Applying EnvoyFilter to the virtual listener

Networking
1

Is it possible to apply an EnvoyFilter resource to the "virtual" filter on 0.0.0.0:15001 ?

Using the right ListenerMatch config (https://istio.io/docs/reference/config/networking/v1alpha3/envoy-filter/#EnvoyFilter-ListenerMatch) would it be possible to insert a new Filter in the FilterChain inserted before the BlackHoleCluster or PassthroughCluster (1.1+) ?

[
    {
        "name": "virtual",
        "address": {
            "socketAddress": {
                "address": "0.0.0.0",
                "portValue": 15001
            }
        },
        "filterChains": [
            {
                "filters": [
                    {
                        "name": "envoy.tcp_proxy",
                        "config": {
                            "cluster": "PassthroughCluster",
                            "stat_prefix": "PassthroughCluster"
                        }
                    }
                ]
            }
        ],
        "useOriginalDst": true
    }
]

I am aware of a newer version of EnvoyFilter that will be added in the upcoming releases that would address my specific use case, (see https://github.com/istio/api/pull/899) but I was hoping I could make do with the current version of the Resource, by inserting my cluster as the default cluster as follows,

[
    {
        "name": "virtual",
        "address": {
            "socketAddress": {
                "address": "0.0.0.0",
                "portValue": 15001
            }
        },
        "filterChains": [
            {
                "filters": [
                    {
                        // INSERT
                        // custom (default) filter here
                    }
                    {
                        "name": "envoy.tcp_proxy",
                        "config": {
                            "cluster": "PassthroughCluster",
                            "stat_prefix": "PassthroughCluster"
                        }
                    }
                ]
            }
        ],
        "useOriginalDst": true
    }
]
1 Like
2

Tried the following EnvoyFilter spec but I can’t figure out where/how to debug it. I looked at the envoy config on the targeted pod but it doesn’t seem to have taken affect :confused:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: hello-world-filter
  namespace: fed-example
spec:
  workloadLabels:
    app: hello-world-app
  filters:
  - listenerMatch:
      portNumber: 15001
      listenerType: SIDECAR_OUTBOUND
      listenerProtocol: TCP
      address: 0.0.0.0
    filterName: envoy.tcp_proxy
    filterType: NETWORK
    filterConfig:
      cluster: "BlackHoleCluster"
      stat_prefix: "BlackHoleCluster"

Envoy config on workload pod,

  {
     "version_info": "2019-07-10T18:32:57Z/34",
     "listener": {
      "name": "virtual",
      "address": {
       "socket_address": {
        "address": "0.0.0.0",
        "port_value": 15001
       }
      },
      "filter_chains": [
       {
        "filters": [
         {
          "name": "envoy.tcp_proxy",
          "config": {
           "stat_prefix": "PassthroughCluster",
           "cluster": "PassthroughCluster"
          }
         }
        ]
       }
      ],
      "use_original_dst": true
     },
     "last_updated": "2019-07-10T18:33:00.883Z"
    },
3

Created an issue regarding this - https://github.com/istio/istio/issues/15527

4

sorry. the current envoy filter does not apply to virtual listeners. They are added after all envoy filters have been applied. I am trying to fix all of these in the newer implementation.