Updates

.github/workflows/ngwaf-envoy.yaml

@@ -29,7 +29,7 @@ jobs:
             --from-literal=secretaccesskey=${{ secrets.NGWAF_STAGING_SECRETACCESSKEY }}
       
       - name: Deploy Envoy resources from file
-        run: kubectl apply -f k8s/envoy-deployment.yaml
+        run: kubectl apply -f on-prem-ngwaf-integrations/envoy-deployment.yaml
 
       - name: Wait for Envoy rollout
         run: kubectl rollout status deployment/envoy-waf-deployment --timeout=30s

on-prem-ngwaf-integrations/envoy-deployment.yaml

@@ -0,0 +1,201 @@
+# ConfigMap: Contains the updated Envoy configuration with ext_authz integration.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: envoy-config
+data:
+  envoy.yaml: |
+    node:
+      id: proxy-node
+      cluster: proxy-cluster
+    static_resources:
+      listeners:
+      - name: listener_0
+        address:
+          socket_address:
+            address: 0.0.0.0
+            port_value: 10000
+        filter_chains:
+        - filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                stat_prefix: ingress_http
+                route_config:
+                  name: local_route
+                  virtual_hosts:
+                  - name: backend
+                    domains: ["*"]
+                    routes:
+                    - match:
+                        prefix: "/"
+                      route:
+                        cluster: edge_cluster
+                        host_rewrite_literal: "http.edgecompute.app"
+                    cors:
+                      allow_origin_string_match:
+                        - prefix: "*"
+                      allow_methods: GET, PUT, DELETE, POST, OPTIONS
+                      allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
+                      max_age: "1728000"
+                      expose_headers: custom-header-1,grpc-status,grpc-message
+                
+                access_log:
+                - name: envoy.access_loggers.stdout
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+                - name: envoy.http_grpc_access_log
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig
+                    common_config:
+                      log_name: "sigsci-agent-grpc"
+                      transport_api_version: V3
+                      grpc_service:
+                        envoy_grpc:
+                          cluster_name: sigsci-agent-grpc
+                        timeout: 0.2s
+                    additional_request_headers_to_log:
+                    # These sigsci-agent headers are required for correct processing:
+                    - "x-sigsci-request-id"
+                    - "x-sigsci-waf-response"
+                    # Optionally, additional headers can be added that should be recorded:
+                    - "accept"
+                    - "content-type"
+                    - "content-length"
+                    additional_response_headers_to_log:
+                    - "date"
+                    - "server"
+                    - "content-type"
+                    - "content-length"
+
+
+                http_filters:
+                # ext_authz filter calls the NGWAF agent via gRPC.
+                - name: envoy.filters.http.ext_authz
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+                    transport_api_version: V3
+                    grpc_service:
+                      envoy_grpc:
+                        cluster_name: sigsci-agent-grpc
+                    failure_mode_allow: false
+                - name: envoy.filters.http.router
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+      clusters:
+      # Cluster for forwarding requests to https://http.edgecompute.app.
+      - name: edge_cluster
+        connect_timeout: 0.25s
+        type: LOGICAL_DNS
+        lb_policy: ROUND_ROBIN
+        dns_lookup_family: V4_ONLY
+        http2_protocol_options: {}
+        load_assignment:
+          cluster_name: edge_cluster
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: http.edgecompute.app
+                    port_value: 443
+        transport_socket:
+          name: envoy.transport_sockets.tls
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+            sni: "http.edgecompute.app"
+      # Cluster used by the ext_authz filter to contact the NGWAF agent.
+      - name: sigsci-agent-grpc
+        connect_timeout: 0.25s
+        type: STATIC
+        lb_policy: ROUND_ROBIN
+        http2_protocol_options: {}  # <--- This tells Envoy to use HTTP/2 for gRPC
+        load_assignment:
+          cluster_name: sigsci-agent-grpc
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    # Both containers share the same network namespace.
+                    address: 127.0.0.1
+                    port_value: 9999
+
+---
+
+# Deployment: Combines the Envoy proxy and the Next‑Gen WAF Agent sidecar.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: envoy-waf-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: envoy-waf
+  template:
+    metadata:
+      labels:
+        app: envoy-waf
+    spec:
+      containers:
+      # Envoy container – set to use debug logging for detailed output.
+      - name: envoy
+        image: envoyproxy/envoy:v1.22-latest
+        args:
+          - "-c"
+          - "/etc/envoy/envoy.yaml"
+          - "-l"
+          - "debug"    # Change to "trace" for even more verbosity.
+        ports:
+        - containerPort: 10000
+        volumeMounts:
+        - name: envoy-config
+          mountPath: /etc/envoy
+      # Next‑Gen WAF Agent container (sigsci-agent) configured for ext_authz (gRPC mode).
+      - name: sigsci-agent
+        image: signalsciences/sigsci-agent:latest
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: SIGSCI_ACCESSKEYID
+          valueFrom:
+            secretKeyRef:
+              name: sigsci.my-site-name-here
+              key: accesskeyid
+        - name: SIGSCI_SECRETACCESSKEY
+          valueFrom:
+            secretKeyRef:
+              name: sigsci.my-site-name-here
+              key: secretaccesskey
+        # Instruct the agent to expect response data and configure its gRPC address.
+        - name: SIGSCI_ENVOY_EXPECT_RESPONSE_DATA
+          value: "1"
+        - name: SIGSCI_ENVOY_GRPC_ADDRESS
+          value: "localhost:9999"
+        - name: SIGSCI_DEBUG_ALL_THE_THINGS
+          value: "true"
+        - name: SIGSCI_WAF_DATA_LOG
+          value: "/dev/stdout"
+        ports:
+        - containerPort: 9999
+        securityContext:
+          readOnlyRootFilesystem: true
+      volumes:
+      - name: envoy-config
+        configMap:
+          name: envoy-config
+
+---
+
+# Service: Exposes the Envoy listener on port 10000.
+apiVersion: v1
+kind: Service
+metadata:
+  name: envoy
+spec:
+  selector:
+    app: envoy-waf
+  ports:
+  - protocol: TCP
+    port: 10000
+    targetPort: 10000