ISTIO_META_IDLE_TIMEOUT apply to passthrough cluster

[fatedier]

(This is used to request new product features, please visit https://discuss.istio.io for questions on using Istio)

Describe the feature request
We encountered the same issue with #24387. Idle TCP connections to redis will be closed after 1 hour. It's not expected.

I tried to set ISTIO_META_IDLE_TIMEOUT env but failed. I find it not valid for passthrough cluster.

Listeners config:

Valid for outbound istio-ingressgateway

  {
      "name": "envoy.filters.network.tcp_proxy",
      "typedConfig": {
          "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
          "statPrefix": "outbound|15021||istio-ingressgateway.istio-system.svc.cluster.local",
          "cluster": "outbound|15021||istio-ingressgateway.istio-system.svc.cluster.local",
          "idleTimeout": "15s"
      }
  }

Not valid for PassthroughCluster

{
    "name": "envoy.filters.network.tcp_proxy",
    "typedConfig": {
        "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
        "statPrefix": "PassthroughCluster",
        "cluster": "PassthroughCluster"
    }
}

Describe alternatives you've considered
Use custom envoyfilter.

Affected product area (please put an X in all that apply)

[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Affected features (please put an X in all that apply)

[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane

Additional context

[fatedier]

@zirain Hi, I have another question.

I see ISTIO_META_IDLE_TIMEOUT also affect envoy.filters.network.http_connection_manager.commonHttpProtocolOptions.idleTimeout in listener filters.

From envoy documents:

idle_timeout
(Duration) The idle timeout for connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed. If the connection is an HTTP/2 downstream connection a drain sequence will occur prior to closing the connection, see drain_timeout. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. If not specified, this defaults to 1 hour. To disable idle timeouts explicitly set this to 0.

In my testing, it doesn't work. HTTP idle connections to mesh internal service still be closed after 1 hour even I set ISTIO_META_IDLE_TIMEOUT to 5s.

My purpose is to set idle timeout for TCP and HTTP connections seperately and globaly. Then per service configures will override global configures. I need to know more effects about these configures.

It's not easy for me to find the correct way from istio and envoy documents. Can you give me some advise?

[zirain]

I can not reproduce this, it seems ok

              common_http_protocol_options:
                idle_timeout: 15s

source code is here

istio/pilot/pkg/networking/core/v1alpha3/listener.go

Line 1410 in 140362f

idleTimeout, err := time.ParseDuration(listenerOpts.proxy.Metadata.IdleTimeout)

[fatedier]

I don't mean the envoy configures is error.

I mean the idle timeout in http connection manager doesn't take effect.

For example, there are two services A and B.

common_http_protocol_options:
     idle_timeout: 15s

Service A creates a connection to service B and send one HTTP request, then do nothing.

This connection won't be closed when the idle timeout(15s) is reached.

I'm not sure if i have some errors in understanding this configures.