diff --git a/src/app_charts/base/cloud/istio.yaml b/src/app_charts/base/cloud/istio.yaml index b295c5154..6813b17d3 100644 --- a/src/app_charts/base/cloud/istio.yaml +++ b/src/app_charts/base/cloud/istio.yaml @@ -3,6 +3,8 @@ apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: crc-gateway + labels: + gateway.networking.k8s.io/gateway-name: crc-gateway annotations: # Use standard K8s annotations for cloud-specific LB settings networking.istio.io/service-type: LoadBalancer @@ -47,4 +49,34 @@ spec: requestRedirect: scheme: https statusCode: 301 +# --- +# apiVersion: networking.istio.io/v1 +# kind: ServiceEntry +# metadata: +# name: token-vendor-robot-and-human-auth +# spec: +# hosts: +# - "token-vendor-robot-and-human-auth.local" # The service name to be used in the extension provider in the mesh config. +# endpoints: +# - address: "127.0.0.1" +# ports: +# - name: http +# number: 80 # The port number to be used in the extension provider in the mesh config. +# protocol: HTTP +# resolution: STATIC +# --- +# apiVersion: networking.istio.io/v1 +# kind: ServiceEntry +# metadata: +# name: token-vendor-human-only-auth +# spec: +# hosts: +# - "token-vendor-human-only-auth.local" # The service name to be used in the extension provider in the mesh config. +# endpoints: +# - address: "127.0.0.1" +# ports: +# - name: http +# number: 80 # The port number to be used in the extension provider in the mesh config. +# protocol: HTTP +# resolution: STATIC {{- end}} diff --git a/src/app_charts/token-vendor/cloud/auth-policy.yaml b/src/app_charts/token-vendor/cloud/auth-policy.yaml new file mode 100644 index 000000000..678d680af --- /dev/null +++ b/src/app_charts/token-vendor/cloud/auth-policy.yaml @@ -0,0 +1,43 @@ +apiVersion: security.istio.io/v1 +kind: AuthorizationPolicy +metadata: + name: tokenvendor-public-key-access-auth + namespace: default # the policy can only target gateways in the same namespace +spec: + # Single baseline policy. + # Finding: PILOT_ENABLE_MULTIPLE_CUSTOM_AUTHZ_PROVIDERS did not resolve + # the '1 provider per workload' error in this environment when using multiple CUSTOM actions. + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: crc-gateway + action: CUSTOM + provider: + # Must match name in meshConfig.extensionProviders exactly. + name: "token-vendor-robot-and-human-auth" + rules: + - to: + - operation: + paths: + - "/apis/core.token-vendor/v1/public-key.read" + - "/apis/core.token-vendor/v1/public-key.read*" +# --- +# apiVersion: security.istio.io/v1 +# kind: AuthorizationPolicy +# metadata: +# name: tokenvendor-public-key-manager-auth +# namespace: default # the policy can only target gateways in the same namespace +# spec: +# selector: +# matchLabels: +# gateway.networking.k8s.io/gateway-name: crc-gateway +# action: CUSTOM +# provider: +# name: "token-vendor-human-auth" +# rules: +# - to: +# - operation: +# paths: +# - "/apis/core.token-vendor/v1/public-key.configure" +# - "/apis/core.token-vendor/v1/public-key.configure*" +# - "/apis/core.token-vendor/v1/public-key.publish" +# - "/apis/core.token-vendor/v1/public-key.publish*" diff --git a/src/app_charts/token-vendor/cloud/http-route.yaml b/src/app_charts/token-vendor/cloud/http-route.yaml index 