• For each endpoint with CORS we should have method OPTIONS (if not already specified in OpenAPI) that allows to get CORS headers.
• Envoy configuration makes CORS policy applicable per vhost and per route as well, we should make clear distinction when to use what - right now we configure everything per route.

Add rewrites of path to backed. Note that trip_prefix option is does this currently too.

I.e. if service: disabled is not present the parser it would panic.
There are a few other places it might get broken too.

OpenAPI is not feature complete and using its definition it won't be possible to host the site with API AND front.
I.e. static route to index.html should exist, e.g.:

path:
  '/': 
   backend: front.namespace:80

Define how should we supply it - either with OpenAPI CRD or separately.

We can run the operator locally with make run, but we need to disable websockets, because CRDs are installed with them and API server can't reach the local development server.

Or make them work via routing the traffic from the API server to local running operator somehow (probably more complicated).

It could make sense to incorporate some level of protection into kusk-gateway, i.e. something like this.

Other security features could be: SYN flood protection, max payload size, countermeasures for slowloris attack, etc.
This would make kusk-gateway more appealing for hosting production workloads.

STR:

1. Have a fresh cluster
2. make run
3. kubectl apply -f examples/httpbin && kubectl rollout status -w deployment/httpbin
4. Check that Envoy has received the updated configuration
5. kubectl delete -f examples/httpbin/
6. Check that Envoy is now receiving malformed configuration

Create a prototype where request is validated against the spec.
See https://github.com/olensmar/openapi-sidecar as a reference.

We have a MIT license, but boilerplate.txt contains Apache license by default. Also we've already pushed some files with that boilerplate and they need to be changed manually.

Add support for local RateLimiting (without e.g. Redis)

For an internal MVP, we've agreed to have a static Envoy Fleet deployment fetching settings from xDS API server.
This task's scope includes:

• Envoy Fleet deployment
• static configuration for it to fetch settings from xDS API server
• Makefile adjustments to easily deploy and iterate over it

We need automation for releasing new versions of kusk-gateway's docker image

The basic version should be building and pushing a tagged docker image to a public docker repo

It is better to switch to cobra CLI framework in order to run "local" mode separately instead of relying on "--in" key in parameters.

Introduce a new CRD for configuring TLS.

Based on the context and TLS workflows, people will be creating the certificates secrets manually and at the same time LetsEncrypt (CertManager) certificates will be updated dynamically, so we need to send to Envoy information on new certs when this happens.

Since TLS is mapped to the Listener config and EnvoyFleet doesn't manage listener config, but EnvoyConfigManager does when Envoy is ready, we need to send this as part of Envoy application configuration - not as part of Fleet configuration.

Fields for CRD

• Secret ref containing certs
• Cipher suites order string (users will likely exclude or include ciphes depending on their usecases.)

https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto has some of those,

I think for the first iteration we need only the secret ref and ciphers order (which again has a sane default - we can make it optional for the user, but allow to configure).

Then manager has to pull this on startup/creation and update and send this to Envoy with listener configuration.

The Envoy config manager sends the whole configuration in one go (we don't do delta configuration currently), it must be a part of main configuration routine in https://github.com/kubeshop/kusk-gateway/blob/main/controllers/config_manager.go#L56

Add x-kusk CORS configuration

Once #45 is done we need to think how do we actually perform an EnvoyFleet deployment in cluster.
I've found a rather simple example of that in redis-operator.

While top level x-kusk validation is called, it is skipped for suboptions creating the situation when incorrect values can be submitted.

/pet/{petID} must be handled during route modification, right now only strict /pet/ is done.

example api crd should look like this:

apiVersion: gateway.kusk.io/v1
kind: API
metadata:
  name: httpbin-sample
spec:
  # service name and port should be specified inside x-kusk annotation
  fleet: default
  
  spec: |
    swagger: '2.0'
    info:
      title: httpbin.org
      description: API Management facade for a very handy and free online HTTP tool.
      version: '1.0'
    host: httpbin.org
    schemes:
    - http
    - https
    x-kusk:
      hosts:
        - example.com // vhost is created dynamically, but you can override TLS and other settings in EnvoyFleet per-host if you want to
      
      disabled:
      
      mock:
      
      validation:
      
      redirect: // redirect and upstream nodes are mutually exclusive
      
      upstream: // service upstream is k8s-native, host is a generic one, they are mutually exclusive
        service:
          namespace: default
          name: petstore
          port: 8080
        host:
          hostname: example.com
          port: 8080
          
      qos:
        retries:
        timeouts:
        rate_limits:
        
      cors:
      
      path:
        rewrite:
        // remove trim_prefix, superseded by rewrite
        prefix: /env3/api // renamed from base

We should allow user to specify upstream (backend?) in a few ways:

1. Native Kubernetes Service Name, Namespace and port, i.e.:

backend:
  service:
    name: petstore
    namespace: default
    port: http

2. Fully customizable host, something like:

backend:
  host: somehost.com:80

The first one would be so much easier and more user-friendly for those that route their traffic to the services inside their clusters (most of the cases) and the latter would allow for custom use cases like a different cluster, non-k8s workloads and etc.

When setting routes we use naive implementation of regex as [A-z0-9]+ for route with parameters (/pet/{id}). This creates conflicts for existing routes (e.g. /pet/findByStatus) since is occasionally caught by /pet/{id} route when it has CORS but /pet/findByStatus doesn't. We need to make sure that regex covers the type that is set in the parameters in OpenAPI.

Add x-kusk trim path configuration

Currently it's done via port-forwarding. Perhaps we can use k3d's node port forwarding: https://k3d.io/usage/guides/exposing_services/

This is intended for local development / demo purposes only.

As per https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/route_matching

When Envoy matches a route, it uses the following procedure:
The HTTP request’s host or :authority header is matched to a virtual host.

Each route entry in the virtual host is checked, in order. If there is a match, the route is used and no further route checks are made.

Independently, each virtual cluster in the virtual host is checked, in order. If there is a match, the virtual cluster is used and no further virtual cluster checks are made.

That means if route with path prefix matching was early in the list of routes for vhost, it will win all routes, even if they're more specific (exact path or regex). We need to ensure that routes in vhost are sorted by:

1. Exact path first
2. Longest regex path first
3. Longest prefix path first
   This must ensure that prefix path / will not match any other routes.

Implement the way to mock paths with predefined responses as POC.
E.g. using x-kusk construct:

x-kusk:
  mock:
    response: "{ blablabla: true }"

Add x-kusk Timeouts configuration

Have a package that would using an envoy configuration manager create an envoy configuration from OpenAPI spec (without any extensions for now).

Provide basic CRD schema and validation with kubebuilder.

We should change our APIs to v1alpha1 before the general release so that we'd be able to update them later without breaking a compatibility promise (which is implicit if we settle on v1 API).

We need to have the definitions of x-kusk extension objects suitable for kusk-gateway to improve user experience. The outcome of this task has to be schema file.