-
Notifications
You must be signed in to change notification settings - Fork 7.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle 1.12 contrib-image changes #35336
Comments
If Envoy project thinks some filters are not mature enough to be included in the official imagine, maybe we should follow this policy as well. Could it be possible that Istio proxy also provides two images: one only has official extensions and one includes the filters in the Envoy contrib directory? Then users can choose what images to use based on their use cases. Another relevant but not direct issue about third-party protocols support is that Istio requires envoy filter proto go API to be compiled with its core repo. Otherwise validation webhook will complain it doesn't know the proto. So when I tried to support a new protocol in Istio via EnvoyFilter, I had to modify Istio source code, like this: https://github.com/aeraki-framework/istio/blob/270b62b9eff7dfb6439204c0d6be2ed876d82264/pkg/config/xds/filter_types.gen.go#L368 Can we eliminate this dependency somehow? |
I would vote for Istio proxy project to build two images (official and contrib). In order to move from contrib to official, the Envoy project requires users of the feature. If Istio proxy produces both images it makes much easier for the users to try out the contrib images, thus gaining the required users. |
I also would vote for Istio project to build two images(official and contrib). There will be more and more envoy extensions contribute to contrib in the future. In order to support them in Istio, we can now only change the file |
In networking WG we decided for 1.12 we will just add them back to defer a decision. For future we may do another solution. |
Another extension tcp_stats that should live in potential contrib image This one is even trickier because it requires the build host has linux kernel >=4.6 |
@lambdai I think we want all of the extensions that were in 1.11, not just mysql. Including kafka, etc. The original agreement was:
|
@zhaohuabing You can use TypedStruct to avoid a direct protobuf dependency. It's a typed wrapper with JSON inside. The decision is about setting expectations. I don't think we can or should set the expectations that CVEs in contrib envoy extensions have to be addressed. Allowing users to use some untested features in Envoy binary is a dangerous precedent since it puts users into possibly insecure state without us even being aware of it. As for MySQL/Kafka - these have been in alpha since 2016. I think it's time to either move them to beta or remove. It's not sustainable to have features in permanent alpha state. |
@howardjohn I think we need to support custom envoy builds regardless of contrib/core split. Control plane must be able to detect missing extensions and disable features gracefully. We already provide multiple different envoy builds with different sets of extensions. It is perfectly fine to use non-istio Envoy build. Telemetry won't work fully (which can be fixed with Wasm) but not everyone cares about it. |
yes, when it is backported to 1.12 we need an accurate list |
I think there are a few issues with upstream Envoy - but I would be extremely happy if they were mitigated. I think this is clearly the best path forward if feasible:
I think there is a lot of value in making it an opt in for contrib (ie you get contrib filters OR you get Istio filters, or build a custom image). And huge value to make it the default/only way we ship envoy - but that will require a lot more work since it will need to be zero-compromises. |
envoy.filters.network: ..., envoy.filters.network.kafka_broker, envoy.filters.network.kafka_mesh, envoy.filters.network.local_ratelimit, envoy.filters.network.metadata_exchange, envoy.filters.network.mongo_proxy, envoy.filters.network.mysql_proxy, envoy.filters.http: ..., istio.alpn, istio_authn, match-wrapper |
1.12 issue is resolved. ALPN filter will be deprecated with tunnel solution, but not now. Let's discuss in dedicated thread |
In 1.20 envoy (1.12 Istio), some filters are removed from the core image. I believe this will impact our build, as we inherit this.
MySQL filter is used by Istio, albeit in alpha behind an env var flag.
We should consider how to handle this... some ideas:
cc @zhaohuabing @kyessenov
The text was updated successfully, but these errors were encountered: