[SCHEMATIC-215] Enable ingress for SigNoz UI #51
--- | ||
apiVersion: gateway.networking.k8s.io/v1 | ||
kind: HTTPRoute | ||
metadata: | ||
name: signoz-ui-route | ||
namespace: envoy-gateway | ||
spec: | ||
parentRefs: | ||
- name: eg | ||
rules: | ||
- backendRefs: | ||
- group: "" | ||
kind: Service | ||
name: signoz-frontend | ||
namespace: signoz | ||
port: 3301 | ||
weight: 1 | ||
matches: | ||
- path: | ||
type: PathPrefix | ||
value: / |
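Review bot: The `backendRefs` entry points at Service `signoz-frontend` in namespace `signoz`, while the route itself lives in `envoy-gateway`. Gateway API only honours a cross-namespace backend reference when a ReferenceGrant in the target namespace allows it, so this change should include (or point to) a ReferenceGrant in `signoz` that permits HTTPRoutes from `envoy-gateway` to reference that Service; without one the route will not resolve its backend. Separately, the route sets no `hostnames`, so with the `/` PathPrefix match it claims all traffic on every hostname the `eg` listeners accept; adding the intended hostname would keep it scoped to the SigNoz UI.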
SigNoz only supports working at the root URL of the domain it's running on. In favor of getting a solution I am going to use the ${environment}.sagedpe.org URLs. If we want to swap to using a different sub-domain later we'll be able to do that, for example Sage-Bionetworks-IT/organizations-infra#1302 shows what we might do on the Sage IT infra stack.
On this side it's going to be a larger shift (And why I didn't want to worry about doing it now). It's because we'll need to make sure that we request SSL certs from Let's Encrypt and make sure it all works with the Listeners in the Envoy Gateway.
@@ -11,3 +11,22 @@ spec: | |||
jwt: | |||
providers: <replaced-by-kustomize> | |||
authorization: <replaced-by-kustomize> | |||
--- | |||
apiVersion: gateway.envoyproxy.io/v1alpha1 |
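Review bot: `apiVersion: gateway.envoyproxy.io/v1alpha1` ties the document that starts here to an alpha API whose fields can change between Envoy Gateway releases. Add a comment recording the Envoy Gateway version this manifest was written against, and re-check that the resource still applies and behaves as intended after each gateway upgrade.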
alpha version?
It's the latest at the moment (https://gateway.envoyproxy.io/latest/api/extension_types/#gatewayenvoyproxyiov1alpha1)
The gateway itself is past the v1.x.x mark, but the APIs (aka definition of this YAML) are subject to updates. I've been impressed with the changes this project has been publishing out and they have smoothed out a bunch of rough edges for shaping traffic into the K8s cluster. I've worked with other tools like Istio and Traefik Proxy before, and they were a huge pain to manage at the time.
authorization: | ||
defaultAction: Deny | ||
rules: | ||
- action: Allow | ||
principal: | ||
clientCIDRs: | ||
# Public IP address for the Sage VPN. `/32` CIDR mask means a single IP address. | ||
- 52.44.61.21/32 |
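Review bot: The `clientCIDRs` allow rule is only as reliable as the client address the gateway sees. If a load balancer or proxy sits in front of `eg`, the match is made against whatever client IP detection is configured (the description mentions the X-Forwarded-For header), so confirm that the number of trusted hops matches the actual proxy chain; otherwise the VPN address will either never match or the client IP will be taken from a header value the gateway should not trust. A comment next to `52.44.61.21/32` stating where client IP detection is configured would make that dependency visible to the next person who edits this policy.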
I don't know about the rest, but this looks like what we want.
LGTM!
https://sagebionetworks.jira.com/browse/SCHEMATIC-215
Problem:
Solution:
X-Forwarded-For
header.authorization
SecurityPolicy to restrict access to the SigNoz HTTP route
Testing:
dev
url: