From 3191dbb769a28d04658479207a5aeb3c4bfd60fe Mon Sep 17 00:00:00 2001 From: apichick Date: Thu, 2 Nov 2023 09:37:17 +0100 Subject: [PATCH] Added envoy as SNI dynamic forward proxy to cloud-config-container --- .../envoy-sni-dyn-fwd-proxy/README.md | 57 +++++++++++++++++++ .../envoy-sni-dyn-fwd-proxy/files/envoy.yaml | 56 ++++++++++++++++++ .../envoy-sni-dyn-fwd-proxy/main.tf | 44 ++++++++++++++ .../envoy-sni-dyn-fwd-proxy/outputs.tf | 20 +++++++ .../envoy-sni-dyn-fwd-proxy/variables.tf | 20 +++++++ .../envoy-sni-dyn-fwd-proxy/versions.tf | 28 +++++++++ 6 files changed, 225 insertions(+) create mode 100644 modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/README.md create mode 100644 modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/files/envoy.yaml create mode 100644 modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/main.tf create mode 100644 modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/outputs.tf create mode 100644 modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/variables.tf create mode 100644 modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf diff --git a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/README.md b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/README.md new file mode 100644 index 0000000000..76d1b19d4c --- /dev/null +++ b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/README.md 
@@ -0,0 +1,57 @@
+# Containerized Envoy as SNI dynamic forward proxy on Container Optimized OS
+
+This module manages a `cloud-config` configuration that starts a containerized [Envoy SNI Dynamic forward proxy]https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter) service on Container Optimized OS running on port 443.
+
+This module depends on the cos-generic-metadata module being in the parent folder. If you change its location be sure to adjust the source attribute in main.tf.
+
+Logging and monitoring are enabled via the [Google Cloud Logging agent](https://cloud.google.com/container-optimized-os/docs/how-to/logging) configured for the instance via the `google-logging-enabled` metadata property, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
+
+## Examples
+
+### Default configuration
+
+This example will create a `cloud-config` that uses the module's defaults, creating a simple hello web server showing host name and request id.
+
+```hcl
+module "cos-envoy-sni-dyn-fwd-proxy" {
+ source = "./fabric/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy"
+ envoy_image = "envoyproxy/envoy:v1.28-latest"
+}
+
+module "vm-envoy-sni-dyn-fwd-proxy" {
+ source = "./fabric/modules/compute-vm"
+ project_id = "my-project"
+ zone = "europe-west8-b"
+ name = "cos-envoy-sni-dyn-fw-proxy"
+ network_interfaces = [{
+ network = "default"
+ subnetwork = "gce"
+ }]
+ metadata = {
+ user-data = module.cos-envoy-sni-dyn-fwd-proxy.cloud_config
+ google-logging-enabled = true
+ }
+ boot_disk = {
+ initialize_params = {
+ image = "projects/cos-cloud/global/images/family/cos-stable"
+ type = "pd-ssd"
+ size = 10
+ }
+ }
+ tags = ["https-server", "ssh"]
+}
+# tftest modules=1 resources=1
+```
+
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---:|:---:|:---:|
+| [envoy_image](variables.tf#L17) | Image. | string | ✓ | |
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | |
+
diff --git a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/files/envoy.yaml b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/files/envoy.yaml
new file mode 100644
index 0000000000..55a5e08fb1
--- /dev/null
+++ b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/files/envoy.yaml
@@ -0,0 +1,56 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +admin: + address: + socket_address: + protocol: TCP + address: 127.0.0.1 + port_value: 9991 +static_resources: + listeners: + - name: listener + address: + socket_address: + protocol: TCP + address: 0.0.0.0 + port_value: 8443 + listener_filters: + - name: envoy.filters.listener.tls_inspector + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + filter_chains: + - filters: + - name: envoy.filters.network.sni_dynamic_forward_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig + port_value: 443 + dns_cache_config: + name: dynamic_forward_proxy_cache_config + dns_lookup_family: V4_ONLY + - name: envoy.tcp_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + stat_prefix: tcp + cluster: dynamic_forward_proxy_cluster + clusters: + - name: dynamic_forward_proxy_cluster + lb_policy: CLUSTER_PROVIDED + cluster_type: + name: envoy.clusters.dynamic_forward_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig + dns_cache_config: + name: dynamic_forward_proxy_cache_config + dns_lookup_family: V4_ONLY% 
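Review bot: The only filter chain under `filter_chains:` has no `filter_chain_match`, so any client that can reach the listener (port 443 after the REDIRECT in main.tf) can make Envoy open a TCP connection to whatever hostname it places in the SNI, including internal hosts that resolve in the VM's DNS — the instance becomes an open SNI relay from its own network position. Unless an unrestricted proxy is intended, put an allowlist on the chain, e.g. `- filter_chain_match:` / `    server_names: ["*.example.com"]` directly above `filters:`, and leave no match-less chain so unlisted SNI is rejected; the README example also attaches the `https-server` tag, which on a default network presumably exposes 443 beyond the VPC, so the allowlist or a firewall source restriction is what stands between this and the internet. No explicit `idle_timeout` is set on the `tcp_proxy` filter and no circuit breakers on the cluster, so the defaults decide how many half-open client connections the VM will hold; a comment above `listeners:` such as `# NOTE: no SNI allowlist — this proxy forwards to any hostname a client names; deploy only behind a source-restricted firewall` would at least make the trust assumption visible. The trailing `%` after `V4_ONLY` looks like a shell prompt artifact from a missing final newline rather than YAML; worth confirming the committed file does not contain it.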
diff --git a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/main.tf b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/main.tf
new file mode 100644
index 0000000000..f0b7cdfb2c
--- /dev/null
+++ b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/main.tf
@@ -0,0 +1,44 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "cos-envoy" {
+ source = "../cos-generic-metadata"
+ container_image = var.envoy_image
+ container_name = "envoy"
+ container_args = "-c /etc/envoy/envoy.yaml --log-level info --allow-unknown-static-fields"
+ container_volumes = [
+ { host = "/etc/envoy/", container = "/etc/envoy/" }
+ ]
+ docker_args = "--network host --pid host"
+ files = {
+ "/etc/envoy/envoy.yaml" = {
+ content = file("${path.module}/files/envoy.yaml")
+ owner = "root"
+ permissions = "0644"
+ }
+ }
+ run_commands = [
+ "iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443",
+ "iptables -A INPUT -p tcp --dport 8443 -j ACCEPT",
+ "iptables -t mangle -I PREROUTING -p tcp --dport 8443 -j DROP",
+ "systemctl daemon-reload",
+ "systemctl start envoy",
+ ]
+ users = [{
+ username = "envoy",
+ uid = 1337
+ }]
+}
diff --git a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/outputs.tf b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/outputs.tf
new file mode 100644
index 0000000000..417c73e7d7
--- /dev/null
+++ b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/outputs.tf
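Review bot: `docker_args = "--network host --pid host"` hands the Envoy container the host PID namespace, which nothing in this module appears to need — host networking is all the iptables REDIRECT to 8443 relies on — and which lets a compromised proxy process see and signal every host process; unless there is a reason not visible here, reduce it to `docker_args = "--network host"`. The `users` entry creates uid 1337 on the host, but nothing in this hunk passes `--user` to the container, so whether Envoy actually runs as that unprivileged user depends on `cos-generic-metadata` and the image default; worth confirming and stating in a comment above `users`. The `run_commands` deserve a why-comment too: the `-t mangle -I PREROUTING ... --dport 8443 -j DROP` rule blocks direct hits on 8443 while traffic redirected from 443 passes because mangle PREROUTING sees the original port, whereas the `-A INPUT ... -j ACCEPT` is appended and would be dead if the COS INPUT chain already ends in a terminal rule — hedged, since the base ruleset is not visible here. Inconsistent use of `-A` and `-I` across the three rules also makes the intended ordering harder to read.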
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "cloud_config" {
+ description = "Rendered cloud-config file to be passed as user-data instance metadata."
+ value = module.cos-envoy.cloud_config
+}
diff --git a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/variables.tf b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/variables.tf
new file mode 100644
index 0000000000..3868a17424
--- /dev/null
+++ b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/variables.tf
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "envoy_image" {
+ description = "Image."
+ type = string
+}
diff --git a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
new file mode 100644
index 0000000000..0a97638929
--- /dev/null
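Review bot: The description `Image.` on `envoy_image` tells a caller nothing about the expected format or about the supply-chain implication of a floating tag; the README example uses `envoyproxy/envoy:v1.28-latest`, a moving tag, so the Envoy build that ends up on each rebooted instance is not reproducible or tamper-evident. Suggest `description = "Envoy container image reference (e.g. envoyproxy/envoy:<tag>); prefer pinning by digest (image@sha256:...) so every instance runs a known build."`, and optionally a `validation` block rejecting an empty string so a misconfigured caller fails at plan time rather than at boot. This is the whole `envoy_image` variable; the hunk adds no other variables.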
+++ b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
@@ -0,0 +1,28 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+ required_version = ">= 1.4.4"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 5.0.0, < 6.0.0" # tftest
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = ">= 5.0.0, < 6.0.0" # tftest
+ }
+ }
+}
+