Diffstat (limited to 'envoy.yml')
| -rw-r--r-- | envoy.yml | 71 |
1 files changed, 37 insertions, 34 deletions
@@ -4,6 +4,15 @@ admin:
 address: 0.0.0.0
 port_value: 9901
 static_resources:
+ secrets:
+ - name: client_secret
+ generic_secret:
+ secret:
+ environment_variable: OAUTH_CLIENT_SECRET
+ - name: hmac_secret
+ generic_secret:
+ secret:
+ environment_variable: HMAC_SESSION_SECRET
 listeners:
 - name: listener_0
 address: 
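Review bot: The two new `static_resources.secrets` entries carry no statement of what the environment variables must contain, and nothing in this hunk guards against a weak or unset value. `hmac_secret` is the key that signs the OAuth2 session cookies, so a short or guessable `HMAC_SESSION_SECRET` would make those cookies forgeable. I would add a comment above `secrets:` such as `# OAUTH_CLIENT_SECRET and HMAC_SESSION_SECRET must be set before Envoy starts; HMAC_SESSION_SECRET signs session cookies, so use a long random value shared by all replicas`. The context lines above also show the admin interface bound to `0.0.0.0:9901`; now that this config holds credentials and fronts authentication, binding it to loopback is worth considering. The `admin` and `listeners` blocks continue outside the hunk.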
@@ -36,40 +45,34 @@ static_resources:
 forwarded_for: "%REQ(X-FORWARDED-FOR)%"
 user_agent: "%REQ(USER-AGENT)%"
 http_filters:
- # - name: envoy.filters.http.oauth2
- # typed_config:
- # "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
- # config:
- # auth_scopes:
- # - user
- # - openid
- # - email
- # authorization_endpoint: https://gitlab.com/oauth/authorize
- # credentials:
- # client_id: client_id
- # token_secret:
- # name: token
- # sds_config:
- # path_config_source:
- # path: "/etc/envoy/client_secret.yaml"
- # hmac_secret:
- # name: hmac
- # sds_config:
- # path_config_source:
- # path: "/etc/envoy/hmac.yaml"
- # forward_bearer_token: true
- # redirect_path_matcher:
- # path:
- # exact: /session/callback
- # redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/session/callback"
- # signout_path:
- # path:
- # exact: /session/destroy
- # token_endpoint:
- # cluster: oidc
- # uri: https://gitlab.com/oauth/token
- # timeout: 5s
- # use_refresh_token: true
+ - name: envoy.filters.http.oauth2
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
+ config:
+ auth_scopes:
+ - user
+ - openid
+ - email
+ authorization_endpoint: https://gitlab.com/oauth/authorize
+ credentials:
+ client_id: client_id
+ token_secret:
+ name: client_secret
+ hmac_secret:
+ name: hmac_secret
+ forward_bearer_token: true
+ redirect_path_matcher:
+ path:
+ exact: /session/callback
+ redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/session/callback"
+ signout_path:
+ path:
+ exact: /session/destroy
+ token_endpoint:
+ cluster: oidc
+ uri: https://gitlab.com/oauth/token
+ timeout: 5s
+ use_refresh_token: true
 - name: envoy.filters.http.router
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router |
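Review bot: The `redirect_uri` in the now-active filter takes its scheme from the request's `x-forwarded-proto` header and its host from `:authority`, both of which the client supplies unless the connection manager is configured to overwrite them; that part of the config is outside this hunk. If the listener is only ever reached over TLS, pinning the scheme removes one client-controlled input: `redirect_uri: "https://%REQ(:authority)%/session/callback"`. Two values also look like leftovers to confirm before relying on this filter: `client_id: client_id` reads as a placeholder rather than a registered application ID, and `user` under `auth_scopes` does not appear to be a GitLab scope (`read_user` is probably what was meant). With `forward_bearer_token: true` the GitLab access token is passed on to the upstream, so the requested scopes should be the minimum that service needs.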
