Add OPA Envoy ext_authz plugin and some logger converter for the logs

.gitignore

@@ -67,3 +67,9 @@ __debug_bin*
 # LLM agent configs
 AGENTS.md
 CLAUDE.md
+
+# IDE
+.idea/
+
+# goenv
+.go-version

.goreleaser.yml

@@ -5,7 +5,7 @@ project_name: topaz
 env:
   # https://goreleaser.com/customization/env/
   - REGISTRY=ghcr.io
-  - ORG=aserto-dev
+  - ORG=dynamik-software-lab
   - REPO=topaz
   - DESCRIPTION="Topaz Authorization Service"
   - LICENSE=Apache-2.0
@@ -85,6 +85,29 @@ builds:
       - -X github.com/{{ .Env.ORG }}/{{ .Env.REPO }}/pkg/version.date={{.Date}}
     mod_timestamp: "{{ .CommitTimestamp }}"
 
+  - id: topazd-envoy
+    main: ./topazd-envoy
+    binary: topazd-envoy
+    goos:
+      - darwin
+      - linux
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    env:
+      - CGO_ENABLED=0
+    ignore:
+      - goos: windows
+        goarch: arm64
+    ldflags:
+      - -s
+      - -w
+      - -X github.com/{{ .Env.ORG }}/{{ .Env.REPO }}/topazd/version.ver={{.Version}}
+      - -X github.com/{{ .Env.ORG }}/{{ .Env.REPO }}/topazd/version.commit={{.ShortCommit}}
+      - -X github.com/{{ .Env.ORG }}/{{ .Env.REPO }}/topazd/version.date={{.Date}}
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
   - id: topaz-backup
     main: ./topaz-backup
     binary: topaz-backup
@@ -115,6 +138,7 @@ archives:
     ids:
       - topaz
       - topazd
+      - topazd-envoy
       - topaz-backup
     files:
       - LICENSE
@@ -228,6 +252,46 @@ dockers_v2:
     build_args:
     flags:
 
+  - id: topaz-envoy-docker
+    dockerfile: "Dockerfile.envoy"
+
+    platforms:
+      - linux/amd64
+      - linux/arm64
+
+    ids:
+      - topaz
+      - topazd-envoy
+      - topaz-backup
+
+    images:
+      - "{{ .Env.REGISTRY }}/{{ .Env.ORG }}/{{ .Env.REPO }}-envoy"
+
+    tags:
+      - "{{ .Version }}"
+      - "{{ if not .IsSnapshot }}latest{{ end }}"
+
+    labels:
+      "org.opencontainers.image.created": "{{.Date}}"
+      "org.opencontainers.image.name": "{{.ProjectName}}-envoy"
+      "org.opencontainers.image.revision": "{{.FullCommit}}"
+      "org.opencontainers.image.version": "{{.Version}}"
+      "org.opencontainers.image.source": "https://github.com/{{ .Env.ORG }}/{{ .Env.REPO }}"
+      "org.opencontainers.image.description": "{{ .Env.DESCRIPTION }} with Envoy ext_authz support"
+      "org.opencontainers.image.licenses": "{{ .Env.LICENSE }}"
+
+    sbom: false
+
+    retry:
+      attempts: 10
+      delay: 10s
+      max_delay: 2m
+
+    extra_files:
+    annotations:
+    build_args:
+    flags:
+
 sboms:
   # https://goreleaser.com/customization/sbom/
   - id: default
@@ -244,5 +308,6 @@ sboms:
     ids:
       - topaz
       - topazd
+      - topazd-envoy
       - topaz-backup
       - topaz-db

