Install and configure Envoy

images/chromium-headful/Dockerfile

@@ -168,12 +168,31 @@ COPY --from=client /src/dist/ /var/www
 COPY --from=xorg-deps /usr/local/lib/xorg/modules/drivers/dummy_drv.so /usr/lib/xorg/modules/drivers/dummy_drv.so
 COPY --from=xorg-deps /usr/local/lib/xorg/modules/input/neko_drv.so /usr/lib/xorg/modules/input/neko_drv.so
 
+# Install Envoy proxy (official apt.envoyproxy.io) and add bootstrap configuration
+ENV ENVOY_PACKAGE=envoy-1.32
+RUN set -eux; \
+    mkdir -p /etc/apt/keyrings; \
+    curl -fsSL https://apt.envoyproxy.io/signing.key | gpg --dearmor -o /etc/apt/keyrings/envoy-keyring.gpg; \
+    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/envoy-keyring.gpg] https://apt.envoyproxy.io jammy main" > /etc/apt/sources.list.d/envoy.list; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends "${ENVOY_PACKAGE}" || (apt-cache policy "${ENVOY_PACKAGE}" envoy && exit 1); \
+    apt-mark hold "${ENVOY_PACKAGE}"; \
+    apt-get clean -y; \
+    rm -rf /var/lib/apt/lists/* /var/cache/apt/
+RUN mkdir -p /etc/envoy/templates
+COPY shared/envoy/bootstrap.yaml /etc/envoy/templates/bootstrap.yaml
+# Copy default config to bootstrap.yaml so supervisor can start envoy immediately
+COPY shared/envoy/default.yaml /etc/envoy/bootstrap.yaml
+COPY shared/envoy/init-envoy.sh /usr/local/bin/init-envoy.sh
+RUN chmod +x /usr/local/bin/init-envoy.sh
+
 COPY images/chromium-headful/image-chromium/ /
 COPY images/chromium-headful/start-chromium.sh /images/chromium-headful/start-chromium.sh
 RUN chmod +x /images/chromium-headful/start-chromium.sh
 COPY images/chromium-headful/wrapper.sh /wrapper.sh
 COPY images/chromium-headful/supervisord.conf /etc/supervisor/supervisord.conf
 COPY images/chromium-headful/supervisor/services/ /etc/supervisor/conf.d/services/
+COPY shared/envoy/supervisor-envoy.conf /etc/supervisor/conf.d/services/envoy.conf
 
 # copy the kernel-images API binary built in the builder stage
 COPY --from=server-builder /out/kernel-images-api /usr/local/bin/kernel-images-api

images/chromium-headful/wrapper.sh

@@ -148,6 +148,8 @@ fi
 sleep 0.2
 done
 
+init-envoy.sh
+
 echo "[wrapper] Starting Xorg via supervisord"
 supervisorctl -c /etc/supervisor/supervisord.conf start xorg
 echo "[wrapper] Waiting for Xorg to open display $DISPLAY..."

images/chromium-headless/image/Dockerfile

@@ -50,6 +50,24 @@ RUN set -xe; \
     software-properties-common \
     supervisor;
 
