Istio/Envoy edge proxy EnvoyFilter (1.9.0)
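I am trying to apply some Envoy edge proxy best practice configuration to my Istio 1.9.0 deployment, and I am struggling to get a successful EnvoyFilter. After I apply it, all ingress traffic returns 503.
Using istioctl, I can see that the config has been applied and the proxy status appears healthy... any ideas?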
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: connection-control
  namespace: istio-system
spec:
  configPatches:
  - applyTo: CLUSTER
    patch:
      operation: MERGE
      value:
        connect_timeout: 5s
        per_connection_buffer_limit_bytes: 32768 # 32 KiB
        http2_protocol_options:
          initial_stream_window_size: 65536 # 64 KiB
          initial_connection_window_size: 1048576 # 1 MiB
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          common_http_protocol_options:
            idle_timeout: 3600s # 1 hour
            headers_with_underscores_action: REJECT_REQUEST
          http2_protocol_options:
            max_concurrent_streams: 100
            initial_stream_window_size: 65536 # 64 KiB
            initial_connection_window_size: 1048576 # 1 MiB
          stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
          request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
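Note: I have scoured the web and tried essentially every possible "working" solution. This config represents what I believe to be the most "correct" solution for 1.9.0. Flow control and connection buffer limits should be trivial, so I must be missing something small.
Thanks in advance for any suggestions!
After some tweaking, I finally deployed a working EnvoyFilter: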
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: edge-proxy-protocol
  namespace: istio-system
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      # context omitted so that this applies to both sidecars and gateways
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          common_http_protocol_options:
            idle_timeout: 3600s # 1 hour
          http2_protocol_options:
            max_concurrent_streams: 100
            initial_stream_window_size: 65536 # 64 KiB
            initial_connection_window_size: 1048576 # 1 MiB
          stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
          request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
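However, I was still seeing a 30-second timeout on connections that I wanted to keep open... It turned out there was a timeout at the global LB level. Mystery solved, the EnvoyFilter works as designed.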
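An added example, not part of the original post: a Python check that the HttpConnectionManager settings from the working EnvoyFilter above are present in a proxy's effective listener configuration. It assumes the input is the JSON printed by `istioctl proxy-config listener <pod> -o json`, with protobuf-JSON camelCase field names; the sample listeners and their names are constructed.

```python
import json

# Expected values taken from the working EnvoyFilter above.
# Assumption: durations appear as protobuf-JSON strings such as "300s".
EXPECTED = {
    ("commonHttpProtocolOptions", "idleTimeout"): "3600s",
    ("http2ProtocolOptions", "maxConcurrentStreams"): 100,
    ("http2ProtocolOptions", "initialStreamWindowSize"): 65536,
    ("http2ProtocolOptions", "initialConnectionWindowSize"): 1048576,
    ("streamIdleTimeout",): "300s",
    ("requestTimeout",): "300s",
}
HCM = "envoy.filters.network.http_connection_manager"


def audit_listeners(listeners):
    """Return (listener, field, actual) for each HCM setting that differs from EXPECTED."""
    findings = []
    for listener in listeners:
        for chain in listener.get("filterChains", []):
            for flt in chain.get("filters", []):
                if flt.get("name") != HCM:
                    continue  # TCP proxies and other network filters are out of scope
                cfg = flt.get("typedConfig", {})
                for path, want in EXPECTED.items():
                    node = cfg
                    for key in path:  # walk the nested path; a missing key yields None
                        node = node.get(key) if isinstance(node, dict) else None
                    if node != want:
                        findings.append((listener.get("name"), ".".join(path), node))
    return findings


# Constructed sample: one listener the patch reached and one it did not.
SAMPLE = json.loads("""
[
 {"name": "0.0.0.0_8080", "filterChains": [{"filters": [
   {"name": "envoy.filters.network.http_connection_manager",
    "typedConfig": {"commonHttpProtocolOptions": {"idleTimeout": "3600s"},
      "http2ProtocolOptions": {"maxConcurrentStreams": 100, "initialStreamWindowSize": 65536,
                               "initialConnectionWindowSize": 1048576},
      "streamIdleTimeout": "300s", "requestTimeout": "300s"}}]}]},
 {"name": "0.0.0.0_8443", "filterChains": [{"filters": [
   {"name": "envoy.filters.network.http_connection_manager",
    "typedConfig": {"streamIdleTimeout": "0s"}}]}]}
]
""")

if __name__ == "__main__":
    for name, field, actual in audit_listeners(SAMPLE):
        print(f"{name}: {field} = {actual!r}")
```

An empty result only shows that Envoy holds the intended limits; a timeout enforced by a load balancer in front of the gateway, as in the answer above, will not appear in this output.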