hashicorp · boruszak · Sep 18, 2023 · Sep 14, 2023 · Sep 14, 2023 · Sep 14, 2023
@@ -0,0 +1,197 @@
+---
+layout: docs
+page_title: Delegate authorization to Apigee
+description: Learn how to use the `ext-authz` Envoy extension to delegate data plane authorization requests to Apigee. 
+---
+
+# Delegate authorization to Apigee
+
+This topic describes how to use the external authorization Envoy extension to delegate data plane authorization requests to Apigee.
+
+For more detailed guidance, refer to the [`learn-consul-apigee-external-authz` repo on GitHub](https://github.com/hashicorp-education/learn-consul-apigee-external-authz).
+
+## Workflow
+
+Complete the following steps to use the external authorization extension with Apigee:
+
+1. Deploy the Apigee Adapter for Envoy and register the service in Consul.
+1. Configure the `EnvoyExtensions` block in a service defaults or proxy defaults configuration entry. 
+1. Apply the configuration entry.
+
+## Deploy the Apigee Adapter for Envoy
+
+The [Apigee Adapter for Envoy](https://cloud.google.com/apigee/docs/api-platform/envoy-adapter/v2.0.x/concepts) is an Apigee-managed API gateway that uses Envoy to proxy API traffic.
+
+To download and install Apigee Adapter for Envoy refer to the [getting started documentation](https://cloud.google.com/apigee/docs/api-platform/envoy-adapter/v2.0.x/getting-started) or follow along with the [`learn-consul-apigee-external-authz` repo on GitHub](https://github.com/hashicorp-education/learn-consul-apigee-external-authz).
+
+Once the service is deployed in the desired runtime configure the default behavior of the service to direct the authorization requests to Apigee:
+
+<Tabs>
+<Tab heading="HCL" group="hcl">
+<CodeBlockConfig filename="apigee-remote-service-envoy.hcl">
+
+```hcl
+Kind = "service-defaults"
+Name = "apigee-remote-service-envoy"
+Protocol = "grpc"
+```
+</CodeBlockConfig>
+</Tab>
+<Tab heading="JSON" group="json">
+<CodeBlockConfig filename="apigee-remote-service-envoy.json">
+
+```json
+{
+  "kind": "service-defaults",
+  "name": "apigee-remote-service-envoy",
+  "protocol": "grpc"
+}
+```
+
+</CodeBlockConfig>
+</Tab>
+<Tab heading="Kubernetes" group="yaml">
+<CodeBlockConfig filename="apigee-remote-service-envoy.yaml">
+
+```yaml
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceDefaults
+metadata:
+  name: apigee-remote-service-envoy
+  namespace: apigee
+spec:
+  protocol: grpc
+```
+</CodeBlockConfig>
+</Tab>
+</Tabs>
+
+## Configure the `EnvoyExtensions`
+
+Add Envoy extension configurations to a proxy defaults or service defaults configuration entry. Place the extension configuration in an `EnvoyExtensions` block in the configuration entry.
+
+- When you configure Envoy extensions on proxy defaults, they apply to every service.
+- When you configure Envoy extensions on service defaults, they apply to all instances of a service with that name.
+
+!> **Warning:** Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases.
+
+Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may override configurations in proxy defaults.
