Example of creating envoy config and loading it as a configmap
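#@ load("@ytt:overlay", "overlay")

#! Overlay 1: give the envoy Deployment a volume backed by the
#! envoy-config ConfigMap (the ConfigMap itself is created separately).
#@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "envoy"}})
---
spec:
  template:
    spec:
      volumes:
        #! ytt has no default matcher for array items, so the append is explicit.
        #@overlay/append
        - configMap:
            name: envoy-config
          name: envoy-config-file

#! Overlay 2: insert an init container ahead of the current first one; it
#! copies the ConfigMap file into the shared envoy-config volume.
#@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "envoy"}})
---
spec:
  template:
    spec:
      initContainers:
        #! NOTE(review): this lands before index 0. In the Deployment listed
        #! with this overlay, that first init container runs
        #! `contour bootstrap /config/envoy.json` on the same volume - confirm
        #! the bootstrap step does not overwrite the copied file.
        #@overlay/match by=overlay.index(0)
        #@overlay/insert before=True
        - name: copy-config
          #! NOTE(review): unpinned image from the default registry, running
          #! in the ingress namespace. The other images in this Deployment are
          #! pinned by sha256 digest; mirror busybox internally and pin it too.
          image: busybox
          #! NOTE(review): YAML content is written to a .json path; Envoy
          #! appears to choose its parser by file extension - verify it loads.
          command: ["sh", "-c", "cp /envoyconfig/envoy.yaml /config/envoy.json"]
          #! The copy only needs to read one mount and write the other, so the
          #! container runs with no extra privileges and a read-only root fs.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: envoy-config-file
              mountPath: /envoyconfig
              readOnly: true
            - name: envoy-config
              mountPath: /config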
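---
# ConfigMap holding a static Envoy configuration with a Lua response filter.
#
# Review notes:
# - The listener accepts plain HTTP on 0.0.0.0:8080, the same port the envoy
#   container declares as its "http" port.
# - The Lua filter applies to every virtual host (domains: ["*"]) and rewrites
#   response bodies in flight; treat this ConfigMap as security-sensitive and
#   restrict who may edit it.
# - The file has static_resources only: no clusters section (the route points
#   at cluster "service", which is not defined here) and no dynamic_resources.
#   NOTE(review): if Envoy really loads this file in place of the generated
#   bootstrap, it would not receive configuration from Contour - confirm.
apiVersion: v1
kind: ConfigMap
metadata:
  name: envoy-config
  namespace: tanzu-system-ingress
data:
  envoy.yaml: |
    static_resources:
      listeners:
        - name: listener_0
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 8080
          filter_chains:
            - filters:
                - name: envoy.filters.network.http_connection_manager
                  # NOTE(review): `config` looks like the legacy (v2) field,
                  # while the Lua filter below uses a v3 typed_config - verify
                  # against the Envoy version shipped in the image.
                  config:
                    codec_type: AUTO
                    stat_prefix: ingress_http
                    route_config:
                      name: local_route
                      virtual_hosts:
                        - name: local_service
                          domains: ["*"]
                          routes:
                            - match:
                                prefix: "/"
                              route:
                                cluster: service
                    http_filters:
                      - name: envoy.filters.http.lua
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
                          inline_code: |
                            function envoy_on_response(response_handle)
                              -- body() suspends the script until the whole
                              -- response is buffered, so every response is
                              -- held in memory; consider a size limit.
                              local body = response_handle:body()
                              if body then
                                -- Replace "Tanzu" (case-sensitive) with
                                -- "mountain dew". Works on raw bytes only:
                                -- compressed bodies will not match.
                                local modified_body = string.gsub(body:getBytes(0, body:length()), "Tanzu", "mountain dew")
                                -- setBytes returns the new length; the
                                -- replacement changes the body size, so
                                -- content-length must follow it.
                                local content_length = response_handle:body():setBytes(modified_body)
                                response_handle:headers():replace("content-length", content_length)
                              end
                            end
                      - name: envoy.filters.http.router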
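---
# The envoy Deployment in tanzu-system-ingress: the object the overlay's
# subset matcher (kind Deployment, name envoy) selects.
#
# Review notes, all read from the fields below:
# - Every image is pinned by sha256 digest.
# - automountServiceAccountToken is false and the pod runs as non-root
#   (uid/gid 65534); no container-level securityContext is set.
# - resources is {} on every container, so no requests or limits apply.
# - NOTE(review): the pod template shows annotations but no labels, although
#   the selector expects app: envoy - the listing looks trimmed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: envoy
  namespace: tanzu-system-ingress
spec:
  progressDeadlineSeconds: 600
  replicas: 2
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: envoy
  strategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        prometheus.io/path: /stats/prometheus
        prometheus.io/port: "8002"
        prometheus.io/scrape: "true"
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: contour.tanzu.vmware.com/envoy-workload-type
                    operator: In
                    values:
                      - Deployment
              topologyKey: kubernetes.io/hostname
      automountServiceAccountToken: false
      containers:
        - args:
            - envoy
            - shutdown-manager
          command:
            - /bin/contour
          image: tap-sm-docker-prod-local.dmz.packages.broadcom.com/1.10.0/tanzu-application-platform/tap-packages@sha256:d9d7063e1d11f1a518378aedc719f234a808109fbce6fb52701064c9b800c050
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /bin/contour
                  - envoy
                  - shutdown
          name: shutdown-manager
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /admin
              name: envoy-admin
        - args:
            - -c
            # Envoy reads its configuration from the shared envoy-config volume.
            - /config/envoy.json
            - --service-cluster $(CONTOUR_NAMESPACE)
            - --service-node $(ENVOY_POD_NAME)
            - --log-level info
          command:
            - envoy
          env:
            - name: CONTOUR_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: ENVOY_POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
          image: tap-sm-docker-prod-local.dmz.packages.broadcom.com/1.10.0/tanzu-application-platform/tap-packages@sha256:a941610f98381083870953ede2d14d90b52c16f9b9f72b3158ccbbdf8c0bd608
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              httpGet:
                path: /shutdown
                port: 8090
                scheme: HTTP
          name: envoy
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
            - containerPort: 8443
              name: https
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /ready
              port: 8002
              scheme: HTTP
            initialDelaySeconds: 3
            periodSeconds: 4
            successThreshold: 1
            timeoutSeconds: 1
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            # Read-only here; only the init containers write to /config.
            - mountPath: /config
              name: envoy-config
              readOnly: true
            - mountPath: /certs
              name: envoycert
              readOnly: true
            - mountPath: /admin
              name: envoy-admin
      dnsPolicy: ClusterFirst
      imagePullSecrets:
        - name: contour-reg-creds
      initContainers:
        # Writes the bootstrap file to /config/envoy.json, the same path the
        # envoy container later passes to `-c`.
        - args:
            - bootstrap
            - /config/envoy.json
            - --xds-address=contour
            - --xds-port=8001
            - --xds-resource-version=v3
            - --resources-dir=/config/resources
            - --envoy-cafile=/certs/ca.crt
            - --envoy-cert-file=/certs/tls.crt
            - --envoy-key-file=/certs/tls.key
          command:
            - contour
          env:
            - name: CONTOUR_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          image: tap-sm-docker-prod-local.dmz.packages.broadcom.com/1.10.0/tanzu-application-platform/tap-packages@sha256:d9d7063e1d11f1a518378aedc719f234a808109fbce6fb52701064c9b800c050
          imagePullPolicy: IfNotPresent
          name: envoy-initconfig
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /config
              name: envoy-config
            - mountPath: /certs
              name: envoycert
              readOnly: true
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        runAsGroup: 65534
        runAsNonRoot: true
        runAsUser: 65534
      serviceAccount: envoy
      serviceAccountName: envoy
      terminationGracePeriodSeconds: 300
      volumes:
        - emptyDir: {}
          name: envoy-admin
        - emptyDir: {}
          name: envoy-config
        - name: envoycert
          secret:
            # 420 is decimal for octal 0644; the secret is mounted at /certs,
            # where the bootstrap args expect tls.key.
            defaultMode: 420
            secretName: envoycert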
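---
# Secret that carries the ytt overlay for the envoy Deployment.
apiVersion: v1
kind: Secret
metadata:
  name: envoy-overlay
  namespace: tap-install
type: Opaque
# The overlay is plain text, so it goes under stringData; values under `data`
# must be base64-encoded.
stringData:
  envoy-overlay.yaml: |
    #@ load("@ytt:overlay", "overlay")

    #! Overlay 1: add a volume backed by the envoy-config ConfigMap.
    #@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "envoy"}})
    ---
    spec:
      template:
        spec:
          volumes:
            #! ytt has no default matcher for array items, so append explicitly.
            #@overlay/append
            - configMap:
                name: envoy-config
              name: envoy-config-file

    #! Overlay 2: insert a copy step ahead of the current first init container.
    #@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "envoy"}})
    ---
    spec:
      template:
        spec:
          initContainers:
            #! NOTE(review): inserted before index 0; confirm that a later
            #! init container does not rewrite /config/envoy.json.
            #@overlay/match by=overlay.index(0)
            #@overlay/insert before=True
            - name: copy-config
              #! NOTE(review): unpinned image; mirror it and pin by digest.
              image: busybox
              command: ["sh", "-c", "cp /envoyconfig/envoy.yaml /config/envoy.json"]
              #! The copy needs no privileges beyond reading one mount and
              #! writing the other.
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop: ["ALL"]
              volumeMounts:
                - name: envoy-config-file
                  mountPath: /envoyconfig
                  readOnly: true
                - name: envoy-config
                  mountPath: /config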
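# Values fragment (presumably merged into the install values file - confirm):
# attaches the envoy-overlay Secret to the contour package.
# Anyone who can edit that Secret can change the ingress pod spec, so limit
# write access to the namespace that holds it.
package_overlays:
  - name: contour
    secrets:
      - name: envoy-overlay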