125 lines
4.7 KiB
YAML
125 lines
4.7 KiB
YAML
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: backend-envoy
|
|
data:
|
|
envoy.yaml: |
|
|
node:
|
|
id: "backend"
|
|
cluster: "demo-cluster-spire"
|
|
static_resources:
|
|
listeners:
|
|
- name: local_service
|
|
address:
|
|
socket_address:
|
|
address: 0.0.0.0
|
|
port_value: 9001
|
|
filter_chains:
|
|
- filters:
|
|
- name: envoy.filters.network.http_connection_manager
|
|
typed_config:
|
|
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
|
|
common_http_protocol_options:
|
|
idle_timeout: 1s
|
|
forward_client_cert_details: sanitize_set
|
|
set_current_client_cert_details:
|
|
uri: true
|
|
codec_type: auto
|
|
access_log:
|
|
- name: envoy.access_loggers.file
|
|
typed_config:
|
|
"@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
|
|
path: "/tmp/inbound-proxy.log"
|
|
stat_prefix: ingress_http
|
|
route_config:
|
|
name: local_route
|
|
virtual_hosts:
|
|
- name: local_service
|
|
domains: ["*"]
|
|
routes:
|
|
- match:
|
|
prefix: "/"
|
|
route:
|
|
cluster: local_service
|
|
http_filters:
|
|
- name: envoy.filters.http.rbac
|
|
typed_config:
|
|
"@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
|
|
rules:
|
|
action: ALLOW
|
|
policies:
|
|
"general-rules":
|
|
permissions:
|
|
- and_rules:
|
|
rules:
|
|
- header: { name: ":method", exact_match: "GET" }
|
|
- url_path:
|
|
path: { prefix: "/profiles" }
|
|
principals:
|
|
- authenticated:
|
|
principal_name:
|
|
exact: "spiffe://example.org/ns/default/sa/default/frontend"
|
|
- name: envoy.filters.http.router
|
|
typed_config:
|
|
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
|
|
transport_socket:
|
|
name: envoy.transport_sockets.tls
|
|
typed_config:
|
|
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
|
|
common_tls_context:
|
|
tls_certificate_sds_secret_configs:
|
|
- name: "spiffe://example.org/ns/default/sa/default/backend"
|
|
sds_config:
|
|
resource_api_version: V3
|
|
api_config_source:
|
|
api_type: GRPC
|
|
transport_api_version: V3
|
|
grpc_services:
|
|
envoy_grpc:
|
|
cluster_name: spire_agent
|
|
combined_validation_context:
|
|
# validate the SPIFFE ID of incoming clients (optionally)
|
|
default_validation_context:
|
|
match_typed_subject_alt_names:
|
|
- san_type: URI
|
|
matcher:
|
|
exact: "spiffe://example.org/ns/default/sa/default/frontend"
|
|
# obtain the trust bundle from SDS
|
|
validation_context_sds_secret_config:
|
|
name: "spiffe://example.org"
|
|
sds_config:
|
|
resource_api_version: V3
|
|
api_config_source:
|
|
api_type: GRPC
|
|
transport_api_version: V3
|
|
grpc_services:
|
|
envoy_grpc:
|
|
cluster_name: spire_agent
|
|
tls_params:
|
|
ecdh_curves:
|
|
- X25519:P-256:P-521:P-384
|
|
clusters:
|
|
- name: spire_agent
|
|
connect_timeout: 0.25s
|
|
http2_protocol_options: {}
|
|
load_assignment:
|
|
cluster_name: spire_agent
|
|
endpoints:
|
|
- lb_endpoints:
|
|
- endpoint:
|
|
address:
|
|
pipe:
|
|
path: /run/spire/sockets/agent.sock
|
|
- name: local_service
|
|
connect_timeout: 1s
|
|
type: strict_dns
|
|
load_assignment:
|
|
cluster_name: local_service
|
|
endpoints:
|
|
- lb_endpoints:
|
|
- endpoint:
|
|
address:
|
|
socket_address:
|
|
address: 127.0.0.1
|
|
port_value: 80
|