+# Install Envoy proxy (official apt.envoyproxy.io) and add bootstrap configuration
+ENV ENVOY_PACKAGE=envoy-1.32
+RUN set -eux; \
+    mkdir -p /etc/apt/keyrings; \
+    curl -fsSL https://apt.envoyproxy.io/signing.key | gpg --dearmor -o /etc/apt/keyrings/envoy-keyring.gpg; \
+    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/envoy-keyring.gpg] https://apt.envoyproxy.io jammy main" > /etc/apt/sources.list.d/envoy.list; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends "${ENVOY_PACKAGE}" || (apt-cache policy "${ENVOY_PACKAGE}" envoy && exit 1); \
+    apt-mark hold "${ENVOY_PACKAGE}"; \
+    apt-get clean -y; \
+    rm -rf /var/lib/apt/lists/* /var/cache/apt/
+RUN mkdir -p /etc/envoy/templates
+COPY shared/envoy/bootstrap.yaml /etc/envoy/templates/bootstrap.yaml
+# Copy default config to bootstrap.yaml so supervisor can start envoy immediately
+COPY shared/envoy/default.yaml /etc/envoy/bootstrap.yaml
+COPY shared/envoy/init-envoy.sh /usr/local/bin/init-envoy.sh
+RUN chmod +x /usr/local/bin/init-envoy.sh
+
 # install chromium and sqlite3 for debugging the cookies file
 RUN add-apt-repository -y ppa:xtradeb/apps
 RUN apt update -y && apt install -y chromium sqlite3
@@ -83,6 +101,7 @@ COPY images/chromium-headless/image/wrapper.sh /usr/bin/wrapper.sh
 # Supervisord configuration
 COPY images/chromium-headless/image/supervisord.conf /etc/supervisor/supervisord.conf
 COPY images/chromium-headless/image/supervisor/services/ /etc/supervisor/conf.d/services/
+COPY shared/envoy/supervisor-envoy.conf /etc/supervisor/conf.d/services/envoy.conf
 
 # Copy the kernel-images API binary built in the builder stage
 COPY --from=server-builder /out/kernel-images-api /usr/local/bin/kernel-images-api

images/chromium-headless/image/wrapper.sh

@@ -194,6 +194,8 @@ for i in {1..30}; do
   sleep 0.2
 done
 
+init-envoy.sh
+
 echo "[wrapper] Starting system D-Bus daemon via supervisord"
 supervisorctl -c /etc/supervisor/supervisord.conf start dbus
 for i in {1..50}; do

server/e2e/e2e_chromium_test.go

@@ -131,7 +131,7 @@ func runChromiumUserDataSavingFlow(t *testing.T, image, containerName string) {
 	}
 	if strings.Contains(image, "headful") {
 		// headless image sets its own flags, so only do this for headful
-		env["CHROMIUM_FLAGS"] = "--no-sandbox --disable-dev-shm-usage --disable-gpu --start-maximized --disable-software-rasterizer --remote-allow-origins=* --no-zygote --password-store=basic --no-first-run"
+		env["CHROMIUM_FLAGS"] = "--no-sandbox --disable-dev-shm-usage --disable-gpu --start-maximized --disable-software-rasterizer --remote-allow-origins=* --no-zygote --password-store=basic --no-first-run --proxy-server=http://127.0.0.1:3128"
 	}
 	logger.Info("[setup]", "action", "starting container", "image", image, "name", containerName)
 	_, exitCh, err := runContainer(baseCtx, image, containerName, env)

shared/envoy/bootstrap.yaml

@@ -0,0 +1,40 @@
+node:
+  id: "{INSTANCE_NAME}-{METRO_NAME}"
+
+dynamic_resources:
+  ads_config:
+    api_type: GRPC
+    transport_api_version: V3
+    grpc_services:
+    - envoy_grpc:
+        cluster_name: xds_server
+  lds_config:
+    ads: {}
+    resource_api_version: V3
+  cds_config:
+    ads: {}
+    resource_api_version: V3
+
+static_resources:
+  clusters:
+  - name: xds_server
+    type: STRICT_DNS
+    connect_timeout: 2s
+    http2_protocol_options: {}
+    load_assignment:
+      cluster_name: xds_server
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: control-plane
+                port_value: 18000
+
+admin:
+  address:
+    socket_address:
+      address: 127.0.0.1
+      port_value: 9901
+
+