78b52dec2..578268b10 100644 --- a/src/app_charts/token-vendor/cloud/http-route.yaml +++ b/src/app_charts/token-vendor/cloud/http-route.yaml @@ -1,5 +1,3 @@ -# TODO: need auth -# "http://token-vendor.app-token-vendor.svc.cluster.local/apis/core.token-vendor/v1/token.verify?robots=true" apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: @@ -19,9 +17,13 @@ spec: - path: type: PathPrefix value: /apis/core.token-vendor/v1/public-key.read + filters: + - type: RequestHeaderModifier + requestHeaderModifier: + set: + - name: "x-auth-url" + value: "http://token-vendor.app-token-vendor.svc.cluster.local/apis/core.token-vendor/v1/token.verify?robots=true" --- -# TODO: need auth -# nginx.ingress.kubernetes.io/auth-url: "http://token-vendor.app-token-vendor.svc.cluster.local/apis/core.token-vendor/v1/token.verify?robots=false" apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: @@ -44,6 +46,12 @@ spec: - path: type: PathPrefix value: /apis/core.token-vendor/v1/public-key.publish + filters: + - type: RequestHeaderModifier + requestHeaderModifier: + set: + - name: "x-auth-url" + value: "http://token-vendor.app-token-vendor.svc.cluster.local/apis/core.token-vendor/v1/token.verify?robots=false" --- apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute diff --git a/src/go/cmd/synk/README.md b/src/go/cmd/synk/README.md index 487c2e674..44e646212 100644 --- a/src/go/cmd/synk/README.md +++ b/src/go/cmd/synk/README.md @@ -6,7 +6,7 @@ It takes set of fully populated Kubernetes resources (files or in-process object It has a similar intent to [Mortar](https://github.com/kontena/mortar), but synk is usable as a Golang library and has first-class support for CRDs. -To be compatible with some of the existing charts, we allow charts to install resources to "kube-system" as the only allowed namespace outside of the chart namespace. +To be compatible with some of the existing charts, we allow charts to install resources to "default" & "kube-system" as the only allowed namespaces outside of the chart namespace. ## Examples diff --git a/src/go/cmd/token-vendor/api/v1/v1.go b/src/go/cmd/token-vendor/api/v1/v1.go index 7524604d8..b75457379 100644 --- a/src/go/cmd/token-vendor/api/v1/v1.go +++ b/src/go/cmd/token-vendor/api/v1/v1.go @@ -362,6 +362,13 @@ func (h *HandlerContext) verifyJWTHandler(w http.ResponseWriter, r *http.Request // Headers (optional): X_FORWARDED_ACCESS_TOKEN or AUTHORIZATION // See function `tokenFromRequest` for details on how to supply the token. func (h *HandlerContext) verifyTokenHandler(w http.ResponseWriter, r *http.Request) { + // for testing: dump request infor to see what we get as an auth plugin + slog.Warn("v1/token.verify", + slog.String("RemoteAddr", r.RemoteAddr), + slog.String("Method", r.Method), + slog.String("URL", r.URL.String()), + slog.String("Headers", fmt.Sprintf("%v", r.Header))) + if r.Method != http.MethodGet { api.ErrResponse(r.Context(), w, http.StatusBadRequest, fmt.Sprintf("method %s not allowed, only %s", r.Method, http.MethodGet)) diff --git a/src/go/pkg/synk/synk.go b/src/go/pkg/synk/synk.go index fd131e4bd..609d2218f 100644 --- a/src/go/pkg/synk/synk.go +++ b/src/go/pkg/synk/synk.go @@ -413,7 +413,7 @@ func (s *Synk) applyAll( func validateNamespace(r *unstructured.Unstructured, optsNs string) error { ns := r.GetNamespace() - allowed := []string{"", "kube-system", optsNs} + allowed := []string{"", "kube-system", "default", optsNs} if slices.Contains(allowed, ns) { return nil } diff --git a/third_party/istio/istio-generated.yaml b/third_party/istio/istio-generated.yaml index 46ea6b8da..b115ef507 100644 --- a/third_party/istio/istio-generated.yaml +++ b/third_party/istio/istio-generated.yaml @@ -18752,7 +18752,7 @@ webhooks: --- apiVersion: v1 data: - mesh: "accessLogFile: \"\"\naccessLogFormat: |\n {\"authority\": \"%REQ(:AUTHORITY)%\"\ + mesh: "accessLogFile: /dev/stdout\naccessLogFormat: |\n {\"authority\": \"%REQ(:AUTHORITY)%\"\ , \"start_time\": \"%START_TIME%\", \"bytes_received\": \"%BYTES_RECEIVED%\",\ \ \"bytes_sent\": \"%BYTES_SENT%\", \"downstream_local_address\": \"%DOWNSTREAM_LOCAL_ADDRESS%\"\ , \"downstream_remote_address\": \"%DOWNSTREAM_REMOTE_ADDRESS%\", \"duration\"\ @@ -18769,7 +18769,12 @@ data: %REQ(x-icon-instance-name)%\", \"x_resource_instance_name\": \"%REQ(x-resource-instance-name)%\"\ }\ndefaultConfig:\n discoveryAddress: istiod.default.svc:15012\n proxyMetadata:\ \ {}\ndefaultProviders:\n metrics:\n - prometheus\nenablePrometheusMerge: true\n\ - rootNamespace: default\ntrustDomain: cluster.local" + extensionProviders:\n- envoyExtAuthzHttp:\n headersToUpstreamOnAllow:\n \ + \ - authorization\n includeRequestHeadersInCheck:\n - authorization\n \ + \ - x-forwarded-access-token\n - x-auth-url\n pathPrefix: /apis/core.token-vendor/v1/token.verify?robots=true;origin=\n\ + \ port: \"80\"\n service: token-vendor.app-token-vendor.svc.cluster.local\n\ + \ withRequestBody:\n maxRequestBytes: 0\n packAsBytes: false\n name:\ + \ token-vendor-robot-and-human-auth\nrootNamespace: default\ntrustDomain: cluster.local" meshNetworks: 'networks: {}' kind: ConfigMap metadata: @@ -18818,9 +18823,10 @@ data: : {\n \"enabled\": false\n }\n },\n \"configMap\": true,\n \"cpu\"\ : {\n \"targetAverageUtilization\": 80\n },\n \"defaultRevision\": \"\",\n\ \ \"deploymentAnnotations\": {},\n \"deploymentLabels\": {},\n \"enabled\"\ - : true,\n \"env\": {},\n \"envVarFrom\": [],\n \"experimental\": {\n \"\ - stableValidationPolicy\": false\n },\n \"extraContainerArgs\": [],\n \"gatewayClasses\"\ - : {},\n \"gateways\": {\n \"istio-egressgateway\": {},\n \"istio-ingressgateway\"\ + : true,\n \"env\": {\n \"PILOT_ENABLE_MULTIPLE_CUSTOM_AUTHZ_PROVIDERS\": \"\ + true\"\n },\n \"envVarFrom\": [],\n \"experimental\": {\n \"stableValidationPolicy\"\ + : false\n },\n \"extraContainerArgs\": [],\n \"gatewayClasses\": {},\n \"\ + gateways\": {\n \"istio-egressgateway\": {},\n \"istio-ingressgateway\"\ : {},\n \"seccompProfile\": {},\n \"securityContext\": {}\n },\n \"global\"\ : {\n \"caAddress\": \"\",\n \"caName\": \"\",\n \"certSigners\": [],\n\ \ \"configCluster\": false,\n \"configValidation\": true,\n \"defaultPodDisruptionBudget\"\ @@ -18862,9 +18868,9 @@ data: : {\n \"enabled\": false,\n \"enabledLocalInjectorIstiod\": false,\n \ \ \"injectionCABundle\": \"\",\n \"injectionPath\": \"/inject\",\n \"injectionURL\"\ : \"\"\n },\n \"jwksResolverExtraRootCA\": \"\",\n \"keepaliveMaxServerConnectionAge\"\ - : \"30m\",\n \"memory\": {},\n \"meshConfig\": {\n \"accessLogFile\": \"\"\ - ,\n \"accessLogFormat\": \"{\\\"authority\\\": \\\"%REQ(:AUTHORITY)%\\\", \\\ - \"start_time\\\": \\\"%START_TIME%\\\", \\\"bytes_received\\\": \\\"%BYTES_RECEIVED%\\\ + : \"30m\",\n \"memory\": {},\n \"meshConfig\": {\n \"accessLogFile\": \"\ + /dev/stdout\",\n \"accessLogFormat\": \"{\\\"authority\\\": \\\"%REQ(:AUTHORITY)%\\\ + \", \\\"start_time\\\": \\\"%START_TIME%\\\", \\\"bytes_received\\\": \\\"%BYTES_RECEIVED%\\\ \", \\\"bytes_sent\\\": \\\"%BYTES_SENT%\\\", \\\"downstream_local_address\\\"\ : \\\"%DOWNSTREAM_LOCAL_ADDRESS%\\\", \\\"downstream_remote_address\\\": \\\"\ %DOWNSTREAM_REMOTE_ADDRESS%\\\", \\\"duration\\\": \\\"%DURATION%\\\", \\\"istio_policy_status\\\ @@ -18881,14 +18887,23 @@ data: \", \\\"x_forwarded_for\\\": \\\"%REQ(X-FORWARDED-FOR)%\\\", \\\"x_icon_instance_name\\\ \": \\\"%REQ(x-icon-instance-name)%\\\", \\\"x_resource_instance_name\\\": \\\"\ %REQ(x-resource-instance-name)%\\\"}\\n\",\n \"defaultConfig\": {\n \"\ - proxyMetadata\": {}\n },\n \"enablePrometheusMerge\": true\n },\n \"nodeSelector\"\ + proxyMetadata\": {}\n },\n \"enablePrometheusMerge\": true,\n \"extensionProviders\"\ + : [\n {\n \"envoyExtAuthzHttp\": {\n \"headersToUpstreamOnAllow\"\ + : [\n \"authorization\"\n ],\n \"includeRequestHeadersInCheck\"\ + : [\n \"authorization\",\n \"x-forwarded-access-token\"\ + ,\n \"x-auth-url\"\n ],\n \"pathPrefix\": \"/apis/core.token-vendor/v1/token.verify?robots=true;origin=\"\ + ,\n \"port\": \"80\",\n \"service\": \"token-vendor.app-token-vendor.svc.cluster.local\"\ + ,\n \"withRequestBody\": {\n \"maxRequestBytes\": 0,\n \ + \ \"packAsBytes\": false\n }\n },\n \"name\": \"\ + token-vendor-robot-and-human-auth\"\n }\n ]\n },\n \"nodeSelector\"\ : {},\n \"ownerName\": \"\",\n \"pdb\": {\n \"minAvailable\": 1,\n \"\ unhealthyPodEvictionPolicy\": \"\"\n },\n \"pilot\": {\n \"cni\": {\n \ - \ \"enabled\": false\n },\n \"enabled\": true\n },\n \"podAnnotations\"\ - : {},\n \"podLabels\": {},\n \"replicaCount\": 1,\n \"resourceQuotas\": {\n\ - \ \"enabled\": true\n },\n \"resources\": {\n \"requests\": {\n \"\ - cpu\": \"500m\",\n \"memory\": \"2048Mi\"\n }\n },\n \"revision\": \"\ - \",\n \"revisionTags\": [],\n \"rollingMaxSurge\": \"100%\",\n \"rollingMaxUnavailable\"\ + \ \"enabled\": false\n },\n \"enabled\": true,\n \"env\": {\n \ + \ \"PILOT_ENABLE_MULTIPLE_CUSTOM_AUTHZ_PROVIDERS\": \"true\"\n }\n },\n \"\ + podAnnotations\": {},\n \"podLabels\": {},\n \"replicaCount\": 1,\n \"resourceQuotas\"\ + : {\n \"enabled\": true\n },\n \"resources\": {\n \"requests\": {\n \ + \ \"cpu\": \"500m\",\n \"memory\": \"2048Mi\"\n }\n },\n \"revision\"\ + : \"\",\n \"revisionTags\": [],\n \"rollingMaxSurge\": \"100%\",\n \"rollingMaxUnavailable\"\ : \"25%\",\n \"seccompProfile\": {},\n \"serviceAccountAnnotations\": {},\n\ \ \"serviceAnnotations\": {},\n \"sidecarInjectorWebhook\": {\n \"alwaysInjectSelector\"\ : [],\n \"defaultTemplates\": [],\n \"enableNamespacesByDefault\": false,\n\ @@ -18909,12 +18924,12 @@ data: : {\n \"configValidation\": true,\n \"hub\": \"docker.io/istio\",\n \"\ istioNamespace\": \"default\",\n \"logging\": {\n \"level\": \"all:warn\"\ \n },\n \"platform\": \"gke\",\n \"tag\": \"1.29.2\"\n },\n \"meshConfig\"\ - : {\n \"accessLogFile\": \"\",\n \"accessLogFormat\": \"{\\\"authority\\\ - \": \\\"%REQ(:AUTHORITY)%\\\", \\\"start_time\\\": \\\"%START_TIME%\\\", \\\"\ - bytes_received\\\": \\\"%BYTES_RECEIVED%\\\", \\\"bytes_sent\\\": \\\"%BYTES_SENT%\\\ - \", \\\"downstream_local_address\\\": \\\"%DOWNSTREAM_LOCAL_ADDRESS%\\\", \\\"\ - downstream_remote_address\\\": \\\"%DOWNSTREAM_REMOTE_ADDRESS%\\\", \\\"duration\\\ - \": \\\"%DURATION%\\\", \\\"istio_policy_status\\\": \\\"%DYNAMIC_METADATA(istio.mixer:status)%\\\ + : {\n \"accessLogFile\": \"/dev/stdout\",\n \"accessLogFormat\": \"{\\\"\ + authority\\\": \\\"%REQ(:AUTHORITY)%\\\", \\\"start_time\\\": \\\"%START_TIME%\\\ + \", \\\"bytes_received\\\": \\\"%BYTES_RECEIVED%\\\", \\\"bytes_sent\\\": \\\"\ + %BYTES_SENT%\\\", \\\"downstream_local_address\\\": \\\"%DOWNSTREAM_LOCAL_ADDRESS%\\\ + \", \\\"downstream_remote_address\\\": \\\"%DOWNSTREAM_REMOTE_ADDRESS%\\\", \\\ + \"duration\\\": \\\"%DURATION%\\\", \\\"istio_policy_status\\\": \\\"%DYNAMIC_METADATA(istio.mixer:status)%\\\ \", \\\"method\\\": \\\"%REQ(:METHOD)%\\\", \\\"path\\\": \\\"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%\\\ \", \\\"protocol\\\": \\\"%PROTOCOL%\\\", \\\"request_id\\\": \\\"%REQ(X-REQUEST-ID)%\\\ \", \\\"requested_server_name\\\": \\\"%REQUESTED_SERVER_NAME%\\\", \\\"response_code\\\ @@ -18928,9 +18943,18 @@ data: \"%REQ(X-FORWARDED-FOR)%\\\", \\\"x_icon_instance_name\\\": \\\"%REQ(x-icon-instance-name)%\\\ \", \\\"x_resource_instance_name\\\": \\\"%REQ(x-resource-instance-name)%\\\"\ }\\n\",\n \"defaultConfig\": {\n \"proxyMetadata\": {}\n },\n \"\ - enablePrometheusMerge\": true\n },\n \"pilot\": {\n \"cni\": {\n \"\ - enabled\": false\n },\n \"enabled\": true\n },\n \"ztunnel\": {\n \"\ - resourceName\": \"ztunnel\"\n }\n}" + enablePrometheusMerge\": true,\n \"extensionProviders\": [\n {\n \ + \ \"envoyExtAuthzHttp\": {\n \"headersToUpstreamOnAllow\": [\n \ + \ \"authorization\"\n ],\n \"includeRequestHeadersInCheck\"\ + : [\n \"authorization\",\n \"x-forwarded-access-token\"\ + ,\n \"x-auth-url\"\n ],\n \"pathPrefix\": \"/apis/core.token-vendor/v1/token.verify?robots=true;origin=\"\ + ,\n \"port\": \"80\",\n \"service\": \"token-vendor.app-token-vendor.svc.cluster.local\"\ + ,\n \"withRequestBody\": {\n \"maxRequestBytes\": 0,\n \ + \ \"packAsBytes\": false\n }\n },\n \"name\": \"\ + token-vendor-robot-and-human-auth\"\n }\n ]\n },\n \"pilot\": {\n \ + \ \"cni\": {\n \"enabled\": false\n },\n \"enabled\": true,\n \"\ + env\": {\n \"PILOT_ENABLE_MULTIPLE_CUSTOM_AUTHZ_PROVIDERS\": \"true\"\n \ + \ }\n },\n \"ztunnel\": {\n \"resourceName\": \"ztunnel\"\n }\n}" kind: ConfigMap metadata: annotations: @@ -19189,6 +19213,8 @@ spec: value: /var/run/secrets/remote/config - name: CA_TRUSTED_NODE_ACCOUNTS value: default/ztunnel + - name: PILOT_ENABLE_MULTIPLE_CUSTOM_AUTHZ_PROVIDERS + value: 'true' - name: PILOT_TRACE_SAMPLING value: '1' - name: PILOT_ENABLE_ANALYSIS diff --git a/third_party/istio/istio-values.json b/third_party/istio/istio-values.json index 43fa9a5b1..f5ebd3320 100644 --- a/third_party/istio/istio-values.json +++ b/third_party/istio/istio-values.json @@ -122,7 +122,9 @@ "enabled": false } }, - "env": {} + "env": { + "PILOT_ENABLE_MULTIPLE_CUSTOM_AUTHZ_PROVIDERS": "true" + } }, "revision": "", "sidecarInjectorWebhook": { diff --git a/third_party/istio/istio_operator.yaml b/third_party/istio/istio_operator.yaml index 17a6a33a0..8cfa2dcbe 100644 --- a/third_party/istio/istio_operator.yaml +++ b/third_party/istio/istio_operator.yaml @@ -16,17 +16,48 @@ spec: # Override the default namespace (istio-system) because we will wrap this YAML in a # ChartAssignment, and the controller will install to the default namespace. istioNamespace: default + pilot: + env: + PILOT_ENABLE_MULTIPLE_CUSTOM_AUTHZ_PROVIDERS: "true" meshConfig: - # from default defaultConfig: proxyMetadata: {} enablePrometheusMerge: true - # Set this to "/dev/stdout" to enable access logging. - accessLogFile: "" + accessLogFile: "/dev/stdout" accessLogFormat: | {"authority": "%REQ(:AUTHORITY)%", "start_time": "%START_TIME%", "bytes_received": "%BYTES_RECEIVED%", "bytes_sent": "%BYTES_SENT%", "downstream_local_address": "%DOWNSTREAM_LOCAL_ADDRESS%", "downstream_remote_address": "%DOWNSTREAM_REMOTE_ADDRESS%", "duration": "%DURATION%", "istio_policy_status": "%DYNAMIC_METADATA(istio.mixer:status)%", "method": "%REQ(:METHOD)%", "path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%", "protocol": "%PROTOCOL%", "request_id": "%REQ(X-REQUEST-ID)%", "requested_server_name": "%REQUESTED_SERVER_NAME%", "response_code": "%RESPONSE_CODE%", "response_flags": "%RESPONSE_FLAGS%", "route_name": "%ROUTE_NAME%", "start_time": "%START_TIME%", "upstream_cluster": "%UPSTREAM_CLUSTER%", "upstream_host": "%UPSTREAM_HOST%", "upstream_local_address": "%UPSTREAM_LOCAL_ADDRESS%", "upstream_service_time": "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%", "upstream_transport_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%", "user_agent": "%REQ(USER-AGENT)%", "x_forwarded_for": "%REQ(X-FORWARDED-FOR)%", "x_icon_instance_name": "%REQ(x-icon-instance-name)%", "x_resource_instance_name": "%REQ(x-resource-instance-name)%"} + # Baseline Debugging for ensonic/istio: + # The PILOT_ENABLE_MULTIPLE_CUSTOM_AUTHZ_PROVIDERS flag is applied to Istiod. + # However, Istiod still reports 'only 1 provider can be used per workload'. + # This suggests a possible version limitation or a requirement that providers + # be referenced in a specific way when multiple are used. + extensionProviders: + - name: "token-vendor-robot-and-human-auth" + envoyExtAuthzHttp: + service: "token-vendor.app-token-vendor.svc.cluster.local" + port: "80" + pathPrefix: "/apis/core.token-vendor/v1/token.verify?robots=true;origin=" + # Force Envoy to use GET instead of POST for the verification check + withRequestBody: + maxRequestBytes: 0 + packAsBytes: false + includeRequestHeadersInCheck: + - "authorization" + - "x-forwarded-access-token" + - "x-auth-url" + headersToUpstreamOnAllow: + - "authorization" + # - name: "token-vendor-human-auth" + # envoyExtAuthzHttp: + # service: "token-vendor.app-token-vendor.svc.cluster.local" + # port: "80" + # pathPrefix: "/apis/core.token-vendor/v1/token.verify?robots=false" + # headersToUpstreamOnAllow: ["authorization"] + # includeRequestHeadersInCheck: + # - "authorization" + # - "x-forwarded-access-token" components: base: