docs: replaces json patch bodies with yaml format (envoyproxy#3180)
Signed-off-by: Eitan Suez <eitan@tetrate.io>
Eitan Suez committed Apr 12, 2024
1 parent 231b3b4 commit 5c634f3
Showing 10 changed files with 208 additions and 253 deletions.
38 changes: 19 additions & 19 deletions site/content/en/v1.0.1/tasks/extensibility/envoy-patch-policy.md
Expand Up @@ -63,10 +63,10 @@ kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system

### Customize Response

* Lets use EnvoyProxy's [Local Reply Modification][] feature to return a custom response back to the client when
* Use EnvoyProxy's [Local Reply Modification][] feature to return a custom response back to the client when
the status code is `404`

* Lets apply the configuration
* Apply the configuration

```shell
cat <<EOF | kubectl apply -f -
Expand Down Expand Up @@ -94,10 +94,10 @@ spec:
- filter:
status_code_filter:
comparison:
op: EQ
value:
default_value: 404
runtime_key: key_b
op: EQ
value:
default_value: 404
runtime_key: key_b
status_code: 406
body:
inline_string: "could not find what you are looking for"
Expand Down Expand Up @@ -133,27 +133,27 @@ spec:
- filter:
status_code_filter:
comparison:
op: EQ
value:
default_value: 404
runtime_key: key_b
op: EQ
value:
default_value: 404
runtime_key: key_b
status_code: 406
body:
inline_string: "could not find what you are looking for"
EOF
```

* Lets edit the HTTPRoute resource from the Quickstart to only match on paths with value `/get`
* Edit the HTTPRoute resource from the Quickstart to only match on paths with value `/get`

```
kubectl patch httproute backend --type=json --patch '[{
"op": "add",
"path": "/spec/rules/0/matches/0/path/value",
"value": "/get",
}]'
```shell
kubectl patch httproute backend --type=json --patch '
- op: add
path: /spec/rules/0/matches/0/path/value
value: /get
'
```

* Lets test it out by specifying a path apart from `/get`
* Test it out by specifying a path apart from `/get`

```
$ curl --header "Host: www.example.com" http://localhost:8888/find
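Review bot: The `kubectl patch httproute backend` command keeps `--type=json` while its body is now YAML, and the surrounding text gives no hint why that is valid. kubectl accepts the patch argument in either JSON or YAML and converts it before applying the JSON Patch operations, so the command works, but a reader who sees `--type=json` next to a YAML list may assume a copy error. Add one sentence before the command saying that `--type=json` selects the JSON Patch operation format (`op`, `path`, `value`) and that the body itself may be written in YAML.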
Expand All @@ -169,7 +169,7 @@ could not find what you are looking for
`Accepted=True` and `Programmed=True` conditions are set to ensure that the policy has been
applied to Envoy Proxy.

```
```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyPatchPolicy
metadata:
106 changes: 40 additions & 66 deletions site/content/en/v1.0.1/tasks/security/backend-tls.md
Expand Up @@ -29,7 +29,7 @@ Create a certificate and a private key for `www.example.com`:

```shell
openssl req -out www.example.com.csr -newkey rsa:2048 -nodes -keyout www.example.com.key -subj "/CN=www.example.com/O=example organization"
openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in www.example.com.csr -out www.example.com.crt
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -set_serial 0 -in www.example.com.csr -out www.example.com.crt
```

Store the cert/key in a Secret:
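Review bot: The `openssl x509 -req` line now reads the signing CA from `ca.crt` and `ca.key`, but the step that creates the CA lies outside this hunk, so it is not visible here that it writes those file names. Please confirm the earlier command on the page produces `ca.crt` and `ca.key`; the next hunk's context line `kubectl create configmap example-ca --from-file=ca.crt` suggests it does. This is also a functional fix rather than a JSON-to-YAML conversion, so it deserves its own line in the commit message.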
Expand All @@ -49,56 +49,34 @@ kubectl create configmap example-ca --from-file=ca.crt
Patch the existing quickstart backend to enable TLS. The patch will mount the TLS certificate secret into the backend as volume.

```shell
kubectl patch deployment backend --type=json --patch '[
{
"op": "add",
"path": "/spec/template/spec/containers/0/volumeMounts",
"value": [
{
"name": "secret-volume",
"mountPath": "/etc/secret-volume"
}
]
},
{
"op": "add",
"path": "/spec/template/spec/volumes",
"value": [
{
"name": "secret-volume",
"secret": {
"secretName": "example-cert",
"items": [
{
"key": "tls.crt",
"path": "crt"
},
{
"key": "tls.key",
"path": "key"
}
]
}
}
]
},
{
"op": "add",
"path": "/spec/template/spec/containers/0/env/-",
"value": {
"name": "TLS_SERVER_CERT",
"value": "/etc/secret-volume/crt"
}
},
{
"op": "add",
"path": "/spec/template/spec/containers/0/env/-",
"value": {
"name": "TLS_SERVER_PRIVKEY",
"value": "/etc/secret-volume/key"
}
}
]'
kubectl patch deployment backend --type=json --patch '
- op: add
path: /spec/template/spec/containers/0/volumeMounts
value:
- name: secret-volume
mountPath: /etc/secret-volume
- op: add
path: /spec/template/spec/volumes
value:
- name: secret-volume
secret:
secretName: example-cert
items:
- key: tls.crt
path: crt
- key: tls.key
path: key
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: TLS_SERVER_CERT
value: /etc/secret-volume/crt
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: TLS_SERVER_PRIVKEY
value: /etc/secret-volume/key
'
```

Create a service that exposes port 443 on the backend service.
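Review bot: The four operations in the `kubectl patch deployment backend` body rely on two different preconditions that the page does not state. `op: add` on `/spec/template/spec/containers/0/volumeMounts` and `/spec/template/spec/volumes` replaces the whole list if that member already exists, while `op: add` on `/spec/template/spec/containers/0/env/-` appends and fails if the container has no `env` array. The behaviour is unchanged from the JSON version, but since the block is being rewritten anyway, add a sentence saying the patch assumes the quickstart backend has no existing volumes or volume mounts and already defines `env`.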
Expand Down Expand Up @@ -141,28 +119,24 @@ spec:
sectionName: "443"
tls:
caCertRefs:
- name: example-ca
group: ''
kind: ConfigMap
- name: example-ca
group: ''
kind: ConfigMap
hostname: www.example.com
EOF
```

Patch the HTTPRoute's backend reference, so that it refers to the new TLS-enabled service:

```shell
kubectl patch HTTPRoute backend --type=json --patch '[
{
"op": "replace",
"path": "/spec/rules/0/backendRefs/0/port",
"value": 443
},
{
"op": "replace",
"path": "/spec/rules/0/backendRefs/0/name",
"value": "tls-backend"
}
]'
kubectl patch HTTPRoute backend --type=json --patch '
- op: replace
path: /spec/rules/0/backendRefs/0/port
value: 443
- op: replace
path: /spec/rules/0/backendRefs/0/name
value: tls-backend
'
```

Verify the HTTPRoute status:
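Review bot: Quoting of empty strings is inconsistent across the commit: the `caCertRefs` entry in this hunk uses `group: ''` while the gateway patches in basic-auth.md and mutual-tls.md use `group: ""`. Pick one style. Related to that, value types in the `kubectl patch HTTPRoute backend` body are now inferred by the YAML parser: `value: 443` stays an integer, which `port` needs, and `value: tls-backend` becomes a string. Both are correct here, but a short comment that numeric-looking strings must be quoted, as the context line `sectionName: "443"` already is, would protect future edits.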
31 changes: 14 additions & 17 deletions site/content/en/v1.0.1/tasks/security/basic-auth.md
Expand Up @@ -49,23 +49,20 @@ Update the Gateway from the Quickstart to include an HTTPS listener that listens
`example-cert` Secret:

```shell
kubectl patch gateway eg --type=json --patch '[{
"op": "add",
"path": "/spec/listeners/-",
"value": {
"name": "https",
"protocol": "HTTPS",
"port": 443,
"tls": {
"mode": "Terminate",
"certificateRefs": [{
"kind": "Secret",
"group": "",
"name": "example-cert",
}],
},
},
}]'
kubectl patch gateway eg --type=json --patch '
- op: add
path: /spec/listeners/-
value:
name: https
protocol: HTTPS
port: 443
tls:
mode: Terminate
certificateRefs:
- kind: Secret
group: ""
name: example-cert
'
```

### Create a .htpasswd file
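Review bot: The removed body of `kubectl patch gateway eg` had trailing commas (`"name": "example-cert",` followed by `}],`), so it was never strict JSON, and the commit message only says the format was replaced. Mention in the commit message that the conversion also drops bodies a strict JSON parser would reject, so that anyone backporting to other doc versions knows the old text should not be kept as an alternative.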
31 changes: 14 additions & 17 deletions site/content/en/v1.0.1/tasks/security/mutual-tls.md
Expand Up @@ -54,23 +54,20 @@ Update the Gateway from the Quickstart to include an HTTPS listener that listens
`example-cert` Secret:

```shell
kubectl patch gateway eg --type=json --patch '[{
"op": "add",
"path": "/spec/listeners/-",
"value": {
"name": "https",
"protocol": "HTTPS",
"port": 443,
"tls": {
"mode": "Terminate",
"certificateRefs": [{
"kind": "Secret",
"group": "",
"name": "example-cert",
}],
},
},
}]'
kubectl patch gateway eg --type=json --patch '
- op: add
path: /spec/listeners/-
value:
name: https
protocol: HTTPS
port: 443
tls:
mode: Terminate
certificateRefs:
- kind: Secret
group: ""
name: example-cert
'
```

Verify the Gateway status:
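Review bot: `path: /spec/listeners/-` appends to the list, so running this command a second time adds another listener named `https` instead of updating the first one. Say so next to the command, or tell readers to check `kubectl get gateway eg -o yaml` for an existing `https` listener before patching. The block is also an exact copy of the one in basic-auth.md, so any wording change should land in both files.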