# fluffy-octo-telegram

Simple gRPC app implementing Envoy's external authorization (`ext_authz`) protocol for client authorization: it serves the `Authorization.Check` RPC that Envoy calls with a `CheckRequest` for each request the filter applies to.

Currently it simply logs information about each incoming request (the `CheckRequest` attributes), as in the debug output below:

```text
[pod/fluffy-octo-telegram-grpc-app-68b5b5ff64-r4qs9/fluffy-octo-telegram-grpc-app] time="2021-04-29T01:21:57Z" level=debug msg="request attributes.Request: time:{seconds:1619659317 nanos:447016000} http:{id:\"15956125687004427156\" method:\"GET\" headers:{key:\":authority\" value:\"api.shipperizer.org\"} headers:{key:\":method\" value:\"GET\"} headers:{key:\":path\" value:\"/api/v0/status\"} headers:{key:\":scheme\" value:\"https\"} headers:{key:\"accept-encoding\" value:\"gzip\"} headers:{key:\"content-type\" value:\"text/html\"} headers:{key:\"user-agent\" value:\"hey/0.0.1\"} headers:{key:\"x-envoy-internal\" value:\"true\"} headers:{key:\"x-forwarded-for\" value:\"192.168.86.1\"} headers:{key:\"x-forwarded-proto\" value:\"https\"} headers:{key:\"x-request-id\" value:\"e883eb25-6763-4bce-889e-797ecc562482\"} path:\"/api/v0/status\" host:\"api.shipperizer.org\" scheme:\"https\" protocol:\"HTTP/1.1\"}"
[pod/fluffy-octo-telegram-grpc-app-68b5b5ff64-r4qs9/fluffy-octo-telegram-grpc-app] time="2021-04-29T01:21:57Z" level=debug msg="request attributes.Source: address:{socket_address:{address:\"192.168.86.1\" port_value:57755}}"
[pod/fluffy-octo-telegram-grpc-app-68b5b5ff64-r4qs9/fluffy-octo-telegram-grpc-app] time="2021-04-29T01:21:57Z" level=debug msg="request attributes.ContextExtension: map[]"
[pod/fluffy-octo-telegram-grpc-app-68b5b5ff64-r4qs9/fluffy-octo-telegram-grpc-app] time="2021-04-29T01:21:57Z" level=debug msg="request attributes.Destination: address:{socket_address:{address:\"10.42.0.101\" port_value:8443}} principal:\"api.shipperizer.org\""
[pod/fluffy-octo-telegram-grpc-app-68b5b5ff64-r4qs9/fluffy-octo-telegram-grpc-app] time="2021-04-29T01:21:57Z" level=debug msg="request attributes.MetadataContext: "
[pod/fluffy-octo-telegram-grpc-app-68b5b5ff64-r4qs9/fluffy-octo-telegram-grpc-app] time="2021-04-29T01:21:57Z" level=debug msg="request attributes.Request: time:{seconds:1619659317 nanos:321078000} http:{id:\"1329126468091730213\" method:\"GET\" headers:{key:\":authority\" value:\"api.shipperizer.org\"} headers:{key:\":method\" value:\"GET\"} headers:{key:\":path\" value:\"/api/v0/status\"} headers:{key:\":scheme\" value:\"https\"} headers:{key:\"accept-encoding\" value:\"gzip\"} headers:{key:\"content-type\" value:\"text/html\"} headers:{key:\"user-agent\" value:\"hey/0.0.1\"} headers:{key:\"x-envoy-internal\" value:\"true\"} headers:{key:\"x-forwarded-for\" value:\"192.168.86.1\"} headers:{key:\"x-forwarded-proto\" value:\"https\"} headers:{key:\"x-request-id\" value:\"ba15b8d3-d828-418a-923b-1c8daae4b43d\"} path:\"/api/v0/status\" host:\"api.shipperizer.org\" scheme:\"https\" protocol:\"HTTP/1.1\"}"
[pod/fluffy-octo-telegram-grpc-app-68b5b5ff64-r4qs9/fluffy-octo-telegram-grpc-app] time="2021-04-29T01:21:57Z" level=debug msg="request attributes.Source: address:{socket_address:{address:\"192.168.86.1\" port_value:57731}}"
[pod/fluffy-octo-telegram-grpc-app-68b5b5ff64-r4qs9/fluffy-octo-telegram-grpc-app] time="2021-04-29T01:21:57Z" level=debug msg="request attributes.ContextExtension: map[]"
[pod/fluffy-octo-telegram-grpc-app-68b5b5ff64-r4qs9/fluffy-octo-telegram-grpc-app] time="2021-04-29T01:21:57Z" level=debug msg="request attributes.Destination: address:{socket_address:{address:\"10.42.0.101\" port_value:8443}} principal:\"api.shipperizer.org\""
[pod/fluffy-octo-telegram-grpc-app-68b5b5ff64-r4qs9/fluffy-octo-telegram-grpc-app] time="2021-04-29T01:21:57Z" level=debug msg="request attributes.MetadataContext: "
[pod/fluffy-octo-telegram-grpc-app-68b5b5ff64-r4qs9/fluffy-octo-telegram-grpc-app] time="2021-04-29T01:21:57Z" level=debug msg="request attributes.Request: time:{seconds:1619659317 nanos:320170000} http:{id:\"86128091661570278\" method:\"GET\" headers:{key:\":authority\" value:\"api.shipperizer.org\"} headers:{key:\":method\" value:\"GET\"} headers:{key:\":path\" value:\"/api/v0/status\"} headers:{key:\":scheme\" value:\"https\"} headers:{key:\"accept-encoding\" value:\"gzip\"} headers:{key:\"content-type\" value:\"text/html\"} headers:{key:\"user-agent\" value:\"hey/0.0.1\"} headers:{key:\"x-envoy-internal\" value:\"true\"} headers:{key:\"x-forwarded-for\" value:\"192.168.86.1\"} headers:{key:\"x-forwarded-proto\" value:\"https\"} headers:{key:\"x-request-id\" value:\"7c1522d7-9983-4333-9ee5-0c742e61e50f\"} path:\"/api/v0/status\" host:\"api.shipperizer.org\" scheme:\"https\" protocol:\"HTTP/1.1\"}"
[pod/fluffy-octo-telegram-grpc-app-68b5b5ff64-r4qs9/fluffy-octo-telegram-grpc-app] time="2021-04-29T01:21:57Z" level=debug msg="request attributes.Source: address:{socket_address:{address:\"192.168.86.1\" port_value:57756}}"
[pod/fluffy-octo-telegram-grpc-app-68b5b5ff64-r4qs9/fluffy-octo-telegram-grpc-app] time="2021-04-29T01:21:57Z" level=debug msg="request attributes.Source: address:{socket_address:{address:\"192.168.86.1\" port_value:57771}}"
```

## JWK

Use the step CLI to create a JWK pair, then create one Kubernetes Secret for each half:

```shell
step crypto jwk create jwk.pub.json jwk.json --kty=EC --use=sig --crv=P-521 --no-password --insecure

kubectl create secret generic jwk-pub --from-file=jwk.pub.json
kubectl create secret generic jwk-priv --from-file=jwk.json
```

`--no-password --insecure` writes `jwk.json` unencrypted, so the Secret object (and whoever can read it) is the only protection the private key has; keep `jwk-priv` away from namespaces and service accounts that only need to verify.

The secrets have to be mounted as volumes (Kubernetes for the deployment, docker-compose for local development); the app reads the mount paths from environment variables.
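Below is an added worked example, not code from this repository, of what a `Check` handler built on the JWK above could do: it parses the P-521 public JWK that `step` writes, verifies an ES512-signed bearer token taken from the `authorization` header, and returns the allow/deny decision. The README does not say how the app uses the key, so the bearer-token scheme, the `sub` and `exp` claims and every function name here are assumptions. To stay runnable without the Envoy `go-control-plane` types, the request is modelled as a plain header map (what `attributes.request.http.headers` carries; Envoy lowercases the keys, as the log lines above show) and the result as an `(allowed, status, claims)` triple rather than `CheckRequest`/`CheckResponse`; `newTestKey` renders a throwaway key in the JWK shape as a stand-in for `jwk.pub.json`, and `mintES512` exists only to produce tokens to check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

const coordLen = 66 // ceil(521/8): bytes per P-521 coordinate, and per r and s in an ES512 signature
var enc, dec = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString

// parseECPublicJWK loads the contents of jwk.pub.json, refusing anything but a P-521
// signing key so that a swapped key file cannot silently change the accepted algorithm.
func parseECPublicJWK(doc []byte) (*ecdsa.PublicKey, error) {
	var k map[string]string // step writes only string-valued fields (kty, crv, use, alg, kid, x, y)
	if json.Unmarshal(doc, &k) != nil || k["kty"] != "EC" || k["crv"] != "P-521" || k["use"] != "sig" {
		return nil, errors.New("not a P-521 signing JWK")
	}
	x, errX := dec(k["x"])
	y, errY := dec(k["y"])
	if errX != nil || errY != nil {
		return nil, errors.New("bad coordinate encoding")
	}
	return &ecdsa.PublicKey{Curve: elliptic.P521(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}, nil
}

// mintES512 builds a compact JWS (header.payload.signature). Only the token issuer needs
// this; it is here so the example can produce tokens to check.
func mintES512(priv *ecdsa.PrivateKey, claims map[string]any) string {
	body, _ := json.Marshal(claims)
	input := enc([]byte(`{"alg":"ES512","typ":"JWT"}`)) + "." + enc(body)
	h := sha512.Sum512([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	// JWS carries r || s at fixed width, not the ASN.1 form produced by ecdsa.SignASN1.
	sig := append(r.FillBytes(make([]byte, coordLen)), s.FillBytes(make([]byte, coordLen))...)
	return input + "." + enc(sig)
}

// verifyES512 pins the algorithm, verifies the signature over the raw header.payload
// bytes, then checks exp; claims are returned only after every check passes.
func verifyES512(pub *ecdsa.PublicKey, token string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string }
	if raw, err := dec(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES512" {
		return nil, errors.New("alg not accepted") // rejects alg=none and HMAC downgrade attempts
	}
	h := sha512.Sum512([]byte(parts[0] + "." + parts[1]))
	if sig, err := dec(parts[2]); err != nil || len(sig) != 2*coordLen ||
		!ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:coordLen]), new(big.Int).SetBytes(sig[coordLen:])) {
		return nil, errors.New("signature does not verify")
	}
	var claims map[string]any
	if body, err := dec(parts[1]); err != nil || json.Unmarshal(body, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired or has no exp")
	}
	return claims, nil
}

// checkRequest is the decision a Check handler would return for one request, given
// attributes.request.http.headers (Envoy lowercases the keys, hence "authorization").
// It returns allowed, the HTTP status Envoy should send on deny, and the verified claims.
func checkRequest(pub *ecdsa.PublicKey, headers map[string]string, now time.Time) (bool, int, map[string]any) {
	auth := headers["authorization"]
	if len(auth) >= 7 && strings.EqualFold(auth[:7], "bearer ") {
		if claims, err := verifyES512(pub, strings.TrimSpace(auth[7:]), now); err == nil {
			return true, 200, claims
		}
	}
	return false, 401, nil // missing, malformed, forged and expired tokens are all denied alike
}

// newTestKey generates a throwaway P-521 key and renders its public half in the JWK shape
// step writes to jwk.pub.json (constructed here as a stand-in, not real step output).
func newTestKey() (*ecdsa.PrivateKey, []byte) {
	priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	if err != nil {
		panic(err)
	}
	x, y := priv.X.FillBytes(make([]byte, coordLen)), priv.Y.FillBytes(make([]byte, coordLen))
	doc, _ := json.Marshal(map[string]string{"kty": "EC", "crv": "P-521", "use": "sig", "x": enc(x), "y": enc(y)})
	return priv, doc
}
```

Exercise it from a test or a `main` of your own: mint a token with `exp` a minute ahead and pass it as `Bearer <token>`, then repeat the call with no header, with an altered payload, with `{"alg":"none"}` in the header, and with a `now` past `exp`; only the first is allowed. When wiring this into the real `Check` RPC, take the headers from `attributes.request.http.headers`, and if a decision ever depends on the client address use `attributes.source.address`, which Envoy fills from the connection, rather than the client-supplied `x-forwarded-for` header.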

## Build and deploy

The build setup targets multi-arch images, which requires Docker buildx.

For Skaffold integration I followed the suggestion here, as there is no direct integration between Skaffold and buildx.

Images are pushed to ghcr.io/shipperizer/fluffy-octo-telegram-grpc-app; the k3s cluster has a pull secret for them, referenced as `imagePullSecrets` in the snippet below from deployments.yaml:

```yaml
containers:
- image: ghcr.io/shipperizer/fluffy-octo-telegram-grpc-app
  name: fluffy-octo-telegram-grpc-app
  envFrom:
    - configMapRef:
        name: fluffy-octo-telegram-grpc-app
  ports:
  - name: http
    containerPort: 8000
# pull secret for ghcr.io, created in the cluster beforehand
imagePullSecrets:
- name: regcred-github
```

**deployments/kustomize/extServer.yaml has to be deployed manually via kubectl; ArgoCD won't do it, as it fails with the following:**

```text
Unable to create application: application spec is invalid: InvalidSpecError: Unable to get app details: rpc error: code =
Unknown desc = `kustomize build /tmp/git@github.com_shipperizer_fluffy-octo-telegram/deployments/kustomize` failed exit
status 1: Error: accumulating resources: 2 errors occurred:
* accumulateFile error: "accumulating resources from 'extServer.yaml': evalsymlink failure on '/tmp/git@github.com_shipperizer_fluffy-octo-telegram/deployments/kustomize/extServer.yaml' : lstat /tmp/git@github.com_shipperizer_fluffy-octo-telegram/deployments/kustomize/extServer.yaml: no such file or directory"
* loader.New error: "error loading extServer.yaml with git: url lacks orgRepo: extServer.yaml, dir: evalsymlink failure on '/tmp/git@github.com_shipperizer_fluffy-octo-telegram/deployments/kustomize/extServer.yaml' : lstat /tmp/git@github.com_shipperizer_fluffy-octo-telegram/deployments/kustomize/extServer.yaml: no such file or directory, get: invalid source string: extServer.yaml"
```

The error is kustomize failing to find `extServer.yaml` in the checkout ArgoCD makes of the repository, even though the kustomization lists it as a resource.

## Kaniko

For Kaniko builds, use the `--profile kaniko` modifier on skaffold; this needs an Opaque Secret holding a registry `config.json`:

```shell
echo '{"auths":{"ghcr.io":{"auth":"****************"}}}' | kubectl create secret generic regcred-github-kaniko --from-file=config.json=/dev/stdin
```

The `auth` value is the base64 of `user:token` for ghcr.io, so the line above leaves a registry credential in shell history; if that matters, write `config.json` to a file with restrictive permissions and point `--from-file` at that instead.

The profile targets an arm64 cluster only; to build for a different architecture, change the `initImage` and `image` values.

## ArgoCD

ArgoCD is used (together with ArgoCD Image Updater) to keep the application up to date.

See argocd.yaml for details; the local setup will eventually be described here, step by step.
