Wildcard configuration for arbitrary domains with non root user (#9350)

* Wildcard configuration with non root user

* Generate snips.sh for wildcard-egress-hosts
This commit is contained in:
Meng Wang 2021-03-23 03:41:07 +08:00 committed by GitHub
parent f23fcb5fb0
commit 4ed801d0f8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 22 additions and 26 deletions


@ -297,7 +297,8 @@ The SNI proxy will forward the traffic to port `443`.
{{< text bash >}}
$ cat <<EOF > ./sni-proxy.conf
user www-data;
# setup custom path that do not require root access
pid /tmp/nginx.pid;
events {
}
@ -312,7 +313,7 @@ The SNI proxy will forward the traffic to port `443`.
# tcp forward proxy by SNI
server {
resolver 8.8.8.8 ipv6=off;
listen 127.0.0.1:8443;
listen 127.0.0.1:18443;
proxy_pass \$ssl_preread_server_name:443;
ssl_preread on;
}
@ -349,6 +350,7 @@ The SNI proxy will forward the traffic to port `443`.
service:
ports:
- port: 443
targetPort: 8443
name: https
overlays:
- kind: Deployment
@ -363,18 +365,14 @@ The SNI proxy will forward the traffic to port `443`.
mountPath: /etc/nginx
readOnly: true
securityContext:
runAsNonRoot: false
runAsUser: 0
runAsNonRoot: true
runAsUser: 101
- path: spec.template.spec.volumes[-1]
value: |
name: sni-proxy-config
configMap:
name: egress-sni-proxy-configmap
defaultMode: 292 # 0444
values:
gateways:
istio-egressgateway:
runAsRoot: true
EOF
{{< /text >}}
@ -407,7 +405,7 @@ The SNI proxy will forward the traffic to port `443`.
- sni-proxy.local
location: MESH_EXTERNAL
ports:
- number: 8443
- number: 18443
name: tcp
protocol: TCP
resolution: STATIC
@ -518,7 +516,7 @@ The SNI proxy will forward the traffic to port `443`.
- destination:
host: sni-proxy.local
port:
number: 8443
number: 18443
weight: 100
---
# The following filter is used to forward the original SNI (sent by the application) as the SNI of the
@ -599,8 +597,8 @@ The SNI proxy will forward the traffic to port `443`.
You should see lines similar to the following:
{{< text plain >}}
[2019-01-02T16:34:23.312Z] "- - -" 0 - 578 79141 624 - "-" "-" "-" "-" "127.0.0.1:8443" outbound|8443||sni-proxy.local 127.0.0.1:55018 172.30.109.84:443 172.30.109.112:45346 en.wikipedia.org
[2019-01-02T16:34:24.079Z] "- - -" 0 - 586 65770 638 - "-" "-" "-" "-" "127.0.0.1:8443" outbound|8443||sni-proxy.local 127.0.0.1:55034 172.30.109.84:443 172.30.109.112:45362 de.wikipedia.org
[2019-01-02T16:34:23.312Z] "- - -" 0 - 578 79141 624 - "-" "-" "-" "-" "127.0.0.1:18443" outbound|18443||sni-proxy.local 127.0.0.1:55018 172.30.109.84:443 172.30.109.112:45346 en.wikipedia.org
[2019-01-02T16:34:24.079Z] "- - -" 0 - 586 65770 638 - "-" "-" "-" "-" "127.0.0.1:18443" outbound|18443||sni-proxy.local 127.0.0.1:55034 172.30.109.84:443 172.30.109.112:45362 de.wikipedia.org
{{< /text >}}
1. Check the logs of the SNI proxy. If Istio is deployed in the `istio-system` namespace, the command to print the
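Review bot: With `runAsUser: 101` the nginx master no longer starts as root, so the `user www-data;` directive still at the top of sni-proxy.conf has no effect and nginx emits a startup warning that the directive is ignored without super-user privileges; drop the line or replace it with a comment such as `# no 'user' directive: the container runs as uid 101 (runAsNonRoot), nginx cannot switch users`. While the securityContext is being rewritten it could also state the rest of the least-privilege intent, `allowPrivilegeEscalation: false` and `capabilities: { drop: [ALL] }`, since an SNI-preread forwarder bound to 127.0.0.1:18443 needs neither. Presumably 101 is the `nginx` uid of the upstream nginx image; if so, a comment beside `runAsUser: 101` saying that would tell readers what to change when they use another image. The `cat <<EOF` heredoc and the overlay YAML both extend beyond the hunks shown here.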


@ -175,7 +175,8 @@ kubectl delete destinationrule egressgateway-for-wikipedia
snip_setup_egress_gateway_with_sni_proxy_1() {
cat <<EOF > ./sni-proxy.conf
user www-data;
# setup custom path that do not require root access
pid /tmp/nginx.pid;
events {
}
@ -190,7 +191,7 @@ stream {
# tcp forward proxy by SNI
server {
resolver 8.8.8.8 ipv6=off;
listen 127.0.0.1:8443;
listen 127.0.0.1:18443;
proxy_pass \$ssl_preread_server_name:443;
ssl_preread on;
}
@ -222,6 +223,7 @@ spec:
service:
ports:
- port: 443
targetPort: 8443
name: https
overlays:
- kind: Deployment
@ -236,18 +238,14 @@ spec:
mountPath: /etc/nginx
readOnly: true
securityContext:
runAsNonRoot: false
runAsUser: 0
runAsNonRoot: true
runAsUser: 101
- path: spec.template.spec.volumes[-1]
value: |
name: sni-proxy-config
configMap:
name: egress-sni-proxy-configmap
defaultMode: 292 # 0444
values:
gateways:
istio-egressgateway:
runAsRoot: true
EOF
}
@ -275,7 +273,7 @@ spec:
- sni-proxy.local
location: MESH_EXTERNAL
ports:
- number: 8443
- number: 18443
name: tcp
protocol: TCP
resolution: STATIC
@ -379,7 +377,7 @@ spec:
- destination:
host: sni-proxy.local
port:
number: 8443
number: 18443
weight: 100
---
# The following filter is used to forward the original SNI (sent by the application) as the SNI of the
@ -453,8 +451,8 @@ kubectl logs -l istio=egressgateway-with-sni-proxy -c istio-proxy -n istio-syste
}
! read -r -d '' snip_configure_traffic_through_egress_gateway_with_sni_proxy_6 <<\ENDSNIP
[2019-01-02T16:34:23.312Z] "- - -" 0 - 578 79141 624 - "-" "-" "-" "-" "127.0.0.1:8443" outbound|8443||sni-proxy.local 127.0.0.1:55018 172.30.109.84:443 172.30.109.112:45346 en.wikipedia.org
[2019-01-02T16:34:24.079Z] "- - -" 0 - 586 65770 638 - "-" "-" "-" "-" "127.0.0.1:8443" outbound|8443||sni-proxy.local 127.0.0.1:55034 172.30.109.84:443 172.30.109.112:45362 de.wikipedia.org
[2019-01-02T16:34:23.312Z] "- - -" 0 - 578 79141 624 - "-" "-" "-" "-" "127.0.0.1:18443" outbound|18443||sni-proxy.local 127.0.0.1:55018 172.30.109.84:443 172.30.109.112:45346 en.wikipedia.org
[2019-01-02T16:34:24.079Z] "- - -" 0 - 586 65770 638 - "-" "-" "-" "-" "127.0.0.1:18443" outbound|18443||sni-proxy.local 127.0.0.1:55034 172.30.109.84:443 172.30.109.112:45362 de.wikipedia.org
ENDSNIP
snip_configure_traffic_through_egress_gateway_with_sni_proxy_7() {


@ -31,7 +31,7 @@ _wait_for_deployment default sleep
snip_before_you_begin_4
confirm_blocking() {
kubectl exec "$SOURCE_POD" -c sleep -sS -I https://www.google.com | grep "HTTP/"; kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -I https://edition.cnn.com | grep "HTTP/"
kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -I https://www.google.com | grep "HTTP/"; kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -I https://edition.cnn.com | grep "HTTP/"
}
_verify_contains confirm_blocking "command terminated with exit code 35"
@ -86,7 +86,7 @@ _wait_for_istio envoyfilter istio-system egress-gateway-sni-verifier
_verify_same snip_configure_traffic_through_egress_gateway_with_sni_proxy_4 "$snip_configure_traffic_through_egress_gateway_with_sni_proxy_4_out"
_verify_lines snip_configure_traffic_through_egress_gateway_with_sni_proxy_5 "
+ outbound|8443||sni-proxy.local
+ outbound|18443||sni-proxy.local
+ en.wikipedia.org
+ de.wikipedia.org
"
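Review bot: The test only follows the port rename in the expected `+ outbound|18443||sni-proxy.local` line; nothing asserts that the proxy actually runs unprivileged, so a later edit restoring `runAsUser: 0` would still pass. A cheap guard next to the `_verify_lines` call would be a helper that reads the effective uid from the running proxy, e.g. `proxy_uid() { kubectl exec -n istio-system deploy/istio-egressgateway-with-sni-proxy -c sni-proxy -- id -u; }` followed by `_verify_contains proxy_uid "101"`; the deployment and container names are inferred from the doc snippets and should be confirmed against them. The `_verify_lines` call closes outside this hunk, and the rest of the test file is not visible here.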