Diffstat (limited to 'etc/envoy')
| -rw-r--r-- | etc/envoy/envoy.yaml | 84 |
1 files changed, 76 insertions, 8 deletions
diff --git a/etc/envoy/envoy.yaml b/etc/envoy/envoy.yaml
index 5842448..d07915d 100644
--- a/etc/envoy/envoy.yaml
+++ b/etc/envoy/envoy.yaml
@@ -3,6 +3,14 @@ admin:
 socket_address:
 address: 0.0.0.0
 port_value: 9901
+application_log_config:
+ log_format:
+ json_format:
+ Timestamp: "%Y-%m-%dT%T.%F"
+ ThreadId: "%t"
+ SourceLine: "%s:%#"
+ Level: "%l"
+ Message: "%j"
 overload_manager:
 resource_monitors:
 - name: "envoy.resource_monitors.global_downstream_max_connections"
@@ -11,19 +19,22 @@ overload_manager:
 max_active_downstream_connections: 1024
 static_resources:
 clusters:
- - name: sparkle
- connect_timeout: 0.25s
- type: STRICT_DNS
- lb_policy: ROUND_ROBIN
+ - name: authzd
+ connect_timeout: 5s
 load_assignment:
- cluster_name: sparkle
+ cluster_name: authzd
 endpoints:
 - lb_endpoints:
 - endpoint:
 address:
 socket_address:
- address: localhost
- port_value: 8080
+ address: 127.0.0.1
+ port_value: 10003
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicit_http_config:
+ http2_protocol_options: {}
 - name: oidc
 connect_timeout: 5s
 type: LOGICAL_DNS
@@ -43,6 +54,19 @@ static_resources:
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
 sni: example.com
+ - name: sparkle
+ connect_timeout: 0.25s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: sparkle
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 8080
 listeners:
 - name: listener_0
 address:
@@ -102,7 +126,7 @@ static_resources:
 id_token: id_token
 refresh_token: refresh_token
 oauth_nonce: oauth_nonce
- # code_verifier: code_verifier
+ code_verifier: code_verifier
 token_secret:
 name: client_secret
 hmac_secret:
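Review bot: The new `authzd` cluster in the second hunk leaves the cluster `type` unset while the `sparkle` cluster re-added later in the same commit spells out `type: STATIC` for the same 127.0.0.1 endpoint shape; for readability I would make the two agree and put `type: STATIC` directly under `connect_timeout: 5s`. Dropping the removed `lb_policy: ROUND_ROBIN` is harmless since it is the default, but the same line is kept on `sparkle`, so the asymmetry reads as accidental rather than deliberate. The plaintext HTTP/2 gRPC connection to the authorization service stays on loopback, so the absence of an upstream TLS context here is reasonable only as long as that endpoint address never moves off-host.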
@@ -140,6 +164,50 @@ static_resources:
 uri: "https://example.com/oauth/token"
 timeout: 5s
 use_refresh_token: true
+ - name: envoy.filters.http.jwt_authn
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
+ providers:
+ provider1:
+ audiences:
+ - OAUTH_CLIENT_ID
+ claim_to_headers:
+ - header_name: x-jwt-claim-sub
+ claim_name: sub
+ forward: true
+ forward_payload_header: x-jwt-payload
+ from_cookies:
+ - id_token
+ issuer: https://example.com
+ remote_jwks:
+ http_uri:
+ uri: https://example.com/oauth/discovery/keys
+ cluster: oidc
+ timeout: 5s
+ rules:
+ - match:
+ path: /health
+ - match:
+ prefix: /sparkles
+ - match:
+ prefix: /dashboard/nav
+ - match:
+ safe_regex:
+ regex: .*\\.(css|js|png|html|ico)$
+ - match:
+ path: /
+ - match:
+ path: /dashboard
+ requires:
+ provider_name: provider1
+ - name: envoy.filters.http.ext_authz
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+ grpc_service:
+ envoy_grpc:
+ cluster_name: authzd
+ timeout: 30s
+ failure_mode_allow: false
 - name: envoy.filters.http.router
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router |
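Review bot: The `safe_regex` rule gives `.*\\.(css|js|png|html|ico)$` as a plain (unquoted) scalar, and YAML does not process backslash escapes in plain scalars, so the pattern handed to RE2 contains a literal double backslash and matches "a backslash followed by any character" rather than a literal dot; if the intent is to exempt static assets, write `regex: '.*\.(css|js|png|html|ico)$'` (or keep the doubled backslash inside double quotes). Separately, the only rule carrying a `requires` is the exact path `/dashboard`, and by my reading of jwt_authn rule semantics a request that matches a rule without `requires` or matches no rule at all (for example `/dashboard/<anything>`) is passed on without verification. On those paths the filter does not run the provider, so as far as I can tell it neither sets nor strips `x-jwt-payload` / `x-jwt-claim-sub`, meaning client-supplied values for those headers reach `authzd` and the upstream unchanged; I'd confirm `authzd` does not trust them on unverified paths, or add a final catch-all rule with `requires` so every path is either verified or explicitly allowed. `audiences: - OAUTH_CLIENT_ID` looks like a value meant to be templated in; if it is deployed literally, tokens issued for the real client id will fail the audience check.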
