Defined Type: envoyproxy::tls_terminator

Defined in:
modules/envoyproxy/manifests/tls_terminator.pp

Overview

Examples:

Set up a simple TLS termination for an upstream serving on port 80

envoyproxy::tls_terminator { '443':
  upstreams => [{
    server_names => ['citoid.svc.eqiad.wmnet', 'citoid'],
    cert_path    => '/etc/ssl/localcerts/citoid.crt',
    key_path     => '/etc/ssl/localcerts/citoid.key',
    upstream_port => 1234
  },
  {
    server_names => ['pdfrenderer.svc.eqiad.wmnet', 'pdfrenderer'],
    cert_path    => '/etc/ssl/localcerts/evil.crt',
    key_path     => '/etc/ssl/localcerts/evil.key',
    upstream_port => 666
  }],
  connect_timeout => 0.25,
  global_cert_path => '/etc/ssl/localcerts/services.crt',
  global_key_path  => '/etc/ssl/localcerts/services.key'
}

Set up non-sni only termination to backends, listen on TCP port 444

envoyproxy::tls_terminator { '444':
  upstreams => [{
    server_names => ['citoid.svc.eqiad.wmnet', 'citoid'],
    upstream_port => 1234
  },
  {
    server_names => ['pdfrenderer.svc.eqiad.wmnet', 'pdfrenderer'],
    upstream_port => 666
  }],
  connect_timeout => 0.25,
  global_cert_path => '/etc/ssl/localcerts/services.crt',
  global_key_path  => '/etc/ssl/localcerts/services.key'
}

Set up TLS global proxying in front of apache

envoyproxy::tls_terminator { '443':
  upstreams => [{
    server_names => ['*'],
    upstream_port => 80
  }],
  connect_timeout => 0.25,
  global_cert_path => '/etc/ssl/localcerts/services.crt',
  global_key_path  => '/etc/ssl/localcerts/services.key'
}

Parameters:

  • upstreams (Array[Envoyproxy::Tlsconfig]) (defaults to: [])

    A list of Envoyproxy::Tlsconfig structures defining the upstream server configurations. A non-SNI default catchall will be autogenerated.

  • redir_port (Optional[Stdlib::Port]) (defaults to: undef)

    TCP port to listen on as plain HTTP. This listener will redirect GET/HEAD to HTTPS with 301 and deny all other methods with 403. It does not proxy any traffic. If undefined, no HTTP redirect will be created. Default is undefined.

  • access_log (Boolean) (defaults to: false)

    If true, sets up the access log for the TLS terminator.

  • websockets (Boolean) (defaults to: false)

    If true, allows websocket upgrades.

  • use_remote_address (Boolean) (defaults to: true)

    If true, append the client IP to the X-Forwarded-For header.

  • fast_open_queue (Integer) (defaults to: 0)

    The size of the fast open queue. If zero, TFO is disabled.

  • connect_timeout (Float) (defaults to: 1.0)

    The time in seconds to wait before declaring a connection timeout to the upstream resource.

  • listen_ipv6 (Boolean) (defaults to: false)

    Listen on IPv6 with ipv4_compat enabled, allowing both IPv4 and IPv6 connections; peer IPv4 addresses are mapped into IPv6 space as ::FFFF:<IPv4-address>.

  • retry_policy (Optional[Hash]) (defaults to: undef)

    An optional hash specifying the retry policy. It should map 1:1 what goes in the envoy configuration.

  • capitalize_headers (Boolean) (defaults to: false)

    If true, will capitalize headers for HTTP/1.1 requests

  • idle_timeout (Optional[Float]) (defaults to: undef)

    The time in seconds to wait before closing a keepalive connection when inactive.

  • max_requests_per_conn (Optional[Integer]) (defaults to: undef)

    The maximum number of requests to send over a connection

  • upstream_response_timeout (Float) (defaults to: 65.0)
  • global_cert_path (Optional[String]) (defaults to: undef)
  • global_key_path (Optional[String]) (defaults to: undef)


# File 'modules/envoyproxy/manifests/tls_terminator.pp', line 82

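# Declares one TLS-terminating Envoy listener on TCP port $name, one cluster
# per entry in $upstreams and, when $redir_port is set, a plain-HTTP redirect
# listener. All snippets are rendered from envoyproxy/tls_terminator/*.yaml.erb,
# which presumably read the parameters below (and the loop-local $upstream /
# $upstream_name) straight from this scope — keep those names stable.
define envoyproxy::tls_terminator(
    Array[Envoyproxy::Tlsconfig] $upstreams                 = [],
    Boolean                      $access_log                = false,
    Boolean                      $websockets                = false,
    Boolean                      $use_remote_address        = true,
    Integer                      $fast_open_queue           = 0,
    Float                        $connect_timeout           = 1.0,
    Float                        $upstream_response_timeout = 65.0,
    Boolean                      $capitalize_headers        = false,
    Boolean                      $listen_ipv6               = false,
    Optional[Hash]               $retry_policy              = undef,
    Optional[Stdlib::Port]       $redir_port                = undef,
    Optional[String]             $global_cert_path          = undef,
    Optional[String]             $global_key_path           = undef,
    Optional[Float]              $idle_timeout              = undef,
    Optional[Integer]            $max_requests_per_conn     = undef,
) {

    # First of all, we can't configure a TLS terminator if envoy is not installed.
    if !defined(Class['envoyproxy']) {
        fail('envoyproxy::tls_terminator should only be used once the envoyproxy class is declared.')
    }

    # Every cluster is titled after its upstream_port, so two upstreams sharing a
    # port would collide as duplicate resource declarations deep in the catalog.
    # Fail early with a message that names the offending ports instead.
    # unique() keeps first occurrences, so the arrays differ iff a port repeats.
    $upstream_ports = $upstreams.map |$upstream| { $upstream['upstream_port'] }
    if $upstream_ports != $upstream_ports.unique {
        fail("envoyproxy::tls_terminator ${name}: every upstream must use a distinct upstream_port (got ${upstream_ports})")
    }

    # NOTE(review): a global_cert_path given without a global_key_path (or vice
    # versa) is not rejected here; presumably the listener template copes with
    # it or fails at render time — confirm against listener.yaml.erb.

    # As this is a fundamental function, install it with high priority (0).
    # Please note these snippets are removed if the terminator declaration is removed.

    # We need a separate definition for each upstream cluster.
    $upstreams.each |$upstream| {
        # $upstream_name is only assigned here, so it is presumably consumed by
        # cluster.yaml.erb via the template's access to this scope.
        $upstream_name = "local_port_${upstream['upstream_port']}"
        envoyproxy::cluster { "cluster_${upstream_name}":
            priority => 0,
            content  => template('envoyproxy/tls_terminator/cluster.yaml.erb'),
        }
    }
    envoyproxy::listener { "tls_terminator_${name}":
        priority => 0,
        content  => template('envoyproxy/tls_terminator/listener.yaml.erb'),
    }
    if $redir_port {
        # Redirection is less important, install it at the bottom of the pile.
        envoyproxy::listener { "http_redirect_${name}":
            priority => 99,
            content  => template('envoyproxy/tls_terminator/redirect_listener.yaml.erb'),
        }
    }
}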