Unable to create EnvoyFilter for ext_proc

Config
1

Hi,

I tried to apply the following EnvoyFilter configuration:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ingress-ext-proc
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.ext_proc
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor"
          failure_mode_allow: false
          message_timeout:
            seconds: 10
          processing_mode:
            request_body_mode: BUFFERED
            response_body_mode: BUFFERED
          grpc_service:
            timeout:
              seconds: 10
            google_grpc:
              target_uri: <REDACTED>:<REDACTED>
              stat_prefix: waap

However, I received this error:
Error from server: error when creating "ingress_ext_proc.yaml": admission webhook "validation.istio.io" denied the request: configuration is invalid: Envoy filter: could not resolve Any message type: type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor

I believe this should work as pkg/config/xds/filter_types.gen.go for v1.12.1 (which I’m using) contains an import for the v3 ext_proc filter.

istioctl validate reports the same error, but istioctl analyze finds no validation issues.

The same filter configuration has been tested successfully with Envoy 1.20.0 & 1.20.1.
Istio 1.12.1 is using Envoy 1.20.1. Not sure what I’m missing.

Thanks!

2

Nevermind, I just got this to work by replacing the typed_config of the filter with a generic udpa.type.v1.TypedStruct container as follows:

patch:
  operation: INSERT_BEFORE
  value:
    name: envoy.filters.http.ext_proc
    typed_config:
      "@type": type.googleapis.com/udpa.type.v1.TypedStruct
      type_url: "type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor"
      value:
        failure_mode_allow: false
        message_timeout:
          seconds: 10
        processing_mode:
          request_body_mode: BUFFERED
          response_body_mode: BUFFERED
        grpc_service:
          timeout:
            seconds: 10
          google_grpc:
            target_uri: <REDACTED>:<REDACTED>
            stat_prefix: waap

That took some digging because Istio’s EnvoyFilter reference does not detail when and why TypedStruct should be used, but I did find some information about this in Envoy’s docs:
"In case the control plane lacks the schema definitions for an extension, xds.type.v3.TypedStruct should be used as a generic container. The type URL inside it is then used by a client to convert the contents to a typed configuration resource."

This also helped: istio/istio#35391.

So Istio probably doesn’t recognize the filter’s schema definition yet, which is strange because I was able to use it explicitly back when it was still under v3alpha (with Istio 1.10). Well, I guess this will do for now.