Skip to content

Commit 79c663b

Browse files
hfhf
authored
feat: remove api key checks in envoy (#1465)
* feat: remove api key checks in envoy * bump vars * add `x-sb-error-code` header to envoy lds.yaml when api key or opk don't match
1 parent d558fb3 commit 79c663b

File tree

3 files changed

+10
-65
lines changed

3 files changed

+10
-65
lines changed

ansible/files/envoy_config/lds.supabase.yaml

Lines changed: 4 additions & 63 deletions
Original file line numberDiff line numberDiff line change
@@ -37,51 +37,6 @@ resources:
3737
rules:
3838
action: DENY
3939
policies:
40-
api_key_missing:
41-
permissions:
42-
- any: true
43-
principals:
44-
- not_id:
45-
or_ids:
46-
ids:
47-
- header:
48-
name: apikey
49-
present_match: true
50-
- header:
51-
name: ':path'
52-
string_match:
53-
contains: apikey=
54-
api_key_not_valid:
55-
permissions:
56-
- any: true
57-
principals:
58-
- not_id:
59-
or_ids:
60-
ids:
61-
- header:
62-
name: apikey
63-
string_match:
64-
exact: anon_key
65-
- header:
66-
name: apikey
67-
string_match:
68-
exact: service_key
69-
- header:
70-
name: apikey
71-
string_match:
72-
exact: supabase_admin_key
73-
- header:
74-
name: ':path'
75-
string_match:
76-
contains: apikey=anon_key
77-
- header:
78-
name: ':path'
79-
string_match:
80-
contains: apikey=service_key
81-
- header:
82-
name: ':path'
83-
string_match:
84-
contains: apikey=supabase_admin_key
8540
origin_protection_key_missing:
8641
permissions:
8742
- any: true
@@ -234,6 +189,10 @@ resources:
234189
prefix: /metrics/aggregated
235190
invert_match: true
236191
status_code: 401
192+
headers_to_add:
193+
- header:
194+
key: x-sb-error-code
195+
value: '%RESPONSE_CODE_DETAILS%'
237196
body_format_override:
238197
json_format:
239198
message: >-
@@ -383,24 +342,6 @@ resources:
383342
route:
384343
cluster: admin_api
385344
prefix_rewrite: /privileged/
386-
typed_per_filter_config:
387-
envoy.filters.http.rbac:
388-
'@type': >-
389-
type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
390-
rbac:
391-
rules:
392-
action: DENY
393-
policies:
394-
basic_auth:
395-
permissions:
396-
- any: true
397-
principals:
398-
- header:
399-
name: authorization
400-
invert_match: true
401-
string_match:
402-
exact: Basic c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5
403-
treat_missing_header_as_empty: true
404345
- match:
405346
prefix: /metrics/aggregated
406347
request_headers_to_remove:

ansible/files/envoy_config/lds.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -215,6 +215,10 @@ resources:
215215
prefix: /metrics/aggregated
216216
invert_match: true
217217
status_code: 401
218+
headers_to_add:
219+
- header:
220+
key: x-sb-error-code
221+
value: '%RESPONSE_CODE_DETAILS%'
218222
body_format_override:
219223
json_format:
220224
message: >-

ansible/vars.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,8 +8,8 @@ postgres_major:
88

99
# Full version strings for each major version
1010
postgres_release:
11-
postgresorioledb-17: "17.0.1.040-orioledb"
12-
postgres15: "15.8.1.046"
11+
postgresorioledb-17: "17.0.1.041-orioledb"
12+
postgres15: "15.8.1.047"
1313

1414
# Non Postgres Extensions
1515
pgbouncer_release: "1.19.0"

0 commit comments

Comments
 (0)