auth-layer-proxy improvements for envoy configuration configurable

auth-layer-proxy/Dockerfile

@@ -1,13 +1,18 @@
-FROM    envoyproxy/envoy:v1.28-latest
+FROM envoyproxy/envoy:v1.28-latest
 
-# Copy the Filter Scripts
-COPY /filters/ /filters/
+# Copy all necessary files
+COPY /filters/ /etc/envoy/filters/
+COPY /configs/ /etc/envoy/configs/
+COPY /scripts/start-envoy.sh /etc/envoy/start-envoy.sh
 
-# Install Lua and Luarocks
-RUN     apt-get update && apt-get install -y lua5.1 luarocks git
+# Make the start script executable, change ownership, install dependencies, and clean up in a single RUN to reduce layers
+RUN chmod +x /etc/envoy/start-envoy.sh && \
+    chown -R envoy:envoy /etc/envoy && \
+    apt-get update && \
+    apt-get install -y gettext-base=0.19.* lua5.1=5.1.* luarocks=2.4.* git=1:2.* && \
+    luarocks install lua-cjson && \
+    luarocks install luasocket && \
+    rm -rf /var/lib/apt/lists/*
 
-# Install Lua modules
-RUN     luarocks install lua-cjson
-
-# Install http socket module
-RUN    luarocks install luasocket
+# Use the non-root 'envoy' user to run the container
+USER envoy

auth-layer-proxy/README.md

@@ -93,40 +93,58 @@ For instructions on how to set-up the Auth Provider using KeyCloak, refer to the
 ### Build the image
 
 ```bash
-
 docker build -t envoy-auth-proxy .
-
 ```
 
 ### Configure the environment
 
 Add Postgres or Redis credentials to the .env file
 
-```
+```bash
+# EnvoyProxy Configuration
+SERVICE_TYPE=LOGICAL_DNS
+SERVICE_ADDRESS=host.docker.internal
+SERVICE_PORT=8020
+ENVOY_ADMIN_PORT=15000
+PROXY_PORT=10000
+
 # OAuth
 CLIENT_ID=<clientId>
 CLIENT_SECRET=<client_secret>
 TOKEN_INTROSPECTION_URL=http://host.docker.internal:8080/realms/HederaTheGraph/protocol/openid-connect/token/introspect
+```
+
+| Parameter | Description | Default |
+| --------- | ----------- | ------- |
+| `SERVICE_TYPE` | EnvoyProxy Configuration downstream address type, can be `LOGICAL_DNS` for a FQDN or `STATIC` when using an IP address | `LOGICAL_DNS` |
+| `SERVICE_ADDRESS` | EnvoyProxy Configuration downstream address, can be either a FQDN or an IP | `host.docker.internal` |
+| `SERVICE_PORT` | EnvoyProxy Configuration downstream port, this would be the admin port on TheGraph indexer node | `8020` |
+| `ENVOY_ADMIN_PORT` | EnvoyProxy Configuration admin port | `15000` |
+| `PROXY_PORT` | EnvoyProxy Configuration proxy port | `10000` |
+| `CLIENT_ID` | OAuth Client ID, provided by the auth server | `htg-auth-layer` |
+| `CLIENT_SECRET` | OAuth Client Secret, provided by the auth server | `` |
+| `TOKEN_INTROSPECTION_URL` | OAuth Token Introspection URL, provided by the auth server | `http://host.docker.internal:8080/realms/HederaTheGraph/protocol/openid-connect/token/introspect` |
+
 
+### Configure the details of the service to be proxied on the envoy.yaml
+EnvoyProxy needs a configuration file to run, the configuration will be created or updated on the container start, by the `scripts/start-envoy.sh` script, which will create or replace the `envoy-config.yaml` file using the template `configs/envoy-auth-template.yaml` and the environment variables.
+
+It will also print out the configuration as part of the logs for debugging and verification purposes.
+
+It is important to note that if the downstream service that we are protecting (in this case TheGraph) will be accessed by the proxy using a FQDN, the `SERVICE_TYPE` should be set to `LOGICAL_DNS` and the `SERVICE_ADDRESS` should be set to the FQDN of the service. Otherwise, if the downstream service is accessed by the proxy using an IP address, the `SERVICE_TYPE` should be set to `STATIC` and the `SERVICE_ADDRESS` should be set to the IP address of the service.
+
+#### Configuration Environment Variables by using DNS or FQDN for the service to be proxied.
+
+```bash
+SERVICE_TYPE=LOGICAL_DNS
+SERVICE_ADDRESS=host.docker.internal
 ```
 
-### Configure the details of the service to be proxied on the envoy.yam
-Edit `envoy-auth.yaml` file with config needs, by default will be proxying/relaying the request to address: `host.docker.internal` and port `8020`
-
-```yaml
-  clusters:
-  - name: local_service
-    connect_timeout: 5s
-    type: LOGICAL_DNS
-    load_assignment:
-      cluster_name: local_service
-      endpoints:
-      - lb_endpoints:
-        - endpoint:
-            address:
-              socket_address:
-                address: host.docker.internal
-                port_value: 8020
+#### Configuration Environment Variables by using IP Address for the service to be proxied.
+
+```bash
+SERVICE_TYPE=STATIC
+SERVICE_ADDRESS=10.100.1.1
 ```
 
