I am trying to apply some of the Envoy edge proxy best practice configs to my Istio 1.9.0 deployment and I am struggling to get a successful EnvoyFilter in place. All ingress traffic returns 503 after I apply.
Using istioctl I see the configs are applied and proxy-status appears to be healthy… Any ideas?
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: connection-control
  namespace: istio-system
spec:
  configPatches:
    - applyTo: CLUSTER
      patch:
        operation: MERGE
        value:
          connect_timeout: 5s
          per_connection_buffer_limit_bytes: 32768 # 32 KiB
          http2_protocol_options:
            initial_stream_window_size: 65536 # 64 KiB
            initial_connection_window_size: 1048576 # 1 MiB
    - applyTo: NETWORK_FILTER
      match:
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
      patch:
        operation: MERGE
        value:
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
            common_http_protocol_options:
              idle_timeout: 3600s # 1 hour
              headers_with_underscores_action: REJECT_REQUEST
            http2_protocol_options:
              max_concurrent_streams: 100
              initial_stream_window_size: 65536 # 64 KiB
              initial_connection_window_size: 1048576 # 1 MiB
            stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
            request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
Note: I have scoured the net and tried basically every possible "working" solution. This config represents what I believe to be the most "correct" solution for 1.9.0. Flow control and connection buffer limiting should be trivial so I must be missing something small.
Thanks in advance for any advice!
So after some tweaking I finally got a working EnvoyFilter deployed:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: edge-proxy-protocol
  namespace: istio-system
spec:
  configPatches:
    - applyTo: NETWORK_FILTER
      match:
        # context omitted so that this applies to both sidecars and gateways
        listener:
          filterChain:
            filter:
              name: envoy.filters.network.http_connection_manager
      patch:
        operation: MERGE
        value:
          name: envoy.filters.network.http_connection_manager
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
            common_http_protocol_options:
              idle_timeout: 3600s # 1 hour
            http2_protocol_options:
              max_concurrent_streams: 100
              initial_stream_window_size: 65536 # 64 KiB
              initial_connection_window_size: 1048576 # 1 MiB
            stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
            request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
However I was still seeing 30s timeouts on connections I wanted to remain open... turns out there was a timeout at the global LB level. Mystery solved and EnvoyFilter working as designed.
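
A healthy proxy-status only shows that config was delivered, not that the MERGE landed on every HTTP connection manager. The following is an added example, not part of the original posts: it audits listener JSON (as dumped by `istioctl proxy-config listener <pod> -n istio-system -o json`) against the values in the working filter above. The camelCase protobuf-JSON field names are an assumption about the dump format, and the sample listeners are constructed.

```python
import json

HCM = "envoy.filters.network.http_connection_manager"

# Values set by the working EnvoyFilter above, keyed by their path inside the
# HCM typed config (camelCase protobuf-JSON names are assumed here).
EXPECTED = {
    ("commonHttpProtocolOptions", "idleTimeout"): "3600s",
    ("http2ProtocolOptions", "maxConcurrentStreams"): 100,
    ("http2ProtocolOptions", "initialStreamWindowSize"): 65536,
    ("http2ProtocolOptions", "initialConnectionWindowSize"): 1048576,
    ("streamIdleTimeout",): "300s",
    ("requestTimeout",): "300s",
}

def dig(obj, path):
    """Follow a key path through nested dicts; None if any step is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def audit_listeners(listeners):
    """Return {listener: [(field, expected, actual), ...]} for HCMs that deviate."""
    findings = {}
    for lst in listeners:
        for chain in lst.get("filterChains", []):
            for flt in chain.get("filters", []):
                if flt.get("name") != HCM:
                    continue  # TCP proxy and other network filters are out of scope
                cfg = flt.get("typedConfig", {})
                for path, want in EXPECTED.items():
                    got = dig(cfg, path)
                    if got != want:
                        findings.setdefault(lst.get("name", "?"), []).append(
                            (".".join(path), want, got))
    return findings

# Constructed sample: one patched listener, one where the patch did not apply.
SAMPLE = json.loads("""[
 {"name": "0.0.0.0_8080", "filterChains": [{"filters": [{"name": "envoy.filters.network.http_connection_manager",
   "typedConfig": {"commonHttpProtocolOptions": {"idleTimeout": "3600s"},
    "http2ProtocolOptions": {"maxConcurrentStreams": 100, "initialStreamWindowSize": 65536, "initialConnectionWindowSize": 1048576},
    "streamIdleTimeout": "300s", "requestTimeout": "300s"}}]}]},
 {"name": "0.0.0.0_8443", "filterChains": [{"filters": [{"name": "envoy.filters.network.http_connection_manager",
   "typedConfig": {"streamIdleTimeout": "0s"}}]}]}
]""")

if __name__ == "__main__":
    for name, bad in audit_listeners(SAMPLE).items():
        for field, want, got in bad:
            print(f"{name}: {field} expected {want!r}, found {got!r}")
```

An empty result means every HTTP connection manager in the dump carries the patched limits; timeouts enforced outside the mesh, such as the load balancer one mentioned above, are not visible to this check.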