Supported templates:
- envoy-1.15
- envoy-1.16
- envoy-1.17
- istio-1.7
- istio-1.8
- istio-1.9
- envoy-config.yaml
- apigee-envoy-adapter.yaml
- envoyfilter-sidecar.yaml
- httpbin.yaml
- request-authentication.yaml
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Apigee remote service adapter: a Deployment (gRPC on 5000, health/metrics
# on 5001) and the Service that Envoy/Istio use to reach it as
# apigee-remote-service-envoy.apigee:5000. The adapter's own settings are
# read from the apigee-remote-service-envoy ConfigMap mounted at /config.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apigee-remote-service-envoy
  namespace: apigee
spec:
  replicas: 1
  selector:
    matchLabels:
      app: apigee-remote-service-envoy
  template:
    metadata:
      annotations:
        # Lets the Istio sidecar rewrite the HTTP probes below so they
        # still work when the pod is injected.
        sidecar.istio.io/rewriteAppHTTPProbers: "true"
        prometheus.io/path: /metrics
        prometheus.io/port: "5001"
        prometheus.io/scheme: https
        prometheus.io/scrape: "true"
        prometheus.io/type: prometheusspec
      labels:
        app: apigee-remote-service-envoy
        version: v1
        org: rezamt-28035-eval
        env: test
    spec:
      serviceAccountName: apigee-remote-service-envoy
      # Pod runs as an unprivileged fixed uid/gid. No container-level
      # securityContext is set; allowPrivilegeEscalation: false and
      # readOnlyRootFilesystem: true are worth adding if the adapter image
      # tolerates them — confirm before enabling.
      securityContext:
        runAsUser: 999
        runAsGroup: 999
        runAsNonRoot: true
      containers:
        - name: apigee-remote-service-envoy
          # Pinned to a release tag; a digest pin is stronger against
          # tag mutation if the deployment is meant to be reproducible.
          image: "google/apigee-envoy-adapter:v2.0.2"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 5000
          livenessProbe:
            httpGet:
              path: /healthz
              port: 5001
            failureThreshold: 1
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 5001
            failureThreshold: 30
            periodSeconds: 10
          args:
            # Debug logging is verbose and may include request details;
            # consider a quieter level outside of troubleshooting.
            - --log-level=debug
            - --config=/config/config.yaml
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
            requests:
              cpu: 10m
              memory: 100Mi
          volumeMounts:
            - mountPath: /config
              name: apigee-remote-service-envoy
              readOnly: true
      volumes:
        - name: apigee-remote-service-envoy
          configMap:
            name: apigee-remote-service-envoy
---
apiVersion: v1
kind: Service
metadata:
  name: apigee-remote-service-envoy
  namespace: apigee
  labels:
    app: apigee-remote-service-envoy
    org: rezamt-28035-eval
    env: test
spec:
  ports:
    # gRPC endpoint used by ext_authz and the access logger.
    - port: 5000
      name: grpc
  selector:
    app: apigee-remote-service-envoy
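# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This is for Envoy 1.16+.
#
# Standalone Envoy config: listens on 0.0.0.0:8080, validates Apigee JWTs
# (jwt_authn), authorizes every request through the Apigee remote service
# adapter (ext_authz over gRPC to localhost:5000), then routes to the
# helloworld target over TLS. Request access logs are streamed to the same
# adapter for Apigee analytics.
#
# Fixes applied to the generated sample:
# - the helloworld endpoint address and SNI carried a URL
#   ("http://rezamt-28035-eval-test.apigee.net/"); socket_address.address
#   for a LOGICAL_DNS cluster and sni must be a bare hostname.
# - port_value was quoted as a string in one cluster and an integer in the
#   others; it is an integer field and is written consistently now.
---
admin:
  access_log_path: /tmp/envoy_admin.log
  address:
    socket_address:
      # Loopback only: the admin API exposes configuration and control
      # endpoints and must not be reachable from outside the host.
      address: 127.0.0.1
      port_value: 9000
static_resources:
  listeners:
    - address:
        socket_address: { address: 0.0.0.0, port_value: 8080 }
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                route_config:
                  virtual_hosts:
                    - name: default
                      domains: "*"
                      routes:
                        - match: { prefix: / }
                          route:
                            cluster: helloworld
                http_filters:
                  # evaluate JWT tokens, allow_missing allows API Key also
                  # (a request with no JWT is passed on to ext_authz, which
                  # is then the only check for API-key callers)
                  - name: envoy.filters.http.jwt_authn
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
                      providers:
                        apigee:
                          issuer: https://rezamt-28035-eval-test.apigee.net/remote-token/token
                          audiences:
                            - remote-service-client
                          remote_jwks:
                            http_uri:
                              uri: https://rezamt-28035-eval-test.apigee.net/remote-token/certs
                              cluster: apigee-auth-service
                              timeout: 5s
                            cache_duration:
                              seconds: 300
                          # Verified claims are exported under this metadata
                          # key so ext_authz can forward them to the adapter.
                          payload_in_metadata: https://rezamt-28035-eval-test.apigee.net/remote-token/token
                      rules:
                        - match:
                            prefix: /
                          requires:
                            requires_any:
                              requirements:
                                - provider_name: apigee
                                - allow_missing: {}
                  # evaluate Apigee rules
                  # failure_mode_allow is left unset, so requests are
                  # rejected when the adapter is unreachable (Envoy default).
                  - name: envoy.filters.http.ext_authz
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                      transport_api_version: V3
                      grpc_service:
                        envoy_grpc:
                          cluster_name: apigee-remote-service-envoy
                        timeout: 1s
                      metadata_context_namespaces:
                        - envoy.filters.http.jwt_authn
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                access_log:
                  # collect Apigee analytics
                  - name: envoy.access_loggers.http_grpc
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig
                      common_config:
                        transport_api_version: V3
                        grpc_service:
                          envoy_grpc:
                            cluster_name: apigee-remote-service-envoy
                        log_name: apigee-remote-service-envoy
  clusters:
    # define cluster for http://rezamt-28035-eval-test.apigee.net/ target
    - name: helloworld
      connect_timeout: 2s
      type: LOGICAL_DNS
      dns_lookup_family: V4_ONLY
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: helloworld
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      # Hostname only — no scheme or path here.
                      address: rezamt-28035-eval-test.apigee.net
                      port_value: 443
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          sni: rezamt-28035-eval-test.apigee.net
          # No validation_context is configured, so the upstream certificate
          # is not verified by this sample; add
          # common_tls_context.validation_context.trusted_ca pointing at a
          # CA bundle (path depends on the Envoy image) for production use.
    # define cluster for Apigee remote service
    # Plaintext gRPC to the adapter on the local host; keep port 5000
    # reachable from this proxy only.
    - name: apigee-remote-service-envoy
      type: LOGICAL_DNS
      http2_protocol_options: {}
      load_assignment:
        cluster_name: apigee-remote-service-envoy
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: "localhost"
                      port_value: 5000
      common_lb_config:
        healthy_panic_threshold:
          value: 50.0
      health_checks:
        - timeout: 1s
          interval: 5s
          interval_jitter: 1s
          no_traffic_interval: 5s
          unhealthy_threshold: 1
          healthy_threshold: 3
          grpc_health_check: {}
      connect_timeout: 0.25s
    # define cluster for Apigee JWKS certs
    - name: apigee-auth-service
      connect_timeout: 2s
      type: LOGICAL_DNS
      dns_lookup_family: V4_ONLY
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: apigee-auth-service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: "rezamt-28035-eval-test.apigee.net"
                      port_value: 443
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          sni: "rezamt-28035-eval-test.apigee.net"
          # The JWKS used to verify tokens is fetched through this cluster.
          # Without a validation_context the server certificate is not
          # verified, so a spoofed JWKS endpoint would be accepted; set
          # common_tls_context.validation_context.trusted_ca to a CA bundle
          # (path depends on the Envoy image) before relying on this.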
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Installs an Istio EnvoyFilter in the default namespace.
# It applies to the sidecars of workloads carrying the label
# `managed-by: apigee` (see `workloadSelector` below); widen or narrow
# that selector to change which workloads are covered.
# Uses `apigee-remote-service-envoy.apigee:5000` as target.
# This is for Istio 1.7 and 1.8.
#
# Two patches are made to every matching inbound listener:
#   1. an ext_authz HTTP filter inserted before the router, so each request
#      is authorized by the Apigee adapter;
#   2. an http_grpc access logger merged into the connection manager, which
#      streams request records (with the Apigee context headers) to the
#      same adapter for analytics.
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: apigee-remote-httpbin
  namespace: default
spec:
  workloadSelector:
    labels:
      managed-by: apigee
  configPatches:
    # 1. authorization
    - applyTo: HTTP_FILTER
      match:
        proxy:
          proxyVersion: '^1\.[78].*'
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: envoy.http_connection_manager
              subFilter:
                name: envoy.router
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.ext_authz
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
            transport_api_version: V3
            grpc_service:
              google_grpc:
                target_uri: apigee-remote-service-envoy.apigee:5000
                stat_prefix: apigee-remote-service
              timeout: 1s
            # Makes the claims verified by RequestAuthentication available
            # to the adapter.
            metadata_context_namespaces:
              - envoy.filters.http.jwt_authn
    # 2. analytics
    - applyTo: NETWORK_FILTER
      match:
        proxy:
          proxyVersion: '^1\.[78].*'
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: envoy.http_connection_manager
      patch:
        operation: MERGE
        value:
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
            access_log:
              - name: envoy.access_loggers.http_grpc
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig
                  common_config:
                    transport_api_version: V3
                    log_name: apigee-remote-service
                    grpc_service:
                      google_grpc:
                        target_uri: apigee-remote-service-envoy.apigee:5000
                        stat_prefix: apigee-remote-service
                  # These headers (including the access token) travel with
                  # every log record to the adapter; that endpoint must be a
                  # trusted, mesh-internal destination.
                  additional_request_headers_to_log:
                    - ":authority" # default target header
                    # context headers
                    - x-apigee-accesstoken
                    - x-apigee-api
                    - x-apigee-apiproducts
                    - x-apigee-application
                    - x-apigee-clientid
                    - x-apigee-developeremail
                    - x-apigee-environment
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# An httpbin target example Deployment and Service.
# The pod label `managed-by: apigee` is what the Apigee EnvoyFilter and
# RequestAuthentication selectors match on; remove it to take the workload
# out of Apigee enforcement.
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: default
  labels:
    app: httpbin
spec:
  ports:
    - name: http
      port: 80
      targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
        managed-by: apigee
    spec:
      containers:
        # The image reference has no tag, so it floats to whatever the
        # registry currently publishes; pin a tag or digest for anything
        # beyond a throwaway sample.
        - image: docker.io/kennethreitz/httpbin
          imagePullPolicy: IfNotPresent
          name: httpbin
          ports:
            - containerPort: 80
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Note: An AuthorizationPolicy sample is shown below and commented out.
# By not having an AuthorizationPolicy, either API Keys or JWTs can be
# used by clients. If you enable the AuthorizationPolicy, JWT tokens will
# be required and API Keys will not work by themselves.
#
# RequestAuthentication on its own rejects only *invalid* tokens for the
# configured issuer; a request with no token still passes through, which is
# what lets API-key callers reach the Apigee ext_authz check.
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: apigee
  namespace: default
spec:
  selector:
    matchLabels:
      managed-by: apigee
  jwtRules:
    - issuer: https://rezamt-28035-eval-test.apigee.net/remote-token/token
      # Keys are fetched over HTTPS from the Apigee remote-token endpoint.
      jwksUri: https://rezamt-28035-eval-test.apigee.net/remote-token/certs
# Optional: require a verified JWT principal on every request.
# ---
# apiVersion: security.istio.io/v1beta1
# kind: AuthorizationPolicy
# metadata:
#   name: apigee
#   namespace: default
# spec:
#   selector:
#     matchLabels:
#       managed-by: apigee
#   rules:
#     - from:
#         - source:
#             requestPrincipals: ["*"]