I am trying to set TCP idleTimeout via an Envoy Filter, so that outbound connections external domain some.app.com will be terminated if they are idle for 5s:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: listener-timeout-tcp
namespace: istio-system
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
listener:
filterChain:
sni: some.app.com
filter:
name: envoy.filters.network.tcp_proxy
patch:
operation: MERGE
value:
name: envoy.filters.network.tcp_proxy
typed_config:
'@type': type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy
idle_timeout: 5s
However, when I try to apply this filter I get the following error:
Error from server: error when creating "filter.yaml": admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: envoy filter: missing filters
So, I realised that the EnvoyFilter configuration above is not supported by istio 1.2.5, so I modified the configuration to work with the old version:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-idle-timeout
spec:
workloadSelector:
labels:
app: mecha-dev
filters:
- listenerMatch:
listenerType: SIDECAR_OUTBOUND
listenerProtocol: TCP
filterName: envoy.tcp_proxy
filterType: NETWORK
filterConfig:
idle_timeout: 5s
After modifying the EnvoyFilter was created but it does not seem to have any affect on the outbound requests. Also, I couldn't find a way to restrict this filter to only outbound requests going to external service some.app.com.
Is there something missing in my EnvoyFilter configuration? Also, can we restrict this filter to just some.app.com? There's address option under listenerMatch but what if the IP address of the external service keeps on changing?
Istio and EnvoyProxy version used:
ISTIO_VERSION=1.2.5
ENVOY_VERSION=1.11.0-dev
This is a community wiki answer. Feel free to expand it.
As already discussed in the comments, the EnvoyFilter was not yet supported in Istio version 1.2 and actually that version is no longer in support since Dec 2019.
I strongly recommend upgrading to the latest Istio and Envoy versions. Also, after you upgrade please notice that the filter name you want to use was deprecated and replaced. You should now use envoy.filters.network.tcp_proxy instead of envoy.tcp_proxy.
Please remember that things are getting deprecated for a reason and keeping the old versions will sooner or later bring you more trouble. Try to keep things more up-to-date.
More details can be found in the latest docs.