Hello,
I am trying to add an additional header to incoming requests to my microservices using an Envoy Filter. To get the value of this new header I want to make an upstream HTTP call to the K8s API of the same K8s Cluster as I want to read a ConfigMap and set the header according to values in it.
I am using this example from the documentation as a reference (from here: Istio / Envoy Filter):
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: reviews-lua
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews
  configPatches:
  # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
        name: envoy.lua
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            function envoy_on_request(request_handle)
              -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
              local headers, body = request_handle:httpCall(
                "lua_cluster",
                {
                  [":method"] = "POST",
                  [":path"] = "/acl",
                  [":authority"] = "internal.org.net"
                },
                "authorize call",
                5000)
            end
  # The second patch adds the cluster that is referenced by the lua code
  # cds match is omitted as a new cluster is being added
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value: # cluster specification
        name: "lua_cluster"
        type: STRICT_DNS
        connect_timeout: 0.5s
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: lua_cluster
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    protocol: TCP
                    address: "internal.org.net"
                    port_value: 8888
```
I am replacing the cluster address and [:authority] header and I tried to set them to:-
- kubernetes.default.svc:- If I do this, I get the following response body from httpCall():- “Client sent an HTTP request to an HTTPS server.”
- kubernetes API Hostname that the kubeconfig contains. Using this I get the following response body from httpCall():- “upstream connect error or disconnect/reset before headers. reset reason: connection termination”
I am passing the correct Authorization token as well as a header in the httpCall().
I have also been setting up destination rules for the above addresses.
Can anyone please help me out with letting me know what I am doing wrong or even if this is the correct way to call the k8s api of the cluster that the envoy sidecar is part of? Any help would be greatly appreciated.
Thank you and kind regards.
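
The cluster in the documentation example has no TLS settings, so Envoy speaks plaintext HTTP to it, which matches the first error quoted above. The following cluster patch is an added example, not part of the original post or the Istio documentation: it originates TLS to the API server and verifies its certificate. The cluster name `k8s_api_cluster`, port 443, and the CA path being mounted in the sidecar container are assumptions; the Lua `httpCall()` would need to reference this cluster name.

```yaml
# Added example (assumptions: cluster name, port 443, CA file mounted in istio-proxy).
- applyTo: CLUSTER
  match:
    context: SIDECAR_OUTBOUND
  patch:
    operation: ADD
    value:
      name: "k8s_api_cluster"          # hypothetical name
      type: STRICT_DNS
      connect_timeout: 0.5s
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: k8s_api_cluster
        endpoints:
        - lb_endpoints:
          - endpoint:
              address:
                socket_address:
                  protocol: TCP
                  address: "kubernetes.default.svc"
                  port_value: 443      # HTTPS port of the in-cluster API service
      # Without a transport_socket Envoy sends plaintext HTTP on this cluster,
      # which yields "Client sent an HTTP request to an HTTPS server."
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext"
          sni: "kubernetes.default.svc"
          common_tls_context:
            validation_context:
              # Cluster CA from the pod's service account volume, so the
              # API server certificate chain is actually verified.
              trusted_ca:
                filename: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
              # Pin the expected hostname as well as the chain
              # (older Envoy versions use match_subject_alt_names instead).
              match_typed_subject_alt_names:
              - san_type: DNS
                matcher:
                  exact: "kubernetes.default.svc"
```

The service account whose token is sent in the `Authorization` header should be bound to a Role that allows only `get` on the one ConfigMap being read.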