From: JingLu5 <lvjing5@huawei.com>
Date: Tue, 28 Aug 2018 08:34:07 +0000 (+0800)
Subject: Add envoy.ext_authz filter
X-Git-Tag: opnfv-7.0.0~39^2
X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=32714b39cdb85d6076ded8af6fa266d567df4992;p=clover.git

Add envoy.ext_authz filter

JIRA: CLOVER-86

This external authorization HTTP filter calls an external HTTP service (ModSecuruty service) to check if the incoming HTTP request is authorized or not. If the request is deemed unauthorized then the request will be denied normally with 403 (Forbidden) response.

Change-Id: I0fe14c73defec027c54f42713cbdf69b0b83e102
Signed-off-by: JingLu5 <lvjing5@huawei.com>
---

diff --git a/samples/scenarios/istio_ingressgateway_envoyfilter.yaml b/samples/scenarios/istio_ingressgateway_envoyfilter.yaml
new file mode 100644
index 0000000..46f730c
--- /dev/null
+++ b/samples/scenarios/istio_ingressgateway_envoyfilter.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: ext-authz
+  namespace: istio-system
+spec:
+  workloadLabels:
+    app: istio-ingressgateway
+  filters:
+  - insertPosition:
+      index: FIRST
+    listenerMatch:
+      portNumber: 80
+      listenerType: GATEWAY
+      listenerProtocol: HTTP
+    filterType: HTTP
+    filterName: "envoy.ext_authz"
+    filterConfig:
+      http_service:
+        server_uri:
+          uri: "http://modsecurity-crs.istio-system.svc.cluster.local"
+          cluster: "outbound|80||modsecurity-crs.istio-system.svc.cluster.local"
+          timeout: 0.5s
+      failure_mode_allow: false