-rw-r--r--Dockerfile2
-rw-r--r--etc/envoy/envoy.yaml109
2 files changed, 110 insertions, 1 deletions
diff --git a/Dockerfile b/Dockerfile
index 07f6f58a..02079de5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,7 @@ RUN cargo build --release --target x86_64-unknown-linux-musl --offline
RUN strip /app/target/x86_64-unknown-linux-musl/release/authzd
FROM gcr.io/distroless/static-debian12:nonroot
-EXPOSE 50051
+EXPOSE 9901 10000 50051
WORKDIR /var/www
COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/authzd /bin/authzd
COPY --from=builder /app/etc/authzd /etc/authzd
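Review bot: `EXPOSE 9901` advertises the Envoy admin interface, which etc/envoy/envoy.yaml in this same commit binds to `0.0.0.0` with no access restriction; the admin interface serves config dumps and control endpoints, so it should not be reachable from outside the container. I'd drop it from the image contract, `EXPOSE 10000 50051`, and in envoy.yaml bind the admin `socket_address` to `127.0.0.1` (or leave it only on a dedicated management network, if one exists). EXPOSE is documentary and does not publish a port on its own, so the binding in envoy.yaml's admin block is the change that actually matters.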
diff --git a/etc/envoy/envoy.yaml b/etc/envoy/envoy.yaml
new file mode 100644
index 00000000..e050a49e
--- /dev/null
+++ b/etc/envoy/envoy.yaml
@@ -0,0 +1,109 @@
+admin:
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 9901
+application_log_config:
+ log_format:
+ json_format:
+ Timestamp: "%Y-%m-%dT%T.%F"
+ ThreadId: "%t"
+ SourceLine: "%s:%#"
+ Level: "%l"
+ Message: "%j"
+overload_manager:
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 1024
+static_resources:
+ clusters:
+ - name: authzd
+ connect_timeout: 5s
+ load_assignment:
+ cluster_name: authzd
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 50051
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicit_http_config:
+ http2_protocol_options: {}
+ listeners:
+ - name: listener_0
+ address:
+ socket_address:
+ protocol: TCP
+ address: 0.0.0.0
+ port_value: 10000
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ access_log:
+ - name: envoy.access_loggers.stdout
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+ log_format:
+ json_format:
+ app: "envoy"
+ authority: "%REQ(:AUTHORITY)%"
+ bytes_received: "%BYTES_RECEIVED%"
+ bytes_sent: "%BYTES_SENT%"
+ client_ip: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
+ duration: "%DURATION%"
+ forwarded_for: "%REQ(X-FORWARDED-FOR)%"
+ method: "%REQ(:METHOD)%"
+ path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
+ protocol: "%PROTOCOL%"
+ request_id: "%REQ(X-REQUEST-ID)%"
+ response_code: "%RESPONSE_CODE%"
+ timestamp: "%START_TIME%"
+ user_agent: "%REQ(USER-AGENT)%"
+ codec_type: AUTO
+ http_filters:
+ - name: envoy.filters.http.health_check
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+ pass_through_mode: false
+ headers:
+ - name: ":path"
+ string_match:
+ exact: "/health"
+ - name: envoy.filters.http.ext_authz
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+ grpc_service:
+ envoy_grpc:
+ cluster_name: authzd
+ timeout: 30s
+ failure_mode_allow: false
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ suppress_envoy_headers: true
+ route_config:
+ request_headers_to_remove:
+ - authorization
+ - cookie
+ - user-agent
+ virtual_hosts:
+ - name: local
+ domains: ["*"]
+ routes:
+ - match:
+ prefix: "/"
+ route:
+ cluster: authzd
+ timeout: 5s
+ retry_policy:
+ retry_on: "5xx"
+ num_retries: 3
+ stat_prefix: ingress_http
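Review bot: The ext_authz `timeout: 30s` is six times the `timeout: 5s` on the route and the `connect_timeout: 5s` on the same authzd cluster, so a slow or wedged authorizer holds each in-flight request and its downstream connection for up to 30s before it is denied, which makes the `max_active_downstream_connections: 1024` cap cheap to reach; I'd align it with the rest of the budget, `timeout: 5s`. Separately, `retry_on: "5xx"` with `num_retries: 3` sits on the catch-all `/` route and is not limited by method, so a POST the upstream fails after partial processing is re-sent up to three times; consider `retry_on: "connect-failure,reset"` or a per-method route if the authzd API has non-idempotent calls. Both values look like placeholders for a deployment-specific budget — confirm against the authorizer's expected latency.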