|
| 1 | +# Reset-resilient copy of the downstream Envoy Gateway install with the |
| 2 | +# prod-fidelity pins baked in (EG chart v1.7.4, extensionManager |
| 3 | +# maxMessageSize:256Mi, e2e certificateRef). This lives in an UNTRACKED dir so an |
| 4 | +# external `git reset --hard` on the shared branch cannot revert these settings |
| 5 | +# (it kept clobbering the tracked config/tools/envoy-gateway-downstream copy). |
| 6 | +# |
| 7 | +# The non-volatile siblings (namespace.yaml, nso-crd-rbac.yaml) are reused from |
| 8 | +# the tracked tool dir via relative path; only the kustomization itself (the |
| 9 | +# thing that got reset) is vendored here. |
| 10 | +resources: |
| 11 | + - namespace.yaml |
| 12 | + - nso-crd-rbac.yaml |
| 13 | +helmCharts: |
| 14 | + - name: gateway-helm |
| 15 | + includeCRDs: false |
| 16 | + namespace: datum-downstream-gateway |
| 17 | + releaseName: envoy-datum-downstream-gateway |
| 18 | + # Prod EG version (rolled back from 1.8.1 for the OIDC regression). Pulled |
| 19 | + # from the OCI repo so this dir needs no vendored chart. |
| 20 | + version: v1.7.4 |
| 21 | + repo: oci://docker.io/envoyproxy |
| 22 | + valuesInline: |
| 23 | + config: |
| 24 | + envoyGateway: |
| 25 | + gateway: |
| 26 | + controllerName: gateway.envoyproxy.io/datum-downstream-gateway |
| 27 | + extensionApis: |
| 28 | + enableBackend: true |
| 29 | + enableEnvoyPatchPolicy: false |
| 30 | + runtimeFlags: |
| 31 | + enabled: |
| 32 | + - XDSNameSchemeV2 |
| 33 | + provider: |
| 34 | + type: Kubernetes |
| 35 | + kubernetes: |
| 36 | + watch: |
| 37 | + type: NamespaceSelector |
| 38 | + namespaceSelector: |
| 39 | + matchExpressions: |
| 40 | + - key: meta.datumapis.com/upstream-cluster-name |
| 41 | + operator: Exists |
| 42 | + extensionManager: |
| 43 | + # Match the extension server's larger message limit. The default is |
| 44 | + # far smaller, and once configuration grows past it, updates silently |
| 45 | + # stop reaching the proxies. |
| 46 | + maxMessageSize: 256Mi |
| 47 | + policyResources: |
| 48 | + - group: networking.datumapis.com |
| 49 | + version: v1alpha |
| 50 | + kind: TrafficProtectionPolicy |
| 51 | + resources: |
| 52 | + - group: networking.datumapis.com |
| 53 | + version: v1alpha1 |
| 54 | + kind: Connector |
| 55 | + service: |
| 56 | + fqdn: |
| 57 | + hostname: network-services-operator-envoy-gateway-extension-server.network-services-operator-system.svc.cluster.local |
| 58 | + port: 5005 |
| 59 | + tls: |
| 60 | + certificateRef: |
| 61 | + # The certificate authority that signed the extension server's |
| 62 | + # certificate, so the control plane can trust it. Published by |
| 63 | + # bring-up. |
| 64 | + name: e2e-extension-server-ca |
| 65 | + namespace: network-services-operator-system |
| 66 | + clientCertificateRef: |
| 67 | + name: envoy-gateway-extension-server-eg-client-tls |
| 68 | + namespace: network-services-operator-system |
| 69 | + retry: |
| 70 | + maxAttempts: 4 |
| 71 | + initialBackoff: 100ms |
| 72 | + maxBackoff: 1s |
| 73 | + backoffMultiplier: |
| 74 | + numerator: 200 |
| 75 | + retryableStatusCodes: |
| 76 | + - UNAVAILABLE |
| 77 | + hooks: |
| 78 | + xdsTranslator: |
| 79 | + post: |
| 80 | + - Translation |
| 81 | + translation: |
| 82 | + listener: |
| 83 | + includeAll: true # MANDATORY — without this, WAF listener filter + per-route mutations are silently dropped |
| 84 | + route: |
| 85 | + includeAll: true # MANDATORY — without this, WAF listener filter + per-route mutations are silently dropped |
| 86 | + cluster: |
| 87 | + includeAll: true |
| 88 | + secret: |
| 89 | + includeAll: true |
| 90 | + # Block updates when the extension server errors instead of serving |
| 91 | + # unprotected configuration; the proxy keeps its last good config. |
| 92 | + failOpen: false |
0 commit comments