
@rezamt
Created August 16, 2021 04:52
apigee-envoy-sidecar

Sample templates generated by apigee-remote-service-cli

Supported templates:

  • envoy-1.15
  • envoy-1.16
  • envoy-1.17
  • istio-1.7
  • istio-1.8
  • istio-1.9

Samples for Apigee Envoy standalone:

  • envoy-config.yaml

Samples for Apigee Envoy in Istio:

  • apigee-envoy-adapter.yaml
  • envoyfilter-sidecar.yaml
  • httpbin.yaml
  • request-authentication.yaml
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Deployment of the Apigee remote-service adapter (apigee-envoy-adapter) in the
# `apigee` namespace. Envoy reaches it on port 5000 (gRPC ext_authz and access
# logging); port 5001 serves /healthz for the probes and /metrics for Prometheus.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apigee-remote-service-envoy
  namespace: apigee
spec:
  replicas: 1
  selector:
    matchLabels:
      app: apigee-remote-service-envoy
  template:
    metadata:
      annotations:
        # Let the Istio sidecar rewrite the HTTP probes so they are not rejected by mTLS.
        sidecar.istio.io/rewriteAppHTTPProbers: "true"
        # Prometheus scrape target: HTTPS on the health/metrics port.
        prometheus.io/path: /metrics
        prometheus.io/port: "5001"
        prometheus.io/scheme: https
        prometheus.io/scrape: "true"
        prometheus.io/type: prometheusspec
      labels:
        app: apigee-remote-service-envoy
        version: v1
        org: rezamt-28035-eval
        env: test
    spec:
      serviceAccountName: apigee-remote-service-envoy
      # Run as an unprivileged fixed uid/gid; no container-level hardening
      # (allowPrivilegeEscalation, capabilities, readOnlyRootFilesystem) is set here.
      securityContext:
        runAsUser: 999
        runAsGroup: 999
        runAsNonRoot: true
      containers:
        - name: apigee-remote-service-envoy
          # Pinned to a release tag; pin to a digest if reproducible pulls are required.
          image: google/apigee-envoy-adapter:v2.0.2
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 5000
          livenessProbe:
            httpGet:
              path: /healthz
              port: 5001
            failureThreshold: 1
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 5001
            failureThreshold: 30
            periodSeconds: 10
          args:
            # debug is verbose; lower it once the deployment has been verified.
            - --log-level=debug
            # The adapter config comes from the ConfigMap mounted below.
            - --config=/config/config.yaml
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
            requests:
              cpu: 10m
              memory: 100Mi
          volumeMounts:
            - name: apigee-remote-service-envoy
              mountPath: /config
              readOnly: true
      volumes:
        - name: apigee-remote-service-envoy
          configMap:
            name: apigee-remote-service-envoy
---
# ClusterIP Service in front of the adapter. Its in-cluster address,
# apigee-remote-service-envoy.apigee:5000, is what the Istio EnvoyFilter
# and sidecar gRPC clients target.
apiVersion: v1
kind: Service
metadata:
  name: apigee-remote-service-envoy
  namespace: apigee
  labels:
    app: apigee-remote-service-envoy
    org: rezamt-28035-eval
    env: test
spec:
  ports:
    - name: grpc
      port: 5000
  selector:
    app: apigee-remote-service-envoy
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This is for Envoy 1.16+.
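# Standalone Envoy bootstrap: one plaintext HTTP listener on 8080 whose requests
# pass jwt_authn -> ext_authz (Apigee adapter) -> router, with analytics shipped
# to the adapter via the gRPC access logger.
admin:
  access_log_path: /tmp/envoy_admin.log
  # Admin API is bound to loopback only, so it is not reachable from other hosts.
  address:
    socket_address:
      address: 127.0.0.1
      port_value: 9000
static_resources:
  listeners:
    - address:
        socket_address:
          address: 0.0.0.0
          port_value: 8080
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                route_config:
                  virtual_hosts:
                    - name: default
                      domains: "*"
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: helloworld
                http_filters:
                  # evaluate JWT tokens, allow_missing allows API Key also
                  # (a request without a JWT is not rejected here; it continues to
                  # ext_authz, where the adapter checks for an API key)
                  - name: envoy.filters.http.jwt_authn
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
                      providers:
                        apigee:
                          issuer: https://rezamt-28035-eval-test.apigee.net/remote-token/token
                          audiences:
                            - remote-service-client
                          remote_jwks:
                            http_uri:
                              uri: https://rezamt-28035-eval-test.apigee.net/remote-token/certs
                              cluster: apigee-auth-service
                              timeout: 5s
                            cache_duration:
                              seconds: 300
                          # Verified claims are stored in dynamic metadata under this key
                          # and handed to ext_authz via metadata_context_namespaces.
                          payload_in_metadata: https://rezamt-28035-eval-test.apigee.net/remote-token/token
                      rules:
                        - match:
                            prefix: /
                          requires:
                            requires_any:
                              requirements:
                                - provider_name: apigee
                                - allow_missing: {}
                  # evaluate Apigee rules
                  - name: envoy.filters.http.ext_authz
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                      transport_api_version: V3
                      grpc_service:
                        envoy_grpc:
                          cluster_name: apigee-remote-service-envoy
                        timeout: 1s
                      metadata_context_namespaces:
                        - envoy.filters.http.jwt_authn
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                access_log:
                  # collect Apigee analytics
                  - name: envoy.access_loggers.http_grpc
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig
                      common_config:
                        transport_api_version: V3
                        grpc_service:
                          envoy_grpc:
                            cluster_name: apigee-remote-service-envoy
                        log_name: apigee-remote-service-envoy
  clusters:
    # define cluster for http://rezamt-28035-eval-test.apigee.net/ target
    - name: helloworld
      connect_timeout: 2s
      type: LOGICAL_DNS
      dns_lookup_family: V4_ONLY
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: helloworld
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      # Must be a resolvable host name: the original value carried the
                      # URL scheme and trailing slash, which LOGICAL_DNS cannot resolve.
                      address: rezamt-28035-eval-test.apigee.net
                      port_value: 443
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          # SNI is a bare host name as well; a URL here would be sent verbatim in the handshake.
          sni: rezamt-28035-eval-test.apigee.net
          # No validation_context is configured, so Envoy does not verify the upstream
          # certificate; set common_tls_context.validation_context.trusted_ca for production.
    # define cluster for Apigee remote service
    # (localhost:5000 -- the adapter runs alongside this Envoy in the standalone sample)
    - name: apigee-remote-service-envoy
      type: LOGICAL_DNS
      http2_protocol_options: {}
      load_assignment:
        cluster_name: apigee-remote-service-envoy
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: localhost
                      port_value: 5000
      common_lb_config:
        healthy_panic_threshold:
          value: 50.0
      health_checks:
        - timeout: 1s
          interval: 5s
          interval_jitter: 1s
          no_traffic_interval: 5s
          unhealthy_threshold: 1
          healthy_threshold: 3
          grpc_health_check: {}
      connect_timeout: 0.25s
    # define cluster for Apigee JWKS certs
    - name: apigee-auth-service
      connect_timeout: 2s
      type: LOGICAL_DNS
      dns_lookup_family: V4_ONLY
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: apigee-auth-service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: rezamt-28035-eval-test.apigee.net
                      # integer like every other port_value in this file (was the string "443")
                      port_value: 443
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          sni: rezamt-28035-eval-test.apigee.net
          # No validation_context here either: the JWKS used to verify tokens is fetched
          # over TLS whose server certificate is not checked. Add
          # common_tls_context.validation_context.trusted_ca before relying on this.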
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Installs an Istio EnvoyFilter in the default namespace.
# It applies to all services in the namespace. If you wish, you
# may tailor by specifying `workloadSelector` for specific targets.
# Uses `apigee-remote-service-envoy.apigee:5000` as target.
# This is for Istio 1.7 and 1.8.
# Istio EnvoyFilter for workloads labelled `managed-by: apigee` in `default`.
# Patch 1 inserts the Apigee ext_authz filter ahead of the router on inbound
# sidecar traffic; patch 2 merges a gRPC access logger into the HTTP connection
# manager so request analytics reach the adapter.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: apigee-remote-httpbin
  namespace: default
spec:
  workloadSelector:
    labels:
      managed-by: apigee
  configPatches:
    # --- authorization: ext_authz before envoy.router, inbound only ---
    - applyTo: HTTP_FILTER
      match:
        proxy:
          proxyVersion: '^1\.[78].*'
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: envoy.http_connection_manager
              subFilter:
                name: envoy.router
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.ext_authz
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
            transport_api_version: V3
            grpc_service:
              # Adapter Service in the apigee namespace (Deployment/Service above).
              google_grpc:
                target_uri: apigee-remote-service-envoy.apigee:5000
                stat_prefix: apigee-remote-service
              timeout: 1s
            # Forward jwt_authn's verified claims to the adapter.
            metadata_context_namespaces:
              - envoy.filters.http.jwt_authn
    # --- analytics: gRPC access log on the same inbound HCM ---
    - applyTo: NETWORK_FILTER
      match:
        proxy:
          proxyVersion: '^1\.[78].*'
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: envoy.http_connection_manager
      patch:
        operation: MERGE
        value:
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
            access_log:
              - name: envoy.access_loggers.http_grpc
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig
                  common_config:
                    transport_api_version: V3
                    log_name: apigee-remote-service
                    grpc_service:
                      google_grpc:
                        target_uri: apigee-remote-service-envoy.apigee:5000
                        stat_prefix: apigee-remote-service
                  # Request headers copied into each log entry.
                  additional_request_headers_to_log:
                    - ":authority"  # default target header
                    # context headers
                    # NOTE(review): x-apigee-accesstoken presumably carries the presented
                    # credential -- confirm before routing this log stream anywhere else.
                    - x-apigee-accesstoken
                    - x-apigee-api
                    - x-apigee-apiproducts
                    - x-apigee-application
                    - x-apigee-clientid
                    - x-apigee-developeremail
                    - x-apigee-environment
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# An httpbin target example Deployment and Service.
# Service for the httpbin sample target (port 80, plain HTTP inside the mesh).
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: default
  labels:
    app: httpbin
spec:
  selector:
    app: httpbin
  ports:
    - name: http
      port: 80
      targetPort: 80
---
# httpbin sample target Deployment. The `managed-by: apigee` pod label is what the
# EnvoyFilter workloadSelector and the RequestAuthentication selector match on.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
        managed-by: apigee
    spec:
      containers:
        - name: httpbin
          # Untagged image resolves to whatever the registry calls latest;
          # pin a tag or digest for anything beyond a demo.
          image: docker.io/kennethreitz/httpbin
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Note: An AuthorizationPolicy sample is shown below and commented out.
# By not having an AuthorizationPolicy, either API Keys or JWTs can be
# used by clients. If you enable the AuthorizationPolicy, JWT tokens will
# be required and API Keys will not work by themselves.
# RequestAuthentication for `managed-by: apigee` workloads: Istio validates any
# JWT presented against the Apigee remote-token issuer and JWKS. On its own this
# only rejects *invalid* tokens; a request with no token still reaches the workload,
# which is why the AuthorizationPolicy below is left commented out (API keys keep
# working without it, see the header note).
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: apigee
  namespace: default
spec:
  selector:
    matchLabels:
      managed-by: apigee
  jwtRules:
    - issuer: https://rezamt-28035-eval-test.apigee.net/remote-token/token
      jwksUri: https://rezamt-28035-eval-test.apigee.net/remote-token/certs
# Uncomment to require an authenticated request principal (i.e. a valid JWT):
# ---
# apiVersion: security.istio.io/v1beta1
# kind: AuthorizationPolicy
# metadata:
#   name: apigee
#   namespace: default
# spec:
#   selector:
#     matchLabels:
#       managed-by: apigee
#   rules:
#     - from:
#         - source:
#             requestPrincipals: ["*"]