diff --git a/ansible/roles/stack-sunbird/defaults/main.yml b/ansible/roles/stack-sunbird/defaults/main.yml index 9906574d28a57cce389ea7bd48a3a12a191a447f..20e18b97923d17d6a2ba7b637b93d403bafffbc9 100644 --- a/ansible/roles/stack-sunbird/defaults/main.yml +++ b/ansible/roles/stack-sunbird/defaults/main.yml @@ -1034,29 +1034,6 @@ common_opa_policy_files: - main.rego - common.rego -opa_envoy_resources: - envoy_resources: - requests: - cpu: "{{ envoy_cpu_req | default('100m') }}" - memory: "{{ envoy_mem_req | default('100Mi') }}" - limits: - cpu: "{{ envoy_cpu_limit | default('1') }}" - memory: "{{ envoy_mem_limit | default('1024Mi') }}" - opa_resources: - requests: - cpu: "{{ opa_cpu_req | default('100m') }}" - memory: "{{ opa_mem_req | default('100Mi') }}" - limits: - cpu: "{{ opa_cpu_limit | default('1') }}" - memory: "{{ opa_mem_limit | default('1024Mi') }}" - initcontainer_resources: - requests: - cpu: "{{ initcontainer_cpu_req | default('100m') }}" - memory: "{{ initcontainer_mem_req | default('100Mi') }}" - limits: - cpu: "{{ initcontainer_cpu_limit | default('200m') }}" - memory: "{{ initcontainer_mem_limit | default('200Mi') }}" - analytics_opa_enabled: true certregistry_opa_enabled: true content_opa_enabled: true diff --git a/kubernetes/helm_charts/core/analytics/templates/deployment.yaml b/kubernetes/helm_charts/core/analytics/templates/deployment.yaml index 39b7ab1b6c608dc8939826178397c89283684102..a23c754a5f68c20bece924759e4a847044c2d576 100644 --- a/kubernetes/helm_charts/core/analytics/templates/deployment.yaml +++ b/kubernetes/helm_charts/core/analytics/templates/deployment.yaml @@ -93,6 +93,9 @@ spec: - --diagnostic-addr=0.0.0.0:8282 - --set=plugins.envoy_ext_authz_grpc.addr=:9191 - --set=plugins.envoy_ext_authz_grpc.path=main/allow + {{- if .Values.opa_decision_logs }} + - --set=decision_logs.console=true + {{- end }} - --log-level=error - --ignore=.* image: openpolicyagent/opa:0.34.2-envoy-2 
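Review bot: `--set=decision_logs.console=true` makes the sidecar write every decision's full `input` document to stdout, and because the ext_authz filter in this chart's envoy-config is configured `with_request_body` (max_request_bytes 62914560), that input carries the request headers — including the `Authorization` bearer token — and bodies up to 60 MiB, so flipping `analytics_opa_decision_logs` exposes credentials and user data to anyone with pod-log access. Pair the flag with a mask policy, e.g. add `- --set=decision_logs.mask_decision=system/log/mask` and a `system.log.mask` rule that erases the authorization header and body under `input.attributes.request.http`, or at minimum note on the toggle that it is for debugging only. It is also worth confirming with a test request that console decision logging is not suppressed by the adjacent `--log-level=error`; if it is, the toggle is a silent no-op.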
diff --git a/kubernetes/helm_charts/core/analytics/templates/envoy-config.yaml b/kubernetes/helm_charts/core/analytics/templates/envoy-config.yaml index 443ef91e640078bfbd6be4edc3367a826e5ccc14..562c0770dde3b18da6a67dd939f29d953347bd6a 100644 --- a/kubernetes/helm_charts/core/analytics/templates/envoy-config.yaml +++ b/kubernetes/helm_charts/core/analytics/templates/envoy-config.yaml @@ -5,10 +5,12 @@ data: envoy-config.yaml: | static_resources: listeners: - - address: + - name: listener_0 + address: socket_address: address: 0.0.0.0 port_value: 9999 + per_connection_buffer_limit_bytes: 62914560 filter_chains: - filters: - name: envoy.http_connection_manager @@ -16,6 +18,10 @@ data: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: auto stat_prefix: ingress_http + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog route_config: name: local_route virtual_hosts: @@ -43,19 +49,18 @@ data: with_request_body: max_request_bytes: 62914560 allow_partial_message: true - pack_as_bytes: true - failure_mode_allow: false + failure_mode_allow: true grpc_service: google_grpc: target_uri: 127.0.0.1:9191 stat_prefix: ext_authz - timeout: 0.5s + timeout: 5s - name: envoy.filters.http.router clusters: - name: service - connect_timeout: 0.25s - type: strict_dns - lb_policy: round_robin + connect_timeout: 30s + per_connection_buffer_limit_bytes: 62914560 + type: static load_assignment: cluster_name: service endpoints: 
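Review bot: `failure_mode_allow: true` turns the authorization filter fail-open: whenever the OPA sidecar is down, still loading policy, returns an error, or does not answer within the new `timeout: 5s`, Envoy forwards the request to the service on 127.0.0.1 as if it had been authorized, which is an authorization bypass every time the sidecar restarts or is saturated (plausible now that up to 60 MiB bodies are shipped to it per request). The previous `false` denied with 403 in those cases; if 0.5s was simply too short for body-carrying checks, `timeout: 5s` together with `failure_mode_allow: false` fixes that without opening the policy. If fail-open is genuinely wanted in some environment, make it a chart value defaulting to false and ensure the upstream treats the `x-envoy-auth-failure-mode-allowed` header Envoy adds in that case as unauthenticated. Dropping `pack_as_bytes: true` also changes how the body reaches OPA (a UTF-8 `body` string instead of `raw_body`), so any rego reading the body should be re-tested against this chart.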
@@ -66,24 +71,13 @@ data: address: 127.0.0.1 port_value: {{ .Values.network.targetport }} admin: - access_log_path: "/dev/null" + access_log_path: "/dev/stdout" address: socket_address: address: 0.0.0.0 port_value: 10000 - layered_runtime: - layers: - - name: static_layer_0 - static_layer: - envoy: - resource_limits: - listener: - example_listener_name: - connection_limit: 10000 - overload: - global_downstream_max_connections: 50000 kind: ConfigMap metadata: name: {{ .Chart.Name }}-envoy-config namespace: {{ .Values.namespace }} -{{ end }} \ No newline at end of file +{{ end }} diff --git a/kubernetes/helm_charts/core/analytics/values.j2 b/kubernetes/helm_charts/core/analytics/values.j2 index 796187a19bb2770ade1efa7a7119dad617a343c4..c7966e6ca0cd19b19bb9fd25762ca9858230fbfc 100644 --- a/kubernetes/helm_charts/core/analytics/values.j2 +++ b/kubernetes/helm_charts/core/analytics/values.j2 
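Review bot: Deleting the `layered_runtime` block removes `overload.global_downstream_max_connections`, so Envoy no longer caps downstream connections at all, while this same change raises `per_connection_buffer_limit_bytes` to 62914560 on both listener and cluster and buffers bodies of that size for ext_authz; on the order of seventeen concurrent slow 60 MiB uploads can exhaust the container's 1024Mi memory limit and get the sidecar OOM-killed, taking down the service's only ingress path. Keep a cap tuned to the memory budget (`overload: global_downstream_max_connections: 1000` or similar, or an overload-manager action) and consider scoping the 60 MiB body limit to the upload routes rather than every route. The removed `connection_limit` keyed on `example_listener_name` appears never to have matched the previously unnamed listener, so losing that part is harmless — but with the listener now named `listener_0` a per-listener limit could finally be applied correctly. Unrelated to this change but visible in context: the admin interface remains bound to `0.0.0.0:10000` and now logs to stdout; binding it to 127.0.0.1 is the safer follow-up.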
@@ -36,8 +36,31 @@ strategy: {{ envoy_liveness_readiness | to_nice_yaml }} analytics_opa_enabled: {{ analytics_opa_enabled | default('true') }} +opa_decision_logs: {{ analytics_opa_decision_logs | default('false') }} -{{ opa_envoy_resources | to_nice_yaml }} +envoy_resources: + requests: + cpu: "{{ analytics_envoy_cpu_req | default('100m') }}" + memory: "{{ analytics_envoy_mem_req | default('100Mi') }}" + limits: + cpu: "{{ analytics_envoy_cpu_limit | default('1') }}" + memory: "{{ analytics_envoy_mem_limit | default('1024Mi') }}" + +opa_resources: + requests: + cpu: "{{ analytics_opa_cpu_req | default('100m') }}" + memory: "{{ analytics_opa_mem_req | default('100Mi') }}" + limits: + cpu: "{{ analytics_opa_cpu_limit | default('1') }}" + memory: "{{ analytics_opa_mem_limit | default('1024Mi') }}" + +initcontainer_resources: + requests: + cpu: "{{ analytics_initcontainer_cpu_req | default('100m') }}" + memory: "{{ analytics_initcontainer_mem_req | default('100Mi') }}" + limits: + cpu: "{{ analytics_initcontainer_cpu_limit | default('100m') }}" + memory: "{{ analytics_initcontainer_mem_limit | default('100Mi') }}" serviceMonitor: enabled: true diff --git a/kubernetes/helm_charts/core/certregistry/templates/envoy-config.yaml b/kubernetes/helm_charts/core/certregistry/templates/envoy-config.yaml index 5f7f9e5074d8b13e3baf5b3d429f22213b9e82a7..5c75bb2a858d169d53bd4691cc13718299f94eb5 100644 --- a/kubernetes/helm_charts/core/certregistry/templates/envoy-config.yaml +++ b/kubernetes/helm_charts/core/certregistry/templates/envoy-config.yaml @@ -5,10 +5,12 @@ data: envoy-config.yaml: | static_resources: listeners: - - address: + - name: listener_0 + address: socket_address: address: 0.0.0.0 port_value: 9999 + per_connection_buffer_limit_bytes: 62914560 filter_chains: - filters: - name: envoy.http_connection_manager 
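Review bot: `opa_decision_logs` is introduced without any indication of what it does, and its effect (full authorization input, headers and request body, written to the sidecar's stdout) is security-relevant enough that an operator should not have to read the deployment template to learn it. Add a comment above it such as `# Debug only: logs the complete ext_authz input (incl. Authorization header and body) to pod stdout` so the default of `false` is understood as deliberate. The value is rendered unquoted, which is correct for Helm's `if`, but note that a string like `"no"` supplied from inventory would render as a non-empty string and be treated as enabled by the template.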
@@ -16,6 +18,10 @@ data: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: auto stat_prefix: ingress_http + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog route_config: name: local_route virtual_hosts: @@ -43,18 +49,18 @@ data: with_request_body: max_request_bytes: 62914560 allow_partial_message: true - pack_as_bytes: true - failure_mode_allow: false + failure_mode_allow: true grpc_service: google_grpc: target_uri: 127.0.0.1:9191 stat_prefix: ext_authz - timeout: 0.5s + timeout: 5s - name: envoy.filters.http.router clusters: - name: service - connect_timeout: 0.25s - type: strict_dns + connect_timeout: 30s + per_connection_buffer_limit_bytes: 62914560 + type: static lb_policy: round_robin load_assignment: cluster_name: service @@ -66,22 +72,11 @@ data: address: 127.0.0.1 port_value: {{ .Values.network.targetport }} admin: - access_log_path: "/dev/null" + access_log_path: "/dev/stdout" address: socket_address: address: 0.0.0.0 port_value: 10000 - layered_runtime: - layers: - - name: static_layer_0 - static_layer: - envoy: - resource_limits: - listener: - example_listener_name: - connection_limit: 10000 - overload: - global_downstream_max_connections: 50000 kind: ConfigMap metadata: name: {{ .Chart.Name }}-envoy-config diff --git a/kubernetes/helm_charts/core/certregistry/values.j2 b/kubernetes/helm_charts/core/certregistry/values.j2 index 41c41e80aa43e0a6eee16ffef6609d4cf5e64ede..7eda1d499c8cc0465e1e2031c393851df283f7a4 100644 --- a/kubernetes/helm_charts/core/certregistry/values.j2 +++ b/kubernetes/helm_charts/core/certregistry/values.j2 
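Review bot: `failure_mode_allow: true` makes the certregistry ext_authz filter fail-open, so when the OPA sidecar is restarting, errors, or misses the new 5s `timeout`, requests reach the service unauthorized instead of being rejected with 403 as before; for a certificate registry that is a particularly bad default. Keep the longer timeout but restore `failure_mode_allow: false`, or gate fail-open behind a chart value that defaults to false. In the same file, dropping `layered_runtime` removes `overload.global_downstream_max_connections` while the new 60 MiB `per_connection_buffer_limit_bytes` and body buffering make each connection far more expensive, so the 1024Mi sidecar can be pushed into OOM by a handful of slow large requests; a connection cap sized to that budget should be kept.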
@@ -31,7 +31,29 @@ strategy: certregistry_opa_enabled: {{ certregistry_opa_enabled | default('true') }} -{{ opa_envoy_resources | to_nice_yaml }} +envoy_resources: + requests: + cpu: "{{ certregistry_envoy_cpu_req | default('100m') }}" + memory: "{{ certregistry_envoy_mem_req | default('100Mi') }}" + limits: + cpu: "{{ certregistry_envoy_cpu_limit | default('1') }}" + memory: "{{ certregistry_envoy_mem_limit | default('1024Mi') }}" + +opa_resources: + requests: + cpu: "{{ certregistry_opa_cpu_req | default('100m') }}" + memory: "{{ certregistry_opa_mem_req | default('100Mi') }}" + limits: + cpu: "{{ certregistry_opa_cpu_limit | default('1') }}" + memory: "{{ certregistry_opa_mem_limit | default('1024Mi') }}" + +initcontainer_resources: + requests: + cpu: "{{ certregistry_initcontainer_cpu_req | default('100m') }}" + memory: "{{ certregistry_initcontainer_mem_req | default('100Mi') }}" + limits: + cpu: "{{ certregistry_initcontainer_cpu_limit | default('100m') }}" + memory: "{{ certregistry_initcontainer_mem_limit | default('100Mi') }}" autoscaling: enabled: {{ certregistry_autoscaling_enabled | default('false') }} diff --git a/kubernetes/helm_charts/core/content/templates/deployment.yaml b/kubernetes/helm_charts/core/content/templates/deployment.yaml index f363e3dc7f9ef2976bcf20ee8e0332156f357575..fb121ac7b203f38614b6813964536cce17d09c87 100644 --- a/kubernetes/helm_charts/core/content/templates/deployment.yaml +++ b/kubernetes/helm_charts/core/content/templates/deployment.yaml @@ -84,6 +84,9 @@ spec: - --diagnostic-addr=0.0.0.0:8282 - --set=plugins.envoy_ext_authz_grpc.addr=:9191 - --set=plugins.envoy_ext_authz_grpc.path=main/allow + {{- if .Values.opa_decision_logs }} + - --set=decision_logs.console=true + {{- end }} - --log-level=error - --ignore=.* image: openpolicyagent/opa:0.34.2-envoy-2 
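Review bot: Enabling `--set=decision_logs.console=true` in the content sidecar logs the full authorization input, which with the chart's `with_request_body` ext_authz configuration includes the `Authorization` header and request bodies up to 60 MiB, so pod logs become a credential and PII sink whenever `content_opa_decision_logs` is turned on. Ship a `system.log.mask` policy alongside and reference it with `- --set=decision_logs.mask_decision=system/log/mask` under the same conditional, so the header and body are erased before the event is emitted. Verify as well that the decision-log output actually appears under `--log-level=error`; if the console logger honours that level the flag does nothing.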
diff --git a/kubernetes/helm_charts/core/content/templates/envoy-config.yaml b/kubernetes/helm_charts/core/content/templates/envoy-config.yaml index d37c1f264421340bfa71895988a903a40797659b..5bc3e603452f84065a087348b863a86b50b89559 100644 --- a/kubernetes/helm_charts/core/content/templates/envoy-config.yaml +++ b/kubernetes/helm_charts/core/content/templates/envoy-config.yaml @@ -5,10 +5,12 @@ data: envoy-config.yaml: | static_resources: listeners: - - address: + - name: listener_0 + address: socket_address: address: 0.0.0.0 port_value: 9999 + per_connection_buffer_limit_bytes: 62914560 filter_chains: - filters: - name: envoy.http_connection_manager @@ -16,6 +18,10 @@ data: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: auto stat_prefix: ingress_http + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog route_config: name: local_route virtual_hosts: @@ -43,18 +49,18 @@ data: with_request_body: max_request_bytes: 62914560 allow_partial_message: true - pack_as_bytes: true - failure_mode_allow: false + failure_mode_allow: true grpc_service: google_grpc: target_uri: 127.0.0.1:9191 stat_prefix: ext_authz - timeout: 0.5s + timeout: 5s - name: envoy.filters.http.router clusters: - name: service - connect_timeout: 0.25s - type: strict_dns + connect_timeout: 30s + per_connection_buffer_limit_bytes: 62914560 + type: static lb_policy: round_robin load_assignment: cluster_name: service 
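Review bot: `failure_mode_allow: true` on the content chart's ext_authz filter means any failure to reach OPA — sidecar restart, policy load error, or the new 5s timeout elapsing on a large body — lets the request through to 127.0.0.1 without an allow decision; previously those cases were denied. If the intent was only to stop spurious timeouts on body-carrying requests, `timeout: 5s` with `failure_mode_allow: false` achieves that. Should fail-open be needed for a specific environment, expose it as a value that defaults to false rather than hard-coding it in the ConfigMap.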
@@ -66,22 +72,11 @@ data: address: 127.0.0.1 port_value: {{ .Values.network.targetport }} admin: - access_log_path: "/dev/null" + access_log_path: "/dev/stdout" address: socket_address: address: 0.0.0.0 port_value: 10000 - layered_runtime: - layers: - - name: static_layer_0 - static_layer: - envoy: - resource_limits: - listener: - example_listener_name: - connection_limit: 10000 - overload: - global_downstream_max_connections: 50000 kind: ConfigMap metadata: name: {{ .Chart.Name }}-envoy-config diff --git a/kubernetes/helm_charts/core/content/values.j2 b/kubernetes/helm_charts/core/content/values.j2 index 5f0c04b98d9afc5cd3f91828f25c7df476dc551b..505a2b90d66009d5eeddf39533ff37e1a89e142d 100644 --- a/kubernetes/helm_charts/core/content/values.j2 +++ b/kubernetes/helm_charts/core/content/values.j2 @@ -30,8 +30,31 @@ strategy: {{ envoy_liveness_readiness | to_nice_yaml }} content_opa_enabled: {{ content_opa_enabled | default('true') }} +opa_decision_logs: {{ content_opa_decision_logs | default('false') }} -{{ opa_envoy_resources | to_nice_yaml }} +envoy_resources: + requests: + cpu: "{{ content_envoy_cpu_req | default('100m') }}" + memory: "{{ content_envoy_mem_req | default('100Mi') }}" + limits: + cpu: "{{ content_envoy_cpu_limit | default('1') }}" + memory: "{{ content_envoy_mem_limit | default('1024Mi') }}" + +opa_resources: + requests: + cpu: "{{ content_opa_cpu_req | default('100m') }}" + memory: "{{ content_opa_mem_req | default('100Mi') }}" + limits: + cpu: "{{ content_opa_cpu_limit | default('1') }}" + memory: "{{ content_opa_mem_limit | default('1024Mi') }}" + +initcontainer_resources: + requests: + cpu: "{{ content_initcontainer_cpu_req | default('100m') }}" + memory: "{{ content_initcontainer_mem_req | default('100Mi') }}" + limits: + cpu: "{{ content_initcontainer_cpu_limit | default('100m') }}" + memory: "{{ content_initcontainer_mem_limit | default('100Mi') }}" autoscaling: enabled: {{ content_autoscaling_enabled | default('false') }} 
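Review bot: Removing `layered_runtime` drops the only downstream connection cap (`overload.global_downstream_max_connections`) from the content sidecar at the same time as the listener, cluster and ext_authz body buffers grow to 62914560 bytes, so memory per connection is now bounded only by the container limit and a few concurrent slow uploads can OOM the proxy. Keep a cap proportional to the 1024Mi limit — for example `overload: global_downstream_max_connections: 1000` — or use an overload-manager action; the `connection_limit` keyed on `example_listener_name` could be rewritten for the now-named `listener_0` if a per-listener limit is preferred. The admin listener on `0.0.0.0:10000` is pre-existing, but now that it logs to stdout it is a good moment to bind it to loopback.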
diff --git a/kubernetes/helm_charts/core/knowledgemw/templates/deployment.yaml b/kubernetes/helm_charts/core/knowledgemw/templates/deployment.yaml index b0b4e68f25703f39ea1eb6d58560e4b9e89840df..5432b2579f4400ae0f424e355256a77e3fbc8e3b 100644 --- a/kubernetes/helm_charts/core/knowledgemw/templates/deployment.yaml +++ b/kubernetes/helm_charts/core/knowledgemw/templates/deployment.yaml @@ -77,6 +77,9 @@ spec: - --diagnostic-addr=0.0.0.0:8282 - --set=plugins.envoy_ext_authz_grpc.addr=:9191 - --set=plugins.envoy_ext_authz_grpc.path=main/allow + {{- if .Values.opa_decision_logs }} + - --set=decision_logs.console=true + {{- end }} - --log-level=error - --ignore=.* image: openpolicyagent/opa:0.34.2-envoy-2 diff --git a/kubernetes/helm_charts/core/knowledgemw/templates/envoy-config.yaml b/kubernetes/helm_charts/core/knowledgemw/templates/envoy-config.yaml index d9705aa804fcdc68c01d72e0b5c4c18645a31301..53bdbf0262e70262755b63af028cfcd36e3c5599 100644 --- a/kubernetes/helm_charts/core/knowledgemw/templates/envoy-config.yaml +++ b/kubernetes/helm_charts/core/knowledgemw/templates/envoy-config.yaml @@ -5,10 +5,12 @@ data: envoy-config.yaml: | static_resources: listeners: - - address: + - name: listener_0 + address: socket_address: address: 0.0.0.0 port_value: 9999 + per_connection_buffer_limit_bytes: 62914560 filter_chains: - filters: - name: envoy.http_connection_manager @@ -16,6 +18,10 @@ data: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: auto stat_prefix: ingress_http + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog route_config: name: local_route virtual_hosts: 
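Review bot: The new `--set=decision_logs.console=true` branch emits the complete ext_authz input for every decision, and because this chart's envoy-config passes request bodies (up to 62914560 bytes) and headers to OPA, `knowledgemw_opa_decision_logs=true` writes bearer tokens and body content into pod stdout. Add `- --set=decision_logs.mask_decision=system/log/mask` under the same `if` and provide a mask rule for the authorization header and body, or document the flag as non-production. It is unclear from these lines whether console decision logs are emitted at all under `--log-level=error`; confirm with a request before relying on the toggle.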
@@ -43,18 +49,18 @@ data: with_request_body: max_request_bytes: 62914560 allow_partial_message: true - pack_as_bytes: true - failure_mode_allow: false + failure_mode_allow: true grpc_service: google_grpc: target_uri: 127.0.0.1:9191 stat_prefix: ext_authz - timeout: 0.5s + timeout: 5s - name: envoy.filters.http.router clusters: - name: service - connect_timeout: 0.25s - type: strict_dns + connect_timeout: 30s + per_connection_buffer_limit_bytes: 62914560 + type: static lb_policy: round_robin load_assignment: cluster_name: service @@ -66,22 +72,11 @@ data: address: 127.0.0.1 port_value: {{ .Values.network.targetport }} admin: - access_log_path: "/dev/null" + access_log_path: "/dev/stdout" address: socket_address: address: 0.0.0.0 port_value: 10000 - layered_runtime: - layers: - - name: static_layer_0 - static_layer: - envoy: - resource_limits: - listener: - example_listener_name: - connection_limit: 10000 - overload: - global_downstream_max_connections: 50000 kind: ConfigMap metadata: name: {{ .Chart.Name }}-envoy-config diff --git a/kubernetes/helm_charts/core/knowledgemw/values.j2 b/kubernetes/helm_charts/core/knowledgemw/values.j2 index 864288cc855c6d7933854c0fb7be0d3f7b746712..a1dba6944dea0573292b1e20b629cf9f227e962b 100644 --- a/kubernetes/helm_charts/core/knowledgemw/values.j2 +++ b/kubernetes/helm_charts/core/knowledgemw/values.j2 
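Review bot: `failure_mode_allow: true` switches the knowledgemw authorization filter to fail-open, so an unavailable or slow OPA sidecar (including the new 5s `timeout` expiring on a 60 MiB body) results in the request being forwarded unauthenticated rather than denied with 403 as before. Restore `failure_mode_allow: false` and keep `timeout: 5s` if latency was the concern, or make fail-open an explicit, default-false chart value. The removal of `layered_runtime` in the following hunk also deletes `overload.global_downstream_max_connections`; combined with the 60 MiB `per_connection_buffer_limit_bytes` the 1024Mi sidecar can be exhausted by a small number of concurrent slow connections, so a cap sized to the memory budget should be retained.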
@@ -27,8 +27,31 @@ strategy: {{ envoy_liveness_readiness | to_nice_yaml }} knowledgemw_opa_enabled: {{ knowledgemw_opa_enabled | default('true') }} +opa_decision_logs: {{ knowledgemw_opa_decision_logs | default('false') }} -{{ opa_envoy_resources | to_nice_yaml }} +envoy_resources: + requests: + cpu: "{{ knowledgemw_envoy_cpu_req | default('100m') }}" + memory: "{{ knowledgemw_envoy_mem_req | default('100Mi') }}" + limits: + cpu: "{{ knowledgemw_envoy_cpu_limit | default('1') }}" + memory: "{{ knowledgemw_envoy_mem_limit | default('1024Mi') }}" + +opa_resources: + requests: + cpu: "{{ knowledgemw_opa_cpu_req | default('100m') }}" + memory: "{{ knowledgemw_opa_mem_req | default('100Mi') }}" + limits: + cpu: "{{ knowledgemw_opa_cpu_limit | default('1') }}" + memory: "{{ knowledgemw_opa_mem_limit | default('1024Mi') }}" + +initcontainer_resources: + requests: + cpu: "{{ knowledgemw_initcontainer_cpu_req | default('100m') }}" + memory: "{{ knowledgemw_initcontainer_mem_req | default('100Mi') }}" + limits: + cpu: "{{ knowledgemw_initcontainer_cpu_limit | default('100m') }}" + memory: "{{ knowledgemw_initcontainer_mem_limit | default('100Mi') }}" knowledgemw_access_basepath: {{ knowledgemw_access_basepath | default('/home/sunbird/mw/content/keys/') }} diff --git a/kubernetes/helm_charts/core/learner/templates/deployment.yaml b/kubernetes/helm_charts/core/learner/templates/deployment.yaml index a863eba6ca174e89f67ee6c31af7d683d7bad198..fcf765e76c574898f80791471bcf4a7eaa0416fe 100644 --- a/kubernetes/helm_charts/core/learner/templates/deployment.yaml +++ b/kubernetes/helm_charts/core/learner/templates/deployment.yaml @@ -86,6 +86,9 @@ spec: - --diagnostic-addr=0.0.0.0:8282 - --set=plugins.envoy_ext_authz_grpc.addr=:9191 - --set=plugins.envoy_ext_authz_grpc.path=main/allow + {{- if .Values.opa_decision_logs }} + - --set=decision_logs.console=true + {{- end }} - --log-level=error - --ignore=.* image: openpolicyagent/opa:0.34.2-envoy-2 
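Review bot: The learner deployment's `--set=decision_logs.console=true` logs the full authorization input, and with this chart's `with_request_body` ext_authz configuration that includes the `Authorization` header and bodies up to 60 MiB, so turning on `learner_opa_decision_logs` sends user credentials and profile data to pod logs. Guard it with a mask policy (`- --set=decision_logs.mask_decision=system/log/mask` plus a `system.log.mask` rule) under the same conditional, or mark the flag as debug-only. Also check that console decision logs are not filtered by the adjacent `--log-level=error`.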
diff --git a/kubernetes/helm_charts/core/learner/templates/envoy-config.yaml b/kubernetes/helm_charts/core/learner/templates/envoy-config.yaml index d571252ebdb26668d83fca6ddba70d80259dc7ac..99873787fadbcc7cc4077c748b07e653bb0608c5 100644 --- a/kubernetes/helm_charts/core/learner/templates/envoy-config.yaml +++ b/kubernetes/helm_charts/core/learner/templates/envoy-config.yaml @@ -5,10 +5,12 @@ data: envoy-config.yaml: | static_resources: listeners: - - address: + - name: listener_0 + address: socket_address: address: 0.0.0.0 port_value: 9999 + per_connection_buffer_limit_bytes: 62914560 filter_chains: - filters: - name: envoy.http_connection_manager @@ -16,6 +18,10 @@ data: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: auto stat_prefix: ingress_http + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog route_config: name: local_route virtual_hosts: @@ -43,18 +49,18 @@ data: with_request_body: max_request_bytes: 62914560 allow_partial_message: true - pack_as_bytes: true - failure_mode_allow: false + failure_mode_allow: true grpc_service: google_grpc: target_uri: 127.0.0.1:9191 stat_prefix: ext_authz - timeout: 0.5s + timeout: 5s - name: envoy.filters.http.router clusters: - name: service - connect_timeout: 0.25s - type: strict_dns + connect_timeout: 30s + per_connection_buffer_limit_bytes: 62914560 + type: static lb_policy: round_robin load_assignment: cluster_name: service 
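Review bot: `failure_mode_allow: true` makes the learner ext_authz filter fail-open: if the OPA sidecar is restarting, returns an error, or does not respond within the new `timeout: 5s`, Envoy forwards the request to the learner service as allowed, where previously it was rejected. For a service that fronts user data this is an authorization bypass on every sidecar hiccup; keep `timeout: 5s` but set `failure_mode_allow: false`, or expose the behaviour as a default-false value. Since `pack_as_bytes: true` is removed, the body now arrives as a string field instead of `raw_body`; any policy that inspects the body should be re-tested.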
@@ -66,22 +72,11 @@ data: address: 127.0.0.1 port_value: {{ .Values.network.targetport }} admin: - access_log_path: "/dev/null" + access_log_path: "/dev/stdout" address: socket_address: address: 0.0.0.0 port_value: 10000 - layered_runtime: - layers: - - name: static_layer_0 - static_layer: - envoy: - resource_limits: - listener: - example_listener_name: - connection_limit: 10000 - overload: - global_downstream_max_connections: 50000 kind: ConfigMap metadata: name: {{ .Chart.Name }}-envoy-config diff --git a/kubernetes/helm_charts/core/learner/values.j2 b/kubernetes/helm_charts/core/learner/values.j2 index b7de6f529d2c31c24d8f4e3ccac84d85d53e0ac0..9a463b20261e19ba5fc06b6eaede248b4a077713 100644 --- a/kubernetes/helm_charts/core/learner/values.j2 +++ b/kubernetes/helm_charts/core/learner/values.j2 @@ -31,8 +31,31 @@ strategy: {{ envoy_liveness_readiness | to_nice_yaml }} learner_opa_enabled: {{ learner_opa_enabled | default('true') }} +opa_decision_logs: {{ learner_opa_decision_logs | default('false') }} -{{ opa_envoy_resources | to_nice_yaml }} +envoy_resources: + requests: + cpu: "{{ learner_envoy_cpu_req | default('100m') }}" + memory: "{{ learner_envoy_mem_req | default('100Mi') }}" + limits: + cpu: "{{ learner_envoy_cpu_limit | default('1') }}" + memory: "{{ learner_envoy_mem_limit | default('1024Mi') }}" + +opa_resources: + requests: + cpu: "{{ learner_opa_cpu_req | default('100m') }}" + memory: "{{ learner_opa_mem_req | default('100Mi') }}" + limits: + cpu: "{{ learner_opa_cpu_limit | default('1') }}" + memory: "{{ learner_opa_mem_limit | default('1024Mi') }}" + +initcontainer_resources: + requests: + cpu: "{{ learner_initcontainer_cpu_req | default('100m') }}" + memory: "{{ learner_initcontainer_mem_req | default('100Mi') }}" + limits: + cpu: "{{ learner_initcontainer_cpu_limit | default('100m') }}" + memory: "{{ learner_initcontainer_mem_limit | default('100Mi') }}" learner_access_basepath: {{ learner_access_basepath | default('/keys/') }} 
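Review bot: Deleting `layered_runtime` removes `overload.global_downstream_max_connections` from the learner sidecar just as the listener, cluster and ext_authz body buffers are raised to 62914560 bytes, leaving per-connection memory bounded only by the 1024Mi container limit; a handful of concurrent slow 60 MiB requests can OOM the proxy and take the service offline. Retain a cap sized to that budget, e.g. `overload: global_downstream_max_connections: 1000`, or configure an overload-manager action, and reconsider whether a 60 MiB body limit is needed on every route. The admin endpoint on `0.0.0.0:10000` predates this change but should be moved to loopback now that it is writing its log to stdout.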
diff --git a/kubernetes/helm_charts/core/lms/templates/deployment.yaml b/kubernetes/helm_charts/core/lms/templates/deployment.yaml index 1c455207e2c49bc97abc4003c5dbe91b706edac5..d394b5f750ee43ddc338042d15e9fe3a34421665 100644 --- a/kubernetes/helm_charts/core/lms/templates/deployment.yaml +++ b/kubernetes/helm_charts/core/lms/templates/deployment.yaml @@ -90,6 +90,9 @@ spec: - --diagnostic-addr=0.0.0.0:8282 - --set=plugins.envoy_ext_authz_grpc.addr=:9191 - --set=plugins.envoy_ext_authz_grpc.path=main/allow + {{- if .Values.opa_decision_logs }} + - --set=decision_logs.console=true + {{- end }} - --log-level=error - --ignore=.* image: openpolicyagent/opa:0.34.2-envoy-2 diff --git a/kubernetes/helm_charts/core/lms/templates/envoy-config.yaml b/kubernetes/helm_charts/core/lms/templates/envoy-config.yaml index ca5b325c552113721f373d5b994d94c844b9dcf1..c1cdfd8f65beb0c9ac6a29ec0e9b23024ad08c95 100644 --- a/kubernetes/helm_charts/core/lms/templates/envoy-config.yaml +++ b/kubernetes/helm_charts/core/lms/templates/envoy-config.yaml @@ -5,10 +5,12 @@ data: envoy-config.yaml: | static_resources: listeners: - - address: + - name: listener_0 + address: socket_address: address: 0.0.0.0 port_value: 9999 + per_connection_buffer_limit_bytes: 62914560 filter_chains: - filters: - name: envoy.http_connection_manager @@ -16,6 +18,10 @@ data: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: auto stat_prefix: ingress_http + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog route_config: name: local_route virtual_hosts: 
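Review bot: `--set=decision_logs.console=true` in the lms sidecar will log the entire ext_authz input, which for this chart (bodies passed to OPA, limit 62914560 bytes) includes the `Authorization` header and request payloads, so `lms_opa_decision_logs=true` leaks tokens and learner data to anyone with log access. Pair the flag with `- --set=decision_logs.mask_decision=system/log/mask` and a mask rule, or document it as non-production. Whether console decision logs survive `--log-level=error` is not evident from these lines and should be verified before the flag is relied on for debugging.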
@@ -43,18 +49,18 @@ data: with_request_body: max_request_bytes: 62914560 allow_partial_message: true - pack_as_bytes: true - failure_mode_allow: false + failure_mode_allow: true grpc_service: google_grpc: target_uri: 127.0.0.1:9191 stat_prefix: ext_authz - timeout: 0.5s + timeout: 5s - name: envoy.filters.http.router clusters: - name: service - connect_timeout: 0.25s - type: strict_dns + connect_timeout: 30s + per_connection_buffer_limit_bytes: 62914560 + type: static lb_policy: round_robin load_assignment: cluster_name: service @@ -66,22 +72,11 @@ data: address: 127.0.0.1 port_value: {{ .Values.network.targetport }} admin: - access_log_path: "/dev/null" + access_log_path: "/dev/stdout" address: socket_address: address: 0.0.0.0 port_value: 10000 - layered_runtime: - layers: - - name: static_layer_0 - static_layer: - envoy: - resource_limits: - listener: - example_listener_name: - connection_limit: 10000 - overload: - global_downstream_max_connections: 50000 kind: ConfigMap metadata: name: {{ .Chart.Name }}-envoy-config diff --git a/kubernetes/helm_charts/core/lms/values.j2 b/kubernetes/helm_charts/core/lms/values.j2 index 43589dc1385f43af150596e5b5484ed810480371..519736aaac189475ff4b7c18360d0e7f2cdd8bb6 100644 --- a/kubernetes/helm_charts/core/lms/values.j2 +++ b/kubernetes/helm_charts/core/lms/values.j2 
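Review bot: `failure_mode_allow: true` turns the lms authorization filter fail-open, so an unreachable, failing or slow OPA sidecar — including the new 5s `timeout` expiring — results in requests being forwarded to the service unauthenticated instead of denied with 403. Keep `timeout: 5s` and restore `failure_mode_allow: false`, or introduce a default-false chart value if fail-open is ever required. The `layered_runtime` deletion in the next hunk also removes `overload.global_downstream_max_connections`; with `per_connection_buffer_limit_bytes: 62914560` now on listener and cluster, a few concurrent slow large requests can exhaust the 1024Mi sidecar, so a connection cap matched to that budget should stay in place.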
@@ -30,8 +30,31 @@ strategy: {{ envoy_liveness_readiness | to_nice_yaml }} lms_opa_enabled: {{ lms_opa_enabled | default('true') }} +opa_decision_logs: {{ lms_opa_decision_logs | default('false') }} -{{ opa_envoy_resources | to_nice_yaml }} +envoy_resources: + requests: + cpu: "{{ lms_envoy_cpu_req | default('100m') }}" + memory: "{{ lms_envoy_mem_req | default('100Mi') }}" + limits: + cpu: "{{ lms_envoy_cpu_limit | default('1') }}" + memory: "{{ lms_envoy_mem_limit | default('1024Mi') }}" + +opa_resources: + requests: + cpu: "{{ lms_opa_cpu_req | default('100m') }}" + memory: "{{ lms_opa_mem_req | default('100Mi') }}" + limits: + cpu: "{{ lms_opa_cpu_limit | default('1') }}" + memory: "{{ lms_opa_mem_limit | default('1024Mi') }}" + +initcontainer_resources: + requests: + cpu: "{{ lms_initcontainer_cpu_req | default('100m') }}" + memory: "{{ lms_initcontainer_mem_req | default('100Mi') }}" + limits: + cpu: "{{ lms_initcontainer_cpu_limit | default('100m') }}" + memory: "{{ lms_initcontainer_mem_limit | default('100Mi') }}" lms_access_basepath: {{ lms_access_basepath | default('/keys/') }} diff --git a/kubernetes/opa/common/common.rego b/kubernetes/opa/common/common.rego index 384a67b6506f9864a283027f30aa8639f66a8d46..f6267368d9d5afe53d3888b302aacffe23dc9cd4 100644 --- a/kubernetes/opa/common/common.rego +++ b/kubernetes/opa/common/common.rego @@ -72,7 +72,7 @@ org_check(roles) = token_organisationids { } federation_id_check { - federation_id := token_federation_id + federation_id == token_federation_id } parent_id_check {
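Review bot: Changing `:=` to `==` in `federation_id_check` is the right fix — the previous assignment always succeeded, so the rule was unconditionally true and never actually checked the token — but that means every policy relying on it was fail-open until now, and the change deserves a regression test with mismatched `federation_id` and `token_federation_id` values to pin the deny. `federation_id` is not bound within this hunk; if it is not defined elsewhere in the package the compiler will reject the rule as having an unsafe variable, which OPA should surface at startup, so confirm the bundle still loads cleanly. If `token_federation_id` is undefined for tokens without that claim, the rule is now undefined (deny), which is the safe direction but should be stated in a comment above the rule, e.g. `# undefined (deny) when the token carries no federation id`.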