mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-23 05:57:19 +02:00
envoy: Initial changes
This commit is contained in:
Travis Groth
parent
8f78497e99
commit
99e788a9b4
107 changed files with 2542 additions and 3322 deletions
136
internal/controlplane/xds_routes.go
Normal file
136
internal/controlplane/xds_routes.go
Normal file
|
|
@ -0,0 +1,136 @@
|
|||
package controlplane
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
|
||||
envoy_type_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
|
||||
"github.com/golang/protobuf/ptypes/any"
|
||||
|
||||
"github.com/pomerium/pomerium/config"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
)
|
||||
|
||||
func (srv *Server) buildGRPCRoutes() []*envoy_config_route_v3.Route {
|
||||
action := &envoy_config_route_v3.Route_Route{
|
||||
Route: &envoy_config_route_v3.RouteAction{
|
||||
ClusterSpecifier: &envoy_config_route_v3.RouteAction_Cluster{
|
||||
Cluster: "pomerium-control-plane-grpc",
|
||||
},
|
||||
},
|
||||
}
|
||||
return []*envoy_config_route_v3.Route{{
|
||||
Name: "pomerium-grpc",
|
||||
Match: &envoy_config_route_v3.RouteMatch{
|
||||
PathSpecifier: &envoy_config_route_v3.RouteMatch_Prefix{
|
||||
Prefix: "/",
|
||||
},
|
||||
Grpc: &envoy_config_route_v3.RouteMatch_GrpcRouteMatchOptions{},
|
||||
},
|
||||
Action: action,
|
||||
TypedPerFilterConfig: map[string]*any.Any{
|
||||
"envoy.filters.http.ext_authz": disableExtAuthz,
|
||||
},
|
||||
}}
|
||||
}
|
||||
|
||||
func (srv *Server) buildPomeriumHTTPRoutes(options config.Options, domain string) []*envoy_config_route_v3.Route {
|
||||
routes := []*envoy_config_route_v3.Route{
|
||||
srv.buildControlPlanePathRoute("/ping"),
|
||||
srv.buildControlPlanePathRoute("/healthz"),
|
||||
srv.buildControlPlanePathRoute("/.pomerium"),
|
||||
srv.buildControlPlanePrefixRoute("/.pomerium/"),
|
||||
}
|
||||
// if we're handling authentication, add the oauth2 callback url
|
||||
if config.IsAuthenticate(options.Services) && domain == urlutil.StripPort(options.AuthenticateURL.Host) {
|
||||
routes = append(routes,
|
||||
srv.buildControlPlanePathRoute(options.AuthenticateCallbackPath))
|
||||
}
|
||||
// if we're the proxy and this is the forward-auth url
|
||||
if config.IsProxy(options.Services) && options.ForwardAuthURL != nil && domain == urlutil.StripPort(options.ForwardAuthURL.Host) {
|
||||
routes = append(routes,
|
||||
srv.buildControlPlanePrefixRoute("/"))
|
||||
}
|
||||
return routes
|
||||
}
|
||||
|
||||
func (srv *Server) buildControlPlanePathRoute(path string) *envoy_config_route_v3.Route {
|
||||
return &envoy_config_route_v3.Route{
|
||||
Name: "pomerium-path-" + path,
|
||||
Match: &envoy_config_route_v3.RouteMatch{
|
||||
PathSpecifier: &envoy_config_route_v3.RouteMatch_Path{Path: path},
|
||||
},
|
||||
Action: &envoy_config_route_v3.Route_Route{
|
||||
Route: &envoy_config_route_v3.RouteAction{
|
||||
ClusterSpecifier: &envoy_config_route_v3.RouteAction_Cluster{
|
||||
Cluster: "pomerium-control-plane-http",
|
||||
},
|
||||
},
|
||||
},
|
||||
TypedPerFilterConfig: map[string]*any.Any{
|
||||
"envoy.filters.http.ext_authz": disableExtAuthz,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (srv *Server) buildControlPlanePrefixRoute(prefix string) *envoy_config_route_v3.Route {
|
||||
return &envoy_config_route_v3.Route{
|
||||
Name: "pomerium-prefix-" + prefix,
|
||||
Match: &envoy_config_route_v3.RouteMatch{
|
||||
PathSpecifier: &envoy_config_route_v3.RouteMatch_Prefix{Prefix: prefix},
|
||||
},
|
||||
Action: &envoy_config_route_v3.Route_Route{
|
||||
Route: &envoy_config_route_v3.RouteAction{
|
||||
ClusterSpecifier: &envoy_config_route_v3.RouteAction_Cluster{
|
||||
Cluster: "pomerium-control-plane-http",
|
||||
},
|
||||
},
|
||||
},
|
||||
TypedPerFilterConfig: map[string]*any.Any{
|
||||
"envoy.filters.http.ext_authz": disableExtAuthz,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (srv *Server) buildPolicyRoutes(options config.Options, domain string) []*envoy_config_route_v3.Route {
|
||||
var routes []*envoy_config_route_v3.Route
|
||||
for i, policy := range options.Policies {
|
||||
if policy.Source.Hostname() != domain {
|
||||
continue
|
||||
}
|
||||
|
||||
match := &envoy_config_route_v3.RouteMatch{}
|
||||
switch {
|
||||
case policy.Regex != "":
|
||||
match.PathSpecifier = &envoy_config_route_v3.RouteMatch_SafeRegex{
|
||||
SafeRegex: &envoy_type_matcher_v3.RegexMatcher{
|
||||
EngineType: &envoy_type_matcher_v3.RegexMatcher_GoogleRe2{
|
||||
GoogleRe2: &envoy_type_matcher_v3.RegexMatcher_GoogleRE2{},
|
||||
},
|
||||
Regex: policy.Regex,
|
||||
},
|
||||
}
|
||||
case policy.Path != "":
|
||||
match.PathSpecifier = &envoy_config_route_v3.RouteMatch_Path{Path: policy.Path}
|
||||
case policy.Prefix != "":
|
||||
match.PathSpecifier = &envoy_config_route_v3.RouteMatch_Prefix{Prefix: policy.Prefix}
|
||||
default:
|
||||
match.PathSpecifier = &envoy_config_route_v3.RouteMatch_Prefix{Prefix: "/"}
|
||||
}
|
||||
|
||||
clusterName, _, _ := srv.getClusterDetails(policy.Destination)
|
||||
|
||||
routes = append(routes, &envoy_config_route_v3.Route{
|
||||
Name: fmt.Sprintf("policy-%d", i),
|
||||
Match: match,
|
||||
Action: &envoy_config_route_v3.Route_Route{
|
||||
Route: &envoy_config_route_v3.RouteAction{
|
||||
ClusterSpecifier: &envoy_config_route_v3.RouteAction_Cluster{
|
||||
Cluster: clusterName,
|
||||
},
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
return routes
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue