templates/gateway: use internal listener to route api requests

API requests should be authenticated, all other requests should be redirected to the service docs.
osbuild · Feb 2, 2024 · aec69c7 · aec69c7
1 parent 5cfcec5
commit aec69c7
Showing 1 changed file with 60 additions and 8 deletions.
diff --git a/templates/gateway.yml b/templates/gateway.yml
@@ -22,8 +22,12 @@ objects:
           pipe:
             path: /sockets/admin.socket
 
-      static_resources:
+      bootstrap_extensions:
+      - name: envoy.bootstrap.internal_listener
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener
 
+      static_resources:
         ### Clusters ###
         clusters:
         # This backend is used to send metrics and probe requests to the admin endpoint.
@@ -40,6 +44,18 @@ objects:
                     pipe:
                       path: /sockets/admin.socket
 
+        - name: api-listener
+          connect_timeout: 2s
+          type: STRICT_DNS
+          load_assignment:
+            cluster_name: api-listener
+            endpoints:
+            - lb_endpoints:
+              - endpoint:
+                  address:
+                    envoy_internal_address:
+                      server_listener_name: api-listener
+
         - name: ext_fedora_auth
           connect_timeout: 2s
           type: STRICT_DNS
@@ -103,11 +119,8 @@ objects:
                   typed_config:
                     "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
 
-        - name: ingress
-          address:
-            socket_address:
-              address: 0.0.0.0
-              port_value: 10000
+        - name: api-listener
+          internal_listener: {}
           filter_chains:
             filters:
             - name: envoy.filters.network.http_connection_manager
@@ -136,8 +149,6 @@ objects:
                         cluster: image-builder
                         auto_host_rewrite: true
                         timeout: 30s
-
-
                 http_filters:
                 # Remove any identity headers cheeky clients might try to add
                 - name: envoy.filters.http.header_mutation
@@ -166,6 +177,47 @@ objects:
                     "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
 
 
+        - name: ingress
+          address:
+            socket_address:
+              address: 0.0.0.0
+              port_value: 10000
+          filter_chains:
+            filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                access_log:
+                - name: envoy.access_loggers.file
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+                    path: /dev/stdout
+                stat_prefix: ingress
+                route_config:
+                  name: ingress
+                  virtual_hosts:
+                  - name: api
+                    domains:
+                    - "*"
+                    # Remove these headers in case someone adds them to the response
+                    response_headers_to_remove:
+                    - x-rh-identity
+                    - x-fedora-identity
+                    routes:
+                    - match:
+                        prefix: /api
+                      route:
+                        cluster: api-listener
+                        auto_host_rewrite: true
+                        timeout: 30s
+                    - match:
+                        prefix: /
+                      redirect:
+                        https_redirect: true
+                        host_redirect: osbuild.org
+                        path_redirect: /docs/service/fedora-console
+
+
 - apiVersion: apps/v1
   kind: Deployment
   metadata: