-
Notifications
You must be signed in to change notification settings - Fork 5
/
envoy-template.yaml
123 lines (119 loc) · 5.4 KB
/
envoy-template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Envoy configuration template
# Proxies HTTP -> HTTPS with an AWS V4 signed request prefixed onto a bucket
# e.g. http://example.com/foo ->
# https://$ORIGIN_BUCKET_NAME.$STORAGE_ENDPOINT/foo <V4 signed>
#
# Template contains substitution variables:
# ORIGIN_BUCKET_REGION: Storage bucket region (e.g. "auto")
# ORIGIN_BUCKET_NAME: Name of the storage bucket
# ORIGIN_STORAGE_ENDPOINT: S3 compatible endpoint
# GCS: storage.googleapis.com
# S3: s3.amazonaws.com
#
# AWS V4 signing expect the environment variables to be set:
# AWS_ACCESS_KEY_ID
# AWS_SECRET_ACCESS_KEY
static_resources:
listeners:
- address:
socket_address: { address: 0.0.0.0, port_value: 8080 }
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
codec_type: AUTO
stat_prefix: ingress_http
route_config:
name: local_route
virtual_hosts:
- name: auth-proxy
domains: ["*"]
routes:
- match: { prefix: "/" }
route:
cluster: origin|443
http_filters:
- name: envoy.filters.http.lua
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
inline_code: |
-- Called on request path.
function envoy_on_request(request_handle)
local headers = request_handle:headers()
local path = headers:get(':path')
-- strip all query parameters from request
local pos = string.find(path, '?')
if pos then
path = string.sub(path, 1, pos-1)
headers:replace(':path', path)
request_handle:logDebug('Stripped query parms from path: '..path)
end
end
-- Called on response path.
function envoy_on_response(response_handle)
-- Remove headers with these prefixes
local header_remove_prefixes = { 'x-goog', 'x-envoy', 'x-amz', 'x-aws', 'x-guploader-uploadid' }
local headers = response_handle:headers()
local remove_headers = {}
for k, v in pairs(headers) do
for i, pfx in ipairs(header_remove_prefixes) do
match = k:sub(1, #pfx) == pfx
if match then
table.insert(remove_headers, k)
break
end
end
end
for k, v in ipairs(remove_headers) do
-- Always keep object custom user metadata headers
if k ~= 'x-aws-meta' and k ~= 'x-goog-meta' then
response_handle:logDebug('Removed response header:'..v)
headers:remove(v)
end
end
end
- name: envoy.filters.http.aws_request_signing
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigning
service_name: s3
region: "$ORIGIN_BUCKET_REGION"
host_rewrite: "$ORIGIN_BUCKET_NAME.$ORIGIN_STORAGE_ENDPOINT"
- name: envoy.filters.http.router
clusters:
- name: origin|443
connect_timeout: 0.25s
type: LOGICAL_DNS
dns_lookup_family: V4_ONLY
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: origin|443
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address: { address: "$ORIGIN_BUCKET_NAME.$ORIGIN_STORAGE_ENDPOINT", port_value: 443 }
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: $ORIGIN_STORAGE_ENDPOINT
common_tls_context:
validation_context:
trusted_ca:
filename: "/etc/ssl/certs/ca-certificates.crt"
match_subject_alt_names:
- exact: "*.$ORIGIN_STORAGE_ENDPOINT"