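---
# Envoy bootstrap for the gateway, shipped as a ConfigMap. Only the listeners,
# the letsencrypt cluster and the admin/runtime settings are static here; the
# HTTPS route table (RDS) and the remaining clusters (CDS) are read from files
# under /config_map/xds.
apiVersion: v1
kind: ConfigMap
metadata:
  name: gateway-envoy-config
data:
  envoy.yaml: |
    static_resources:
      listeners:
        # Plain-HTTP listener: serves ACME challenges and redirects everything
        # else to HTTPS.
        #
        # Listener names matter: the
        # envoy.resource_limits.listener.<name>.connection_limit runtime keys in
        # layered_runtime below are matched against them. An unnamed listener is
        # given a generated name, so a limit keyed by any fixed name would apply
        # to no listener at all.
        - name: http
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 8080
          filter_chains:
            - filters:
                - name: envoy.filters.network.http_connection_manager
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                    codec_type: AUTO
                    stat_prefix: ingress_http
                    access_log:
                      name: json_access_log
                      typed_config:
                        "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
                        log_format:
                          json_format:
                            message: "%LOCAL_REPLY_BODY%"
                            status: "%RESPONSE_CODE%"
                            duration: "%DURATION%"
                            remote_address: "%DOWNSTREAM_REMOTE_ADDRESS%"
                            # X-Real-IP is copied from the request, i.e. it is
                            # client-supplied unless a proxy in front of this
                            # gateway sets it; remote_address is the peer address.
                            x_real_ip: "%REQ(X-Real-IP)%"
                            request_start_time: "%START_TIME%"
                            bytes_sent: "%BYTES_SENT%"
                            http_referer: "%REQ(Referer)%"
                            http_user_agent: "%REQ(User-Agent)%"
                    route_config:
                      name: http_routes
                      virtual_hosts:
                        # Virtual host with a domain that matches nothing real
                        # and no routes.
                        - name: revoke
                          domains:
                            - "bogus-for-revoke.*"
                          routes: []
                        - name: default_http
                          domains: ["*"]
                          routes:
                            # ACME HTTP-01 challenges are proxied to the
                            # letsencrypt cluster; timeout 0s disables the
                            # route timeout.
                            - match:
                                prefix: "/.well-known/acme-challenge"
                              route:
                                timeout: 0s
                                cluster: letsencrypt
                            # Everything else is redirected to https.
                            - match:
                                prefix: "/"
                              redirect:
                                https_redirect: true
                    http_filters:
                      - name: envoy.filters.http.router
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
        # TLS listener: requests are authorized by the auth service, then routed
        # by the route table loaded from /config_map/xds/rds.yaml.
        - name: https
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 8443
          filter_chains:
            - filters:
                - name: envoy.filters.network.http_connection_manager
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                    codec_type: AUTO
                    stat_prefix: ingress_http
                    upgrade_configs:
                      - upgrade_type: websocket
                    # The immediate peer address is treated as the client
                    # address and is still appended to X-Forwarded-For.
                    use_remote_address: true
                    skip_xff_append: false
                    access_log:
                      name: json_access_log
                      typed_config:
                        "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
                        log_format:
                          json_format:
                            message: "%LOCAL_REPLY_BODY%"
                            status: "%RESPONSE_CODE%"
                            duration: "%DURATION%"
                            remote_address: "%DOWNSTREAM_REMOTE_ADDRESS%"
                            # Client-supplied unless set by an upstream proxy.
                            x_real_ip: "%REQ(X-Real-IP)%"
                            request_start_time: "%START_TIME%"
                            bytes_sent: "%BYTES_SENT%"
                            http_referer: "%REQ(Referer)%"
                            http_user_agent: "%REQ(User-Agent)%"
                    # Route table is read from a file and reloaded when the
                    # watched directory changes.
                    rds:
                      route_config_name: https_routes
                      config_source:
                        resource_api_version: V3
                        path_config_source:
                          path: /config_map/xds/rds.yaml
                          watched_directory:
                            path: /config_map/xds
                    http_filters:
                      # Requests are checked against the auth service before
                      # routing (unless a route disables the filter).
                      # failure_mode_allow is not set, so Envoy's default
                      # applies and an auth outage fails closed.
                      - name: envoy.filters.http.ext_authz
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                          http_service:
                            server_uri:
                              uri: https://auth:443
                              cluster: auth
                              timeout: 0.25s
                            # The original request path is appended after "url=".
                            path_prefix: /api/v1alpha/verify_dev_credentials?url=
                            authorization_request:
                              # Only these request headers are forwarded to
                              # the auth service.
                              allowed_headers:
                                patterns:
                                  - exact: "Cookie"
                                    ignore_case: true
                                  - exact: "X-Hail-Internal-Authorization"
                                    ignore_case: true
                      # No token_bucket is configured here, so this filter
                      # enforces nothing on its own; presumably per-route
                      # limits are set in the RDS route config — confirm.
                      - name: envoy.filters.http.local_ratelimit
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
                          stat_prefix: http_local_rate_limiter
                      - name: envoy.filters.http.router
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                    # A locally generated 401 (e.g. an ext_authz denial) is
                    # turned into a 302 to the login page, carrying the
                    # original authority and path.
                    local_reply_config:
                      mappers:
                        - filter:
                            status_code_filter:
                              comparison:
                                op: EQ
                                value:
                                  default_value: 401
                                  runtime_key: key_b
                          headers_to_add:
                            - header:
                                key: "Location"
                                value: "https://auth.{{ domain }}/login?https://:authority:path"
                              append: false
                          status_code: 302
              transport_socket:
                name: envoy.transport_sockets.tls
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
                  common_tls_context:
                    tls_certificates:
                      - certificate_chain:
                          filename: /etc/letsencrypt/fullchain.pem
                        private_key:
                          filename: /etc/letsencrypt/privkey.pem
                    # TLS 1.2 minimum; only ECDHE + AES-GCM suites are offered.
                    tls_params:
                      tls_minimum_protocol_version: TLSv1_2
                      cipher_suites:
                        - ECDHE-ECDSA-AES128-GCM-SHA256
                        - ECDHE-RSA-AES128-GCM-SHA256
                        - ECDHE-ECDSA-AES256-GCM-SHA384
                        - ECDHE-RSA-AES256-GCM-SHA384
      clusters:
        # Target for ACME challenge traffic; other clusters come from CDS.
        - name: letsencrypt
          type: STRICT_DNS
          lb_policy: ROUND_ROBIN
          load_assignment:
            cluster_name: letsencrypt
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: letsencrypt.default.svc.cluster.local
                          port_value: 80
    # NOTE(review): the admin API is unauthenticated and bound to all
    # interfaces, so it is reachable from anything that can reach pod port
    # 8001. Confirm it is not exposed by a Service and is covered by a
    # NetworkPolicy, or bind it to 127.0.0.1 if no in-cluster scraper needs it.
    admin:
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 8001
    layered_runtime:
      layers:
        - name: static_layer_0
          static_layer:
            envoy:
              resource_limits:
                listener:
                  # Keyed by listener name (see static_resources.listeners);
                  # caps open connections per listener.
                  http:
                    connection_limit: 10000
                  https:
                    connection_limit: 10000
    # Clusters are read from a file and reloaded when the watched directory
    # changes.
    dynamic_resources:
      cds_config:
        resource_api_version: V3
        path_config_source:
          path: /config_map/xds/cds.yaml
          watched_directory:
            path: /config_map/xds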