-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathconfigmap.yml
111 lines (104 loc) · 5.31 KB
/
configmap.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
apiVersion: v1
kind: ConfigMap
metadata:
name: example-envoy-config
labels:
app: example-config-map
namespace: example-namespace
data:
envoy.yaml: |
static_resources:
listeners:
address:
socket_address:
address: 0.0.0.0
port_value: 10000
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
codec_type: AUTO
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains:
- "*"
routes:
- match:
prefix: "/"
route:
cluster: httpbin #! Your upstream cluster name.
host_rewrite_literal: your-service.com #! You might need this if your service is running in the same cluster (the reverse proxy looks for the host and if it is not changed, it will talk to envoy again).
http_filters:
- name: envoy.filters.http.wasm
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
config:
name: "wasm-oidc-plugin" #! This name must match the name of the plugin in the plugin's code.
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
config_endpoint: "https://accounts.google.com/.well-known/openid-configuration"
reload_interval_in_h: 1 # in hours
exclude_hosts: [] # or ["httpbin.org"]
exclude_paths: [] # or ["/favicon.ico"]
exclude_urls: [] # or ["http://localhost:10000/#/HTTP_Methods/get_get"]
access_token_header_name: # or "Authorization"
access_token_header_prefix: "Bearer "
id_token_header_name: # or "X-Id-Token"
id_token_header_prefix: "Bearer "
cookie_name: "oidcSession"
cookie_duration: 86400 # in seconds
token_validation: true # or false
aes_key: "i-am-a-forty-four-characters-long-string-key" # generate with `openssl rand -base64 32`
authority: "accounts.google.com" # FQDN of the OIDC provider
redirect_uri: "http://localhost:10000/oidc/callback" # redirect uri that is registered with the OIDC provider
client_id: "wasm-oidc-plugin" # client id that is registered with the OIDC provider
scope: "openid profile email"
claims: "{\"id_token\":{\"groups\":null,\"username\":null}}"
client_secret: "redacted"
audience: "wasm-oidc-plugin"
vm_config:
runtime: "envoy.wasm.runtime.v8"
code:
local:
filename: "/etc/envoy/proxy-wasm-plugins/wasm_oidc_plugin.wasm" #! Must match the path where you copy the plugin (when using initContainer)
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- name: httpbin #! This name must match the name of the cluster in the route_config section.
connect_timeout: 5s
type: STRICT_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: httpbin #! This name must match the name of the cluster in the route_config section.
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: httpbin #! This is the hostname of the service you want to access.
port_value: 80
hostname: "httpbin.org" #! This is the hostname of the service you want to access.
- name: oidc #! dont change it
connect_timeout: 5s
type: LOGICAL_DNS
dns_lookup_family: V4_ONLY
load_assignment:
cluster_name: oidc
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: your-domain.com #! Your Auth Server's domain name.
port_value: 443
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: "your-domain.com" #! Here as well.