shared/envoy/default.yaml

@@ -0,0 +1,71 @@
+static_resources:
+  listeners:
+    - name: http_explicit_forward_proxy
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 3128
+      filter_chains:
+        - filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                stat_prefix: hcm
+                normalize_path: true
+                http_filters:
+                  - name: envoy.filters.http.dynamic_forward_proxy
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
+                      dns_cache_config:
+                        name: local_dns_cache
+                        dns_lookup_family: V4_ONLY
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+                route_config:
+                  name: local_route
+                  virtual_hosts:
+                    - name: forward_proxy
+                      domains: ["*"]
+                      routes:
+                        - match: { connect_matcher: {} }
+                          route:
+                            cluster: dynamic_forward_proxy_cluster
+                            upgrade_configs:
+                              - upgrade_type: CONNECT
+                                connect_config: {}
+                        - match: { prefix: "/" }
+                          route:
+                            cluster: dynamic_forward_proxy_cluster
+                access_log:
+                  - name: envoy.access_loggers.stdout
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+                      log_format:
+                        text_format: "[%START_TIME%] %DOWNSTREAM_REMOTE_ADDRESS% %REQ(:method)% %REQ(:authority)% %REQ(:path)% -> %RESPONSE_CODE% (%BYTES_SENT%b) %DURATION%ms %RESPONSE_FLAGS% %UPSTREAM_TRANSPORT_FAILURE_REASON%\n"
+
+  clusters:
+    - name: dynamic_forward_proxy_cluster
+      connect_timeout: 5s
+      lb_policy: CLUSTER_PROVIDED
+      typed_extension_protocol_options:
+        envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+          "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+          explicit_http_config:
+            http_protocol_options: {}
+          upstream_http_protocol_options:
+            auto_sni: true
+            auto_san_validation: true
+      cluster_type:
+        name: envoy.clusters.dynamic_forward_proxy
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
+          dns_cache_config:
+            name: local_dns_cache
+            dns_lookup_family: V4_ONLY
+
+admin:
+  address:
+    socket_address: { address: 127.0.0.1, port_value: 9901 }
+
+

shared/envoy/init-envoy.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -o pipefail -o errexit -o nounset
+
+echo "[envoy-init] Preparing Envoy bootstrap configuration"
+mkdir -p /etc/envoy
+
+render_from_template=false
+if [[ -f /etc/envoy/templates/bootstrap.yaml && -n "${INST_NAME:-}" && -n "${METRO_NAME:-}" ]]; then
+  render_from_template=true
+fi
+
+if $render_from_template; then
+  echo "[envoy-init] Rendering template with INST_NAME=${INST_NAME} and METRO_NAME=${METRO_NAME}"
+  inst_esc=$(printf '%s' "$INST_NAME" | sed -e 's/[\/&]/\\&/g')
+  metro_esc=$(printf '%s' "$METRO_NAME" | sed -e 's/[\/&]/\\&/g')
+  sed -e "s|{INSTANCE_NAME}|$inst_esc|g" \
+      -e "s|{METRO_NAME}|$metro_esc|g" \
+      /etc/envoy/templates/bootstrap.yaml > /etc/envoy/bootstrap.yaml
+else
+  echo "[envoy-init] Using default configuration (template vars INST_NAME and METRO_NAME not provided)"
+fi
+
+echo "[envoy-init] Starting Envoy via supervisord"
+supervisorctl -c /etc/supervisor/supervisord.conf start envoy
+echo "[envoy-init] Waiting for Envoy admin on 127.0.0.1:9901..."
+for i in {1..50}; do
+  if (echo >/dev/tcp/127.0.0.1/9901) >/dev/null 2>&1; then
+    echo "[envoy-init] Envoy is started"
+    break
+  fi
+  sleep 0.1
+  if [[ $i -eq 50 ]]; then
+    echo "[envoy-init] Failed to start Envoy - admin interface not responding after 5 seconds"
+  fi
+done

shared/envoy/supervisor-envoy.conf

@@ -0,0 +1,9 @@
+[program:envoy]
+command=/bin/bash -lc 'set -e; args="-c /etc/envoy/bootstrap.yaml --log-level ${ENVOY_LOG_LEVEL:-info}"; [ -n "${ENVOY_NODE_ID:-}" ] && args="$args --service-node=${ENVOY_NODE_ID}"; [ -n "${ENVOY_CLUSTER:-}" ] && args="$args --service-cluster=${ENVOY_CLUSTER}"; exec envoy $args'
+autostart=false
+autorestart=true
+startsecs=2
+stdout_logfile=/var/log/supervisord/envoy
+redirect_stderr=true
+
+