Search code examples
kubernetesluaistioenvoyproxy

istio: upgrade envoyfilter on istiogateway to new syntax

I'm trying to apply some Lua code to only the istio-ingressgateway pod. So basically, I want to run some Lua code for every request that comes into the ingressgateway.

I've been able to get this to work with the old deprecated syntax using the filters as show below.

This works on Istio 1.4.6:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: my-filter
  namespace: default
  labels:
     some-labels
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  authn-ns1: enabled
  filters:
  - filterName: envoy.lua
    filterType: HTTP
    listenerMatch:
      listenerType: GATEWAY
      listenerProtocol: HTTP
    filterConfig:
      inlineCode: |
        function envoy_on_request(request_handle)
              request_handle:logDebug("Hello World")
        end

However, I haven't been able to get this to work with the new syntax, and I'm a little confused as to how to piece this together. I've tried to merge the examples from the documentation, https://istio.io/docs/reference/config/networking/envoy-filter/ but haven't had any luck getting this to work.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: my-filter
  namespace: default
spec:
  workloadSelector:
    labels:
      istio: ingress-gateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
       name: envoy.lua
       typed_config:
         "@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
         inlineCode: |
           function envoy_on_request(request_handle)
              request_handle:logDebug("Hello World")
           end

I haven't found too many examples of the new syntax, and none that apply the filter to the ingress gateway. I do have the gateway deployed, but I'm not using sidecar injection.

Do you know how I might craft an envoyfilter such that I can apply Lua code to every inbound request using the new syntax? Are there any good examples of how to do this using the new syntax? Any advice is much appreciated.

Solution

  • Here is what I have tried on istio 1.5.x, I used the test case tests/testdata/networking/envoyfilter-without-service/configs.yaml and changed the workload to istio: ingressgateway to match the istio ingressgateway.

    apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: test-lua
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
        name: envoy.lua
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
          inlineCode: |
            function envoy_on_request(request_handle)
              request_handle:logWarn("Hello World")
            end