Envoy gateway

• Website
• Docs

Installation

• Install with Helm

Configuration

• Access log

Features

SecurityPolicies

• Warning: If a SecurityPolicy contains a HTTPRoute targetRef which doesn't exist, the policy is still accepted but will not apply without warning.
• How to combine IP Allowlist and Basic Authentication?
  • "Envoy Gateway delegates auth to Envoy filters: Basic Auth and IP allowlisting (via RBAC) are separate. You can get an AND by applying both (e.g., a SecurityPolicy that includes Basic Auth plus IP-based authorization). A true OR (“allow if IP is allowed OR creds are valid”) isn’t supported today without custom ext_authz logic."
• Bypass http basic auth for some ip addresses

proxyProtocol

• Envoy issue: Support downstream and upstream Proxy Protocol
• GEP-1911: Backend Protocol Selection
• gateway-api FR: Support Proxy Protocol
• Upstream: Use Service appProtocol
  • K8s Service docs: Application protocol
• Downstream: Docs: Client Traffic Policy: Enable Proxy Protocol for downstream client

Troubleshooting

• Docs: Troubleshooting

Open admin console in Browser (not so useful):

egctl -n envoy x dashboard eg

Show status of all envoy resources:

egctl x status all -qA
egctl x status all -qA | grep -Ev '(True|^$|^NAME)'

Show Envoy proxy structured access logs:

kubectl -n envoy logs -l app.kubernetes.io/name=envoy -c envoy -f | grep start_time | jq

500/503 direct_response

When setting up httpRoutes some return

"response_code": 500,
"response_code_details": "direct_response",

• Restarting the pod helped in some situations

404 / no route match for URL '/'

... ?