Created
February 5, 2023 01:07
-
-
Save epk/a332577bdf9cca76147eb591af9a974e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| node: | |
| id: identity-aware-proxy | |
| cluster: identity-aware-proxy | |
| admin: | |
| address: | |
| socket_address: | |
| address: 0.0.0.0 | |
| port_value: 9901 | |
| static_resources: | |
| listeners: | |
| - name: http_listener | |
| address: | |
| socket_address: | |
| address: 0.0.0.0 | |
| port_value: 80 | |
| listener_filters: | |
| - name: "envoy.filters.listener.http_inspector" | |
| typed_config: | |
| '@type': type.googleapis.com/envoy.extensions.filters.listener.http_inspector.v3.HttpInspector | |
| filter_chains: | |
| - filters: | |
| - name: envoy.filters.network.http_connection_manager | |
| typed_config: | |
| '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager | |
| access_log: | |
| - name: envoy.access_loggers.file | |
| typed_config: | |
| '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog | |
| path: /dev/stdout | |
| codec_type: AUTO | |
| stat_prefix: identity-aware-proxy | |
| generate_request_id: true | |
| always_set_request_id_in_response: true | |
| preserve_external_request_id: true | |
| tracing: | |
| provider: | |
| name: envoy.tracers.opentelemetry | |
| typed_config: | |
| '@type': type.googleapis.com/envoy.config.trace.v3.OpenTelemetryConfig | |
| grpc_service: | |
| envoy_grpc: | |
| cluster_name: opentelemetry_collector | |
| timeout: 2s | |
| service_name: identity-aware-proxy | |
| http_filters: | |
| - name: envoy.filters.http.oauth2 | |
| typed_config: | |
| '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 | |
| config: | |
| token_endpoint: | |
| cluster: oauth2.googleapis.com | |
| uri: https://oauth2.googleapis.com/token | |
| timeout: 3s | |
| credentials: | |
| client_id: ${CLIENT_ID} | |
| token_secret: | |
| name: token | |
| sds_config: | |
| path: "/etc/envoy/token-secret.yaml" | |
| hmac_secret: | |
| name: hmac | |
| sds_config: | |
| path: "/etc/envoy/hmac.yaml" | |
| auth_scopes: | |
| - profile | |
| - openid | |
| authorization_endpoint: https://accounts.google.com/o/oauth2/v2/auth | |
| redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/_oauth2_callback" | |
| redirect_path_matcher: | |
| path: | |
| exact: /_oauth2_callback | |
| signout_path: | |
| path: | |
| exact: /signout | |
| forward_bearer_token: true # forward the bearer token to the upstream | |
| auth_type: URL_ENCODED_BODY # send client_id and client_secret encoded request body. | |
| pass_through_matcher: | |
| - name: authorization # If the request has an authorization header, skip OAuth2 filter. | |
| prefix_match: Bearer | |
| - name: envoy.filters.http.jwt_authn | |
| typed_config: | |
| '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication | |
| providers: | |
| accounts-google-com: | |
| issuer: https://accounts.google.com | |
| audiences: | |
| - ${AUDIENCE} | |
| remote_jwks: | |
| http_uri: | |
| uri: https://www.googleapis.com/oauth2/v3/certs | |
| cluster: www.googleapis.com | |
| timeout: 3s | |
| cache_duration: 3600s | |
| async_fetch: | |
| fast_listener: true | |
| failed_refetch_duration: 3s | |
| retry_policy: | |
| retry_back_off: | |
| base_interval: 0.01s | |
| max_interval: 20s | |
| num_retries: 10 | |
| forward: true | |
| forward_payload_header: x-jwt-payload | |
| pad_forward_payload_header: true | |
| payload_in_metadata: jwt_payload | |
| jwt_cache_config: | |
| jwt_cache_size: 1024 | |
| rules: | |
| # Skip verification for /services/ping | |
| - match: | |
| path: /services/ping | |
| - match: | |
| prefix: / | |
| requires: | |
| provider_name: accounts-google-com | |
| - name: envoy.filters.http.rbac | |
| typed_config: | |
| '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC | |
| rules: | |
| action: ALLOW | |
| policies: | |
| # Always allow /services/ping | |
| "health_check": | |
| permissions: | |
| - header: | |
| name: ":path" | |
| exact_match: /services/ping | |
| principals: | |
| - any: true | |
| # JWT | |
| "allow-subject-${SUBJECT}": | |
| permissions: | |
| - any: true | |
| principals: | |
| - metadata: | |
| filter: envoy.filters.http.jwt_authn | |
| path: | |
| - key: jwt_payload | |
| - key: sub | |
| value: | |
| string_match: | |
| exact: ${SUBJECT} | |
| - name: envoy.filters.http.health_check | |
| typed_config: | |
| '@type': type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck | |
| pass_through_mode: true | |
| headers: | |
| - name: ":path" | |
| exact_match: /services/ping | |
| - name: envoy.filters.http.router | |
| typed_config: | |
| '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router | |
| startChildSpan: true | |
| route_config: | |
| name: hello-world | |
| virtual_hosts: | |
| - name: hello-world | |
| domains: | |
| - "*" | |
| routes: | |
| - name: hello-world | |
| match: | |
| prefix: / | |
| direct_response: | |
| status: 200 | |
| body: | |
| inline_string: "Hello World!" | |
| clusters: | |
| - name: opentelemetry_collector | |
| type: LOGICAL_DNS | |
| lb_policy: ROUND_ROBIN | |
| typed_extension_protocol_options: | |
| envoy.extensions.upstreams.http.v3.HttpProtocolOptions: | |
| '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions | |
| explicit_http_config: | |
| http2_protocol_options: {} | |
| load_assignment: | |
| cluster_name: opentelemetry_collector | |
| endpoints: | |
| - lb_endpoints: | |
| - endpoint: | |
| address: | |
| socket_address: | |
| address: opentelemetry_collector | |
| port_value: 4317 | |
| upstream_connection_options: | |
| tcp_keepalive: {} | |
| - name: oauth2.googleapis.com | |
| dns_lookup_family: V4_ONLY | |
| type: LOGICAL_DNS | |
| connect_timeout: 10s | |
| lb_policy: ROUND_ROBIN | |
| transport_socket: | |
| name: envoy.transport_sockets.tls | |
| typed_config: | |
| '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | |
| sni: oauth2.googleapis.com | |
| load_assignment: | |
| cluster_name: oauth2.googleapis.com | |
| endpoints: | |
| - lb_endpoints: | |
| - endpoint: | |
| address: | |
| socket_address: | |
| address: oauth2.googleapis.com | |
| port_value: 443 | |
| upstream_connection_options: | |
| tcp_keepalive: {} | |
| - name: www.googleapis.com | |
| dns_lookup_family: V4_ONLY | |
| type: LOGICAL_DNS | |
| connect_timeout: 10s | |
| lb_policy: ROUND_ROBIN | |
| transport_socket: | |
| name: envoy.transport_sockets.tls | |
| typed_config: | |
| '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | |
| sni: www.googleapis.com | |
| load_assignment: | |
| cluster_name: www.googleapis.com | |
| endpoints: | |
| - lb_endpoints: | |
| - endpoint: | |
| address: | |
| socket_address: | |
| address: www.googleapis.com | |
| port_value: 443 | |
| upstream_connection_options: | |
| tcp_keepalive: {} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment