EnvoyFilterUsesRelativeOperationWithProxyVersion

EnvoyFilter 没有设置优先级并没有使用相关补丁操作 (INSERT_BEFORE/AFTERREPLACEMERGEDELETE) 和 proxyVersion 时会出现此消息,这可能会导致 EnvoyFilter 升级期间没有被应用。使用 INSERT_FIRSTADD 选项或设置优先级可能有助于确保 EnvoyFilter 被正确应用。 关注 proxyVersion 的原因是,在升级后,proxyVersion 可能会发生变化, 升级后它的使用顺序可能不同于升级前的顺序。

示例

考虑一个 EnvoyFilter 的补丁操作 REPLACE,并使用 proxyVersion

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: test-replace-3
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews4
  configPatches:
    # 第一个补丁将 Lua 过滤器添加到 listener/http 连接管理器
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_OUTBOUND
      proxy:
        proxyVersion: '^1\.11.*'
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.router"
    patch:
      operation: REPLACE
      value: # Lua 过滤器规范
       name: envoy.lua
       typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            function envoy_on_request(request_handle)
              -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
              local headers, body = request_handle:httpCall(
               "lua_cluster",
               {
                [":method"] = "POST",
                [":path"] = "/acl",
                [":authority"] = "internal.org.net"
               },
              "authorize call",
              1000)
            end

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: test-replace-4
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews4
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: REPLACE
      value: # Lua 过滤器规范
       name: envoy.lua
       typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            function envoy_on_request(request_handle)
              -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
              local headers, body = request_handle:httpCall(
               "lua_cluster",
               {
                [":method"] = "POST",
                [":path"] = "/acl",
                [":authority"] = "internal.org.net"
               },
              "authorize call",
              5000)
            end

如何修复

因为 REPLACE 的相关操作是与 proxyVersion 一起使用, 所以添加 priority 可以解决这个问题:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: test-replace-3
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews4
  priority: 10
  configPatches:
    # 第一个补丁将 Lua 过滤器添加到 listener/http 连接管理器
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_OUTBOUND
      proxy:
        proxyVersion: '^1\.11.*'
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.router"
    patch:
      operation: REPLACE
      value: # Lua 过滤器规范
       name: envoy.lua
       typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            function envoy_on_request(request_handle)
              -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
              local headers, body = request_handle:httpCall(
               "lua_cluster",
               {
                [":method"] = "POST",
                [":path"] = "/acl",
                [":authority"] = "internal.org.net"
               },
              "authorize call",
              1000)
            end

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: test-replace-4
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews4
  priority: 20
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: REPLACE
      value: #Lua filter specification
       name: envoy.lua
       typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            function envoy_on_request(request_handle)
              -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
              local headers, body = request_handle:httpCall(
               "lua_cluster",
               {
                [":method"] = "POST",
                [":path"] = "/acl",
                [":authority"] = "internal.org.net"
               },
              "authorize call",
              5000)
            end