From 9ddeeb4f87d28d439feba52bb7325ff25ca9fece Mon Sep 17 00:00:00 2001
From: Patrick Ballard
Date: Wed, 30 Aug 2023 16:21:34 -0400
Subject: [PATCH] feat: WIP envoy into the image

---
 ansible/files/adminapi.sudoers.conf | 2 +
 ansible/files/envoy_config/envoy.service.j2 | 22 +++++
 ansible/files/envoy_config/envoy.yml | 103 ++++++++++++++++++++
 ansible/playbook.yml | 5 +
 ansible/tasks/internal/admin-api.yml | 2 +-
 ansible/tasks/setup-envoy.yml | 48 +++++++++
 ansible/vars.yml | 3 +
 common.vars.pkr.hcl | 2 +-
 8 files changed, 185 insertions(+), 2 deletions(-)
 create mode 100644 ansible/files/envoy_config/envoy.service.j2
 create mode 100644 ansible/files/envoy_config/envoy.yml
 create mode 100644 ansible/tasks/setup-envoy.yml

diff --git a/ansible/files/adminapi.sudoers.conf b/ansible/files/adminapi.sudoers.conf
index fa7dae900..03198589d 100644
--- a/ansible/files/adminapi.sudoers.conf
+++ b/ansible/files/adminapi.sudoers.conf
@@ -2,6 +2,7 @@ Cmnd_Alias KONG = /bin/systemctl start kong.service, /bin/systemctl stop kong.se
 Cmnd_Alias POSTGREST = /bin/systemctl start postgrest.service, /bin/systemctl stop postgrest.service, /bin/systemctl restart postgrest.service, /bin/systemctl disable postgrest.service, /bin/systemctl enable postgrest.service
 Cmnd_Alias GOTRUE = /bin/systemctl start gotrue.service, /bin/systemctl stop gotrue.service, /bin/systemctl restart gotrue.service, /bin/systemctl disable gotrue.service, /bin/systemctl enable gotrue.service
 Cmnd_Alias PGBOUNCER = /bin/systemctl start pgbouncer.service, /bin/systemctl stop pgbouncer.service, /bin/systemctl restart pgbouncer.service, /bin/systemctl disable pgbouncer.service, /bin/systemctl enable pgbouncer.service, /bin/systemctl reload pgbouncer.service
+Cmnd_Alias ENVOY = /bin/systemctl start envoy.service, /bin/systemctl stop envoy.service, /bin/systemctl restart envoy.service, /bin/systemctl disable envoy.service, /bin/systemctl enable envoy.service, /bin/systemctl reload envoy.service
 
 %adminapi ALL= NOPASSWD: /root/grow_fs.sh
 %adminapi ALL= NOPASSWD: /root/manage_readonly_mode.sh
@@ -24,3 +25,4 @@ Cmnd_Alias PGBOUNCER = /bin/systemctl start pgbouncer.service, /bin/systemctl st
 %adminapi ALL= NOPASSWD: POSTGREST
 %adminapi ALL= NOPASSWD: GOTRUE
 %adminapi ALL= NOPASSWD: PGBOUNCER
+%adminapi ALL= NOPASSWD: ENVOY
diff --git a/ansible/files/envoy_config/envoy.service.j2 b/ansible/files/envoy_config/envoy.service.j2
new file mode 100644
index 000000000..263cb029b
--- /dev/null
+++ b/ansible/files/envoy_config/envoy.service.j2
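Review bot: The new ENVOY alias grants `/bin/systemctl reload envoy.service`, but the unit file added by this same commit (ansible/files/envoy_config/envoy.service.j2) defines no `ExecReload=`, so that invocation will be refused by systemd as not applicable rather than reload anything. Either drop `reload` from the alias until the unit gains an `ExecReload=`, or add the reload handler to the unit in the same change so the granted command actually works. The second hunk's `%adminapi ALL= NOPASSWD: ENVOY` line otherwise mirrors the existing PGBOUNCER grant and is consistent with the file.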
@@ -0,0 +1,22 @@
+Description=Envoy Proxy Server
+After=postgrest.service gotrue.service adminapi.service
+Wants=postgrest.service gotrue.service adminapi.service
+
+[Service]
+Type=simple
+#ExecStart=/opt/envoy/envoy --config-path /opt/envoy/envoy.yml
+ExecStart=/usr/bin/bash -c '/opt/envoy/envoy --config-path /opt/envoy/envoy.yml'
+User=envoy
+
+Slice=envoy.slice
+Restart=always
+RestartSec=3
+LimitNOFILE=100000
+
+# The envoy user is unpriviledged and thus not permited to bind on ports < 1024
+# Via systemd we grant the process a set of priviledges to bind to 80/443
+# See http://archive.vn/36zJU
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible/files/envoy_config/envoy.yml b/ansible/files/envoy_config/envoy.yml
new file mode 100644
index 000000000..9a3f41d6a
--- /dev/null
+++ b/ansible/files/envoy_config/envoy.yml
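Review bot: The first three lines (`Description=`, `After=`, `Wants=`) have no `[Unit]` section header above them, so systemd treats them as assignments outside any section and ignores them — the ordering against postgrest/gotrue/adminapi is silently lost; add `[Unit]` as the first line of the template. Because the unit hands the process `AmbientCapabilities=CAP_NET_BIND_SERVICE`, it is worth pairing that with `CapabilityBoundingSet=CAP_NET_BIND_SERVICE`, `NoNewPrivileges=true` and `ProtectSystem=strict` so a compromised proxy gets nothing beyond the bind privilege. The `/usr/bin/bash -c '...'` wrapper on `ExecStart=` puts a shell between systemd and the binary for no reason visible here; the commented-out direct `ExecStart=/opt/envoy/envoy --config-path /opt/envoy/envoy.yml` line above it is the better form, and the wrapper also means signals from systemd reach bash rather than envoy unless bash execs it. Minor: the file is a `.j2` template yet contains no Jinja expressions, and the capability comment should read "unprivileged", "permitted" and "privileges".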
@@ -0,0 +1,103 @@ +static_resources: + listeners: + - name: listener_0 + address: + socket_address: { address: 0.0.0.0, port_value: 443 } + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + codec_type: AUTO + route_config: + name: local_route + virtual_hosts: + - name: local_service + domains: ["*"] + routes: + - match: + prefix: "/health" + direct_response: + status: 200 + body: + inline_string: "Healthy" + - match: + prefix: "/rest/v1/" + headers: + - name: apikey + string_match: + exact: '{{ supabase-api-key-2020-07-28 }}' + route: + cluster: rest + prefix_rewrite: "/" + - match: + prefix: "/auth/v1/admin/" + headers: + - name: apikey + string_match: + exact: '{{ supabase-api-key-2020-07-28 }}' + route: + cluster: gotrue + prefix_rewrite: "/" + - match: + prefix: "/auth/v1/" + route: + cluster: gotrue + prefix_rewrite: "/" + - match: + prefix: "/pg/" + headers: + - name: apikey + string_match: + exact: '{{ supabase-api-key-2020-07-28 }}' + route: + cluster: pg-v1 + prefix_rewrite: "/" + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + clusters: + - name: gotrue + connect_timeout: 0.25s + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: gotrue + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 9998 + + - name: rest + connect_timeout: 0.25s + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: rest + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 3000 + + - name: pg-v1 + connect_timeout: 0.25s + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: pg-v1 + endpoints: + - lb_endpoints: + - endpoint: 
+ address: + socket_address: + address: 127.0.0.1 + port_value: 1337 diff --git a/ansible/playbook.yml b/ansible/playbook.yml index ececf09b9..ea4058abd 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml @@ -56,6 +56,11 @@ tags: - install-supabase-internal + - name: Install Envoy + import_tasks: tasks/setup-envoy.yml + tags: + - install-supabase-internal + - name: Install nginx import_tasks: tasks/setup-nginx.yml tags: diff --git a/ansible/tasks/internal/admin-api.yml b/ansible/tasks/internal/admin-api.yml index fe40d6f46..4c3334921 100644 --- a/ansible/tasks/internal/admin-api.yml +++ b/ansible/tasks/internal/admin-api.yml @@ -1,7 +1,7 @@ - name: adminapi - system user user: name: adminapi - groups: root,admin,kong,pgbouncer,postgres,postgrest,systemd-journal,wal-g + groups: root,admin,kong,envoy,pgbouncer,postgres,postgrest,systemd-journal,wal-g append: yes - name: Move shell scripts to /root dir diff --git a/ansible/tasks/setup-envoy.yml b/ansible/tasks/setup-envoy.yml new file mode 100644 index 000000000..b9371aedf --- /dev/null +++ b/ansible/tasks/setup-envoy.yml 
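Review bot: The three `apikey` header matches (`/rest/v1/`, `/auth/v1/admin/`, `/pg/`) compare against the literal string `{{ supabase-api-key-2020-07-28 }}`, and nothing ever substitutes it: tasks/setup-envoy.yml in this commit installs envoy.yml with the `copy` module rather than `template`, and even under `template` a hyphenated name is not a valid Jinja identifier. As written those routes are reachable only by a client that sends the placeholder text verbatim as its apikey, which is an accidental fixed credential rather than the intended key check; render the file with `template:` and a real variable, e.g. `exact: '{{ envoy_api_key }}'` (constructed name), or remove the header match until the key source is wired in. Separately, `listener_0` binds `0.0.0.0:443` with no `transport_socket`, so port 443 serves plaintext HTTP; either add a TLS transport socket or bind to whatever local port the TLS terminator in front of Envoy forwards to. The plain `/auth/v1/` route carries no apikey requirement while its siblings do — if that is deliberate (public GoTrue endpoints), a one-line comment on that route saying so would stop the next reader from "fixing" it.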
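Review bot: Adding `envoy` to adminapi's supplementary `groups` requires that group to exist when this task runs, and the group is only created by `user: name=envoy` in tasks/setup-envoy.yml; if the admin-api tasks run before the new "Install Envoy" import in playbook.yml (the relative order is not visible in this diff), the `user` module fails with an unknown-group error. Either place the Envoy task before the admin-api task in playbook.yml, or create the envoy user/group in an earlier shared task so both orderings work.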
@@ -0,0 +1,48 @@ +- name: Envoy - system user + user: name=envoy + +- name: envoy - create /opt/envoy + file: + path: /opt/envoy + state: directory + owner: envoy + mode: 0775 + +- name: Envoy - download binary + get_url: + url: "https://github.com/envoyproxy/envoy/releases/download/v{{ envoy_release }}/envoy-{{ envoy_release }}-linux-aarch_64" + dest: /opt/envoy/envoy + checksum: "{{ envoy_release_checksum }}" + +- name: Envoy - add execution bit to binary + file: + path: /opt/envoy/envoy + state: file + owner: envoy + mode: u+rwx + +- name: Envoy - copy basic conf + copy: + src: files/envoy_config/envoy.yml + dest: /opt/envoy/envoy.yml + +# [warn] ulimit is currently set to "1024". For better performance set it to at least +# "4096" using "ulimit -n" +- name: Envoy - bump up ulimit + pam_limits: + limit_item: nofile + limit_type: soft + domain: envoy + value: "4096" + +- name: Envoy - create service file + template: + src: files/envoy_config/envoy.service.j2 + dest: /etc/systemd/system/envoy.service + +- name: Envoy - disable service + systemd: + enabled: no + name: envoy + state: stopped + daemon_reload: yes diff --git a/ansible/vars.yml b/ansible/vars.yml index 18d4d1e00..246ee1a82 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml @@ -28,6 +28,9 @@ kong_release_target: focal # if it works, it works kong_deb: kong_2.8.1_arm64.deb kong_deb_checksum: sha1:2086f6ccf8454fe64435252fea4d29d736d7ec61 +envoy_release: "1.26.0" +envoy_release_checksum: sha1:57d5bb8bfbc66d7ba4705b98ddab9ddebc069708 + nginx_release: 1.22.0 nginx_release_checksum: sha1:419efb77b80f165666e2ee406ad8ae9b845aba93 diff --git a/common.vars.pkr.hcl b/common.vars.pkr.hcl index f9cee1202..e012c6483 100644 --- a/common.vars.pkr.hcl +++ b/common.vars.pkr.hcl @@ -1 +1 @@ -postgres-version = "15.1.0.115" +postgres-version = "15.1.0.115-envoy-rc9"
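Review bot: The envoy service user is made owner of its own binary (`owner: envoy` with `mode: u+rwx` on /opt/envoy/envoy) and of /opt/envoy (`owner: envoy`, `mode: 0775`), so a compromise of the proxy process lets it replace the executable and the config it is restarted with; install both owned by root with `mode: "0755"` on the binary, `mode: "0644"` on envoy.yml and `mode: "0755"` on the directory, leaving envoy read-only access. `mode: 0775` should also be quoted: unquoted it is parsed by YAML 1.1 loaders as the integer 509 (0o775) and only works because the leading zero happens to make it octal, whereas `"0775"` is the form Ansible documents and matches the already-quoted `value: "4096"` below. The download is pinned via `checksum: "{{ envoy_release_checksum }}"`, which vars.yml sets as a `sha1:` digest; `get_url` also accepts `sha256:`, so if the upstream release publishes sha256 sums, prefer those for the integrity check. Finally, `user: name=envoy` uses the key=value shorthand — write it as block YAML like the other tasks in this file (`user:` / `  name: envoy`), and note that `copy:` for envoy.yml means any Jinja placeholders in that file are never rendered.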