docs/content/integration/openid-connect/clients/envoy-gateway/index.md
{{% oidc-common %}}
This example makes the following assumptions:

- **Application Root URL:** `https://envoy.{{< sitevar name="domain" nojs="example.com" >}}/`
- **Authelia Root URL:** `https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/`
- **Client ID:** `envoy`
- **Client Secret:** `insecure_secret`

Some of the values presented in this guide can automatically be replaced with documentation variables.

{{< sitevar-preferences >}}
The following YAML configuration is an example Authelia client configuration for use with Envoy Gateway which will operate with the application example:

```yaml
identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
      - client_id: 'envoy'
        client_name: 'Envoy Gateway'
        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
        public: false
        authorization_policy: 'two_factor'
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
          - 'https://envoy.{{< sitevar name="domain" nojs="example.com" >}}/authelia/openid_connect/callback'
        scopes:
          - 'openid'
          - 'offline_access'
        grant_types:
          - 'authorization_code'
          - 'refresh_token'
        response_types:
          - 'code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
```
To configure Envoy Gateway there is one method, using the Configuration File.
{{< callout context="caution" title="Important Notes" icon="outline/alert-triangle" >}}
Because this setup stores the ID Token and Access Token in session cookies, it is strongly recommended that all of the following are true:
{{< /callout >}}
To configure Envoy Gateway to utilize Authelia as an OpenID Connect 1.0 Provider for a single HTTPRoute, use the following instructions:

Use `kubectl` to create the secret:

```shell
kubectl create secret generic envoy-oidc-client-secret --from-literal=client-secret=insecure_secret
```

The following example HTTPRoute is an example of a real application, included just for the purposes of showcasing this. The important factor is the `name` value being `envoy`.
```yaml
---
apiVersion: 'gateway.networking.k8s.io/v1'
kind: 'HTTPRoute'
metadata:
  name: 'envoy'
spec:
  parentRefs:
    - name: 'eg'
  hostnames:
    - 'envoy.{{< sitevar name="domain" nojs="example.com" >}}'
  rules:
    - matches:
        - path:
            type: 'PathPrefix'
            value: '/'
      backendRefs:
        - name: 'envoy-service-backend'
          port: 80
...
```
The following SecurityPolicy requires OpenID Connect 1.0 authorization for just the `envoy` HTTPRoute described above. The important factor is the `targetRefs` value, which indicates what resource this policy applies to.
```yaml
---
apiVersion: 'gateway.envoyproxy.io/v1alpha1'
kind: 'SecurityPolicy'
metadata:
  name: 'envoy-oidc'
spec:
  targetRefs:
    - group: 'gateway.networking.k8s.io'
      kind: 'HTTPRoute'
      name: 'envoy'
  oidc:
    provider:
      issuer: 'https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}'
      authorizationEndpoint: 'https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/api/oidc/authorization'
      tokenEndpoint: 'https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/api/oidc/token'
    clientID: 'envoy'
    clientSecret:
      name: 'envoy-oidc-client-secret'
    cookieDomain: 'envoy.{{< sitevar name="domain" nojs="example.com" >}}'
    cookieNames:
      idToken: ''
      accessToken: ''
    scopes:
      - 'openid'
      - 'offline_access'
    redirectURL: 'https://envoy.{{< sitevar name="domain" nojs="example.com" >}}/authelia/openid_connect/callback'
    forwardAccessToken: false
    refreshToken: true
    passThroughAuthHeader: false
```
To configure Envoy Gateway to utilize Authelia as an OpenID Connect 1.0 Provider for an entire Gateway, use the following instructions:

Use `kubectl` to create the secret:

```shell
kubectl create secret generic envoy-oidc-client-secret --from-literal=client-secret=insecure_secret
```

This example targets the `eg` Gateway. The following example HTTPRoute is a fake application just for the redirection behavior.
```yaml
---
apiVersion: 'gateway.networking.k8s.io/v1'
kind: 'HTTPRoute'
metadata:
  name: 'envoy-oidc'
spec:
  parentRefs:
    - name: 'eg'
  hostnames:
    - 'envoy-oidc.{{< sitevar name="domain" nojs="example.com" >}}'
  rules:
    - matches:
        - path:
            type: 'PathPrefix'
            value: '/'
...
```
The following SecurityPolicy requires OpenID Connect 1.0 authorization for every HTTPRoute on the `eg` Gateway. The important factor is the `targetRefs` value, which indicates what resource this policy applies to.
```yaml
---
apiVersion: 'gateway.envoyproxy.io/v1alpha1'
kind: 'SecurityPolicy'
metadata:
  name: 'envoy-oidc'
spec:
  targetRefs:
    - group: 'gateway.networking.k8s.io'
      kind: 'Gateway'
      name: 'eg'
  oidc:
    provider:
      issuer: 'https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}'
      authorizationEndpoint: 'https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/api/oidc/authorization'
      tokenEndpoint: 'https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/api/oidc/token'
    clientID: 'envoy'
    clientSecret:
      name: 'envoy-oidc-client-secret'
    cookieDomain: 'envoy-oidc.{{< sitevar name="domain" nojs="example.com" >}}'
    cookieNames:
      idToken: ''
      accessToken: ''
    scopes:
      - 'openid'
      - 'offline_access'
    redirectURL: 'https://envoy-oidc.{{< sitevar name="domain" nojs="example.com" >}}/authelia/openid_connect/callback'
    forwardAccessToken: false
    refreshToken: true
    passThroughAuthHeader: false
```
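Both the single-HTTPRoute and the entire-Gateway setups above pair an Envoy Gateway `SecurityPolicy` with the Authelia client configuration, and the two sides must agree on the client ID, the redirect URL, the scopes, the refresh token grant and the provider URLs before the login flow will work. The following script is an added example (not code from Authelia or Envoy Gateway) that cross-checks the two documents and also flags a Kubernetes Secret that still carries the page's `insecure_secret` placeholder. Its inputs are constructed to mirror the single-HTTPRoute YAML with the documentation variables at their defaults (`auth.example.com`, `envoy.example.com`): the `SecurityPolicy` and `Secret` in the JSON shape `kubectl get ... -o json` prints, and the Authelia client as a parsed mapping; the function names and finding messages are this example's own.

```python
"""Cross-check an Envoy Gateway SecurityPolicy against its Authelia client.

Added example, not code from Authelia or Envoy Gateway. Inputs are constructed
to mirror the page's YAML with the documentation variables at their defaults
(auth.example.com, envoy.example.com).
"""
import base64
import json
from urllib.parse import urlparse

AUTHELIA_ISSUER = "https://auth.example.com"  # constructed: the Authelia Root URL

# Constructed: the page's Authelia `clients` entry as yaml.safe_load() would yield it.
AUTHELIA_CLIENT = {
    "client_id": "envoy",
    "public": False,
    "redirect_uris": ["https://envoy.example.com/authelia/openid_connect/callback"],
    "scopes": ["openid", "offline_access"],
    "grant_types": ["authorization_code", "refresh_token"],
}

# Constructed: the single-HTTPRoute SecurityPolicy as `kubectl get -o json` prints it.
SECURITY_POLICY_JSON = """{
  "apiVersion": "gateway.envoyproxy.io/v1alpha1", "kind": "SecurityPolicy",
  "metadata": {"name": "envoy-oidc"},
  "spec": {
    "targetRefs": [{"group": "gateway.networking.k8s.io", "kind": "HTTPRoute", "name": "envoy"}],
    "oidc": {
      "provider": {"issuer": "https://auth.example.com",
                   "authorizationEndpoint": "https://auth.example.com/api/oidc/authorization",
                   "tokenEndpoint": "https://auth.example.com/api/oidc/token"},
      "clientID": "envoy", "clientSecret": {"name": "envoy-oidc-client-secret"},
      "cookieDomain": "envoy.example.com", "scopes": ["openid", "offline_access"],
      "redirectURL": "https://envoy.example.com/authelia/openid_connect/callback",
      "forwardAccessToken": false, "refreshToken": true, "passThroughAuthHeader": false
    }
  }
}"""

# Constructed: the Secret the page's kubectl command creates, base64 as kubectl prints it.
CLIENT_SECRET_JSON = """{"apiVersion": "v1", "kind": "Secret",
  "metadata": {"name": "envoy-oidc-client-secret"},
  "data": {"client-secret": "aW5zZWN1cmVfc2VjcmV0"}}"""

DOC_PLACEHOLDER_SECRET = "insecure_secret"  # the page's example value


def check_policy(policy: dict, client: dict, issuer: str) -> list[str]:
    """Return findings where the gateway side and the Authelia side disagree."""
    findings = []
    oidc = policy["spec"]["oidc"]
    provider = oidc["provider"]
    base = issuer.rstrip("/")
    # Provider URLs must be https and live under the Authelia issuer.
    if provider["issuer"].rstrip("/") != base:
        findings.append(f"issuer {provider['issuer']!r} != Authelia issuer {base!r}")
    for key in ("authorizationEndpoint", "tokenEndpoint"):
        url = provider.get(key, "")
        if urlparse(url).scheme != "https" or not url.startswith(base + "/"):
            findings.append(f"{key} {url!r} is not an https URL under {base!r}")
    # Confidential client: IDs match, public is false, a Secret is referenced.
    if oidc.get("clientID") != client["client_id"]:
        findings.append(f"clientID {oidc.get('clientID')!r} != client_id {client['client_id']!r}")
    if client.get("public") or not oidc.get("clientSecret", {}).get("name"):
        findings.append("client must be confidential (public: false) with a clientSecret reference")
    # redirectURL must equal a registered redirect_uri exactly, as OpenID Connect requires.
    redirect = oidc.get("redirectURL", "")
    if redirect not in client["redirect_uris"]:
        findings.append(f"redirectURL {redirect!r} is not a registered redirect_uri")
    # Session cookies should be scoped to the host that serves the callback.
    host = urlparse(redirect).hostname
    if oidc.get("cookieDomain") and oidc["cookieDomain"] != host:
        findings.append(f"cookieDomain {oidc['cookieDomain']!r} != callback host {host!r}")
    # openid is mandatory; request nothing beyond what Authelia grants this client.
    scopes = set(oidc.get("scopes", []))
    if "openid" not in scopes:
        findings.append("scopes must include 'openid'")
    if extra := scopes - set(client["scopes"]):
        findings.append(f"scopes {sorted(extra)} are not allowed for this client")
    # refreshToken: true needs the offline_access scope and the refresh_token grant.
    if oidc.get("refreshToken"):
        if "offline_access" not in scopes:
            findings.append("refreshToken is true but 'offline_access' is not requested")
        if "refresh_token" not in client["grant_types"]:
            findings.append("refreshToken is true but the client lacks the refresh_token grant")
    return findings


def check_secret(secret: dict, key: str = "client-secret") -> list[str]:
    """Flag a client secret that is missing or still the documentation placeholder."""
    encoded = secret.get("data", {}).get(key)
    if encoded is None:
        return [f"Secret {secret['metadata']['name']!r} has no {key!r} entry"]
    if base64.b64decode(encoded).decode() == DOC_PLACEHOLDER_SECRET:
        return [f"Secret {secret['metadata']['name']!r} still holds the documentation placeholder"]
    return []


def run_checks(policy_json: str = SECURITY_POLICY_JSON, secret_json: str = CLIENT_SECRET_JSON) -> list[str]:
    """Parse both documents and run every check; an empty list means all clear."""
    policy, secret = json.loads(policy_json), json.loads(secret_json)
    return check_policy(policy, AUTHELIA_CLIENT, AUTHELIA_ISSUER) + check_secret(secret)
```

Run against the constructed inputs, `run_checks()` reports a single finding: the Secret still holds the placeholder from the `kubectl create secret` step. For the entire-Gateway variant, substitute `envoy-oidc.example.com` in the `redirectURL` and `cookieDomain` fields and extend `AUTHELIA_CLIENT["redirect_uris"]` to match; the checks are the same.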