Envoy Proxy Integration

Introduction

Envoy is an open-source edge and service proxy designed for cloud-native applications.
When a request reaches Envoy, the external authorization (ext_authz) filter sends the request's metadata (method, path and headers) and, when configured to do so as below, its body to an external policy decision point (PDP) over gRPC. The PDP decides whether to allow or deny the request: only allowed requests are forwarded upstream, and denied ones are answered by Envoy itself, with 403 Forbidden by default.
The following sequence diagram describes the full authorization request flow using Envoy, as described above:
Full request flow using Envoy
Additional Information
For more information on the external authorization filter, see Envoy's ext_authz filter documentation.

Prerequisites

This tutorial requires docker-compose (tested on 1.27.4)

1. Enable gRPC on the PDP settings.

In the PDP settings screen, make sure gRPC is enabled. This is the interface Envoy's ext_authz filter calls (pdp:9191 in the configuration below).

2. Grab the API Key and Secret for your PDP.

In the Policy Decision Points screen, copy the PDP's API key and secret; they are needed for the docker-compose file in step 4.

3. Create an Envoy config file.

Create the following config.yaml file. The configuration instructs Envoy to listen on port 10000, to act as a reverse proxy to www.google.com, and to hand every incoming request (including up to 8192 bytes of request body) to the sidecar PDP over gRPC before forwarding it. A few settings deserve attention. failure_mode_allow: false makes the filter fail closed, so a request is rejected when the PDP is unreachable or returns an error; keep it that way outside of debugging. allow_partial_message: false means a request whose body exceeds max_request_bytes is rejected with 413 rather than authorized on a truncated body. The 120s gRPC timeout means a hung PDP can stall a request for two minutes before that rejection happens, so lower it once things work. The upstream TLS context sets only sni and no validation_context, so Envoy does not verify the certificate the upstream presents; that is acceptable for a demo, not for a real upstream. The "@type" URLs are the v2 xDS API, which later Envoy releases no longer accept.
# Admin interface: bound to loopback inside the container (unauthenticated).
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 9901
static_resources:
  listeners:
  # Public listener that clients (the browser in step 6) connect to.
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  host_rewrite: www.google.com
                  cluster: service_google
          http_filters:
          # ext_authz runs before the router: every request is checked by the PDP first.
          - name: envoy.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
              # Buffer and forward up to 8 KiB of body to the PDP; larger bodies are rejected.
              with_request_body:
                max_request_bytes: 8192
                allow_partial_message: false
              # Fail closed: deny when the PDP cannot be reached or errors out.
              failure_mode_allow: false
              grpc_service:
                google_grpc:
                  target_uri: pdp:9191
                  stat_prefix: ext_authz
                timeout: 120s
          - name: envoy.filters.http.router
            typed_config: {}
  clusters:
  # Upstream the allowed requests are proxied to.
  - name: service_google
    connect_timeout: 0.25s
    type: LOGICAL_DNS
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service_google
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: www.google.com
                port_value: 443
    # TLS to the upstream; no validation_context, so the server certificate is not verified.
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext
        sni: www.google.com
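If your Envoy build rejects the v2 "@type" URLs above (the v2 xDS API has been removed from Envoy), the same configuration expressed with the v3 API looks like this. This is an added example, not the tutorial's own config file. It assumes the PDP implements the v3 Authorization gRPC service (envoy.service.auth.v3), which transport_api_version: V3 selects; everything else (ports, cluster, timeouts, fail-closed behaviour) is unchanged from the file above.

```yaml
# v3 equivalent of the tutorial's config.yaml (added example, not from the page)
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 9901
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  # v3 renamed host_rewrite to host_rewrite_literal
                  host_rewrite_literal: www.google.com
                  cluster: service_google
          http_filters:
          - name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              # Speak the v3 Authorization service to the PDP (assumption: the PDP supports it)
              transport_api_version: V3
              with_request_body:
                max_request_bytes: 8192
                allow_partial_message: false
              failure_mode_allow: false
              grpc_service:
                google_grpc:
                  target_uri: pdp:9191
                  stat_prefix: ext_authz
                timeout: 120s
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: service_google
    connect_timeout: 0.25s
    type: LOGICAL_DNS
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service_google
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: www.google.com
                port_value: 443
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: www.google.com
```

Drop this file in place of config.yaml and keep the rest of the tutorial as is. If the PDP only speaks the v2 Authorization service, the gRPC calls will fail and, because failure_mode_allow is false, every request will be denied; the Envoy log at the trace levels set in step 4 shows the failed gRPC calls.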

4. Create docker-compose file.

To quickly spin up the Envoy and PDP containers on a shared network, create the following docker-compose file, filling in the API key and secret from step 2. Note that the admin listener in config.yaml binds to 127.0.0.1 inside the container, so publishing port 9901 does not make it reachable from the host; to use it from the host, change the admin address to 0.0.0.0 (on a trusted network only, the admin interface is unauthenticated) or query it from inside the container.
version: "3.8"
services:
  envoy:
    image: envoyproxy/envoy:v1.16.0
    ports:
      - "9901:9901"
      - "10000:10000"
    networks:
      - dev
    volumes:
      - "./config.yaml:/etc/envoy/envoy.yaml"
    # Each list item is one argv element, so a flag and its value must be
    # separate items; "--log-level error" as a single item is not parsed.
    command:
      - --log-level
      - error
      - --component-log-level
      - ext_authz:trace,connection:trace,grpc:trace
      - --config-path
      - /etc/envoy/envoy.yaml
  pdp:
    image: buildsecurity/pdp:latest
    networks:
      - dev
    environment:
      # Replace with the key and secret of your own PDP (step 2).
      - API_KEY=rHlKxxnyb45AVkhGtXLQQmiAZLHie3FH
      - API_SECRET=****
      - CONTROL_PLANE_ADDR=https://api.dev.build.security/v1/api/pdp
      - MYSQL_PASSWORD=""
networks:
  dev:
Remember
Do not forget to replace API_KEY and API_SECRET with your own, and keep the secret out of version control (for example by referencing it as ${API_SECRET} from a docker-compose .env file).

5. Start the proxy and the PDP.

Execute docker-compose up. The output should look like this:
docker-compose for envoy + pdp

6. Test it!

In the build.security control plane:
    1. Observe your new PDP in the Policy Decision Points screen.
    2. Create a new Envoy policy.
    3. Change the default behavior of the policy to ALLOW.
    4. Publish the changes to the PDP.
    5. Open a browser and go to localhost:10000.
    6. Observe the newly created decision logs.
Envoy decision logs

7. Change the default policy and test again...

    1. Change the default behavior of the policy to DENY.
    2. Publish the changes to the PDP and browse again.
    3. This time, the access will be denied (Envoy answers with 403 Forbidden).

Additional information

For more information on Envoy, see the Envoy documentation, or contact us at: [email protected]