+
+The following example configures the default behavior for all services named `api` so that the Envoy proxies running as sidecars for those service instances target the apigee-remote-service-envoy service for gRPC authorization requests:
+
+<Tabs>
+<Tab heading="HCL" group="hcl">
+<CodeBlockConfig filename="api-auth-service-defaults.hcl">
+
+```hcl
+Kind = "service-defaults"
+Name = "api"
+EnvoyExtensions = [
+  {
+    Name = "builtin/ext-authz"
+    Arguments = {
+      ProxyType = "connect-proxy"
+      Config = {
+        GrpcService = {
+          Target = {
+            Service = {
+              Name = "apigee-remote-service-envoy"
+            }
+          }
+        }
+      }
+    }
+  }
+]
+```
+</CodeBlockConfig>
+</Tab>
+
+<Tab heading="JSON" group="json">
+<CodeBlockConfig filename="api-auth-service-defaults.json">
+
+```json
+{
+  "Kind": "service-defaults",
+  "Name": "api",
+  "EnvoyExtensions": [{
+    "Name": "builtin/ext-authz",
+    "Arguments": {
+      "ProxyType": "connect-proxy",
+      "Config": {
+        "GrpcService": {
+          "Target": {
+            "Service": {
+              "Name": "apigee-remote-service-envoy"
+              }
+            }
+          }
+        }
+      }
+    }
+  ]
+}
+```
+
+</CodeBlockConfig>
+</Tab>
+
+<Tab heading="Kubernetes" group="yaml">
+<CodeBlockConfig filename="api-auth-service-defaults.yaml">
+
+```yaml
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceDefaults
+metadata:
+  name: api
+  namespace: default
+spec:
+  envoyExtensions:
+  - name: builtin/ext-authz
+    arguments:
+      proxyType: connect-proxy
+      config:
+        grpcService:
+          target:
+            service:
+              name: apigee-remote-service-envoy
+              namespace: apigee
+```
+</CodeBlockConfig>
+</Tab>
+</Tabs>
+
+Refer to the [external authorization extension configuration reference](/consul/docs/connect/proxies/envoy-extensions/configuration/ext-authz) for details on how to configure the extension. 
+
+Refer to the [proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for details on how to define the configuration entries. 
+
+## Apply the configuration entry
+
+If your network is deployed to virtual machines, use the `consul config write` command and specify the proxy defaults or service defaults configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the `kubectl apply` command to update the relevant CRD. The following example applies the extension in a proxy defaults configuration entry.
+
+<Tabs>
+<Tab heading="HCL" group="hcl">
+
+```shell-session
+$ consul config write apigee-remote-service-envoy.hcl
+$ consul config write api-auth-service-defaults.hcl
+```
+
+</Tab>
+<Tab heading="JSON" group="json">
+
+```shell-session
+$ consul config write apigee-remote-service-envoy.json
+$ consul config write api-auth-service-defaults.json
+```
+
+</Tab>
+<Tab heading="Kubernetes" group="kubernetes">
+
+```shell-session
+$ kubectl apply -f apigee-remote-service-envoy.yaml
+$ kubectl apply -f api-auth-service-defaults.yaml
+```
+
+</Tab>
+</Tabs>
@@ -57,24 +57,26 @@ EnvoyExtensions = [
 <CodeBlockConfig filename="api-auth-service-defaults.json">
 
 ```json
-"Kind": "service-defaults",
-"Name": "api",
-"EnvoyExtensions": [{
-  "Name": "builtin/ext-authz",
-  "Arguments": {
-    "ProxyType": "connect-proxy",
-    "Config": {
-      "GrpcService": {
-        "Target": {
-          "Service": {
-            "Name": "authz"
+{
+  "Kind": "service-defaults",
+  "Name": "api",
+  "EnvoyExtensions": [{
+    "Name": "builtin/ext-authz",
+    "Arguments": {
+      "ProxyType": "connect-proxy",
+      "Config": {
+        "GrpcService": {
+          "Target": {
+            "Service": {
+              "Name": "authz"
+              }
             }
           }
         }
       }
     }
-  }
-]
+  ]
+}
 ```
 
 </CodeBlockConfig>

@@ -503,6 +503,10 @@
               {
                 "title": "Usage",
                 "routes": [
+                  {
+                    "title": "Delegate authorization to Apigee",
+                    "path": "connect/proxies/envoy-extensions/usage/apigee-ext-authz"
+                  },
                   {
                     "title": "Delegate authorization to external services",
                     "path": "connect/proxies/envoy-extensions/usage/ext-authz"