A simple gist on how to set up an Envoy proxy fronting a simple echo server with mTLS enabled. The Envoy proxy is connected to a SPIRE agent, which provides it with the certificates over SDS.
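# Envoy bootstrap for the mTLS demo: one TLS-terminating listener whose server
# certificate and trust bundle are fetched over SDS from the local SPIRE agent
# (unix socket mounted into the container), forwarding plaintext to the echo
# server on the private docker network.
admin:
  address:
    # Admin API on all interfaces; the run script also publishes it on the host.
    # Fine for a local demo, restrict to loopback before any shared network use.
    socket_address: { address: 0.0.0.0, port_value: 9901 }
node:
  id: default
  cluster: echo
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  host_rewrite_literal: node1
                  cluster: service_echo
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # Without this Envoy only *requests* a client certificate (the default
          # is false) and a client that presents none is accepted, so the
          # validation context below never applies. This is what makes the
          # listener mutual TLS rather than plain server TLS.
          require_client_certificate: true
          common_tls_context:
            # Server SVID for this workload, served by the SPIRE agent over SDS.
            tls_certificate_sds_secret_configs:
            - name: "spiffe://example.org/echo"
              sds_config:
                resource_api_version: V3
                api_config_source:
                  api_type: gRPC
                  transport_api_version: V3
                  grpc_services:
                    envoy_grpc:
                      cluster_name: spire_agent
            combined_validation_context:
              # Pin the peer identity: only the SPIFFE ID registered for the
              # curl client is accepted, not any certificate in the trust domain.
              default_validation_context:
                match_typed_subject_alt_names:
                - san_type: URI
                  matcher:
                    exact: "spiffe://example.org/client"
              # Trust bundle of the trust domain, also fetched over SDS.
              validation_context_sds_secret_config:
                name: "spiffe://example.org"
                sds_config:
                  resource_api_version: V3
                  api_config_source:
                    api_type: gRPC
                    transport_api_version: V3
                    grpc_services:
                      envoy_grpc:
                        cluster_name: spire_agent
            tls_params:
              ecdh_curves:
              - X25519:P-256:P-521:P-384
  clusters:
  # Upstream echo server, reached in plaintext inside the docker network.
  - name: service_echo
    type: LOGICAL_DNS
    # Comment out the following line to test on v6 networks
    dns_lookup_family: V4_ONLY
    load_assignment:
      cluster_name: service_echo
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: echo
                port_value: 9000
  # SPIRE agent workload API (gRPC over a unix socket bind-mounted into the container).
  - name: spire_agent
    connect_timeout: 0.25s
    http2_protocol_options: {}
    load_assignment:
      cluster_name: spire_agent
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              pipe:
                path: /tmp/spire-agent/public/api.sock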
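#!/bin/bash
# Register the two workloads with the SPIRE server: the Envoy/echo side
# (attested by the docker label the run script sets) and the curl client
# (attested by the unix user that runs it). Both SVIDs get a short TTL (seconds).
set -euo pipefail

# Envoy in front of the echo server. The DNS SAN "node1" is the hostname
# curl verifies when it connects to https://node1:10000.
./bin/spire-server entry create \
  -spiffeID spiffe://example.org/echo \
  -parentID spiffe://example.org/node1 \
  -selector docker:label:org.example.name:foo \
  -dns node1 \
  -ttl 600

# The client identity that Envoy's validation context pins by exact URI SAN.
./bin/spire-server entry create \
  -spiffeID spiffe://example.org/client \
  -parentID spiffe://example.org/node2 \
  -selector unix:user:jdoe \
  -ttl 600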
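#!/bin/bash
# Start the echo server and an Envoy container in front of it on a private
# docker network. Envoy carries the label that the SPIRE docker selector
# matches for spiffe://example.org/echo.
set -euo pipefail

# Create the network only if it does not exist yet, so reruns do not abort.
docker network inspect my-net >/dev/null 2>&1 || docker network create my-net
docker run -d --net my-net fdeantoni/echo-server

# The bind mount of /tmp/spire-agent gives the container the agent's workload
# API socket referenced in the Envoy config. Port 9901 is the Envoy admin API
# and is published to the host for local inspection only.
# Mount paths are quoted so a working directory containing spaces still works.
docker run --rm -it \
  -v "$(pwd)/spiffe-envoy.yaml:/config.yaml" \
  -v /tmp/spire-agent:/tmp/spire-agent \
  -p9901:9901 -p10000:10000 \
  --net my-net \
  --label org.example.name=foo \
  envoyproxy/envoy:dev-28fb348d9f25deaedf3b3145305786d2e8579235 -c /config.yaml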
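#!/bin/bash
# Fetch the client SVID as user jdoe (the unix:user selector of the client
# entry) and use it to call the mTLS listener through Envoy. With set -e the
# curl step is skipped if the fetch fails, instead of running with stale files.
set -euo pipefail

svid_dir=/tmp/echo

sudo -u jdoe /opt/spire/spire-agent api fetch -write "$svid_dir"

# bundle.0.pem is the trust bundle used to verify Envoy's server SVID; the host
# name node1 must match the -dns SAN on the echo entry.
# NOTE(review): the private key is written under /tmp — confirm the file modes
# `api fetch -write` applies, or point svid_dir at a directory private to jdoe.
sudo -u jdoe curl --cacert "$svid_dir/bundle.0.pem" --cert "$svid_dir/svid.0.pem" --key "$svid_dir/svid.0.key" https://node1:10000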