Skip to content

Commit 574e680

Browse files
committed
wip
Signed-off-by: npolshakova <nina.polshakova@solo.io>
1 parent a0d689b commit 574e680

6 files changed

Lines changed: 750 additions & 0 deletions

File tree

demos/counter/counter.go

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -50,6 +50,43 @@ func main() {
5050
w.WriteHeader(http.StatusOK)
5151
w.Write([]byte(response))
5252
})
53+
defaultMux.HandleFunc("/egress", func(w http.ResponseWriter, r *http.Request) {
54+
ctx := r.Context()
55+
targetURL := r.URL.Query().Get("url")
56+
if targetURL == "" {
57+
targetURL = "http://example.com/"
58+
}
59+
60+
req, err := http.NewRequestWithContext(ctx, http.MethodGet, targetURL, nil)
61+
if err != nil {
62+
http.Error(w, err.Error(), http.StatusBadRequest)
63+
return
64+
}
65+
66+
client := &http.Client{}
67+
68+
resp, err := client.Do(req)
69+
if err != nil {
70+
slog.ErrorContext(ctx, "Egress request failed",
71+
slog.String("url", targetURL),
72+
slog.Any("err", err))
73+
http.Error(w, err.Error(), http.StatusBadGateway)
74+
return
75+
}
76+
defer resp.Body.Close()
77+
78+
body, err := io.ReadAll(io.LimitReader(resp.Body, 512))
79+
if err != nil {
80+
http.Error(w, err.Error(), http.StatusBadGateway)
81+
return
82+
}
83+
84+
slog.InfoContext(ctx, "Egress request completed",
85+
slog.String("url", targetURL),
86+
slog.Int("status", resp.StatusCode))
87+
w.WriteHeader(http.StatusOK)
88+
fmt.Fprintf(w, "egress url: %s\nstatus: %d\nbody_prefix:\n%s\n", targetURL, resp.StatusCode, string(body))
89+
})
5390

5491
go func() {
5592
//time.Sleep(60 * time.Second)

demos/counter/counter.yaml.tmpl

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -53,3 +53,14 @@ spec:
5353
name: counter
5454
snapshotsConfig:
5555
location: gs://${BUCKET_NAME}/ate-demo-counter/
56+
egressPolicy:
57+
defaultAction: Deny
58+
allow:
59+
- name: example
60+
to:
61+
- host: example.com
62+
ports:
63+
- port: 80
64+
protocol: TCP
65+
audit:
66+
logs: true

manifests/ate-install/generated/ate.dev_actortemplates.yaml

Lines changed: 279 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -278,6 +278,285 @@ spec:
278278
type: object
279279
maxItems: 10
280280
type: array
281+
egressPolicy:
282+
description: |-
283+
EgressPolicy defines the default outbound network policy for actors
284+
created from this template.
285+
properties:
286+
allow:
287+
description: Allow contains destination rules actors created from
288+
this template may reach.
289+
items:
290+
properties:
291+
headers:
292+
description: Headers defines logging and trace handling
293+
for headers on matching traffic.
294+
properties:
295+
redact:
296+
description: Redact is the list of headers that must
297+
be redacted from egress logs and traces.
298+
items:
299+
type: string
300+
type: array
301+
type: object
302+
name:
303+
description: Name is an optional human-readable identifier
304+
for this rule.
305+
type: string
306+
pathPrefixes:
307+
description: PathPrefixes is the list of HTTP path prefixes
308+
matched by this rule.
309+
items:
310+
type: string
311+
type: array
312+
paths:
313+
description: Paths is the list of exact HTTP paths matched
314+
by this rule.
315+
items:
316+
type: string
317+
type: array
318+
ports:
319+
description: |-
320+
Ports is the list of destination ports matched by this rule.
321+
If empty, the rule applies to all destination ports.
322+
items:
323+
properties:
324+
port:
325+
description: Port is the destination port number.
326+
format: int32
327+
type: integer
328+
protocol:
329+
description: Protocol is the transport protocol for
330+
this port.
331+
type: string
332+
required:
333+
- port
334+
type: object
335+
type: array
336+
rateLimit:
337+
description: RateLimit defines request or token rate limits
338+
for matching traffic.
339+
items:
340+
properties:
341+
dimensions:
342+
description: |-
343+
Dimensions selects the bucket keys used by the enforcement layer, such as
344+
actor, template, or namespace.
345+
items:
346+
type: string
347+
type: array
348+
max:
349+
description: Max is the maximum number of requests
350+
or tokens allowed during Window.
351+
format: int64
352+
type: integer
353+
type:
354+
description: Type selects request-based or LLM token-based
355+
rate limiting.
356+
enum:
357+
- Requests
358+
- Tokens
359+
type: string
360+
window:
361+
description: Window is the time window for this limit,
362+
such as 1m or 1h.
363+
type: string
364+
required:
365+
- max
366+
- type
367+
- window
368+
type: object
369+
type: array
370+
tls:
371+
description: TLS defines transport security requirements
372+
for this destination.
373+
properties:
374+
mode:
375+
description: Mode controls how TLS is handled for matching
376+
egress traffic.
377+
enum:
378+
- Require
379+
- Originate
380+
- Disable
381+
type: string
382+
required:
383+
description: Required controls whether matching egress
384+
traffic must use TLS.
385+
type: boolean
386+
type: object
387+
to:
388+
description: To lists the destinations matched by this rule.
389+
items:
390+
properties:
391+
host:
392+
description: Host is the DNS name to match for egress
393+
traffic.
394+
type: string
395+
ipBlock:
396+
description: IPBlock is the IP range to match for
397+
egress traffic.
398+
properties:
399+
cidr:
400+
description: CIDR is an IP address range in CIDR
401+
notation.
402+
type: string
403+
required:
404+
- cidr
405+
type: object
406+
type: object
407+
type: array
408+
type: object
409+
type: array
410+
audit:
411+
description: Audit configures egress logging and tracing for actors
412+
created from this template.
413+
properties:
414+
logs:
415+
description: Logs enables egress access logs for actors created
416+
from this template.
417+
type: boolean
418+
redactHeaders:
419+
description: RedactHeaders is the list of headers that must
420+
be redacted from audit output.
421+
items:
422+
type: string
423+
type: array
424+
traces:
425+
description: Traces enables egress tracing for actors created
426+
from this template.
427+
type: boolean
428+
type: object
429+
defaultAction:
430+
description: DefaultAction is applied when no allow rule matches.
431+
enum:
432+
- Allow
433+
- Deny
434+
type: string
435+
deny:
436+
description: Deny contains destination rules actors created from
437+
this template may not reach.
438+
items:
439+
properties:
440+
headers:
441+
description: Headers defines logging and trace handling
442+
for headers on matching traffic.
443+
properties:
444+
redact:
445+
description: Redact is the list of headers that must
446+
be redacted from egress logs and traces.
447+
items:
448+
type: string
449+
type: array
450+
type: object
451+
name:
452+
description: Name is an optional human-readable identifier
453+
for this rule.
454+
type: string
455+
pathPrefixes:
456+
description: PathPrefixes is the list of HTTP path prefixes
457+
matched by this rule.
458+
items:
459+
type: string
460+
type: array
461+
paths:
462+
description: Paths is the list of exact HTTP paths matched
463+
by this rule.
464+
items:
465+
type: string
466+
type: array
467+
ports:
468+
description: |-
469+
Ports is the list of destination ports matched by this rule.
470+
If empty, the rule applies to all destination ports.
471+
items:
472+
properties:
473+
port:
474+
description: Port is the destination port number.
475+
format: int32
476+
type: integer
477+
protocol:
478+
description: Protocol is the transport protocol for
479+
this port.
480+
type: string
481+
required:
482+
- port
483+
type: object
484+
type: array
485+
rateLimit:
486+
description: RateLimit defines request or token rate limits
487+
for matching traffic.
488+
items:
489+
properties:
490+
dimensions:
491+
description: |-
492+
Dimensions selects the bucket keys used by the enforcement layer, such as
493+
actor, template, or namespace.
494+
items:
495+
type: string
496+
type: array
497+
max:
498+
description: Max is the maximum number of requests
499+
or tokens allowed during Window.
500+
format: int64
501+
type: integer
502+
type:
503+
description: Type selects request-based or LLM token-based
504+
rate limiting.
505+
enum:
506+
- Requests
507+
- Tokens
508+
type: string
509+
window:
510+
description: Window is the time window for this limit,
511+
such as 1m or 1h.
512+
type: string
513+
required:
514+
- max
515+
- type
516+
- window
517+
type: object
518+
type: array
519+
tls:
520+
description: TLS defines transport security requirements
521+
for this destination.
522+
properties:
523+
mode:
524+
description: Mode controls how TLS is handled for matching
525+
egress traffic.
526+
enum:
527+
- Require
528+
- Originate
529+
- Disable
530+
type: string
531+
required:
532+
description: Required controls whether matching egress
533+
traffic must use TLS.
534+
type: boolean
535+
type: object
536+
to:
537+
description: To lists the destinations matched by this rule.
538+
items:
539+
properties:
540+
host:
541+
description: Host is the DNS name to match for egress
542+
traffic.
543+
type: string
544+
ipBlock:
545+
description: IPBlock is the IP range to match for
546+
egress traffic.
547+
properties:
548+
cidr:
549+
description: CIDR is an IP address range in CIDR
550+
notation.
551+
type: string
552+
required:
553+
- cidr
554+
type: object
555+
type: object
556+
type: array
557+
type: object
558+
type: array
559+
type: object
281560
pauseImage:
282561
description: |-
283562
PauseImage is the container to use as the root sandbox container.

0 commit comments

Comments
 (0)