1 #
2 # ============LICENSE_START=======================================================
3 #  Copyright (C) 2022 Nordix Foundation.
4 # ================================================================================
5 # Licensed under the Apache License, Version 2.0 (the "License");
6 # you may not use this file except in compliance with the License.
7 # You may obtain a copy of the License at
8 #
9 #      http://www.apache.org/licenses/LICENSE-2.0
10 #
11 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS,
13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 # See the License for the specific language governing permissions and
15 # limitations under the License.
16 #
17 # SPDX-License-Identifier: Apache-2.0
18 # ============LICENSE_END=========================================================
19 #
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: {{.Name}}-outbound-filter
  namespace: {{.Namespace}}
spec:
  # Selects the pods of the calling workload; the filter below runs in the
  # sidecar of that workload, on its outbound traffic (SIDECAR_OUTBOUND).
  workloadSelector:
    labels:
      app.kubernetes.io/name: {{.Name}}
  configPatches:
    # Patch 1: a Lua filter inserted ahead of the router in the outbound HTTP
    # connection manager, so it sees every outbound HTTP request of the
    # selected workload before it is forwarded.
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_OUTBOUND
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
        name: envoy.lua
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            -- NOTE(review): the .Realm, .Client, .Authenticator and .Namespace
            -- template values are pasted into this Lua source unescaped. A
            -- quote or newline in any of them changes the filter's code, so
            -- they must come from trusted configuration, never from request
            -- data.
            --
            -- Obtain a token from the jwt-proxy and attach it as the
            -- authorization header of the outbound request. Every request the
            -- guard lets through gets the token, whatever its destination
            -- host, so the bearer token is also sent to third-party services
            -- the workload calls; scope the selector or the guard accordingly.
            function envoy_on_request(request_handle)
              local verb = request_handle:headers():get(":method")
              local path = request_handle:headers():get(":path")
              local token_endpoint = "/auth/realms/{{.Realm}}/protocol/openid-connect/token"

              -- Skip POSTs and any request to the Keycloak token endpoint
              -- (De Morgan form of the original
              -- `method ~= "POST" and uri ~= <token endpoint>` test).
              -- NOTE(review): because the original test is an AND, no POST
              -- ever receives a token. If the intent was only to avoid
              -- recursing on the token request itself (a POST to the token
              -- endpoint), the skip condition should read
              -- `verb == "POST" and path == token_endpoint`; confirm.
              if verb == "POST" or path == token_endpoint then
                return
              end

              -- Ask the jwt-proxy (the cluster added by the second patch) for
              -- a token. Realm, client, authenticator and namespace travel as
              -- plain request headers; the call is bounded to 5000 ms.
              local reply_headers = request_handle:httpCall(
                "jwt_cluster",
                {
                  [":method"] = "GET",
                  [":path"] = "/token",
                  [":authority"] = "jwt-proxy",
                  ["realm"] = "{{.Realm}}",
                  ["client"] = "{{.Client}}",
                  ["authenticator"] = "{{.Authenticator}}",
                  ["ns"] = "{{.Namespace}}"
                },
                "jwt call",
                5000)

              -- Copy the proxy's authorization header onto the request.
              -- This is fail-open: if the proxy is unreachable, times out or
              -- answers without an authorization header, nothing is added and
              -- the request leaves without a token, leaving the backend to
              -- reject it. `add` appends rather than replaces, so an
              -- authorization header already set by the application is kept
              -- alongside the new one.
              local token = reply_headers["authorization"]
              if token ~= nil then
                request_handle:headers():add("authorization", token)
              end
            end
    # Patch 2: the cluster the Lua filter calls for tokens.
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value: # cluster specification
        name: jwt_cluster
        type: STRICT_DNS
        lb_policy: ROUND_ROBIN
        connect_timeout: 60s
        load_assignment:
          cluster_name: jwt_cluster
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    # NOTE(review): 0.0.0.0:8888 is presumably the jwt-proxy
                    # container in the same pod; confirm. The hop is plaintext
                    # HTTP with no TLS or peer verification, so the token is
                    # only as protected as the pod's network namespace.
                    address: 0.0.0.0
                    port_value: 8888