-
Notifications
You must be signed in to change notification settings - Fork 0
/
envoy.yaml
278 lines (277 loc) · 13.8 KB
/
envoy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
node:
cluster: test-cluster
id: test-id
static_resources:
listeners:
- address:
socket_address:
address: 0.0.0.0
port_value: 443
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
accessLog:
- name: envoy.access_loggers.file
typedConfig:
'@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
path: /dev/stdout
log_format:
text_format_source:
inline_string: "[%START_TIME%] %REQ(x-teg-oidcauthentication)% %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL% %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% %REQ(X-FORWARDED-FOR)% %REQ(USER-AGENT)% %REQ(X-REQUEST-ID)% %REQ(:AUTHORITY)% %UPSTREAM_HOST%\n"
http_filters:
- name: envoy.filters.http.oauth2-foo
disabled: true
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
config:
token_endpoint:
cluster: google_oauth2
uri: https://oauth2.googleapis.com/token
timeout: 3s
authorization_endpoint: https://accounts.google.com/o/oauth2/v2/auth
redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
redirect_path_matcher:
path:
exact: /oauth/callback
signout_path:
path:
exact: /signout
forward_bearer_token: true
credentials:
client_id: 250344188863-lddmgbasbdom9qpt1mr0rkln62281s6d.apps.googleusercontent.com
token_secret:
name: client_secret
sds_config:
path_config_source:
path: "/etc/client-secret.yaml"
hmac_secret:
name: hmac
sds_config:
path_config_source:
path: "/etc/hmac-secret.yaml"
cookie_names:
bearer_token: "EnvoyOauthBearerToken"
oauth_hmac: "EnvoyOauthHMAC"
oauth_expires: "EnvoyOauthExpires"
id_token: "EnvoyOauthIdToken"
refresh_token: "EnvoyOauthRefreshToken"
# (Optional): defaults to 'user' scope if not provided
auth_scopes:
- openid
- email
auth_type: BASIC_AUTH
- name: envoy.filters.http.oauth2-bar
disabled: true
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
config:
token_endpoint:
cluster: auth0
uri: https://samples.auth0.com/oauth/token
timeout: 3s
authorization_endpoint: https://samples.auth0.com/authorize
redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
redirect_path_matcher:
path:
exact: /oauth/callback
signout_path:
path:
exact: /signout
forward_bearer_token: true
credentials:
client_id: kbyuFDidLLm280LIwVFiazOqjO3ty8KH
