@maksim-paskal
Created December 3, 2020 09:53

Simple envoy configuration with basic authentication and without authorization service

Sometimes you need to scrape Prometheus metrics from an external Envoy that is not deployed in a Kubernetes environment.

You can use iptables or similar tooling on the external server to allow only trusted IPs to scrape metrics, but for dynamic infrastructure that allow-list is sometimes hard to maintain.

Envoy can expose these metrics in a more elegant way: using basic auth.

Simple envoy.yaml

layered_runtime:
  layers:
  - name: static_layer_0
    static_layer:
      overload:
        global_downstream_max_connections: 50000
# The admin interface is bound to loopback only, so from outside the host it
# is reachable solely through the authenticated proxy listener below.
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 127.0.0.1
      port_value: 18000
static_resources:
  listeners:
  # Public listener that fronts the admin interface. It is plain HTTP, so the
  # credentials travel in cleartext unless TLS is terminated in front of it.
  - name: admin_proxy_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 18001
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: admin_proxy
          codec_type: AUTO
          route_config:
            name: admin_proxy
            virtual_hosts:
            - name: admin_proxy
              domains:
              - "*"
              routes:
              # Only requests whose Authorization header is exactly
              # "Basic " + base64("Aladdin:OpenSesame") reach the admin cluster.
              # This is a literal string comparison: scheme, case and encoding
              # must match exactly. Replace the credentials before use.
              - match:
                  prefix: "/stats/prometheus"
                  headers:
                  - name: "Authorization"
                    exact_match: "Basic QWxhZGRpbjpPcGVuU2VzYW1l"
                route:
                  cluster: admin-cluster
              # Everything else (other paths, missing or wrong credentials)
              # gets a 404, so no admin endpoint is exposed without auth.
              - match:
                  prefix: "/"
                direct_response:
                  status: "404"
          http_filters:
          - name: envoy.filters.http.router
  clusters:
  # Upstream is the local admin interface.
  - name: admin-cluster
    connect_timeout: 0.25s
    lb_policy: ROUND_ROBIN
    type: STATIC
    load_assignment:
      cluster_name: admin-cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 18000

run it

docker run -it --rm \
  -p 18001:18001 \
  -v $(pwd)/envoy.yaml:/envoy/envoy.yaml \
  envoyproxy/envoy:v1.15.2 \
  /usr/local/bin/envoy \
  --config-path /envoy/envoy.yaml \
  --log-level warn \
  --bootstrap-version 3 \
  --service-cluster test \
  --service-node test1-id \
  --service-zone test

test it

# http 404 - without basic auth
curl -I http://localhost:18001/stats/prometheus

# http 200 - with basic auth
curl --user Aladdin:OpenSesame -I http://localhost:18001/stats/prometheus
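As an added example (not part of the gist), a small Python model of the routing decision the config above makes: it derives the `exact_match` value from a credential pair and replays the curl checks, plus a couple of near-misses (lowercase scheme, wrong path), to show that the gate is a literal string comparison. The `ROUTES` table and `route()` function are my transcription of the route_config, not Envoy's own code.

```python
import base64

# Routing rules transcribed from the envoy.yaml above: (path prefix,
# required headers, action). Header names are compared case-insensitively
# (Envoy lower-cases them); header values are compared as literal strings.
ROUTES = [
    ("/stats/prometheus", {"authorization": "Basic QWxhZGRpbjpPcGVuU2VzYW1l"},
     ("cluster", "admin-cluster")),
    ("/", {}, ("direct_response", 404)),
]


def basic_auth_header(username: str, password: str) -> str:
    """Build the exact_match value for a credential pair (RFC 7617 encoding)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def route(path: str, headers: dict) -> tuple:
    """Return the action the config takes for a request: the first rule whose
    prefix matches the path and whose required headers all match exactly."""
    lowered = {name.lower(): value for name, value in headers.items()}
    for prefix, required, action in ROUTES:
        if not path.startswith(prefix):
            continue
        if all(lowered.get(name) == value for name, value in required.items()):
            return action
    # Constructed fallback for completeness; the catch-all "/" rule above
    # means this line is never reached with the page's config.
    return ("direct_response", 404)


if __name__ == "__main__":
    # Constructed sample requests mirroring the curl checks on the page.
    good = basic_auth_header("Aladdin", "OpenSesame")
    print(route("/stats/prometheus", {}))                          # no auth -> 404
    print(route("/stats/prometheus", {"Authorization": good}))     # -> admin-cluster
    print(route("/stats/prometheus",
                {"Authorization": good.replace("Basic", "basic")}))  # case differs -> 404
    print(route("/stats", {"Authorization": good}))                # wrong path -> 404
```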

On the Prometheus side, add a job to the extraScrapeConfigs file:

- job_name: external-envoy
  metrics_path: /stats/prometheus
  basic_auth:
    username: Aladdin
    password: OpenSesame
  static_configs:
  - targets:
    - <external-ip>:18001