| author | mo khan <mo@mokhan.ca> | 2025-05-10 16:41:34 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-05-11 21:21:38 -0600 |
| commit | 4c8568d0071c569d04a93028500cfa14d330b4e8 (patch) | |
| tree | 0ca6039aff9713b918b571c40e3ffd520f3f9811 | |
| parent | 18c5623190105a5e99e238d7577e7c896220972c (diff) | |
chore: match outbound requests to oidc provider first
| -rw-r--r-- | envoy.yml | 76 |
1 files changed, 65 insertions, 11 deletions
@@ -13,6 +13,10 @@ static_resources: generic_secret: secret: environment_variable: HMAC_SESSION_SECRET + - name: oidc_host + generic_secret: + secret: + environment_variable: OIDC_HOST listeners: - name: listener_0 address: @@ -44,6 +48,7 @@ static_resources: duration: "%DURATION%" forwarded_for: "%REQ(X-FORWARDED-FOR)%" user_agent: "%REQ(USER-AGENT)%" + codec_type: AUTO http_filters: - name: envoy.filters.http.oauth2 typed_config: @@ -53,6 +58,7 @@ static_resources: - user - openid - email + auth_type: BASIC_AUTH authorization_endpoint: https://gitlab.com/oauth/authorize credentials: client_id: client_id @@ -63,23 +69,38 @@ static_resources: forward_bearer_token: true pass_through_matcher: - name: ":path" - suffix_match: ".html" + string_match: + prefix: "/.well-known/" + - name: ":path" + string_match: + prefix: "/oauth/" - name: ":path" - suffix_match: ".ico" + string_match: + suffix: ".html" - name: ":path" - suffix_match: ".png" + string_match: + suffix: ".ico" - name: ":path" - suffix_match: ".css" + string_match: + suffix: ".png" - name: ":path" - suffix_match: ".js" + string_match: + suffix: ".css" - name: ":path" - exact_match: "/health" + string_match: + suffix: ".js" - name: ":path" - exact_match: "/" + string_match: + exact: "/health" - name: ":path" - exact_match: "/sparkles" + string_match: + exact: "/" - name: ":path" - exact_match: "/dashboard/nav" + string_match: + exact: "/sparkles" + - name: ":path" + string_match: + exact: "/dashboard/nav" redirect_path_matcher: path: exact: /session/callback 
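Review bot: The new `prefix: "/oauth/"` entry in `pass_through_matcher` exempts every path under `/oauth/` from the oauth2 filter, and the companion route added in the next hunk forwards that whole prefix to the `oidc` cluster, so this listener becomes an unauthenticated relay for any provider endpoint under `/oauth/`, not only the authorize/token endpoints the session flow uses. If only a few provider paths need to be reachable through this host, `exact` entries or a tighter `prefix` (with matching routes) keep the bypass to what the flow needs; if the broad prefix is deliberate, a comment above the entry such as `# unauthenticated relay to the OIDC provider for the login flow` would tell the next reader why. The `/.well-known/` entry has the same shape and the same question. The match is on the raw `:path` unless the connection manager sets `normalize_path`/`merge_slashes`, which is outside this hunk, so confirm that against the listener config. The oauth2 filter's `typed_config` that this list belongs to starts before the hunk.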
@@ -89,22 +110,55 @@ static_resources: exact: /session/destroy token_endpoint: cluster: oidc - uri: https://gitlab.com/oauth/token + uri: "%REQ(x-forwarded-proto)%://%DYNAMIC_METADATA(envoy.filters.http.generic_secret:oidc_host)%/oauth/token" timeout: 5s use_refresh_token: true - name: envoy.filters.http.router typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + upstream_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog + log_format: + json_format: + timestamp: "%START_TIME%" + client_ip: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%" + authority: "%REQ(:AUTHORITY)%" + protocol: "%PROTOCOL%" + method: "%REQ(:METHOD)%" + path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%" + request_id: "%REQ(X-REQUEST-ID)%" + response_code: "%RESPONSE_CODE%" + bytes_received: "%BYTES_RECEIVED%" + bytes_sent: "%BYTES_SENT%" + duration: "%DURATION%" + forwarded_for: "%REQ(X-FORWARDED-FOR)%" + user_agent: "%REQ(USER-AGENT)%" + suppress_envoy_headers: true route_config: virtual_hosts: - - name: service + - name: local domains: ["*"] routes: - match: + prefix: "/.well-known/" + route: + cluster: oidc + timeout: 5s + - match: + prefix: "/oauth/" + route: + cluster: oidc + timeout: 5s + - match: prefix: "/" route: cluster: sparkle timeout: 5s + retry_policy: + retry_on: "5xx" + num_retries: 3 stat_prefix: ingress_http clusters: - name: sparkle |
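Review bot: The rewritten `token_endpoint.uri` takes its scheme from `%REQ(x-forwarded-proto)%`, a header that is client-supplied unless the connection manager overwrites it (`use_remote_address`/trusted-hop settings are not in this hunk), so — assuming the filter expands format specifiers in this field at all — the scheme of the URL used for the code-for-token exchange, where `auth_type: BASIC_AUTH` places the client credentials, is influenced by the incoming request; pinning it as `uri: "https://%DYNAMIC_METADATA(envoy.filters.http.generic_secret:oidc_host)%/oauth/token"` removes that dependency. Whether `%DYNAMIC_METADATA(envoy.filters.http.generic_secret:oidc_host)%` resolves to the `OIDC_HOST` value depends on a filter populating that metadata namespace, which the diff does not show, so verify the rendered token URL rather than assuming it. The new `/.well-known/` and `/oauth/` routes to the `oidc` cluster carry no `host_rewrite_literal`/`auto_host_rewrite`, so the provider receives this listener's `:authority` unless the cluster config (outside the hunk) handles it. The catch-all `/` route's `retry_policy` with `retry_on: "5xx"` and `num_retries: 3` applies to every method, including non-idempotent POSTs to `sparkle`; limiting it with `retriable_request_headers` or moving it to idempotent routes avoids replaying writes. The `clusters:` section continues past the end of the hunk.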
