| -rw-r--r-- | envoy.yml | 98 | ||||
| -rw-r--r-- | start.sh | 7 |
2 files changed, 54 insertions, 51 deletions
@@ -4,19 +4,39 @@ admin: address: 0.0.0.0 port_value: 9901 static_resources: - secrets: - - name: client_secret - generic_secret: - secret: - environment_variable: OAUTH_CLIENT_SECRET - - name: hmac_secret - generic_secret: - secret: - environment_variable: HMAC_SESSION_SECRET - - name: oidc_host - generic_secret: - secret: - environment_variable: OIDC_HOST + clusters: + - name: sparkle + connect_timeout: 0.25s + type: STRICT_DNS + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: sparkle + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: localhost + port_value: 8080 + - name: oidc + connect_timeout: 5s + type: STRICT_DNS + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: oidc + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: example.com + port_value: 443 + hostname: example.com + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + auto_host_sni: true listeners: - name: listener_0 address: @@ -55,13 +75,13 @@ static_resources: "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 config: auth_scopes: - - user - - openid - email + - openid + - profile auth_type: BASIC_AUTH - authorization_endpoint: https://gitlab.com/oauth/authorize + authorization_endpoint: "https://example.com/oauth/authorize" credentials: - client_id: client_id + client_id: "OAUTH_CLIENT_ID" token_secret: name: client_secret hmac_secret: @@ -110,7 +130,7 @@ static_resources: exact: /session/destroy token_endpoint: cluster: oidc - uri: "%REQ(x-forwarded-proto)%://%DYNAMIC_METADATA(envoy.filters.http.generic_secret:oidc_host)%/oauth/token" + uri: "https://example.com/oauth/token" timeout: 5s use_refresh_token: true - name: envoy.filters.http.router @@ -146,6 +166,7 @@ static_resources: route: cluster: oidc timeout: 5s + auto_host_rewrite: true - match: prefix: "/oauth/" route: 
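Review bot: The oidc cluster's UpstreamTlsContext still has no `common_tls_context.validation_context`, so Envoy does not verify the OIDC provider's certificate on the connection that carries the client secret to the token endpoint; `auto_host_sni: true` only chooses which SNI to send. The removed `sni: gitlab.com` form had the same gap, but since this commit rewrites the block it is the place to add a trust anchor and a SAN match, as sketched below (the `example.com` would be rewritten by start.sh like the other placeholders). Separately, the cluster type changes from LOGICAL_DNS to STRICT_DNS (the old value is visible in the last envoy.yml hunk); for an external issuer whose DNS answers rotate, STRICT_DNS keeps every returned address as a distinct endpoint and churns the set on each resolution, so LOGICAL_DNS is probably the intended type — worth confirming.
```yaml
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
            auto_host_sni: true
            common_tls_context:
              validation_context:
                trusted_ca:
                  filename: <ca-bundle-path>  # placeholder: the image's CA bundle
                match_typed_subject_alt_names:
                  - san_type: DNS
                    matcher:
                      exact: example.com  # placeholder, rewritten by start.sh
```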
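Review bot: `client_id: "OAUTH_CLIENT_ID"` and the `example.com` in `authorization_endpoint` are placeholders that start.sh rewrites with sed before Envoy starts, but nothing in envoy.yml says so, and a reader (or a future plain `-c /etc/envoy/envoy.yaml` invocation) would take them as real values; the same applies to the `token_endpoint` uri in the following hunk. A comment above `config:` such as `# "OAUTH_CLIENT_ID" and "example.com" are placeholders: start.sh substitutes $OAUTH_CLIENT_ID and the host part of $OIDC_ISSUER before launching Envoy` would make the contract explicit. Because the substitution is plain text over the whole file, the comment should also say that the placeholder strings must not appear anywhere else in the config. The OAuth2 filter config this hunk edits starts and ends outside the hunk.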
@@ -160,35 +181,12 @@ static_resources: retry_on: "5xx" num_retries: 3 stat_prefix: ingress_http - clusters: - - name: sparkle - connect_timeout: 0.25s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: sparkle - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: localhost - port_value: 8080 - - name: oidc - connect_timeout: 5s - type: LOGICAL_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: oidc - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: gitlab.com - port_value: 443 - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - sni: gitlab.com + secrets: + - name: client_secret + generic_secret: + secret: + environment_variable: OAUTH_CLIENT_SECRET + - name: hmac_secret + generic_secret: + secret: + environment_variable: HMAC_SESSION_SECRET @@ -1,3 +1,8 @@ #!/bin/sh -/usr/local/bin/sparkled & /usr/local/bin/envoy -c /etc/envoy/envoy.yaml +set -ex + +oidc_host=$(echo "$OIDC_ISSUER" | sed 's/https\?:\/\///') +yaml=$(sed "s/OAUTH_CLIENT_ID/$OAUTH_CLIENT_ID/" /etc/envoy/envoy.yaml) +yaml=$(echo "$yaml" | sed "s/example.com/$oidc_host/") +/usr/local/bin/sparkled & /usr/local/bin/envoy --config-yaml "$yaml" |
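Review bot: `$OAUTH_CLIENT_ID` and `$oidc_host` are spliced unescaped into sed `s///` expressions, so a `/`, `&` or `\` in either value breaks the substitution or alters the rendered config, and an issuer with a path or port (`https://idp/realms/x`, `https://idp:8443`) survives the scheme strip and lands in `address:` as an invalid host. Validating both values as bare tokens before the substitution fails early with a clear message instead of a sed error or a bad config, as below. `set -x` also echoes the whole rendered config (client id included) to the container log, and `--config-yaml "$yaml"` exposes it in envoy's argv; the client secret is still read from the environment by the generic_secret, so this is low impact today but becomes a leak the moment another secret is templated — `set -eu` without `-x` is enough here. The `\?` in the scheme-stripping sed is a GNU/busybox extension rather than POSIX BRE; `\{0,1\}` is portable.
```shell
set -eu

# Bare host only: strip the scheme, drop any path, then refuse anything that is not a hostname
oidc_host=$(printf '%s\n' "$OIDC_ISSUER" | sed 's#^https\{0,1\}://##; s#/.*$##')
case "$oidc_host" in
  ''|*[!A-Za-z0-9.-]*) echo "OIDC_ISSUER must be https://<host> with no port or path" >&2; exit 1 ;;
esac
# The client id is not secret, but it is spliced into a sed pattern, so keep it to safe characters
case "$OAUTH_CLIENT_ID" in
  ''|*[!A-Za-z0-9._-]*) echo "OAUTH_CLIENT_ID contains characters unsafe for sed substitution" >&2; exit 1 ;;
esac
yaml=$(sed -e "s/OAUTH_CLIENT_ID/$OAUTH_CLIENT_ID/" -e "s/example\.com/$oidc_host/" /etc/envoy/envoy.yaml)
# … unchanged: start sparkled and envoy …
```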
