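---
# Envoy bootstrap: a plaintext gRPC ingress on :20000 that routes ext_authz
# Check traffic to a local authzd process and everything else to a local
# SpiceDB instance. Application logs and access logs are emitted as JSON.
node:
  id: authzd
  cluster: authzd

# Admin API (config dump including secrets, runtime and log-level changes,
# /quitquitquit, ...). Bound to loopback; it was 0.0.0.0, which made it
# reachable from any host that could reach this container. If metrics must
# be scraped remotely, expose only the needed admin paths through a
# dedicated listener rather than widening this bind address again.
admin:
  address:
    socket_address:
      address: 127.0.0.1
      port_value: 9991

# Structured process logs. spdlog pattern flags: %F is fractional seconds,
# %t thread id, %l level, %n logger name, %j the JSON-escaped message.
application_log_config:
  log_format:
    json_format:
      timestamp: "%Y-%m-%dT%T.%FZ"
      thread_id: "%t"
      level: "%l"
      logger: "%n"
      message: "%j"

# Global cap on accepted downstream connections across all listeners
# (connection-exhaustion backstop; the admin listener is not counted).
overload_manager:
  resource_monitors:
    - name: "envoy.resource_monitors.global_downstream_max_connections"
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
        max_active_downstream_connections: 10240

static_resources:
  clusters:
    # ext_authz backend, co-located; HTTP/2 is forced because gRPC needs it.
    - name: authzd
      connect_timeout: 5s
      type: STATIC
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: authzd
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 50052
      typed_extension_protocol_options:
        envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
          "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
          explicit_http_config:
            http2_protocol_options: {}
      # Active gRPC health checking (grpc.health.v1.Health/Check); the
      # upstream is ejected after 2 consecutive failures.
      health_checks:
        - timeout: 3s
          interval: 5s
          unhealthy_threshold: 2
          healthy_threshold: 2
          grpc_health_check: {}
      # Per-cluster limits: requests beyond these fail fast with 503
      # instead of queueing indefinitely.
      circuit_breakers:
        thresholds:
          - priority: DEFAULT
            max_connections: 1024
            max_pending_requests: 1024
            max_requests: 1024
            max_retries: 3

    # SpiceDB backend, co-located; same protocol, health-check and
    # circuit-breaker settings as authzd.
    - name: spicedb
      connect_timeout: 5s
      type: STATIC
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: spicedb
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 50051
      typed_extension_protocol_options:
        envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
          "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
          explicit_http_config:
            http2_protocol_options: {}
      health_checks:
        - timeout: 3s
          interval: 5s
          unhealthy_threshold: 2
          healthy_threshold: 2
          grpc_health_check: {}
      circuit_breakers:
        thresholds:
          - priority: DEFAULT
            max_connections: 1024
            max_pending_requests: 1024
            max_requests: 1024
            max_retries: 3

  listeners:
    # Plaintext listener: there is no transport_socket, so gRPC metadata
    # (including any bearer tokens) crosses the wire unencrypted. This
    # presumes TLS terminates in front of Envoy or the network is private;
    # confirm against the deployment.
    - name: main_listener
      address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 20000
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                # JSON access log to stdout; /health probes are excluded.
                # use_remote_address is unset (default false), so the
                # x_forwarded_for field is whatever the client sent, not a
                # trusted value; x-real-ip below carries the actual peer.
                access_log:
                  - name: envoy.access_loggers.stdout
                    filter:
                      not_health_check_filter: {}
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
                      log_format:
                        json_format:
                          timestamp: "%START_TIME(%FT%T.%3fZ)%"
                          method: "%REQ(:METHOD)%"
                          path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
                          protocol: "%PROTOCOL%"
                          response_code: "%RESPONSE_CODE%"
                          response_flags: "%RESPONSE_FLAGS%"
                          bytes_received: "%BYTES_RECEIVED%"
                          bytes_sent: "%BYTES_SENT%"
                          duration_ms: "%DURATION%"
                          upstream_service_time: "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
                          x_forwarded_for: "%REQ(X-FORWARDED-FOR)%"
                          user_agent: "%REQ(USER-AGENT)%"
                          request_id: "%REQ(X-REQUEST-ID)%"
                          authority: "%REQ(:AUTHORITY)%"
                          upstream_host: "%UPSTREAM_HOST%"
                codec_type: AUTO
                # request_timeout bounds receipt of the full request;
                # stream_idle_timeout bounds silence on a single stream
                # (matters for long-lived gRPC streams).
                request_timeout: 30s
                stream_idle_timeout: 300s
                http_filters:
                  # Answers GET /health locally (pass_through_mode: false)
                  # so probes never reach the upstreams.
                  - name: envoy.filters.http.health_check
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
                      pass_through_mode: false
                      headers:
                        - name: ":path"
                          string_match:
                            exact: "/health"
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                      # Do not add x-envoy-* headers to upstream requests
                      # or responses (less fingerprinting of the proxy).
                      suppress_envoy_headers: true
                route_config:
                  name: local_route
                  # Browser-hardening headers on every response. They are
                  # inert for gRPC clients; x-xss-protection is a legacy
                  # header and current guidance favours "0" or omitting it.
                  response_headers_to_add:
                    - header:
                        key: "x-content-type-options"
                        value: "nosniff"
                    - header:
                        key: "x-frame-options"
                        value: "DENY"
                    - header:
                        key: "x-xss-protection"
                        value: "1; mode=block"
                  virtual_hosts:
                    - name: grpc_services
                      domains: ["*"]
                      routes:
                        # Route ext_authz to authzd. The caller's own
                        # credentials are stripped before the Check request
                        # reaches authzd; the subject's request headers
                        # travel inside the CheckRequest body instead.
                        - match:
                            prefix: "/envoy.service.auth.v3.Authorization/"
                          route:
                            cluster: authzd
                            timeout: 30s
                          request_headers_to_remove:
                            - authorization
                            - cookie
                        # Default route - everything else goes to SpiceDB.
                        # Note the retry policy re-sends on reset/5xx, so a
                        # write RPC the upstream already applied may be
                        # applied again; confirm only retry-safe calls rely
                        # on this, or narrow retry_on.
                        - match:
                            prefix: "/"
                          route:
                            cluster: spicedb
                            timeout: 30s
                            retry_policy:
                              retry_on: "5xx,reset,connect-failure,retriable-status-codes"
                              num_retries: 3
                              per_try_timeout: 10s
                              retriable_status_codes: [503]
                          # x-real-ip is the direct TCP peer (trustworthy);
                          # x-forwarded-proto merely copies the client-
                          # supplied header and should not be trusted
                          # upstream for scheme decisions.
                          request_headers_to_add:
                            - header:
                                key: "x-real-ip"
                                value: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
                            - header:
                                key: "x-forwarded-proto"
                                value: "%REQ(X-FORWARDED-PROTO)%"
                stat_prefix: ingress_http
                common_http_protocol_options:
                  idle_timeout: 300s
                  # Drop requests whose header names contain "_" to avoid
                  # underscore/hyphen confusion in backends.
                  headers_with_underscores_action: REJECT_REQUEST
                # Per-connection HTTP/2 limits (flood/resource backstop).
                http2_protocol_options:
                  max_concurrent_streams: 100
                  initial_stream_window_size: 65536
                server_header_transformation: PASS_THROUGH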