Add Envoy sidecar

charts/document-engine/templates/deployment.yaml

@@ -203,13 +203,41 @@ spec:
           lifecycle:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+      {{- if .Values.envoySidecar.enabled }}
+        - name: envoy-sidecar
+          image: {{ .Values.envoySidecar.image }}
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: envoy
+              containerPort: {{ .Values.envoySidecar.port }}
+              protocol: TCP
+            - name: envoy-admin
+              containerPort: {{ .Values.envoySidecar.adminPort }}
+              protocol: TCP
+          resources:
+            {{- toYaml .Values.envoySidecar.resources | nindent 12 }}
+          volumeMounts:
+            - name: envoy-config
+              mountPath: /etc/envoy
+              readOnly: true
+          command:
+            - envoy
+            - -c
+            - /etc/envoy/envoy.yaml
+      {{- end }}
       {{- if .Values.sidecars }}
         {{ toYaml .Values.sidecars | nindent 8 }}
       {{- end }}
       {{- if or .Values.extraVolumeMounts
-                .Values.certificateTrust.digitalSignatures 
-                .Values.certificateTrust.customCertificates }}
+                .Values.certificateTrust.digitalSignatures
+                .Values.certificateTrust.customCertificates
+                .Values.envoySidecar.enabled }}
       volumes:
+        {{- if .Values.envoySidecar.enabled }}
+        - name: envoy-config
+          configMap:
+            name: {{ include "document-engine.fullname" . }}-envoy-sidecar
+        {{- end }}
         {{- with .Values.extraVolumes }}
         {{ toYaml . | nindent 8 }}
         {{- end }}

charts/document-engine/templates/envoy-sidecar-configmap.yaml

@@ -0,0 +1,109 @@
+{{- if .Values.envoySidecar.enabled -}}
+{{- $fullName := include "document-engine.fullname" . -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $fullName }}-envoy-sidecar
+  labels:
+    {{- include "document-engine.labels" . | nindent 4 }}
+data:
+  envoy.yaml: |
+    admin:
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: {{ .Values.envoySidecar.adminPort }}
+
+    static_resources:
+      listeners:
+      - name: listener_0
+        address:
+          socket_address:
+            address: 0.0.0.0
+            port_value: {{ .Values.envoySidecar.port }}
+        filter_chains:
+        - filters:
+          - name: envoy.filters.network.http_connection_manager
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+              stat_prefix: ingress_http
+              access_log:
+              - name: envoy.access_loggers.stdout
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+              route_config:
+                name: local_route
+                virtual_hosts:
+                - name: backend
+                  domains: ["*"]
+                  response_headers_to_add:
+                  - header:
+                      key: "x-hash-by"
+                      value: "%REQ(X-Hash-By)%"
+                  - header:
+                      key: "x-envoy-upstream-remote-address"
+                      value: "%UPSTREAM_REMOTE_ADDRESS%"
+                  routes:
+                  - match:
+                      prefix: "/"
+                    route:
+                      cluster: document_engine_cluster
+                      hash_policy:
+                      - header:
+                          header_name: "X-Hash-By"
+              http_filters:
+              # Extract document ID from URI and set as header
+              - name: envoy.filters.http.lua
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
+                  inline_code: |
+                    function envoy_on_request(request_handle)
+                      local path = request_handle:headers():get(":path")
+                      local document_id = nil
+
+                      -- Try different URI patterns
+                      document_id = string.match(path, "^/api/documents/([a-zA-Z0-9._~-]+)")
+                      if not document_id then
+                        document_id = string.match(path, "^/i/d/([a-zA-Z0-9._~-]+)")
+                      end
+                      if not document_id then
+                        document_id = string.match(path, "^/documents/([a-zA-Z0-9._~-]+)")
+                      end
+                      if not document_id then
+                        document_id = string.match(path, "^/dashboard/api/document/([a-zA-Z0-9._~-]+)")
+                      end
+
+                      -- Only set header if document_id found, otherwise use round-robin
+                      if document_id then
+                        request_handle:headers():add("X-Hash-By", document_id)
+                      end
+                    end
+              - name: envoy.filters.http.router
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+      clusters:
+      - name: document_engine_cluster
+        connect_timeout: 5s
+        type: STRICT_DNS
+        dns_lookup_family: V4_ONLY
+        lb_policy: RING_HASH
+        ring_hash_lb_config:
+          minimum_ring_size: 1024
+        load_assignment:
+          cluster_name: document_engine_cluster
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: {{ $fullName }}-headless.{{ .Release.Namespace }}.svc.cluster.local
+                    port_value: {{ .Values.service.port }}
+        health_checks:
+        - timeout: 1s
+          interval: 10s
+          unhealthy_threshold: 2
+          healthy_threshold: 2
+          http_health_check:
+            path: /health
+{{- end }}

charts/document-engine/templates/service-headless.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.envoySidecar.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "document-engine.fullname" . }}-headless
+  labels:
+    {{- include "document-engine.labels" . | nindent 4 }}
+spec:
+  clusterIP: None
+  selector:
+    {{- include "document-engine.selectorLabels" . | nindent 4 }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: api
+      protocol: TCP
+      name: api
+{{- end }}

charts/document-engine/templates/service.yaml

@@ -18,7 +18,11 @@ spec:
   {{- end }}
   ports:
     - port: {{ .Values.service.port }}
+      {{- if .Values.envoySidecar.enabled }}
+      targetPort: envoy
+      {{- else }}
       targetPort: api
+      {{- end }}
       protocol: TCP
       name: api
     {{- with .Values.observability.metrics.prometheusEndpoint }}

charts/document-engine/values.yaml

@@ -890,6 +890,32 @@ extraIngresses: {}
   #           pathType: Prefix
   #   tls: []
 
+# -- (object) Envoy sidecar for consistent hashing by document ID
+# @section -- C. Networking
+# @notationType -- reference
+envoySidecar:
+  # -- Enable Envoy sidecar for consistent hashing
+  # @section -- C. Networking
+  enabled: false
+  # -- Envoy sidecar image
+  # @section -- C. Networking
+  image: envoyproxy/envoy:v1.31-latest
+  # -- Port where Envoy sidecar listens
+  # @section -- C. Networking
+  port: 8080
+  # -- Admin port for Envoy
+  # @section -- C. Networking
+  adminPort: 9901
+  # -- Resource limits for Envoy sidecar
+  # @section -- C. Networking
+  resources:
+    limits:
+      cpu: 200m
+      memory: 256Mi
+    requests:
+      cpu: 100m
+      memory: 128Mi
+
 # https://editor.networkpolicy.io/
 # -- (object) [Network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
 # @section -- C. Networking