sagikazarmark/curiefense-emissary-poc

Curiefense WAF + Emissary Ingress POC

Clone the repository with the following command:

git clone --recurse-submodules https://github.com/sagikazarmark/curiefense-emissary-poc.git

Preparations

Build container image:

docker build .

If you use Kind (proceed to the instructions below if you are here for the first time), you can build a local image and load it into Kind:

docker build -t curiefense-emissary .
kind load docker-image curiefense-emissary:latest

Setup

Gain access to a Kubernetes cluster. Check out the Using Kind section for a local setup.

Using Kind

  1. Create a new Kind cluster:
     kind create cluster --config kind/kind.yaml
  2. Run the setup script to install required components:
     ./kind/setup.sh

Deploy Curiefense

Deploy Curiefense:

kubectl create namespace curiefense

kubectl apply -f curiefense/secret.yaml

cd curiefense/curiefense-helm/curiefense-helm
DOCKER_TAG=v1.5.0 ./deploy.sh -f curiefense/use-minio.yaml --set "global.proxy.frontend=envoy" --set "global.settings.curiefense_minio_insecure=true"
cd -

TODO: quality of life improvement: push (prod) chart to a chart repo? Use Kustomize to install components (uiserver, confserver) separately?

Deploy Emissary Ingress

Deploy Emissary:

# If you run into any error, run it again
kustomize build emissary | kubectl apply -f -

kubectl -n emissary wait --for condition=available --timeout=90s deploy emissary-ingress

Deploy the echo app

kubectl apply -f app/app.yaml

Usage

First, you might want to create some configuration that proves the system works.

For example, you could create a Global Filter that matches requests with a specific header (e.g. breakme: true).

Check out the documentation to learn about the vast number of features Curiefense has.

First, port-forward into the Curiefense UI server:

kubectl -n curiefense port-forward deploy/uiserver 8080:80

Then follow these steps to set up a simple deny rule:

  1. Go to Policies & Rules
  2. Choose Global Filters
  3. Click the + (plus) sign in the right upper corner
  4. Give the new filter a name
  5. Add a new match for a Header (e.g. breakme: true)
  6. Choose 503 Service Unavailable as action
  7. Hit save (floppy icon)
  8. Go to Publish Changes
  9. Hit Publish configuration

Next, port-forward into Emissary Ingress:

kubectl -n emissary port-forward deploy/emissary-ingress 8888:8080

Finally, send a request to the ingress:

curl -H "Host: host2.example.com" -H "breakme: true" localhost:8888

You should get a 503 from the server.
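A 503 on its own does not prove the filter matched, because Envoy (which Emissary is built on) also answers 503 when no upstream is healthy. The script below is an added example, not part of this repository: it sends the request with and without the breakme header and compares the two status codes. The file name check-filter.sh and the function names are hypothetical; the host, header and port are the ones used above.

```shell
#!/bin/sh
# Added example: verify the Global Filter blocks only requests carrying the header.
# Assumes the Emissary port-forward from this README is active on localhost:8888.
TARGET="${TARGET:-localhost:8888}"
HOST_HEADER="Host: host2.example.com"   # from the README's curl command
BLOCK_HEADER="breakme: true"            # header matched by the filter
BLOCK_STATUS=503                        # action chosen in step 6

# Print only the HTTP status code; curl prints 000 when it gets no response.
status_of() {
    curl -s -o /dev/null --max-time 5 -w '%{http_code}' "$@" "$TARGET" || true
}

# Classify the pair (status with header, status without header).
verdict() {
    blocked=$1 control=$2
    if [ "$blocked" = 000 ] || [ "$control" = 000 ]; then
        echo unreachable      # port-forward not running or ingress not listening
    elif [ "$blocked" != "$BLOCK_STATUS" ]; then
        echo not-enforced     # filter not published, or the match did not fire
    elif [ "$control" = "$BLOCK_STATUS" ]; then
        echo ambiguous        # 503 without the header too: upstream failure, not the filter
    else
        echo enforced
    fi
}

# Send both requests and report; succeeds only when the filter is enforced.
check_filter() {
    blocked=$(status_of -H "$HOST_HEADER" -H "$BLOCK_HEADER")
    control=$(status_of -H "$HOST_HEADER")
    result=$(verdict "$blocked" "$control")
    echo "with header: $blocked, without header: $control -> $result"
    [ "$result" = enforced ]
}

# Run the live check only when asked to: sh check-filter.sh run
if [ "${1:-}" = run ]; then check_filter; fi
```

An "ambiguous" result usually means the echo app or its mapping is not ready yet; check the deployments before revisiting the filter.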

Cleanup

Ideally, delete the cluster.

In case of Kind:

kind delete cluster

Best effort attempt to delete resources:

kubectl delete namespace emissary
kubectl delete namespace curiefense