-
Notifications
You must be signed in to change notification settings - Fork 14
/
envoy.yaml
148 lines (142 loc) · 5.84 KB
/
envoy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
admin:
access_log_path: /dev/null
address:
socket_address:
protocol: TCP
address: 0.0.0.0
port_value: 9901
static_resources:
listeners:
- name: listener_0
address:
socket_address: { address: 0.0.0.0, port_value: 10000 }
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
codec_type: auto
stat_prefix: index_http
route_config:
name: local_route
virtual_hosts:
- name: burgers_backend
domains: ["*"]
routes:
- name: basket
match:
prefix: "/api/basket"
route:
prefix_rewrite: "/api/basket"
cluster: burgers.basket.api
- name: orders
match:
prefix: "/api/orders"
route:
prefix_rewrite: "/api/orders"
cluster: burgers.ordering.api
upgrade_configs:
- upgrade_type: websocket
http_filters:
- name: envoy.filters.http.oauth2
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3alpha.OAuth2
config:
token_endpoint:
cluster: keycloak
uri: http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token
timeout: 5s
authorization_endpoint: http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/auth
redirect_uri: "http://%REQ(:authority)%/callback"
redirect_path_matcher:
path:
exact: /callback
signout_path:
path:
exact: /signout
credentials:
client_id: "burger-shop"
token_secret:
name: token
sds_config:
path: "/etc/envoy/token-secret.yaml"
hmac_secret:
name: hmac
sds_config:
path: "/etc/envoy/hmac-secret.yaml"
auth_scopes:
- openid
- profile
- email
- roles
- name: envoy.filters.http.jwt_authn
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
providers:
oidc_provider:
issuer: http://kubernetes.docker.internal:8080/auth/realms/master
audiences:
- master-realm
- account
payload_in_metadata: jwt_payload
forward_payload_header: x-jwt-payload
remote_jwks:
http_uri:
uri: http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/certs
cluster: keycloak
timeout: 5s
rules:
- match:
prefix: /api
requires:
requires_any:
requirements:
- provider_name: oidc_provider
- allow_missing_or_failed: {}
- name: envoy.filters.http.lua
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
inline_code: |
function envoy_on_request(request_handle)
local payload = request_handle:streamInfo():dynamicMetadata():get("envoy.filters.http.jwt_authn")["jwt_payload"]
request_handle:headers():add("jwt-extracted-sub", payload.sub)
end
function envoy_on_response(response_handle)
end
- name: envoy.router
clusters:
- name: keycloak
connect_timeout: 0.25s
type: strict_dns
lb_policy: round_robin
load_assignment:
cluster_name: keycloak
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address: { address: keycloak, port_value: 8080 }
- name: burgers.basket.api
connect_timeout: 0.25s
type: strict_dns
lb_policy: round_robin
load_assignment:
cluster_name: burgers.basket.api
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
{ address: burgers.basket.api, port_value: 80 }
- name: burgers.ordering.api
connect_timeout: 0.25s
type: strict_dns
lb_policy: round_robin
load_assignment:
cluster_name: burgers.ordering.api
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
{ address: burgers.ordering.api, port_value: 80 }