@zetaab
Created May 24, 2024 06:37
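#####
# public routes
#####
# Unauthenticated catch-all for foobar.com. Gateway API prefers the longest
# matching PathPrefix, so /login, /oauth2/callback and /api are claimed by the
# more specific routes below and everything else lands here.
# No SecurityPolicy targets this route: it is reachable without any token,
# and requests on it reach echoserver with whatever headers the client sent.
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: demo-public
  namespace: demo
spec:
  parentRefs:
    # Attach to the "https" listener of the shared "internal" Gateway.
    - name: internal
      namespace: envoy-gateway-system
      sectionName: https
  hostnames:
    - foobar.com
  rules:
    - backendRefs:
        - group: ""
          kind: Service
          name: echoserver
          port: 80
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /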
#####
# login routes
#####
---
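# Login paths, split out of the catch-all so that only they are covered by the
# demo-auth OIDC SecurityPolicy (which targets this route by name).
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: demo-login
  namespace: demo
spec:
  parentRefs:
    # Same "https" listener of the "internal" Gateway as the other routes.
    - name: internal
      namespace: envoy-gateway-system
      sectionName: https
  hostnames:
    - foobar.com
  rules:
    # Both paths go to the same echoserver backend as the public route; the
    # difference is purely which SecurityPolicy applies.
    - backendRefs:
        - group: ""
          kind: Service
          name: echoserver
          port: 80
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /login
        # The OIDC authorization-code callback must be on a route this policy
        # covers, otherwise the filter never sees the code exchange.
        - path:
            type: PathPrefix
            value: /oauth2/callback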
---
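# Browser login: OIDC authorization-code flow against a Cognito user pool.
# Applies only to the demo-login route (/login and /oauth2/callback); the
# session it establishes is carried in cookies that other policies can read.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: demo-auth
  namespace: demo
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: demo-login
  oidc:
    provider:
      # Cognito user-pool issuer; "xxxx" is the user pool id placeholder.
      issuer: https://cognito-idp.eu-west-1.amazonaws.com/xxxx
    # App client id placeholder; the ID token's "aud" claim carries this value.
    clientID: xxx
    scopes:
      - openid
      - email
      - profile
    # Client secret is read from a Kubernetes Secret, never inlined here.
    # No namespace is given, so presumably it resolves in "demo" — verify.
    clientSecret:
      group: ""
      kind: Secret
      name: my-cognito-client-secret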
#####
# api routes
#####
---
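# API paths, split out so that the demo-api-jwt SecurityPolicy can require a
# valid JWT on /api only.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: demo-api
  namespace: demo
spec:
  parentRefs:
    # Same "https" listener of the "internal" Gateway as the other routes.
    - name: internal
      namespace: envoy-gateway-system
      sectionName: https
  hostnames:
    - foobar.com
  rules:
    # Backend is the same echoserver Service the unauthenticated routes use;
    # the JWT check is enforced at the gateway, not by the Service.
    - backendRefs:
        - group: ""
          kind: Service
          name: echoserver
          port: 80
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /api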
---
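# JWT enforcement for /api. Two token sources are accepted: the Cognito ID
# token cookie from a browser session, and bearer tokens from a second
# issuer ("kaas"). A request passes if ANY listed provider validates it.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: demo-api-jwt
  namespace: demo
spec:
  # Only the demo-api route (/api) is protected; the public "/" route to the
  # same echoserver Service has no policy at all.
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: demo-api
  jwt:
    providers:
      - name: cognito
        # Pin issuer and audience so that a token signed by a key from this
        # JWKS but minted for another app client is rejected, not just
        # accepted as "correctly signed". Without these the "iss"/"aud"
        # claims are not checked.
        issuer: https://cognito-idp.eu-west-1.amazonaws.com/xxxx
        audiences:
          - xxx  # clientID of the demo-auth policy; Cognito ID tokens set aud to it
        # Presumably the ID-token cookie written by the demo-auth OIDC policy;
        # the "7aa47edd" suffix is policy-specific, verify it matches.
        extractFrom:
          cookies:
            - IdToken-7aa47edd
        # Claims are copied into request headers for the backend. The gateway
        # sets these only on requests it validated on demo-api; on the public
        # "/" route a client can send x-sub/x-email/x-groups/x-name itself, so
        # the backend must not trust them on other routes. A token validated
        # by the "kaas" provider below sets only x-sub, so a client-supplied
        # x-email/x-groups/x-name would presumably pass through unmodified
        # on such requests — strip or ignore them accordingly.
        claimToHeaders:
          - claim: sub
            header: x-sub
          - claim: email
            header: x-email
          - claim: "cognito:groups"
            header: x-groups
          - claim: name
            header: x-name
        remoteJWKS:
          uri: https://cognito-idp.eu-west-1.amazonaws.com/xxxx/.well-known/jwks.json
      - name: kaas
        # NOTE(review): audience is pinned but issuer is not; add `issuer:` once
        # the value this provider puts in "iss" is known, so "iss" is checked.
        claimToHeaders:
          - claim: sub
            header: x-sub
        audiences:
          - xxx
        remoteJWKS:
          uri: https://yyy.com/.well-known/jwks.json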