apiVersion: v1
kind: ConfigMap
metadata:
  name: frontend-envoy
data:
  envoy-config.yaml: |
    node:
      id: "frontend"
      cluster: "demo-cluster-spire"
    admin:
      access_log:
      - name: envoy.access_loggers.file
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
          path: "/tmp/admin_access0.log"
      address:
        socket_address:
          protocol: TCP
          address: 127.0.0.1
          port_value: 8100
    static_resources:
      listeners:
      - name: outbound_proxy
        address:
          socket_address:
            address: 127.0.0.1
            port_value: 3001
        filter_chains:
        - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              common_http_protocol_options:
                idle_timeout: 1s
              codec_type: auto
              access_log:
              - name: envoy.access_loggers.file
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                  path: "/tmp/outbound-proxy.log"
              stat_prefix: ingress_http
              route_config:
                name: service_route
                virtual_hosts:
                - name: outbound_proxy
                  domains: ["*"]
                  routes:
                  - match:
                      prefix: "/"
                    route:
                      cluster: backend
                http_filters:
                - name: envoy.filters.http.router
                  typed_config: 
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      clusters:
      - name: spire_agent
        connect_timeout: 0.25s
        http2_protocol_options: {}
        load_assignment:	
          cluster_name: spire_agent
          endpoints:	
          - lb_endpoints:	
            - endpoint:	
                address:	
                  pipe:	
                    path: /run/spire/sockets/agent.sock
      - name: backend
        connect_timeout: 0.25s
        type: strict_dns
        lb_policy: ROUND_ROBIN
        load_assignment:	
          cluster_name: ext-authz
          endpoints:	
          - lb_endpoints:	
            - endpoint:	
                address:	
                  socket_address:	
                    address: backend-envoy
                    port_value: 9001
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
            common_tls_context:
              tls_certificate_sds_secret_configs:
              - name: "spiffe://example.org/ns/default/sa/default/frontend"
                sds_config:
                  resource_api_version: V3
                  api_config_source:
                    api_type: GRPC
                    transport_api_version: V3
                    grpc_services:
                      envoy_grpc:
                        cluster_name: spire_agent
              combined_validation_context:
                default_validation_context:
                  match_typed_subject_alt_names:
                  - san_type: URI
                    matcher:
                      exact: "spiffe://example.org/ns/default/sa/default/backend"
                validation_context_sds_secret_config:
                  name: "spiffe://example.org"
                  sds_config:
                    resource_api_version: V3
                    api_config_source:
                      api_type: GRPC
                      transport_api_version: V3
                      grpc_services:
                        envoy_grpc:
                          cluster_name: spire_agent
              tls_params:
                ecdh_curves:
                  - X25519:P-256:P-521:P-384