Can't get EnvoyFilter to work

Hi team,

I have the pod and service definition as follows:

---

kind: Pod
apiVersion: v1
metadata:
  name: stable-http-echo-app
  labels:
    app: stable
spec:
  containers:
    - name: http-echo-app
      image: hashicorp/http-echo
      ports:
      - containerPort: 5678
      args:
        - "-text=stable"

---

kind: Service
apiVersion: v1
metadata:
  name: stable-echo-service
spec:
  selector:
    app: stable
  ports:
    - port: 5678
      targetPort: 5678

This service is working fine as expected.

I wanted to make use of EnvoyFilter to make another HTTP call to a service inside the cluster to check for authentication status. Before making the call to this auth service, I want to get the cookie from this service and pass it as a header to the auth service.

As I am a first-time user, I just started with printing some basic info and adding response headers with EnvoyFilter; however, I couldn't make it work. Below is my EnvoyFilter spec:

--- 
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata: 
  name: stable-lua
spec: 
  filters: 
    - 
      filterConfig: 
        inlineCode: |
            function envoy_on_request(request_handle)
              local cookie = request_handle:headers():get("Cookie")
              request_handle:logInfo("reading cookies from headers")
              request_handle:logInfo(cookie or "no Cookie header")
            end
            function envoy_on_response(response_handle)
              response_handle:headers():add("x-this","works")
            end
      filterName: envoy.lua
      filterType: HTTP
      listenerMatch: 
        portNumber: 5678
        listenerType: ANY
  workloadLabels: 
    app: stable

The problem is I do not see any errors or logs in istio-proxy. So, I am a little concerned whether my EnvoyFilter is getting detected or not.

I do see the following warning in istio-pilot: "Ignoring filter envoy.lua. Cannot insert HTTP filter in network filter chain"

Can anyone suggest what I am doing wrong?

OK, here I am answering my own question for anyone facing a similar problem.

I was able to figure out the problem for this. The problem is that we have to explicitly add a name to the ports. If I set the name to http explicitly, the filter gets applied to the listener.

Similar issue that helped debugging and solving: https://github.com/istio/istio/issues/9716
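
The fix described above, written out as an added example (not part of the original post): the Service from the question with its port named http. Istio reads the protocol from the port name, and the pilot warning in the question ("Cannot insert HTTP filter in network filter chain") is what shows up when the port is not recognized as HTTP.

```yaml
kind: Service
apiVersion: v1
metadata:
  name: stable-echo-service
spec:
  selector:
    app: stable
  ports:
    # Istio port naming convention: <protocol>[-<suffix>], e.g. http or http-echo.
    # With a recognized HTTP name the listener gets an HTTP connection manager,
    # so an HTTP filter such as envoy.lua has a chain to be inserted into.
    - name: http
      port: 5678
      targetPort: 5678
```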

Can you share the YAML config?
For me it still doesn't work.

An example filter applied to GATEWAY:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: gateway
spec:
  workloadLabels:
    app: istio-ingressgateway
  filters:
  - listenerMatch:
      listenerType: GATEWAY
      portNumber: 443
      listenerProtocol: HTTP
    filterName: envoy.lua
    filterType: HTTP
    insertPosition:
      index: FIRST
    filterConfig:
      inlineCode: |
        function envoy_on_request(request_handle)
            request_handle:logWarn("envoy_on_request")
        end

        function envoy_on_response(response_handle)
            response_handle:logWarn("envoy_on_response")
        end

Could you let me know where I can see these envoy_on_request and envoy_on_response logs?

Lua is one of the Envoy filters, so you can enable it by setting "proxyComponentLogLevel" in the gateway deployment YAML file; you can modify it in the installation phase or edit it directly at runtime.

It looks like:
//- --proxyComponentLogLevel=lua.debug,misc.debug

Thanks for your help. Could you let me know how I provide a command-line option in a YAML file?

"--proxyComponentLogLevel=lua.debug,misc.debug" seems more like a command-line option.

Also, could you please help with my other issue below?

Hello, to apply this, but to validate through an internal service, how would EnvoyFilter be?

Looks like this is using deprecated methods now. Would love to see how this looks using the configPatches method.

Try to find the answer in Lua — envoy 1.18.0-dev-b4b824 documentation

Keyword: request_handle:httpCall

The cluster should be something like outbound|80||internal-service-name.beta.svc.cluster.local

Also, I had an article which may help: Istio: Custom User Authentication with EnvoyFilter | by xring | Medium

Be careful about version changes.

For my filter, which is applied to GATEWAY, you should find the logs in the istio-ingressgateway instance.

If you applied it to SIDECAR_INBOUND, you should find the logs in the istio-proxy container.

So, first: in recent Istio versions the EnvoyFilter YAML structure has changed. It should look like:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: header-printer
  namespace: my-app-namespace
spec:
  workloadSelector:
    labels:
      app: myapp
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          portNumber: 8080
          filterChain:
            filter:
              name: 'envoy.filters.network.http_connection_manager'
              subFilter:
                name: 'envoy.filters.http.router'
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.lua
          typed_config:
            "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
            inlineCode: |
              function envoy_on_request(request_handle)
                -- Logs every request header, including Cookie and Authorization values.
                local headers_log = ""
                for header, value in pairs(request_handle:headers()) do
                    headers_log = headers_log .. "\n\t" .. header .. ": " .. value
                end
                request_handle:logWarn("Got request with headers:" .. headers_log)
              end
              end
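
The authentication check asked about earlier in the thread, written with configPatches and request_handle:httpCall, as an added example that is not from any poster in this thread. It reuses the pod label and port from the question and the cluster name format quoted above; the filter name, the /auth/check path, the x-session-cookie header and the 2000 ms timeout are assumptions.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: stable-lua-auth              # hypothetical name
spec:
  workloadSelector:
    labels:
      app: stable                    # pod label from the question
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          portNumber: 5678
          filterChain:
            filter:
              name: envoy.filters.network.http_connection_manager
              subFilter:
                name: envoy.filters.http.router
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.lua
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
            inlineCode: |
              function envoy_on_request(request_handle)
                local cookie = request_handle:headers():get("cookie")
                if cookie == nil then
                  -- No cookie at all: reject without calling the auth service.
                  request_handle:respond({[":status"] = "401"}, "missing cookie")
                  return
                end
                -- Synchronous call; the script resumes when the auth service answers.
                local headers, body = request_handle:httpCall(
                  "outbound|80||internal-service-name.beta.svc.cluster.local",
                  {
                    [":method"] = "GET",
                    [":path"] = "/auth/check",        -- hypothetical path
                    [":authority"] = "internal-service-name.beta.svc.cluster.local",
                    ["x-session-cookie"] = cookie     -- hypothetical header name
                  },
                  "", 2000)
                -- Fail closed: only an explicit 200 lets the request through.
                if headers[":status"] ~= "200" then
                  request_handle:logWarn("auth check denied, status " .. tostring(headers[":status"]))
                  request_handle:respond({[":status"] = "403"}, "forbidden")
                end
              end
```

The cookie value itself is never written to the proxy log; only the auth service's status code is.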