Skip to content

Instantly share code, notes, and snippets.

@BrooksCunningham

BrooksCunningham/envoy-ngwaf-ext_authz-deployment.yaml

Created February 6, 2025 14:45
Show Gist options
  • Save BrooksCunningham/fa273f88e42106ddecb482932a403b65 to your computer and use it in GitHub Desktop.
Save BrooksCunningham/fa273f88e42106ddecb482932a403b65 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
envoy-ngwaf-ext_authz-deployment.yaml
# ConfigMap: Contains the updated Envoy configuration with ext_authz integration.
apiVersion: v1
kind: ConfigMap
metadata:
name: envoy-config
data:
envoy.yaml: |
node:
id: proxy-node
cluster: proxy-cluster
static_resources:
listeners:
- name: listener_0
address:
socket_address:
address: 0.0.0.0
port_value: 10000
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
route_config:
name: local_route
virtual_hosts:
- name: backend
domains: ["*"]
routes:
- match:
prefix: "/"
route:
cluster: edge_cluster
host_rewrite_literal: "http.edgecompute.app"
cors:
allow_origin_string_match:
- prefix: "*"
allow_methods: GET, PUT, DELETE, POST, OPTIONS
allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
max_age: "1728000"
expose_headers: custom-header-1,grpc-status,grpc-message
access_log:
- name: envoy.access_loggers.stdout
typed_config:
"@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
- name: envoy.http_grpc_access_log
typed_config:
"@type": type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig
common_config:
log_name: "sigsci-agent-grpc"
transport_api_version: V3
grpc_service:
envoy_grpc:
cluster_name: sigsci-agent-grpc
timeout: 0.2s
additional_request_headers_to_log:
# These sigsci-agent headers are required for correct processing:
- "x-sigsci-request-id"
- "x-sigsci-waf-response"
# Optionally, additional headers can be added that should be recorded:
- "accept"
- "content-type"
- "content-length"
additional_response_headers_to_log:
- "date"
- "server"
- "content-type"
- "content-length"
http_filters:
# ext_authz filter calls the NGWAF agent via gRPC.
- name: envoy.filters.http.ext_authz
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
transport_api_version: V3
grpc_service:
envoy_grpc:
cluster_name: sigsci-agent-grpc
failure_mode_allow: false
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
# Cluster for forwarding requests to https://http.edgecompute.app.
- name: edge_cluster
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: edge_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: http.edgecompute.app
port_value: 443
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: "http.edgecompute.app"
# Cluster used by the ext_authz filter to contact the NGWAF agent.
- name: sigsci-agent-grpc
connect_timeout: 0.25s
type: STATIC
lb_policy: ROUND_ROBIN
http2_protocol_options: {} # <--- This tells Envoy to use HTTP/2 for gRPC
load_assignment:
cluster_name: sigsci-agent-grpc
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
# Both containers share the same network namespace.
address: 127.0.0.1
port_value: 9999
---
# Deployment: Combines the Envoy proxy and the Next‑Gen WAF Agent sidecar.
apiVersion: apps/v1
kind: Deployment
metadata:
name: envoy-waf-deployment
spec:
replicas: 1
selector:
matchLabels:
app: envoy-waf
template:
metadata:
labels:
app: envoy-waf
spec:
containers:
# Envoy container – set to use debug logging for detailed output.
- name: envoy
image: envoyproxy/envoy:v1.22-latest
args:
- "-c"
- "/etc/envoy/envoy.yaml"
- "-l"
- "debug" # Change to "trace" for even more verbosity.
ports:
- containerPort: 10000
volumeMounts:
- name: envoy-config
mountPath: /etc/envoy
# Next‑Gen WAF Agent container (sigsci-agent) configured for ext_authz (gRPC mode).
- name: sigsci-agent
image: signalsciences/sigsci-agent:latest
imagePullPolicy: IfNotPresent
env:
- name: SIGSCI_ACCESSKEYID
valueFrom:
secretKeyRef:
name: sigsci.my-site-name-here
key: accesskeyid
- name: SIGSCI_SECRETACCESSKEY
valueFrom:
secretKeyRef:
name: sigsci.my-site-name-here
key: secretaccesskey
# Instruct the agent to expect response data and configure its gRPC address.
- name: SIGSCI_ENVOY_EXPECT_RESPONSE_DATA
value: "1"
- name: SIGSCI_ENVOY_GRPC_ADDRESS
value: "localhost:9999"
- name: SIGSCI_DEBUG_ALL_THE_THINGS
value: "true"
- name: SIGSCI_WAF_DATA_LOG
value: "/dev/stdout"
ports:
- containerPort: 9999
securityContext:
readOnlyRootFilesystem: true
volumes:
- name: envoy-config
configMap:
name: envoy-config
---
# Service: Exposes the Envoy listener on port 10000.
apiVersion: v1
kind: Service
metadata:
name: envoy
spec:
selector:
app: envoy-waf
ports:
- protocol: TCP
port: 10000
targetPort: 10000
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment