
@fdeantoni
Last active June 23, 2023 09:00
A simple gist on how to set up an Envoy proxy fronting a simple echo server with mTLS enabled. The Envoy proxy is connected to a SPIRE agent, which hands it its certificate (SVID) and trust bundle over SDS.
# spiffe-envoy.yaml (mounted into the envoy container as /config.yaml)
admin:
  address:
    socket_address: { address: 0.0.0.0, port_value: 9901 }
node:
  id: default
  cluster: echo
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  host_rewrite_literal: node1
                  cluster: service_echo
      # Terminate TLS on the listener; certificate and trust bundle come from the SPIRE agent via SDS
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            # Server SVID for this workload, fetched from the spire_agent cluster
            tls_certificate_sds_secret_configs:
            - name: "spiffe://example.org/echo"
              sds_config:
                resource_api_version: V3
                api_config_source:
                  api_type: gRPC
                  transport_api_version: V3
                  grpc_services:
                    envoy_grpc:
                      cluster_name: spire_agent
            combined_validation_context:
              # Only a client presenting the URI SAN spiffe://example.org/client is accepted
              default_validation_context:
                match_typed_subject_alt_names:
                - san_type: URI
                  matcher:
                    exact: "spiffe://example.org/client"
              # Trust bundle for the example.org trust domain, also fetched over SDS
              validation_context_sds_secret_config:
                name: "spiffe://example.org"
                sds_config:
                  resource_api_version: V3
                  api_config_source:
                    api_type: gRPC
                    transport_api_version: V3
                    grpc_services:
                      envoy_grpc:
                        cluster_name: spire_agent
            tls_params:
              ecdh_curves:
              - X25519:P-256:P-521:P-384
  clusters:
  - name: service_echo
    type: LOGICAL_DNS
    # Comment out the following line to test on v6 networks
    dns_lookup_family: V4_ONLY
    load_assignment:
      cluster_name: service_echo
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: echo
                port_value: 9000
  # The SPIRE agent's Workload API, reached over its Unix socket (mounted into the container)
  - name: spire_agent
    connect_timeout: 0.25s
    http2_protocol_options: {}
    load_assignment:
      cluster_name: spire_agent
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              pipe:
                path: /tmp/spire-agent/public/api.sock
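An added audit script (not part of the gist) that checks a listener's DownstreamTlsContext for the properties this setup relies on: both secrets fetched from the spire_agent SDS cluster, a URI SAN pin on the client SPIFFE ID, and require_client_certificate set, which Envoy defaults to false so that a peer presenting no certificate is otherwise admitted. It assumes the config was loaded with PyYAML's yaml.safe_load; the sample mapping at the bottom is a constructed copy of the gist's listener_0 transport_socket.

```python
# Added example (not from the gist): audit a DownstreamTlsContext for the mTLS
# properties this SPIRE/SDS setup relies on. Input: the yaml.safe_load'd transport_socket.
SDS_CLUSTER = "spire_agent"  # cluster name of the SPIRE agent socket in the gist
TLS_TYPE = ("type.googleapis.com/envoy.extensions.transport_sockets"
            ".tls.v3.DownstreamTlsContext")

def _sds_from_spire(sds_config):
    """True when an SDS source is the gRPC API of the SPIRE agent cluster."""
    src = (sds_config or {}).get("api_config_source", {})
    services = src.get("grpc_services", [])
    if isinstance(services, dict):  # Envoy accepts a bare object for this repeated field
        services = [services]
    return (src.get("api_type", "").upper() == "GRPC" and any(
        s.get("envoy_grpc", {}).get("cluster_name") == SDS_CLUSTER for s in services))

def audit_downstream_tls(transport_socket, expected_client_id):
    """Return a list of findings; an empty list means the listener looks right."""
    cfg = transport_socket.get("typed_config", {})
    if cfg.get("@type") != TLS_TYPE:
        return ["transport socket is not a DownstreamTlsContext"]
    findings = []
    ctx = cfg.get("common_tls_context", {})
    for cert in ctx.get("tls_certificate_sds_secret_configs", []):
        if not _sds_from_spire(cert.get("sds_config")):
            findings.append(f"server SVID {cert.get('name')} is not fetched from {SDS_CLUSTER}")
    cvc = ctx.get("combined_validation_context", {})
    if not _sds_from_spire(cvc.get("validation_context_sds_secret_config", {}).get("sds_config")):
        findings.append("trust bundle is not fetched from the SPIRE agent via SDS")
    sans = cvc.get("default_validation_context", {}).get("match_typed_subject_alt_names", [])
    allowed = {s.get("matcher", {}).get("exact") for s in sans if s.get("san_type") == "URI"}
    if expected_client_id not in allowed:
        findings.append(f"no URI SAN matcher pins the client to {expected_client_id}")
    # require_client_certificate defaults to false in Envoy: a peer that presents no
    # certificate is then accepted, so the SAN pin alone does not enforce mTLS.
    if cfg.get("require_client_certificate") is not True:
        findings.append("require_client_certificate is not set to true")
    return findings

# Constructed sample: the gist's listener_0 transport_socket as yaml.safe_load returns it.
SPIRE_SDS = {"api_config_source": {"api_type": "gRPC",
             "grpc_services": {"envoy_grpc": {"cluster_name": "spire_agent"}}}}
GIST_TRANSPORT_SOCKET = {"name": "envoy.transport_sockets.tls", "typed_config": {
    "@type": TLS_TYPE,
    "common_tls_context": {
        "tls_certificate_sds_secret_configs": [
            {"name": "spiffe://example.org/echo", "sds_config": SPIRE_SDS}],
        "combined_validation_context": {
            "default_validation_context": {"match_typed_subject_alt_names": [
                {"san_type": "URI", "matcher": {"exact": "spiffe://example.org/client"}}]},
            "validation_context_sds_secret_config": {
                "name": "spiffe://example.org", "sds_config": SPIRE_SDS}}}}}
```

Run against the gist's listener it reports only the missing require_client_certificate; adding `require_client_certificate: true` under typed_config clears it.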
#!/bin/bash
# Register the echo workload: the envoy container, selected by the docker label
# it is started with; -dns node1 puts the DNS SAN that the client verifies in the SVID
./bin/spire-server entry create \
  -spiffeID spiffe://example.org/echo \
  -parentID spiffe://example.org/node1 \
  -selector docker:label:org.example.name:foo \
  -dns node1 \
  -ttl 600
# Register the client workload: any process running as unix user jdoe on node2
./bin/spire-server entry create \
  -spiffeID spiffe://example.org/client \
  -parentID spiffe://example.org/node2 \
  -selector unix:user:jdoe \
  -ttl 600
#!/bin/bash
# Start the echo server and envoy on a shared network; the echo container is named
# "echo" so that the service_echo cluster address in spiffe-envoy.yaml resolves to it
docker network create my-net
docker run -d --name echo --net my-net fdeantoni/echo-server
# Mount the config and the spire-agent socket directory, and carry the label the
# SPIRE registration entry selects on
docker run --rm -it \
  -v "$(pwd)/spiffe-envoy.yaml:/config.yaml" \
  -v /tmp/spire-agent:/tmp/spire-agent \
  -p 9901:9901 -p 10000:10000 \
  --net my-net \
  --label org.example.name=foo \
  envoyproxy/envoy:dev-28fb348d9f25deaedf3b3145305786d2e8579235 -c /config.yaml
#!/bin/bash
# As the registered unix user, fetch the client SVID, key and trust bundle from the
# agent, then call the proxy with them; curl checks the server SVID against the bundle
sudo -u jdoe /opt/spire/spire-agent api fetch -write /tmp/echo
sudo -u jdoe curl --cacert /tmp/echo/bundle.0.pem \
  --cert /tmp/echo/svid.0.pem --key /tmp/echo/svid.0.key \
  https://node1:10000