Dockerfile.envoy

@@ -0,0 +1,33 @@
+FROM alpine
+
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+ARG BUILDPLATFORM
+
+RUN echo "BUILDPLATFORM=$BUILDPLATFORM" \
+ && echo "TARGETPLATFORM=$TARGETPLATFORM" \
+ && echo "TARGETOS=$TARGETOS" \
+ && echo "TARGETARCH=$TARGETARCH"
+
+RUN apk add --no-cache bash tzdata ca-certificates
+
+RUN mkdir /config && \
+    mkdir /certs && \
+    mkdir /db && \
+    mkdir /decisions
+
+VOLUME ["/config", "/certs", "/db", "/decisions"]
+
+WORKDIR /app
+
+COPY \
+${TARGETPLATFORM}/topaz \
+${TARGETPLATFORM}/topazd-envoy \
+${TARGETPLATFORM}/topaz-backup \
+/app/
+
+EXPOSE 8282 8383 9191 9292 9393
+
+ENTRYPOINT ["./topazd-envoy"]
+CMD ["run", "-c", "/config/config.yaml"]

go.mod

@@ -24,6 +24,7 @@ require (
 	github.com/aserto-dev/self-decision-logger v0.0.12
 	github.com/authzen/access.go v1.0.1
 	github.com/cli/browser v1.3.0
+	github.com/dagdynamik/topaz-opa-envoy-log-plugin v0.2.0
 	github.com/docker/docker v28.5.2+incompatible
 	github.com/docker/go-connections v0.6.0
 	github.com/fatih/color v1.18.0
@@ -46,6 +47,7 @@ require (
 	github.com/moby/term v0.5.2
 	github.com/olekukonko/tablewriter v1.1.3
 	github.com/open-policy-agent/opa v1.14.0
+	github.com/open-policy-agent/opa-envoy-plugin v1.14.0-envoy
 	github.com/opencontainers/image-spec v1.1.1
 	github.com/panmari/cuckoofilter v1.0.6
 	github.com/pkg/errors v0.9.1
@@ -82,6 +84,7 @@ require (
 	github.com/clipperhouse/displaywidth v0.6.2 // indirect
 	github.com/clipperhouse/stringish v0.1.1 // indirect
 	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
+	github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
 	github.com/containerd/containerd/v2 v2.2.1 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
@@ -96,6 +99,8 @@ require (
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.9.1 // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.37.0 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/gdamore/encoding v1.0.1 // indirect
@@ -108,6 +113,7 @@ require (
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/gonvenience/bunt v1.4.3 // indirect
 	github.com/gonvenience/idem v0.0.2 // indirect
 	github.com/gonvenience/neat v1.3.17 // indirect
@@ -202,7 +208,9 @@ require (
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 // indirect
+	go.opentelemetry.io/contrib/propagators/b3 v1.40.0 // indirect
 	go.opentelemetry.io/otel v1.40.0 // indirect
 	go.opentelemetry.io/otel/metric v1.40.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.40.0 // indirect

