[nonrtric.git] / service-exposure / templates / EnvoyFilter-template.txt
# Istio EnvoyFilter template: patches the outbound side of the selected
# workload's sidecar with a Lua HTTP filter. The {{...}} fields are
# placeholders filled in when the template is rendered.
# NOTE(review): the placeholders are substituted into YAML here and into Lua
# string literals further down; the renderer presumably has to validate the
# values (no quotes, line breaks or YAML metacharacters) - confirm.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: {{.Name}}-outbound-filter
  namespace: {{.Namespace}} 
spec:
  # Only workloads carrying this label receive the patches below.
  workloadSelector:
    labels:
      app.kubernetes.io/name: {{.Name}} 
  configPatches:
    # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_OUTBOUND
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.router"
    patch:
      # Inserted ahead of the router filter matched above.
      operation: INSERT_BEFORE
      value: # lua filter specification
        name: envoy.lua
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          # The Lua source is embedded as a literal block; every line of it
          # must stay indented deeper than this key.
          inlineCode: |
28             function envoy_on_request(request_handle)
29               local uri = request_handle:headers():get(":path")
30               local method = request_handle:headers():get(":method")
31               if (method ~= "POST" and uri ~= "/auth/realms/{{.Realm}}/protocol/openid-connect/token")
32               then
33                -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
34                local headers, body = request_handle:httpCall(
35                 "jwt_cluster",
36                 {
37                  [":method"] = "GET",
38                  [":path"] = "/token",
39                  [":authority"] = "jwt-proxy",
40                  ["realm"] = "{{.Realm}}",
41                  ["client"] = "{{.Client}}",
42                  ["authenticator"] = "{{.Authenticator}}",
43                  ["caCrt"] = "{{.CaCrt}}",
44                  ["tlsCrt"] = "{{.TlsCrt}}",
45                  ["tlsKey"] = "{{.TlsKey}}",
46                  ["ns"] = "{{.Namespace}}"
47                 },
48                "jwt call",
49                5000)
50                if (headers["authorization"] ~= nil)
51                then
52                    request_handle:headers():add("authorization", headers["authorization"])
53                end
54               end
55             end
  # The second patch adds the upstream cluster that the Lua filter's
  # httpCall("jwt_cluster", ...) refers to by name.
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value: # cluster specification
        name: jwt_cluster
        type: STRICT_DNS
        # NOTE(review): 60s is far above the 5000 ms budget the filter gives
        # its httpCall, so this limit looks unreachable from that caller.
        connect_timeout: 60s
        lb_policy: ROUND_ROBIN
        # NOTE(review): no transport_socket is set on this cluster, so the
        # token request and the headers it carries appear to go out as plain
        # HTTP - confirm that the hop never leaves the pod.
        load_assignment:
          cluster_name: jwt_cluster
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    # NOTE(review): 0.0.0.0 is a wildcard bind address, not a
                    # destination; if jwt-proxy runs in the same pod,
                    # 127.0.0.1 would state that explicitly - confirm target.
                    address: 0.0.0.0
                    port_value: 8888