Wednesday, July 13, 2022

Istio and proxy-protocol

When you search for solutions on the internet it is sometimes very difficult to know if what is proposed is going to work in your environment. The challenge comes from the fact that not everyone identifies the version they were working with at the time they applied this solution.

I find this snippet of YAML to apply to my Istio deployment to allow some headers to be properly passed on with the requests to the destination service.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: proxy-protocol
  namespace: istio-system
spec:
  configPatches:
    - applyTo: LISTENER
      patch:
        operation: MERGE
        value:
          listener_filters:
            - name: envoy.listener.proxy_protocol
            - name: envoy.listener.tls_inspector
  workloadSelector:
    labels:
      istio: ingressgateway

Once applied, I tested but nothing changed and I still get the errors:

ERR_TOO_MANY_REDIRECTS

I then decide to see if restarting the Istio ingress pod would fix things.

Well…

The pod is not coming back, so I pull the logs and rapidly read them to identify what is causing this issue. I finally spot a few lines:

2022-07-12T20:39:29.975846Z error envoy misc Using deprecated extension name 'envoy.listener.proxy_protocol' for 'envoy.filters.listener.proxy_protocol'. This name will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/version_history/version_history for details. If continued use of this filter name is absolutely necessary, see https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/runtime#using-runtime-overrides-for-deprecated-features for how to apply a temporary and highly discouraged override.
2022-07-12T20:39:30.421115Z error envoy misc Using deprecated extension name 'envoy.listener.proxy_protocol' for 'envoy.filters.listener.proxy_protocol'. This name will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/version_history/version_history for details. If continued use of this filter name is absolutely necessary, see https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/runtime#using-runtime-overrides-for-deprecated-features for how to apply a temporary and highly discouraged override.
2022-07-12T20:39:30.429091Z warning envoy config gRPC config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) 0.0.0.0_8443: Didn't find a registered implementation for name: 'envoy.listener.proxy_protocol'
0.0.0.0_8080: Didn't find a registered implementation for name: 'envoy.listener.proxy_protocol'

So I delete the EnvoyFilter and everything comes back.

So envoy.listener.proxy_protocol does not work with Istio 1.13.x? I will have to read more to figure that part out.
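
As an added example (not part of the original post, and not Istio or Envoy tooling): a small Python check that reads the two Envoy messages quoted above and reports which filter names in an EnvoyFilter manifest the proxy rejected, along with the replacement name the log itself gives. The function names and the abridged sample input are assumptions made for illustration.

```python
import re

# Message formats as they appear in the Envoy log quoted in the post.
DEPRECATED = re.compile(r"Using deprecated extension name '([^']+)' for '([^']+)'")
REJECTED = re.compile(r"(\S+): Didn't find a registered implementation for name: '([^']+)'")
FILTER_NAME = re.compile(r"^\s*-\s*name:\s*(\S+)\s*$", re.M)

# Sample input: log lines abridged from the post, filter list from its EnvoyFilter.
SAMPLE_LOG = """\
2022-07-12T20:39:29.975846Z error envoy misc Using deprecated extension name 'envoy.listener.proxy_protocol' for 'envoy.filters.listener.proxy_protocol'. This name will be removed from Envoy soon.
2022-07-12T20:39:30.429091Z warning envoy config gRPC config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) 0.0.0.0_8443: Didn't find a registered implementation for name: 'envoy.listener.proxy_protocol'
0.0.0.0_8080: Didn't find a registered implementation for name: 'envoy.listener.proxy_protocol'
"""
SAMPLE_MANIFEST = """\
          listener_filters:
            - name: envoy.listener.proxy_protocol
            - name: envoy.listener.tls_inspector
"""


def parse_envoy_log(log_text):
    """Return (renames, rejected): old->new name map and listener->unregistered name."""
    renames = dict(DEPRECATED.findall(log_text))
    rejected = {listener: name for listener, name in REJECTED.findall(log_text)}
    return renames, rejected


def check_manifest(manifest_text, log_text):
    """Report manifest filter names that the log flags as deprecated or unregistered."""
    renames, rejected = parse_envoy_log(log_text)
    unregistered = set(rejected.values())
    findings = []
    for name in FILTER_NAME.findall(manifest_text):
        if name in renames or name in unregistered:
            findings.append({
                "name": name,
                "suggested": renames.get(name),  # None if the log names no replacement
                "rejected_listeners": sorted(l for l, n in rejected.items() if n == name),
            })
    return findings


if __name__ == "__main__":
    for f in check_manifest(SAMPLE_MANIFEST, SAMPLE_LOG):
        print(f"{f['name']} -> {f['suggested']} (listeners: {f['rejected_listeners']})")
```

It only flags names that the log mentions, so run it again on fresh logs after changing the manifest.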