token_secret:
name: client_secret
sds_config:
path_config_source:
path: "/etc/client-secret.yaml"
hmac_secret:
name: hmac
sds_config:
path_config_source:
path: "/etc/hmac-secret.yaml"
cookie_names:
bearer_token: "EnvoyOauthBearerToken"
oauth_hmac: "EnvoyOauthHMAC"
oauth_expires: "EnvoyOauthExpires"
id_token: "EnvoyOauthIdToken"
refresh_token: "EnvoyOauthRefreshToken"
# (Optional): defaults to 'user' scope if not provided
auth_scopes:
- openid
- email
auth_type: BASIC_AUTH
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
route_config:
name: local_route
virtual_hosts:
- name: service
domains:
- "*"
routes:
- match:
prefix: "/foo"
route:
cluster: local_service
typed_per_filter_config:
envoy.filters.http.oauth2-foo:
"@type": type.googleapis.com/envoy.config.route.v3.FilterConfig
config: {}
- match:
prefix: "/bar"
route:
cluster: local_service
typed_per_filter_config:
envoy.filters.http.oauth2-bar:
"@type": type.googleapis.com/envoy.config.route.v3.FilterConfig
config: {}
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
'@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
common_tls_context:
tls_certificates:
- certificate_chain:
inline_string: |
-----BEGIN CERTIFICATE-----
MIIEpDCCAowCCQDoXo45dTDtKTANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjMwNjEyMDkzMzUxWhcNMjQwNjExMDkzMzUxWjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC6
ebzqeVyF7KOY08FYAgxehE4Irn7CCO1W7m/izcKnue0VJ2LlvvefJhO1jKsqK2cx
yPz4vpcP2v/4HhfcEZScFo7XsUajshAmCEOJENoGja2BVKQCjx5bdtv6HHhgmaD0
dhhPw79y2jt81G3MQSNegVIurywkC0BY8oHZG1hwOtz1aWEX9Q8d9lUqPwTjSggU
0eaBlfO5o7HTwaaRrxtWYGl9+LLE5RnTn2ZtSkNQfKyc5WkZl9YV7rhvlgCptKjw
XhBLAS8+K8MHOrv5xbJ350ssVNox4IxUP2bc3LfMpldjT3xQOTODK94yuK7jcSwU
UHOHQA4q39TWnLfK1O+6zKI1xECQCS8uXfjRY1qLZ+K5Qpdk1h8dB0ZXXownqqPp
FgSg9zOZGHtvAXjAaPZGiTdoGBQ8nlKkrBcsmx1dNe41UFAJTm8sTRRbqYBfU63N
1Rsz/Q5EwKeRBl/qjNYqrQpotwEP0uT9lueAh/JWkBopZ1BlVMnd9GLecG0Xsl5M
En1pwtMr5dJSHH+19byQfSgnXpwoykUF/nzqvpV7oT0vpUFkvHiDGOmqnsZuVWL6
1HWp1HoM/YelfUIW6TDYYfo3SUQrdhBR40Lolkb6h9o9nPRko1ukvLvULkzZMwze
hBw/KYhYT32k2kCDrwK/VUzlogbdyQYnhuvxqjRWlQIDAQABMA0GCSqGSIb3DQEB
CwUAA4ICAQA/g1RKStNjnoxqmE5XCogwIT9h91o9Tla6519G2H+YgE3vZ7vt7/Ta
+s+8PKPUF0A1oSSKp9eiOJvBYzMpMm8NYKKKaC+11ReSZKXI4uGzyAEXTuCAkMjH
s0wIrO2w7wTub1cfHPo3zAlsfGVWnSsmLZuHhA/U2kz1pfH1xtwr4FhFSCVrvF/M
6VkEjDtpKxC5hwf4piYIYtsDSsxxsq26gArEVlG0pUvzTVBSjz7+Girw+mNQnXVa
