We use the Envoy 1.24 Docker image and have an Envoy YAML configured to route to service A successfully. After that we decided to go with Envoy external auth.
We did the configuration as per the instructions and got it to work locally. There is an auth service that runs as a Docker image, and we have Envoy running in Docker, pointing to the auth Docker image address.
The problem occurred when we shipped these two services to Google Cloud Run. While we didn't have any auth configured, we successfully managed to trigger gRPC requests on service A. The moment we added external auth and tried to push everything to GCP Cloud Run, we bumped into this issue:

```
upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: immediate connect error: Cannot assign requested address
```
Envoy config looks like this:
Filter:

```yaml
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    grpc_service:
      envoy_grpc:
        cluster_name: auth
    transport_api_version: V3
```
Cluster:

```yaml
- name: auth
  type: STRICT_DNS
  lb_policy: ROUND_ROBIN
  typed_extension_protocol_options:
    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
      "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
      explicit_http_config:
        http2_protocol_options: {}
  load_assignment:
    cluster_name: auth
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: cloud-run-address
              port_value: 443
```
If I try to hit the auth service directly via a gRPC Check request I am able to do so without any issues. Even if I set the URL of the auth service to service A, it resolves successfully and gives me the corresponding error.
Since we use gRPC for communication, all services are HTTP/2 enabled.
What are we doing wrong? We need to be able to authorise using an external auth service hosted on Cloud Run. Any help to get this to work is appreciated. Thanks
Managed to get it working. Had to make a couple of changes to the cluster config:

```yaml
- name: auth
  type: STRICT_DNS
  lb_policy: ROUND_ROBIN
  dns_lookup_family: V4_ONLY
  http2_protocol_options: {}
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
  load_assignment:
    cluster_name: auth
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: internal_ip_address_from_lb
              port_value: 443
```
Furthermore, in the address field I have added the IP address of a load balancer that I have created. The type of load balancer is an internal load balancer, configured to go directly to my Cloud Run auth service.
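The answer above adds a TLS transport socket to the cluster, but the `UpstreamTlsContext` it uses is empty: with no `validation_context`, Envoy does not verify the auth service's certificate, so the connection is encrypted but not authenticated. The fragment below is an added example, not the asker's or answerer's configuration, showing the same ext_authz filter and cluster with the upstream certificate verified against a CA bundle and pinned to an expected SAN, with the non-deprecated `typed_extension_protocol_options` form for HTTP/2, and with `failure_mode_allow` set explicitly so an unreachable auth service denies rather than passes requests. `AUTH_HOST_PLACEHOLDER` and `INTERNAL_LB_IP_PLACEHOLDER` are placeholders for the DNS name on the certificate the load balancer presents and the load balancer's internal IP from the answer; the CA bundle path is the one shipped in the Debian/Ubuntu-based `envoyproxy/envoy` image and is an assumption about the deployment.

```yaml
# Added example (not from the original question or answer).
# Placeholders:
#   AUTH_HOST_PLACEHOLDER      -> DNS name in the certificate the internal load balancer presents
#   INTERNAL_LB_IP_PLACEHOLDER -> the internal load balancer IP used in the answer
# Assumes the CA bundle path of the Debian/Ubuntu-based envoyproxy/envoy image.
http_filters:
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    transport_api_version: V3
    # Deny the request (HTTP 403) when the auth service errors or is unreachable,
    # instead of letting traffic through. This is the default; stated explicitly on purpose.
    failure_mode_allow: false
    grpc_service:
      envoy_grpc:
        cluster_name: auth
      # Bound how long a request waits on the Check() call.
      timeout: 2s

clusters:
- name: auth
  type: STRICT_DNS
  lb_policy: ROUND_ROBIN
  connect_timeout: 1s
  # Cloud Run's container network is IPv4-only; resolving AAAA records and trying to
  # connect to them is a common source of "Cannot assign requested address".
  dns_lookup_family: V4_ONLY
  typed_extension_protocol_options:
    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
      "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
      explicit_http_config:
        http2_protocol_options: {}
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      # SNI must match the certificate the load balancer serves for the auth backend.
      sni: AUTH_HOST_PLACEHOLDER
      common_tls_context:
        alpn_protocols: ["h2"]
        validation_context:
          # Verify the chain against a trusted CA bundle; for a private CA on the
          # internal load balancer, point this at that CA's PEM instead.
          trusted_ca:
            filename: /etc/ssl/certs/ca-certificates.crt
          # Also require the expected hostname in the certificate's SAN list, so a
          # valid-but-wrong certificate behind the same IP is rejected.
          match_typed_subject_alt_names:
          - san_type: DNS
            matcher:
              exact: AUTH_HOST_PLACEHOLDER
  load_assignment:
    cluster_name: auth
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: INTERNAL_LB_IP_PLACEHOLDER
              port_value: 443
```

Before shipping, `envoy --mode validate -c envoy.yaml` checks that the fragment parses and that every `@type` resolves without starting the proxy. A TLS handshake failure after this change (visible as `upstream_cx_connect_fail` or `ssl.fail_verify_*` counters on the `auth` cluster in `/stats`) means the certificate the load balancer presents does not match `sni`/the SAN matcher, which is the condition the empty context in the answer would have silently accepted.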