From cb3f6782aa8b627eab37e10cc2a234ce44c6ebb0 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Fri, 9 May 2025 12:12:00 -0600
Subject: chore: enable oidc filter with static secrets

---
 .env | 1 +
 envoy.yml | 71 +++++++++++++++++++++++++++++++++------------------------------
 2 files changed, 38 insertions(+), 34 deletions(-)

diff --git a/.env b/.env
index 92f8770..7a33d59 100644
--- a/.env
+++ b/.env
@@ -1,5 +1,6 @@
 APP_ENV=development
 BIND_ADDR=:8080
+HMAC_SESSION_SECRET=session_secret
 HOST=localhost
 OAUTH_CLIENT_ID=client_id
 OAUTH_CLIENT_SECRET=client_secret
diff --git a/envoy.yml b/envoy.yml
index bff7a31..270606d 100644
--- a/envoy.yml
+++ b/envoy.yml
@@ -4,6 +4,15 @@ admin:
 address: 0.0.0.0
 port_value: 9901
 static_resources:
+ secrets:
+ - name: client_secret
+ generic_secret:
+ secret:
+ environment_variable: OAUTH_CLIENT_SECRET
+ - name: hmac_secret
+ generic_secret:
+ secret:
+ environment_variable: HMAC_SESSION_SECRET
 listeners:
 - name: listener_0
 address:
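Review bot: `HMAC_SESSION_SECRET=session_secret` is a fixed, guessable value for the key that the oauth2 filter's `hmac_secret` entry in envoy.yml consumes, and because `.env` is tracked next to `envoy.yml` it travels with the repository. Presumably this is a local-development placeholder (`APP_ENV=development` sits two lines above), but nothing on the line says so or says where the real value comes from. I would state that in place: `# HMAC_SESSION_SECRET: local-development placeholder only; envoy's oauth2 filter reads it through the hmac_secret static secret — supply a long random value outside development`. The existing `OAUTH_CLIENT_SECRET=client_secret` line has the same shape, though it is not part of this change.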
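Review bot: Both `generic_secret` entries take their value from `environment_variable:`, which as far as I know is resolved once when the bootstrap is loaded and never re-read, so rotating either secret now means restarting Envoy — a step back from the file-backed `sds_config` / `path_config_source` the old commented block pointed at, which SDS would pick up on change. The commit title says static secrets are intentional, so I would make that explicit in the config rather than leave it to the next reader: `# Static secrets: resolved from the environment at bootstrap and not reloaded — restart Envoy to rotate.` placed above `secrets:`. This also assumes the `.env` values are actually exported into Envoy's process environment, which nothing in this diff shows; worth confirming against however Envoy is launched.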
@@ -36,40 +45,34 @@ static_resources:
 forwarded_for: "%REQ(X-FORWARDED-FOR)%"
 user_agent: "%REQ(USER-AGENT)%"
 http_filters:
- # - name: envoy.filters.http.oauth2
- # typed_config:
- # "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
- # config:
- # auth_scopes:
- # - user
- # - openid
- # - email
- # authorization_endpoint: https://gitlab.com/oauth/authorize
- # credentials:
- # client_id: client_id
- # token_secret:
- # name: token
- # sds_config:
- # path_config_source:
- # path: "/etc/envoy/client_secret.yaml"
- # hmac_secret:
- # name: hmac
- # sds_config:
- # path_config_source:
- # path: "/etc/envoy/hmac.yaml"
- # forward_bearer_token: true
- # redirect_path_matcher:
- # path:
- # exact: /session/callback
- # redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/session/callback"
- # signout_path:
- # path:
- # exact: /session/destroy
- # token_endpoint:
- # cluster: oidc
- # uri: https://gitlab.com/oauth/token
- # timeout: 5s
- # use_refresh_token: true
+ - name: envoy.filters.http.oauth2
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
+ config:
+ auth_scopes:
+ - user
+ - openid
+ - email
+ authorization_endpoint: https://gitlab.com/oauth/authorize
+ credentials:
+ client_id: client_id
+ token_secret:
+ name: client_secret
+ hmac_secret:
+ name: hmac_secret
+ forward_bearer_token: true
+ redirect_path_matcher:
+ path:
+ exact: /session/callback
+ redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/session/callback"
+ signout_path:
+ path:
+ exact: /session/destroy
+ token_endpoint:
+ cluster: oidc
+ uri: https://gitlab.com/oauth/token
+ timeout: 5s
+ use_refresh_token: true
 - name: envoy.filters.http.router
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
--
cgit v1.2.3
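Review bot: `redirect_uri` is assembled from `%REQ(x-forwarded-proto)%` and `%REQ(:authority)%`, both of which arrive on the request, so unless the listener (outside this hunk) pins the virtual host's `domains` and has Envoy set `x-forwarded-proto` itself (e.g. via `use_remote_address`), a client can influence the URI Envoy sends to the authorization endpoint; a missing header also presumably expands to `-`, yielding an invalid scheme. The HCM and `virtual_hosts` settings are not visible here, so this may already be covered; if so, a comment above `redirect_uri` naming that dependency would save the next reader the check, e.g. `# scheme and host are taken from the request; relies on the virtual host domains list and on the HCM sanitizing x-forwarded-proto`. Separately, `client_id: client_id` repeats the `OAUTH_CLIENT_ID` value from `.env` by hand — the filter's `client_id` is a plain string, not a secret reference — so the two must be kept in sync manually, which deserves a comment of its own.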