大家好,我是 Envoy 和 Istio 的新手。我正在尝试编写一个特使过滤器来重写/重定向 HTTP(s) 请求。下面是我的配置(是的,一个玩具示例),它不工作。
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: lua-filter
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
inlineCode: |
function envoy_on_request(request_handle)
request_handle:headers():add("authorization", "it works!")
end
function envoy_on_response(response_handle)
filter_name = "ENVOY"
response_handle:headers():add("my_Filter", filter_name)
end
在部署应用程序(在 Cloudflare 后面的 443 端口监听 https)和 envoy 过滤器后,我执行 curl -v <my_app> .我没有看到添加的请求 header 或响应 header 。我也尝试添加 xff_num_trusted_hops: 2其他一些答案建议但无济于事。我做错了什么?
最佳答案
要将过滤器应用于单个 pod,您必须为您的应用添加 workloadSelector。
workloadSelector:
labels:
xxx: xxx
例如,有一个 nginx 部署和具有适当 workloadSelector 的 envoy 过滤器。
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx1
spec:
selector:
matchLabels:
run: nginx1
replicas: 1
template:
metadata:
labels:
run: nginx1
app: frontend
spec:
containers:
- name: nginx1
image: nginx
ports:
- containerPort: 80
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: lua-filter
namespace: default
spec:
workloadSelector:
labels:
run: nginx1
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
inlineCode: |
function envoy_on_request(request_handle)
request_handle:headers():add("authorization", "it works!")
end
function envoy_on_response(response_handle)
filter_name = "ENVOY"
response_handle:headers():add("my_Filter", filter_name)
end
将过滤器应用于所有通过您的 istio 入口网关的请求。
1.将更改上下文从 SIDECAR_INBOUND 更改为 GATEWAY。
2.设置一个workloadSelector。
workloadSelector:
labels:
istio: ingressgateway
3.设置istio-system命名空间。
namespace: istio-system
4.经过几次编辑后有你的例子。
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: lua-filter
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
inlineCode: |
function envoy_on_request(request_handle)
request_handle:headers():add("authorization", "it works!")
end
function envoy_on_response(response_handle)
filter_name = "ENVOY"
response_handle:headers():add("my_Filter", filter_name)
end
5.我用curl查了一下
curl -s -I -X HEAD xx.xx.xx.xx/productpage
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 5179
server: istio-envoy
date: Tue, 10 Nov 2020 08:28:30 GMT
x-envoy-upstream-service-time: 60
my_filter: ENVOY <---
和
我在 istio ingress-gateway pod 中使用 config_dump 检查了它。
我在那里执行
kubectl exec -ti istio-ingressgateway-86f88b6f6-2tv64 -n istio-system -- /bin/bash
config_dump 的结果
curl 0:15000/config_dump | grep my_Filter
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 140k 0 140k 0 0 9.7M 0 --:--:-- --:--:-- --:--:-- 9.7M
"inline_code": "function envoy_on_request(request_handle)\n request_handle:headers():add(\"authorization\", \"it works!\")\nend\nfunction envoy_on_response(response_handle)\n filter_name = \"ENVOY\"\n response_handle:headers():add(\"my_Filter\", filter_name)\nend\n"
其他资源:
关于istio - 未使用简单的特使过滤器,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/64760048/