EnvoyFilter patch does not work as expected #21265
Comments
I've found the error:
Which has led me to envoyproxy/envoy#7767. Therefore
@istio/wg-networking-maintainers Currently the analyze framework doesn't have any rules for EnvoyFilter. Is there someone on the Networking team who wants to work with me to produce either an admission webhook or analysis warning/info message for this problem?
I really don't think it's feasible to attempt to implement the XDS spec as an analyzer. The API is break glass, if you use it wrong that is the user's fault. It's not intended to be easy to use or prevent you from shooting yourself in the foot. That error message is coming directly from Envoy, right? We should just send bad config to envoy (as we do today) and the user can monitor the appropriate metrics (they are already on our dashboards) to investigate envoy errors.
It's not clear whether we should promote this API to beta or stable.
@kyessenov There is nothing in https://preliminary.istio.io/docs/reference/config/networking/envoy-filter/ suggesting that EnvoyFilter is experimental, other than @howardjohn We created
@esnible you can generate literally any Envoy config with this API. It's not feasible to capture even 1% of all possible ways this could go wrong, and I don't think it's a useful investment in time/effort. And we do have a note about the stability:
From a user's perspective, I get that it's not possible to capture all the possible permutations, especially as it's effectively a 3rd party tool. However, if it was made easier to find the root cause then we (users) wouldn't waste two man days trying to figure out why Envoy config just disappears. Therefore, exposing the underlying error would be helpful.
Better exposing Envoy errors is a great idea, I just don't think it's feasible to try to look at EnvoyFilters and try to determine if they are valid or not.
@esnible Yes, a warning is needed I think, but I am not an owner of the networking APIs.
I think the problem here is insufficient documentation in the EnvoyFilter API for things like ADD. The OP had clearly read through the currently documented options and tried to follow what we suggested. @dansiviter would you like to shoot a PR to istio/api to document these things? I can do it as well but let me know.
I encourage a Traffic Management documentation Task that used EnvoyFilter and provided a valid one. Many people would prefer to start with an example and modify it for their use rather than construct one based on reading the reference info. I don't have the skill to write such a Task. Anyone?
I'm probably not a good candidate as I neither know the code nor how it's supposed to work. Sorry!
@howardjohn I checked the samples on the Wiki by applying them and using
I am not saying we should write a general purpose XDS validator. I am suggesting that
I don't think writing that code is something that is feasible without literally applying it and checking against 2 envoys. We don't know what breaks between versions in many cases.
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2020-07-31. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager.
This appears to still be an issue, and is still shown on the documentation for Istio as a valid EnvoyFilter configuration (and the documentation for FilterClass says it is the preferred way of injecting filters). Example 5 on https://istio.io/latest/docs/reference/config/networking/envoy-filter/ Would it be possible to have a terminal filter on the AuthN/AuthZ (presumably also an issue for Stats?) by default?
@DiamondJoseph can you open a separate issue with the exact EnvoyFilter you tried and your Istio version? The above EnvoyFilter will not work with the latest version since there are some naming changes to various fields when Istio switched to Envoy v3 APIs in 1.8.
We should definitely update the samples to work.
@GregHanson please let me know if you require any further information, I have converted the Helm Library Chart we're using internally to be as close to deployable as possible without including Secrets.
Bug description
Applying a HTTP_FILTER via EnvoyFilter is very confusing and requires a lot of trial and error. I would have thought it should be possible to just ADD but it appears it must appear before the predefined envoy.router or before/after envoy.cors or envoy.fault filters to appear.
The 'fix' for this may just be documenting the correct usage.
Expected behaviour
EnvoyFilter of HTTP_FILTER should be able to ADD config.
Steps to reproduce the bug
Use the following config:
Then perform:
istioctl proxy-config listener istio-ingressgateway-N -n istio-system -o json
Notice the config is not applied. When changing the following
operation: INSERT_BEFORE
it appears. I've tried also dropping out the subFilter section and I would expect it would just add the config at the end, but that doesn't work either.
There is a working example here: https://discuss.istio.io/t/ip-tagging-configuration/5377/3?u=dansiviter
Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm)
Istio
Helm
Kube
How was Istio installed?
Helm
Environment where bug was observed (cloud vendor, OS, etc)
Docker for Mac
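A diagnostic for the symptom reported in this issue, added here as an example and not part of the original report or of Istio's own code: it reads listener JSON of the kind produced by the istioctl proxy-config listener ... -o json command above and reports, for each HTTP connection manager, whether a named HTTP filter is present and sits before the router. The JSON field layout, the Envoy v3 filter names and the use of envoy.lua as the patched-in filter are assumptions, and the sample data is constructed.

```python
import json

# Assumed names: the v2 names quoted in this issue plus their Envoy v3 equivalents.
ROUTER_NAMES = {"envoy.router", "envoy.filters.http.router"}
HCM_NAMES = {"envoy.http_connection_manager", "envoy.filters.network.http_connection_manager"}


def http_filter_chains(listeners):
    """Yield (listener name, [HTTP filter names]) per HTTP connection manager."""
    for lis in listeners:
        for chain in lis.get("filterChains", lis.get("filter_chains", [])):
            for nf in chain.get("filters", []):
                if nf.get("name") not in HCM_NAMES:
                    continue  # not an HTTP connection manager (e.g. a TCP proxy)
                cfg = nf.get("typedConfig") or nf.get("typed_config") or nf.get("config") or {}
                http = cfg.get("httpFilters") or cfg.get("http_filters") or []
                yield lis.get("name", "?"), [f.get("name") for f in http]


def check_filter(listeners, wanted):
    """Classify each chain for `wanted`: 'missing', 'after-router' or 'ok'."""
    results = []
    for name, filters in http_filter_chains(listeners):
        router_at = next((i for i, f in enumerate(filters) if f in ROUTER_NAMES), None)
        if wanted not in filters:
            status = "missing"        # the patch was dropped or never matched
        elif router_at is not None and filters.index(wanted) > router_at:
            status = "after-router"   # present, but placed behind the router
        else:
            status = "ok"
        results.append((name, status, filters))
    return results


# Constructed sample shaped like listener JSON; not output from a real proxy.
SAMPLE = json.loads("""
[{"name": "0.0.0.0_80", "filterChains": [{"filters": [
   {"name": "envoy.http_connection_manager", "config": {"http_filters": [
     {"name": "envoy.cors"}, {"name": "envoy.fault"},
     {"name": "envoy.lua"}, {"name": "envoy.router"}]}}]}]},
 {"name": "0.0.0.0_443", "filterChains": [{"filters": [
   {"name": "envoy.http_connection_manager", "config": {"http_filters": [
     {"name": "envoy.cors"}, {"name": "envoy.fault"},
     {"name": "envoy.router"}]}}]}]}]
""")

if __name__ == "__main__":
    for name, status, filters in check_filter(SAMPLE, "envoy.lua"):
        print(f"{name}: {status} {filters}")
```

For a live proxy, load the JSON from the istioctl command above (for example with json.load(sys.stdin)) and pass it to check_filter together with the name of the filter the EnvoyFilter is meant to add.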