From 4bd72e131c7db3093c7bd4236a5d2319462fcbad Mon Sep 17 00:00:00 2001 From: mo khan Date: Mon, 12 May 2025 13:40:49 -0600 Subject: chore: mimic how services are run between docker and host machine --- etc/envoy/envoy.yaml | 174 +++++++++++++++++++++++++++++++++++++++++++++++++++ etc/envoy/envoy.yml | 174 --------------------------------------------------- 2 files changed, 174 insertions(+), 174 deletions(-) create mode 100644 etc/envoy/envoy.yaml delete mode 100644 etc/envoy/envoy.yml (limited to 'etc') diff --git a/etc/envoy/envoy.yaml b/etc/envoy/envoy.yaml new file mode 100644 index 0000000..3c8df3a --- /dev/null +++ b/etc/envoy/envoy.yaml 
@@ -0,0 +1,174 @@ +admin: + address: + socket_address: + address: 0.0.0.0 + port_value: 9901 +static_resources: + clusters: + - name: sparkle + connect_timeout: 0.25s + type: STRICT_DNS + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: sparkle + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: localhost + port_value: 8080 + - name: oidc + connect_timeout: 5s + type: LOGICAL_DNS + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: oidc + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: example.com + port_value: 443 + hostname: example.com + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: example.com + listeners: + - name: listener_0 + address: + socket_address: + protocol: TCP + address: 0.0.0.0 + port_value: 10000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog + log_format: + json_format: + timestamp: "%START_TIME%" + client_ip: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%" + authority: "%REQ(:AUTHORITY)%" + protocol: "%PROTOCOL%" + method: "%REQ(:METHOD)%" + path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%" + request_id: "%REQ(X-REQUEST-ID)%" + response_code: "%RESPONSE_CODE%" + bytes_received: "%BYTES_RECEIVED%" + bytes_sent: "%BYTES_SENT%" + duration: "%DURATION%" + forwarded_for: "%REQ(X-FORWARDED-FOR)%" + user_agent: "%REQ(USER-AGENT)%" + codec_type: AUTO + http_filters: + - name: envoy.filters.http.oauth2 + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 + config: + auth_scopes: + - email + - openid + - 
profile + auth_type: BASIC_AUTH + authorization_endpoint: "https://example.com/oauth/authorize" + credentials: + client_id: "OAUTH_CLIENT_ID" + cookie_names: + bearer_token: bearer_token + oauth_hmac: oauth_hmac + oauth_expires: oauth_expires + id_token: id_token + refresh_token: refresh_token + oauth_nonce: oauth_nonce + # code_verifier: code_verifier + token_secret: + name: client_secret + hmac_secret: + name: hmac_secret + forward_bearer_token: true + pass_through_matcher: + - name: ":path" + safe_regex_match: + regex: .*\\.(css|js|png|html|ico)$ + - name: ":path" + string_match: + exact: "/health" + - name: ":path" + string_match: + exact: "/" + - name: ":path" + string_match: + exact: "/sparkles" + - name: ":path" + string_match: + exact: "/sparkles/restore" + - name: ":path" + string_match: + exact: "/dashboard/nav" + redirect_path_matcher: + path: + exact: /callback + redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback" + signout_path: + path: + exact: /signout + token_endpoint: + cluster: oidc + uri: "https://example.com/oauth/token" + timeout: 5s + use_refresh_token: true + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + upstream_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog + log_format: + json_format: + timestamp: "%START_TIME%" + client_ip: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%" + authority: "%REQ(:AUTHORITY)%" + protocol: "%PROTOCOL%" + method: "%REQ(:METHOD)%" + path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%" + request_id: "%REQ(X-REQUEST-ID)%" + response_code: "%RESPONSE_CODE%" + bytes_received: "%BYTES_RECEIVED%" + bytes_sent: "%BYTES_SENT%" + duration: "%DURATION%" + forwarded_for: "%REQ(X-FORWARDED-FOR)%" + user_agent: "%REQ(USER-AGENT)%" + suppress_envoy_headers: true + route_config: + virtual_hosts: + - name: local + domains: ["*"] + routes: + - 
match: + prefix: "/" + route: + cluster: sparkle + timeout: 5s + retry_policy: + retry_on: "5xx" + num_retries: 3 + stat_prefix: ingress_http + secrets: + - name: client_secret + generic_secret: + secret: + environment_variable: OAUTH_CLIENT_SECRET + - name: hmac_secret + generic_secret: + secret: + environment_variable: HMAC_SESSION_SECRET diff --git a/etc/envoy/envoy.yml b/etc/envoy/envoy.yml deleted file mode 100644 index 3c8df3a..0000000 --- a/etc/envoy/envoy.yml +++ /dev/null 
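Review bot: The `oidc` cluster's UpstreamTlsContext carries only `sni` and no `common_tls_context.validation_context`, so Envoy will not verify the identity provider's certificate on the token-endpoint connection that sends the client secret (`auth_type: BASIC_AUTH`) and authorization codes; a trusted CA plus a SAN match should be added as below (adjust the bundle path to where it lives in the container). Separately, the pass-through regex `.*\\.(css|js|png|html|ico)$` is an unquoted plain scalar, so the regex engine receives a literal `\\` and only matches paths containing a backslash; the intended `'.*\.(css|js|png|html|ico)$'` would pass through static assets, but because `:path` includes the query string it would also be satisfied by appending `?x=.css` to any path, so the upstream must not treat reaching it without a redirect as proof of authentication. The admin interface on `0.0.0.0:9901` has no authentication of its own; unless the container network is isolated, `address: 127.0.0.1` is the safer default. `redirect_uri` is assembled from the request's `x-forwarded-proto` and `:authority` headers, which is acceptable only if the IdP enforces an exact registered redirect URI and a trusted proxy sets those headers.
```yaml
          sni: example.com
          common_tls_context:
            validation_context:
              trusted_ca:
                filename: /etc/ssl/certs/ca-certificates.crt
              match_typed_subject_alt_names:
                - san_type: DNS
                  matcher:
                    exact: example.com
# … unchanged: listeners, oauth2 filter, route_config, secrets …
```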
@@ -1,174 +0,0 @@ -admin: - address: - socket_address: - address: 0.0.0.0 - port_value: 9901 -static_resources: - clusters: - - name: sparkle - connect_timeout: 0.25s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: sparkle - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: localhost - port_value: 8080 - - name: oidc - connect_timeout: 5s - type: LOGICAL_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: oidc - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: example.com - port_value: 443 - hostname: example.com - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - sni: example.com - listeners: - - name: listener_0 - address: - socket_address: - protocol: TCP - address: 0.0.0.0 - port_value: 10000 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - access_log: - - name: envoy.access_loggers.stdout - typed_config: - "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog - log_format: - json_format: - timestamp: "%START_TIME%" - client_ip: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%" - authority: "%REQ(:AUTHORITY)%" - protocol: "%PROTOCOL%" - method: "%REQ(:METHOD)%" - path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%" - request_id: "%REQ(X-REQUEST-ID)%" - response_code: "%RESPONSE_CODE%" - bytes_received: "%BYTES_RECEIVED%" - bytes_sent: "%BYTES_SENT%" - duration: "%DURATION%" - forwarded_for: "%REQ(X-FORWARDED-FOR)%" - user_agent: "%REQ(USER-AGENT)%" - codec_type: AUTO - http_filters: - - name: envoy.filters.http.oauth2 - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 - config: - auth_scopes: - - email - - openid - - 
profile - auth_type: BASIC_AUTH - authorization_endpoint: "https://example.com/oauth/authorize" - credentials: - client_id: "OAUTH_CLIENT_ID" - cookie_names: - bearer_token: bearer_token - oauth_hmac: oauth_hmac - oauth_expires: oauth_expires - id_token: id_token - refresh_token: refresh_token - oauth_nonce: oauth_nonce - # code_verifier: code_verifier - token_secret: - name: client_secret - hmac_secret: - name: hmac_secret - forward_bearer_token: true - pass_through_matcher: - - name: ":path" - safe_regex_match: - regex: .*\\.(css|js|png|html|ico)$ - - name: ":path" - string_match: - exact: "/health" - - name: ":path" - string_match: - exact: "/" - - name: ":path" - string_match: - exact: "/sparkles" - - name: ":path" - string_match: - exact: "/sparkles/restore" - - name: ":path" - string_match: - exact: "/dashboard/nav" - redirect_path_matcher: - path: - exact: /callback - redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback" - signout_path: - path: - exact: /signout - token_endpoint: - cluster: oidc - uri: "https://example.com/oauth/token" - timeout: 5s - use_refresh_token: true - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - upstream_log: - - name: envoy.access_loggers.stdout - typed_config: - "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog - log_format: - json_format: - timestamp: "%START_TIME%" - client_ip: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%" - authority: "%REQ(:AUTHORITY)%" - protocol: "%PROTOCOL%" - method: "%REQ(:METHOD)%" - path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%" - request_id: "%REQ(X-REQUEST-ID)%" - response_code: "%RESPONSE_CODE%" - bytes_received: "%BYTES_RECEIVED%" - bytes_sent: "%BYTES_SENT%" - duration: "%DURATION%" - forwarded_for: "%REQ(X-FORWARDED-FOR)%" - user_agent: "%REQ(USER-AGENT)%" - suppress_envoy_headers: true - route_config: - virtual_hosts: - - name: local - domains: ["*"] - routes: - - 
match: - prefix: "/" - route: - cluster: sparkle - timeout: 5s - retry_policy: - retry_on: "5xx" - num_retries: 3 - stat_prefix: ingress_http - secrets: - - name: client_secret - generic_secret: - secret: - environment_variable: OAUTH_CLIENT_SECRET - - name: hmac_secret - generic_secret: - secret: - environment_variable: HMAC_SESSION_SECRET -- cgit v1.2.3