wwweww
109 lines
2.9 KiB
Markdown
109 lines
2.9 KiB
Markdown
# Envoy Gateway Configuration
|
|
|
|
This document explains how the Envoy unified ingress gateway is configured and how to modify it.
|
|
|
|
## Files
|
|
|
|
- deploy/k8s/envoy/envoy.yaml: ConfigMap + Deployment + Service for Envoy
|
|
|
|
## Current Behavior
|
|
|
|
- Envoy listens on port 8080 in the Pod and exposes port 80 via a ClusterIP Service.
|
|
- Route `/api/users` to `user-api-svc:8888`.
|
|
- Route `/api/email` to `email-api-svc:8888`.
|
|
- Route `/healthz` returns `200 ok` directly from gateway.
|
|
- Unknown routes return `404` from gateway.
|
|
|
|
## Routing
|
|
|
|
In envoy.yaml, routes are defined under:
|
|
|
|
static_resources -> listeners -> http_connection_manager -> route_config -> virtual_hosts
|
|
|
|
The current routing rules are:
|
|
|
|
- `prefix: /api/users` -> `cluster: user_api_cluster`
|
|
- `prefix: /api/email` -> `cluster: email_api_cluster`
|
|
- `path: /healthz` -> direct response `200`
|
|
- `prefix: /` -> direct response `404`
|
|
|
|
To add a new HTTP service, add a new route above the default route and define a new cluster.
|
|
|
|
Example: route `/api/order` to `order-api-svc:8899`
|
|
|
|
1) Add a route match:
|
|
|
|
- match:
|
|
prefix: "/api/order"
|
|
route:
|
|
cluster: order_api_cluster
|
|
|
|
1) Add a cluster:
|
|
|
|
- name: order_api_cluster
|
|
connect_timeout: 2s
|
|
type: STRICT_DNS
|
|
lb_policy: ROUND_ROBIN
|
|
load_assignment:
|
|
cluster_name: order_api_cluster
|
|
endpoints:
|
|
- lb_endpoints:
|
|
- endpoint:
|
|
address:
|
|
socket_address:
|
|
address: order-api-svc.juwan.svc.cluster.local
|
|
port_value: 8899
|
|
|
|
## CSRF Protection (Double Cookie)
|
|
|
|
Envoy uses a Lua filter for double-cookie CSRF validation:
|
|
|
|
- Safe methods (GET/HEAD/OPTIONS):
|
|
- If missing, Envoy auto-issues two cookies:
|
|
- `csrf_token`
|
|
- `csrf_guard`
|
|
- Unsafe methods (POST/PUT/PATCH/DELETE, etc):
|
|
- Requires BOTH headers:
|
|
- `X-CSRF-Token`
|
|
- `X-CSRF-Guard`
|
|
- Requires BOTH cookies:
|
|
- `csrf_token`
|
|
- `csrf_guard`
|
|
- Header values must exactly match cookie values, otherwise Envoy returns `403`.
|
|
|
|
If you want different cookie or header names, update these constants in Lua:
|
|
|
|
- `TOKEN_COOKIE`
|
|
- `GUARD_COOKIE`
|
|
- `TOKEN_HEADER`
|
|
- `GUARD_HEADER`
|
|
|
|
To relax or tighten rules, edit the functions:
|
|
|
|
- is_safe(method)
|
|
- envoy_on_request(request_handle)
|
|
|
|
## Cookie Attributes
|
|
|
|
Current Set-Cookie:
|
|
|
|
- `csrf_token=<value>; Path=/; SameSite=Strict`
|
|
- `csrf_guard=<value>; Path=/; SameSite=Strict`
|
|
|
|
## Deployment
|
|
|
|
Apply or update:
|
|
|
|
kubectl apply -f deploy/k8s/envoy/envoy.yaml
|
|
|
|
## Common Changes
|
|
|
|
- Change listening port:
|
|
- Update listener port_value and Service targetPort/port.
|
|
- Change service namespace:
|
|
- Update cluster DNS addresses (e.g. `service.ns.svc.cluster.local`).
|
|
- Add more services:
|
|
- Add route + add cluster, as shown above.
|
|
- Update CSRF policy:
|
|
- Edit Lua validation logic in `envoy.filters.http.lua`.
|