 

auth-layer-proxy/configs/envoy-auth.yaml → auth-layer-proxy/configs/envoy-auth-template.yaml

@@ -1,10 +1,30 @@
+admin:
+  address:
+    socket_address:
+      address: 0.0.0.0
+      port_value: ${ENVOY_ADMIN_PORT}
+
 static_resources:
+  clusters:
+  - name: upstream_service
+    connect_timeout: 5s
+    type: ${SERVICE_TYPE}
+    load_assignment:
+      cluster_name: upstream_service
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: ${SERVICE_ADDRESS}
+                port_value: ${SERVICE_PORT}
+
   listeners:
   - name: listener_0
     address:
       socket_address:
         address: 0.0.0.0
-        port_value: 10000
+        port_value: ${PROXY_PORT}
     filter_chains:
     - filters:
       - name: envoy.filters.network.http_connection_manager
@@ -16,7 +36,7 @@ static_resources:
             typed_config:
               "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
               default_source_code: 
-                filename: /filters/TokenVerificationFilter.lua
+                filename: /etc/envoy/filters/TokenVerificationFilter.lua
 
           - name: envoy.filters.http.router
             typed_config:
@@ -32,18 +52,4 @@ static_resources:
                     name: ":method"
                     exact_match: "POST"
                 route:
-                  cluster: local_service
-
-  clusters:
-  - name: local_service
-    connect_timeout: 5s
-    type: LOGICAL_DNS
-    load_assignment:
-      cluster_name: local_service
-      endpoints:
-      - lb_endpoints:
-        - endpoint:
-            address:
-              socket_address:
-                address: host.docker.internal
-                port_value: 8020
+                  cluster: upstream_service

auth-layer-proxy/docker-compose.yaml

@@ -2,15 +2,16 @@ version: '3'
 
 services:
   envoy:
-    image: envoy-auth-layer:latest
-    command: -c /configs/envoy-auth.yaml
+    image: envoy-auth-proxy:latest
+    command: ["/etc/envoy/start-envoy.sh"]
     env_file:
       - .env
-    volumes:
-      - ./configs/:/configs/
-      - ./filters/:/filters/
-    ports:
-      - "9901:9901"
+#    volumes:
+#      - ./configs/:/etc/envoy/configs/
+#      - ./filters/:/etc/envoy/filters/
+#      - ./scripts/start-envoy.sh:/etc/envoy/start-envoy.sh
+    ports:      
       - "10000:10000"
+      - "15000:15000"
     stdin_open: true
     tty: true

auth-layer-proxy/example.env

@@ -1,3 +1,10 @@
+# EnvoyProxy Configuration
+SERVICE_TYPE=LOGICAL_DNS
+SERVICE_ADDRESS=host.docker.internal
+SERVICE_PORT=8020
+ENVOY_ADMIN_PORT=15000
+PROXY_PORT=10000
+
 # OAuth
 CLIENT_ID=htg-auth-layer
 CLIENT_SECRET=0cyYtDVVbVvaZjrDViiw4p2kegTy9Q5X

auth-layer-proxy/scripts/start-envoy.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# Set default values for environment variables if they are not already set
+export SERVICE_TYPE=${SERVICE_TYPE:-LOGICAL_DNS}
+export SERVICE_ADDRESS=${SERVICE_ADDRESS:-host.docker.internal}
+export SERVICE_PORT=${SERVICE_PORT:-8020}
+export ENVOY_ADMIN_PORT=${ENVOY_ADMIN_PORT:-15000}
+export PROXY_PORT=${PROXY_PORT:-10000}
+export CLIENT_ID=${CLIENT_ID:-htg-auth-layer}
+export TOKEN_INTROSPECTION_URL=${TOKEN_INTROSPECTION_URL:-http://host.docker.internal:8080/realms/HederaTheGraph/protocol/openid-connect/token/introspect}
+
+# print the environment variables
+echo "----------------------------------------"
+echo "---  Environment variables:          ---"
+echo "----------------------------------------"
+echo "SERVICE_TYPE: $SERVICE_TYPE"
+echo "SERVICE_ADDRESS: $SERVICE_ADDRESS"
+echo "SERVICE_PORT: $SERVICE_PORT"
+echo "ENVOY_ADMIN_PORT: $ENVOY_ADMIN_PORT"
+echo "PROXY_PORT: $PROXY_PORT"
+echo "CLIENT_ID: $CLIENT_ID"
+# Extract the first 4 characters of CLIENT_SECRET
+CLIENT_SECRET_FIRST_4=$(echo $CLIENT_SECRET | cut -c 1-4)
+echo "CLIENT_SECRET: ${CLIENT_SECRET_FIRST_4}******"
+echo "TOKEN_INTROSPECTION_URL: $TOKEN_INTROSPECTION_URL"
+echo "----------------------------------------"
+
+
+# Use envsubst to replace environment variables in the template
+envsubst < /etc/envoy/configs/envoy-auth-template.yaml > /etc/envoy/envoy-config.yaml
+
+# Print the processed configuration
+echo "----------------------------------------"
+echo "---  Processed Envoy configuration:  ---"
+echo "----------------------------------------"
+cat /etc/envoy/envoy-config.yaml
+echo "----------------------------------------"
+
+# Now start Envoy with the processed configuration
+envoy -c /etc/envoy/envoy-config.yaml