
Istio/Envoy edge proxy EnvoyFilter (1.9.0)


I am trying to apply some of the Envoy edge proxy best practice configs to my Istio 1.9.0 deployment and I am struggling to get a successful EnvoyFilter in place. All ingress traffic returns 503 after I apply.

Using istioctl I see the configs are applied and proxy-status appears to be healthy… Any ideas?

---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: connection-control
  namespace: istio-system
spec:
  configPatches:
  - applyTo: CLUSTER
    patch:
      operation: MERGE
      value:
        connect_timeout: 5s
        per_connection_buffer_limit_bytes: 32768 # 32 KiB
        http2_protocol_options:
          initial_stream_window_size: 65536 # 64 KiB
          initial_connection_window_size: 1048576 # 1 MiB
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          common_http_protocol_options:
            idle_timeout: 3600s # 1 hour
            headers_with_underscores_action: REJECT_REQUEST
          http2_protocol_options:
            max_concurrent_streams: 100
            initial_stream_window_size: 65536 # 64 KiB
            initial_connection_window_size: 1048576 # 1 MiB
          stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
          request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests

Note: I have scoured the net and tried basically every possible "working" solution. This config represents what I believe to be the most "correct" solution for 1.9.0. Flow control and connection buffer limiting should be trivial so I must be missing something small.

Thanks in advance for any advice!


Solution

  • So after some tweaking I finally got a working EnvoyFilter deployed:

    apiVersion: networking.istio.io/v1alpha3
    kind: EnvoyFilter
    metadata:
      name: edge-proxy-protocol
      namespace: istio-system
    spec:
      configPatches:
      - applyTo: NETWORK_FILTER
        match:
          # context omitted so that this applies to both sidecars and gateways
          listener:
            filterChain:
              filter:
                name: envoy.filters.network.http_connection_manager
        patch:
          operation: MERGE
          value:
            name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              common_http_protocol_options:
                idle_timeout: 3600s # 1 hour
              http2_protocol_options:
                max_concurrent_streams: 100
                initial_stream_window_size: 65536 # 64 KiB
                initial_connection_window_size: 1048576 # 1 MiB
              stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
              request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
    

    However I was still seeing 30s timeouts on connections I wanted to remain open... turns out there was a timeout at the global LB level. Mystery solved and EnvoyFilter working as designed.
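
To confirm that the merged values actually reached the running proxy, the listener dump can be compared against the patch. The following is an added example, not part of the original question or answer; it assumes the JSON comes from `istioctl proxy-config listener <pod> -n istio-system -o json` with protobuf-JSON (camelCase) field names, and the sample listeners in it are constructed.

```python
import json

# Values from the working EnvoyFilter above, written snake_case as in the patch.
EXPECTED = {
    "common_http_protocol_options.idle_timeout": "3600s",
    "http2_protocol_options.max_concurrent_streams": 100,
    "http2_protocol_options.initial_stream_window_size": 65536,
    "http2_protocol_options.initial_connection_window_size": 1048576,
    "stream_idle_timeout": "300s",
    "request_timeout": "300s",
}
HCM = "envoy.filters.network.http_connection_manager"

def camel(key):
    head, *rest = key.split("_")
    return head + "".join(p.capitalize() for p in rest)

def lookup(cfg, dotted):
    """Follow a dotted snake_case path; accepts snake_case or camelCase keys."""
    for part in dotted.split("."):
        if not isinstance(cfg, dict):
            return None
        cfg = cfg.get(part, cfg.get(camel(part)))
    return cfg

def audit_listeners(listeners, expected=EXPECTED):
    """Return (listener, setting, actual) for each HCM filter lacking a setting."""
    findings = []
    for lis in listeners:
        for chain in lookup(lis, "filter_chains") or []:
            for flt in chain.get("filters", []):
                if flt.get("name") == HCM:
                    cfg = lookup(flt, "typed_config") or {}
                    for path, want in expected.items():
                        got = lookup(cfg, path)
                        if got != want:
                            findings.append((lis.get("name"), path, got))
    return findings

# Constructed sample: listener 8080 carries the patch, listener 8443 does not.
SAMPLE = json.loads("""[
 {"name": "0.0.0.0_8080", "filterChains": [{"filters": [{"name": "envoy.filters.network.http_connection_manager",
  "typedConfig": {"commonHttpProtocolOptions": {"idleTimeout": "3600s"}, "http2ProtocolOptions":
   {"maxConcurrentStreams": 100, "initialStreamWindowSize": 65536, "initialConnectionWindowSize": 1048576},
   "streamIdleTimeout": "300s", "requestTimeout": "300s"}}]}]},
 {"name": "0.0.0.0_8443", "filterChains": [{"filters": [{"name": "envoy.filters.network.http_connection_manager",
  "typedConfig": {"streamIdleTimeout": "0s"}}]}]}
]""")
```

An empty result only covers the proxy itself; an idle timeout on a load balancer in front of the gateway, like the 30s one described above, does not appear in this dump.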