Skip to main content

HTTP Egress

Egress Module Deployment

This guide will walk you through deploying the Section Egress reverse proxy. The Egress reverse proxy is a simple reverse proxy that normalizes and routes requests to an external service. You can read more about the Egress technical details. You will need the following Kubernetes resources to deploy the Egress reverse proxy:

ConfigMap

Create the following ConfigMap defining an egress.json file:

egress-configmap.yaml
kind: ConfigMap
apiVersion: v1
metadata:
name: egress-config
namespace: default
data:
egress.json: |
{
"origin": {
"address":"my-external-service.example.com",
"enable_sni":true
},
"alternate_origins": {
"another_endpoint": {
"address":"my-external-service2.example.com"
}
}
}

This example will define a default origin routing traffic to my-external-service.example.com. The default origin will be used when no other origin is specified. The section-origin HTTP request header can be used to specify an alternate origin based on the matching key and value, e.g. another_endpoint.

Deployment

The deployment object is defined via the following YAML example:

egress-deployment.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
name: egress
namespace: default
labels:
app: egress
spec:
replicas: 2
selector:
matchLabels:
app: egress
template:
metadata:
labels:
app: egress
spec:
volumes:
- name: config-mount
configMap:
name: egress-config
containers:
- name: proxy
image: 'gcr.io/section-io/k8s-egress:2.1.1'
ports:
- containerPort: 80
protocol: TCP
env:
- name: SECTION_PROXY_NAME
value: egress
- name: REDIS_HOST
value: 127.0.0.1
- name: PROXY_REGO_KEY
value: abc
- name: LIST_KEY_PREFIX
value: abc
- name: LIST_KEY_SUFFIX
value: abcingress
resources:
limits:
cpu: '16'
memory: 1000Mi
requests:
cpu: 30m
memory: 64Mi
volumeMounts:
- name: config-mount
readOnly: true
mountPath: /opt/proxy_config
livenessProbe:
httpGet:
path: /.well-known/section-io/egress-status
port: 80
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 10
periodSeconds: 5
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /.well-known/section-io/egress-status
port: 80
scheme: HTTP
timeoutSeconds: 1
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
imagePullPolicy: Always
restartPolicy: Always
terminationGracePeriodSeconds: 30
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 0
maxSurge: 1

Note: The environment variables are a relic of the Section Legacy platform. They are no longer used but are required for the container to function properly.

Service

In order to route traffic to the egress container, we need to define a service. The service is defined via the following YAML example:

egress-service.yaml
apiVersion: v1
kind: Service
metadata:
name: egress-service
spec:
selector:
app: egress
ports:
- protocol: TCP
port: 8080
targetPort: 80

In order to route traffic to the egress service we will use the following Nginx example below.

location / {
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Host $host;
proxy_pass http://egress-service:8080;
}