    $ git clone https://github.com/sappier/example-cf-envoy-xsuaa.git
    $ cd example-cf-envoy-xsuaa
The template reads the VCAP_SERVICES environment variable and uses it to generate the envoy configuration containing references to the xsuaa instance bound to our application. The complete template is in the envoy.yaml.erb file; here we highlight the most important parts.

    <% require 'uri' -%>
    <% XSUAA = URI.parse(VCAP_SERVICES["xsuaa"][0]["credentials"]["url"]) -%>
    static_resources:
      listeners:
      - name: listener_8080
        address:
          socket_address: { address: 0.0.0.0, port_value: 8080 }
The Jwt Authentication filter configuration sets the issuer to match the value from tokens and fetches the signing keys from the xsuaa /token_keys endpoint:

    - name: envoy.filters.http.jwt_authn
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
        providers:
          xsuaa:
            issuer: <%= URI.join(XSUAA.to_s, "/oauth/token") %>
            forward: true
            remote_jwks:
              http_uri:
                uri: <%= URI.join(XSUAA.to_s, "/token_keys") %>
                cluster: xsuaa
                timeout: 5s
              cache_duration: { seconds: 600 }
The /robots.txt rule doesn't have the requires section (it is also the health-check endpoint in the manifest), hence Jwt verification is turned off for it. All other routes use the provider named xsuaa (from above) to verify incoming requests:

        rules:
        - match:
            prefix: /robots.txt
        - match:
            prefix: /
          requires: { provider_name: xsuaa }
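As an added example (not code from the post or its repository), the Ruby script below renders the jwt_authn part of the template above with a constructed VCAP_SERVICES value, the way the buildpack does, and then evaluates the rules the way Envoy does (first match wins) to show which paths need a token. The placeholder host tenant.authentication.example.test and the HARDENED_RULES variant are assumptions; the variant shows that the prefix match also exempts /robots.txt.bak, which an exact path match does not.

```ruby
require 'erb'
require 'json'
require 'uri'
require 'yaml'

# Constructed stand-in for the VCAP_SERVICES value that Cloud Foundry injects;
# the host name is a placeholder, not a real xsuaa tenant.
VCAP_SERVICES = JSON.parse(<<~VCAP)
  {"xsuaa": [{"credentials": {"url": "https://tenant.authentication.example.test"}}]}
VCAP

# The jwt_authn part of envoy.yaml.erb from the post (listener and clusters
# omitted), rendered with the ERB trim mode the template's -%> markers rely on.
TEMPLATE = <<~'ERB'
  <% XSUAA = URI.parse(VCAP_SERVICES["xsuaa"][0]["credentials"]["url"]) -%>
  providers:
    xsuaa:
      issuer: <%= URI.join(XSUAA.to_s, "/oauth/token") %>
      forward: true
      remote_jwks:
        http_uri:
          uri: <%= URI.join(XSUAA.to_s, "/token_keys") %>
          cluster: xsuaa
          timeout: 5s
        cache_duration: { seconds: 600 }
  rules:
  - match:
      prefix: /robots.txt
  - match:
      prefix: /
    requires: { provider_name: xsuaa }
ERB
JWT_AUTHN = YAML.safe_load(ERB.new(TEMPLATE, trim_mode: '-').result(binding))

# Mirror Envoy's rule evaluation (rules are checked in order, first match wins).
# Returns the required provider name, or nil when no JWT verification applies.
def requirement_for(path, rules = JWT_AUTHN['rules'])
  rule = rules.find do |r|
    m = r['match']
    m.key?('path') ? m['path'] == path : path.start_with?(m['prefix'])
  end
  rule && rule['requires'] && rule['requires']['provider_name']
end

# Assumed hardened variant: an exact `path` match exempts only /robots.txt,
# whereas the `prefix` match above also exempts /robots.txt.bak and the like.
HARDENED_RULES = [
  { 'match' => { 'path' => '/robots.txt' } },
  { 'match' => { 'prefix' => '/' }, 'requires' => { 'provider_name' => 'xsuaa' } }
]
```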
The clusters section specifies 2 instances: app routes requests to the address 127.0.0.1:8000 where our httpbin application listens, and xsuaa, with the xsuaa server address and TLS config to connect to xsuaa over HTTPS.

The manifest.yml is:

    buildpacks:
    - https://github.com/r0mk1/cf-envoyproxy-buildpack.git
    - python_buildpack
    command: gunicorn -b 127.0.0.1:8000 -k gevent httpbin:app
    services:
    - xsuaa
    health-check-type: http
    health-check-http-endpoint: /robots.txt
The cf-envoyproxy-buildpack runs the Envoy Proxy as a sidecar process with the configuration created from the envoy.yaml.erb template. The python_buildpack installs the httpbin web application with the dependencies specified in the requirements.txt file; the application runs through the gunicorn http server on port 8000. The services section binds the service instance named xsuaa to our application.

First we create the xsuaa service instance named xsuaa, the same as in the manifest:

    $ cf create-service xsuaa application xsuaa
    Creating service instance xsuaa in ...
    Service instance xsuaa created.
    OK
    $ cf push
    Pushing app httpbin to ...
    ...
    name: httpbin
    requested state: started
    routes: httpbin.cfapps.us10.hana.ondemand.com
    ...
    #0 running 2023-11-11T17:04:59Z 0.0% 0 of 0 0 of 0 0/s of 0/s
    $ curl https://httpbin.cfapps.us10.hana.ondemand.com/robots.txt
    User-agent: *
    Disallow: /deny

/robots.txt returns data without the need to provide an authentication token.

    $ curl https://httpbin.cfapps.us10.hana.ondemand.com/uuid
    Jwt is missing

Next we obtain an access token from xsuaa and store it in the TOKEN shell variable. Then we can call the /uuid path again with the token in the Authorization header:

    $ curl -H "Authorization: Bearer $TOKEN" https://httpbin.cfapps.us10.hana.ondemand.com/uuid
    {"uuid":"f767a625-c98b-4e94-b113-Boise5ff4me0ad"}
There is also an admin section at the beginning of the envoy configuration. It allows us to see detailed statistics of (un)authorized requests:

    $ cf ssh httpbin -c 'curl -s localhost:9909/stats?filter=http.ingress_http.jwt_authn'
    http.ingress_http.jwt_authn.allowed: 9
    http.ingress_http.jwt_authn.cors_preflight_bypassed: 0
    http.ingress_http.jwt_authn.denied: 1
    http.ingress_http.jwt_authn.jwks_fetch_failed: 0
    http.ingress_http.jwt_authn.jwks_fetch_success: 1
    http.ingress_http.jwt_authn.jwt_cache_hit: 0
    http.ingress_http.jwt_authn.jwt_cache_miss: 1

The same statistics are available in Prometheus format:

    $ cf ssh httpbin -c 'curl -s localhost:9909/stats/prometheus'

Or forward the admin port to your machine with "cf ssh -L 9909:localhost:9909 httpbin" and explore extra options by pointing a browser to localhost:9909.