authormo khan <mo@mokhan.ca>2025-05-12 13:24:37 -0600
committermo khan <mo@mokhan.ca>2025-05-12 13:24:37 -0600
commit251539d40e89b3bc91dea14ed6afb311788962df (patch)
treea6fdd06f7ebc4e05a3d3588fd31c5d3793dd454e /etc
parentd4bf23c2e05b3aa01885ab1eeb8ff04c539cceda (diff)
refactor: mimic target deployment filesystem
Diffstat (limited to 'etc')
-rw-r--r--etc/envoy/envoy.yml174
1 files changed, 174 insertions, 0 deletions
diff --git a/etc/envoy/envoy.yml b/etc/envoy/envoy.yml
new file mode 100644
index 0000000..3c8df3a
--- /dev/null
+++ b/etc/envoy/envoy.yml
@@ -0,0 +1,174 @@
+admin:
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 9901
+static_resources:
+ clusters:
+ - name: sparkle
+ connect_timeout: 0.25s
+ type: STRICT_DNS
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: sparkle
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: localhost
+ port_value: 8080
+ - name: oidc
+ connect_timeout: 5s
+ type: LOGICAL_DNS
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: oidc
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: example.com
+ port_value: 443
+ hostname: example.com
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ sni: example.com
+ listeners:
+ - name: listener_0
+ address:
+ socket_address:
+ protocol: TCP
+ address: 0.0.0.0
+ port_value: 10000
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ access_log:
+ - name: envoy.access_loggers.stdout
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+ log_format:
+ json_format:
+ timestamp: "%START_TIME%"
+ client_ip: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
+ authority: "%REQ(:AUTHORITY)%"
+ protocol: "%PROTOCOL%"
+ method: "%REQ(:METHOD)%"
+ path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
+ request_id: "%REQ(X-REQUEST-ID)%"
+ response_code: "%RESPONSE_CODE%"
+ bytes_received: "%BYTES_RECEIVED%"
+ bytes_sent: "%BYTES_SENT%"
+ duration: "%DURATION%"
+ forwarded_for: "%REQ(X-FORWARDED-FOR)%"
+ user_agent: "%REQ(USER-AGENT)%"
+ codec_type: AUTO
+ http_filters:
+ - name: envoy.filters.http.oauth2
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
+ config:
+ auth_scopes:
+ - email
+ - openid
+ - profile
+ auth_type: BASIC_AUTH
+ authorization_endpoint: "https://example.com/oauth/authorize"
+ credentials:
+ client_id: "OAUTH_CLIENT_ID"
+ cookie_names:
+ bearer_token: bearer_token
+ oauth_hmac: oauth_hmac
+ oauth_expires: oauth_expires
+ id_token: id_token
+ refresh_token: refresh_token
+ oauth_nonce: oauth_nonce
+ # code_verifier: code_verifier
+ token_secret:
+ name: client_secret
+ hmac_secret:
+ name: hmac_secret
+ forward_bearer_token: true
+ pass_through_matcher:
+ - name: ":path"
+ safe_regex_match:
+ regex: .*\\.(css|js|png|html|ico)$
+ - name: ":path"
+ string_match:
+ exact: "/health"
+ - name: ":path"
+ string_match:
+ exact: "/"
+ - name: ":path"
+ string_match:
+ exact: "/sparkles"
+ - name: ":path"
+ string_match:
+ exact: "/sparkles/restore"
+ - name: ":path"
+ string_match:
+ exact: "/dashboard/nav"
+ redirect_path_matcher:
+ path:
+ exact: /callback
+ redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback"
+ signout_path:
+ path:
+ exact: /signout
+ token_endpoint:
+ cluster: oidc
+ uri: "https://example.com/oauth/token"
+ timeout: 5s
+ use_refresh_token: true
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ upstream_log:
+ - name: envoy.access_loggers.stdout
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+ log_format:
+ json_format:
+ timestamp: "%START_TIME%"
+ client_ip: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
+ authority: "%REQ(:AUTHORITY)%"
+ protocol: "%PROTOCOL%"
+ method: "%REQ(:METHOD)%"
+ path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
+ request_id: "%REQ(X-REQUEST-ID)%"
+ response_code: "%RESPONSE_CODE%"
+ bytes_received: "%BYTES_RECEIVED%"
+ bytes_sent: "%BYTES_SENT%"
+ duration: "%DURATION%"
+ forwarded_for: "%REQ(X-FORWARDED-FOR)%"
+ user_agent: "%REQ(USER-AGENT)%"
+ suppress_envoy_headers: true
+ route_config:
+ virtual_hosts:
+ - name: local
+ domains: ["*"]
+ routes:
+ - match:
+ prefix: "/"
+ route:
+ cluster: sparkle
+ timeout: 5s
+ retry_policy:
+ retry_on: "5xx"
+ num_retries: 3
+ stat_prefix: ingress_http
+ secrets:
+ - name: client_secret
+ generic_secret:
+ secret:
+ environment_variable: OAUTH_CLIENT_SECRET
+ - name: hmac_secret
+ generic_secret:
+ secret:
+ environment_variable: HMAC_SESSION_SECRET
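Review bot: The oidc cluster's UpstreamTlsContext (the `transport_socket` block ending at `sni: example.com`) carries no `validation_context`, and Envoy does not verify an upstream server certificate unless one is configured, so the client secret and authorization code sent to the token endpoint are exposed to an on-path impersonator of example.com; add `common_tls_context:` / `validation_context:` / `trusted_ca: { filename: "<CA bundle path>" }` under that `typed_config`. The admin listener is bound to `address: 0.0.0.0` on port 9901 with no network restriction; unless the target deployment is known to firewall it, `address: 127.0.0.1` is the safer default for an interface that exposes config dumps and runtime controls. The pass-through regex `.*\\.(css|js|png|html|ico)$` is an unquoted plain scalar, so the doubled backslash reaches the regex engine as a literal-backslash match and ordinary asset paths such as `/app.css` will not be passed through; `.*\.(css|js|png|html|ico)$` (one backslash, or the same text in single quotes) is presumably what was intended. Note also that `/`, `/sparkles`, `/sparkles/restore` and `/dashboard/nav` are passed through without a session, which is fine only if those upstream endpoints expect anonymous traffic.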