| author | mo khan <mo@mokhan.ca> | 2025-07-14 14:23:07 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-14 14:23:07 -0600 |
| commit | d3b876c7181731a8596d58750d1c2046bad8e8a5 (patch) | |
| tree | 90b665f21358a4c59f7966e92191d14b10ef0c7a | |
| parent | 2e6d541b2d182f3750dd7033d0e60b849b3e23f8 (diff) | |
chore: update envoy to proxy requests directly to spicedb
| -rw-r--r-- | etc/envoy/envoy.yaml | 42 |
1 files changed, 40 insertions, 2 deletions
diff --git a/etc/envoy/envoy.yaml b/etc/envoy/envoy.yaml
index 9594c9e4..bfe2ce16 100644
--- a/etc/envoy/envoy.yaml
+++ b/etc/envoy/envoy.yaml
@@ -53,6 +53,37 @@ static_resources:
 max_pending_requests: 1024
 max_requests: 1024
 max_retries: 3
+ - name: spicedb
+ connect_timeout: 5s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: spicedb
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 50051
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicit_http_config:
+ http2_protocol_options: {}
+ health_checks:
+ - timeout: 3s
+ interval: 5s
+ unhealthy_threshold: 2
+ healthy_threshold: 2
+ grpc_health_check: {}
+ circuit_breakers:
+ thresholds:
+ - priority: DEFAULT
+ max_connections: 1024
+ max_pending_requests: 1024
+ max_requests: 1024
+ max_retries: 3
 listeners:
 - name: main_listener
 address:
@@ -120,14 +151,21 @@ static_resources:
 key: "x-xss-protection"
 value: "1; mode=block"
 virtual_hosts:
- - name: backend
+ - name: grpc_services
 domains: ["*"]
 routes:
+ # Route ext_authz to authzd
 - match:
- prefix: "/"
+ prefix: "/envoy.service.auth.v3.Authorization/"
 route:
 cluster: authzd
 timeout: 30s
+ # Default route - everything else goes to SpiceDB
+ - match:
+ prefix: "/"
+ route:
+ cluster: spicedb
+ timeout: 30s
 retry_policy:
 retry_on: "5xx,reset,connect-failure,retriable-status-codes"
 num_retries: 3 |
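Review bot: The new `spicedb` cluster talks cleartext HTTP/2 to its upstream: it sets `http2_protocol_options: {}` and has no `transport_socket`, which is acceptable only while the endpoint stays at `127.0.0.1:50051`. I would record that constraint next to the address, for example `# plaintext h2c: loopback only; add a TLS transport_socket if SpiceDB moves off-host`. The `circuit_breakers` thresholds look like a copy of the preceding cluster's values (the context lines show the same 1024/1024/3), so a one-line comment saying whether they were sized for SpiceDB would help the next reader.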
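Review bot: The new default route `prefix: "/"` under `domains: ["*"]` forwards every path except `/envoy.service.auth.v3.Authorization/` to the `spicedb` cluster, so the whole SpiceDB gRPC API, schema and relationship writes included, becomes reachable through this listener rather than only the calls clients need. Unless a filter outside this hunk already authenticates these requests, access control rests on SpiceDB's own preshared key; I would match only the required services, for example `prefix: "/authzed.api.v1.PermissionsService/"`, and let unmatched paths return 404. The `retry_policy` context lines now follow the spicedb route, so the retries appear to have moved from the authzd route to SpiceDB (indentation is lost on this page, so please confirm); `num_retries: 3` with `retry_on: "5xx,reset,connect-failure,retriable-status-codes"` would then re-send write RPCs as well, while ext_authz calls lose their retries. The route block continues past the end of the hunk.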
