Dockerfile to replace Istio proxy configuration.
Add a Dockerfile to build a version of the proxy that has different
check_cache behavior.
diff --git a/proxy/Dockerfile b/proxy/Dockerfile
new file mode 100644
index 0000000..452e2ed
--- /dev/null
+++ b/proxy/Dockerfile
@@ -0,0 +1,4 @@
+FROM istio/proxy:0.1.3
+
+COPY envoy.conf.template /etc/opt/proxy/envoy.conf.template
+
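Review bot: `FROM istio/proxy:0.1.3` pins the base image only by a mutable tag, so a re-pushed tag would silently change the proxy binary that enforces this auth-relevant configuration; pinning by digest, e.g. `FROM istio/proxy:0.1.3@sha256:<digest-of-the-reviewed-image>`, keeps the build reproducible. The `COPY` also depends on the base image rendering `/etc/opt/proxy/envoy.conf.template` at startup, which is not visible in this diff. If a later base version moves that path, the override would be ignored and the proxy would presumably fall back to its stock `check_cache_keys`. A comment above the `COPY` would record that dependency, for example `# Overrides the template the base image renders at startup; re-verify the path when bumping FROM`.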
diff --git a/proxy/README.md b/proxy/README.md
new file mode 100644
index 0000000..2a64a4a
--- /dev/null
+++ b/proxy/README.md
@@ -0,0 +1,11 @@
+# Proxy Docker image
+
+This directory contains a Dockerfile that will replace the Envoy
+configuration in the standard Istio proxy image with the configuration
+template in this directory.
+
+The main reason to change the configuration template here is to change
+the "check_cache_keys" parameter. With this change, the default
+Istio proxy will cache "check" results with the same URL. This change
+adds HTTP headers "apikey" and "Authorization" so that the caching
+will take authentication into account.
diff --git a/proxy/envoy.conf.template b/proxy/envoy.conf.template
new file mode 100644
index 0000000..e5984cc
--- /dev/null
+++ b/proxy/envoy.conf.template
@@ -0,0 +1,152 @@
+{
+ "listeners": [
+ {
+ "address": "tcp://0.0.0.0:${PORT}",
+ "bind_to_port": true,
+ "filters": [
+ {
+ "type": "read",
+ "name": "http_connection_manager",
+ "config": {
+ "codec_type": "auto",
+ "stat_prefix": "ingress_http",
+ "route_config": {
+ "virtual_hosts": [
+ {
+ "name": "backend",
+ "domains": ["*"],
+ "routes": [
+ {
+ "timeout_ms": 0,
+ "prefix": "/",
+ "cluster": "service1",
+ "opaque_config": {
+ "mixer_control": "on",
+ "mixer_forward": "off"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "access_log": [
+ {
+ "path": "/dev/stdout"
+ }
+ ],
+ "filters": [
+ {
+ "type": "decoder",
+ "name": "mixer",
+ "config": {
+ "mixer_server": "${MIXER_SERVER}",
+ "mixer_attributes": {
+ "target.uid": "POD222",
+ "target.service": "foo.svc.cluster.local"
+ },
+ "quota_name": "RequestCount",
+ "quota_amount": "1",
+ "check_cache_expiration_seconds": 1,
+ "check_cache_keys": [
+ "request.host",
+ "request.path",
+ "origin.user",
+ "request.headers/apikey",
+ "request.headers/authorization"
+ ]
+ }
+ },
+ {
+ "type": "decoder",
+ "name": "router",
+ "config": {}
+ }
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "address": "tcp://0.0.0.0:7070",
+ "bind_to_port": true,
+ "filters": [
+ {
+ "type": "read",
+ "name": "http_connection_manager",
+ "config": {
+ "codec_type": "auto",
+ "stat_prefix": "ingress_http",
+ "route_config": {
+ "virtual_hosts": [
+ {
+ "name": "backend",
+ "domains": ["*"],
+ "routes": [
+ {
+ "timeout_ms": 0,
+ "prefix": "/",
+ "cluster": "service2"
+ }
+ ]
+ }
+ ]
+ },
+ "access_log": [
+ {
+ "path": "/dev/stdout"
+ }
+ ],
+ "filters": [
+ {
+ "type": "decoder",
+ "name": "mixer",
+ "config": {
+ "mixer_server": "${MIXER_SERVER}",
+ "forward_attributes": {
+ "source.uid": "POD11",
+ "source.namespace": "XYZ11"
+ }
+ }
+ },
+ {
+ "type": "decoder",
+ "name": "router",
+ "config": {}
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ],
+ "admin": {
+ "access_log_path": "/dev/stdout",
+ "address": "tcp://0.0.0.0:9001"
+ },
+ "cluster_manager": {
+ "clusters": [
+ {
+ "name": "service1",
+ "connect_timeout_ms": 5000,
+ "type": "strict_dns",
+ "lb_type": "round_robin",
+ "hosts": [
+ {
+ "url": "tcp://${BACKEND}"
+ }
+ ]
+ },
+ {
+ "name": "service2",
+ "connect_timeout_ms": 5000,
+ "type": "strict_dns",
+ "lb_type": "round_robin",
+ "hosts": [
+ {
+ "url": "tcp://localhost:9090"
+ }
+ ]
+ }
+ ]
+ }
+}
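Review bot: The `admin` block near the end of the template binds Envoy's admin interface to all interfaces (`"address": "tcp://0.0.0.0:9001"`), so the admin endpoints are reachable by anything that can route to the pod; unless remote access is required, bind it to loopback with `"address": "tcp://127.0.0.1:9001"`. On the setting this commit is about, `check_cache_keys` now separates cached results by `apikey` and `authorization` but not by HTTP method. If any Mixer check rule depends on the verb, a cached allow for one method could be reused for another method on the same path by the same caller until the entry expires; adding `"request.method"` to the list would close that, assuming this proxy version emits that attribute. The hard-coded `target.uid` and `target.service` values (`POD222`, `foo.svc.cluster.local`) look like sample placeholders and are worth templating the same way as `${MIXER_SERVER}`, or at least calling out in the README.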