# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"). You may # not use this file except in compliance with the License. A copy of the # License is located at # # http://aws.amazon.com/apache2.0/ # # or in the "license" file accompanying this file. This file is distributed # on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either # express or implied. See the License for the specific language governing # permissions and limitations under the License. static_resources: listeners: - name: ingress_listener_xds_relay address: pipe: path: $APPNET_RELAY_LISTENER_UDS_PATH mode: 384 # decimal form of file permission 0600 (octal) per_connection_buffer_limit_bytes: $RELAY_BUFFER_LIMIT_BYTES default_filter_chain: filters: - name: http_connection_manager typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: ingress_relay stream_idle_timeout: $RELAY_STREAM_IDLE_TIMEOUT http_filters: - name: envoy.filters.http.grpc_web typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb - name: envoy.filters.http.aws_request_signing typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigning service_name: appmesh # TODO: Test if any service changes are needed to change to ecs. region: $AWS_REGION host_rewrite: $APPNET_MANAGEMENT_DOMAIN_NAME use_unsigned_payload: true match_excluded_headers: - exact: te - prefix: x - name: envoy.filters.http.router typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router route_config: name: ingress_appnet_route virtual_hosts: - name: appnet_management_service domains: [ "*" ] routes: - match: { prefix: "/" } route: cluster: appnet_management_cluster clusters: - name: appnet_management_cluster type: logical_dns connect_timeout: 5s # DNS resolver will perform a lookup for both IPv4 and IPv6 families, and return all resolved addresses. # Happy Eyeballs will then be enabled for upstream connections. # https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/connection_pooling#happy-eyeballs-support dns_lookup_family: ALL typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicit_http_config: http2_protocol_options: {} lb_policy: round_robin per_connection_buffer_limit_bytes: $RELAY_BUFFER_LIMIT_BYTES load_assignment: cluster_name: appnet_management_cluster endpoints: - lb_endpoints: endpoint: { address: { socket_address: { address: $APPNET_MANAGEMENT_DOMAIN_NAME, port_value: $APPNET_MANAGEMENT_PORT }}} transport_socket: name: transport_sockets.tls typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext common_tls_context: validation_context: trusted_ca: filename: /etc/pki/tls/cert.pem sni: $APPNET_MANAGEMENT_DOMAIN_NAME admin: address: pipe: path: /tmp/envoy_admin.sock mode: 384 # decimal form of file permission 0600 (octal) layered_runtime: layers: - name: "static_layer_0" staticLayer: envoy.reloadable_features.use_http_client_to_fetch_aws_credentials: $ENVOY_USE_HTTP_CLIENT_TO_FETCH_AWS_CREDENTIALS re2.max_program_size.error_level: 1000 - name: "admin_layer" adminLayer: {}