examples: Add double proxy sandbox

[phlax]

Signed-off-by: Ryan Northey ryan@synca.io

Commit Message: examples: Add double proxy sandbox
Additional Description:

this provides a sandbox with the following setup:

envoy (front) -> flask-app -> envoy (postgres-front) -> envoy(postgres-back) -> postgres

essentially it demonstrates using Envoy in a situation where a frontend app is not on the same subnet as its db, and uses a proxy in each of the subnets to transport traffic between.

ideally, the traffic between envoy (postgres-front) -> envoy (postgres-back) should be encrypted (and perhaps authenticated) to show a situation of the traffic travelling over insecure/public networks

Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Deprecated:]

[phlax]

@mattklein123 not sure how useful this is or if this is what is meant in docs etc by "double proxy"

its the pattern i was most interested in when i first looked at envoy - kinda like subnet (rather than pod/container) sidecars, that can be used as a bridge/router to upstream services

not sure if encrypting traffic in the middle proxies is possible, but it would make for a much better sandbox if it is, and would remove the need to use vpns etc in this kind of set up, esp if we could do client authentication

[mattklein123]

what is meant in docs etc by "double proxy"

Yeah this is an example of a double proxy scenario. The most common example is in POPs, something like envoy <pop> <-> envoy <origin> <-> backend

We can definitely encrypt across the hops. This is typically done using mTLS but it depends on the scenario. I think we could do this with a self-signed cert and make for a pretty interesting sandbox.

Let me know how you want to proceed on this one.

/wait

[phlax]

ive added mtls and all appears to work - just ironing out wrinkles with the example

i still need to add some docs

one question im now wondering is whether we could/should add compression to the mtls filling

[phlax]

afaict compression wont work as its http/hcm based and in this example the middle proxies arent using http

[mattklein123]

Thanks also super awesome. @ggreenway or @PiotrSikora would one of you be willing to do a quick review of the TLS setup here? Thank you!

/wait

[phlax]

@mattklein123 if we can land the securing quick-start page first, ill update this and tie them together

[mattklein123]

Yeah I think dropping SNI from this one makes sense.

/wait

[phlax]

great, updating...

[phlax]

latest render is here

https://storage.googleapis.com/envoy-pr/075c570/docs/start/sandboxes/double-proxy.html

[mattklein123]

Nice!