Enable proxy protocol from Istio to upstreams

Networking
1

Hi all! I have need of enabling the proxy protocol for upstreams - that is, I want to originate the PROXY header from Istio. I found some documentation related to this on Envoy’s site so it seems doable, I’m just not sure how to set up the filter correctly. Here’s what I have so far:

  configPatches:
  - applyTo: NETWORK_FILTER
    patch:
      operation: INSERT_FIRST
      value:
        transport_socket:
          name: envoy.transport_sockets.upstream_proxy_protocol
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport
            config:
              version: V1
            transport_socket:
              name: envoy.transport_sockets.raw_buffer

I’ve tried various permutations of applyTo and operation with no success to this point. Does anyone have a pointer as to what I might try next?

2

I was able to get it working with the following filter, running on Istio 1.8.5:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: proxy-protocol-v1
  namespace: istio-system
spec:
  configPatches:
  - applyTo: CLUSTER
    patch:
      operation: MERGE
      value:
        transport_socket:
          name: envoy.transport_sockets.upstream_proxy_protocol
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport
            config:
              version: V2
            transport_socket:
              name: "envoy.transport_sockets.raw_buffer"
  workloadSelector:
    labels:
      istio: internal-ingressgateway
1 Like
3

it’s not working now, but I found dirty workaround: Upstream TCP with proxy protocol · Issue #44342 · istio/istio · GitHub