cameronmoreau/istio -> envoy.yaml

## istio -> envoy.yaml
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 9901
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  host_rewrite: www.google.com
                  cluster: service_google
          http_filters:
          - name: envoy.filters.http.jwt_authn
            config:
              providers:
                provider1:
                  issuer: testing@secure.istio.io
                  local_jwks:
                    inline_string: '{ "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}'
          - name: envoy.filters.http.rbac
            config:
              rules:
                policies:
                  productpage-viewer:
                    permissions:
                    - and_rules:
                        rules:
                        - or_rules:
                            rules:
                            - header:
                                name: ":method"
                                exact_match: GET
                    principals:
                    - and_ids:
                        ids:
                        - header:
                            name: "hello"
                            exact_match: "world"
                        - header:
                            name: "goodbye"
                            exact_match: "world"

                        # - metadata:
                        #     filter: envoy.filters.http.rbac
                        #     value:
                        #       string_match:
                        #         exact: bar
                        #     path:
                        #     # - key: request.auth.claims
                        #     - key: foo

                    # - and_ids:
                    #     ids:
                    #     - metadata:
                    #         filter: istio_authn
                    #         value:
                    #           list_match:
                    #             one_of:
                    #               string_match:
                    #                 exact: openid
                    #         path:
                    #         - key: request.auth.claims
                    #         - key: scope
                    # - and_ids:
                    #     ids:
                    #     - metadata:
                    #         value:
                    #           list_match:
                    #             one_of:
                    #               string_match:
                    #                 exact: foo.bar
                    #         path:
                    #         - key: request.auth.claims
                    #         - key: scope
                    #         filter: istio_authn

              # local_jwks:
              #   inline_string: '{ "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}'
          # - name: jwt-auth
          #   config:
          #     rules:
          #     - local_jwks:
          #         inline_string:
          #       forward_payload_header: istio-sec-5406b7840708063f65cbdf52153ca364a476d68b
          #       forward: true
          #       issuer: testing@secure.istio.io
          #     allow_missing_or_failed: true
          - name: envoy.router
  clusters:
  - name: service_google
    connect_timeout: 0.25s
    type: LOGICAL_DNS
    # Comment out the following line to test on v6 networks
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    hosts:
      - socket_address:
          address: google.com
          port_value: 443
    tls_context: { sni: www.google.com }
	admin:
	access_log_path: /tmp/admin_access.log
	address:
	socket_address:
	protocol: TCP
	address: 127.0.0.1
	port_value: 9901
	static_resources:
	listeners:
	- name: listener_0
	address:
	socket_address:
	protocol: TCP
	address: 0.0.0.0
	port_value: 10000
	filter_chains:
	- filters:
	- name: envoy.http_connection_manager
	config:
	stat_prefix: ingress_http
	route_config:
	name: local_route
	virtual_hosts:
	- name: local_service
	domains: ["*"]
	routes:
	- match:
	prefix: "/"
	route:
	host_rewrite: www.google.com
	cluster: service_google
	http_filters:
	- name: envoy.filters.http.jwt_authn
	config:
	providers:
	provider1:
	issuer: testing@secure.istio.io
	local_jwks:
	inline_string: '{ "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}'
	- name: envoy.filters.http.rbac
	config:
	rules:
	policies:
	productpage-viewer:
	permissions:
	- and_rules:
	rules:
	- or_rules:
	rules:
	- header:
	name: ":method"
	exact_match: GET
	principals:
	- and_ids:
	ids:
	- header:
	name: "hello"
	exact_match: "world"
	- header:
	name: "goodbye"
	exact_match: "world"

	# - metadata:
	# filter: envoy.filters.http.rbac
	# value:
	# string_match:
	# exact: bar
	# path:
	# # - key: request.auth.claims
	# - key: foo

	# - and_ids:
	# ids:
	# - metadata:
	# filter: istio_authn
	# value:
	# list_match:
	# one_of:
	# string_match:
	# exact: openid
	# path:
	# - key: request.auth.claims
	# - key: scope
	# - and_ids:
	# ids:
	# - metadata:
	# value:
	# list_match:
	# one_of:
	# string_match:
	# exact: foo.bar
	# path:
	# - key: request.auth.claims
	# - key: scope
	# filter: istio_authn

	# local_jwks:
	# inline_string: '{ "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}'
	# - name: jwt-auth
	# config:
	# rules:
	# - local_jwks:
	# inline_string:
	# forward_payload_header: istio-sec-5406b7840708063f65cbdf52153ca364a476d68b
	# forward: true
	# issuer: testing@secure.istio.io
	# allow_missing_or_failed: true
	- name: envoy.router
	clusters:
	- name: service_google
	connect_timeout: 0.25s
	type: LOGICAL_DNS
	# Comment out the following line to test on v6 networks
	dns_lookup_family: V4_ONLY
	lb_policy: ROUND_ROBIN
	hosts:
	- socket_address:
	address: google.com
	port_value: 443
	tls_context: { sni: www.google.com }