From a5d4b53ecfda0e8f00496753bec664c3e9fe090b Mon Sep 17 00:00:00 2001
From: Stojan Dimitrovski
Date: Fri, 28 Feb 2025 16:21:52 +0100
Subject: [PATCH 1/3] feat: remove api key checks in envoy
---
 ansible/files/envoy_config/lds.supabase.yaml | 63 --------------------
 1 file changed, 63 deletions(-)
diff --git a/ansible/files/envoy_config/lds.supabase.yaml b/ansible/files/envoy_config/lds.supabase.yaml
index 40d3d46f2..6f7f74786 100644
--- a/ansible/files/envoy_config/lds.supabase.yaml
+++ b/ansible/files/envoy_config/lds.supabase.yaml
@@ -37,51 +37,6 @@ resources:
 rules:
 action: DENY
 policies:
- api_key_missing:
- permissions:
- - any: true
- principals:
- - not_id:
- or_ids:
- ids:
- - header:
- name: apikey
- present_match: true
- - header:
- name: ':path'
- string_match:
- contains: apikey=
- api_key_not_valid:
- permissions:
- - any: true
- principals:
- - not_id:
- or_ids:
- ids:
- - header:
- name: apikey
- string_match:
- exact: anon_key
- - header:
- name: apikey
- string_match:
- exact: service_key
- - header:
- name: apikey
- string_match:
- exact: supabase_admin_key
- - header:
- name: ':path'
- string_match:
- contains: apikey=anon_key
- - header:
- name: ':path'
- string_match:
- contains: apikey=service_key
- - header:
- name: ':path'
- string_match:
- contains: apikey=supabase_admin_key
 origin_protection_key_missing:
 permissions:
 - any: true
@@ -383,24 +338,6 @@ resources:
 route:
 cluster: admin_api
 prefix_rewrite: /privileged/
- typed_per_filter_config:
- envoy.filters.http.rbac:
- '@type': >-
- type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
- rbac:
- rules:
- action: DENY
- policies:
- basic_auth:
- permissions:
- - any: true
- principals:
- - header:
- name: authorization
- invert_match: true
- string_match:
- exact: Basic c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5
- treat_missing_header_as_empty: true
 - match:
 prefix: /metrics/aggregated
 request_headers_to_remove:
From 67b2f829221e8d24adc81c10e52b46b65d486e4e Mon Sep 17 00:00:00 2001
From: Stojan Dimitrovski
Date: Fri, 28 Feb 2025 17:11:34 +0100
Subject: [PATCH 2/3] bump vars
---
 ansible/vars.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ansible/vars.yml b/ansible/vars.yml
index b49b27e8c..ab9d94b4f 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -8,8 +8,8 @@ postgres_major:
 # Full version strings for each major version
 postgres_release:
- postgresorioledb-17: "17.0.1.040-orioledb"
- postgres15: "15.8.1.046"
+ postgresorioledb-17: "17.0.1.041-orioledb"
+ postgres15: "15.8.1.047"
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
From 675311cc077d4183f20dbf3f62225817e2482b65 Mon Sep 17 00:00:00 2001
From: Stojan Dimitrovski
Date: Sat, 1 Mar 2025 12:32:35 +0100
Subject: [PATCH 3/3] add `x-sb-error-code` header to envoy lds.yaml when api key or opk don't match
---
 ansible/files/envoy_config/lds.supabase.yaml | 4 ++++
 ansible/files/envoy_config/lds.yaml | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/ansible/files/envoy_config/lds.supabase.yaml b/ansible/files/envoy_config/lds.supabase.yaml
index 6f7f74786..6fdcb68c7 100644
--- a/ansible/files/envoy_config/lds.supabase.yaml
+++ b/ansible/files/envoy_config/lds.supabase.yaml
@@ -189,6 +189,10 @@ resources:
 prefix: /metrics/aggregated
 invert_match: true
 status_code: 401
+ headers_to_add:
+ - header:
+ key: x-sb-error-code
+ value: '%RESPONSE_CODE_DETAILS%'
 body_format_override:
 json_format:
 message: >-
diff --git a/ansible/files/envoy_config/lds.yaml b/ansible/files/envoy_config/lds.yaml
index 2fc7cae13..97481c889 100644
--- a/ansible/files/envoy_config/lds.yaml
+++ b/ansible/files/envoy_config/lds.yaml
@@ -215,6 +215,10 @@ resources:
 prefix: /metrics/aggregated
 invert_match: true
 status_code: 401
+ headers_to_add:
+ - header:
+ key: x-sb-error-code
+ value: '%RESPONSE_CODE_DETAILS%'
 body_format_override:
 json_format:
 message: >-
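Review bot: The new `x-sb-error-code` value in the `lds.supabase.yaml` hunk is Envoy's raw `%RESPONSE_CODE_DETAILS%`, and nothing in the added lines says what that string contains or that callers will now see it; the same four lines are added in the `ansible/files/envoy_config/lds.yaml` hunk. For a denial produced by the RBAC filter this value normally embeds the name of the matched policy, so names such as `origin_protection_key_missing` become client-visible and effectively part of the API contract. It is worth confirming that this is intended for every local reply this mapper rewrites to 401, not only the API-key and origin-protection cases named in the commit subject. I would add a comment above `headers_to_add:` such as `# x-sb-error-code exposes Envoy response-code details (for RBAC denials, the matched policy name) to the caller; keep policy names free of internal detail`. The mapper entry begins above both hunks, so its full match condition is not visible here.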