| author | mo khan <mo@mokhan.ca> | 2025-07-14 16:29:33 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-14 16:29:33 -0600 |
| commit | 0432cfbbb07f234dd2cd294cfe7dfa065b113182 (patch) | |
| tree | cab9f759b7d656dab92eab48694e5924c54b9644 /etc/envoy/envoy.yaml | |
| parent | 5a74d3988d8a029f1c879da709db623611aa545a (diff) | |
| parent | e0b38f6ca22b28a0c4fe4192d642fceb48030737 (diff) | |
Merge branch 'the-spice-must-flow' into 'main'
Add SpiceDB Integration with Service-based Routing
See merge request gitlab-org/software-supply-chain-security/authorization/authzd!9
Diffstat (limited to 'etc/envoy/envoy.yaml')
| -rw-r--r-- | etc/envoy/envoy.yaml | 42 |
1 files changed, 40 insertions, 2 deletions
diff --git a/etc/envoy/envoy.yaml b/etc/envoy/envoy.yaml index 19df6a4f..bfe2ce16 100644 --- a/etc/envoy/envoy.yaml +++ b/etc/envoy/envoy.yaml @@ -34,6 +34,37 @@ static_resources: address: socket_address: address: 127.0.0.1 + port_value: 50052 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: {} + health_checks: + - timeout: 3s + interval: 5s + unhealthy_threshold: 2 + healthy_threshold: 2 + grpc_health_check: {} + circuit_breakers: + thresholds: + - priority: DEFAULT + max_connections: 1024 + max_pending_requests: 1024 + max_requests: 1024 + max_retries: 3 + - name: spicedb + connect_timeout: 5s + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: spicedb + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 port_value: 50051 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: @@ -120,14 +151,21 @@ static_resources: key: "x-xss-protection" value: "1; mode=block" virtual_hosts: - - name: backend + - name: grpc_services domains: ["*"] routes: + # Route ext_authz to authzd - match: - prefix: "/" + prefix: "/envoy.service.auth.v3.Authorization/" route: cluster: authzd timeout: 30s + # Default route - everything else goes to SpiceDB + - match: + prefix: "/" + route: + cluster: spicedb + timeout: 30s retry_policy: retry_on: "5xx,reset,connect-failure,retriable-status-codes" num_retries: 3 |
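Review bot: The first cluster's endpoint moves from port 50051 to 50052 while the new `spicedb` cluster takes over 50051, and neither the hunk nor the commit message records why; that cluster's name is above the hunk, so I am inferring from the route cluster names that it is authzd. If the authzd server's own listen port is configured outside this file and was not moved in step, ext_authz traffic would now be delivered to SpiceDB, which would fail closed only if SpiceDB rejects the unknown service. Suggest a comment above the new `port_value: 50052` such as `# authzd (ext_authz) listens on 50052; 50051 is now the SpiceDB endpoint` and a check that the authzd deployment matches. The spicedb cluster definition continues past the hunk, so whether it gets the same `grpc_health_check` and circuit-breaker limits as the first cluster cannot be confirmed here.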
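Review bot: The new catch-all route (`prefix: "/"` → cluster `spicedb`) forwards every gRPC method of SpiceDB through this listener, not only permission checks — the relationship-write and schema-write RPCs included — so anything that can reach the listener can mutate authorization data unless SpiceDB's own preshared-key authentication is enforced upstream, which this file does not show. If only check/lookup traffic is meant to pass here, replace the catch-all with exact `path:` matches for the intended methods of `authzed.api.v1.PermissionsService` so unmatched RPCs are rejected by Envoy, and add a comment stating which SpiceDB services are intentionally exposed and why. Separately, the `retry_policy` context lines at the end of the hunk now follow the spicedb route's `timeout: 30s` rather than the authzd route's; if that block is route-level it has silently moved from authzd to the new catch-all, and retrying on `reset`/`connect-failure` would then apply to non-idempotent write RPCs. The enclosing `route_config` and `retry_policy` extend past the hunk, so this cannot be confirmed from the visible lines.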
