EnvoyFilterUsesRelativeOperationWithProxyVersion
このメッセージは、EnvoyFilterに優先度がなく、相対パッチ操作(INSERT_BEFORE/AFTER、REPLACE、MERGE、DELETE)とproxyVersionが設定されている場合に発生します。これにより、アップグレード中にEnvoyFilterが適用されない可能性があります。INSERT_FIRSTまたはADDオプションを使用するか、優先度を設定すると、EnvoyFilterが正しく適用されるのに役立つ場合があります。proxyVersionに関する懸念の理由は、アップグレード後にはproxyVersionが変更されている可能性があり、適用される順序が以前とは異なる可能性があるためです。
例
proxyVersionを使用し、パッチ操作がREPLACEのEnvoyFilterについて考えます
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: test-replace-3
namespace: bookinfo
spec:
workloadSelector:
labels:
app: reviews4
configPatches:
# The first patch adds the Lua filter to the listener/http connection manager
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
portNumber: 8080
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: REPLACE
value: # Lua filter specification
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
-- Make an HTTP call to an upstream host with the following headers, body, and timeout.
local headers, body = request_handle:httpCall(
"lua_cluster",
{
[":method"] = "POST",
[":path"] = "/acl",
[":authority"] = "internal.org.net"
},
"authorize call",
1000)
end
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: test-replace-4
namespace: bookinfo
spec:
workloadSelector:
labels:
app: reviews4
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
patch:
operation: REPLACE
value: #Lua filter specification
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
-- Make an HTTP call to an upstream host with the following headers, body, and timeout.
local headers, body = request_handle:httpCall(
"lua_cluster",
{
[":method"] = "POST",
[":path"] = "/acl",
[":authority"] = "internal.org.net"
},
"authorize call",
5000)
end
解決方法
proxyVersionとともにREPLACEの相対操作が使用されたため、priorityを追加すると問題が解決します
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: test-replace-3
namespace: bookinfo
spec:
workloadSelector:
labels:
app: reviews4
priority: 10
configPatches:
# The first patch adds the Lua filter to the listener/http connection manager
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
portNumber: 8080
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: REPLACE
value: # Lua filter specification
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
-- Make an HTTP call to an upstream host with the following headers, body, and timeout.
local headers, body = request_handle:httpCall(
"lua_cluster",
{
[":method"] = "POST",
[":path"] = "/acl",
[":authority"] = "internal.org.net"
},
"authorize call",
1000)
end
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: test-replace-4
namespace: bookinfo
spec:
workloadSelector:
labels:
app: reviews4
priority: 20
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
patch:
operation: REPLACE
value: #Lua filter specification
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
-- Make an HTTP call to an upstream host with the following headers, body, and timeout.
local headers, body = request_handle:httpCall(
"lua_cluster",
{
[":method"] = "POST",
[":path"] = "/acl",
[":authority"] = "internal.org.net"
},
"authorize call",
5000)
end