authormo khan <mo@mokhan.ca>2025-07-14 16:29:33 -0600
committermo khan <mo@mokhan.ca>2025-07-14 16:29:33 -0600
commit0432cfbbb07f234dd2cd294cfe7dfa065b113182 (patch)
treecab9f759b7d656dab92eab48694e5924c54b9644 /etc
parent5a74d3988d8a029f1c879da709db623611aa545a (diff)
parente0b38f6ca22b28a0c4fe4192d642fceb48030737 (diff)
Merge branch 'the-spice-must-flow' into 'main'
Add SpiceDB Integration with Service-based Routing See merge request gitlab-org/software-supply-chain-security/authorization/authzd!9
Diffstat (limited to 'etc')
-rw-r--r--etc/authzd/policy1.cedar7
-rw-r--r--etc/authzd/spice.schema7
-rw-r--r--etc/envoy/envoy.yaml42
3 files changed, 54 insertions, 2 deletions
diff --git a/etc/authzd/policy1.cedar b/etc/authzd/policy1.cedar
index 15776ab7..966bbcfb 100644
--- a/etc/authzd/policy1.cedar
+++ b/etc/authzd/policy1.cedar
@@ -28,3 +28,10 @@ when
context.host == "sparkle.staging.runway.gitlab.net" &&
principal has username
};
+
+permit (
+ principal == User::"1",
+ action == Action::"GET",
+ resource == Resource::"/dashboard"
+)
+when { context has host && context.host == "localhost:10000" };
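Review bot: The new permit at the bottom of the hunk grants `User::"1"` GET on `/dashboard` on nothing more than `context.host == "localhost:10000"`, and that string is only as trustworthy as wherever authzd copies it from — if it is the client-presented Host/:authority header, anyone who can reach the listener can satisfy the rule. It also sits in the same policy file as the staging rule above it with nothing marking it as a development fixture. Add a header comment such as `// Local-dev only: matches the Envoy listener on :10000; remove or scope before this policy set is promoted.` and, if `context.host` is derived from the request, consider keying the rule on a value the proxy sets rather than one the caller can supply. The earlier `permit` whose `when` block closes at line 27 begins outside the hunk.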
diff --git a/etc/authzd/spice.schema b/etc/authzd/spice.schema
new file mode 100644
index 00000000..0d6a6482
--- /dev/null
+++ b/etc/authzd/spice.schema
@@ -0,0 +1,7 @@
+definition user {}
+definition project {
+ relation developer: user
+ relation maintainer: user
+ permission read = developer + maintainer
+ permission write = maintainer
+}
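Review bot: The new schema carries no doc comments, so the only record of what `read` and `write` are meant to mean is this merge request. SpiceDB accepts `/** ... */` doc comments on definitions and relations and surfaces them through its schema API, so add one above `definition project` stating that `read` is granted to developers and maintainers while `write` is reserved to maintainers, and that `write` does not imply `read` on its own — a maintainer reads only because `maintainer` is listed in the union on the `read` line. That last point is worth writing down before someone adds a relation that is expected to be write-only.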
diff --git a/etc/envoy/envoy.yaml b/etc/envoy/envoy.yaml
index 19df6a4f..bfe2ce16 100644
--- a/etc/envoy/envoy.yaml
+++ b/etc/envoy/envoy.yaml
@@ -34,6 +34,37 @@ static_resources:
address:
socket_address:
address: 127.0.0.1
+ port_value: 50052
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicit_http_config:
+ http2_protocol_options: {}
+ health_checks:
+ - timeout: 3s
+ interval: 5s
+ unhealthy_threshold: 2
+ healthy_threshold: 2
+ grpc_health_check: {}
+ circuit_breakers:
+ thresholds:
+ - priority: DEFAULT
+ max_connections: 1024
+ max_pending_requests: 1024
+ max_requests: 1024
+ max_retries: 3
+ - name: spicedb
+ connect_timeout: 5s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: spicedb
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
port_value: 50051
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
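Review bot: The `grpc_health_check: {}` added at lines 62–67 means the first cluster (now on port 50052) stays in rotation only if that upstream implements `grpc.health.v1.Health`; after two failed probes Envoy ejects the host and every request routed there fails, which for an ext_authz backend fails open or closed depending on the filter's `failure_mode_allow` — that filter is not in this hunk, so confirm it is `false`. Put the expectation next to the check: `# upstream must serve grpc.health.v1.Health; empty service_name probes the server as a whole`. The new `spicedb` cluster at lines 75–86 is plaintext on 127.0.0.1:50051 and its definition continues past the end of the hunk; if it does not carry the same `health_checks` and `circuit_breakers` as the first cluster, mirror them, otherwise a stalled SpiceDB is noticed only by the 30s route timeout.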
@@ -120,14 +151,21 @@ static_resources:
key: "x-xss-protection"
value: "1; mode=block"
virtual_hosts:
- - name: backend
+ - name: grpc_services
domains: ["*"]
routes:
+ # Route ext_authz to authzd
- match:
- prefix: "/"
+ prefix: "/envoy.service.auth.v3.Authorization/"
route:
cluster: authzd
timeout: 30s
+ # Default route - everything else goes to SpiceDB
+ - match:
+ prefix: "/"
+ route:
+ cluster: spicedb
+ timeout: 30s
retry_policy:
retry_on: "5xx,reset,connect-failure,retriable-status-codes"
num_retries: 3
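Review bot: The catch-all at lines 106–110 sends every path that does not start with `/envoy.service.auth.v3.Authorization/`, on `domains: ["*"]`, to SpiceDB, so the full SpiceDB gRPC surface — schema and relationship writes included — sits behind whatever listener this virtual host serves, and the only thing between a caller and `WriteRelationships` is SpiceDB's own preshared-key check, which is outside this diff. Narrow the route to the services Envoy is meant to front, e.g. `prefix: "/authzed.api.v1.PermissionsService/"`, and let unmatched paths fall through to Envoy's 404 rather than to SpiceDB. Note also that the pre-existing `retry_policy` (lines 111–113) now hangs off the new SpiceDB route instead of the authzd one, so SpiceDB calls — writes included — are retried up to three times on `5xx,reset,connect-failure` while ext_authz checks are no longer retried at all; if that swap is intended, say so in a comment above `retry_policy:`, otherwise move it back under the authzd route.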