
feat(strm-1332): update jwks endpoints for event gateway and web socket (#20)

* feat(strm-1332): update jwks endpoints for event gateway and web socket

* feat(strm-1332): add missing lua in filter chain

* feat(strm-1332): add lua script and update envoy yaml

Co-authored-by: Robin Trietsch <robin@strmprivacy.io>
trietsch and trietsch authored Jul 15, 2022
1 parent 9f600aa commit 3f4affc
Showing 6 changed files with 109 additions and 63 deletions.
2 changes: 1 addition & 1 deletion .husky/pre-commit
Expand Up @@ -3,4 +3,4 @@

#mandatory flag --rerun-tasks, otherwise build will be successful second run without making changes
# once we have some more meat in the chart, add `--strict`
helm lint helm --with-subcharts
helm lint helm --with-subcharts --set registry.imagePullSecret="dummy"
56 changes: 43 additions & 13 deletions helm/resources/event-gateway/envoy.yaml
Expand Up @@ -73,25 +73,55 @@ static_resources:
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
providers:
google-jwt:
issuer: 'https://securetoken.google.com/{{ .Values.registry.base.prefix }}'
audiences:
- {{ .Values.registry.base.prefix }}
forward: true
accounts-streams-jwt:
issuer: 'https://{{ .Values.api.authHost }}/auth/realms/streams'
payload_in_metadata: jwt_payload
remote_jwks:
http_uri:
uri: https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com
cluster: jwt.www.googleapis.com|443
timeout: 30s
cache_duration: 300s
uri: "https://{{ .Values.api.authHost }}/auth/realms/streams/protocol/openid-connect/certs"
cluster: {{ .Values.api.authHost }}
timeout: 5s
cache_duration: 600s
async_fetch:
fast_listener: false
retry_policy:
retry_back_off:
base_interval: 0.01s
max_interval: 20s
num_retries: 10
rules:
- match:
path: "/event"
headers:
- name: ":method"
exact_match: "POST"
requires:
provider_name: "google-jwt"
provider_name: "accounts-streams-jwt"
- name: envoy.lua
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
inline_code: |
function envoy_on_request(request_handle)
local auth = request_handle:streamInfo():dynamicMetadata():get("envoy.filters.http.jwt_authn")
-- unset client id header
request_handle:headers():remove("strm-client-id")
if auth
then
if auth["jwt_payload"].clientId
then
-- Keycloak Users Realm JWTs
request_handle:headers():add("strm-client-id", auth["jwt_payload"].clientId)
else
local content = "{\"error\": \"Client ID is missing in the provided JWT\"}"
request_handle:logWarn("Client ID is missing in provided JWT.")
request_handle:respond({[":status"] = "401",
["content-type"] = "application/json"
}, content)
end
end
end
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
Expand Down Expand Up @@ -125,19 +155,19 @@ static_resources:
socket_address:
address: 127.0.0.1
port_value: {{ .Values.components.eventGateway.configuration.appPort }}
- name: jwt.www.googleapis.com|443
- name: {{ .Values.api.authHost }}
type: LOGICAL_DNS
dns_lookup_family: V4_ONLY
connect_timeout: 20s
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: jwt.www.googleapis.com|443
cluster_name: {{ .Values.api.authHost }}
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: www.googleapis.com
address: {{ .Values.api.authHost }}
port_value: 443
transport_socket:
name: envoy.transport_sockets.tls
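Review bot: The `accounts-streams-jwt` provider added in the first hunk has no `audiences:` list, while the `google-jwt` provider it replaces restricted tokens to `{{ .Values.registry.base.prefix }}`; Envoy's jwt_authn skips the `aud` check when no audiences are configured, so any token the realm issues for any client is accepted on `POST /event`. Unless the realm only issues tokens for this gateway, an `audiences:` list with the expected client id(s) should be restored; the provider in helm/resources/web-socket/envoy.yaml has the same omission. The replaced provider also had `forward: true`, which the new one drops, so the Authorization header is now stripped after verification and the upstream on `appPort` only sees the `strm-client-id` header the Lua filter adds — fine if that is what it expects, but worth confirming. The templated `cluster: {{ .Values.api.authHost }}`, and the cluster `name`/`cluster_name` in the second hunk, should be quoted like the `uri` above them, `cluster: "{{ .Values.api.authHost }}"`, so an empty or YAML-retyped value does not render an invalid cluster reference.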
106 changes: 61 additions & 45 deletions helm/resources/web-socket/envoy.yaml
Expand Up @@ -22,13 +22,13 @@ static_resources:
- upgrade_type: websocket
access_log:
- name: envoy.access_loggers.file
# filter:
# status_code_filter:
# comparison:
# op: GE
# value:
# default_value: 500
# runtime_key: access_log.access_error.status
filter:
status_code_filter:
comparison:
op: GE
value:
default_value: 500
runtime_key: access_log.access_error.status
typed_config:
"@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog"
path: /dev/stdout
Expand All @@ -45,15 +45,15 @@ static_resources:
- name: ":method"
exact_match: "GET"
route:
cluster: egress
cluster: web_socket
prefix_rewrite: "/is-alive"
- match:
prefix: "/"
headers:
- name: ":method"
exact_match: "GET"
route:
cluster: egress
cluster: web_socket
http_filters:
- name: envoy.filters.http.health_check
typed_config:
Expand All @@ -66,17 +66,22 @@ static_resources:
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
providers:
google-jwt:
issuer: 'https://securetoken.google.com/{{ .Values.registry.base.prefix }}'
audiences:
- {{ .Values.registry.base.prefix }}
forward: true
accounts-streams-jwt:
issuer: 'https://{{ .Values.api.authHost }}/auth/realms/streams'
payload_in_metadata: jwt_payload
remote_jwks:
http_uri:
uri: https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com
cluster: jwt.www.googleapis.com|443
timeout: 30s
cache_duration: 300s
uri: "https://{{ .Values.api.authHost }}/auth/realms/streams/protocol/openid-connect/certs"
cluster: {{ .Values.api.authHost }}
timeout: 5s
cache_duration: 600s
async_fetch:
fast_listener: false
retry_policy:
retry_back_off:
base_interval: 0.01s
max_interval: 20s
num_retries: 10
rules:
- match:
path: "/"
Expand All @@ -89,27 +94,52 @@ static_resources:
- name: ":method"
exact_match: "GET"
requires:
provider_name: "google-jwt"
provider_name: "accounts-streams-jwt"
- name: envoy.lua
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
inline_code: |
function envoy_on_request(request_handle)
local auth = request_handle:streamInfo():dynamicMetadata():get("envoy.filters.http.jwt_authn")
-- unset client id header
request_handle:headers():remove("strm-client-id")
if auth
then
if auth["jwt_payload"].clientId
then
-- Keycloak Users Realm JWTs
request_handle:headers():add("strm-client-id", auth["jwt_payload"].clientId)
else
local content = "{\"error\": \"Client ID is missing in the provided JWT\"}"
request_handle:logWarn("Client ID is missing in provided JWT.")
request_handle:respond({[":status"] = "401",
["content-type"] = "application/json"
}, content)
end
end
end
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
start_child_span: false
suppress_envoy_headers: true
upstream_log:
- name: envoy.upstream_loggers.file
# filter:
# status_code_filter:
# comparison:
# op: GE
# value:
# default_value: 500
# runtime_key: upstream_log.access_error.status
filter:
status_code_filter:
comparison:
op: GE
value:
default_value: 500
runtime_key: upstream_log.access_error.status
typed_config:
"@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog"
path: /dev/stdout

clusters:
- name: egress
- name: web_socket
type: LOGICAL_DNS
dns_lookup_family: V4_ONLY
connect_timeout: 2s
Expand All @@ -122,41 +152,27 @@ static_resources:
header_key_format:
proper_case_words: {}
load_assignment:
cluster_name: egress
cluster_name: web_socket
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 127.0.0.1
port_value: {{ .Values.components.webSocket.configuration.appPort }}
- name: health
type: LOGICAL_DNS
dns_lookup_family: V4_ONLY
connect_timeout: 2s
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: health
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: localhost
port_value: {{ .Values.components.webSocket.configuration.appPort }}
- name: jwt.www.googleapis.com|443
- name: {{ .Values.api.authHost }}
type: LOGICAL_DNS
dns_lookup_family: V4_ONLY
connect_timeout: 20s
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: jwt.www.googleapis.com|443
cluster_name: {{ .Values.api.authHost }}
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: www.googleapis.com
address: {{ .Values.api.authHost }}
port_value: 443
transport_socket:
name: envoy.transport_sockets.tls
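Review bot: Enabling the `status_code_filter` with `op: GE` and `value: 500` on both the access log and the upstream log drops every 4xx from /dev/stdout, including the 401 the new Lua filter sends when `clientId` is missing and jwt_authn's own 401/403 local replies, so failed-authentication attempts against the web socket no longer appear in the logs. If the goal is to quiet healthy traffic, `default_value: 400` keeps auth failures visible, and the `runtime_key` already present allows lowering the threshold at runtime without a redeploy. The `health` cluster is removed and the `/is-alive` route now targets `web_socket`; the `envoy.filters.http.health_check` typed_config just above the jwt_authn filter is cut off by the hunk, so check that it does not still reference `health`.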
2 changes: 1 addition & 1 deletion helm/templates/_helpers.tpl
Expand Up @@ -33,7 +33,7 @@
- name: STRM_API_PORT
value: "{{.Values.api.port }}"
- name: STRM_AUTH_URL
value: {{ .Values.api.authUrl }}
value: "https://{{ .Values.api.authHost }}"
- name: STRM_AUTH_CLIENT_ID
valueFrom:
secretKeyRef:
4 changes: 2 additions & 2 deletions helm/values.schema.json
Expand Up @@ -96,7 +96,7 @@
"required": [
"host",
"port",
"authUrl"
"authHost"
],
"properties": {
"host": {
Expand All @@ -107,7 +107,7 @@
"type": "integer",
"default": 0
},
"authUrl": {
"authHost": {
"type": "string",
"default": ""
}
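Review bot: Listing `authHost` under `required` only checks that the key is present, and with `"default": ""` an empty string still validates, which the templates turn into a JWKS `uri` of `https:///auth/realms/...` and an empty cluster name in both envoy.yaml files. Adding `"minLength": 1` (or `"format": "hostname"`) to the `authHost` property lets `helm lint` and `helm install` reject the empty value instead of rendering a broken config.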
2 changes: 1 addition & 1 deletion helm/values.yaml
Expand Up @@ -23,7 +23,7 @@ license:
api:
host: "api.strmprivacy.io"
port: 443
authUrl: "https://accounts.strmprivacy.io"
authHost: "accounts.strmprivacy.io"

prometheus:
enabled: true
