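# Envoy static configuration: one listener on :10000 that terminates TLS 1.3
# with mandatory client-certificate validation, applies an RBAC allow-list in
# the HTTP connection manager, and proxies to the `restic` cluster
# (rest-server:8000).
static_resources:
  # --8<-- [start:listener]
  listeners:
    - name: listener_0
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 10000
      # --8<-- [end:listener]
      filter_chains:
        # NOTE(review): this SNI-only chain carries no transport socket and no
        # filters, while the TLS chain below has no filter_chain_match, so the
        # TLS chain matches every connection and the server_names restriction
        # has no effect. If the intent is to serve only *.john-stream.com, move
        # filter_chain_match into the TLS chain; I believe server_names matching
        # also needs a TLS-inspector listener filter so the SNI is available
        # before chain selection — confirm against the Envoy version in use.
        - filter_chain_match:
            server_names:
              - "*.john-stream.com"
        - transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              # Mutual TLS: a connection that presents no client certificate is
              # rejected at the handshake.
              require_client_certificate: true
              common_tls_context:
                tls_params:
                  tls_minimum_protocol_version: TLSv1_3
                validation_context:
                  trusted_ca:
                    filename: /certs/root_ca.crt
                  # Client SANs must be SPIFFE IDs in the john-stream.com trust
                  # domain. `prefix` is a plain string prefix, so the trailing
                  # "/" is what makes this a trust-domain boundary: without it,
                  # any trust domain whose name merely starts with
                  # "john-stream.com" would also pass validation.
                  match_typed_subject_alt_names:
                    - san_type: URI
                      matcher:
                        prefix: "spiffe://john-stream.com/"
                tls_certificates:
                  - certificate_chain:
                      filename: /certs/cert.pem
                    private_key:
                      filename: /certs/envoy.pem
          filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                use_remote_address: true
                http2_protocol_options:
                  max_concurrent_streams: 100
                access_log:
                  - name: envoy.access_loggers.file
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      path: "/var/log/envoy/access.log"
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: local_service
                      domains:
                        - "*.john-stream.com"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: restic
                http_filters:
                  # RBAC runs ahead of the router. With action ALLOW, a request
                  # that matches no policy is denied, so everything outside
                  # data_policy is rejected before it reaches the upstream.
                  - name: envoy.filters.http.rbac
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
                      rules:
                        action: ALLOW
                        policies:
                          "data_policy":
                            permissions:
                              - and_rules:
                                  rules:
                                    # Plain string prefix: also matches paths
                                    # such as "/dev-testing"; tighten to
                                    # "/dev-test/" if only that subtree is meant.
                                    - header:
                                        name: ":path"
                                        string_match:
                                          prefix: "/dev-test"
                            principals:
                              # Identity is taken from the validated client
                              # certificate, not from any request header.
                              - authenticated:
                                  principal_name:
                                    exact: "spiffe://john-stream.com/ubuntu"
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: restic
      connect_timeout: 0.25s
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: restic
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      # Change this depending on the docker compose service name
                      address: rest-server
                      port_value: 8000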