New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Possible to configure retry policy for external authorization requests? #5974
Comments
Anyone who could comment on the above? Feels like something that is really missing if this is the case since the whole design of Envoy is to enable fault tolerance characteristics of microservices - but has it been missed in this case? |
@gsagula WDYT? |
I actually have it already in the pipe, but sadly I haven't seen this question before. I think it's a great enhancement. What I have is exactly the same retry policy already implemented in Envoy:
|
@enbohm Just out of curiosity. Did you try any of these retry strategies: |
@gsagula I've tried retry polices but that did only retry when the targeting service/cluster was failing not the authorization request. For instance, the below config does retry when "my-service" fails:
but I can't figure out how to make my auth-service to inherit this policy. Currently, my auth. config looks like
I'd like to be able to configure it something like this:
but that is currently not supported AFAIK (I'm running envoy 1.9.0). Also, as per #6119 design proposal, it would be great to have an option to propagate 5xx error codes instead of always returning 403. |
GRPC Service as well... Something like this:
|
@gsagula Are you saying the retries on authz are already being added?? |
@gdheller42 I have #6119 pretty much done. Just need to add a test. You should be able to use the Envoy's retry I believe. |
@gsagula great thanks.. !! |
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions. |
@gsagula Hi. Can't tell the status. Is it merged with master yet ? Thanks |
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions. |
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions. |
@gsagula I've been trying to use the strategy suggested: envoy http route retries + ext_authz 5xx errors on connection failure. I don't see it retrying (tcpdump shows two connection attempts then immediate failure, regardless of the number of retry attempts I specify). Perhaps this has something to do with my setup, but there's something I don't understand about how it should be working. Doesn't the authz filter run prior to the route filter, and doesn't it terminate the filter chain on failure? If so, what triggers the retry logic? My config is something along these lines: authz config:
http route retry policy:
|
https://github.com/asayah/envoy-extauth-retry in the meantime maybe we can create an internal listener that points to the extauth server, where we can define the reties if needed |
Title: Retry policy for external authorization requests?
I'm using Envoy 1.9.0 and configured external authorization as described in https://www.envoyproxy.io/docs/envoy/v1.9.0/configuration/http_filters/ext_authz_filter#config-http-filters-ext-authz
It works as expected but sometimes the external authorization server respond with a 5xx status (could be either problems with the server, network, etc.). I haven't managed to configure a retry policy for these cases and wonder if it is possible to do this? Also, I can see that when this occurs, the actual response to the calling client is 403 which is actually a bit misleading and it might be better to propagate 5xx response codes from the authorization server.
So my questions are if retries are possible with authorization requests and if 5xx response codes can be propagates to the client?
Any hints are welcome!
The text was updated successfully, but these errors were encountered: