examples: Add TLS sandbox

.azure-pipelines/pipelines.yml

@@ -59,7 +59,10 @@ stages:
               GCP_SERVICE_ACCOUNT_KEY: $(GcpServiceAccountKey)
             displayName: "Generate docs"
 
-          - script: ci/run_envoy_docker.sh 'ci/upload_gcs_artifact.sh /source/generated/docs docs'
+          - script: |
+              SHORT_COMMIT_SHA=$(git log --pretty=%P -n 1 | cut -d' ' -f2 | head -c7)
+              export SHORT_COMMIT_SHA
+              ci/run_envoy_docker.sh 'ci/upload_gcs_artifact.sh /source/generated/docs docs'
             displayName: "Upload Docs to GCS"
             env:
               ENVOY_DOCKER_BUILD_DIR: $(Build.StagingDirectory)
@@ -167,7 +170,7 @@ stages:
               AZP_BRANCH: $(Build.SourceBranch)
 
   - stage: linux_x64
-    dependsOn: ["precheck"]
+    dependsOn: []
     # For post-submit builds, continue even if precheck fails
     condition: and(not(canceled()), or(succeeded(), eq(variables['PostSubmit'], true)))
     jobs:
@@ -181,7 +184,7 @@ stages:
               ciTarget: bazel.release
 
   - stage: linux_arm64
-    dependsOn: ["precheck"]
+    dependsOn: []
     # For post-submit builds, continue even if precheck fails
     condition: and(not(canceled()), or(succeeded(), eq(variables['PostSubmit'], true)))
     jobs:

ci/run_envoy_docker.sh

@@ -91,6 +91,7 @@ docker run --rm \
        -e BAZELISK_BASE_URL \
        -e ENVOY_BUILD_ARCH \
        -e SLACK_TOKEN \
+       -e SHORT_COMMIT_SHA \
        -e BUILD_URI\
        -e REPO_URI \
        "${ENVOY_BUILD_IMAGE}" \

ci/upload_gcs_artifact.sh

@@ -18,8 +18,13 @@ if [ ! -d "${SOURCE_DIRECTORY}" ]; then
   exit 1
 fi
 
-BRANCH=${SYSTEM_PULLREQUEST_PULLREQUESTNUMBER:-${BUILD_SOURCEBRANCHNAME}}
-GCS_LOCATION="${GCS_ARTIFACT_BUCKET}/${BRANCH}/${TARGET_SUFFIX}"
+if [ -n "${SHORT_COMMIT_SHA}" ]; then
+    UPLOAD_PATH="${SHORT_COMMIT_SHA}"
+else
+    UPLOAD_PATH="${SYSTEM_PULLREQUEST_PULLREQUESTNUMBER:-${BUILD_SOURCEBRANCHNAME}}"
+fi
+
+GCS_LOCATION="${GCS_ARTIFACT_BUCKET}/${UPLOAD_PATH}/${TARGET_SUFFIX}"
 
 echo "Uploading to gs://${GCS_LOCATION} ..."
 gsutil -mq rsync -dr "${SOURCE_DIRECTORY}" "gs://${GCS_LOCATION}"

docs/root/start/sandboxes/index.rst

@@ -27,5 +27,6 @@ features. The following sandboxes are available:
     mysql
     postgres
     redis
+    tls
     wasm-cc
     zipkin_tracing

