sagikazarmark / curiefense-emissary-poc
An attempt to integrate Curiefense into Emissary Ingress
We need to figure out a build process for production images. A couple things to consider:
An optimal scenario: support the latest patch versions, two minor versions and all supported major versions of each. That would result in a matrix build, combining all supported versions (minus all incompatible versions).
For example:
Emissary 2.3.x and Curiefense 1.6.x are known NOT to work (e.g. too old Envoy version, etc.).
The build matrix would look like this:
Builds should be automated as much as possible (for example: use Dependabot for automatically updating and releasing patch versions).
Requires #8
References
How can we use a custom (private) Git repository?
Emissary comes with two installation methods:
In order to make Curieproxy work, the following changes have to be made:
The Module CR has to be extended with the necessary lua_scripts (note: this may change from version to version (Curiefense)).
In addition to the above, the Curiesync container needs a ConfigMap or a Secret containing credentials to the config store bucket.
Also, a LogService CR can optionally be created to send logs to Curielogger (although this may change in 1.6).
The Kubernetes YAML method requires either patched YAML files or the use of Kustomize (see this repo).
The Helm chart provides all the necessary extension points, so it should be a matter of documentation.
Keep in mind that Curieproxy also requires Redis for features like rate limiting. The credentials and information for that have to be injected... probably to the Curieproxy (Emissary) container?
The current deployment mechanism is using a Helm chart in https://github.com/curiefense/curiefense-helm
This is in no way suitable for a production environment:
Make collab easier
We need to be able to prove that access to certain subregions is blocked, so we are going to need curiefense/curiefense#694
We could use the LogService CRD of Emissary to configure Envoy to send logs to curielogger: https://www.getambassador.io/docs/emissary/latest/topics/running/services/log-service/
I have no idea though if this comes after the requests are passed through Curiefense or not, so it may require some help from Emissary.
In the Kubernetes world a common pattern for collecting and forwarding logs is using FluentBit and Fluentd:
This may not be an issue once Curiefense 1.6 is out.
Create a Dockerfile that contains the minimal files and build steps required for a production image.
I suspect Curiefense (proxy) expects the curielogger component to be in the same namespace (at least I vaguely remember that I had to install nginx ingress in the same namespace as curiefense back when I tried it last time).
How is the MaxMind database handled at the moment? Is it updated? If so, how?
Do we need a custom update process?