Equivalents of Nginx Ingress Annotations on Istio Ingress Gateway

11/27/2019

I'm currently migrating an IT environment from Nginx Ingress Gateway to Istio Ingress Gateway on Kubernetes.

I need to migrate the following Nginx annotations:

nginx.ingress.kubernetes.io/proxy-buffer-size
nginx.ingress.kubernetes.io/proxy-read-timeout
nginx.ingress.kubernetes.io/proxy-send-timeout
nginx.ingress.kubernetes.io/proxy-body-size
nginx.ingress.kubernetes.io/upstream-vhost

For Nginx, the annotations are documented here: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/

I didn't find a way to use the Nginx annotations with the Istio Ingress Gateway in the Istio documentation.

Does anyone know how to implement the above-mentioned annotations in the Istio Ingress Gateway?

Thanks in advance.

Best regards, rforberger

-- Ronny Forberger
istio
kubernetes
nginx-ingress

2 Answers

11/27/2019

Nginx ingress annotation equivalents can be implemented in Istio with an Envoy filter.

More specifically, by using the HTTP Lua filter.

Example of an Envoy filter that has an HTTP Lua filter:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: reviews-lua
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews
  configPatches:
    # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
       name: envoy.lua
       config:
         inlineCode: |
           function envoy_on_request(request_handle)
             -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
             local headers, body = request_handle:httpCall(
              "lua_cluster",
              {
               [":method"] = "POST",
               [":path"] = "/acl",
               [":authority"] = "internal.org.net"
              },
             "authorize call",
             5000)
           end
  # The second patch adds the cluster that is referenced by the lua code
  # cds match is omitted as a new cluster is being added
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value: # cluster specification
        name: "lua_cluster"
        type: STRICT_DNS
        connect_timeout: 0.5s
        lb_policy: ROUND_ROBIN
        hosts:
        - socket_address:
            protocol: TCP
            address: "internal.org.net"
            port_value: 8888

For example:

nginx.ingress.kubernetes.io/proxy-body-size could be achieved by size = buffer:length().

nginx.ingress.kubernetes.io/proxy-read-timeout or nginx.ingress.kubernetes.io/proxy-send-timeout are custom timeouts which could be achieved by httpCall(5000).

Full list of methods can be found here.

Hope this helps.


Update:

After rereading the nginx annotations, getBytes() looks better for nginx.ingress.kubernetes.io/proxy-buffer-size than buffer:length().

getBytes()

buffer:getBytes(index, length)

Get bytes from the buffer. By default Envoy will not copy all buffer bytes to Lua. This will cause a buffer segment to be copied. index is an integer and supplies the buffer start index to copy. length is an integer and supplies the buffer length to copy. index + length must be less than the buffer length.

So buffer:getBytes(0, 8000) should load 8k of bytes from buffer similar to nginx.ingress.kubernetes.io/proxy-buffer-size: "8k".

-- Piotr Malec
Source: StackOverflow

2/26/2020

I think I found how to set nginx.ingress.kubernetes.io/proxy-body-size in Istio.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: reviews-lua
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews
  configPatches:
    # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
       name: envoy.lua
       config:
         inlineCode: |
           function envoy_on_request(request_handle)
             -- body() returns nil for requests without a body (e.g. GET)
             local body = request_handle:body()
             if body then
               request_handle:headers():add("request_body_size", body:length())
             end
           end

And also the TLS ciphers:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-tls-ingress
spec:
  selector:
    app: my-tls-ingress-gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem
      cipherSuites: # a list of cipher suite names
      - "<tls-ciphers>"

-- Ronny Forberger
Source: StackOverflow
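
An added example (not part of either answer, and not Istio's or Envoy's own code): the body-size measurement from the two answers above taken one step further, so that the Lua filter rejects oversized requests with a 413 instead of only measuring them. The 1 MiB limit, the `mock_request` helper and the sample requests are assumptions constructed so the script also runs under a plain `lua` interpreter; inside an EnvoyFilter only the constant and `envoy_on_request` would go into `inlineCode`.

```lua
-- Added example: enforce a request body limit in an Envoy Lua filter.
local MAX_BODY_BYTES = 1024 * 1024  -- assumed limit, like proxy-body-size: "1m"

function envoy_on_request(request_handle)
  -- Cheap check first: reject on the declared Content-Length before buffering.
  local raw = request_handle:headers():get("content-length")
  local declared = raw and tonumber(raw)
  if declared and declared > MAX_BODY_BYTES then
    request_handle:respond({[":status"] = "413"}, "request body too large")
    return
  end
  -- body() waits until the whole body is buffered; nil means no body was sent.
  -- This second check covers chunked uploads that carry no Content-Length.
  local body = request_handle:body()
  if body and body:length() > MAX_BODY_BYTES then
    request_handle:respond({[":status"] = "413"}, "request body too large")
  end
end

-- Constructed mock of the Envoy stream handle (hypothetical helper) so the
-- filter logic can be exercised offline.
local function mock_request(headers, payload)
  local handle = {status = "passed"}
  function handle:headers()
    return {get = function(_, name) return headers[name] end}
  end
  function handle:body()
    if payload == nil then return nil end
    return {length = function() return #payload end}
  end
  function handle:respond(hdrs, _) self.status = hdrs[":status"] end
  return handle
end

local function check(headers, payload)
  local handle = mock_request(headers, payload)
  envoy_on_request(handle)
  return handle.status
end

-- Constructed sample requests: bodiless, small, over-limit by declared
-- length, and over-limit without a Content-Length header.
print(check({}, nil))
print(check({["content-length"] = "5"}, "hello"))
print(check({["content-length"] = "2097152"}, nil))
print(check({}, string.rep("A", MAX_BODY_BYTES + 1)))
```

Because `body()` buffers the full request before the length can be compared, the Content-Length check is what keeps declared-oversized uploads from being held in memory at all.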