istio: EnvoyFilter patch does not work as expected

Bug description Applying a HTTP_FILTER via EnvoyFilter is very confusing and requires a lot of trial and error. I would have thought it should be possible to just ADD but it appears it must appear before the predefined envoy.router or before/after envoy.cors or envoy.fault filters to appear.

The ‘fix’ for this may just be documenting the correct usage.

Expected behaviour EnvoyFilter of HTTP_FILTER should be able to ADD config.

Steps to reproduce the bug Use the following config:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: tagger
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: ADD  // this doesn't work, only INSERT_BEFORE with 'envoy.router' or INSERT_BEFORE/INSERT_AFTER with 'envoy.cors' or 'envoy.fault'
      value:
        name: envoy.ip_tagging
        config:
          request_type: INTERNAL
          ip_tags:
          - ip_tag_name: GOTCHA
            ip_list:
            - address_prefix: 0.0.0.1

Then perform: istioctl proxy-config listener istio-ingressgateway-N -n istio-system -o json

Notice the config is not applied. When changing the following operation: INSERT_BEFORE it appears. I’ve tried also dropping out the subFilter section and I would expect it would just add the config at the end, but that doesn’t work either.

There is a working example here: https://discuss.istio.io/t/ip-tagging-configuration/5377/3?u=dansiviter

Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm) Istio

client version: 1.4.0
control plane version: 1.4.4
data plane version: 1.4.4 (4 proxies)

Helm

version.BuildInfo{Version:"v3.1.0", GitCommit:"b29d20baf09943e134c2fa5e1e1cab3bf93315fa", GitTreeState:"clean", GoVersion:"go1.13.7"}

Kube

Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.5", GitCommit:"20c265fef0741dd71a66480e35bd69f18351daea", GitTreeState:"clean", BuildDate:"2019-10-15T19:16:51Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.5", GitCommit:"20c265fef0741dd71a66480e35bd69f18351daea", GitTreeState:"clean", BuildDate:"2019-10-15T19:07:57Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"linux/amd64"}

How was Istio installed? Helm

Environment where bug was observed (cloud vendor, OS, etc) Docker for Mac

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 20 (14 by maintainers)

Most upvoted comments

I think the problem here is insufficient documentation in the EnvoyFilter API for things like ADD. the OP had clearly read through the currently documented options and tried to follow what we suggested. @dansiviter would you like to shoot a PR to istio/api to document these things? I can do it as well but let me know.

+1
rshriram on Feb 21, 2020

I’ve found the error:

Error: envoy.router must be the terminal http filter.

Which has lead me to envoyproxy/envoy#7767. Therefore ADD will never work with HTTP_FILTER or INSERT_AFTER with envoy.router which is not mentioned in the documentation:

ADD: Add the provided config to an existing list (of listeners, clusters, virtual hosts, network filters, or http filters). This operation will be ignored when applyTo is set to ROUTE_CONFIGURATION, or HTTP_ROUTE.

+1
dansiviter on Feb 19, 2020
Read more comments on GitHub
← istio: EnvoyFilter inbound doesn't work
istio: Error adding/updating listener(s) 0.0.0.0_80: error adding listener '0.0.0.0:80': multiple filter chains with the same matching rules are defined →