juwan/juwan-backend
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
4898aecd3b3a45d3c737bb65e1dc5776a10349e2
juwan-backend/docs
T
History
wwweww 4898aecd3b add: envoy redis
2026-02-23 15:54:33 +08:00
..
deployment-troubleshooting.md
add: envoy redis
2026-02-23 15:54:33 +08:00
gozero-redis-configuration.md
add: envoy redis
2026-02-23 15:54:33 +08:00
kubernetes-service-explanation.md
add: envoy redis
2026-02-23 15:54:33 +08:00
README.md
add: envoy redis
2026-02-23 15:54:33 +08:00
redis-sentinel-troubleshooting.md
add: envoy redis
2026-02-23 15:54:33 +08:00
redis-services-guide.md
add: envoy redis
2026-02-23 15:54:33 +08:00
redis-username-discovery.md
add: envoy redis
2026-02-23 15:54:33 +08:00

README.md

Envoy Gateway Configuration

This document explains how the Envoy gateway is configured and how to modify it.

Files

  • envoy.yaml: ConfigMap + Deployment + Service for Envoy

Current Behavior

  • Envoy listens on port 8080 in the Pod and exposes port 80 via a ClusterIP Service.
  • All HTTP traffic is routed to user-api only.
  • gRPC is not exposed by this gateway.

Routing

In envoy.yaml, routes are defined under:

static_resources -> listeners -> http_connection_manager -> route_config -> virtual_hosts

The current routing rules are:

  • All requests (prefix: "/") -> cluster: user-api

To add a new HTTP service, add a new route above the default route and define a new cluster.

Example: route /order to order-api-svc:8899

  1. Add a route match:
  • match: prefix: "/order" route: cluster: order-api
  1. Add a cluster:
  • name: order-api connect_timeout: 2s type: STRICT_DNS lb_policy: ROUND_ROBIN load_assignment: cluster_name: order-api endpoints: - lb_endpoints: - endpoint: address: socket_address: address: order-api-svc.juwan.svc.cluster.local port_value: 8899

CSRF Protection

Envoy uses a Lua filter for CSRF validation:

  • Safe methods (GET/HEAD/OPTIONS):
    • If csrf_token cookie is missing, Envoy generates one and sets it in the response.
  • Unsafe methods (POST/PUT/PATCH/DELETE, etc):
    • Requires BOTH:
      • header: X-CSRF-Token
      • cookie: csrf_token
    • Values must match, otherwise Envoy returns 403.

If you want a different cookie name or header name, update these in the Lua code:

  • Header: x-csrf-token
  • Cookie: csrf_token

To relax or tighten rules, edit the functions:

  • is_safe(method)
  • envoy_on_request(request_handle)

Cookie Attributes

Current Set-Cookie:

csrf_token=; Path=/; SameSite=Strict

To add Secure or HttpOnly, update the string in envoy_on_response.

Deployment

Apply or update:

kubectl apply -f deploy/k8s/envoy/envoy.yaml

Common Changes

  • Change listening port:
    • Update listener port_value and Service targetPort/port.
  • Change service namespace:
    • Update cluster DNS addresses (e.g. service.ns.svc.cluster.local).
  • Add more services:
    • Add route + add cluster, as shown above.
Reference in New Issue View Git Blame Copy Permalink