blob: a6977d1f2ebfc212c8fcfcbcb02667234cfc5d64 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
|
admin:
address:
socket_address:
address: 0.0.0.0
port_value: 9901
application_log_config:
log_format:
json_format:
Timestamp: "%Y-%m-%dT%T.%F"
ThreadId: "%t"
SourceLine: "%s:%#"
Level: "%l"
Message: "%j"
overload_manager:
resource_monitors:
- name: "envoy.resource_monitors.global_downstream_max_connections"
typed_config:
"@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
max_active_downstream_connections: 1024
static_resources:
clusters:
- name: authzd
connect_timeout: 5s
load_assignment:
cluster_name: authzd
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 127.0.0.1
port_value: 10003
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options: {}
- name: oidc
connect_timeout: 5s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: oidc
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: example.com
port_value: 443
hostname: example.com
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: example.com
- name: sparkle
connect_timeout: 0.25s
type: STATIC
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: sparkle
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 127.0.0.1
port_value: 8080
listeners:
- name: listener_0
address:
socket_address:
protocol: TCP
address: 0.0.0.0
port_value: 10000
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
access_log:
- name: envoy.access_loggers.stdout
typed_config:
"@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
log_format:
json_format:
app: "envoy"
authority: "%REQ(:AUTHORITY)%"
bytes_received: "%BYTES_RECEIVED%"
bytes_sent: "%BYTES_SENT%"
client_ip: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
duration: "%DURATION%"
forwarded_for: "%REQ(X-FORWARDED-FOR)%"
method: "%REQ(:METHOD)%"
path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
protocol: "%PROTOCOL%"
request_id: "%REQ(X-REQUEST-ID)%"
response_code: "%RESPONSE_CODE%"
timestamp: "%START_TIME%"
user_agent: "%REQ(USER-AGENT)%"
codec_type: AUTO
http_filters:
- name: envoy.filters.http.health_check
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
pass_through_mode: false
headers:
- name: ":path"
string_match:
exact: "/health"
- name: envoy.filters.http.oauth2
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
config:
auth_scopes:
- email
- openid
- profile
auth_type: BASIC_AUTH
authorization_endpoint: "https://example.com/oauth/authorize"
credentials:
client_id: "OAUTH_CLIENT_ID"
cookie_names:
bearer_token: bearer_token
oauth_hmac: oauth_hmac
oauth_expires: oauth_expires
id_token: id_token
refresh_token: refresh_token
oauth_nonce: oauth_nonce
code_verifier: code_verifier
token_secret:
name: client_secret
hmac_secret:
name: hmac_secret
forward_bearer_token: true
pass_through_matcher:
- name: ":path"
string_match:
safe_regex:
regex: .*\\.(css|js|png|html|ico)$
- name: ":path"
string_match:
exact: "/health"
- name: ":path"
string_match:
exact: "/"
- name: ":path"
string_match:
exact: "/sparkles"
- name: ":path"
string_match:
exact: "/sparkles/restore"
- name: ":path"
string_match:
exact: "/dashboard/nav"
redirect_path_matcher:
path:
exact: /callback
redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback"
retry_policy:
num_retries: 3
signout_path:
path:
exact: /signout
token_endpoint:
cluster: oidc
uri: "https://example.com/oauth/token"
timeout: 5s
use_refresh_token: true
- name: envoy.filters.http.jwt_authn
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
providers:
id_token_provider:
audiences:
- OAUTH_CLIENT_ID
claim_to_headers:
- claim_name: sub
header_name: x-jwt-claim-sub
- claim_name: nickname
header_name: x-jwt-claim-username
- claim_name: profile
header_name: x-jwt-claim-profile-url
- claim_name: picture
header_name: x-jwt-claim-picture-url
forward: false
forward_payload_header: x-jwt-payload
from_cookies:
- id_token
issuer: https://example.com
remote_jwks:
http_uri:
uri: https://example.com/oauth/discovery/keys
cluster: oidc
timeout: 5s
rules:
- match:
safe_regex:
regex: .*\\.(css|js|png|html|ico)$
- match:
prefix: /
requires:
requires_any:
requirements:
- provider_name: id_token_provider
- allow_missing: {}
- name: envoy.filters.http.ext_authz
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
grpc_service:
envoy_grpc:
cluster_name: authzd
timeout: 30s
failure_mode_allow: false
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
suppress_envoy_headers: true
route_config:
request_headers_to_remove:
- authorization
- cookie
- user-agent
virtual_hosts:
- name: local
domains: ["*"]
routes:
- match:
prefix: "/"
route:
cluster: sparkle
timeout: 5s
retry_policy:
retry_on: "5xx"
num_retries: 3
stat_prefix: ingress_http
secrets:
- name: client_secret
generic_secret:
secret:
environment_variable: OAUTH_CLIENT_SECRET
- name: hmac_secret
generic_secret:
secret:
environment_variable: HMAC_SESSION_SECRET
|
