normalize line endings to LF and add envoy dockerfile in deploy/dev

2026-04-06 05:26:41 +08:00
parent 7ec8b2a8f0
commit c7a33d4174
39 changed files with 12916 additions and 12246 deletions
@@ -1,129 +1,129 @@
-# ETCD Encryption Configuration for Kubernetes
-
-To enable static encryption at rest for Kubernetes secrets in ETCD, you need to configure the API Server with an EncryptionConfiguration.
-
-## 1. Generate an Encryption Key
-
-```bash
-# Generate a 32-byte base64-encoded key
-head -c 32 /dev/urandom | base64
-# Example output: sxFdbKYquCe3EbRWVV+pFe2lS8K8hbiv3V8ExQZ0fD4=
-```
-
-## 2. Create EncryptionConfiguration File
-
-Create `/etc/kubernetes/encryption-config.yaml` on the control plane node:
-
-```yaml
-apiVersion: apiserver.config.k8s.io/v1
-kind: EncryptionConfiguration
-resources:
-  - resources:
-      - secrets
-    providers:
-      - aescbc:
-          keys:
-            - name: key1
-              secret: sxFdbKYquCe3EbRWVV+pFe2lS8K8hbiv3V8ExQZ0fD4=
-      - identity: {}
-```
-
-## 3. Update kube-apiserver Static Pod Manifest
-
-Edit `/etc/kubernetes/manifests/kube-apiserver.yaml` on the control plane node:
-
-```yaml
-spec:
-  containers:
-  - name: kube-apiserver
-    command:
-    - kube-apiserver
-    # ... existing flags ...
-    - --encryption-provider-config=/etc/kubernetes/encryption-config.yaml
-    volumeMounts:
-    - name: encryption-config
-      mountPath: /etc/kubernetes
-      readOnly: true
-  volumes:
-  - name: encryption-config
-    hostPath:
-      path: /etc/kubernetes
-      type: DirectoryOrCreate
-```
-
-## 4. Verify Encryption is Working
-
-```bash
-# After restarting the API server, create a secret and verify it's encrypted
-kubectl create secret generic test-secret --from-literal=key=value -n juwan
-
-# Check if the secret is encrypted in etcd
-kubectl get secret test-secret -o yaml
-
-# You can also check raw etcd data (requires etcd access):
-# etcdctl --endpoints=https://127.0.0.1:2379 get /kubernetes.io/secrets/juwan/test-secret
-# The data should be encrypted (not human-readable)
-```
-
-## 5. Important Notes
-
- **Backup your encryption key** in a secure location
- **Never commit encryption keys** to version control
- If you lose the key, all encrypted secrets will be unrecoverable
- After enabling encryption, existing unencrypted secrets will not be automatically encrypted
-  - To encrypt existing secrets, you can use: `kubectl delete secret <name> && kubectl create secret ...`
-  - Or use: `kubectl patch secret <name> -p '{}' --type=merge` (triggers re-encryption)
-
-## 6. RBAC Configuration for JWT Secret
-
-The `jwt-secret.yaml` includes RBAC rules that:
- Create a `jwt-secret` Secret in the `juwan` namespace
- Create ServiceAccounts for `user-rpc` and `envoy-gateway`
- Create a Role `jwt-secret-reader` that allows reading only the `jwt-secret` Secret
- Bind this Role to both ServiceAccounts via RoleBindings
-
-This ensures:
- Only `user-rpc` and `envoy-gateway` Pods can read the JWT secret
- Other services and users cannot access the JWT secret
- Least privilege access principle is enforced
-
-## 7. Update Deployment to Use ServiceAccount
-
-Make sure your Deployment references the ServiceAccount:
-
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: user-rpc
-  namespace: juwan
-spec:
-  template:
-    spec:
-      serviceAccountName: user-rpc  # This is important!
-      containers:
-      - name: user-rpc
-        env:
-        - name: JWT_SECRET_KEY
-          valueFrom:
-            secretKeyRef:
-              name: jwt-secret
-              key: secret-key
-```
-
-## 8. For Minikube Users
-
-If using Minikube, you can enable encryption with:
-
-```bash
-minikube config set apiserver.encryption-provider-config /path/to/encryption-config.yaml
-minikube start
-```
-
-Or manually edit the kube-apiserver manifest after starting Minikube:
-
-```bash
-minikube ssh
-sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml
-# Add the flags and volume mounts as shown above
-```
+# ETCD Encryption Configuration for Kubernetes
+
+To enable static encryption at rest for Kubernetes secrets in ETCD, you need to configure the API Server with an EncryptionConfiguration.
