| author | mo khan <mo@mokhan.ca> | 2025-05-09 12:12:00 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-05-11 21:21:38 -0600 |
| commit | cb3f6782aa8b627eab37e10cc2a234ce44c6ebb0 (patch) | |
| tree | 1dff8ce713d13b5ae3fc8feb253255aa7b769e95 | |
| parent | 60440f90dca28e99a31dd328c5f6d5dc0f9b6a2e (diff) | |
chore: enable oidc filter with static secrets
| -rw-r--r-- | .env | 1 | ||||
| -rw-r--r-- | envoy.yml | 71 |
2 files changed, 38 insertions, 34 deletions
@@ -1,5 +1,6 @@
 APP_ENV=development
 BIND_ADDR=:8080
+HMAC_SESSION_SECRET=session_secret
 HOST=localhost
 OAUTH_CLIENT_ID=client_id
 OAUTH_CLIENT_SECRET=client_secret
@@ -4,6 +4,15 @@ admin:
 address: 0.0.0.0
 port_value: 9901
 static_resources:
+ secrets:
+ - name: client_secret
+ generic_secret:
+ secret:
+ environment_variable: OAUTH_CLIENT_SECRET
+ - name: hmac_secret
+ generic_secret:
+ secret:
+ environment_variable: HMAC_SESSION_SECRET
 listeners:
 - name: listener_0
 address:
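Review bot: The HMAC key Envoy will read through `environment_variable: HMAC_SESSION_SECRET` in the new `static_resources.secrets` entry is the `session_secret` placeholder that the `.env` hunk commits, and since the oauth2 filter uses that key to sign its session cookies, the entry deserves a comment making clear the committed value is for local development only. A line such as `# hmac_secret signs the oauth2 filter's session cookies; the .env value is a local placeholder and must be a random high-entropy string in any shared environment` above `- name: hmac_secret` would make that visible to whoever deploys this. Both secrets appear to be read from the process environment when Envoy starts, so rotating either presumably needs a restart — worth confirming and noting in the same comment.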
@@ -36,40 +45,34 @@ static_resources:
 forwarded_for: "%REQ(X-FORWARDED-FOR)%"
 user_agent: "%REQ(USER-AGENT)%"
 http_filters:
- # - name: envoy.filters.http.oauth2
- # typed_config:
- # "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
- # config:
- # auth_scopes:
- # - user
- # - openid
- # - email
- # authorization_endpoint: https://gitlab.com/oauth/authorize
- # credentials:
- # client_id: client_id
- # token_secret:
- # name: token
- # sds_config:
- # path_config_source:
- # path: "/etc/envoy/client_secret.yaml"
- # hmac_secret:
- # name: hmac
- # sds_config:
- # path_config_source:
- # path: "/etc/envoy/hmac.yaml"
- # forward_bearer_token: true
- # redirect_path_matcher:
- # path:
- # exact: /session/callback
- # redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/session/callback"
- # signout_path:
- # path:
- # exact: /session/destroy
- # token_endpoint:
- # cluster: oidc
- # uri: https://gitlab.com/oauth/token
- # timeout: 5s
- # use_refresh_token: true
+ - name: envoy.filters.http.oauth2
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
+ config:
+ auth_scopes:
+ - user
+ - openid
+ - email
+ authorization_endpoint: https://gitlab.com/oauth/authorize
+ credentials:
+ client_id: client_id
+ token_secret:
+ name: client_secret
+ hmac_secret:
+ name: hmac_secret
+ forward_bearer_token: true
+ redirect_path_matcher:
+ path:
+ exact: /session/callback
+ redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/session/callback"
+ signout_path:
+ path:
+ exact: /session/destroy
+ token_endpoint:
+ cluster: oidc
+ uri: https://gitlab.com/oauth/token
+ timeout: 5s
+ use_refresh_token: true
 - name: envoy.filters.http.router
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router |
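Review bot: `client_id: client_id` under `credentials` is a literal string in envoy.yml while the `.env` hunk defines `OAUTH_CLIENT_ID=client_id` for the same value, so the two can silently drift; the oauth2 filter's `client_id` field takes a plain string rather than an SDS or environment reference, so unless this file is templated before Envoy loads it the `.env` entry appears unused, and a comment such as `# client_id is not read from OAUTH_CLIENT_ID in .env; keep the two in sync` would prevent confusion. Separately, `redirect_uri` is assembled from `%REQ(x-forwarded-proto)%` and `%REQ(:authority)%`, both of which are request-supplied unless the listener normalizes them; if Envoy is the edge proxy here it is worth confirming that the connection manager sets `x-forwarded-proto` itself rather than trusting a client-sent value, since otherwise the scheme of the redirect is client-influenced and only the provider's registered redirect URI remains as the backstop. The listener and filter chain that this `http_filters` list belongs to begin before the hunk, so the forwarding settings cannot be checked from here.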
