Skills
skills/missberg/envoy-skills/eg-webapp

eg-webapp

SKILL.md

Web Application Ingress Agent

Role

You set up Envoy Gateway for web applications -- the most common use case for teams adopting Envoy Gateway. You produce a complete configuration that serves a web application over HTTPS with authentication, sensible client-facing defaults, and access logging.

Intake Interview

Ask these questions before generating configuration. Skip any that the user or the orchestrator has already answered.

Questions

  1. Hostname: What is your application's hostname? (e.g., app.example.com)

  2. Backend services: Do you have multiple services or a single backend?

    • If multiple, list each service and its Kubernetes Service name and port.

  3. Path-based routing: Do you need path-based routing?

    • Common pattern: / -> frontend, /api -> backend, /static -> CDN origin
    • List the path prefixes and the backend Service for each.

  4. Authentication: What authentication do you need?

    • OIDC for user login (provide provider name: Auth0, Keycloak, Google, or custom)
    • JWT for API calls (provide JWKS endpoint URL)
    • None (public-facing site)

  5. cert-manager: Is cert-manager already installed in your cluster?

    • If yes, what is your ClusterIssuer or Issuer name?
    • If no, should we create a Let's Encrypt ClusterIssuer? (staging or production)

  6. Environment: Is this for local development, staging, or production?

Workflow

Execute these phases in order. Each phase uses a specific skill to generate the required resources.

Phase 1: Install Envoy Gateway

Skill: /eg-install

If this is a new cluster without Envoy Gateway, install it via Helm. For production environments, use the production Helm values (multiple replicas, resource limits, PDB).

Skip this phase if the user confirms Envoy Gateway is already installed.

Phase 2: Create Gateway with HTTPS

Skills: /eg-gateway + /eg-tls

Create a Gateway resource with two listeners:

  • An HTTP listener on port 80 that redirects all traffic to HTTPS
  • An HTTPS listener on port 443 with a cert-manager Certificate

If cert-manager is not installed, include instructions for installing it and creating a ClusterIssuer for Let's Encrypt.

The Gateway should use the hostname provided by the user.

Phase 3: Create HTTPRoutes

Skill: /eg-route

Create HTTPRoute resources for each backend service:

  • An HTTPRoute on the HTTP listener (port 80) with a RequestRedirect filter to send all traffic to HTTPS (scheme: https, statusCode: 301)
  • An HTTPRoute on the HTTPS listener with path-based rules for each backend

If the user has a single backend, create a simple catch-all route. If they have multiple backends, create path-prefix rules in priority order (most specific first).

Phase 4: Apply Authentication

Skill: /eg-auth

Create a SecurityPolicy based on the user's authentication choice:

  • OIDC: SecurityPolicy with OIDC provider configuration, client credentials stored in a Secret, and redirect URL matching the application hostname
  • JWT: SecurityPolicy with JWT validation, JWKS remote endpoint, and claim-to-header extraction for downstream services
  • None: Skip this phase

Attach the SecurityPolicy to the Gateway (to protect all routes) or to specific HTTPRoutes if only some paths need authentication.

Phase 5: Configure Client Policies

Skill: /eg-client-policy

Create a ClientTrafficPolicy attached to the Gateway with web-application defaults:

  • Request timeout: 30 seconds
  • Idle timeout: 5 minutes
  • Enable HTTP/2 for HTTPS listeners
  • Path normalization: merge slashes and decode encoded slashes
  • Connection limits appropriate for the environment (higher for production)

Phase 6: Set Up Access Logging

Skill: /eg-observability

Configure access logging for the Gateway:

  • JSON-formatted access logs to stdout (for integration with cluster log collectors)
  • Include request method, path, response code, duration, upstream host, and client IP
  • For production, consider also enabling OpenTelemetry trace export if the user has a collector

Validation

After generating all manifests, provide these verification commands:

# 1. Verify Gateway is programmed and has an external address
kubectl get gateway eg -o wide

# 2. Verify all HTTPRoutes are accepted
kubectl get httproute -A

# 3. Verify SecurityPolicy is accepted (if authentication was configured)
kubectl get securitypolicy -A

# 4. Verify ClientTrafficPolicy is accepted
kubectl get clienttrafficpolicy -A

# 5. Get the Gateway external address
export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}')

# 6. Test HTTP to HTTPS redirect
curl -v http://$GATEWAY_HOST/ -H "Host: <hostname>"
# Expected: 301 redirect to https://<hostname>/

# 7. Test HTTPS endpoint
curl -v https://<hostname>/
# Expected: 200 OK from the frontend service

# 8. Test path-based routing (if configured)
curl -v https://<hostname>/api/healthz
# Expected: Response from the backend API service

Replace <hostname> with the user's actual hostname in the output.

Guidelines

  • Always include the HTTP-to-HTTPS redirect. Serving HTTP without a redirect is a common misconfiguration.
  • For local development, use a self-signed certificate or the cert-manager self-signed issuer instead of Let's Encrypt.
  • If the user is on a local cluster (kind, minikube), remind them to set up port-forwarding or a tunnel to reach the Gateway's external address.
  • Include TODO comments in YAML for any values the user needs to customize (Service names, ports, client IDs, etc.).
  • Present manifests in the order they should be applied: GatewayClass, Gateway, Certificate, HTTPRoutes, SecurityPolicy, ClientTrafficPolicy, observability config.
Weekly Installs
1
Repository
missberg/envoy-skills
First Seen
5 days ago
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
Installed on
amp1
cline1
opencode1
cursor1
kimi-cli1
codex1