+
+## 1. Generate an Encryption Key
+
+```bash
+# Generate a 32-byte base64-encoded key
+head -c 32 /dev/urandom | base64
+# Example output: sxFdbKYquCe3EbRWVV+pFe2lS8K8hbiv3V8ExQZ0fD4=
+```
+
+## 2. Create EncryptionConfiguration File
+
+Create `/etc/kubernetes/encryption-config.yaml` on the control plane node:
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: EncryptionConfiguration
+resources:
+  - resources:
+      - secrets
+    providers:
+      - aescbc:
+          keys:
+            - name: key1
+              secret: sxFdbKYquCe3EbRWVV+pFe2lS8K8hbiv3V8ExQZ0fD4=
+      - identity: {}
+```
+
+## 3. Update kube-apiserver Static Pod Manifest
+
+Edit `/etc/kubernetes/manifests/kube-apiserver.yaml` on the control plane node:
+
+```yaml
+spec:
+  containers:
+  - name: kube-apiserver
+    command:
+    - kube-apiserver
+    # ... existing flags ...
+    - --encryption-provider-config=/etc/kubernetes/encryption-config.yaml
+    volumeMounts:
+    - name: encryption-config
+      mountPath: /etc/kubernetes
+      readOnly: true
+  volumes:
+  - name: encryption-config
+    hostPath:
+      path: /etc/kubernetes
+      type: DirectoryOrCreate
+```
+
+## 4. Verify Encryption is Working
+
+```bash
+# After restarting the API server, create a secret and verify it's encrypted
+kubectl create secret generic test-secret --from-literal=key=value -n juwan
+
+# Check if the secret is encrypted in etcd
+kubectl get secret test-secret -o yaml
+
+# You can also check raw etcd data (requires etcd access):
+# etcdctl --endpoints=https://127.0.0.1:2379 get /kubernetes.io/secrets/juwan/test-secret
+# The data should be encrypted (not human-readable)
+```
+
+## 5. Important Notes
+
+- **Backup your encryption key** in a secure location
+- **Never commit encryption keys** to version control
+- If you lose the key, all encrypted secrets will be unrecoverable
+- After enabling encryption, existing unencrypted secrets will not be automatically encrypted
+  - To encrypt existing secrets, you can use: `kubectl delete secret <name> && kubectl create secret ...`
+  - Or use: `kubectl patch secret <name> -p '{}' --type=merge` (triggers re-encryption)
+
+## 6. RBAC Configuration for JWT Secret
+
+The `jwt-secret.yaml` includes RBAC rules that:
+- Create a `jwt-secret` Secret in the `juwan` namespace
+- Create ServiceAccounts for `user-rpc` and `envoy-gateway`
+- Create a Role `jwt-secret-reader` that allows reading only the `jwt-secret` Secret
+- Bind this Role to both ServiceAccounts via RoleBindings
+
+This ensures:
+- Only `user-rpc` and `envoy-gateway` Pods can read the JWT secret
+- Other services and users cannot access the JWT secret
+- Least privilege access principle is enforced
+
+## 7. Update Deployment to Use ServiceAccount
+
+Make sure your Deployment references the ServiceAccount:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: user-rpc
+  namespace: juwan
+spec:
+  template:
+    spec:
+      serviceAccountName: user-rpc  # This is important!
+      containers:
+      - name: user-rpc
+        env:
+        - name: JWT_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: jwt-secret
+              key: secret-key
+```
+
+## 8. For Minikube Users
+
+If using Minikube, you can enable encryption with:
+
+```bash
+minikube config set apiserver.encryption-provider-config /path/to/encryption-config.yaml
+minikube start
+```
+
+Or manually edit the kube-apiserver manifest after starting Minikube:
+
+```bash
+minikube ssh
+sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml
+# Add the flags and volume mounts as shown above
+```