docs/root/start/sandboxes/tls.rst

@@ -0,0 +1,92 @@
+.. _install_sandboxes_tls:
+
+TLS
+===
+
+This example walks through some of the ways that Envoy can be configured to make
+use of encrypted connections using ``TLS`` over ``HTTP``.
+
+It demonstrates a number of commonly used proxying and ``TLS`` termination patterns:
+
+- ``https`` -> ``http``
+- ``https`` -> ``https``
+- ``http`` -> ``https``
+- ``https`` passthrough
+
+.. include:: _include/docker-env-setup.rst
+
+Change directory to ``examples/tls`` in the Envoy repository.
+
+Step 3: Build the sandbox
+*************************
+
+.. code-block:: console
+
+  $ pwd
+  envoy/examples/tls
+  $ docker-compose pull
+  $ docker-compose up --build -d
+  $ docker-compose ps
+
+         Name                            Command                 State          Ports
+  -----------------------------------------------------------------------------------------------
+  tls_proxy-https-to-http_1       /docker-entrypoint.sh /usr ... Up      0.0.0.0:10000->10000/tcp
+  tls_proxy-https-to-https_1      /docker-entrypoint.sh /usr ... Up      0.0.0.0:10001->10000/tcp
+  tls_proxy-http-to-https_1       /docker-entrypoint.sh /usr ... Up      0.0.0.0:10002->10000/tcp
+  tls_proxy-https-passthrough_1   /docker-entrypoint.sh /usr ... Up      0.0.0.0:10003->10000/tcp
+  tls_service-http_1              node ./index.js                Up
+  tls_service-https_1             node ./index.js                Up
+
+Step 4: Test proxying ``https`` -> ``http``
+********************************************
+
+The Envoy proxy listening on https://localhost:10000 terminates ``HTTPS`` and proxies to the upstream ``HTTP`` service.
+
+.. code-block:: console
+
+   $ curl -sk https://localhost:10000  | jq  '.headers["x-forwarded-proto"]'
+   "https"
+
+   $ curl -sk https://localhost:10000  | jq  '.os.hostname'
+   "service-http"
+
+Step 5: Test proxying ``https`` -> ``https``
+********************************************
+
+The Envoy proxy listening on https://localhost:10001 terminates ``HTTPS`` and proxies to the upstream ``HTTPS`` service.
+
+.. code-block:: console
+
+   $ curl -sk https://localhost:10001  | jq  '.headers["x-forwarded-proto"]'
+   "https"
+
+   $ curl -sk https://localhost:10001  | jq  '.os.hostname'
+   "service-https"
+
+Step 6: Test proxying ``http`` -> ``https``
+*******************************************
+
+The Envoy proxy listening on https://localhost:10002 terminates ``HTTP`` and proxies to the upstream ``HTTPS`` service.
+
+.. code-block:: console
+
+   $ curl -s http://localhost:10002  | jq  '.headers["x-forwarded-proto"]'
+   "http"
+
+   $ curl -s http://localhost:10002  | jq  '.os.hostname'
+   "service-https"
+
+
+Step 7: Test proxying ``https`` passthrough
+*******************************************
+
+The Envoy proxy listening on https://localhost:10003 proxies directly to the upstream ``HTTPS`` service which
+does the termination.
+
+.. code-block:: console
+
+   $ curl -s http://localhost:10002  | jq  '.headers["x-forwarded-proto"]'
+   "http"
+
+   $ curl -s http://localhost:10002  | jq  '.os.hostname'
+   "service-https"

examples/tls/Dockerfile-proxy-http-https

@@ -0,0 +1,5 @@
+FROM envoyproxy/envoy-dev:latest
+
+COPY ./envoy-http-https.yaml /etc/envoy.yaml
+RUN chmod go+r /etc/envoy.yaml
+CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml"]

examples/tls/Dockerfile-proxy-https-http

@@ -0,0 +1,5 @@
+FROM envoyproxy/envoy-dev:latest
+
+COPY ./envoy-https-http.yaml /etc/envoy.yaml
+RUN chmod go+r /etc/envoy.yaml
+CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml"]

examples/tls/Dockerfile-proxy-https-https

@@ -0,0 +1,5 @@
+FROM envoyproxy/envoy-dev:latest
+
+COPY ./envoy-https-https.yaml /etc/envoy.yaml
+RUN chmod go+r /etc/envoy.yaml
+CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml"]

examples/tls/Dockerfile-proxy-https-passthrough

@@ -0,0 +1,5 @@
+FROM envoyproxy/envoy-dev:latest
+
+COPY ./envoy-https-passthrough.yaml /etc/envoy.yaml
+RUN chmod go+r /etc/envoy.yaml
+CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml"]

examples/tls/README.md

@@ -0,0 +1,2 @@
+To learn about this sandbox and for instructions on how to run it please head over
+to the [Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/start/sandboxes/double-proxy.html).

examples/tls/docker-compose.yaml

@@ -0,0 +1,42 @@
+version: "3.7"
+services:
+
+  proxy-https-to-http:
+    build:
+      context: .
+      dockerfile: Dockerfile-proxy-https-http
+    ports:
+      - "10000:10000"
+
+  proxy-https-to-https:
+    build:
+      context: .
+      dockerfile: Dockerfile-proxy-https-https
+    ports:
+      - "10001:10000"
+
+  proxy-http-to-https:
+    build:
+      context: .
+      dockerfile: Dockerfile-proxy-http-https
+    ports:
+      - "10002:10000"
+
+  proxy-https-passthrough:
+    build:
+      context: .
+      dockerfile: Dockerfile-proxy-https-passthrough
+    ports:
+      - "10003:10000"
+
+  service-http:
+    image: mendhak/http-https-echo
+    hostname: service-http
+    environment:
+      - HTTPS_PORT=0
+
+  service-https:
+    image: mendhak/http-https-echo
+    hostname: service-https
+    environment:
+      - HTTP_PORT=0

