  1. Maistra
  2. MAISTRA-2230

Outbound flow is intercepted, inconsistent with configuration ALLOW_ANY


    • Icon: Bug Bug
    • Resolution: Won't Do
    • Icon: Major Major
    • None
    • maistra-2.0.2
    • envoy
    • None
    • False
    • False
    • qa_ack, ux_ack
    • Undefined

      In my case, Envoy already has a listener named 0.0.0.0_80, and it has no filter_chain_match. When outbound traffic is sent to port 80, all of it goes to this listener.
      This is my listener example:

      {
       "name": "0.0.0.0_80",
       "active_state": {
       "version_info": "2021-03-26T07:09:31Z/1187",
       "listener": {
       "@type": "type.googleapis.com/envoy.api.v2.Listener",
       "name": "0.0.0.0_80",
       "address": {
       "socket_address":
      { "address": "0.0.0.0", "port_value": 80 }
      },
       "filter_chains": [
       {
       "filters": [
       {
       "name": "envoy.http_connection_manager",
       "typed_config": {
       "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
       "stat_prefix": "outbound_0.0.0.0_80",
       "rds": {
       "config_source": {
       "ads": {}
       },
       "route_config_name": "80"
       },
       "http_filters": [
       {
       "name": "istio.metadata_exchange",
       "typed_config": {
       "@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
       "type_url": "type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm",
       "value": {
       "config": {
       "vm_config": {
       "runtime": "envoy.wasm.runtime.null",
       "code": {
       "local":
      { "inline_string": "envoy.wasm.metadata_exchange" }
      }
       },
       "configuration": "{}\n"
       }
       }
       }
       },
       {
       "name": "istio.alpn",
       "typed_config": {
       "@type": "type.googleapis.com/istio.envoy.config.filter.http.alpn.v2alpha1.FilterConfig",
       "alpn_override": [
      { "alpn_override": [ "istio-http/1.0", "istio" ] }
      ,
      { "upstream_protocol": "HTTP11", "alpn_override": [ "istio-http/1.1", "istio" ] }
      ,
      { "upstream_protocol": "HTTP2", "alpn_override": [ "istio-h2", "istio" ] }
      ]
       }
       },
       {
       "name": "envoy.cors",
       "typed_config":
      { "@type": "type.googleapis.com/envoy.config.filter.http.cors.v2.Cors" }
      },
       {
       "name": "envoy.fault",
       "typed_config":
      { "@type": "type.googleapis.com/envoy.config.filter.http.fault.v2.HTTPFault" }
      },
       {
       "name": "istio.stats",
       "typed_config": {
       "@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
       "type_url": "type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm",
       "value": {
       "config": {
       "root_id": "stats_outbound",
       "vm_config": {
       "vm_id": "stats_outbound",
       "runtime": "envoy.wasm.runtime.null",
       "code": {
       "local":
      { "inline_string": "envoy.wasm.stats" }
      }
       },
       "configuration": "{\n \"debug\": \"false\",\n \"stat_prefix\": \"istio\"\n}\n"
       }
       }
       }
       },
       {
       "name": "envoy.router",
       "typed_config":
      { "@type": "type.googleapis.com/envoy.config.filter.http.router.v2.Router" }
      }
       ],
       "tracing": {
       "client_sampling":
      { "value": 100 }
      ,
       "random_sampling":
      { "value": 100 }
      ,
       "overall_sampling":
      { "value": 100 }
      },
       "access_log": [
       {
       "name": "envoy.file_access_log",
       "typed_config":
      { "@type": "type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog", "path": "/dev/stdout", "format": "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% \"%DYNAMIC_METADATA(istio.mixer:status)%\" \"%UPSTREAM_TRANSPORT_FAILURE_REASON%\" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%\n" }
      }
       ],
       "use_remote_address": false,
       "generate_request_id": true,
       "upgrade_configs": [
      { "upgrade_type": "websocket" }
      ],
       "stream_idle_timeout": "0s",
       "normalize_path": true
       }
       }
       ]
       }
       ],
       "deprecated_v1":
      { "bind_to_port": false }
      ,
       "traffic_direction": "OUTBOUND"
       },
       "last_updated": "2021-03-26T07:09:55.191Z"
       }
       }
      

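      Our service depends on an external service on port 80 whose protocol is not HTTP, so its traffic cannot pass the HTTP connection manager filter on this listener; the outbound flow is intercepted instead of being passed through, which is inconsistent with the ALLOW_ANY configuration. Is there any way to solve this dilemma?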

       

      P.S. Everything worked fine when I used the community version of Istio 1.7.6.

      When I set spec.proxy.networking.protocol.autoDetect.outbound, the admission webhook rejects the request:
      admission webhook "smcp.validation.maistra.io" denied the request: [automatic protocol detection is not supported in v2.0; if specified, spec.proxy.networking.protocol.autoDetect.inbound must be set to false, automatic protocol detection is not supported in v2.0; if specified, spec.proxy.networking.protocol.autoDetect.outbound must be set to false]

            Unassigned Unassigned
            pantianying tianying pan