XFCC Ingress gateway, append_forward instead of sanitize_set

Hi there,

Is it possible to configure append_forward instead of sanitize_set for Ingress Gateway? It would be nice to reduce number of details provided.

I found relevant topic in github.

I checked the code https://github.com/istio/istio/blob/49296bc2556e1f1770ac7a46bdf980e1d0713a37/pilot/pkg/networking/core/v1alpha3/gateway.go. It uses HttpConnectionManager_SANITIZE_SET there but I don’t see any way to provide configuration on top of it.

1 Like

I found the way, may be it was too obvious for the others but not for me. I used EnvoyFilter. Here is the example that I used. Now it works as expected:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: xffc-forward-protocol
  namespace: mynamespace # as defined in meshConfig resource.
spec:
  workloadSelector:
    labels:
      rbliznet: ingressgateway
      istio: custom-ingressgateway
      app: custom-ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
    match:
      # context applyed only to gateway
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
          forward_client_cert_details: FORWARD_ONLY