authormo khan <mo@mokhan.ca>2025-05-08 17:37:36 -0600
committermo khan <mo@mokhan.ca>2025-05-08 17:37:36 -0600
commit5d2450fa8c76be8de251d691bf44ab12804d715d (patch)
treea131f9dcb563c766266935346c981484857b60b8
parent2c909dcef60f2439e28ef8e550a5b107ca31ece8 (diff)
chore: start to build oauth filter configuration
-rw-r--r--envoy.yml82
1 files changed, 70 insertions, 12 deletions
diff --git a/envoy.yml b/envoy.yml
index 9b547c6..bff7a31 100644
--- a/envoy.yml
+++ b/envoy.yml
@@ -1,18 +1,21 @@
admin:
- access_log_path: /dev/stdout
address:
- socket_address: {address: 0.0.0.0, port_value: 9901}
+ socket_address:
+ address: 0.0.0.0
+ port_value: 9901
static_resources:
listeners:
- name: listener_0
address:
- socket_address: {address: 0.0.0.0, port_value: 10000}
+ socket_address:
+ protocol: TCP
+ address: 0.0.0.0
+ port_value: 10000
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
- stat_prefix: ingress_http
access_log:
- name: envoy.access_loggers.stdout
typed_config:
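Review bot: The restyled admin `socket_address` keeps `address: 0.0.0.0`, so the unauthenticated admin API (config dump, stats, quit/drain endpoints) stays reachable on every interface the container or host exposes on port 9901. Unless an external path to the admin port is deliberately required, bind it to loopback, `address: 127.0.0.1`, and reach it through a port mapping or from inside the container; this matters more as the file grows the OAuth filter wiring that a config dump would reveal. The http_connection_manager `typed_config` this hunk ends on continues outside the hunk.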
@@ -32,18 +35,55 @@ static_resources:
duration: "%DURATION%"
forwarded_for: "%REQ(X-FORWARDED-FOR)%"
user_agent: "%REQ(USER-AGENT)%"
- route_config:
- name: local_route
- virtual_hosts:
- - name: local_service
- domains: ["*"]
- routes:
- - match: {prefix: "/"}
- route: {cluster: sparkle}
http_filters:
+ # - name: envoy.filters.http.oauth2
+ # typed_config:
+ # "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
+ # config:
+ # auth_scopes:
+ # - user
+ # - openid
+ # - email
+ # authorization_endpoint: https://gitlab.com/oauth/authorize
+ # credentials:
+ # client_id: client_id
+ # token_secret:
+ # name: token
+ # sds_config:
+ # path_config_source:
+ # path: "/etc/envoy/client_secret.yaml"
+ # hmac_secret:
+ # name: hmac
+ # sds_config:
+ # path_config_source:
+ # path: "/etc/envoy/hmac.yaml"
+ # forward_bearer_token: true
+ # redirect_path_matcher:
+ # path:
+ # exact: /session/callback
+ # redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/session/callback"
+ # signout_path:
+ # path:
+ # exact: /session/destroy
+ # token_endpoint:
+ # cluster: oidc
+ # uri: https://gitlab.com/oauth/token
+ # timeout: 5s
+ # use_refresh_token: true
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ route_config:
+ virtual_hosts:
+ - name: service
+ domains: ["*"]
+ routes:
+ - match:
+ prefix: "/"
+ route:
+ cluster: sparkle
+ timeout: 5s
+ stat_prefix: ingress_http
clusters:
- name: sparkle
connect_timeout: 0.25s
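Review bot: The drafted `redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/session/callback"` builds the OAuth redirect target from two request headers that any client can set, and no trusted-proxy settings (`use_remote_address` / `xff_num_trusted_hops`) are visible in the hunk for the listener that is bound directly to 0.0.0.0:10000. The block is commented out today, so this only bites once it is enabled; at that point either pin the value for the deployment, e.g. `redirect_uri: "https://<public-host>/session/callback"`, or keep the header form only behind a proxy that overwrites both headers, and add a comment saying which choice was made. The placeholder `client_id: client_id` should also be marked as such so it is not enabled verbatim. The enclosing `http_connection_manager` typed_config starts before this hunk.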
@@ -58,3 +98,21 @@ static_resources:
socket_address:
address: localhost
port_value: 8080
+ - name: oidc
+ connect_timeout: 5s
+ type: LOGICAL_DNS
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: oidc
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: gitlab.com
+ port_value: 443
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ sni: gitlab.com
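Review bot: The new `oidc` cluster's `UpstreamTlsContext` sets only `sni: gitlab.com` and no `validation_context`, which in Envoy means the upstream certificate is not verified at all; the token exchange that carries the client secret and authorization code would then accept any certificate presented for the route to gitlab.com. Add a `common_tls_context.validation_context` with a `trusted_ca` and a SAN match so the cluster is pinned to the intended host, as sketched below, and consider a comment on the cluster stating that it must verify its peer. The CA bundle path is deployment-specific and left as a placeholder.
```yaml
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          sni: gitlab.com
          common_tls_context:
            validation_context:
              trusted_ca:
                filename: "<ca-bundle-path>"  # placeholder: the system/container CA bundle
              match_typed_subject_alt_names:
                - san_type: DNS
                  matcher:
                    exact: gitlab.com
```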