authorJingLu5 <lvjing5@huawei.com>2018-08-28 16:34:07 +0800
committerJingLu5 <lvjing5@huawei.com>2018-08-28 16:34:07 +0800
commit32714b39cdb85d6076ded8af6fa266d567df4992 (patch)
treed457d156f2ece0a80c8a05f458f3921c75eea6ba /samples
parentc7e0f161092e6affccf50e4faf59d6eef4f4314d (diff)
Add envoy.ext_authz filter
JIRA: CLOVER-86 This external authorization HTTP filter calls an external HTTP service (ModSecurity service) to check if the incoming HTTP request is authorized or not. If the request is deemed unauthorized then the request will be denied normally with 403 (Forbidden) response. Change-Id: I0fe14c73defec027c54f42713cbdf69b0b83e102 Signed-off-by: JingLu5 <lvjing5@huawei.com>
Diffstat (limited to 'samples')
-rw-r--r--samples/scenarios/istio_ingressgateway_envoyfilter.yaml24
1 files changed, 24 insertions, 0 deletions
diff --git a/samples/scenarios/istio_ingressgateway_envoyfilter.yaml b/samples/scenarios/istio_ingressgateway_envoyfilter.yaml
new file mode 100644
index 0000000..46f730c
--- /dev/null
+++ b/samples/scenarios/istio_ingressgateway_envoyfilter.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: ext-authz
+ namespace: istio-system
+spec:
+ workloadLabels:
+ app: istio-ingressgateway
+ filters:
+ - insertPosition:
+ index: FIRST
+ listenerMatch:
+ portNumber: 80
+ listenerType: GATEWAY
+ listenerProtocol: HTTP
+ filterType: HTTP
+ filterName: "envoy.ext_authz"
+ filterConfig:
+ http_service:
+ server_uri:
+ uri: "http://modsecurity-crs.istio-system.svc.cluster.local"
+ cluster: "outbound|80||modsecurity-crs.istio-system.svc.cluster.local"
+ timeout: 0.5s
+ failure_mode_allow: false
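Review bot: The `listenerMatch` pins the filter to `portNumber: 80`, so any other listener on the ingress gateway (for example a 443 HTTPS server, if one is configured) is never sent to modsecurity-crs and bypasses the check. Each exposed port needs its own filter entry, or the limit should be documented above `listenerMatch`, e.g. `# ext_authz covers the port-80 listener only; add an entry per additional gateway port`. With `failure_mode_allow: false` and `timeout: 0.5s` the gateway fails closed, which is the safe choice for a WAF gate, but a slow or unavailable ModSecurity pod then denies all port-80 traffic; a comment next to the setting, such as `# fail closed: deny when modsecurity-crs errors or exceeds the timeout`, would make that trade-off explicit. As configured, the check request presumably carries request headers rather than the body unless body forwarding is enabled in the Envoy build in use, so body-based CRS rules may not be exercised; worth confirming.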