wSjXXQPIv6x66EnyT5gGlDtd81VG8vmkRjvRbJJcXardakWTRoLy2qY3z2ydDN8u
hdw3p2PyIB7C4tRqNWyn3tTaif7DqaDH7eaq98P5q7XlO2uNUIq7/eagW+WxCo5K
zMnp4HiW26xPbBsw4PlYiMrr4/y6hJnrA+v1aK5Io4EVkuThsVkGVdap1qEwuhsT
1zbTMNDFAiczVZFenabr5kHMSnFQa59wePJKGfcK8gqbPBFq0i3ivquGTf4MAsPS
rhx7SfZecIwWqgbjl07Zoe3pCZQyZ67ZySybOXtny0kBohHYvfv/sxeBXYbu7fHH
xy0HS8XZTZmEs2q+/PwNIRcyCRYCpk8l7mwKzBpBPFFoQTEfKmF2ThCzPBnJRhgy
1JRduLgakkvT3/3b1DiF3VaudEG4bihSj7ZhN/rVp0s8z2rKse7xKA==
-----END CERTIFICATE-----
private_key:
inline_string: |
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC6ebzqeVyF7KOY
08FYAgxehE4Irn7CCO1W7m/izcKnue0VJ2LlvvefJhO1jKsqK2cxyPz4vpcP2v/4
HhfcEZScFo7XsUajshAmCEOJENoGja2BVKQCjx5bdtv6HHhgmaD0dhhPw79y2jt8
1G3MQSNegVIurywkC0BY8oHZG1hwOtz1aWEX9Q8d9lUqPwTjSggU0eaBlfO5o7HT
waaRrxtWYGl9+LLE5RnTn2ZtSkNQfKyc5WkZl9YV7rhvlgCptKjwXhBLAS8+K8MH
Orv5xbJ350ssVNox4IxUP2bc3LfMpldjT3xQOTODK94yuK7jcSwUUHOHQA4q39TW
nLfK1O+6zKI1xECQCS8uXfjRY1qLZ+K5Qpdk1h8dB0ZXXownqqPpFgSg9zOZGHtv
AXjAaPZGiTdoGBQ8nlKkrBcsmx1dNe41UFAJTm8sTRRbqYBfU63N1Rsz/Q5EwKeR
Bl/qjNYqrQpotwEP0uT9lueAh/JWkBopZ1BlVMnd9GLecG0Xsl5MEn1pwtMr5dJS
HH+19byQfSgnXpwoykUF/nzqvpV7oT0vpUFkvHiDGOmqnsZuVWL61HWp1HoM/Yel
fUIW6TDYYfo3SUQrdhBR40Lolkb6h9o9nPRko1ukvLvULkzZMwzehBw/KYhYT32k
2kCDrwK/VUzlogbdyQYnhuvxqjRWlQIDAQABAoICAQCu4L43kssfWbZu+5+lvn4F
IcTgxWxg4ehbD09kfxzfGTFrFj3cQgSNfzManqpi6MNlYB1F1c9rcjF9ahNsMhyR
aWJai4k4uSQF1tgnMeOWI8YktND/CWMp2cUgwRRvW4Qj3qCcJXJk7p69SacS17+o
wFTnLSaTQu38vKjjh46f6cQQbtw8kHi1268w6FrYITSE+fhXbN5eKVL6yPBCTdqw
Xchw+AwHNOfMm/993RhV4iYrGcY/1zJR7UeQdjd279NDYKOdA6ZfgsDrBb0F186w
Pfw0vfrGrdRMqgz4chH43cK0gvWNcqeJi1ldbe+toxP4lR5TJ9JhiPpcrip7EMkk
ZZGcF5RfFwIl0IhrWWQBtsdx91J0JdOLHjOFJoWasAf/a97AbzDvcYsiJ7GvZXgh
/06MJwuk1z2nTi8wlSKMUDLKgoLud9SV/+G725oxZwLBZqoLlJr53cv9PBZ5tz1b
JGiIGPuvgJLrt8I7b+D9Bld/TRNZvU0wW7hGdxl0bqKlfVMAvFRbZTn/t4rOWbfD
qpQ9/QYLSXPWeaiEXJd/d95/EMRPeg3vo/g54FQTAVu3UjiyMqJN6FQ3ww6oKV2V
IbFo6XQl2W/1RiZvBs6oXftYjxXkVLqSxuAMIBfq2jZGicTysVlCEFUrb6TEC+Rq
RjzPgkuiLXy8P6IZE8eBIQKCAQEA7vv//CSvzioaWf/t5OMzUIxdqH1f8aeshvWl
OxoNiVbOLfaEVD8lvLg+35xm9loGv2IRWqt4yQMVjks4a2PDG78rECMGjc27WRlk
OF4U2FHGnItLr+ic/vkF04y4sfROrfjk/a5qt8sVDCt18fp4YkYqTx7JGdS2jS/Y
GxJwHCBnB89ItIHRj3cmq4hP+oWlO/Cl+ov0TLH9IRzH/7g93ci8+12DAzxT9+BN
iMJ1fgDJ4FyXQjpc6uSDKqkXe2y0DOdlWt+VjIXSubeDikPfkP4fC0rwsFVLYS5P
D0kUuwSlzQf2ZckdGZCrowDPZcqL0wS0smtL+oS87brMtjqT3QKCAQEAx8CnB5kG
svtlDTjlfFx7ZYsUD4sHTY6SzZYN0+lSrL4KJFRi9nZZctom+k/694NBekiEtHz2
dDRUHcx9/OvGTPyd6EQ7aLokTnRmsbUesixlnbi2mmbV0RgEEcRDXvyfparAcVPX
ru6nv63crzMSs4wBggnJgxmVpR3/cUptxd76A4sHQ2uKeP0NVjkuNN6NPmjqVDKg
FLJ6dQpXCAowKqcwbUWVtvab8TdKTGa7k7/ff478Esxv+sUWuKcWfuyDeDA8lCPi
t4echcsZ82SHlkXxiFendmN9d+oov3sDsUubnmCX/qGZGNBWonlOgn1dR4fobl9C
T//HSknP50geGQKCAQB8BeWMGhHuoST5zfrMjShFRgMY/K+8/nJnu7WbHWMnAhiP
+94ixn60GL3wV/+LG59i1OcCsfhGAUa/iMPn32cS0Dvt7O9qyfjPPYEoS5LvzEiR
VyzZRpOrMtrWNbJoD8yBNqjICisx5L+wiCF2ibDN93Hfi697q0ttrAWvzvrFbf9q
KyWlH7X8iS5VWLGA5rigibvpcZY/8yLVe1VDnX7lyVZh8N6b4EQHYK18KsbEtG4P
9J0+7oDoGd0EV6prEDfEdpW/+kZnHdAFN3qZV63/VhIQTzznlew/q8O1wAx1He1Z
oSc7HYrviIe6WSJIxjuYMFoCOfK9OQO/L/ErJO01AoIBAC9bE/4wIC90fAt7bqRi
BHsZUsMwkaWoZFNK/LI9gXUkhKECRIfrnN8mqtDy/yuIuZA0+wkTCxaXhU2fOkso
1lVQGluDOZZlctAKtoHwz3ssHVccAGZwdMZibCyOG+6781lCNudnGh4FxE0j+cqr
UAay7XSXv2dOPHTtvK5uF8IuT5Vhc3JfX2+5hlznp3WvQUsHcm5Npjfh7DgtIF7u
k2a5RjjRo2HB60xvcDTWsief+Gt0SXxnbTDFYtKaAjJK/gwTW3k/XLNn+gqaEOfr
8F0G7fEF3tSpV4iDQe/LSR/SLe2JNt+ODg6c7b0NBzjWYbPgm5D3EnCG0gdhomFR
bpkCggEBAKm1FVvLcjR/wSv4vdM/aBY/pKS5oEKJuMj7jWg7HrTdDMKcoYJzDlvt
6h84tM13zCNjdivY1CbhJA5FYQ4zhF7wZaAFmgMXAbqM736L5Vrp9Isqg+odl/xN
TxuYvRVq3Ah802K9Pw4nqtBYYzhsN3Xtf4elK4gfbXbWmYhMXuqfGbzFNo5NvWlc
Fm44x0KH5Ky5ReOWSEtjJmw+k48zlPEZS6KPCUnWIxygENCrhIWVEiXEpjkbjnpV
7ugK1cKBvJIA9/0OPf4XZTm4vQHYtGtxF8XbB3wMF6VIjn7sVHs2gGqF6gbBA01C
iH6ELWrUQ7GrW2B89isKVGEPR92qdIo=
-----END PRIVATE KEY-----
clusters:
- name: local_service
type: STRICT_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: local_service
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: backend
port_value: 8080
- name: google_oauth2
connect_timeout: 20s
type: LOGICAL_DNS
lb_policy: round_robin
dns_lookup_family: V4_ONLY
load_assignment:
cluster_name: google_oauth2
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: oauth2.googleapis.com
port_value: 443
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: oauth2.googleapis.com
- name: auth0
connect_timeout: 20s
type: LOGICAL_DNS
lb_policy: round_robin
dns_lookup_family: V4_ONLY
load_assignment:
cluster_name: auth0
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: samples.auth0.com
port_value: 443
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: samples.auth0.com
admin:
address:
socket_address:
address: 0.0.0.0
port_value: 10001