juwan/juwan-backend
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
4898aecd3b3a45d3c737bb65e1dc5776a10349e2
juwan-backend/docs/README.md
T
wwweww 4898aecd3b add: envoy redis
2026-02-23 15:54:33 +08:00

96 lines
2.3 KiB
Markdown
Raw Blame History

# Envoy Gateway Configuration
This document explains how the Envoy gateway is configured and how to modify it.
## Files
- envoy.yaml: ConfigMap + Deployment + Service for Envoy
## Current Behavior
- Envoy listens on port 8080 in the Pod and exposes port 80 via a ClusterIP Service.
- All HTTP traffic is routed to user-api only.
- gRPC is not exposed by this gateway.
## Routing
In envoy.yaml, routes are defined under:
static_resources -> listeners -> http_connection_manager -> route_config -> virtual_hosts
The current routing rules are:
- All requests (prefix: "/") -> cluster: user-api
To add a new HTTP service, add a new route above the default route and define a new cluster.
Example: route /order to order-api-svc:8899
1) Add a route match:
- match:
prefix: "/order"
route:
cluster: order-api
2) Add a cluster:
- name: order-api
connect_timeout: 2s
type: STRICT_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: order-api
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: order-api-svc.juwan.svc.cluster.local
port_value: 8899
## CSRF Protection
Envoy uses a Lua filter for CSRF validation:
- Safe methods (GET/HEAD/OPTIONS):
- If csrf_token cookie is missing, Envoy generates one and sets it in the response.
- Unsafe methods (POST/PUT/PATCH/DELETE, etc):
- Requires BOTH:
- header: X-CSRF-Token
- cookie: csrf_token
- Values must match, otherwise Envoy returns 403.
If you want a different cookie name or header name, update these in the Lua code:
- Header: x-csrf-token
- Cookie: csrf_token
To relax or tighten rules, edit the functions:
- is_safe(method)
- envoy_on_request(request_handle)
## Cookie Attributes
Current Set-Cookie:
csrf_token=<value>; Path=/; SameSite=Strict
To add Secure or HttpOnly, update the string in envoy_on_response.
## Deployment
Apply or update:
kubectl apply -f deploy/k8s/envoy/envoy.yaml
## Common Changes
- Change listening port:
- Update listener port_value and Service targetPort/port.
- Change service namespace:
- Update cluster DNS addresses (e.g. service.ns.svc.cluster.local).
- Add more services:
- Add route + add cluster, as shown above.
Reference in New Issue View Git Blame Copy Permalink