I provisioned a mysql instance with nomad and i want to use envoy un-top the service, i want to implement CIDR on my database so that i can whitelist the ip addresses that can connect to my db instance, how can i do this efficiently. And NO, i don’t want to use iptables configuration to set this up, because i want to isolate the network configuration, here is my current setup below
job "db-instance" {
datacenters = ["dc1"]
group "db" {
network {
mode = "host"
port "db" {
static = 3306
}
port "proxy" {
static = 10000
}
port "admin" {
static = 9901
}
}
task "mysql" {
driver = "docker"
config {
image = "mysql:latest"
ports = ["db"]
args = [
"--bind-address=0.0.0.0"
]
}
env {
MYSQL_ROOT_PASSWORD = "example-password"
}
resources {
cpu = 500
memory = 512
}
}
task "envoy" {
driver = "docker"
config {
image = "envoyproxy/envoy:v1.22.0"
ports = ["proxy", "admin"]
args = [
"-c", "/etc/envoy/envoy.yaml"
]
}
env {
CIDR_BLOCKS = "[{\"address\": \"192.168.1.0\", \"prefix\": 24}, {\"address\": \"10.0.0.0\", \"prefix\": 8}]"
}
template {
destination = "local/envoy.yaml"
change_mode = "restart"
data = <<EOH
admin:
access_log_path: /tmp/admin_access.log
address:
socket_address:
address: 0.0.0.0
port_value: 9901
static_resources:
listeners:
- name: db_listener
address:
socket_address:
address: 0.0.0.0
port_value: 10000
filter_chains:
- filters:
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: ingress_tcp
cluster: db_cluster
filter_chain_match:
source_prefix_ranges:
{{ $cidr_blocks := parseJSON (env "CIDR_BLOCKS") }}
{{ if $cidr_blocks }}
{{ range $cidr := $cidr_blocks }}
- address_prefix: "{{ $cidr.address }}"
prefix_len: {{ $cidr.prefix }}
{{ end }}
{{ else }}
- address_prefix: "127.0.0.1"
prefix_len: 32
{{ end }}
clusters:
- name: db_cluster
connect_timeout: 5s
type: STRICT_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: db_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 127.0.0.1
port_value: 3306
EOH
}
resources {
cpu = 200
memory = 256
}
service {
name = "envoy-proxy"
port = "proxy"
check {
type = "http"
path = "/ready"
port = "admin"
interval = "10s"
timeout = "2s"
}
tags = [
"ip-whitelist-enabled"
]
}
service {
name = "envoy-admin"
port = "admin"
tags = [
"admin"
]
}
}
}
}