Skip to content

srinandan/envoy-router

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
client
client
 
 
images
images
 
 
server
server
 
 
.gitignore
.gitignore
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
Dockerfile
Dockerfile
 
 
Dockerfile.envoy
Dockerfile.envoy
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
cloudbuild.yaml
cloudbuild.yaml
 
 
entrypoint.sh
entrypoint.sh
 
 
envoy-router.yaml
envoy-router.yaml
 
 
envoy.yaml
envoy.yaml
 
 
setup-secrets.sh
setup-secrets.sh
 
 
skaffold-gcp.yaml
skaffold-gcp.yaml
 
 
skaffold-local.yaml
skaffold-local.yaml
 
 

Repository files navigation

envoy-router

This repo demonstrates how to use Envoy's External Authorization aka ext_authz and External Processing aka ext_proc filters

At the time of writing repo, the ext_proc filter was marked as work-in-progress. Most of the major bits of functionality are complete.

Envoy Version

This repo was tested with Envoy version

envoy  version: c919bdec19d79e97f4f56e4095706f8e6a383f1c/1.22.2/Modified/RELEASE/BoringSSL

Sample Use Case

Routing Sample

  1. Client application sends a http request to Envoy
  2. Envoy is configured to call an ext_authz service. ext_authz service looks up a routing table to match the incoming request to a backend server. Despite using the ext_authz filter, no authorization is performed
  3. Envoy routes the http call to a backend (upstream) service. If the routing table has upstream authentication configured, then ext_auth will generate a token and add (or replace) the authorization header
  4. Envoy can be configured to call an ext_proc service. ext_proc service inspects the response status from the upstream service and adds an http header if the call was successful.

NOTES: a. Using an external routing service is useful only when one requires a heavily custom routing logic (ex: inspecting parts of the payload)

This repo relies on three Envoy HTTP filters:

Routing Table

This example of a routing table uses the incoming http path and matches it with the routing table stored as a json file. From that table, the backend/upstream service is picked up.

{
    "routerules" : [
      {
        "name": "mocktarget",
        "prefix": "/iloveapis",
        "backend": "mocktarget.apigee.net",
        "authentication": 0
      }   
    ]
}

Authentication

There are three authentication profiles supported:

  • OFF = 0: Do nothing, if an auth header is passed by the client, it is preserved
  • ACCESS_TOKEN = 1: Uses a google service account, obtains an access token (every 25 mins)
  • OIDC_TOKEN = 2: [TBD] Generates a Google OIDC token

The prefix is removed from the request from sending to the upstream service

Client sends HTTP GET /iloveapi/user to Envoy. This matches an entry to the routing table. The ext_authz service will send /user to mocktarget.apigee.net.

Support

This is not an officially supported Google product

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages