diff --git a/modules/envoy-gateway/resources/envoy-proxy.yaml b/modules/envoy-gateway/resources/envoy-proxy.yaml
index bb6dbb39..858e0cc1 100644
--- a/modules/envoy-gateway/resources/envoy-proxy.yaml
+++ b/modules/envoy-gateway/resources/envoy-proxy.yaml
@@ -3,4 +3,10 @@ kind: EnvoyProxy
 metadata:
 name: custom-proxy-config
 spec:
- mergeGateways: false
\ No newline at end of file
+ mergeGateways: false
+ provider:
+ type: Kubernetes
+ kubernetes:
+ envoyService:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
diff --git a/modules/envoy-gateway/resources/traffic-policy.yaml b/modules/envoy-gateway/resources/traffic-policy.yaml
index f95cc046..ee3d45b5 100644
--- a/modules/envoy-gateway/resources/traffic-policy.yaml
+++ b/modules/envoy-gateway/resources/traffic-policy.yaml
@@ -8,4 +8,5 @@ spec:
 kind: Gateway
 name: eg
 tls:
- minVersion: "1.3"
\ No newline at end of file
+ minVersion: "1.3"
+ enableProxyProtocol: true
\ No newline at end of file
diff --git a/modules/signoz/main.tf b/modules/signoz/main.tf
index 5f65e539..00024fc3 100644
--- a/modules/signoz/main.tf
+++ b/modules/signoz/main.tf
@@ -251,6 +251,7 @@ spec:
 value: ${var.namespace}
 - target:
 kind: SecurityPolicy
+ name: require-jwt-for-collector
 patch: |-
 - op: replace
 path: /metadata/namespace
diff --git a/modules/signoz/resources-otel-ingress/http-route.yaml b/modules/signoz/resources-otel-ingress/http-route.yaml
index fab998e6..ee17a213 100644
--- a/modules/signoz/resources-otel-ingress/http-route.yaml
+++ b/modules/signoz/resources-otel-ingress/http-route.yaml
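Review bot: With `enableProxyProtocol: true` in traffic-policy.yaml (paired with the `aws-load-balancer-proxy-protocol: "*"` annotation added in envoy-proxy.yaml) Envoy takes the client address from the PROXY header of every connection to the listener, and that address is what the `clientCIDRs` allowlist in the new `restrict-ui-to-sage-vpn` SecurityPolicy in security-policy.yaml is checked against. That is only trustworthy while the load balancer is the sole path to the Envoy pods; a connection that reaches the listener without passing through the LB can carry a PROXY header of its sender's choosing, so the allowlist is only as strong as the reachability restriction on the pods. I'd confine listener reachability to the LB targets (NetworkPolicy on the Envoy pods, or the security group on the nodes) and record the dependency next to the setting, e.g. `# PROXY protocol: Envoy trusts the source IP from the LB-supplied header, so the listener must only be reachable through the LB` above `enableProxyProtocol`. The two settings also have to roll out together, since an LB sending PROXY headers to an Envoy not expecting them (or the reverse) fails every connection on the port; a short rollout note in either file would save the next operator that surprise.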
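Review bot: Narrowing the kustomize patch target from every `SecurityPolicy` to `name: require-jwt-for-collector` means the `/metadata/namespace` replace no longer touches the new `restrict-ui-to-sage-vpn` policy, which then stays in `envoy-gateway` alongside the `signoz-ui-route` it targets; that looks deliberate, but nothing in the file says so, and a future policy added to security-policy.yaml will silently keep whatever namespace it hard-codes. I'd add a comment on the target, e.g. `# Only the collector policy is moved into ${var.namespace}; restrict-ui-to-sage-vpn must stay in envoy-gateway with signoz-ui-route` — presumably because the collector's HTTPRoute is patched into that namespace as well, which is worth confirming since a SecurityPolicy can only target a route in its own namespace. The patch's `value` line and the rest of the kustomization lie outside the hunk.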
@@ -24,3 +24,24 @@ spec:
 - path:
 type: PathPrefix
 value: /telemetry/v1
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: signoz-ui-route
+ namespace: envoy-gateway
+spec:
+ parentRefs:
+ - name: eg
+ rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: signoz-frontend
+ namespace: signoz
+ port: 3301
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
\ No newline at end of file
diff --git a/modules/signoz/resources-otel-ingress/reference-grant-signoz.yaml b/modules/signoz/resources-otel-ingress/reference-grant-signoz.yaml
index 4fa26cb3..b0df519d 100644
--- a/modules/signoz/resources-otel-ingress/reference-grant-signoz.yaml
+++ b/modules/signoz/resources-otel-ingress/reference-grant-signoz.yaml
@@ -12,3 +12,7 @@ spec:
 - group: ""
 kind: Service
 name: signoz-otel-collector
+ - group: ""
+ kind: Service
+ name: signoz-frontend
+
diff --git a/modules/signoz/resources-otel-ingress/security-policy.yaml b/modules/signoz/resources-otel-ingress/security-policy.yaml
index 3d45d127..f717bd6e 100644
--- a/modules/signoz/resources-otel-ingress/security-policy.yaml
+++ b/modules/signoz/resources-otel-ingress/security-policy.yaml
@@ -1,7 +1,7 @@
 apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: SecurityPolicy
 metadata:
- name: require-audience-for-authorization
+ name: require-jwt-for-collector
 namespace: envoy-gateway
 spec:
 targetRef:
@@ -11,3 +11,22 @@ spec:
 jwt:
 providers:
 authorization:
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+ name: restrict-ui-to-sage-vpn
+ namespace: envoy-gateway
+spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: signoz-ui-route
+ authorization:
+ defaultAction: Deny
+ rules:
+ - action: Allow
+ principal:
+ clientCIDRs:
+ # Public IP address for the Sage VPN. `/32` CIDR mask means a single IP address.
+ - 52.44.61.21/32
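Review bot: `signoz-ui-route` sets no `hostnames`, so it is a catch-all `PathPrefix: /` on every host the shared `eg` Gateway listens on; the telemetry route still wins for `/telemetry/v1` because the longer path match takes precedence, but every other request on this gateway now lands on the SigNoz UI, including scanners and probes that were never meant to reach it. I'd scope the route with `hostnames: ["<signoz-ui-hostname>"]` under `spec:` so the UI is only served for its intended name, and `weight: 1` can go unless the existing telemetry route spells it out too, since it is the default for a single backend. Note that the route itself carries no access control: it relies entirely on a separate SecurityPolicy attaching to it, so anything that detaches that policy leaves the UI reachable through this route.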
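Review bot: `restrict-ui-to-sage-vpn` fails open: `defaultAction: Deny` only takes effect once Envoy Gateway has accepted the policy and attached it to `signoz-ui-route`, and a policy that is rejected (wrong targetRef, namespace mismatch after the kustomize patches in main.tf, an API change) leaves the route serving the UI unrestricted with no error on the route itself. I'd have the deployment check the policy's `Accepted` status condition after apply and alert on it, and say so in the file, e.g. `# Fails open if not Accepted: verify the policy status after every apply` above `defaultAction`. The CIDR comment should also say who owns the address and where it is changed, e.g. `# Sage VPN egress IP (a single host, hence /32); update here when the VPN's public address changes`, so the allowlist does not silently lock everyone out or admit the wrong network when the VPN moves.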