Skip to content

Instantly share code, notes, and snippets.

@ilackarms

ilackarms/notes-and-code-hoot-envoyfilter-1.yaml

Created January 12, 2021 20:01
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save ilackarms/e7b2c3915035549a541ea4416ad344ee to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save ilackarms/e7b2c3915035549a541ea4416ad344ee to your computer and use it in GitHub Desktop.
Download ZIP
Raw
notes-and-code-hoot-envoyfilter-1.yaml
## apply to client cluster
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: reviews.bookinfo.svc.remote-cluster.global
namespace: istio-system
spec:
addresses:
- 241.208.99.7
endpoints:
- address: 172.18.0.3
labels:
cluster: remote-cluster
ports:
http: 32000
hosts:
- reviews.bookinfo.svc.remote-cluster.global
location: MESH_INTERNAL
ports:
- name: http
number: 9080
protocol: HTTP
resolution: DNS
---
#### apply to remote cluster
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: bookinfo-federation-bookinfo
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- '*.global'
port:
name: tls
number: 15443
protocol: TLS
tls:
mode: AUTO_PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: bookinfo-federation.bookinfo
namespace: istio-system
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: envoy.filters.network.sni_cluster
portNumber: 15443
patch:
operation: INSERT_AFTER
value:
name: envoy.filters.network.tcp_cluster_rewrite
typed_config:
'@type': type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite
cluster_pattern: \.remote-cluster.global$
cluster_replacement: .cluster.local
workloadSelector:
labels:
istio: ingressgateway
---
# examples
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews-route
namespace: bookinfo
spec:
hosts:
- reviews.bookinfo.svc.cluster.local
http:
- name: "reviews-v2-routes"
match:
- uri:
prefix: "/"
route:
- destination:
host: reviews.bookinfo.svc.cluster.local
subset: v2
---
# istioctl proxy-config route $(kubectl get pod -n bookinfo | grep productpage | awk '{print $1}').bookinfo -ojson | less
# / reviews-v2-routes
{
"name": "reviews-v2-routes",
"match": {
"prefix": "/",
"caseSensitive": true
},
"route": {
"cluster": "outbound|80|v2|reviews.bookinfo.svc.cluster.local",
"timeout": "0s",
"typedPerFilterConfig": {
"envoy.ext_authz": {
"@type": "type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute",
"checkSettings": {
"contextExtensions": {
"config_id": "default.dev"
}
}
}
}
"retryPolicy": {
"retryOn": "connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes",
"numRetries": 2,
"retryHostPredicate": [
{
"name": "envoy.retry_host_predicates.previous_hosts"
}
],
"hostSelectionRetryMaxAttempts": "5",
"retriableStatusCodes": [
503
]
},
"maxStreamDuration": {
"maxStreamDuration": "0s"
}
},
"metadata": {
"filterMetadata": {
"istio": {
"config": "/apis/networking.istio.io/v1alpha3/namespaces/bookinfo/virtual-service/reviews-route"
}
}
},
"decorator": {
"operation": "reviews.bookinfo.svc.cluster.local:80/*"
}
}
---
# envoyfilter example
kubectl apply -f - <<EOF
# metadata
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: custom-metadata-filter
namespace: istio-system
annotations:
change: meee
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.http.wasm
typed_config:
'@type': type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
name: "custom-metadata-filter"
configuration:
'@type': type.googleapis.com/google.protobuf.StringValue
value: |
{
"cluster_name": "myclusta"
}
vm_config:
runtime: envoy.wasm.runtime.v8
code:
local:
filename: /metadata_exchange.wasm
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.http.wasm
typed_config:
'@type': type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
name: "custom-metadata-filter"
configuration:
'@type': type.googleapis.com/google.protobuf.StringValue
value: |
{
"cluster_name": "myclusta"
}
vm_config:
runtime: envoy.wasm.runtime.v8
code:
local:
filename: /metadata_exchange.wasm
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.http.wasm
typed_config:
'@type': type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
name: "custom-metadata-filter"
configuration:
'@type': type.googleapis.com/google.protobuf.StringValue
value: |
{
"cluster_name": "myclusta"
}
vm_config:
runtime: envoy.wasm.runtime.v8
code:
local:
filename: /metadata_exchange.wasm
---
# auth example
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: reviews-external-auth
namespace: istio-system
spec:
configPatches:
- applyTo: HTTP_ROUTE
match :
context: SIDECAR_OUTBOUND
vhost:
route:
name: "reviews-v2-routes"
action: "ROUTE"
patch:
operation: MERGE
value:
route:
typed_per_filter_config:
envoy.ext_authz:
'@type': type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute
check_settings:
context_extensions:
config_id: custom-ext-auth
---
EOF
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment