
• You can use kind to spin up the Kubernetes cluster: https://kind.sigs.k8s.io/
• Use helm charts to deploy apps (contour, envoy, Kubernetes-dashboard, exemplar, etc.) on the
Kubernetes cluster. You can find it here: https://helm.sh/
• You can find the contour helm chart here: https://artifacthub.io/packages/helm/bitnami/contour
• You can find the Kubernetes-dashboard helm chart here:
https://artifacthub.io/packages/helm/k8s-dashboard/kubernetes-dashboard
• You can find the envoy helm chart here: https://artifacthub.io/packages/helm/slamdev/envoy

The Envoy proxy in green should act as a proxy forwarder to the chained Envoy proxy (red). See the Envoy
HTTP filters ( https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/http_filters ).

Implement logic on Envoy to perform a null check on an incoming request header. Example: if the header
x-trace-id is null or "", fail the API call and return a 400 Bad Request to the client. If
x-trace-id="abcd", forward the call to the dummy backend.
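
One way to implement this check, as an added example that is not part of the original document: a static Envoy configuration that uses the Lua HTTP filter ahead of the router. The listener port, the cluster name dummy_backend and the backend address httpbin:80 are assumptions.

```yaml
# Added example, not from the original document. The listener port, the cluster
# name dummy_backend and the backend address httpbin:80 are assumptions.
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            virtual_hosts:
            - name: all
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: dummy_backend }
          http_filters:
          - name: envoy.filters.http.lua
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
              default_source_code:  # older Envoy releases use the deprecated inline_code field
                inline_string: |
                  function envoy_on_request(request_handle)
                    local trace_id = request_handle:headers():get("x-trace-id")
                    -- Header absent (nil) or present but empty: fail closed with 400.
                    if trace_id == nil or trace_id == "" then
                      request_handle:respond(
                        {[":status"] = "400", ["content-type"] = "text/plain"},
                        "x-trace-id header is required\n")
                    end
                    -- Any non-empty value (e.g. "abcd") continues to the router filter.
                  end
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: dummy_backend
    type: STRICT_DNS
    load_assignment:
      cluster_name: dummy_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: httpbin, port_value: 80 }
```

This is a static bootstrap for a standalone Envoy; an Envoy managed by Contour receives its listeners over xDS instead.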

This document may help you quickly set up a local Contour development environment. (I have gathered
the info but never tried this setup.)
Initial Setup

First of all, install Kind https://kind.sigs.k8s.io/docs/user/quick-start/#installation

Clone the Contour source code from https://github.com/projectcontour/contour

The most helpful quick start instruction is in CONTRIBUTING.md

https://github.com/projectcontour/contour/blob/main/CONTRIBUTING.md#building-from-source

The fastest way to spin up a complete Contour on a Kind cluster with the local code is through the command

make install-contour-working

We need to make sure the current namespace is projectcontour:

kubectl config set-context --current --namespace=projectcontour

Adding test application

The next step is to add a test application that sits behind Envoy. To do this, we are going
to use the httpbin application from the Contour Getting Started documentation:
https://projectcontour.io/getting-started/.

kubectl apply -f https://projectcontour.io/examples/httpbin.yaml

This yaml creates a pod, service, and an ingress.

Replace Ingress with HttpProxy

Now, we don't want the app to go through the ingress. Instead, we want to use an HTTPProxy so that
Contour controls the Envoy proxy.

First, let's remove the ingress:

kubectl delete ingress httpbin


Below is the HTTPProxy we want to apply to the namespace to replace the removed ingress. Create it as a
yaml file (httpproxy.yaml):

Then apply the yaml file.

kubectl apply -f httpproxy.yaml

Remote JWKS

For remoteJWKS, we have an endpoint we can check against:
https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/jwks.json

The token is at:
https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/groups-scope.jwt

Attach this token to the Authorization header of the request.

Now we just need to forward the port:

kubectl -n projectcontour port-forward service/envoy 8888:443

We need to use port 443, or else the request will fail with this error:
OPENSSL_internal:WRONG_VERSION_NUMBER

Checking application works

Use Postman or any other REST client to test against the application.

Use the following information:

URL: https://local.projectcontour.io:8888

Header: add Authorization with the Bearer token

Bearer
eyahbGci0i3sUzI1NiISImtpZCI6IKRIRm3wb01VCX3ZOHyenBBMFYZKNtcjVWTzVaRXIOUnpIV8tZWS2d1EiLC
J0eXAiOi3KV1QifQ.ey31eHAiOjMIMZCZOTEXHDOSImdyb3

Now to test: if you include the token, the response should be 200. If you exclude the token, the response
should be 401.
