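I am trying to get EnvoyFilters working in my installation. For testing purposes, I am trying to set up a Lua filter that logs a dumb message and adds a header to the response.
Here is my configuration: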
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: dumb-filter
  namespace: istio-system
spec:
  # workloadSelector:
  #   labels:
  #     istio: ingressgateway
  configPatches:
  # - applyTo: VIRTUAL_HOST
  - applyTo: HTTP_ROUTE
    match:
      context: GATEWAY
      # context: ANY
      routeConfiguration:
        vhost:
          # name: "<domain>:443"
          route:
            #TODO: Understand name compose logic
            name: https.443.https.geth-dedicated.default
    patch:
      operation: MERGE
      value:
        name: envoy.filters.http.lua
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            function envoy_on_response(response_handle)
              response_handle:headers():add("dm3ch-test", "dm3ch")
              response_handle:logErr("Bye Bye.")
            end
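So far I see neither the log message nor the test header in the response. I have already tried:
- Creating the EnvoyFilter object in both the application namespace and the istio-system namespace (where the istio gateway pods live)
- Specifying the workload selector (I have verified that the istio gateway pod has the istio: ingressgateway label)
- Changing the context from "GATEWAY" to "ANY"
- Changing applyTo between the VIRTUAL_HOST and HTTP_ROUTE modes
- Verifying that the route name is actually https.443.https.geth-dedicated.default using the istioctl proxy-config route <gateway_pod> command
- Adding the vhost.name setting and commenting out vhost.route.name
Istio version info: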
❯ istioctl version
client version: 1.11.4
control plane version: 1.12.0-alpha.1
data plane version: 1.12.0-alpha.1 (1 proxies)
Route configuration JSON:
❯ istioctl proxy-config route istio-ingress-675cb54bc9-5r8cs.istio-system --name https.443.https.geth-dedicated.default -o json
[
    {
        "name": "https.443.https.geth-dedicated.default",
        "virtualHosts": [
            {
                "name": "<domain>:443",
                "domains": [
                    "<domain>",
                    "<domain>:*"
                ],
                "routes": [
                    {
                        "match": {
                            "prefix": "/",
                            "caseSensitive": true
                        },
                        "route": {
                            "cluster": "outbound|8545||geth-dedicated.default.svc.cluster.local",
                            "timeout": "0s",
                            "retryPolicy": {
                                "retryOn": "connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes",
                                "numRetries": 2,
                                "retryHostPredicate": [
                                    {
                                        "name": "envoy.retry_host_predicates.previous_hosts"
                                    }
                                ],
                                "hostSelectionRetryMaxAttempts": "5",
                                "retriableStatusCodes": [
                                    503
                                ]
                            },
                            "hashPolicy": [
                                {
                                    "connectionProperties": {
                                        "sourceIp": true
                                    }
                                }
                            ],
                            "maxGrpcTimeout": "0s"
                        },
                        "metadata": {
                            "filterMetadata": {
                                "istio": {
                                    "config": "/apis/networking.istio.io/v1alpha3/namespaces/default/virtual-service/geth-dedicated"
                                }
                            }
                        },
                        "decorator": {
                            "operation": "geth-dedicated.default.svc.cluster.local:8545/*"
                        }
                    }
                ],
                "includeRequestAttemptCount": true
            }
        ],
        "validateClusters": false
    }
]
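I would be glad if someone could advise me on what I am doing wrong, or on how I can better debug why the filter is not applied.
P.S. My goal is to invoke custom logic during request/response handling on the ingressgateway istio deployment only for a specific virtual service.
Best answer
Chris's answer is very useful, but unfortunately it is not complete. :(
Here is what I found:
- It is not possible to use the type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua filter on HTTP_ROUTE (but it is possible to use LuaPerRoute)
- type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute by itself does not allow defining a new Lua filter; it only allows disabling an existing Lua filter or overriding its source code (envoy docs)
So, to make custom Lua logic apply to only one http route, you need to define a "global" Lua filter and override its code for the specific http route using a LuaPerRoute filter.
Here is my manifest that allowed me to make it work: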
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: geth-dedicated
  namespace: default
spec:
  gateways:
  - geth-dedicated # I'm omitting gateway creation in this snippet
  hosts:
  - <domain>
  http:
  - match:
    - uri:
        prefix: /
    name: geth-public
    route:
    - destination:
        host: geth-dedicated
        port:
          number: 8545
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: dumb-filter
  namespace: istio-system # Namespace where istio gateway pods are actually running
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  # Patch that creates "global" lua filter that does nothing useful
  - applyTo: HTTP_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.lua
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            function envoy_on_request(request_handle)
              -- Empty lua function
            end
  # Filter for http route that overrides "global" filter lua source code
  - applyTo: HTTP_ROUTE
    match:
      context: GATEWAY
      routeConfiguration:
        vhost:
          route:
            name: geth-public # Corresponds to http[0].name in VirtualService
    patch:
      operation: MERGE
      value:
        name: envoy.lua
        typed_per_filter_config:
          envoy.filters.http.lua:
            '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute
            source_code:
              inline_string: |
                function envoy_on_response(response_handle)
                  response_handle:logErr("Goodbye my brain.")
                  response_handle:headers():add("dm3ch-test", "dm3ch wins")
                end
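
An added example, not part of the original question or answer: a small checker for the JSON printed by istioctl proxy-config route <gateway_pod> -o json, which reports whether the route that an HTTP_ROUTE patch matches on vhost.route.name actually carries a LuaPerRoute override. The function names and both sample dumps are constructed for illustration; BEFORE mirrors the question's dump (the route has no name, and the value used in the match is the route configuration name), and AFTER assumes the route is named geth-public as in the answer's VirtualService.

```python
import json

# Per-route override type used in the answer's HTTP_ROUTE patch.
LUA_PER_ROUTE = "type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute"

def lua_route_report(dump):
    """One row per route: (route config name, vhost name, route name, has Lua override)."""
    rows = []
    for rc in dump:
        for vh in rc.get("virtualHosts", []):
            for route in vh.get("routes", []):
                per_filter = route.get("typedPerFilterConfig", {})
                hit = any(c.get("@type") == LUA_PER_ROUTE for c in per_filter.values())
                rows.append((rc.get("name"), vh.get("name"), route.get("name"), hit))
    return rows

def diagnose(dump, route_name):
    """Explain what an HTTP_ROUTE match on vhost.route.name == route_name found."""
    rows = lua_route_report(dump)
    hits = [r for r in rows if r[2] == route_name]
    if hits:
        return "patched" if all(r[3] for r in hits) else "route found, no Lua override"
    if any(r[0] == route_name for r in rows):
        return "that is a route configuration name, not a route name"
    return "no route with that name"

# Constructed samples, trimmed to the fields that matter here.
BEFORE = json.loads("""[{"name": "https.443.https.geth-dedicated.default",
  "virtualHosts": [{"name": "<domain>:443",
    "routes": [{"match": {"prefix": "/"}}]}]}]""")
AFTER = json.loads("""[{"name": "https.443.https.geth-dedicated.default",
  "virtualHosts": [{"name": "<domain>:443",
    "routes": [{"name": "geth-public", "match": {"prefix": "/"},
      "typedPerFilterConfig": {"envoy.filters.http.lua": {"@type":
        "type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute"}}}]}]}]""")

if __name__ == "__main__":
    print(diagnose(BEFORE, "https.443.https.geth-dedicated.default"))
    print(diagnose(AFTER, "geth-public"))
```

To run it against a live gateway, load the saved istioctl output with json.load and pass it to diagnose in place of the samples.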
Regarding "istio - unable to make a Lua-based EnvoyFilter work", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/69623850/