Skip to content

Latest commit

 

History

History

pattern1

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
client
client
 
 
server
server
 
 
Dockerfile
Dockerfile
 
 
Dockerfile.apigee
Dockerfile.apigee
 
 
README.md
README.md
 
 
build-docker-apigee.sh
build-docker-apigee.sh
 
 
build-docker.sh
build-docker.sh
 
 
clean-docker-apigee.sh
clean-docker-apigee.sh
 
 
clean-docker.sh
clean-docker.sh
 
 
envoy-apigee.yaml
envoy-apigee.yaml
 
 
envoy.yaml
envoy.yaml
 
 
startup-apigee.sh
startup-apigee.sh
 
 
startup.sh
startup.sh
 
 

README.md

Pattern 1 - External Authorization

This sample implements Envoy's external authorization filter to demonstrate simple routing of requests to upstream targets

Scenario

In this example, a client sends requests to an endpoints serviced by Envoy. The consumer passes a header (x-backend-name) with the name the name of the backend. Envoy calls the ext_authz service and dynamically routes the consumer to the appropriate backend.

Routing Sample

Configuration

Routing configuration is managed by routes.json file. The file has three parts to it:

  • allowList: The paths allowed for access by the consumer. The other paths are rejected by the ext_authz service. There is a flag to enable/disable this.
  • routeHeader: The name of the header the consumer uses to select a route. The default header is x-backend-name. One can easily modify this to look for a claim in the JWT token.
  • routerules: A list of rules that map a name to basePath and hostname. This routes are not directly accessible by the consumer.

Testing via docker

Step 1: Build the docker image

./build-docker.sh

Testing locally

These steps work on Linux/Debian machines

Step 1: Run ext-authz server

go run ./server/main.go

Step 2: Run envoy

envoy -c envoy.yaml

Test endpoint(s)

Pass no backend header. The default will send the request to https://httpbin.org

curl localhost:8080/route -v

{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Content-Length": "0",
    "Host": "localhost",
    "User-Agent": "curl/7.72.0",
    "X-Amzn-Trace-Id": "Root=1-5f66d5bd-b781a4b0bc327988a65b5308",
    "X-Backend-Url": "default",
    "X-Envoy-Expected-Rq-Timeout-Ms": "15000",
    "X-Envoy-Original-Path": "/httpbin/get"
  },
  "origin": "xxxxx",
  "url": "https://localhost/get"
}

Pass mocktarget header to send to https://mocktarget.apigee.net

curl localhost:8080/route -v -H "x-backend-name: mocktarget"

<H2>I <3 APIs</H2>

Pass postman header to send to https://postman-echo.com

curl localhost:8080/route -v -H "x-backend-name: postman"

{"args":{},"headers":{"x-forwarded-proto":"https","x-forwarded-port":"443","host":"postman-echo.com","x-amzn-trace-id":"Root=1-5f66d571-fa7aef58f8499f30a449a694","content-length":"0","user-agent":"curl/7.72.0","accept":"*/*","x-backend-url":"postman","x-request-id":"df845e9a-62ce-403c-ade4-1fcc9352a858","x-envoy-expected-rq-timeout-ms":"15000","x-envoy-original-path":"/postman"},"url":"https://postman-echo.com/get"}

Cleanup

./clean-docker.sh

Testing with Apigee

NOTE: This step assumes you have completed the prereqisuite steps for Apigee Envoy adapter

Step 1: Set up prerequite files in the apigee folder. These files are gotten by settging up the Apigee Envoy adapter

apigee
├── config
│   ├── config.yaml
├── certs
│   ├── tls.key
│   ├── tls.crt
│   ├── ca.crt
├── policy-secret
│   ├── remote-service.key
│   ├── remote-service.crt
│   ├── remote-service.properties

Step 2: Build the docker image

./build-docker-apigee.sh

Step 3: Test the endpoints

Make sure you setup an API Product for /route, get credentials (developer app) and then try the endpoints.

Cleanup

./clean-docker-apigee.sh