Add option INSERT_FIRST in EnvoyFilter.Patch.Operation #1234
Conversation
gargnupur
requested review from
dcberg,
geeknoid,
linsun,
louiscryan and
smawson
as code owners
googlebot
added
the
cla: yes
istio-testing
added
the
size/S
|
@rshriram the use case here is we want to insert metadata exchange filter as the 1st filter in the filter chain. We need to specify what happens when 2 configs match an insertion point and both want to be
|
To keep it consistent with other configs, we should take precedence by creation time. In case it is influenced by a later misconfigured one. |
|
Why is https://github.com/istio/api/pull/1234/files#diff-fa79aef151053e8b9e7be36c58eeaf39R631-R633 not sufficient? @louiscryan did not want insert first. Instead he wanted to add this rider to INSERT_BEFORE (as written in the comment above). I dont mind adding it for clarity. And what about the other one that kuat had? the filter class so that we can intelligently order groups of filters without users having to specify the exact location? |
|
@rshriram we can discuss the filter classes in the other PR. |
This is what I was pointing out. If you omit the filter/subfilter match completely, then INSERT_BEFORE acts as an insert first in the filter list (in http or network as applicable). Is this semantic insufficient? |
|
Aah ok, thanks for point it out. We will give it a try. @gargnupur can you try it out? |
|
out of curiosity, why do we need to keep the metadata filter in EnvoyFilter? why can't we program it from Pilot as part of the core filter stack? |
|
@rshriram , @mandarjog : I saw that INSERT_BEFORE acts as INSERT_FIRST when there is no filter/subfilter match but there are 2 problems with it:
|
|
Metadata filter does not have config so we can actually program it in pilot and add a meshconfig setting. I will evaluate that. |
|
We get this error if a match is not specified: |
|
Specifying empty listener match made it work. The only caveat is that filter gets added in http filter chains too. Although, should not be a problem as filter will get skipped for Http as agreed ALPN for http won't be istio-peer-exchange... |
How would |
@hzxuzhonghu : With INSERT_FIRST, we can have a match clause that says, add a filter on top of the filter chain list, if it finds tcp_proxy in the filter chain. So filter will get added in tcp chain and not http chain.. |
|
Another question: how will know whether it should be applied to tcp filter instead of http? Specify it in |
Yes.. we can specify match for tcp_proxy v/s http mangager in listener filter chain match |
* Remove hack for loading metadata exchange config fix build and edit charts too Run make gen again and fix test Run make gen again` Fix unit test * rebase and run make gen again Add INSERT_FIRST option for EnvoyFilter (istio#20555) Ref: istio/api#1234 Update istio/api to release-1.5 Run make gen Update update_crds.sh
* Remove hack for loading metadata exchange config (#20592) * Remove hack for loading metadata exchange config fix build and edit charts too Run make gen again and fix test Run make gen again` Fix unit test * rebase and run make gen again Add INSERT_FIRST option for EnvoyFilter (#20555) Ref: istio/api#1234 Update istio/api to release-1.5 Run make gen Update update_crds.sh * gen Co-authored-by: Nupur Garg <37600866+gargnupur@users.noreply.github.com>
* Remove hack for loading metadata exchange config fix build and edit charts too Run make gen again and fix test Run make gen again` Fix unit test * rebase and run make gen again Add INSERT_FIRST option for EnvoyFilter (#20555) Ref: istio/api#1234 Update istio/api to release-1.5 Run make gen Update update_crds.sh
Add option INSERT_FIRST in EnvoyFilter.Patch.Operation. This is so that a filter can be added to the top of the list based on Match clause too.