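---
# Envoy bootstrap: OAuth2 login (oauth2 filter) -> id_token validation
# (jwt_authn) -> external authorization (ext_authz over gRPC) in front of the
# "sparkle" application. The identity provider is example.com; client and HMAC
# secrets are read from the environment (see `secrets` at the bottom).
#
# Changes vs. the previous revision:
#   * the `oidc` upstream TLS context had no validation_context, so the token
#     endpoint and JWKS were fetched without verifying the server certificate;
#   * the jwt_authn static-asset regex was written as `.*\\.(...)$` in a plain
#     scalar (doubled backslash), which requires a literal '\' in the path;
#   * ambiguous plain scalars (regexes, URLs) are now quoted.

# NOTE(review): the admin interface listens on every interface. It exposes
# config dumps (including resolved secrets' names), stats and runtime knobs, so
# it must be unreachable from untrusted networks; bind to 127.0.0.1 unless a
# probe outside the process genuinely needs it.
admin:
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901

application_log_config:
  log_format:
    json_format:
      Timestamp: "%Y-%m-%dT%T.%F"
      ThreadId: "%t"
      SourceLine: "%s:%#"
      Level: "%l"
      Message: "%j"

overload_manager:
  resource_monitors:
    # Hard cap on concurrently open downstream connections across listeners.
    - name: "envoy.resource_monitors.global_downstream_max_connections"
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
        max_active_downstream_connections: 1024

static_resources:
  clusters:
    # External authorization service, gRPC over HTTP/2 on localhost.
    - name: authzd
      connect_timeout: 5s
      load_assignment:
        cluster_name: authzd
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 10003
      typed_extension_protocol_options:
        envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
          "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
          explicit_http_config:
            http2_protocol_options: {}

    # Identity provider: token endpoint (oauth2 filter) and JWKS (jwt_authn).
    - name: oidc
      connect_timeout: 5s
      type: LOGICAL_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: oidc
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: example.com
                      port_value: 443
                  hostname: example.com
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          sni: example.com
          # Without a validation_context Envoy accepts whatever certificate the
          # peer presents, so code exchange and signing-key download would run
          # over an unauthenticated channel. Trust the system CA bundle and
          # require the expected DNS SAN. The path is the Debian/Ubuntu bundle
          # used by the official Envoy images; adjust for other base images.
          common_tls_context:
            validation_context:
              trusted_ca:
                filename: /etc/ssl/certs/ca-certificates.crt
              match_typed_subject_alt_names:
                - san_type: DNS
                  matcher:
                    exact: example.com

    # The protected application.
    - name: sparkle
      connect_timeout: 0.25s
      type: STATIC
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: sparkle
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 8080

  listeners:
    - name: listener_0
      address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 10000
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                access_log:
                  - name: envoy.access_loggers.stdout
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
                      log_format:
                        json_format:
                          app: "envoy"
                          authority: "%REQ(:AUTHORITY)%"
                          bytes_received: "%BYTES_RECEIVED%"
                          bytes_sent: "%BYTES_SENT%"
                          client_ip: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
                          duration: "%DURATION%"
                          forwarded_for: "%REQ(X-FORWARDED-FOR)%"
                          method: "%REQ(:METHOD)%"
                          path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
                          protocol: "%PROTOCOL%"
                          request_id: "%REQ(X-REQUEST-ID)%"
                          response_code: "%RESPONSE_CODE%"
                          timestamp: "%START_TIME%"
                          user_agent: "%REQ(USER-AGENT)%"
                codec_type: AUTO
                # Filter order matters: health check answers before any auth,
                # oauth2 establishes the session, jwt_authn validates it,
                # ext_authz decides, router forwards.
                http_filters:
                  - name: envoy.filters.http.health_check
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
                      pass_through_mode: false
                      headers:
                        - name: ":path"
                          string_match:
                            exact: "/health"

                  # Authorization-code login; session state lives in the
                  # HMAC-protected cookies named below.
                  - name: envoy.filters.http.oauth2
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
                      config:
                        auth_scopes:
                          - email
                          - openid
                          - profile
                        auth_type: BASIC_AUTH
                        authorization_endpoint: "https://example.com/oauth/authorize"
                        credentials:
                          client_id: "OAUTH_CLIENT_ID"
                          cookie_names:
                            bearer_token: bearer_token
                            oauth_hmac: oauth_hmac
                            oauth_expires: oauth_expires
                            id_token: id_token
                            refresh_token: refresh_token
                            oauth_nonce: oauth_nonce
                            code_verifier: code_verifier
                          token_secret:
                            name: client_secret
                          hmac_secret:
                            name: hmac_secret
                        forward_bearer_token: true
                        # Requests matching any entry skip the login redirect;
                        # they still pass through jwt_authn and ext_authz.
                        pass_through_matcher:
                          - name: ":path"
                            string_match:
                              safe_regex:
                                regex: '\A.+\.(css|html|ico|js|png)\z'
                          - name: ":path"
                            string_match:
                              exact: "/health"
                          - name: ":path"
                            string_match:
                              exact: "/"
                          - name: ":path"
                            string_match:
                              exact: "/sparkles"
                          - name: ":path"
                            string_match:
                              exact: "/dashboard/nav"
                        redirect_path_matcher:
                          path:
                            exact: /callback
                        # NOTE(review): scheme and host are taken from request
                        # headers. This is only sound when a trusted front proxy
                        # sets x-forwarded-proto and this listener is not
                        # reachable by clients directly; otherwise pin them.
                        redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback"
                        retry_policy:
                          num_retries: 3
                        signout_path:
                          path:
                            exact: /signout
                        token_endpoint:
                          cluster: oidc
                          uri: "https://example.com/oauth/token"
                          timeout: 5s
                        use_refresh_token: true

                  # Validate the id_token cookie against the IdP's JWKS and
                  # surface selected claims as x-jwt-claim-* headers.
                  - name: envoy.filters.http.jwt_authn
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
                      providers:
                        id_token_provider:
                          audiences:
                            - OAUTH_CLIENT_ID
                          # NOTE(review): `allow_missing` below lets requests
                          # without a token through. Confirm that client-supplied
                          # x-jwt-claim-* / x-jwt-payload headers are stripped in
                          # that case; ext_authz and the app must not trust them
                          # unless they originate from this filter.
                          claim_to_headers:
                            - claim_name: sub
                              header_name: x-jwt-claim-sub
                            - claim_name: nickname
                              header_name: x-jwt-claim-username
                            - claim_name: profile
                              header_name: x-jwt-claim-profile-url
                            - claim_name: picture
                              header_name: x-jwt-claim-picture-url
                          forward: false
                          forward_payload_header: x-jwt-payload
                          from_cookies:
                            - id_token
                          issuer: "https://example.com"
                          remote_jwks:
                            http_uri:
                              uri: "https://example.com/oauth/discovery/keys"
                              cluster: oidc
                              timeout: 5s
                      # First matching rule wins.
                      rules:
                        # Static assets need no token. Single backslash is the
                        # intended escape; the plain-scalar `\\.` it replaces
                        # required a literal backslash in the path.
                        - match:
                            safe_regex:
                              regex: '.*\.(css|js|png|html|ico)$'
                        # Everything else: a present token must be valid, a
                        # missing token is tolerated and left to ext_authz.
                        - match:
                            prefix: /
                          requires:
                            requires_any:
                              requirements:
                                - provider_name: id_token_provider
                                - allow_missing: {}

                  # Authorization decision by the external gRPC service;
                  # fails closed when the service is unreachable or times out.
                  - name: envoy.filters.http.ext_authz
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                      grpc_service:
                        envoy_grpc:
                          cluster_name: authzd
                        timeout: 30s
                      failure_mode_allow: false

                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                      suppress_envoy_headers: true

                route_config:
                  # Session cookies and the bearer token never reach the app;
                  # identity travels only in the headers set by jwt_authn.
                  request_headers_to_remove:
                    - authorization
                    - cookie
                    - user-agent
                  virtual_hosts:
                    - name: local
                      domains: ["*"]
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: sparkle
                            timeout: 5s
                            retry_policy:
                              retry_on: "5xx"
                              num_retries: 3
                stat_prefix: ingress_http

  # Secrets are injected via environment variables, never inlined here.
  secrets:
    - name: client_secret
      generic_secret:
        secret:
          environment_variable: OAUTH_CLIENT_SECRET
    - name: hmac_secret
      generic_secret:
        secret:
          environment_variable: HMAC_SESSION_SECRET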