Envoy OPA配置示例

目录

• 架构示例
• envoy.yaml
• policy.rego
• docker-compose.yaml

 

---

回到顶部

架构示例

回到顶部

envoy.yaml

node:
  id: "backend"
  cluster: "demo-cluster-spire"
  
static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 8000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: AUTO
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: upstream
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: upstream-service
          http_filters:
          - name: envoy.filters.http.ext_authz   # OPA
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              with_request_body:
                max_request_bytes: 8192
                allow_partial_message: true
              failure_mode_allow: false              
              grpc_service:
                envoy_grpc:
                  cluster_name: ext_authz-opa-service
                timeout: 0.250s
              transport_api_version: V3
          - name: envoy.filters.http.router

      transport_socket:
        name: envoy.transport_sockets.tls    # spire
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificate_sds_secret_configs:
            - name: "spiffe://wgs.com/backend-server"
              sds_config:
                api_config_source:
                  api_type: GRPC
                  grpc_services:
                    envoy_grpc:
                      cluster_name: spire_agent
                  transport_api_version: V3
                resource_api_version: V3
            combined_validation_context:
              # validate the SPIFFE ID of incoming clients (optionally)
              default_validation_context:
                match_subject_alt_names:
                  exact: "spiffe://wgs.com/frontend-server"
              # obtain the trust bundle from SDS
              validation_context_sds_secret_config:
                name: "spiffe://wgs.com"
                sds_config:
                  api_config_source:
                    api_type: GRPC
                    grpc_services:
                      envoy_grpc:
                        cluster_name: spire_agent
                    transport_api_version: V3
                  resource_api_version: V3
            tls_params:
              ecdh_curves:
                - X25519:P-256:P-521:P-384


  clusters:

  - name: spire_agent
    connect_timeout: 0.25s
    http2_protocol_options: {}
    load_assignment:  
      cluster_name: spire_agent
      endpoints:  
      - lb_endpoints: 
        - endpoint: 
            address:  
              pipe: 
                path: /tmp/agent.sock

  - name: upstream-service
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: upstream-service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 80

  - name: ext_authz-opa-service     # openpolicyagent/opa:latest-envoy
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: ext_authz-opa-service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: ext_authz-opa-service
                port_value: 9191

回到顶部

policy.rego

package envoy.authz
  
import input.attributes.request.http as http_request

default allow = false

response := {
  "allowed": true,
  "headers": {"x-current-user": "OPA"}
}

allow = response {
  http_request.method == "GET"
}

allow = response {
  http_request.method == "POST"
  glob.match("/livez", ["/"], http_request.path)
}

回到顶部

docker-compose.yaml

version: "3.7"
services:

  spire-server:
    image: uhub.service.ucloud.cn/xk-base/spire-server:1.4.0
    hostname: spire-server
    volumes:
      - ./conf/spire-server.conf /opt/spire/conf/server/server.conf
      - ./conf/agent-cacert.crt.pem /opt/spire/conf/server/agent-cacert.pem
    tty: true
    privileged: true
    networks:
      envoymesh:
        aliases:
          - spire-server

  front-envoy:
    image: envoyproxy/envoy:v1.23-latest
    volumes:
      - ./front-envoy/front-envoy-zipkin.yaml:/etc/envoy/envoy.yaml
    networks:
      envoymesh:
        aliases:
        - front-envoy
        - front
    ports:
    - "8000:8000"
    - "9901:9901"

  upstream-service:
    image: nginx
    network_mode: "service:front-envoy"
    depends_on:
    - front-envoy

  ext_authz-opa-service:
    image: openpolicyagent/opa:latest-envoy
    volumes:
      - ./policy.rego:/etc/policy.rego
    ports:
      - "9191:9191"
    command:
      - run
      - --server
      - --addr=localhost:8181
      - --diagnostic-addr=0.0.0.0:8282
      - --set=services.default.url=http://127.0.0.1:8888
      - --set=bundles.default.resource=bundle.tar.gz
      - --set=plugins.envoy_ext_authz_grpc.addr=:9191
      - --set=plugins.envoy_ext_authz_grpc.path=envoy/authz/allow
      - --set=decision_logs.console=true
      - --set=status.console=true
      - --ignore=.*
      - /etc/policy.rego
    networks:
      envoymesh:
        aliases:
          - opa

networks:
  envoymesh:
    driver: bridge
    ipam:
      config:
        - subnet: 172.31.92.0/24