-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathenvoy.yaml
More file actions
130 lines (130 loc) · 6.95 KB
/
envoy.yaml
File metadata and controls
130 lines (130 loc) · 6.95 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
admin: # configuration for the admin page, without this envoy will report a warning
address:
socket_address:
address: 127.0.0.1
port_value: 9901 # note this port is not exposed in the docker-compose.yaml
static_resources:
listeners:
- address: # listen on port 8080 on both IPv4 and IPv6
socket_address:
address: "::" # listen to all local addresses on IPv6
port_value: 8080
additional_addresses:
- address:
socket_address:
address: 0.0.0.0 # listen to all local address on IPv4
port_value: 8080
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
codec_type: auto
stat_prefix: ingress_http
route_config:
name: local_route
virtual_hosts: # virtual hosts allow multiple DNS records (host names) to refer to a single IP/machine
- name: backend
domains: # in this case we're not using virtual hosts so we say everything goes to the same machine
- "*"
routes: # defines which requests should be forwarded
- match:
prefix: "/v1/" # anything going to the path /v1/ is to be forwarded to openai
route:
cluster: openai # the cluster is defined at the bottom of this file
host_rewrite_literal: "api.openai.com" # when we forward we don't want the host header to be localhost
timeout: 300s # streaming responses can take a while
typed_per_filter_config:
envoy.filters.http.cors: # Rules for applying CORS headers (applied in http_filters below)
"@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.CorsPolicy
allow_credentials: true
allow_headers: "*"
allow_methods: "GET,POST,OPTIONS"
allow_origin_string_match: # match connections for localhost and the IPv4 and IPv6 literals for the local address
- safe_regex:
regex: https?://localhost(:\d+)?
- safe_regex:
regex: https?://127\.0\.0\.1(:\d+)?
- safe_regex:
regex: https?://\[::1\](:\d+)?
allow_private_network_access: true
max_age: "86400" # cache for 1 day
http_filters:
- name: envoy.filters.http.health_check # matches the health-check path /ping returns 200 OK on success
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
pass_through_mode: false
headers:
- name: ":method"
string_match:
exact: "GET"
- name: ":path"
string_match:
exact: "/ping"
- name: envoy.filters.http.header_to_metadata # keep track of the request path so a later step can check it
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.header_to_metadata.v3.Config
request_rules:
- header: :path # Make request path available for ext_authz
on_header_present:
metadata_namespace: envoy.filters.http.ext_authz # this is queried in filter_enabled_metadata below
key: :path
type: STRING
remove: false
- name: extensions.filters.http.cors # add CORS headers using the rules above
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
- name: envoy.filters.http.ext_authz # this filter applies the rules in config/authz.rego using OPA
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
grpc_service:
google_grpc:
target_uri: opa:9191 # talk to OPA on port 9191
stat_prefix: ext_authz # name used in the Envoy admin/debug page to report statistics
timeout: 5s
failure_mode_allow: false # if OPA doesn't respond, deny the request
filter_enabled_metadata: # use only for OpenAI API /v1/ paths
filter: envoy.filters.http.ext_authz
path:
- key: :path
value:
string_match:
prefix: /v1/
status_on_error: # configure failures as server error rather than client error
code: 503
transport_api_version: V3 # based on the container we are using for OPA, V3 is preferred
with_request_body:
max_request_bytes: 1048576 # limit the body size to 1MB
allow_partial_message: false # if the body doesn't fit then reject the request
- name: envoy.filters.http.router # the filter chain should always end in a http router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- name: openai
connect_timeout: 0.5s
type: logical_dns
lb_policy: round_robin
load_assignment:
cluster_name: openai
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
protocol: TCP
address: api.openai.com
port_value: 443
# https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: api.openai.com
common_tls_context:
validation_context:
match_typed_subject_alt_names:
- san_type: DNS
matcher:
exact: api.openai.com
trusted_ca:
filename: /etc/ssl/certs/ca-certificates.crt