add envoy gcp_authentication filter example

Signed-off-by: sal rashid <[email protected]>
salrashid123 · Nov 5, 2024 · 7f91364 · 7f91364
1 parent 49d09cb
commit 7f91364
Show file tree

Hide file tree

Showing 2 changed files with 147 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -170,7 +170,7 @@ r.Handle("/")
   - [golang](#golang)
   - [nodejs](#nodejs) 
   - [dotnet](#dotnet)  
-  - [gcloud](#gcloud)        
+  - [gcloud](#gcloud)      
 * [Other Runtimes](#other-runtimes)
     - [Run emulator as container](#run-emulator-as-container)    
     - [Run with containers](#run-with-containers)
@@ -184,6 +184,7 @@ r.Handle("/")
 - [Building with Bazel](#building-with-bazel)
 - [Building with Kaniko](#building-with-kaniko)
 * [GCE mTLS](#gce-mtls)
+* [Envoy Authentication Filter](#envoy-gcp-authentication-filter)  
 * [Metrics](#metrics)
 * [Testing](#testing)
 
@@ -1092,6 +1093,58 @@ Certificate:
     Signature Algorithm: ecdsa-with-SHA256
 ```
 
+## Envoy Authentication Filter
+
+[GCP Authentication Filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a way to for envoy to automatically inject an `id_token` into the upstream request.
+
+It does this as an http filter that first acquires the token from a metadata service.  If you want to use this repos' metadata service to test with, 
+
+
+run enovy 
+
+```bash
+cd example/envoy_gcp_authentication/
+
+docker cp `docker create  envoyproxy/envoy-dev:latest`:/usr/local/bin/envoy /tmp/
+
+/tmp/envoy -c sidecar.yaml -l debug
+```
+
+then when you invoke envoy, the request has the id_token added on by envoy.  The echo response in this example shows the headers upstream:
+
+
+```bash
+$ curl -v  http://localhost:18080/get
+{
+  "args": {}, 
+  "headers": {
+    "Accept": "*/*", 
+    "Authorization": "Bearer eyJhbGciOiJSU...", 
+    "Host": "localhost", 
+    "User-Agent": "curl/8.8.0", 
+    "X-Amzn-Trace-Id": "Root=1-672a30f1-74e63bf55e1f189f3eedac33", 
+    "X-Envoy-Expected-Rq-Timeout-Ms": "15000"
+  }, 
+  "origin": "71.127.34.114", 
+  "url": "https://localhost/get"
+}
+```
+
+the token has the audience set to the envoy configuration file
+
+```json
+{
+  "aud": "http://test.com",
+  "azp": "metadata-sa@$PROJECT.iam.gserviceaccount.com",
+  "email": "metadata-sa@$PROJECT.iam.gserviceaccount.com",
+  "email_verified": true,
+  "exp": 1730821889,
+  "iat": 1730818289,
+  "iss": "https://accounts.google.com",
+  "sub": "100890260483227123111"
+}
+```
+
 ## Metrics
 
 Basic latency and counter Prometheus metrics are enabled using the `--metrisEnabled` flag.

diff --git a/examples/envoy_gcp_authentication/sidecar.yaml b/examples/envoy_gcp_authentication/sidecar.yaml
@@ -0,0 +1,93 @@
+admin:
+node:
+  cluster: service_greeter
+  id: test-id
+
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address:
+        address: 0.0.0.0
+        port_value: 18080      
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          stat_prefix: ingress_http
+          codec_type: AUTO
+          http2_protocol_options: {}          
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: local_service
+              domains:
+              - "*"
+              routes:
+              - match:
+                  prefix: "/"
+                route:
+                  cluster: service_httpbin
+          http_filters:
+          - name: envoy.filters.http.gcp_authn
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig
+              http_uri:
+                uri: "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]"
+                cluster: "gcp_authn"
+                timeout: 10s       
+
+          - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router    
+
+  secrets:
+  - name: credential-bearer
+    generic_secret:
+      secret:
+        filename: "/tmp/token"
+
+  clusters:
+  - name: service_httpbin
+    connect_timeout: 0.25s
+    type: strict_dns
+    lb_policy: round_robin
+    load_assignment:
+      cluster_name: service_httpbin
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: httpbin.org
+                port_value: 443
+    typed_extension_protocol_options:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+        explicit_http_config:
+          http2_protocol_options:
+            {}
+    metadata:
+      typed_filter_metadata:
+        envoy.filters.http.gcp_authn:
+          "@type": type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.Audience
+          url: http://test.com
+    transport_socket:
+      name: envoy.transport_sockets.tls
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+
+  - name: gcp_authn
+    type: STRICT_DNS
+    connect_timeout: 5s
+    dns_lookup_family: V4_ONLY
+    load_assignment:
+      cluster_name: "gcp_authn"
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: 127.0.0.1
+                port_value: 8080