EnvoyFilter BookInfo example doesn't work

Networking
1

I’m going through the examples on EnvoyFilters and have deployed the BookInfo application to try out the second example but the added lua http filter is never executed.

My setup is
docker-desktop
istio version 1.4.3
istio default profile
kubectl apply -f istio-1.4.3/samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f istio-1.4.3/samples/bookinfo/networking/bookinfo-gateway.yaml
kubectl apply -f istio-1.4.3/samples/bookinfo/networking/destination-rule-all.yaml
kubectl apply -f istio-1.4.3/samples/bookinfo/networking/virtual-service-all-v1.yaml

After this I can hit http://localhost/productpage in my browser which correctly shows the product page with the v1 reviews content.
I then added the below envoy filter adapted slightly from the example.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: reviews-filter
  namespace: default
spec:
  workloadSelector:
    labels:
      app: reviews
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 9080
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
       name: envoy.lua
       config:
         inlineCode: |
           function envoy_on_request(request_handle)
               request_handle:logWarn("envoy_on_request")
               request_handle:respond(
                  {[":status"] = "403",
                  ["upstream_foo"] = headers["foo"]},
                  "nope")
           end

Things I had to change here are the name and namespace, the portNumber from 8080 to 9080 (this seems to be an error in the example) and the lua script to log a warning and respond with 403.

According to the doc this should enable the lua filter for all inbound http calls arriving at service port 9080 of the reviews service pod with label ‘app: reviews’, in the default namespace.
However this is not happening as http://localhost/productpage still shows the v1 reviews content and I see no warning appear in the logs for istio-proxy of reviews-v1

Running
istioctl pc listeners reviews-v1-75b979578c-pzgtw.default --port 9080 -o json
shows that the lua script has been applied to the to the inbound listener listening on port 9080

Am I missing something? Why isn’t the lua script being called with the request?

1 Like
3

I think it is a bug, you can try the following one which I tested and it can worked.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: reviews-lua
  namespace: default
spec:
  workloadLabels:
    app: reviews
  filters:
  - listenerMatch:
      portNumber: 9080
      listenerType: SIDECAR_INBOUND # will match with the inbound listener for reviews:8080
      listenerProtocol: HTTP
    filterName: envoy.lua
    filterType: HTTP
    filterConfig:
      inlineCode: |
        function envoy_on_request(request_handle)
          request_handle:logWarn("envoy_on_request")
          request_handle:respond(
            {[":status"] = "403"},
            "nope")
        end

The main difference with yours and mine is

  1. after your yaml file configured, it only modify one listener which name “172.17.0.7_9080”
  2. after my yaml file configured. it will modify two listener 172.17.0.7_9080 and virtualInbound (0.0.0.0: 15006)

I think that is root cause why your configuration failed. But from my view, your yaml is also ok, so it is a bug.

4

This worked for me. Thanks
Looks like there is an open ticket for it https://github.com/istio/istio/issues/19549