Help! 503 upstream reset: reset reason: connection termination

Kubernetes Version: v1.23.8
rancher-istio:100.4.0+up1.14.1

I got a few errors from istio-proxy. I’m using an EnvoyFilter to intercept each request, but sometimes the call to “http://idserverflexunified.platform-dev/api/token/exchange/v2” gets 503 errors.

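---
# EnvoyFilter that inserts a Lua HTTP filter on inbound port 80 of the
# selected workloads and registers the cluster the Lua code calls.
# Restored from a paste that had lost its indentation, list dashes and
# ASCII quotes; keys and values are unchanged.
# metadata (name, namespace) is not shown in the post; add it before applying.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
spec:
  configPatches:
    # Patch 1: run the Lua filter just before the router filter.
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: envoy.filters.network.http_connection_manager
              subFilter:
                name: envoy.filters.http.router
          portNumber: 80
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.lua
          typed_config:
            # Quoted: a plain YAML scalar may not start with '@'.
            '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
            inlineCode: |
              -- Per-request hook: either strips `authorization`, leaves the
              -- request untouched, or exchanges `x-access-token` for an
              -- `authorization` value via the "lua_cluster" upstream.
              function envoy_on_request(request_handle)
                -- ":path" carries the query string too, so the comparisons
                -- below are exact matches on the whole path.
                local uri = request_handle:headers():get(":path")
                -- request_handle:logWarn(uri)
                -- NOTE(review): "noauth", "tokenexchange" and "jwtauth" are
                -- read from the incoming request as-is. When "tokenexchange"
                -- or "jwtauth" is "true" the incoming `authorization` header
                -- is forwarded unchanged. Confirm the mesh edge strips these
                -- headers from external traffic and that the workload (or a
                -- RequestAuthentication/AuthorizationPolicy) still validates
                -- `authorization`.
                local noauth = request_handle:headers():get("noauth")
                if (noauth == "true" or uri == '/observation/metrics' or uri == '/health') then
                  request_handle:headers():remove("authorization")
                elseif (request_handle:headers():get("tokenexchange") ~= "true") then
                  local jwtauth = request_handle:headers():get("jwtauth")
                  if (jwtauth ~= "true") then
                    local auth = request_handle:headers():get("x-access-token")
                    request_handle:headers():remove("authorization")
                    -- Blocking call with a 5000 ms timeout.
                    -- NOTE(review): the Basic credential below is part of the
                    -- EnvoyFilter spec, so it is readable by anyone who can
                    -- read this resource or the sidecar's config dump; restrict
                    -- access accordingly and rotate it if this manifest was
                    -- ever shared unredacted.
                    local headers, body = request_handle:httpCall(
                      "lua_cluster",
                      {
                        [":method"] = "POST",
                        [":path"] = "/api/token/exchange/v2",
                        [":authority"] = "idserverflexunified.platform-dev",
                        ["authorization"] = "Basic zzzzz==",
                        ["x-access-token"] = auth,
                        ["tokenexchange"] = "true"
                      },
                      "authorize call",
                      5000)
                    local status = headers[":status"]
                    if (status == "200") then
                      request_handle:headers():add("authorization", headers["authorization"])
                    else
                      -- Any non-200 from the exchange is relayed to the client
                      -- with the same status. Envoy reports a failed httpCall
                      -- (reset, timeout) to the script as a 503 -- TODO confirm
                      -- for this proxy version -- so logging `status` here
                      -- (never the token) separates exchange failures from
                      -- application 503s.
                      -- NOTE(review): the caller's x-access-token is echoed in
                      -- the response headers; drop it unless a client needs it.
                      request_handle:respond(
                        {
                          [":status"] = status,
                          ["x-access-token"] = auth
                        },
                        "nope")
                    end
                  end
                end
              end
    # Patch 2: the upstream cluster used by httpCall("lua_cluster", ...).
    # NOTE(review): no transport_socket is set, so as written the exchange
    # call (client token plus Basic credential) goes to port 80 in plaintext
    # rather than over mesh mTLS; confirm that is acceptable.
    - applyTo: CLUSTER
      match:
        context: SIDECAR_OUTBOUND
      patch:
        operation: ADD
        value:
          connect_timeout: 5s
          lb_policy: ROUND_ROBIN
          load_assignment:
            cluster_name: lua_cluster
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: idserverflexunified.platform-dev
                          port_value: 80
                          protocol: TCP
          name: lua_cluster
          type: STRICT_DNS
  # Applies only to workloads labelled tokenproxy="true" (string, so quoted).
  workloadSelector:
    labels:
      tokenproxy: "true"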