istio: EnvoyFilter inbound doesn't work

Bug description

adding this config doesn’t work

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: add-calling-service-inbound
spec:
  workloadSelector:
    labels:
      app: echo-ping
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
       name: envoy.lua
       config:
         inlineCode: |
           function envoy_on_request(request_handle)
             request_handle:headers():add("x-foo", "bar")
           end

Expected behavior

Lua code will be called for every incoming service call.

Steps to reproduce the bug

apply the filter and check headers on the receiving end

Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm)

$> istioctl version
client version: 1.4.2
control plane version: 1.4.2
data plane version: 1.4.2 (3 proxies)

$> kubectl version
Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.3", GitCommit:"b3cbbae08ec52a7fc73d334838e18d17e8512749", GitTreeState:"clean", BuildDate:"2019-11-13T11:23:11Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.3", GitCommit:"b3cbbae08ec52a7fc73d334838e18d17e8512749", GitTreeState:"clean", BuildDate:"2019-11-13T11:13:49Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}

How was Istio installed?

istioctl manifest apply

Environment where bug was observed (cloud vendor, OS, etc)

microk8s

istio-dump.tar.gz

Thanks in advance

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Reactions: 3
  • Comments: 17 (8 by maintainers)

Most upvoted comments

Is there any update on this? I walked into the same issue/bug. A solution is removing the portNumber altogether.

...
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
-          portNumber: 5000
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
...
+6
TimVosch on Mar 18, 2020

@lfundaro @lizongshen I’ve find a solution yesterday. Be sure that you have a service for your deployment and in your service define ports as below:


spec:
  ports:
  - name: http # this is the important part
  port: <port>
  targetPort: <targetPort>
+2
mstrYoda on Apr 8, 2020

@lfundaro @lizongshen I’ve find a solution yesterday. Be sure that you have a service for your deployment and in your service define ports as below:


spec:
  ports:
  - name: http # this is the important part
  port: <port>
  targetPort: <targetPort>

Thank you so much for this, @mstrYoda ! How did you even figure this out? Is this requirement documented somewhere?

+1
benjaminxie on Feb 9, 2022

The difference between the new envoy filter and old envoy filter are :

  1. with the new spec lua envoyfilter configured, it only modify one listener which name “<POD_IP>_9080”
  2. with the old spec lua envoy filter configured. it will modify two listener <POD_IP>_9080 and virtualInbound (0.0.0.0: 15006)

so for the 1st one, without the modification for virtualInbound, it shall fail.

+1
hobbytp on Jan 17, 2020
Read more comments on GitHub
← istio: Envoy shutting down before the thing it's wrapping can cause failed requests
istio: EnvoyFilter patch does not work as expected →