[SCHEMATIC-215] Enable ingress for SigNoz UI (#51)

* Enable ingress for SigNoz UI

Author: BryanFauble

modules/envoy-gateway/resources/envoy-proxy.yaml

@@ -3,4 +3,10 @@ kind: EnvoyProxy
 metadata:
   name: custom-proxy-config
 spec:
-  mergeGateways: false
+  mergeGateways: false
+  provider:
+    type: Kubernetes
+    kubernetes:
+      envoyService:
+        annotations:
+          service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"

modules/envoy-gateway/resources/traffic-policy.yaml

@@ -8,4 +8,5 @@ spec:
       kind: Gateway
       name: eg
   tls:
-    minVersion: "1.3"
+    minVersion: "1.3"
+  enableProxyProtocol: true

modules/signoz/main.tf

@@ -251,6 +251,7 @@ spec:
           value: ${var.namespace}
     - target:
         kind: SecurityPolicy
+        name: require-jwt-for-collector
       patch: |-
         - op: replace
           path: /metadata/namespace

modules/signoz/resources-otel-ingress/http-route.yaml

@@ -24,3 +24,24 @@ spec:
         - path:
             type: PathPrefix
             value: /telemetry/v1
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: signoz-ui-route
+  namespace: envoy-gateway
+spec:
+  parentRefs:
+    - name: eg
+  rules:
+    - backendRefs:
+        - group: ""
+          kind: Service
+          name: signoz-frontend
+          namespace: signoz
+          port: 3301
+          weight: 1
+      matches:
+        - path:
+            type: PathPrefix
+            value: /

modules/signoz/resources-otel-ingress/reference-grant-signoz.yaml

@@ -12,3 +12,7 @@ spec:
   - group: ""
     kind: Service
     name: signoz-otel-collector
+  - group: ""
+    kind: Service
+    name: signoz-frontend
+

modules/signoz/resources-otel-ingress/security-policy.yaml

@@ -1,7 +1,7 @@
 apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: SecurityPolicy
 metadata:
-  name: require-audience-for-authorization
+  name: require-jwt-for-collector
   namespace: envoy-gateway
 spec:
   targetRef:
@@ -11,3 +11,22 @@ spec:
   jwt:
     providers: <replaced-by-kustomize>
   authorization: <replaced-by-kustomize>
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+  name: restrict-ui-to-sage-vpn
+  namespace: envoy-gateway
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: signoz-ui-route
+  authorization:
+    defaultAction: Deny
+    rules:
+    - action: Allow
+      principal:
+        clientCIDRs:
+        # Public IP address for the Sage VPN. `/32` CIDR mask means a single IP address.
+        - 52.44.61.21/32