From d3b876c7181731a8596d58750d1c2046bad8e8a5 Mon Sep 17 00:00:00 2001 From: mo khan Date: Mon, 14 Jul 2025 14:23:07 -0600 Subject: chore: update envoy to proxy requests directly to spicedb --- etc/envoy/envoy.yaml | 42 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 40 insertions(+), 2 deletions(-) diff --git a/etc/envoy/envoy.yaml b/etc/envoy/envoy.yaml index 9594c9e4..bfe2ce16 100644 --- a/etc/envoy/envoy.yaml +++ b/etc/envoy/envoy.yaml @@ -53,6 +53,37 @@ static_resources: max_pending_requests: 1024 max_requests: 1024 max_retries: 3 + - name: spicedb + connect_timeout: 5s + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: spicedb + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 50051 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: {} + health_checks: + - timeout: 3s + interval: 5s + unhealthy_threshold: 2 + healthy_threshold: 2 + grpc_health_check: {} + circuit_breakers: + thresholds: + - priority: DEFAULT + max_connections: 1024 + max_pending_requests: 1024 + max_requests: 1024 + max_retries: 3 listeners: - name: main_listener address: @@ -120,14 +151,21 @@ static_resources: key: "x-xss-protection" value: "1; mode=block" virtual_hosts: - - name: backend + - name: grpc_services domains: ["*"] routes: + # Route ext_authz to authzd - match: - prefix: "/" + prefix: "/envoy.service.auth.v3.Authorization/" route: cluster: authzd timeout: 30s + # Default route - everything else goes to SpiceDB + - match: + prefix: "/" + route: + cluster: spicedb + timeout: 30s retry_policy: retry_on: "5xx,reset,connect-failure,retriable-status-codes" num_retries: 3 -- cgit v1.2.3