CR EnvoyHTTPFilter

The Envoy proxy is the basis for the Microgateway Engine. It has been enriched with Airlock-specific features which can be configured with the corresponding CRs. If a feature available as a native Envoy filter is missing in these CRs, the CR EnvoyHTTPFilter can be used to prepend such a native Envoy filter. The CR EnvoyCluster allows configuring additional clusters if a native Envoy filter relies on it. For the CRs EnvoyHTTPFilter and EnvoyCluster, the Envoy configuration language must be used.

  • When do I have to configure an EnvoyCluster?
  • Envoy filters that connect to an upstream service require configuring the corresponding cluster with CR EnvoyCluster.
  • Envoy filters that do their work without an external cluster do not need an EnvoyCluster configured.

Example configuration

The CR EnvoyHTTPFilter allows configuring additional native Envoy filters of kind httpFilters with their full functionality.

  • The following example shows a simple CustomResource EnvoyHTTPFilter which configures the following:
  • The httpFilter ext_authz communicates with the cluster ext-authz.
kind: EnvoyHTTPFilter 
  name: ext-filter-1 
    name: envoy.filters.http.ext_authz  
        path_prefix: "/auth/login"  
          uri: http://opa.service.internal:8099  
          cluster: ext-authz  
          timeout: 0.25s 

The native Envoy filter and cluster are defined in the value section in raw types. The Microgateway Operator validates only the YAML syntax and if the input can be unmarshalled to the corresponding proto type.

Consult the Envoy documentation Envoy HTTP filters for further information.

It is highly recommended to use the CRs EnvoyHTTPFilter and EnvoyClusters only if the feature is unavailable in our other CRs. In such cases, please create a support case and let us know the use case and which feature you are missing in our CRs.

See also the API Reference documentation link at the end of this article.

Reference in CR SidecarGateway

To apply a certain EnvoyHTTPFilter CR for a specific Microgateway Engine, it must be referenced in the corresponding SidecarGateway. The following example references two EnvoyHTTPFilters.

kind: SidecarGateway
  name: my-sidecar-gateway
    - containerPort: 8090
          - name: ext-filter-1
          - name: ext-filter-2 

The custom Envoy filters defined in envoyHTTPFilterRefs.prepend are applied before the Microgateway Engine filters in the order they appear in the SidecarGateway.

Referencing multiple CustomResources can be useful when integrating shared services like an external authorization service by reusing service integration configurations from different SidecarGateways.

See also the API Reference documentation link at the end of this article.