examples/tls/envoy-http-https.yaml

@@ -0,0 +1,45 @@
+static_resources:
+  listeners:
+  - address:
+      socket_address:
+        address: 0.0.0.0
+        port_value: 10000
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          codec_type: auto
+          stat_prefix: ingress_http
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: app
+              domains:
+              - "*"
+              routes:
+              - match:
+                  prefix: "/"
+                route:
+                  cluster: service-https
+          http_filters:
+          - name: envoy.filters.http.router
+
+  clusters:
+  - name: service-https
+    connect_timeout: 0.25s
+    type: strict_dns
+    lb_policy: round_robin
+    load_assignment:
+      cluster_name: service-https
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: service-https
+                port_value: 443
+    transport_socket:
+      name: envoy.transport_sockets.tls
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext

examples/tls/envoy-https-http.yaml

@@ -0,0 +1,104 @@
+static_resources:
+  listeners:
+  - address:
+      socket_address:
+        address: 0.0.0.0
+        port_value: 10000
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          codec_type: auto
+          stat_prefix: ingress_http
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: app
+              domains:
+              - "*"
+              routes:
+              - match:
+                  prefix: "/"
+                route:
+                  cluster: service-http
+          http_filters:
+          - name: envoy.filters.http.router
+      transport_socket:
+        name: envoy.transport_sockets.tls
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+          common_tls_context:
+            tls_certificates:
+              # The following self-signed certificate pair is generated using:
+              # $ openssl req -x509 -newkey rsa:2048 -keyout a/front-proxy-key.pem -out  a/front-proxy-crt.pem -days 3650 -nodes -subj '/CN=front-envoy'
+              #
+              # Instead of feeding it as an inline_string, certificate pair can also be fed to Envoy
+              # via filename. Reference: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#config-core-v3-datasource.
+              #
+              # Or in a dynamic configuration scenario, certificate pair can be fetched remotely via
+              # Secret Discovery Service (SDS). Reference: https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret.
+              certificate_chain:
+                inline_string: |
+                  -----BEGIN CERTIFICATE-----
+                  MIICqDCCAZACCQCquzpHNpqBcDANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtm
+                  cm9udC1lbnZveTAeFw0yMDA3MDgwMTMxNDZaFw0zMDA3MDYwMTMxNDZaMBYxFDAS
+                  BgNVBAMMC2Zyb250LWVudm95MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+                  AQEAthnYkqVQBX+Wg7aQWyCCb87hBce1hAFhbRM8Y9dQTqxoMXZiA2n8G089hUou
+                  oQpEdJgitXVS6YMFPFUUWfwcqxYAynLK4X5im26Yfa1eO8La8sZUS+4Bjao1gF5/
+                  VJxSEo2yZ7fFBo8M4E44ZehIIocipCRS+YZehFs6dmHoq/MGvh2eAHIa+O9xssPt
+                  ofFcQMR8rwBHVbKy484O10tNCouX4yUkyQXqCRy6HRu7kSjOjNKSGtjfG+h5M8bh
+                  10W7ZrsJ1hWhzBulSaMZaUY3vh5ngpws1JATQVSK1Jm/dmMRciwlTK7KfzgxHlSX
+                  58ENpS7yPTISkEICcLbXkkKGEQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCmj6Hg
+                  vwOxWz0xu+6fSfRL6PGJUGq6wghCfUvjfwZ7zppDUqU47fk+yqPIOzuGZMdAqi7N
+                  v1DXkeO4A3hnMD22Rlqt25vfogAaZVToBeQxCPd/ALBLFrvLUFYuSlS3zXSBpQqQ
+                  Ny2IKFYsMllz5RSROONHBjaJOn5OwqenJ91MPmTAG7ujXKN6INSBM0PjX9Jy4Xb9
+                  zT+I85jRDQHnTFce1WICBDCYidTIvJtdSSokGSuy4/xyxAAc/BpZAfOjBQ4G1QRe
+                  9XwOi790LyNUYFJVyeOvNJwveloWuPLHb9idmY5YABwikUY6QNcXwyHTbRCkPB2I
+                  m+/R4XnmL4cKQ+5Z
+                  -----END CERTIFICATE-----
+              private_key:
+                inline_string: |
+                  -----BEGIN PRIVATE KEY-----
+                  MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC2GdiSpVAFf5aD
+                  tpBbIIJvzuEFx7WEAWFtEzxj11BOrGgxdmIDafwbTz2FSi6hCkR0mCK1dVLpgwU8
+                  VRRZ/ByrFgDKcsrhfmKbbph9rV47wtryxlRL7gGNqjWAXn9UnFISjbJnt8UGjwzg
+                  Tjhl6EgihyKkJFL5hl6EWzp2Yeir8wa+HZ4Achr473Gyw+2h8VxAxHyvAEdVsrLj
+                  zg7XS00Ki5fjJSTJBeoJHLodG7uRKM6M0pIa2N8b6HkzxuHXRbtmuwnWFaHMG6VJ
+                  oxlpRje+HmeCnCzUkBNBVIrUmb92YxFyLCVMrsp/ODEeVJfnwQ2lLvI9MhKQQgJw
+                  tteSQoYRAgMBAAECggEAeDGdEkYNCGQLe8pvg8Z0ccoSGpeTxpqGrNEKhjfi6NrB
+                  NwyVav10iq4FxEmPd3nobzDPkAftfvWc6hKaCT7vyTkPspCMOsQJ39/ixOk+jqFx
+                  lNa1YxyoZ9IV2DIHR1iaj2Z5gB367PZUoGTgstrbafbaNY9IOSyojCIO935ubbcx
+                  DWwL24XAf51ez6sXnI8V5tXmrFlNXhbhJdH8iIxNyM45HrnlUlOk0lCK4gmLJjy9
+                  10IS2H2Wh3M5zsTpihH1JvM56oAH1ahrhMXs/rVFXXkg50yD1KV+HQiEbglYKUxO
+                  eMYtfaY9i2CuLwhDnWp3oxP3HfgQQhD09OEN3e0IlQKBgQDZ/3poG9TiMZSjfKqL
+                  xnCABMXGVQsfFWNC8THoW6RRx5Rqi8q08yJrmhCu32YKvccsOljDQJQQJdQO1g09
+                  e/adJmCnTrqxNtjPkX9txV23Lp6Ak7emjiQ5ICu7iWxrcO3zf7hmKtj7z+av8sjO
+                  mDI7NkX5vnlE74nztBEjp3eC0wKBgQDV2GeJV028RW3b/QyP3Gwmax2+cKLR9PKR
+                  nJnmO5bxAT0nQ3xuJEAqMIss/Rfb/macWc2N/6CWJCRT6a2vgy6xBW+bqG6RdQMB
+                  xEZXFZl+sSKhXPkc5Wjb4lQ14YWyRPrTjMlwez3k4UolIJhJmwl+D7OkMRrOUERO
+                  EtUvc7odCwKBgBi+nhdZKWXveM7B5N3uzXBKmmRz3MpPdC/yDtcwJ8u8msUpTv4R
+                  JxQNrd0bsIqBli0YBmFLYEMg+BwjAee7vXeDFq+HCTv6XMva2RsNryCO4yD3I359
+                  XfE6DJzB8ZOUgv4Dvluie3TB2Y6ZQV/p+LGt7G13yG4hvofyJYvlg3RPAoGAcjDg
+                  +OH5zLN2eqah8qBN0CYa9/rFt0AJ19+7/smLTJ7QvQq4g0gwS1couplcCEnNGWiK
+                  72y1n/ckvvplmPeAE19HveMvR9UoCeV5ej86fACy8V/oVpnaaLBvL2aCMjPLjPP9
+                  DWeCIZp8MV86cvOrGfngf6kJG2qZTueXl4NAuwkCgYEArKkhlZVXjwBoVvtHYmN2
+                  o+F6cGMlRJTLhNc391WApsgDZfTZSdeJsBsvvzS/Nc0burrufJg0wYioTlpReSy4
+                  ohhtprnQQAddfjHP7rh2LGt+irFzhdXXQ1ybGaGM9D764KUNCXLuwdly0vzXU4HU
+                  q5sGxGrC1RECGB5Zwx2S2ZY=
+                  -----END PRIVATE KEY-----
+
+  clusters:
+  - name: service-http
+    connect_timeout: 0.25s
+    type: strict_dns
+    lb_policy: round_robin
+    load_assignment:
+      cluster_name: service-http
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: service-http
+                port_value: 80