Build and run the PDP from the host using:

```sh
cd services && make
GLOBAL_CONFIG_PATH=../config/gateway.json PDP_POLICY_PATH=../policies ./out/pdp-server
```

The PDP listens on 0.0.0.0:9000, i.e. on every interface of the host, so restrict access with the host firewall if the host is reachable from beyond the Docker network. To make Envoy use the host instance of the PDP, edit config/envoy.json and set the address of the ExtAuthZ plugin to your host network address.
Policies are written in Rego and evaluated with Open Policy Agent. To run the policy test cases:

```sh
cd policies && make test
```

- Refer to policies/example.rego for a policy example.
- Policies are loaded from the ./policies directory (the PDP_POLICY_PATH given above).
The Tap Service is integrated as an Envoy ExtProc filter. This gives it greater control over Envoy's request processing life-cycle than a passive tap: it can modify requests and responses if required.
Currently it is used only for publishing events for data collection, but it may be extended to other use-cases in future. Internally, the Tap service implements a handler chain that delegates each Envoy event to its registered handlers. Example:
```go
// Register the handlers the chain should run; here only the event publisher.
tapService, err := tap.NewTapService(config, []tap.TapHandlerRegistration{
	tap.NewTapEventPublisherRegistration(),
})
if err != nil {
	log.Fatalf("failed to create tap service: %v", err)
}
```
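The handler chain described above, as an added example that is not the project's code: a minimal Go sketch of the same delegation pattern. The names `Event`, `Handler`, `Registration`, `TapService`, `MemoryPublisher`, `NewRedactRegistration` and `NewEventPublisherRegistration` are assumptions made for this example; the real `tap` package's types differ. It goes one step beyond the snippet above by putting a hypothetical redaction handler ahead of the publisher, which shows why handler order matters: the publisher only ever sees the event after credential headers have been blanked, so they never reach the data-collection bus.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event: the subset of an Envoy ExtProc processing event handed to the chain.
// Type and field names are assumptions made for this example.
type Event struct {
	Phase   string            `json:"phase"` // e.g. "upstream.request"
	Path    string            `json:"path"`
	Headers map[string]string `json:"headers"`
}

// Handler is one link of the chain; an error aborts the chain so the failure
// reaches the caller instead of being silently swallowed.
type Handler interface{ Handle(ev *Event) error }

// Registration constructs a Handler; a slice of them is passed to NewTapService.
type Registration func() (Handler, error)

type TapService struct{ handlers []Handler }

func NewTapService(regs []Registration) (*TapService, error) {
	s := &TapService{}
	for _, r := range regs {
		h, err := r()
		if err != nil {
			return nil, err
		}
		s.handlers = append(s.handlers, h)
	}
	return s, nil
}

// Dispatch delegates one event to every handler in registration order.
func (s *TapService) Dispatch(ev *Event) error {
	for _, h := range s.handlers {
		if err := h.Handle(ev); err != nil {
			return fmt.Errorf("handler %T: %w", h, err)
		}
	}
	return nil
}

// Publisher abstracts the message bus; the deployment would back it with a NATS
// connection. MemoryPublisher just records messages (not goroutine-safe).
type Publisher interface{ Publish(subject string, payload []byte) error }

type MemoryPublisher struct{ Messages map[string][][]byte }

func (m *MemoryPublisher) Publish(subject string, payload []byte) error {
	if m.Messages == nil {
		m.Messages = map[string][][]byte{}
	}
	m.Messages[subject] = append(m.Messages[subject], payload)
	return nil
}

// redactHandler (hypothetical) blanks credential-bearing headers so that no
// later handler can publish them to the data-collection bus.
type redactHandler struct{ names []string }

func NewRedactRegistration(names ...string) Registration {
	return func() (Handler, error) { return &redactHandler{names: names}, nil }
}

func (r *redactHandler) Handle(ev *Event) error {
	for k := range ev.Headers {
		for _, n := range r.names {
			if strings.EqualFold(k, n) {
				ev.Headers[k] = "[redacted]"
			}
		}
	}
	return nil
}

// subjectPrefix + "." + Phase yields subjects such as com.msg.event.upstream.request.
const subjectPrefix = "com.msg.event"

type publishHandler struct{ pub Publisher }

func NewEventPublisherRegistration(pub Publisher) Registration {
	return func() (Handler, error) { return &publishHandler{pub: pub}, nil }
}

func (p *publishHandler) Handle(ev *Event) error {
	body, err := json.Marshal(ev)
	if err != nil {
		return err
	}
	return p.pub.Publish(subjectPrefix+"."+ev.Phase, body)
}
```

Wiring is the same as in the snippet above: build the service from `[]Registration{NewRedactRegistration("Authorization"), NewEventPublisherRegistration(pub)}` and call `Dispatch` for each event. Swapping `MemoryPublisher` for a NATS-backed `Publisher` changes nothing in the chain, and a registration that fails is reported by `NewTapService` instead of leaving a hole in the chain.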
To build and run the Tap service from the host:

```sh
cd services && make
GLOBAL_CONFIG_PATH=../config/gateway.json ./out/tap-server
```

To make Envoy use the host instance of the Tap service, edit envoy.json and change the address of the ext-proc-tap cluster to your host network address.
Start a Docker container with the NATS client, attached to the gateway's compose network and with the current directory mounted so the PKI files are reachable:

```sh
docker run --rm -it \
  --network supply-chain-security-gateway_default \
  -v `pwd`:/workspace \
  synadia/nats-box
```

Subscribe to a subject and receive messages:

```sh
GODEBUG=x509ignoreCN=0 nats sub \
  --tlscert=/workspace/pki/tap/server.crt \
  --tlskey=/workspace/pki/tap/server.key \
  --tlsca=/workspace/pki/root.crt \
  --server=tls://nats-server:4222 \
  com.msg.event.upstream.request
```

Two things to be aware of with this command. GODEBUG=x509ignoreCN=0 makes Go fall back to the certificate's Common Name when it carries no Subject Alternative Name; Go 1.17 and later ignore that setting, so with a newer nats CLI the server certificate must carry a SAN for nats-server. The subscriber also authenticates with the Tap service's own server key pair (pki/tap/server.crt and server.key), which is convenient for a local check but means any consumer holding those files is indistinguishable from the Tap service; for anything beyond local debugging, issue a separate client certificate from the same root.