Is it possible to write an envoy plugin that would resolve request destination at runtime?
Problem I'm trying to solve:
- requests arrive at xxxx.foo.com where cardinality of xxxx is high (there is wildcard DNS entry)
- requests are authorized
- there is in memory dynamic database that maps xxxx values to internal IP:port pair that request must be forwarded to. Mappings change frequently.
What is the easiest way to to have envoy route requests to correct destination?
I ended up using a combination of xDS protocol and external auth endpoint.
- Envoy is configured to get cluster and route configuration via xDS from control plane. See: https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol
envoy.filters.http.ext_authz
filter is added so that Envoy would make a gRPC request for each incoming HTTP request.
- A "blackhole" cluster is configured that doesn't correspond to any real service.
- A wildcard route is configured that routes all requests to the "blackhole" cluster.
When HTTP request arrives, Envoy has to make a routing decision immediately. At this point is too late to add new routes and cluster definitions so following trick is used:
- Envoy routes the request to "backhole" cluster based on existing configuration
- Envoy makes a request to
ext_authz
endpoint. The service providing this endpoint blocks the auth request while it figures out where it should be routed.
- The service pushes cluster and route information to Envoy via xDS.
- Service responds to the blocked auth request with
DeniedHttpResponse
that contains 302
redirect to the same URL.
- Client receives the 302 redirect response and re-issues the request.
- When envoy gets this second request, routing rule and cluster definition are already configured so it routes the request to the correct destination.