,
     )
 
-    # 1. Build the External Auth Server image from envoy/auth_server/Dockerfile
+    # 1. Load the Kubernetes YAML for the envoy-proxy service
+    k8s_yaml("./local/kubernetes/envoy-proxy.yaml")
+    k8s_resource(
+        "envoy-proxy",
+        labels=["envoy_auth"],
+        # By default the Envoy Proxy container will bind to 127.0.0.1:3001.
+        # Adding 0.0.0.0 allows it to be accessible from any IP address.
+        port_forwards=["0.0.0.0:3001:3001"],
+    )
+
+    # 2. Build the External Auth Server image from envoy/auth_server/Dockerfile
     docker_build(
         "ext-authz",
         context="./envoy/auth_server",
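Review bot: `port_forwards=["0.0.0.0:3001:3001"]` in the new `envoy-proxy` resource binds the forward on every interface of the developer machine, so the localnet Envoy entry point becomes reachable from any host that can route to it, not only from the local shell. The comment explains the mechanism but not that this is a network exposure, and nothing in the hunk makes it opt-in. Since the file already keys behaviour on `MODE`, an environment-driven switch would keep the default safe, e.g. `bind = "0.0.0.0:" if os.getenv("LOCALNET_EXPOSE_ENVOY") else ""` (constructed variable name) followed by `port_forwards=[bind + "3001:3001"]`. I would also extend the comment to `# 0.0.0.0 exposes the proxy on all host interfaces; intended for localnet only.`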
@@ -155,14 +164,6 @@ if MODE == "path_with_auth":
         resource_deps=["path-auth-data-server"],
     )
 
-    # 2. Load the Kubernetes YAML for the envoy-proxy service
-    k8s_yaml("./local/kubernetes/envoy-proxy.yaml")
-    k8s_resource(
-        "envoy-proxy",
-        labels=["envoy_auth"],
-        port_forwards=["3001:3001"],
-    )
-
     # 3. Load the Kubernetes YAML for the path-auth-data-server service
     k8s_yaml("./local/kubernetes/envoy-pads.yaml")
     k8s_resource(
diff --git a/envoy/envoy.template.yaml b/envoy/envoy.template.yaml
index d265b34..95709f9 100644
--- a/envoy/envoy.template.yaml
+++ b/envoy/envoy.template.yaml
@@ -113,42 +113,43 @@ static_resources:
         - name: envoy.filters.http.lua
           typed_config:
             "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
-            inline_code: |
-              function envoy_on_request(handle)
-                -- Check if the subdomain_to_service_id is already loaded
-                if not _G.subdomain_to_service_id then
-                  -- Load the mapping of subdomains to service IDs from an external file
-                  _G.subdomain_to_service_id = dofile("/etc/envoy/.allowed-services.lua")
+            default_source_code:
+              inline_string: |
+                function envoy_on_request(handle)
+                  -- Check if the subdomain_to_service_id is already loaded
+                  if not _G.subdomain_to_service_id then
+                    -- Load the mapping of subdomains to service IDs from an external file
+                    _G.subdomain_to_service_id = dofile("/etc/envoy/.allowed-services.lua")
+                  end
+
+                  local host = handle:headers():get(":authority")
+                  local subdomain = string.match(host, "^([^.]+)")
+                  local target_service_id_header = handle:headers():get("target-service-id")
+
+                  -- Function to resolve service ID from a given key
+                  local function resolve_service_id(key)
+                    return _G.subdomain_to_service_id[key]
+                  end
+
+                  -- Attempt to resolve service ID from subdomain
+                  local service_id = resolve_service_id(subdomain)
+
+                  -- If not found, attempt to resolve from "target-service-id" header
+                  if not service_id and target_service_id_header then
+                    service_id = resolve_service_id(target_service_id_header)
+                  end
+
+                  if service_id then
+                    -- Update the "target-service-id" header with the resolved service ID
+                    handle:headers():replace("target-service-id", service_id)
+                  else
+                    -- Reject the request if the service ID is not found in both subdomain and header
+                    handle:respond(
+                      {[":status"] = "404"},
+                      "Not Found: No valid service ID found for subdomain or 'target-service-id' header"
+                    )
+                  end
                 end
-
-                local host = handle:headers():get(":authority")
-                local subdomain = string.match(host, "^([^.]+)")
-                local target_service_id_header = handle:headers():get("target-service-id")
-
-                -- Function to resolve service ID from a given key
-                local function resolve_service_id(key)
-                  return _G.subdomain_to_service_id[key]
-                end
-
-                -- Attempt to resolve service ID from subdomain
-                local service_id = resolve_service_id(subdomain)
-
-                -- If not found, attempt to resolve from "target-service-id" header
-                if not service_id and target_service_id_header then
-                  service_id = resolve_service_id(target_service_id_header)
-                end
-
-                if service_id then
-                  -- Update the "target-service-id" header with the resolved service ID
-                  handle:headers():replace("target-service-id", service_id)
-                else
-                  -- Reject the request if the service ID is not found in both subdomain and header
-                  handle:respond(
-                    {[":status"] = "404"},
-                    "Not Found: No valid service ID found for subdomain or 'target-service-id' header"
-                  )
-                end
-              end
         # Removes the `jwt-user-id` header before forwarding the request to the external authorization filter.
         # See: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/header_mutation_filter
         #
diff --git a/local/kubernetes/path-values.yaml b/local/kubernetes/path-values.yaml
index c9d7a24..0bb33e6 100644
--- a/local/kubernetes/path-values.yaml
+++ b/local/kubernetes/path-values.yaml
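Review bot: `string.match(host, "^([^.]+)")` raises a Lua error when `:authority` is absent, because `handle:headers():get` returns nil for a missing header and `string.match` does not accept a nil subject; the commit only moves the script from `inline_code` to `default_source_code.inline_string`, so the gap is carried over unchanged. A one-line guard keeps the header fallback reachable: `local host = handle:headers():get(":authority") or ""`. The same applies to `dofile("/etc/envoy/.allowed-services.lua")`, which throws on every request if the file is missing or malformed instead of failing once with a clear log line; wrapping the load in `pcall`, logging the error and responding with a 500 would make that failure mode explicit. Whether Envoy ever hands this filter a request with no `:authority` depends on codec settings not visible here, so treat the guard as defensive rather than as a fix for an observed failure.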
@@ -28,15 +28,21 @@ path:
   service:
     type: ClusterIP
 
+  # The PATH service uses the `/healthz` endpoint to check if the service is ready,
+  # which uses the response from the QoS service to determine whether to send a
+  # 503 (Service Unavailable) or 200 (OK) status code.
+  #
+  # When using PATH with large numbers of services enabled, the QoS service
+  # may take a long time to return a healthy response. Therefore, it is expected
+  # that the readinessProbe may take a large number of attempts to succeed.
   readinessProbe:
-    failureThreshold: 6
+    failureThreshold: 600 # Set to high value to account for the potential long response time of the QoS service.
     httpGet:
       path: /healthz
       port: 3000
       scheme: HTTP
-
   livenessProbe:
-    failureThreshold: 6
+    failureThreshold: 600 # Set to high value to account for the potential long response time of the QoS service.
     httpGet:
       path: /healthz
       port: 3000
diff --git a/router/router.go b/router/router.go
index 6046fa9..d641f0d 100644
--- a/router/router.go
+++ b/router/router.go
@@ -49,6 +49,8 @@ func (r *router) handleRoutes() {
 	// This depends on the EnvoyProxy behavior in accepting and possibly modifying the request's URL.
 	// * /v1/ - handles service requests
 	r.mux.HandleFunc("/v1/", r.corsMiddleware(r.handleServiceRequest))
+	// * /v1 - handles service requests
+	r.mux.HandleFunc("/v1", r.corsMiddleware(r.handleServiceRequest))
 }
 
 // Start starts the API server on the specified port
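Review bot: `failureThreshold: 600` on `livenessProbe` effectively disables liveness restarts — with the default 10s `periodSeconds` a wedged pod would only be restarted after roughly 100 minutes — while the new comment block only justifies the long wait for readiness. Readiness is the right probe to stretch; for a slow-starting container the Kubernetes mechanism is a `startupProbe` carrying the large `failureThreshold`, after which the ordinary `livenessProbe` with `failureThreshold: 6` takes over. If `/healthz` genuinely depends on the QoS service, the liveness probe should point at an endpoint that does not, otherwise a slow upstream is indistinguishable from a dead process and neither will be recovered in a useful time.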
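Review bot: the added comment `// * /v1 - handles service requests` repeats the line above it without saying why a second registration is needed, which is the one thing a reader of this hunk will wonder about. With `http.ServeMux`, registering the subtree pattern `/v1/` makes a request for the bare path `/v1` answer with a 301 redirect to `/v1/`, and a JSON-RPC client issuing a POST will not replay its body through that redirect, so the exact-match pattern is what avoids the failure. Suggest `// * /v1 - exact match, registered so ServeMux does not 301-redirect a bare /v1 to /v1/ (the redirect would drop a POST body)`. handleRoutes starts before the hunk's first line.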