| -rw-r--r-- | share/man/ENVOY.md | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/share/man/ENVOY.md b/share/man/ENVOY.md index 01607ae..3f11f9e 100644 --- a/share/man/ENVOY.md +++ b/share/man/ENVOY.md 
@@ -549,6 +549,70 @@ func (svc *CheckService) Denied(ctx context.Context) *auth.CheckResponse { } ``` +## Distribution + +To deploy Sparkle I used bundled envoy, sparkled and authzd inside a single +docker image. This docker image uses dumb-init to run these three services +simultaneously so that these three processes can coordinate with one another to +form a logical service. Sparkle is currently distributed via Runway and all +secrets and configuration management is handled through environment variables +that are exported into the docker container when it is booted up by Runway and +OpenBao. + +Below is the Dockerfile that is used to build and distribute the Sparkle docker +image. It uses a temporary stage to build the sparkle and authz services and +then copies the compiled artifacts into the envoy base image. The final image +bundles dumb-init, sparkled, authzd and envoy. + +```Dockerfile +# syntax=docker/dockerfile:1 +FROM golang:1.24.3 AS build +ENV CGO_ENABLED=0 +WORKDIR /app +COPY . ./ +RUN go build -o /bin/sparkled ./cmd/sparkled/main.go +RUN go build -o /bin/authzd ./cmd/authzd/main.go + +FROM envoyproxy/envoy:v1.34-latest +EXPOSE 8080 9901 10000 10003 +RUN apt-get update && apt-get install -y dumb-init && rm -rf /var/lib/apt/lists/* +WORKDIR /opt/sparkle/ +RUN mkdir -p bin etc public +COPY --from=build /bin/authzd bin/authzd +COPY --from=build /bin/sparkled bin/sparkled +COPY --from=build /app/public public +COPY etc/ etc +COPY bin/*.sh bin/ +RUN chmod +x bin/*.sh +ENTRYPOINT ["/usr/bin/dumb-init", "--"] +CMD ["/opt/sparkle/bin/entrypoint.sh"] +``` + +The entrypoint script uses dumb-init as PID 1 to forward signals to child +processes. Sparkle is started up with on a limited set of environment variables. +Environment variables such as `HMAC_SECRET` and `OAUTH_CLIENT_SECRET` are not +available to sparkle. + +```sh +#!/usr/bin/dumb-init /bin/sh +# shellcheck shell=sh +set -e + +[ -n "$DEBUG" ] && set -x + +cd "$(dirname "$0")/.." 
+ +./bin/envoy.sh & # launch envoy in background +./bin/authzd & # launch authzd in background + +/usr/bin/env -i - \ + APP_ENV="$APP_ENV" \ + BIND_ADDR="$BIND_ADDR" \ + OAUTH_CLIENT_ID="$OAUTH_CLIENT_ID" \ + OIDC_ISSUER="$OIDC_ISSUER" \ + ./bin/sparkled # launch sparkled in foreground +``` + ## References * [Envoy Proxy](https://www.envoyproxy.io/) |
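Review bot: in the entrypoint script, `./bin/envoy.sh &` and `./bin/authzd &` are started in the background with nothing watching them, so `set -e` does not apply to them and if either one exits the container stays up with envoy or the authz backend gone while `sparkled` keeps running in the foreground; record their PIDs and poll them (`kill -0 "$pid"`) so the script exits when any of the three disappears, or add a HEALTHCHECK to the Dockerfile, and say in the text which of the two is expected. Two smaller points on the same script: both background processes inherit the unfiltered environment while only `sparkled` runs under `env -i`, so the paragraph above the script should state which process is the intended consumer of `HMAC_SECRET` and `OAUTH_CLIENT_SECRET` and that the `env -i` list is an allowlist that has to be extended whenever sparkled needs a new variable (anything not listed is silently dropped); and the `#!/usr/bin/dumb-init /bin/sh` shebang is redundant with `ENTRYPOINT ["/usr/bin/dumb-init", "--"]`, which puts two dumb-init processes in the chain, so one of them should go (likewise `env -i -` spells the ignore-environment flag twice). In the Dockerfile, `FROM envoyproxy/envoy:v1.34-latest` is a floating tag while the build stage pins `golang:1.24.3`; pin the runtime image to a patch version or digest so the envoy that ships is reproducible. Finally, "Sparkle is started up with on a limited set of environment variables" should read "with a limited set".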
