
Upstream TCP with proxy protocol #44342

Open
JuniorJPDJ opened this issue Apr 11, 2023 · 12 comments
Labels
area/networking kind/docs kind/enhancement lifecycle/automatically-closed Indicates a PR or issue that has been closed automatically.

Comments

@JuniorJPDJ

JuniorJPDJ commented Apr 11, 2023

Describe the feature request
Making connections to upstream services (Envoy clusters) encapsulated in the PROXY protocol.
The feature was requested on the forums at least 2 times and I saw some Stack Overflow posts about it too:

Describe alternatives you've considered
EnvoyFilter, but currently it's impossible to do using filters because transport_socket_matches is an array: MERGE adds the transport_socket at the end and it's never matched, as

      {
        "name": "tlsMode-disabled",
        "match": {},
        "transport_socket": {
          "name": "envoy.transport_sockets.raw_buffer",
          "typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer"
          }
        }
      }

comes before it and matches all the traffic.
The only way I figured out is very dirty: recreating the whole cluster. AFAIK this makes it impossible to apply other EnvoyFilter.ClusterMatch filters based on service names later.

Affected product area (please put an X in all that apply)

[ ] Ambient
[x] Docs
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Affected features (please put an X in all that apply)

[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane

@hzxuzhonghu
Member

cc

@klarose

klarose commented Apr 13, 2023

Thanks for posting this issue. It was previously tracked here as well: #42257

@JuniorJPDJ
Author

JuniorJPDJ commented Apr 13, 2023

Thank you very much for the link to your previous issue!
I hadn't found it myself.
It looks like more people need this feature too ;)

I see you had a similar idea to mine, but you found more info about the internals handling this case.

Anyway, it's sad that Istio doesn't support the proxy protocol on downstream and on upstream, as IMO this could be just a flag on the route/listener.

There are real use cases for both and I see people asking for it in lots of issues (mostly downstream).

@JuniorJPDJ
Author

My workaround from the mentioned PR patch works!

@istio-policy-bot istio-policy-bot added the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Oct 9, 2023
@istio-policy-bot istio-policy-bot added the lifecycle/automatically-closed Indicates a PR or issue that has been closed automatically. label Oct 24, 2023
@hzxuzhonghu
Member

/reopen

@hzxuzhonghu hzxuzhonghu reopened this Nov 6, 2023
@istio-policy-bot istio-policy-bot removed the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Nov 6, 2023
@rsalmond

Can this be closed now that #48237 has shipped?

@JuniorJPDJ
Author

Probably yes, I haven't checked if it works though.

@JuniorJPDJ
Author

There's no way to enable the proxy protocol on only one of the ports: it's only specified in TrafficPolicy and not in TrafficPolicy.PortTrafficPolicy.

@hzxuzhonghu
Member

This is like tunnel; making it per port is viable too.

@JuniorJPDJ
Author

Also, it looks like it's working only for cluster-internal services.
When trying to forward traffic to a service with an EndpointSlice targeting an IP outside the cluster, it doesn't send proxy headers.
It works for a service with a pod inside the cluster.
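One way to check what the upstream really receives in the case described above, as an added example that is neither Istio's nor Envoy's own code: a small Go parser that a test upstream (a throwaway listener at the external IP) can run on each accepted connection to tell whether the bytes arrived wrapped in a PROXY v2 header, and which client address the header claims, or as plain TCP. It assumes PROXY protocol version 2 over IPv4; the header layout is the one from the published PROXY protocol specification.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

// v2Sig is the fixed 12-byte signature that opens every PROXY protocol v2 header.
var v2Sig = []byte("\r\n\r\n\x00\r\nQUIT\n")

// ProxyInfo is the original client and destination address a PROXY v2 header claims.
type ProxyInfo struct {
	Src, Dst         net.IP
	SrcPort, DstPort int
}

// ParseProxyV2 consumes a PROXY v2 header if the stream starts with one, and returns
// (nil, nil) for plain TCP with those bytes left unread, so a test upstream can tell
// "the sidecar sent PROXY" from "the sidecar sent plain TCP".
func ParseProxyV2(r *bufio.Reader) (*ProxyInfo, error) {
	head, err := r.Peek(12)
	if err != nil || !bytes.Equal(head, v2Sig) {
		return nil, nil // no signature, or fewer than 12 bytes: cannot be a v2 header
	}
	hdr := make([]byte, 16) // signature(12) + ver/cmd(1) + family/proto(1) + length(2)
	if _, err := io.ReadFull(r, hdr); err != nil {
		return nil, err
	}
	if hdr[12]>>4 != 2 {
		return nil, fmt.Errorf("unsupported PROXY version nibble %#x", hdr[12]>>4)
	}
	body := make([]byte, binary.BigEndian.Uint16(hdr[14:16]))
	if _, err := io.ReadFull(r, body); err != nil {
		return nil, err
	}
	// Only command PROXY (low nibble 0x1) over TCP/IPv4 (0x11) is decoded here;
	// LOCAL commands and other address families yield an empty ProxyInfo.
	if hdr[12]&0x0f != 1 || hdr[13] != 0x11 || len(body) < 12 {
		return &ProxyInfo{}, nil
	}
	return &ProxyInfo{
		Src: net.IP(body[0:4]), Dst: net.IP(body[4:8]),
		SrcPort: int(binary.BigEndian.Uint16(body[8:10])),
		DstPort: int(binary.BigEndian.Uint16(body[10:12])),
	}, nil
}
```

Wrap each accepted net.Conn in a bufio.Reader, call ParseProxyV2 first, and then read the application payload from the same reader; a nil result with no error means the sidecar sent plain TCP.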

@JuniorJPDJ JuniorJPDJ reopened this Mar 15, 2024
@hzxuzhonghu
Member

A DR must be bound to a service, so you can define a SE for the external service.

@JuniorJPDJ
Author

JuniorJPDJ commented Mar 15, 2024

It shouldn't be necessary, as I have a native Service defined for those, just with ClusterIP: None and with an EndpointSlice pointing to the IP.
With EnvoyFilter and my fork it worked well.
