alibo/envoy-forwardauth

Forward Auth Demo (Go + Envoy/Contour)

This repository provides a Go-based external authorization service that supports both Envoy ext_authz gRPC and HTTP forward-auth modes, plus a simple upstream backend. It includes local Docker Compose, Kubernetes manifests with Contour HTTPProxy and ExtensionService, and CI/CD to GHCR.

Features

  • Echo-based HTTP endpoint: /api/v1/auth/http/forward/*
  • Envoy ext_authz gRPC Authorization.Check
  • Deterministic auth decisions via query/path or bearer token
  • Structured logging and echo-back of request/response data in backend

Quick Start (Docker Compose)

  • Build and run: docker compose --profile grpc up --build (for gRPC) or --profile http for HTTP.
  • Test HTTP forward-auth: curl -i localhost:18081/foo?decision=allow
  • Test gRPC auth (via proxy): curl -i localhost:18080/foo -H 'Authorization: Bearer good'
  • Direct endpoints: auth HTTP :8080, gRPC :9090, backend :8081.

Kubernetes (Contour/OpenShift)

  • Install Contour (or this fork that exposed http-based ext_authz).
  • Apply base: kubectl apply -k deploy/k8s/base.
  • Two HTTPProxy examples are provided using auth-grpc and auth-http ExtensionServices.

Auth Decision Rules

  • ?decision=allow|deny or path contains /allow or /deny.
  • Authorization: Bearer <token> allowed if <token> equals AUTH_ACCEPT_TOKEN (default good).
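The rules above, written out as a Go forward-auth handler. This is an added example, not code from this repository: the names `allowed` and `status` are hypothetical, and the order in which the rules are tried (query parameter, then path with /deny checked before /allow, then bearer token) is an assumption the README does not state. The token and deny status are passed as parameters standing in for AUTH_ACCEPT_TOKEN and AUTH_DENY_STATUS.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowed applies the README's rules; the order they are tried in is an assumption.
func allowed(r *http.Request, acceptToken string) bool {
	q, p := r.URL.Query().Get("decision"), r.URL.Path
	switch {
	case q == "allow":
		return true
	case q == "deny", strings.Contains(p, "/deny"):
		return false
	case strings.Contains(p, "/allow"):
		return true
	}
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return false // no rule matched: fail closed
	}
	// Constant-time compare so timing does not reveal how much of the token matched.
	got := []byte(strings.TrimPrefix(h, "Bearer "))
	return len(got) > 0 && subtle.ConstantTimeCompare(got, []byte(acceptToken)) == 1
}

// status runs one constructed request through the handler and returns the response code.
func status(target, authz, acceptToken string, denyStatus int) int {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if allowed(r, acceptToken) {
			w.WriteHeader(http.StatusOK)
			return
		}
		w.WriteHeader(denyStatus)
	})
	r := httptest.NewRequest(http.MethodGet, target, nil)
	r.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, r)
	return rec.Code
}

func main() {
	fmt.Println(status("/foo?decision=allow", "", "good", 403), status("/foo", "Bearer bad", "good", 401))
}
```

Because the query and path rules are evaluated before the token, a request carrying a valid bearer token is still denied when its path contains /deny, and an empty bearer value never matches even if the configured token is empty.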

Development

  • Build: make build
  • Test (coverage): make test
  • Lint/format: make lint / make fmt
  • Images: make docker-build TAG=dev && make docker-push TAG=dev

Images are published to GHCR by CI on pushes and tags.

Container Images (GHCR)

  • Auth service: ghcr.io/alibo/envoy-forwardauth-auth

    • Pull: docker pull ghcr.io/alibo/envoy-forwardauth-auth:sha-<shortsha> or a semver tag vX.Y.Z when released.
    • Run: docker run --rm -p 8080:8080 -p 9090:9090 ghcr.io/alibo/envoy-forwardauth-auth:latest
    • Key env: HTTP_ADDR (default :8080), GRPC_ADDR (default :9090), AUTH_ACCEPT_TOKEN (default good), LOG_JSON (default 1), AUTH_DENY_STATUS (default 403, set to 401 to return Unauthorized).

  • Backend service: ghcr.io/alibo/envoy-forwardauth-backend

    • Pull: docker pull ghcr.io/alibo/envoy-forwardauth-backend:sha-<shortsha> or vX.Y.Z.
    • Run: docker run --rm -p 8081:8081 ghcr.io/alibo/envoy-forwardauth-backend:latest
    • Key env: ADDR (default :8081).

Latest tags

Image | Tags | Package Page
ghcr.io/alibo/envoy-forwardauth-auth | sha-<shortsha>, vX.Y.Z | https://github.com/alibo/envoy-forwardauth/pkgs/container/envoy-forwardauth-auth
ghcr.io/alibo/envoy-forwardauth-backend | sha-<shortsha>, vX.Y.Z | https://github.com/alibo/envoy-forwardauth/pkgs/container/envoy-forwardauth-backend

List tags via CLI

  • With skopeo: skopeo list-tags docker://ghcr.io/alibo/envoy-forwardauth-auth
  • With crane: crane ls ghcr.io/alibo/envoy-forwardauth-auth

Note: GHCR may require authentication for rate limits. Login with echo "$GITHUB_TOKEN" | docker login ghcr.io -u <your-username> --password-stdin.

About

Testing envoy's forward auth feature in golang (http + grpc)
