feat: WIP envoy into the image

ansible/files/adminapi.sudoers.conf

@@ -2,6 +2,7 @@ Cmnd_Alias KONG = /bin/systemctl start kong.service, /bin/systemctl stop kong.se
 Cmnd_Alias POSTGREST = /bin/systemctl start postgrest.service, /bin/systemctl stop postgrest.service, /bin/systemctl restart postgrest.service, /bin/systemctl disable postgrest.service, /bin/systemctl enable postgrest.service
 Cmnd_Alias GOTRUE = /bin/systemctl start gotrue.service, /bin/systemctl stop gotrue.service, /bin/systemctl restart gotrue.service, /bin/systemctl disable gotrue.service, /bin/systemctl enable gotrue.service
 Cmnd_Alias PGBOUNCER = /bin/systemctl start pgbouncer.service, /bin/systemctl stop pgbouncer.service, /bin/systemctl restart pgbouncer.service, /bin/systemctl disable pgbouncer.service, /bin/systemctl enable pgbouncer.service, /bin/systemctl reload pgbouncer.service
+Cmnd_Alias ENVOY = /bin/systemctl start envoy.service, /bin/systemctl stop envoy.service, /bin/systemctl restart envoy.service, /bin/systemctl disable envoy.service, /bin/systemctl enable envoy.service, /bin/systemctl reload envoy.service
 
 %adminapi ALL= NOPASSWD: /root/grow_fs.sh
 %adminapi ALL= NOPASSWD: /root/manage_readonly_mode.sh
@@ -24,3 +25,4 @@ Cmnd_Alias PGBOUNCER = /bin/systemctl start pgbouncer.service, /bin/systemctl st
 %adminapi ALL= NOPASSWD: POSTGREST
 %adminapi ALL= NOPASSWD: GOTRUE
 %adminapi ALL= NOPASSWD: PGBOUNCER
+%adminapi ALL= NOPASSWD: ENVOY

ansible/files/envoy_config/envoy.service.j2

@@ -0,0 +1,22 @@
+Description=Envoy Proxy Server
+After=postgrest.service gotrue.service adminapi.service
+Wants=postgrest.service gotrue.service adminapi.service
+
+[Service]
+Type=simple
+#ExecStart=/opt/envoy/envoy --config-path /opt/envoy/envoy.yml
+ExecStart=/usr/bin/bash -c '/opt/envoy/envoy --config-path /opt/envoy/envoy.yml'
+User=envoy
+
+Slice=envoy.slice
+Restart=always
+RestartSec=3
+LimitNOFILE=100000
+
+# The envoy user is unpriviledged and thus not permited to bind on ports < 1024
+# Via systemd we grant the process a set of priviledges to bind to 80/443
+# See http://archive.vn/36zJU
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target

ansible/files/envoy_config/envoy.yml

@@ -0,0 +1,103 @@
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address: { address: 0.0.0.0, port_value: 443 }
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          stat_prefix: ingress_http
+          codec_type: AUTO
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: local_service
+              domains: ["*"]
+              routes:
+              - match:
+                  prefix: "/health"
+                direct_response:
+                  status: 200
+                  body:
+                    inline_string: "Healthy"
+              - match:
+                  prefix: "/rest/v1/"
+                  headers:
+                  - name: apikey
+                    string_match:
+                      exact: '{{ supabase-api-key-2020-07-28 }}'
+                route:
+                  cluster: rest
+                  prefix_rewrite: "/"
+              - match:
+                  prefix: "/auth/v1/admin/"
+                  headers:
+                  - name: apikey
+                    string_match:
+                      exact: '{{ supabase-api-key-2020-07-28 }}'
+                route:
+                  cluster: gotrue
+                  prefix_rewrite: "/"
+              - match:
+                  prefix: "/auth/v1/"
+                route:
+                  cluster: gotrue
+                  prefix_rewrite: "/"
+              - match:
+                  prefix: "/pg/"
+                  headers:
+                  - name: apikey
+                    string_match:
+                      exact: '{{ supabase-api-key-2020-07-28 }}'
+                route:
+                  cluster: pg-v1
+                  prefix_rewrite: "/"
+          http_filters:
+          - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+  clusters:
+  - name: gotrue
+    connect_timeout: 0.25s
+    type: STATIC
+    lb_policy: ROUND_ROBIN
+    load_assignment:
+      cluster_name: gotrue
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: 127.0.0.1
+                port_value: 9998
+
+  - name: rest
+    connect_timeout: 0.25s
+    type: STATIC
+    lb_policy: ROUND_ROBIN
+    load_assignment:
+      cluster_name: rest
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: 127.0.0.1
+                port_value: 3000
+
+  - name: pg-v1
+    connect_timeout: 0.25s
+    type: STATIC
+    lb_policy: ROUND_ROBIN
+    load_assignment:
+      cluster_name: pg-v1
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: 127.0.0.1
+                port_value: 1337

ansible/playbook.yml

@@ -56,6 +56,11 @@
       tags:
         - install-supabase-internal
 
+    - name: Install Envoy
+      import_tasks: tasks/setup-envoy.yml
+      tags:
+        - install-supabase-internal
+
     - name: Install nginx
       import_tasks: tasks/setup-nginx.yml
       tags:

ansible/tasks/internal/admin-api.yml

@@ -1,7 +1,7 @@
 - name: adminapi - system user
   user:
     name: adminapi
-    groups: root,admin,kong,pgbouncer,postgres,postgrest,systemd-journal,wal-g
+    groups: root,admin,kong,envoy,pgbouncer,postgres,postgrest,systemd-journal,wal-g
     append: yes
 
 - name: Move shell scripts to /root dir

ansible/tasks/setup-envoy.yml

@@ -0,0 +1,48 @@
+- name: Envoy - system user
+  user: name=envoy
+
+- name: envoy - create /opt/envoy
+  file:
+    path: /opt/envoy
+    state: directory
+    owner: envoy
+    mode: 0775
+
+- name: Envoy - download binary
+  get_url:
+    url: "https://github.com/envoyproxy/envoy/releases/download/v{{ envoy_release }}/envoy-{{ envoy_release }}-linux-aarch_64"
+    dest: /opt/envoy/envoy
+    checksum: "{{ envoy_release_checksum }}"
+
+- name: Envoy - add execution bit to binary
+  file:
+    path: /opt/envoy/envoy
+    state: file
+    owner: envoy
+    mode: u+rwx
+
+- name: Envoy - copy basic conf
+  copy:
+    src: files/envoy_config/envoy.yml
+    dest: /opt/envoy/envoy.yml
+
+# [warn] ulimit is currently set to "1024". For better performance set it to at least
+# "4096" using "ulimit -n"
+- name: Envoy - bump up ulimit
+  pam_limits:
+    limit_item: nofile
+    limit_type: soft
+    domain: envoy
+    value: "4096"
+
+- name: Envoy - create service file
+  template:
+    src: files/envoy_config/envoy.service.j2
+    dest: /etc/systemd/system/envoy.service
+
+- name: Envoy - disable service
+  systemd:
+    enabled: no
+    name: envoy
+    state: stopped
+    daemon_reload: yes

ansible/vars.yml

@@ -28,6 +28,9 @@ kong_release_target: focal # if it works, it works
 kong_deb: kong_2.8.1_arm64.deb
 kong_deb_checksum: sha1:2086f6ccf8454fe64435252fea4d29d736d7ec61
 
+envoy_release: "1.26.0"
+envoy_release_checksum: sha1:57d5bb8bfbc66d7ba4705b98ddab9ddebc069708
+
 nginx_release: 1.22.0
 nginx_release_checksum: sha1:419efb77b80f165666e2ee406ad8ae9b845aba93
 

common.vars.pkr.hcl

@@ -1 +1 @@
-postgres-version = "15.1.0.115"
+postgres-version = "15.1.0.115-envoy-rc9"