go.sum

@@ -84,6 +84,8 @@ github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEX
 github.com/clipperhouse/uax29/v2 v2.3.0 h1:SNdx9DVUqMoBuBoW3iLOj4FQv3dN5mDtuqwuhIGpJy4=
 github.com/clipperhouse/uax29/v2 v2.3.0/go.mod h1:Wn1g7MK6OoeDT0vL+Q0SQLDz/KpfsVRgg6W7ihQeh4g=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w=
+github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=
 github.com/containerd/containerd/v2 v2.2.1 h1:TpyxcY4AL5A+07dxETevunVS5zxqzuq7ZqJXknM11yk=
 github.com/containerd/containerd/v2 v2.2.1/go.mod h1:NR70yW1iDxe84F2iFWbR9xfAN0N2F0NcjTi1OVth4nU=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
@@ -102,6 +104,8 @@ github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHf
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/dagdynamik/topaz-opa-envoy-log-plugin v0.2.0 h1:ovuu8D3x9WPpxLByguLDVTvfBdICT2zND1h91kN4Gio=
+github.com/dagdynamik/topaz-opa-envoy-log-plugin v0.2.0/go.mod h1:XglfyESWYtwXAsdC3PrGylxIQ0Jg9aGoh/+r8jm4N2k=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -134,7 +138,11 @@ github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/go-control-plane/envoy v1.37.0 h1:u3riX6BoYRfF4Dr7dwSOroNfdSbEPe9Yyl09/B6wBrQ=
+github.com/envoyproxy/go-control-plane/envoy v1.37.0/go.mod h1:DReE9MMrmecPy+YvQOAOHNYMALuowAnbjjEMkkWOi6A=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4=
+github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -385,6 +393,8 @@ github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28=
 github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg=
 github.com/open-policy-agent/opa v1.14.0 h1:sdG94h9GrZQQcTaH70fJhOuU+/C2FAeeAo8mSPssV/U=
 github.com/open-policy-agent/opa v1.14.0/go.mod h1:e+JSg7BVV9/vRcD5HYTUeyKIrvigPxYX6T1KcVUaHaM=
+github.com/open-policy-agent/opa-envoy-plugin v1.14.0-envoy h1:RN35n0PVD9xvM5BIwuxFfnO7DfDvTjyFxGQAgCN8KQQ=
+github.com/open-policy-agent/opa-envoy-plugin v1.14.0-envoy/go.mod h1:++NgaPFESeZuDMHmysHE1bGM5Q8wnrhiGoLwwQIEgHU=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
@@ -516,8 +526,12 @@ go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
 go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0 h1:XmiuHzgJt067+a6kwyAzkhXooYVv3/TOw9cM2VfJgUM=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0/go.mod h1:KDgtbWKTQs4bM+VPUr6WlL9m/WXcmkCcBlIzqxPGzmI=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=
+go.opentelemetry.io/contrib/propagators/b3 v1.40.0 h1:xariChe8OOVF3rNlfzGFgQc61npQmXhzZj/i82mxMfg=
+go.opentelemetry.io/contrib/propagators/b3 v1.40.0/go.mod h1:72WvbdxbOfXaELEQfonFfOL6osvcVjI7uJEE8C2nkrs=
 go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
 go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 h1:QKdN8ly8zEMrByybbQgv8cWBcdAarwmIPZ6FThrWXJs=

makefile

@@ -1,4 +1,5 @@
 SHELL              := $(shell which bash)
+export PATH        := $(HOME)/.goenv/shims:$(PATH)
 
 NO_COLOR           := \033[0m
 OK_COLOR           := \033[32;01m

topazd-envoy/main.go

@@ -0,0 +1,59 @@
+package main
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/aserto-dev/topaz/topazd/version"
+	"github.com/aserto-dev/topaz/topazd/x"
+	"github.com/spf13/cobra"
+)
+
+var rootCmd = &cobra.Command{
+	Use:           "topazd-envoy [flags]",
+	SilenceErrors: true,
+	SilenceUsage:  true,
+}
+
+var versionCmd = &cobra.Command{
+	Use:   "version",
+	Short: "Print version and exit",
+	Run: func(cmd *cobra.Command, args []string) {
+		fmt.Printf("%s %s (envoy)\n", x.AppName, version.GetInfo().String())
+	},
+}
+
+func main() {
+	cmdRun.Flags().StringVarP(
+		&flagRunConfigFile,
+		"config-file", "c", "",
+		"set path of configuration file")
+	cmdRun.Flags().StringSliceVarP(
+		&flagRunBundleFiles,
+		"bundle", "b", []string{},
+		"load paths as bundle files or root directories (can be specified more than once)")
+	cmdRun.Flags().BoolVarP(
+		&flagRunWatchLocalBundles,
+		"watch", "w", false,
+		"if set, local changes to bundle paths trigger a reload")
+	cmdRun.Flags().StringSliceVarP(
+		&flagRunIgnorePaths,
+		"ignore", "", []string{},
+		"set file and directory names to ignore during loading local bundles (e.g., '.*' excludes hidden files)")
+	cmdRun.Flags().BoolVarP(
+		&flagRunDebug,
+		"debug", "", false,
+		"start debug service")
+
+	rootCmd.AddCommand(cmdRun)
+
+	_ = cmdRun.MarkFlagRequired("config-file")
+
+	rootCmd.AddCommand(
+		versionCmd,
+	)
+
+	if err := rootCmd.Execute(); err != nil {
+		log.Fatal(err.Error())
+	}
+}