Hello.
So I have a very unique situation.
Problem
Virtual service route rules are not applied. We have a buzzfeed sso setup in our cluster. We want to modify response headers, i.e. add a header to each request that matches the URI sign_in.
Buzzfeed sso has its own namespace.
Now, to accomplish this, I have created a virtual service.
Steps to Reproduce:
We used this virtual service spec to create the route rules.
Virtual Service
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: sso-auth-injector
spec:
  hosts:
  - sso-auth
  http:
  - match:
    - uri:
        prefix: /sign_in
      ignoreUriCase: true
    route:
    - destination:
        host: sso-auth
      headers:
        response:
          add:
            foo: bar
        request:
          add:
            hello: world
  - uri:
```
Analysis
1) istioctl x describe has output
```
Pod: sso-auth-58744b56cd-lwqrh.sso
   Pod Ports: 4180 (sso-auth), 15090 (istio-proxy)
Suggestion: add 'app' label to pod for Istio telemetry.
Suggestion: add 'version' label to pod for Istio telemetry.
Service: sso-auth.sso
   Port: http 80/HTTP targets pod port 4180
Pod is PERMISSIVE (enforces HTTP/mTLS) and clients speak HTTP
VirtualService: sso-auth-injector.sso
   /sign_in uncased
```
2) Istioctl . Not attaching all the rules but for outbound|80|
```json
"routes": [
  {
    "match": {
      "prefix": "/sign_in",
      "caseSensitive": false
    },
    "route": {
      "cluster": "outbound|80||sso-auth.sso.svc.cluster.local",
      "timeout": "0s",
      "retryPolicy": {
        "retryOn": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
        "numRetries": 2,
        "retryHostPredicate": [
          {
            "name": "envoy.retry_host_predicates.previous_hosts"
          }
        ],
        "hostSelectionRetryMaxAttempts": "5",
        "retriableStatusCodes": [
          503
        ]
      },
      "maxGrpcTimeout": "0s"
    },
    "metadata": {
      "filterMetadata": {
        "istio": {
          "config": "/apis/networking/v1alpha3/namespaces/sso/virtual-service/sso-auth-injector"
        }
      }
    },
    "decorator": {
      "operation": "sso-auth.sso.svc.cluster.local:80/sign_in"
    },
    "typedPerFilterConfig": {
      "mixer": {
        "@type": "type.googleapis.com/istio.mixer.v1.config.client.ServiceConfig",
        "disableCheckCalls": true,
        "mixerAttributes": {
          "attributes": {
            "destination.service.host": {
              "stringValue": "sso-auth.sso.svc.cluster.local"
            },
            "destination.service.name": {
              "stringValue": "sso-auth"
            },
            "destination.service.namespace": {
              "stringValue": "sso"
            },
            "destination.service.uid": {
              "stringValue": "istio://sso/services/sso-auth"
            }
          }
        },
        "forwardAttributes": {
          "attributes": {
            "destination.service.host": {
              "stringValue": "sso-auth.sso.svc.cluster.local"
            },
            "destination.service.name": {
              "stringValue": "sso-auth"
            },
            "destination.service.namespace": {
              "stringValue": "sso"
            },
            "destination.service.uid": {
              "stringValue": "istio://sso/services/sso-auth"
            }
          }
        }
      }
    },
    "requestHeadersToAdd": [
      {
        "header": {
          "key": "hello",
          "value": "world"
        },
        "append": true
      }
    ],
    "responseHeadersToAdd": [
      {
        "header": {
          "key": "foo",
          "value": "bar"
        },
        "append": true
      }
    ]
  }
]
},
```
Issues/Questions
- These rules don't take effect. Each request is passed to the service but headers are not modified.
- Shouldn't the route rules be applicable to inbound requests as opposed to outbound (as shown in the generated config)?
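
An added example (not part of the original post and not Istio's own tooling): a small Python check that reads route entries in the shape quoted above and reports, per match, whether the VirtualService's header additions reached the Envoy route and whether that route targets an outbound or inbound cluster. The sample input is constructed from the fragment in the post, with a second catch-all entry added for contrast; the function names are illustrative.

```python
import json

# Constructed sample: a trimmed, valid-JSON version of the route entry quoted in
# the post, plus a constructed catch-all entry that carries no header edits.
SAMPLE_ROUTES = json.loads("""
[{
  "match": {"prefix": "/sign_in", "caseSensitive": false},
  "route": {"cluster": "outbound|80||sso-auth.sso.svc.cluster.local"},
  "metadata": {"filterMetadata": {"istio": {
    "config": "/apis/networking/v1alpha3/namespaces/sso/virtual-service/sso-auth-injector"}}},
  "requestHeadersToAdd": [{"header": {"key": "hello", "value": "world"}, "append": true}],
  "responseHeadersToAdd": [{"header": {"key": "foo", "value": "bar"}, "append": true}]
},
{
  "match": {"prefix": "/"},
  "route": {"cluster": "outbound|80||sso-auth.sso.svc.cluster.local"}
}]
""")

def _headers(entries):
    """Flatten Envoy's [{"header": {"key":..., "value":...}}] list into a dict."""
    return {e["header"]["key"]: e["header"]["value"] for e in entries or []}

def summarize_routes(routes):
    """One record per route entry: match, cluster direction, header edits, source config."""
    out = []
    for r in routes:
        cluster = r.get("route", {}).get("cluster", "")
        match = r.get("match", {})
        out.append({
            "match": match.get("prefix") or match.get("path"),
            "direction": cluster.split("|", 1)[0],  # Istio names clusters outbound|... or inbound|...
            "request_add": _headers(r.get("requestHeadersToAdd")),
            "response_add": _headers(r.get("responseHeadersToAdd")),
            "source": r.get("metadata", {}).get("filterMetadata", {}).get("istio", {}).get("config"),
        })
    return out

def missing_headers(routes, prefix, want_request, want_response):
    """Headers the VirtualService asks for that the programmed route does not carry."""
    for rec in summarize_routes(routes):
        if rec["match"] == prefix:
            return {
                "request": {k: v for k, v in want_request.items() if rec["request_add"].get(k) != v},
                "response": {k: v for k, v in want_response.items() if rec["response_add"].get(k) != v},
                "direction": rec["direction"],
            }
    return None  # no route entry for that prefix at all

if __name__ == "__main__":
    for rec in summarize_routes(SAMPLE_ROUTES):
        print(rec)
    print(missing_headers(SAMPLE_ROUTES, "/sign_in", {"hello": "world"}, {"foo": "bar"}))
```

An entry whose cluster name starts with `outbound` is evaluated by the sidecar of the calling workload, so it only affects traffic that leaves through a proxy holding that route.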