From f1d84a9b36d0a2722ab45b8a13051380c3939ebc Mon Sep 17 00:00:00 2001
From: Keshav Prasad <keshavprasadms@gmail.com>
Date: Fri, 7 Jan 2022 09:17:40 +0530
Subject: [PATCH] fix: opa and envoy changes to support logging and hpa (#3126)

* fix: updated envoy logging and connections
* fix: changes to support hpa and test cases
* fix: updated envoy timeouts
* fix: updated envoy configs to workaround grpc limits
* fix: add option to enable decision logs in opa
* fix: remove pack_as_bytes to allow only UTF-8 contents
* fix: change back to google_grpc
---
ansible/roles/stack-sunbird/defaults/main.yml | 23 -------------
.../core/analytics/templates/deployment.yaml | 3 ++
.../analytics/templates/envoy-config.yaml | 34 ++++++++-----------
.../helm_charts/core/analytics/values.j2 | 25 +++++++++++++-
.../certregistry/templates/envoy-config.yaml | 31 +++++++----------
.../helm_charts/core/certregistry/values.j2 | 24 ++++++++++++-
.../core/content/templates/deployment.yaml | 3 ++
.../core/content/templates/envoy-config.yaml | 31 +++++++----------
kubernetes/helm_charts/core/content/values.j2 | 25 +++++++++++++-
.../knowledgemw/templates/deployment.yaml | 3 ++
.../knowledgemw/templates/envoy-config.yaml | 31 +++++++----------
.../helm_charts/core/knowledgemw/values.j2 | 25 +++++++++++++-
.../core/learner/templates/deployment.yaml | 3 ++
.../core/learner/templates/envoy-config.yaml | 31 +++++++----------
kubernetes/helm_charts/core/learner/values.j2 | 25 +++++++++++++-
.../core/lms/templates/deployment.yaml | 3 ++
.../core/lms/templates/envoy-config.yaml | 31 +++++++----------
kubernetes/helm_charts/core/lms/values.j2 | 25 +++++++++++++-
kubernetes/opa/common/common.rego | 2 +-
19 files changed, 238 insertions(+), 140 deletions(-)

diff --git a/ansible/roles/stack-sunbird/defaults/main.yml b/ansible/roles/stack-sunbird/defaults/main.yml
index 9906574d2..20e18b979 100644
--- a/ansible/roles/stack-sunbird/defaults/main.yml
+++ b/ansible/roles/stack-sunbird/defaults/main.yml
@@ -1034,29 +1034,6 @@ common_opa_policy_files: - main.rego - common.rego -opa_envoy_resources: - envoy_resources: - requests: - cpu: "{{ envoy_cpu_req | default('100m') }}" - memory: "{{ envoy_mem_req | default('100Mi') }}" - limits: - cpu: "{{ envoy_cpu_limit | default('1') }}" - memory: "{{ envoy_mem_limit | default('1024Mi') }}" - opa_resources: - requests: - cpu: "{{ opa_cpu_req | default('100m') }}" - memory: "{{ opa_mem_req | default('100Mi') }}" - limits: - cpu: "{{ opa_cpu_limit | default('1') }}" - memory: "{{ opa_mem_limit | default('1024Mi') }}" - initcontainer_resources: - requests: - cpu: "{{ initcontainer_cpu_req | default('100m') }}" - memory: "{{ initcontainer_mem_req | default('100Mi') }}" - limits: - cpu: "{{ initcontainer_cpu_limit | default('200m') }}" - memory: "{{ initcontainer_mem_limit | default('200Mi') }}" - analytics_opa_enabled: true certregistry_opa_enabled: true content_opa_enabled: true diff --git a/kubernetes/helm_charts/core/analytics/templates/deployment.yaml b/kubernetes/helm_charts/core/analytics/templates/deployment.yaml index 39b7ab1b6..a23c754a5 100644 --- a/kubernetes/helm_charts/core/analytics/templates/deployment.yaml +++ b/kubernetes/helm_charts/core/analytics/templates/deployment.yaml @@ -93,6 +93,9 @@ spec: - --diagnostic-addr=0.0.0.0:8282 - --set=plugins.envoy_ext_authz_grpc.addr=:9191 - --set=plugins.envoy_ext_authz_grpc.path=main/allow + {{- if .Values.opa_decision_logs }} + - --set=decision_logs.console=true + {{- end }} - --log-level=error - --ignore=.* image: openpolicyagent/opa:0.34.2-envoy-2 diff --git a/kubernetes/helm_charts/core/analytics/templates/envoy-config.yaml b/kubernetes/helm_charts/core/analytics/templates/envoy-config.yaml index 443ef91e6..562c0770d 100644 --- a/kubernetes/helm_charts/core/analytics/templates/envoy-config.yaml +++ b/kubernetes/helm_charts/core/analytics/templates/envoy-config.yaml 
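Review bot: The new `--set=decision_logs.console=true` switch in the analytics OPA sidecar prints every decision, including the full `input` document, to the container's stdout, and for the envoy_ext_authz_grpc plugin configured two lines above that input carries the request headers (Authorization, Cookie) and — because the Envoy side of this patch forwards the body via `with_request_body` — the request body, so bearer tokens and payloads reach the cluster log pipeline whenever the flag is on. The flag is opt-in and `opa_decision_logs` defaults to false in values.j2, which is right, but nothing in the template warns the operator what it exposes. I would add above the `{{- if .Values.opa_decision_logs }}` line: `# decision logs echo the full ext_authz input (request headers incl. Authorization, request body) to stdout; ship an OPA masking policy (system.log.mask) before enabling outside dev`. `--log-level=error` on the next line presumably does not suppress this output, as decision logs go through their own console logger — worth confirming on 0.34.2. The rest of the container spec lies outside the hunk.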
@@ -5,10 +5,12 @@ data: envoy-config.yaml: | static_resources: listeners: - - address: + - name: listener_0 + address: socket_address: address: 0.0.0.0 port_value: 9999 + per_connection_buffer_limit_bytes: 62914560 filter_chains: - filters: - name: envoy.http_connection_manager @@ -16,6 +18,10 @@ data: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: auto stat_prefix: ingress_http + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog route_config: name: local_route virtual_hosts: @@ -43,19 +49,18 @@ data: with_request_body: max_request_bytes: 62914560 allow_partial_message: true - pack_as_bytes: true - failure_mode_allow: false + failure_mode_allow: true grpc_service: google_grpc: target_uri: 127.0.0.1:9191 stat_prefix: ext_authz - timeout: 0.5s + timeout: 5s - name: envoy.filters.http.router clusters: - name: service - connect_timeout: 0.25s - type: strict_dns - lb_policy: round_robin + connect_timeout: 30s + per_connection_buffer_limit_bytes: 62914560 + type: static load_assignment: cluster_name: service endpoints: @@ -66,24 +71,13 @@ data: address: 127.0.0.1 port_value: {{ .Values.network.targetport }} admin: - access_log_path: "/dev/null" + access_log_path: "/dev/stdout" address: socket_address: address: 0.0.0.0 port_value: 10000 - layered_runtime: - layers: - - name: static_layer_0 - static_layer: - envoy: - resource_limits: - listener: - example_listener_name: - connection_limit: 10000 - overload: - global_downstream_max_connections: 50000 kind: ConfigMap metadata: name: {{ .Chart.Name }}-envoy-config namespace: {{ .Values.namespace }} -{{ end }} \ No newline at end of file +{{ end }} diff --git a/kubernetes/helm_charts/core/analytics/values.j2 b/kubernetes/helm_charts/core/analytics/values.j2 index 796187a19..c7966e6ca 100644 --- a/kubernetes/helm_charts/core/analytics/values.j2 
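Review bot: Flipping `failure_mode_allow` from `false` to `true` in the analytics ext_authz filter makes authorization fail open: whenever OPA at 127.0.0.1:9191 is unreachable (sidecar still starting, crashed, OOM-killed), exceeds the new 5s timeout, or errors on transport — which, given the commit message about working around gRPC limits, seems to be the case being papered over — Envoy forwards the request to the upstream with no authorization decision at all, for every route behind this listener. For an authz sidecar that is a security regression rather than a tuning change, and it is silent because the filter never rejects. If it is meant as a temporary workaround it should at least be a per-environment value that defaults to the old behaviour, e.g. `failure_mode_allow: {{ .Values.opa_failure_mode_allow | default false }}`, with the values.j2 entry explaining why it exists. Envoy also tags requests admitted this way with `x-envoy-auth-failure-mode-allowed: true` (verify this holds for the google_grpc path), so the upstream could reject that header as a backstop.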
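Review bot: Deleting the `layered_runtime` layer removes `overload.global_downstream_max_connections: 50000`, so this Envoy now has no downstream connection cap at all; combined with the 60 MiB `per_connection_buffer_limit_bytes` set earlier in this file and the 60 MiB request-body buffering for ext_authz, a few dozen slow or hostile clients holding large uploads open can push the sidecar past its 1024Mi memory limit. The old listener-level limit was dead config (it keyed on `example_listener_name` while the listener had no name), but now that the listener is `listener_0` the same block can be made effective instead of deleted. The admin listener on 0.0.0.0:10000 is pre-existing, but since it now logs to stdout it is worth noting it is reachable from any pod in the cluster absent a NetworkPolicy; binding it to 127.0.0.1 would close that.
```yaml
# … unchanged: admin block …
layered_runtime:
  layers:
    - name: static_layer_0
      static_layer:
        envoy:
          resource_limits:
            listener:
              listener_0:
                connection_limit: 10000
        overload:
          global_downstream_max_connections: 50000
```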
+++ b/kubernetes/helm_charts/core/analytics/values.j2 @@ -36,8 +36,31 @@ strategy: {{ envoy_liveness_readiness | to_nice_yaml }} analytics_opa_enabled: {{ analytics_opa_enabled | default('true') }} +opa_decision_logs: {{ analytics_opa_decision_logs | default('false') }} -{{ opa_envoy_resources | to_nice_yaml }} +envoy_resources: + requests: + cpu: "{{ analytics_envoy_cpu_req | default('100m') }}" + memory: "{{ analytics_envoy_mem_req | default('100Mi') }}" + limits: + cpu: "{{ analytics_envoy_cpu_limit | default('1') }}" + memory: "{{ analytics_envoy_mem_limit | default('1024Mi') }}" + +opa_resources: + requests: + cpu: "{{ analytics_opa_cpu_req | default('100m') }}" + memory: "{{ analytics_opa_mem_req | default('100Mi') }}" + limits: + cpu: "{{ analytics_opa_cpu_limit | default('1') }}" + memory: "{{ analytics_opa_mem_limit | default('1024Mi') }}" + +initcontainer_resources: + requests: + cpu: "{{ analytics_initcontainer_cpu_req | default('100m') }}" + memory: "{{ analytics_initcontainer_mem_req | default('100Mi') }}" + limits: + cpu: "{{ analytics_initcontainer_cpu_limit | default('100m') }}" + memory: "{{ analytics_initcontainer_mem_limit | default('100Mi') }}" serviceMonitor: enabled: true diff --git a/kubernetes/helm_charts/core/certregistry/templates/envoy-config.yaml b/kubernetes/helm_charts/core/certregistry/templates/envoy-config.yaml index 5f7f9e507..5c75bb2a8 100644 --- a/kubernetes/helm_charts/core/certregistry/templates/envoy-config.yaml +++ b/kubernetes/helm_charts/core/certregistry/templates/envoy-config.yaml @@ -5,10 +5,12 @@ data: envoy-config.yaml: | static_resources: listeners: - - address: + - name: listener_0 + address: socket_address: address: 0.0.0.0 port_value: 9999 + per_connection_buffer_limit_bytes: 62914560 filter_chains: - filters: - name: envoy.http_connection_manager 
@@ -16,6 +18,10 @@ data: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: auto stat_prefix: ingress_http + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog route_config: name: local_route virtual_hosts: @@ -43,18 +49,18 @@ data: with_request_body: max_request_bytes: 62914560 allow_partial_message: true - pack_as_bytes: true - failure_mode_allow: false + failure_mode_allow: true grpc_service: google_grpc: target_uri: 127.0.0.1:9191 stat_prefix: ext_authz - timeout: 0.5s + timeout: 5s - name: envoy.filters.http.router clusters: - name: service - connect_timeout: 0.25s - type: strict_dns + connect_timeout: 30s + per_connection_buffer_limit_bytes: 62914560 + type: static lb_policy: round_robin load_assignment: cluster_name: service @@ -66,22 +72,11 @@ data: address: 127.0.0.1 port_value: {{ .Values.network.targetport }} admin: - access_log_path: "/dev/null" + access_log_path: "/dev/stdout" address: socket_address: address: 0.0.0.0 port_value: 10000 - layered_runtime: - layers: - - name: static_layer_0 - static_layer: - envoy: - resource_limits: - listener: - example_listener_name: - connection_limit: 10000 - overload: - global_downstream_max_connections: 50000 kind: ConfigMap metadata: name: {{ .Chart.Name }}-envoy-config diff --git a/kubernetes/helm_charts/core/certregistry/values.j2 b/kubernetes/helm_charts/core/certregistry/values.j2 index 41c41e80a..7eda1d499 100644 --- a/kubernetes/helm_charts/core/certregistry/values.j2 +++ b/kubernetes/helm_charts/core/certregistry/values.j2 
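Review bot: The certregistry ext_authz filter now has `failure_mode_allow: true`, so any failure to reach OPA on 127.0.0.1:9191 — sidecar not yet ready, crash, the new 5s timeout, or a gRPC transport error — results in the request being forwarded to the upstream without an authorization decision; the previous value was `false`. Certificate registry endpoints are exactly where a silent fail-open is least acceptable, and nothing in the hunk limits it to a subset of routes. If a fail-open is intentional for a transition period, gate it through values with the safe default, e.g. `failure_mode_allow: {{ .Values.opa_failure_mode_allow | default false }}`, and document the reason next to the value. Envoy adds `x-envoy-auth-failure-mode-allowed: true` to such requests (confirm for google_grpc), which the upstream can use to reject them.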
@@ -31,7 +31,29 @@ strategy: certregistry_opa_enabled: {{ certregistry_opa_enabled | default('true') }} -{{ opa_envoy_resources | to_nice_yaml }} +envoy_resources: + requests: + cpu: "{{ certregistry_envoy_cpu_req | default('100m') }}" + memory: "{{ certregistry_envoy_mem_req | default('100Mi') }}" + limits: + cpu: "{{ certregistry_envoy_cpu_limit | default('1') }}" + memory: "{{ certregistry_envoy_mem_limit | default('1024Mi') }}" + +opa_resources: + requests: + cpu: "{{ certregistry_opa_cpu_req | default('100m') }}" + memory: "{{ certregistry_opa_mem_req | default('100Mi') }}" + limits: + cpu: "{{ certregistry_opa_cpu_limit | default('1') }}" + memory: "{{ certregistry_opa_mem_limit | default('1024Mi') }}" + +initcontainer_resources: + requests: + cpu: "{{ certregistry_initcontainer_cpu_req | default('100m') }}" + memory: "{{ certregistry_initcontainer_mem_req | default('100Mi') }}" + limits: + cpu: "{{ certregistry_initcontainer_cpu_limit | default('100m') }}" + memory: "{{ certregistry_initcontainer_mem_limit | default('100Mi') }}" autoscaling: enabled: {{ certregistry_autoscaling_enabled | default('false') }} diff --git a/kubernetes/helm_charts/core/content/templates/deployment.yaml b/kubernetes/helm_charts/core/content/templates/deployment.yaml index f363e3dc7..fb121ac7b 100644 --- a/kubernetes/helm_charts/core/content/templates/deployment.yaml +++ b/kubernetes/helm_charts/core/content/templates/deployment.yaml @@ -84,6 +84,9 @@ spec: - --diagnostic-addr=0.0.0.0:8282 - --set=plugins.envoy_ext_authz_grpc.addr=:9191 - --set=plugins.envoy_ext_authz_grpc.path=main/allow + {{- if .Values.opa_decision_logs }} + - --set=decision_logs.console=true + {{- end }} - --log-level=error - --ignore=.* image: openpolicyagent/opa:0.34.2-envoy-2 diff --git a/kubernetes/helm_charts/core/content/templates/envoy-config.yaml b/kubernetes/helm_charts/core/content/templates/envoy-config.yaml index d37c1f264..5bc3e6034 100644 
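Review bot: In the content OPA sidecar, `--set=decision_logs.console=true` writes every decision with its full `input` to stdout, and for the envoy_ext_authz_grpc plugin configured just above that input includes the request headers (Authorization, Cookie) and, since the Envoy filter in this patch sends the body, the request body itself, so enabling the flag puts tokens and payloads into the log pipeline. The default of false in values.j2 is correct, but the template should say what the flag exposes: `# decision logs dump the full ext_authz input (headers incl. Authorization, body) to stdout; pair with a system.log.mask policy before enabling`. The remainder of the container spec is outside the hunk.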
--- a/kubernetes/helm_charts/core/content/templates/envoy-config.yaml +++ b/kubernetes/helm_charts/core/content/templates/envoy-config.yaml @@ -5,10 +5,12 @@ data: envoy-config.yaml: | static_resources: listeners: - - address: + - name: listener_0 + address: socket_address: address: 0.0.0.0 port_value: 9999 + per_connection_buffer_limit_bytes: 62914560 filter_chains: - filters: - name: envoy.http_connection_manager @@ -16,6 +18,10 @@ data: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: auto stat_prefix: ingress_http + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog route_config: name: local_route virtual_hosts: @@ -43,18 +49,18 @@ data: with_request_body: max_request_bytes: 62914560 allow_partial_message: true - pack_as_bytes: true - failure_mode_allow: false + failure_mode_allow: true grpc_service: google_grpc: target_uri: 127.0.0.1:9191 stat_prefix: ext_authz - timeout: 0.5s + timeout: 5s - name: envoy.filters.http.router clusters: - name: service - connect_timeout: 0.25s - type: strict_dns + connect_timeout: 30s + per_connection_buffer_limit_bytes: 62914560 + type: static lb_policy: round_robin load_assignment: cluster_name: service @@ -66,22 +72,11 @@ data: address: 127.0.0.1 port_value: {{ .Values.network.targetport }} admin: - access_log_path: "/dev/null" + access_log_path: "/dev/stdout" address: socket_address: address: 0.0.0.0 port_value: 10000 - layered_runtime: - layers: - - name: static_layer_0 - static_layer: - envoy: - resource_limits: - listener: - example_listener_name: - connection_limit: 10000 - overload: - global_downstream_max_connections: 50000 kind: ConfigMap metadata: name: {{ .Chart.Name }}-envoy-config diff --git a/kubernetes/helm_charts/core/content/values.j2 b/kubernetes/helm_charts/core/content/values.j2 index 5f0c04b98..505a2b90d 100644 
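Review bot: The content service's ext_authz filter switches to `failure_mode_allow: true`, which means an unavailable, crashed, slow (now 5s) or transport-erroring OPA sidecar results in the request being passed to the upstream unauthorized instead of rejected, across every route on this listener. That reverses the previous `false` and, as far as the commit message lets me tell, is covering for the gRPC size limits rather than a deliberate policy. Keep the deny-by-default and make any relaxation explicit and overridable, e.g. `failure_mode_allow: {{ .Values.opa_failure_mode_allow | default false }}`. Envoy's `x-envoy-auth-failure-mode-allowed: true` marker (verify for google_grpc) gives the upstream a way to refuse such requests if fail-open is kept.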
--- a/kubernetes/helm_charts/core/content/values.j2 +++ b/kubernetes/helm_charts/core/content/values.j2 @@ -30,8 +30,31 @@ strategy: {{ envoy_liveness_readiness | to_nice_yaml }} content_opa_enabled: {{ content_opa_enabled | default('true') }} +opa_decision_logs: {{ content_opa_decision_logs | default('false') }} -{{ opa_envoy_resources | to_nice_yaml }} +envoy_resources: + requests: + cpu: "{{ content_envoy_cpu_req | default('100m') }}" + memory: "{{ content_envoy_mem_req | default('100Mi') }}" + limits: + cpu: "{{ content_envoy_cpu_limit | default('1') }}" + memory: "{{ content_envoy_mem_limit | default('1024Mi') }}" + +opa_resources: + requests: + cpu: "{{ content_opa_cpu_req | default('100m') }}" + memory: "{{ content_opa_mem_req | default('100Mi') }}" + limits: + cpu: "{{ content_opa_cpu_limit | default('1') }}" + memory: "{{ content_opa_mem_limit | default('1024Mi') }}" + +initcontainer_resources: + requests: + cpu: "{{ content_initcontainer_cpu_req | default('100m') }}" + memory: "{{ content_initcontainer_mem_req | default('100Mi') }}" + limits: + cpu: "{{ content_initcontainer_cpu_limit | default('100m') }}" + memory: "{{ content_initcontainer_mem_limit | default('100Mi') }}" autoscaling: enabled: {{ content_autoscaling_enabled | default('false') }} diff --git a/kubernetes/helm_charts/core/knowledgemw/templates/deployment.yaml b/kubernetes/helm_charts/core/knowledgemw/templates/deployment.yaml index b0b4e68f2..5432b2579 100644 --- a/kubernetes/helm_charts/core/knowledgemw/templates/deployment.yaml +++ b/kubernetes/helm_charts/core/knowledgemw/templates/deployment.yaml @@ -77,6 +77,9 @@ spec: - --diagnostic-addr=0.0.0.0:8282 - --set=plugins.envoy_ext_authz_grpc.addr=:9191 - --set=plugins.envoy_ext_authz_grpc.path=main/allow + {{- if .Values.opa_decision_logs }} + - --set=decision_logs.console=true + {{- end }} - --log-level=error - --ignore=.* image: openpolicyagent/opa:0.34.2-envoy-2 
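Review bot: The knowledgemw sidecar's new `--set=decision_logs.console=true` option logs each decision together with the full `input`, which for the envoy_ext_authz_grpc plugin set up two lines earlier contains the request headers (Authorization, Cookie) and — given the `with_request_body` setting in this patch's Envoy config — the request body, so the flag leaks credentials and payloads to stdout when enabled. It is off by default, which is fine, but add a warning comment above the `{{- if }}`: `# decision logs include the full ext_authz input (Authorization header, request body); apply a system.log.mask policy before enabling`. The container spec continues outside the hunk.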
diff --git a/kubernetes/helm_charts/core/knowledgemw/templates/envoy-config.yaml b/kubernetes/helm_charts/core/knowledgemw/templates/envoy-config.yaml index d9705aa80..53bdbf026 100644 --- a/kubernetes/helm_charts/core/knowledgemw/templates/envoy-config.yaml +++ b/kubernetes/helm_charts/core/knowledgemw/templates/envoy-config.yaml @@ -5,10 +5,12 @@ data: envoy-config.yaml: | static_resources: listeners: - - address: + - name: listener_0 + address: socket_address: address: 0.0.0.0 port_value: 9999 + per_connection_buffer_limit_bytes: 62914560 filter_chains: - filters: - name: envoy.http_connection_manager @@ -16,6 +18,10 @@ data: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: auto stat_prefix: ingress_http + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog route_config: name: local_route virtual_hosts: @@ -43,18 +49,18 @@ data: with_request_body: max_request_bytes: 62914560 allow_partial_message: true - pack_as_bytes: true - failure_mode_allow: false + failure_mode_allow: true grpc_service: google_grpc: target_uri: 127.0.0.1:9191 stat_prefix: ext_authz - timeout: 0.5s + timeout: 5s - name: envoy.filters.http.router clusters: - name: service - connect_timeout: 0.25s - type: strict_dns + connect_timeout: 30s + per_connection_buffer_limit_bytes: 62914560 + type: static lb_policy: round_robin load_assignment: cluster_name: service 
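Review bot: knowledgemw's ext_authz filter now has `failure_mode_allow: true`, so whenever OPA at 127.0.0.1:9191 cannot be reached, times out at the new 5s, or fails the gRPC call (the size-limit problem the commit message refers to), Envoy admits the request without any authorization check; the previous setting was `false`. A fail-open authz sidecar is a security regression and should not be the unconditional default for all routes. If it is needed temporarily, expose it through values with the safe default, `failure_mode_allow: {{ .Values.opa_failure_mode_allow | default false }}`, and note the reason in values.j2. Envoy marks such requests with `x-envoy-auth-failure-mode-allowed: true` (confirm for the google_grpc client), which the upstream could reject as a backstop.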
@@ -66,22 +72,11 @@ data: address: 127.0.0.1 port_value: {{ .Values.network.targetport }} admin: - access_log_path: "/dev/null" + access_log_path: "/dev/stdout" address: socket_address: address: 0.0.0.0 port_value: 10000 - layered_runtime: - layers: - - name: static_layer_0 - static_layer: - envoy: - resource_limits: - listener: - example_listener_name: - connection_limit: 10000 - overload: - global_downstream_max_connections: 50000 kind: ConfigMap metadata: name: {{ .Chart.Name }}-envoy-config diff --git a/kubernetes/helm_charts/core/knowledgemw/values.j2 b/kubernetes/helm_charts/core/knowledgemw/values.j2 index 864288cc8..a1dba6944 100644 --- a/kubernetes/helm_charts/core/knowledgemw/values.j2 +++ b/kubernetes/helm_charts/core/knowledgemw/values.j2 
@@ -27,8 +27,31 @@ strategy: {{ envoy_liveness_readiness | to_nice_yaml }} knowledgemw_opa_enabled: {{ knowledgemw_opa_enabled | default('true') }} +opa_decision_logs: {{ knowledgemw_opa_decision_logs | default('false') }} -{{ opa_envoy_resources | to_nice_yaml }} +envoy_resources: + requests: + cpu: "{{ knowledgemw_envoy_cpu_req | default('100m') }}" + memory: "{{ knowledgemw_envoy_mem_req | default('100Mi') }}" + limits: + cpu: "{{ knowledgemw_envoy_cpu_limit | default('1') }}" + memory: "{{ knowledgemw_envoy_mem_limit | default('1024Mi') }}" + +opa_resources: + requests: + cpu: "{{ knowledgemw_opa_cpu_req | default('100m') }}" + memory: "{{ knowledgemw_opa_mem_req | default('100Mi') }}" + limits: + cpu: "{{ knowledgemw_opa_cpu_limit | default('1') }}" + memory: "{{ knowledgemw_opa_mem_limit | default('1024Mi') }}" + +initcontainer_resources: + requests: + cpu: "{{ knowledgemw_initcontainer_cpu_req | default('100m') }}" + memory: "{{ knowledgemw_initcontainer_mem_req | default('100Mi') }}" + limits: + cpu: "{{ knowledgemw_initcontainer_cpu_limit | default('100m') }}" + memory: "{{ knowledgemw_initcontainer_mem_limit | default('100Mi') }}" knowledgemw_access_basepath: {{ knowledgemw_access_basepath | default('/home/sunbird/mw/content/keys/') }} diff --git a/kubernetes/helm_charts/core/learner/templates/deployment.yaml b/kubernetes/helm_charts/core/learner/templates/deployment.yaml index a863eba6c..fcf765e76 100644 --- a/kubernetes/helm_charts/core/learner/templates/deployment.yaml +++ b/kubernetes/helm_charts/core/learner/templates/deployment.yaml @@ -86,6 +86,9 @@ spec: - --diagnostic-addr=0.0.0.0:8282 - --set=plugins.envoy_ext_authz_grpc.addr=:9191 - --set=plugins.envoy_ext_authz_grpc.path=main/allow + {{- if .Values.opa_decision_logs }} + - --set=decision_logs.console=true + {{- end }} - --log-level=error - --ignore=.* image: openpolicyagent/opa:0.34.2-envoy-2 
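Review bot: The learner sidecar's `--set=decision_logs.console=true` emits every decision with the complete `input` document, which for the envoy_ext_authz_grpc plugin configured above holds the request headers (Authorization, Cookie) and, because this patch's Envoy filter forwards the body, the request body, so the learner service's tokens and user payloads reach stdout and the log pipeline when the flag is set. It defaults to false, but the template should warn: `# decision logs contain the full ext_authz input (Authorization header, request body); enable only with a system.log.mask policy in place`. The rest of the container spec is outside the hunk.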
diff --git a/kubernetes/helm_charts/core/learner/templates/envoy-config.yaml b/kubernetes/helm_charts/core/learner/templates/envoy-config.yaml index d571252eb..99873787f 100644 --- a/kubernetes/helm_charts/core/learner/templates/envoy-config.yaml +++ b/kubernetes/helm_charts/core/learner/templates/envoy-config.yaml @@ -5,10 +5,12 @@ data: envoy-config.yaml: | static_resources: listeners: - - address: + - name: listener_0 + address: socket_address: address: 0.0.0.0 port_value: 9999 + per_connection_buffer_limit_bytes: 62914560 filter_chains: - filters: - name: envoy.http_connection_manager @@ -16,6 +18,10 @@ data: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: auto stat_prefix: ingress_http + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog route_config: name: local_route virtual_hosts: @@ -43,18 +49,18 @@ data: with_request_body: max_request_bytes: 62914560 allow_partial_message: true - pack_as_bytes: true - failure_mode_allow: false + failure_mode_allow: true grpc_service: google_grpc: target_uri: 127.0.0.1:9191 stat_prefix: ext_authz - timeout: 0.5s + timeout: 5s - name: envoy.filters.http.router clusters: - name: service - connect_timeout: 0.25s - type: strict_dns + connect_timeout: 30s + per_connection_buffer_limit_bytes: 62914560 + type: static lb_policy: round_robin load_assignment: cluster_name: service 
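Review bot: The learner service's ext_authz filter is changed to `failure_mode_allow: true`, so an OPA sidecar that is not yet listening, has crashed, exceeds the new 5s timeout, or returns a transport error lets every request through to the upstream with no authorization decision; it was `false` before. For the service that fronts user and account APIs this is a fail-open regression, not a timeout tweak. Prefer keeping deny-by-default and making any relaxation explicit, e.g. `failure_mode_allow: {{ .Values.opa_failure_mode_allow | default false }}`. If fail-open is retained, the `x-envoy-auth-failure-mode-allowed: true` header Envoy adds (verify for google_grpc) lets the upstream refuse those requests.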
@@ -66,22 +72,11 @@ data: address: 127.0.0.1 port_value: {{ .Values.network.targetport }} admin: - access_log_path: "/dev/null" + access_log_path: "/dev/stdout" address: socket_address: address: 0.0.0.0 port_value: 10000 - layered_runtime: - layers: - - name: static_layer_0 - static_layer: - envoy: - resource_limits: - listener: - example_listener_name: - connection_limit: 10000 - overload: - global_downstream_max_connections: 50000 kind: ConfigMap metadata: name: {{ .Chart.Name }}-envoy-config diff --git a/kubernetes/helm_charts/core/learner/values.j2 b/kubernetes/helm_charts/core/learner/values.j2 index b7de6f529..9a463b202 100644 --- a/kubernetes/helm_charts/core/learner/values.j2 +++ b/kubernetes/helm_charts/core/learner/values.j2 @@ -31,8 +31,31 @@ strategy: {{ envoy_liveness_readiness | to_nice_yaml }} learner_opa_enabled: {{ learner_opa_enabled | default('true') }} +opa_decision_logs: {{ learner_opa_decision_logs | default('false') }} -{{ opa_envoy_resources | to_nice_yaml }} +envoy_resources: + requests: + cpu: "{{ learner_envoy_cpu_req | default('100m') }}" + memory: "{{ learner_envoy_mem_req | default('100Mi') }}" + limits: + cpu: "{{ learner_envoy_cpu_limit | default('1') }}" + memory: "{{ learner_envoy_mem_limit | default('1024Mi') }}" + +opa_resources: + requests: + cpu: "{{ learner_opa_cpu_req | default('100m') }}" + memory: "{{ learner_opa_mem_req | default('100Mi') }}" + limits: + cpu: "{{ learner_opa_cpu_limit | default('1') }}" + memory: "{{ learner_opa_mem_limit | default('1024Mi') }}" + +initcontainer_resources: + requests: + cpu: "{{ learner_initcontainer_cpu_req | default('100m') }}" + memory: "{{ learner_initcontainer_mem_req | default('100Mi') }}" + limits: + cpu: "{{ learner_initcontainer_cpu_limit | default('100m') }}" + memory: "{{ learner_initcontainer_mem_limit | default('100Mi') }}" learner_access_basepath: {{ learner_access_basepath | default('/keys/') }} 
diff --git a/kubernetes/helm_charts/core/lms/templates/deployment.yaml b/kubernetes/helm_charts/core/lms/templates/deployment.yaml index 1c455207e..d394b5f75 100644 --- a/kubernetes/helm_charts/core/lms/templates/deployment.yaml +++ b/kubernetes/helm_charts/core/lms/templates/deployment.yaml @@ -90,6 +90,9 @@ spec: - --diagnostic-addr=0.0.0.0:8282 - --set=plugins.envoy_ext_authz_grpc.addr=:9191 - --set=plugins.envoy_ext_authz_grpc.path=main/allow + {{- if .Values.opa_decision_logs }} + - --set=decision_logs.console=true + {{- end }} - --log-level=error - --ignore=.* image: openpolicyagent/opa:0.34.2-envoy-2 diff --git a/kubernetes/helm_charts/core/lms/templates/envoy-config.yaml b/kubernetes/helm_charts/core/lms/templates/envoy-config.yaml index ca5b325c5..c1cdfd8f6 100644 --- a/kubernetes/helm_charts/core/lms/templates/envoy-config.yaml +++ b/kubernetes/helm_charts/core/lms/templates/envoy-config.yaml @@ -5,10 +5,12 @@ data: envoy-config.yaml: | static_resources: listeners: - - address: + - name: listener_0 + address: socket_address: address: 0.0.0.0 port_value: 9999 + per_connection_buffer_limit_bytes: 62914560 filter_chains: - filters: - name: envoy.http_connection_manager @@ -16,6 +18,10 @@ data: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager codec_type: auto stat_prefix: ingress_http + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog route_config: name: local_route virtual_hosts: 
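Review bot: The lms sidecar's new `--set=decision_logs.console=true` writes each decision and its full `input` to stdout; with the envoy_ext_authz_grpc plugin configured just above, that input includes the request headers (Authorization, Cookie) and — since this patch's Envoy filter sends the body — the request body, so enabling the flag exposes tokens and payloads in the log pipeline. The false default in values.j2 is right, but add a comment above the `{{- if }}` such as `# decision logs dump the full ext_authz input (Authorization header, request body) to stdout; pair with a system.log.mask policy before enabling`. The container spec continues beyond the hunk.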
@@ -43,18 +49,18 @@ data: with_request_body: max_request_bytes: 62914560 allow_partial_message: true - pack_as_bytes: true - failure_mode_allow: false + failure_mode_allow: true grpc_service: google_grpc: target_uri: 127.0.0.1:9191 stat_prefix: ext_authz - timeout: 0.5s + timeout: 5s - name: envoy.filters.http.router clusters: - name: service - connect_timeout: 0.25s - type: strict_dns + connect_timeout: 30s + per_connection_buffer_limit_bytes: 62914560 + type: static lb_policy: round_robin load_assignment: cluster_name: service @@ -66,22 +72,11 @@ data: address: 127.0.0.1 port_value: {{ .Values.network.targetport }} admin: - access_log_path: "/dev/null" + access_log_path: "/dev/stdout" address: socket_address: address: 0.0.0.0 port_value: 10000 - layered_runtime: - layers: - - name: static_layer_0 - static_layer: - envoy: - resource_limits: - listener: - example_listener_name: - connection_limit: 10000 - overload: - global_downstream_max_connections: 50000 kind: ConfigMap metadata: name: {{ .Chart.Name }}-envoy-config diff --git a/kubernetes/helm_charts/core/lms/values.j2 b/kubernetes/helm_charts/core/lms/values.j2 index 43589dc13..519736aaa 100644 --- a/kubernetes/helm_charts/core/lms/values.j2 +++ b/kubernetes/helm_charts/core/lms/values.j2 
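Review bot: The lms ext_authz filter now carries `failure_mode_allow: true`, which turns every failure to consult OPA on 127.0.0.1:9191 — sidecar still starting, crash, the new 5s timeout, or the gRPC message-size errors the commit message mentions — into a request forwarded unauthorized to the upstream, across all routes on this listener; the old value was `false`. That is a fail-open authorization regression and should not ship as the unconditional default. Gate it through values with deny as the default, `failure_mode_allow: {{ .Values.opa_failure_mode_allow | default false }}`, and record in values.j2 why a fail-open would ever be enabled. Envoy flags such requests with `x-envoy-auth-failure-mode-allowed: true` (confirm for the google_grpc path), which the upstream can reject as a backstop.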
@@ -30,8 +30,31 @@ strategy: {{ envoy_liveness_readiness | to_nice_yaml }} lms_opa_enabled: {{ lms_opa_enabled | default('true') }} +opa_decision_logs: {{ lms_opa_decision_logs | default('false') }} -{{ opa_envoy_resources | to_nice_yaml }} +envoy_resources: + requests: + cpu: "{{ lms_envoy_cpu_req | default('100m') }}" + memory: "{{ lms_envoy_mem_req | default('100Mi') }}" + limits: + cpu: "{{ lms_envoy_cpu_limit | default('1') }}" + memory: "{{ lms_envoy_mem_limit | default('1024Mi') }}" + +opa_resources: + requests: + cpu: "{{ lms_opa_cpu_req | default('100m') }}" + memory: "{{ lms_opa_mem_req | default('100Mi') }}" + limits: + cpu: "{{ lms_opa_cpu_limit | default('1') }}" + memory: "{{ lms_opa_mem_limit | default('1024Mi') }}" + +initcontainer_resources: + requests: + cpu: "{{ lms_initcontainer_cpu_req | default('100m') }}" + memory: "{{ lms_initcontainer_mem_req | default('100Mi') }}" + limits: + cpu: "{{ lms_initcontainer_cpu_limit | default('100m') }}" + memory: "{{ lms_initcontainer_mem_limit | default('100Mi') }}" lms_access_basepath: {{ lms_access_basepath | default('/keys/') }} diff --git a/kubernetes/opa/common/common.rego b/kubernetes/opa/common/common.rego index 384a67b65..f6267368d 100644 --- a/kubernetes/opa/common/common.rego +++ b/kubernetes/opa/common/common.rego @@ -72,7 +72,7 @@ org_check(roles) = token_organisationids { } federation_id_check { - federation_id := token_federation_id + federation_id == token_federation_id } parent_id_check { -- GitLab
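Review bot: The `:=` → `==` change in `federation_id_check` is a real authorization fix rather than cosmetics: inside a rule body `federation_id := token_federation_id` is a local assignment that succeeds whenever `token_federation_id` is defined, so the rule never compared the two values and passed for any token carrying a federation id. With `==` the rule is undefined (i.e. fails) when the values differ or when either side is undefined, which is the safe default; both `federation_id` and `token_federation_id` are defined outside the hunk, so their undefined cases should be checked there. Please add a regression test in the rego test suite that asserts `not federation_id_check` for an input whose token federation id differs from the resource's, so this cannot silently regress, and audit the sibling rules (`parent_id_check` begins right after the hunk and its body is not visible here) for the same `:=`-instead-of-`==` pattern.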