Dockerfile to replace Istio proxy configuration. Add a Dockerfile to build a version of the proxy that has different check_cache behavior.
diff --git a/proxy/Dockerfile b/proxy/Dockerfile
new file mode 100644
index 0000000..452e2ed
--- /dev/null
+++ b/proxy/Dockerfile
@@ -0,0 +1,4 @@
+FROM istio/proxy:0.1.3
+
+COPY envoy.conf.template /etc/opt/proxy/envoy.conf.template
+
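Review bot: The base image in `FROM istio/proxy:0.1.3` is referenced by tag only, so each rebuild takes whatever the registry serves under that tag at that moment. Because this image sits in the request path and performs the Mixer check calls, pinning it by digest would make the build reproducible and tie it to the image that was actually reviewed: `FROM istio/proxy:0.1.3@sha256:<digest-of-reviewed-image>`. A comment above the COPY line would also help the next maintainer, for example `# Overrides the stock template; re-diff against the upstream template when bumping the base image.`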
diff --git a/proxy/README.md b/proxy/README.md
new file mode 100644
index 0000000..2a64a4a
--- /dev/null
+++ b/proxy/README.md
@@ -0,0 +1,11 @@
+# Proxy Docker image
+
+This directory contains a Dockerfile that will replace the Envoy
+configuration in the standard Istio proxy image with the configuration
+template in this directory.
+
+The main reason to change the configuration template here is to change
+the "check_cache_keys" parameter. With this change, the default
+Istio proxy will cache "check" results with the same URL. This change
+adds HTTP headers "apikey" and "Authorization" so that the caching
+will take authentication into account.
diff --git a/proxy/envoy.conf.template b/proxy/envoy.conf.template
new file mode 100644
index 0000000..e5984cc
--- /dev/null
+++ b/proxy/envoy.conf.template
@@ -0,0 +1,152 @@
+{
+ "listeners": [
+ {
+ "address": "tcp://0.0.0.0:${PORT}",
+ "bind_to_port": true,
+ "filters": [
+ {
+ "type": "read",
+ "name": "http_connection_manager",
+ "config": {
+ "codec_type": "auto",
+ "stat_prefix": "ingress_http",
+ "route_config": {
+ "virtual_hosts": [
+ {
+ "name": "backend",
+ "domains": ["*"],
+ "routes": [
+ {
+ "timeout_ms": 0,
+ "prefix": "/",
+ "cluster": "service1",
+ "opaque_config": {
+ "mixer_control": "on",
+ "mixer_forward": "off"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "access_log": [
+ {
+ "path": "/dev/stdout"
+ }
+ ],
+ "filters": [
+ {
+ "type": "decoder",
+ "name": "mixer",
+ "config": {
+ "mixer_server": "${MIXER_SERVER}",
+ "mixer_attributes": {
+ "target.uid": "POD222",
+ "target.service": "foo.svc.cluster.local"
+ },
+ "quota_name": "RequestCount",
+ "quota_amount": "1",
+ "check_cache_expiration_seconds": 1,
+ "check_cache_keys": [
+ "request.host",
+ "request.path",
+ "origin.user",
+ "request.headers/apikey",
+ "request.headers/authorization"
+ ]
+ }
+ },
+ {
+ "type": "decoder",
+ "name": "router",
+ "config": {}
+ }
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "address": "tcp://0.0.0.0:7070",
+ "bind_to_port": true,
+ "filters": [
+ {
+ "type": "read",
+ "name": "http_connection_manager",
+ "config": {
+ "codec_type": "auto",
+ "stat_prefix": "ingress_http",
+ "route_config": {
+ "virtual_hosts": [
+ {
+ "name": "backend",
+ "domains": ["*"],
+ "routes": [
+ {
+ "timeout_ms": 0,
+ "prefix": "/",
+ "cluster": "service2"
+ }
+ ]
+ }
+ ]
+ },
+ "access_log": [
+ {
+ "path": "/dev/stdout"
+ }
+ ],
+ "filters": [
+ {
+ "type": "decoder",
+ "name": "mixer",
+ "config": {
+ "mixer_server": "${MIXER_SERVER}",
+ "forward_attributes": {
+ "source.uid": "POD11",
+ "source.namespace": "XYZ11"
+ }
+ }
+ },
+ {
+ "type": "decoder",
+ "name": "router",
+ "config": {}
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ],
+ "admin": {
+ "access_log_path": "/dev/stdout",
+ "address": "tcp://0.0.0.0:9001"
+ },
+ "cluster_manager": {
+ "clusters": [
+ {
+ "name": "service1",
+ "connect_timeout_ms": 5000,
+ "type": "strict_dns",
+ "lb_type": "round_robin",
+ "hosts": [
+ {
+ "url": "tcp://${BACKEND}"
+ }
+ ]
+ },
+ {
+ "name": "service2",
+ "connect_timeout_ms": 5000,
+ "type": "strict_dns",
+ "lb_type": "round_robin",
+ "hosts": [
+ {
+ "url": "tcp://localhost:9090"
+ }
+ ]
+ }
+ ]
+ }
+}
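Review bot: The `admin` block near the end of the template binds the Envoy admin endpoint to every interface with `"address": "tcp://0.0.0.0:9001"`, so the unauthenticated admin API is reachable from anything that can reach the pod IP. Unless something outside this file restricts that port, bind it to loopback instead: `"address": "tcp://127.0.0.1:9001"`. Separately, the mixer filter on the `${PORT}` listener sends fixed `mixer_attributes` (`"target.uid": "POD222"`, `"target.service": "foo.svc.cluster.local"`). If these are sample values carried over, check results would be evaluated and cached against that identity rather than the real workload. They would be safer as template variables, like `${PORT}` and `${MIXER_SERVER}`.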