zetaloop 5348966633 fix: adjust chat WS/WT dev integration
WT currently reuses JToken's JWT validation; revocation consistency is left to the later design of a dedicated WT gateway.
2026-04-25 06:54:00 +08:00

Envoy Gateway Configuration

This document explains how the Envoy unified ingress gateway is configured and how to modify it.

Files

  • deploy/k8s/envoy/envoy.yaml: ConfigMap + Deployment + Service for Envoy

Current Behavior

  • Envoy listens on port 8080 in the Pod and exposes port 80 via a ClusterIP Service.
  • Requests to /api/users are routed to user-api-svc:8888.
  • Requests to /api/email are routed to email-api-svc:8888.
  • /healthz returns 200 ok directly from the gateway.
  • Unknown routes return 404 from the gateway.

Routing

In envoy.yaml, routes are defined under:

static_resources -> listeners -> http_connection_manager -> route_config -> virtual_hosts

The current routing rules are:

  • prefix: /api/users -> cluster: user_api_cluster
  • prefix: /api/email -> cluster: email_api_cluster
  • path: /healthz -> direct response 200
  • prefix: / -> direct response 404

To add a new HTTP service, add a new route above the default route and define a new cluster.

Example: route /api/order to order-api-svc:8899

  1. Add a route match:

     - match:
         prefix: "/api/order"
       route:
         cluster: order_api_cluster

  2. Add a cluster:

     - name: order_api_cluster
       connect_timeout: 2s
       type: STRICT_DNS
       lb_policy: ROUND_ROBIN
       load_assignment:
         cluster_name: order_api_cluster
         endpoints:
           - lb_endpoints:
               - endpoint:
                   address:
                     socket_address:
                       address: order-api-svc.juwan.svc.cluster.local
                       port_value: 8899

Envoy uses a Lua filter for double-cookie CSRF validation:

  • Safe methods (GET/HEAD/OPTIONS):
    • If the CSRF cookies are missing, Envoy auto-issues two cookies:
      • csrf_token
      • csrf_guard
  • Unsafe methods (POST/PUT/PATCH/DELETE, etc.):
    • Requires BOTH headers:
      • X-CSRF-Token
      • X-CSRF-Guard
    • Requires BOTH cookies:
      • csrf_token
      • csrf_guard
    • Header values must exactly match cookie values, otherwise Envoy returns 403.

If you want different cookie or header names, update these constants in Lua:

  • TOKEN_COOKIE
  • GUARD_COOKIE
  • TOKEN_HEADER
  • GUARD_HEADER

To relax or tighten rules, edit the functions:

  • is_safe(method)
  • envoy_on_request(request_handle)

Current Set-Cookie:

  • csrf_token=<value>; Path=/; SameSite=Strict
  • csrf_guard=<value>; Path=/; SameSite=Strict
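
The unsafe-method rules above, written out as an added example of an Envoy Lua filter; this is not the filter shipped in deploy/k8s/envoy/envoy.yaml. The constant names and the is_safe / envoy_on_request functions are the ones this document lists, while parse_cookies and present are hypothetical helpers, and treating an empty value as missing is an assumption.

```lua
-- Added example, not the project's own filter code.
local TOKEN_COOKIE = "csrf_token"
local GUARD_COOKIE = "csrf_guard"
local TOKEN_HEADER = "x-csrf-token"  -- lower-case: Envoy normalizes header names
local GUARD_HEADER = "x-csrf-guard"

local SAFE = { GET = true, HEAD = true, OPTIONS = true }

local function is_safe(method)
  return SAFE[method] == true
end

-- Hypothetical helper: split a Cookie header ("a=1; b=2") into name -> value.
local function parse_cookies(header)
  local jar = {}
  for name, value in string.gmatch(header or "", "([^=;%s]+)=([^;]*)") do
    -- Keep the first occurrence if a name repeats, so the result is deterministic.
    if jar[name] == nil then jar[name] = value end
  end
  return jar
end

-- Hypothetical helper. Assumption: an empty value counts as missing.
local function present(v)
  return v ~= nil and v ~= ""
end

function envoy_on_request(request_handle)
  local headers = request_handle:headers()
  if is_safe(headers:get(":method")) then
    return  -- safe methods pass; cookie issuance is not shown in this example
  end

  local jar = parse_cookies(headers:get("cookie"))
  local token_h, token_c = headers:get(TOKEN_HEADER), jar[TOKEN_COOKIE]
  local guard_h, guard_c = headers:get(GUARD_HEADER), jar[GUARD_COOKIE]

  -- Both headers and both cookies must be present and pairwise identical.
  local ok = present(token_h) and present(token_c) and token_h == token_c
         and present(guard_h) and present(guard_c) and guard_h == guard_c
  if not ok then
    request_handle:respond({ [":status"] = "403" }, "csrf validation failed")
  end
end
```
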

Deployment

Apply or update:

kubectl apply -f deploy/k8s/envoy/envoy.yaml

Common Changes

  • Change listening port:
    • Update listener port_value and Service targetPort/port.
  • Change service namespace:
    • Update cluster DNS addresses (e.g. service.ns.svc.cluster.local).
  • Add more services:
    • Add route + add cluster, as shown above.
  • Update CSRF policy:
    • Edit Lua validation logic in envoy.filters.http.lua.