From f5d28969785a9f374b62325d61abd3e18e0644f4 Mon Sep 17 00:00:00 2001
From: BryanFauble <17128019+BryanFauble@users.noreply.github.com>
Date: Tue, 3 Dec 2024 10:33:59 -0700
Subject: [PATCH 1/4] Enable ingress for SigNoz UI
---
 .../envoy-gateway/resources/envoy-proxy.yaml | 8 +++++-
 .../resources/traffic-policy.yaml | 3 ++-
 .../resources-otel-ingress/http-route.yaml | 27 +++++++++++++++++++
 .../reference-grant-signoz.yaml | 4 +++
 .../security-policy.yaml | 21 ++++++++++++++-
 5 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/modules/envoy-gateway/resources/envoy-proxy.yaml b/modules/envoy-gateway/resources/envoy-proxy.yaml
index bb6dbb39..858e0cc1 100644
--- a/modules/envoy-gateway/resources/envoy-proxy.yaml
+++ b/modules/envoy-gateway/resources/envoy-proxy.yaml
@@ -3,4 +3,10 @@ kind: EnvoyProxy
 metadata:
 name: custom-proxy-config
 spec:
- mergeGateways: false
\ No newline at end of file
+ mergeGateways: false
+ provider:
+ type: Kubernetes
+ kubernetes:
+ envoyService:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
diff --git a/modules/envoy-gateway/resources/traffic-policy.yaml b/modules/envoy-gateway/resources/traffic-policy.yaml
index f95cc046..ee3d45b5 100644
--- a/modules/envoy-gateway/resources/traffic-policy.yaml
+++ b/modules/envoy-gateway/resources/traffic-policy.yaml
@@ -8,4 +8,5 @@ spec:
 kind: Gateway
 name: eg
 tls:
- minVersion: "1.3"
\ No newline at end of file
+ minVersion: "1.3"
+ enableProxyProtocol: true
\ No newline at end of file
diff --git a/modules/signoz/resources-otel-ingress/http-route.yaml b/modules/signoz/resources-otel-ingress/http-route.yaml
index fab998e6..4f2bfcfb 100644
--- a/modules/signoz/resources-otel-ingress/http-route.yaml
+++ b/modules/signoz/resources-otel-ingress/http-route.yaml
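Review bot: The new `service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"` annotation and the `enableProxyProtocol: true` added to traffic-policy.yaml in this same patch only work as a pair, and neither file records that coupling. With the annotation the load balancer prepends a PROXY header on every target port, so a listener that has not enabled the PROXY listener filter would read it as malformed TLS, and a listener with the filter enabled may reject connections that arrive without the header (that depends on the Envoy Gateway default), so rolling the two changes out separately is a likely outage. I would add a comment above the annotation, `# Must stay in sync with ClientTrafficPolicy.spec.enableProxyProtocol in traffic-policy.yaml: the NLB prepends a PROXY header on every port`, and the mirror comment above `enableProxyProtocol`. traffic-policy.yaml still ends with `\ No newline at end of file` after the change, as does http-route.yaml in this patch.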
@@ -24,3 +24,30 @@ spec:
 - path:
 type: PathPrefix
 value: /telemetry/v1
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: signoz-ui-route
+ namespace: envoy-gateway
+spec:
+ parentRefs:
+ - name: eg
+ rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: signoz-frontend
+ namespace: signoz
+ port: 3301
+ weight: 1
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplacePrefixMatch
+ replacePrefixMatch: /
+ matches:
+ - path:
+ type: PathPrefix
+ value: /telemetry/ui
\ No newline at end of file
diff --git a/modules/signoz/resources-otel-ingress/reference-grant-signoz.yaml b/modules/signoz/resources-otel-ingress/reference-grant-signoz.yaml
index 4fa26cb3..b0df519d 100644
--- a/modules/signoz/resources-otel-ingress/reference-grant-signoz.yaml
+++ b/modules/signoz/resources-otel-ingress/reference-grant-signoz.yaml
@@ -12,3 +12,7 @@ spec:
 - group: ""
 kind: Service
 name: signoz-otel-collector
+ - group: ""
+ kind: Service
+ name: signoz-frontend
+
diff --git a/modules/signoz/resources-otel-ingress/security-policy.yaml b/modules/signoz/resources-otel-ingress/security-policy.yaml
index 3d45d127..f717bd6e 100644
--- a/modules/signoz/resources-otel-ingress/security-policy.yaml
+++ b/modules/signoz/resources-otel-ingress/security-policy.yaml
@@ -1,7 +1,7 @@
 apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: SecurityPolicy
 metadata:
- name: require-audience-for-authorization
+ name: require-jwt-for-collector
 namespace: envoy-gateway
 spec:
 targetRef:
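Review bot: The new `signoz-ui-route` rewrites `/telemetry/ui` to `/` before forwarding, so the SigNoz frontend is served as if it lived at the root while the browser addresses it under a prefix; that only holds if the frontend emits prefix-relative links, which nothing in the route asserts, and the later patches in this series suggest it does not. Worth a comment on the `filters` entry stating the assumption, e.g. `# Assumes the frontend can be served from a sub-path; absolute links in its responses would escape /telemetry/ui`. The route is also declared in `envoy-gateway` rather than `signoz` (presumably because the `eg` Gateway lives there), which is why the ReferenceGrant in the next hunk becomes necessary; a one-line comment on `namespace: envoy-gateway` would save the next reader that lookup. `weight: 1` on a single backendRef is a no-op and can be dropped.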
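Review bot: Adding `signoz-frontend` to the grant's `to` list lets every HTTPRoute in the granting namespace (the `from` block sits above this hunk) reference the SigNoz UI service, not just `signoz-ui-route`, because a ReferenceGrant is scoped per namespace and kind rather than per route. That is the intended effect here, but it also means the UI becomes a routable backend for any route later added in that namespace, and `restrict-ui-to-sage-vpn` attaches only to `signoz-ui-route` by name. A comment on the new entry would record that, e.g. `# Any HTTPRoute in the from-namespace may now target the UI; every such route needs the VPN SecurityPolicy attached`. The hunk also adds a trailing empty line at the end of the file.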
@@ -11,3 +11,22 @@ spec:
 jwt:
 providers:
 authorization:
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+ name: restrict-ui-to-sage-vpn
+ namespace: envoy-gateway
+spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: signoz-ui-route
+ authorization:
+ defaultAction: Deny
+ rules:
+ - action: Allow
+ principal:
+ clientCIDRs:
+ # Public IP address for the Sage VPN. `/32` CIDR mask means a single IP address.
+ - 52.44.61.21/32
From b274c4a33e5511d6275f21c3b9b20ebce1819f97 Mon Sep 17 00:00:00 2001
From: BryanFauble <17128019+BryanFauble@users.noreply.github.com>
Date: Tue, 3 Dec 2024 10:52:22 -0700
Subject: [PATCH 2/4] Apply new rule for Referer header
---
 modules/signoz/main.tf | 1 +
 .../resources-otel-ingress/http-route.yaml | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/modules/signoz/main.tf b/modules/signoz/main.tf
index 5f65e539..00024fc3 100644
--- a/modules/signoz/main.tf
+++ b/modules/signoz/main.tf
@@ -251,6 +251,7 @@ spec:
 value: ${var.namespace}
 - target:
 kind: SecurityPolicy
+ name: require-jwt-for-collector
 patch: |-
 - op: replace
 path: /metadata/namespace
diff --git a/modules/signoz/resources-otel-ingress/http-route.yaml b/modules/signoz/resources-otel-ingress/http-route.yaml
index 4f2bfcfb..bbff9f2a 100644
--- a/modules/signoz/resources-otel-ingress/http-route.yaml
+++ b/modules/signoz/resources-otel-ingress/http-route.yaml
@@ -50,4 +50,18 @@ spec:
 matches:
 - path:
 type: PathPrefix
- value: /telemetry/ui
\ No newline at end of file
+ value: /telemetry/ui
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: signoz-frontend
+ namespace: signoz
+ port: 3301
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ - headers:
+ - name: Referer
+ value: https://dev.sagedpe.org/telemetry/ui
\ No newline at end of file
From 1e9e1cb1da0178eeaf98b7aca10a372c1722a23e Mon Sep 17 00:00:00 2001
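Review bot: `restrict-ui-to-sage-vpn` authorizes purely on `clientCIDRs`, and with `enableProxyProtocol: true` on the Gateway (patch 1 of this series) the client address Envoy evaluates comes from the PROXY header sent by the load balancer; any client that can reach the Envoy Service without going through that load balancer, for example from inside the cluster, could present its own header and satisfy the `52.44.61.21/32` rule. Which address is evaluated also depends on the ClientTrafficPolicy's client-IP detection settings, which are outside this series, so that is worth confirming. I would keep the Envoy pods reachable only from the load balancer (a NetworkPolicy on the proxy namespace plus the load balancer's own source restrictions) and record the dependency next to `clientCIDRs`, e.g. `# Source IP comes from the NLB's PROXY header; keep the Envoy Service unreachable except via the NLB, or this allow-list can be forged`. The allowed address is also hard-coded in a module that main.tf already patches by namespace, so exposing it as a module variable would keep environment data out of the shared manifest.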
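Review bot: Narrowing the kustomize target to `name: require-jwt-for-collector` means the namespace replacement no longer touches the new `restrict-ui-to-sage-vpn` policy, which stays in `envoy-gateway` as declared; that is only correct if `signoz-ui-route` also stays in `envoy-gateway`, since a SecurityPolicy can only target a route in its own namespace. The `value: ${var.namespace}` context line above suggests the preceding target (outside this hunk) also rewrites namespaces; if it selects `kind: HTTPRoute` without a name, it moves `signoz-ui-route` out from under its policy and the CIDR restriction silently never attaches. Worth verifying the rendered output puts the route and its policy in the same namespace, and noting the intent on the new line, `# Only the collector policy follows var.namespace; restrict-ui-to-sage-vpn must stay beside signoz-ui-route`. The enclosing heredoc starts and ends outside the hunk.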
From: BryanFauble <17128019+BryanFauble@users.noreply.github.com>
Date: Tue, 3 Dec 2024 10:55:44 -0700
Subject: [PATCH 3/4] Swap to exact match
---
 modules/signoz/resources-otel-ingress/http-route.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/signoz/resources-otel-ingress/http-route.yaml b/modules/signoz/resources-otel-ingress/http-route.yaml
index bbff9f2a..efcbdbbc 100644
--- a/modules/signoz/resources-otel-ingress/http-route.yaml
+++ b/modules/signoz/resources-otel-ingress/http-route.yaml
@@ -60,7 +60,7 @@ spec:
 weight: 1
 matches:
 - path:
- type: PathPrefix
+ type: Exact
 value: /
 - headers:
 - name: Referer
From 30947feeb7a2b761573f345efc30613a20ba9d96 Mon Sep 17 00:00:00 2001
From: BryanFauble <17128019+BryanFauble@users.noreply.github.com>
Date: Tue, 3 Dec 2024 12:21:56 -0700
Subject: [PATCH 4/4] Use root prefix
---
 .../resources-otel-ingress/http-route.yaml | 22 +------------------
 1 file changed, 1 insertion(+), 21 deletions(-)
diff --git a/modules/signoz/resources-otel-ingress/http-route.yaml b/modules/signoz/resources-otel-ingress/http-route.yaml
index efcbdbbc..ee17a213 100644
--- a/modules/signoz/resources-otel-ingress/http-route.yaml
+++ b/modules/signoz/resources-otel-ingress/http-route.yaml
@@ -41,27 +41,7 @@ spec:
 namespace: signoz
 port: 3301
 weight: 1
- filters:
- - type: URLRewrite
- urlRewrite:
- path:
- type: ReplacePrefixMatch
- replacePrefixMatch: /
 matches:
 - path:
 type: PathPrefix
- value: /telemetry/ui
- - backendRefs:
- - group: ""
- kind: Service
- name: signoz-frontend
- namespace: signoz
- port: 3301
- weight: 1
- matches:
- - path:
- type: Exact
- value: /
- - headers:
- - name: Referer
- value: https://dev.sagedpe.org/telemetry/ui
\ No newline at end of file
+ value: /
\ No newline at end of file
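Review bot: After this patch `signoz-ui-route` matches `PathPrefix` `/`, so every request on the `eg` gateway that no more specific route claims (the `/telemetry/v1` collector route still wins on longest prefix) is forwarded to the SigNoz frontend, and because `restrict-ui-to-sage-vpn` still targets the whole route, paths that previously fell through to a 404 now get the authorization deny instead. That makes the UI the gateway's effective default backend, which the title "Use root prefix" does not convey; a comment on the match would, e.g. `# Catch-all: anything not matched by a more specific HTTPRoute on this gateway reaches the SigNoz UI, gated by restrict-ui-to-sage-vpn`. Any route added to this gateway later must be at least as specific, and a route meant to be reachable without the VPN allow-list needs its own longer prefix. `weight: 1` on the single backendRef remains a no-op, and the file still ends without a trailing newline.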