Kubernetes Version: v1.23.8
rancher-istio:100.4.0+up1.14.1
I'm getting a few errors from istio-proxy. I'm using an EnvoyFilter to intercept each request, but the call to "http://idserverflexunified.platform-dev/api/token/exchange/v2" sometimes returns 503 errors.
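apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
spec:
  configPatches:
  # Patch 1: insert a Lua HTTP filter ahead of the router on the inbound
  # port-80 listener of the selected workloads.
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
        portNumber: 80
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.lua
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            -- Inbound request hook. For requests that are not exempt, the
            -- caller's x-access-token is sent to the token-exchange endpoint
            -- and the Authorization header it returns is attached to the
            -- request; if the exchange fails the request is rejected here.
            --
            -- NOTE(review): "noauth", "jwtauth" and "tokenexchange" are read
            -- from the incoming request, so any caller that can reach this
            -- sidecar can set them. "jwtauth: true" or "tokenexchange: true"
            -- skips the exchange and leaves the caller's own Authorization
            -- header in place. Unless something in front of this workload
            -- strips or validates these headers (ingress gateway, an
            -- AuthorizationPolicy), the application must not treat the
            -- presence of Authorization as proof that the exchange ran.
            function envoy_on_request(request_handle)
              local uri = request_handle:headers():get(":path")
              -- request_handle:logWarn(uri)
              local noauth = request_handle:headers():get("noauth")
              if (noauth == "true" or uri == "/observation/metrics" or uri == "/health") then
                -- Exempt paths: forward without any Authorization header.
                -- ":path" includes the query string, so "/health?x=1" is
                -- not exempt and goes through the exchange.
                request_handle:headers():remove("authorization")
              elseif (request_handle:headers():get("tokenexchange") ~= "true") then
                local jwtauth = request_handle:headers():get("jwtauth")
                if (jwtauth ~= "true") then
                  local auth = request_handle:headers():get("x-access-token")
                  -- Drop whatever Authorization the caller sent; only the
                  -- value returned by the exchange is forwarded.
                  request_handle:headers():remove("authorization")
                  -- NOTE(review): the Basic credential below lives in the
                  -- EnvoyFilter object and in the proxy's config dump, so it
                  -- is readable by anyone with access to either.
                  -- If auth is nil the x-access-token key is simply omitted
                  -- from the call and the endpoint decides the outcome.
                  local headers = request_handle:httpCall(
                    "lua_cluster",
                    {
                      [":method"] = "POST",
                      [":path"] = "/api/token/exchange/v2",
                      [":authority"] = "idserverflexunified.platform-dev",
                      ["authorization"] = "Basic zzzzz==",
                      ["x-access-token"] = auth,
                      ["tokenexchange"] = "true"
                    },
                    "authorize call",
                    5000)
                  local status = headers[":status"]
                  local exchanged = headers["authorization"]
                  if (status == "200" and exchanged ~= nil) then
                    request_handle:headers():add("authorization", exchanged)
                  else
                    -- Fail closed. A 200 without an Authorization header, or
                    -- a reply without a status, is answered with 502 instead
                    -- of raising a script error and letting the request
                    -- continue unauthenticated.
                    -- Envoy's Lua filter reports a failed httpCall (connect
                    -- failure, reset, or the 5000 ms timeout) as a 503, so
                    -- intermittent 503s seen by clients may originate from
                    -- this call; the warning below makes that visible in the
                    -- sidecar log. The token itself is never logged.
                    local reject_status = status
                    if (reject_status == nil or reject_status == "200") then
                      reject_status = "502"
                    end
                    request_handle:logWarn(
                      "token exchange failed, status=" .. tostring(status))
                    -- NOTE(review): the caller's access token is echoed back
                    -- in a response header, where proxies and access logs on
                    -- the return path can record it; confirm this is needed.
                    request_handle:respond(
                      {
                        [":status"] = reject_status,
                        ["x-access-token"] = auth
                      },
                      "nope")
                  end
                end
              end
            end
  # Patch 2: define the cluster that httpCall("lua_cluster", ...) targets.
  # NOTE(review): no transport_socket is configured here, so the exchange
  # call, which carries the Basic credential and the caller's access token,
  # leaves the sidecar as plaintext HTTP on port 80 unless another layer
  # encrypts it.
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value:
        connect_timeout: 5s
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: lua_cluster
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: idserverflexunified.platform-dev
                    port_value: 80
                    protocol: TCP
        name: lua_cluster
        type: STRICT_DNS
  # Only workloads labelled tokenproxy=true receive both patches.
  workloadSelector:
    labels:
      tokenproxy: "true"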