成功最有效的方法就是向有经验的人学习!

network filter-HttpConnectionManager

什么是HttpConnectionManager

HttpConnectionManager是http1,http2,https协议必须经过的一个network filter,名称是envoy.filters.network.http_connection_manager。可以配置大量参数,其中http_filters,route_config最为复杂。http_filters配置http类型的filter,实现各种功能,其中route filter必须有一个,且必须是最后一个过滤器,实现路由功能。route_config用来配置静态路由功能,路由也可以用rds来配置,获取动态路由。HttpConnectionManager的实现原理及配置方法,是一个必须掌握的内容,理解了他就等于对非tcp连接的功能理解了一大半。更深入一点,需要掌握各种http filter的配置。

配置

{
  "codec_type": "...",编解码器类型
  "stat_prefix": "...",stat前缀
  "rds": "{...}",动态路由配置
  "route_config": "{...}",静态路由配置
  "scoped_routes": "{...}",根据请求属性,动态路由配置
  "http_filters": [],http过滤器配置
  "add_user_agent": "{...}",是否处理user-agent属性
  "tracing": "{...}",链路跟踪配置
  "common_http_protocol_options": "{...}",http协议选项配置
  "http_protocol_options": "{...}",http1选项
  "http2_protocol_options": "{...}",http2选项
  "server_name": "...",服务器名称
  "server_header_transformation": "...",server_name写入头规则
  "scheme_header_transformation": "{...}",:scheme头处理
  "max_request_headers_kb": "{...}",最大请求头
  "stream_idle_timeout": "{...}",流空闲超时时间
  "request_timeout": "{...}",请求超时时间
  "request_headers_timeout": "{...}",请求头超时时间
  "drain_timeout": "{...}",排水超时时间
  "delayed_close_timeout": "{...}",延迟关闭超时时间
  "access_log": [],访问日志配置
  "use_remote_address": "{...}",使用远程地址
  "xff_num_trusted_hops": "...",x-forwarded-for跳数
  "original_ip_detection_extensions": [],原始ip检测扩展
  "internal_address_config": "{...}",内部地址配置规则
  "skip_xff_append": "...",是否跳过远程地址绑定到 x-forwarded-for
  "via": "...",绑定via头到请求和响应
  "generate_request_id": "{...}",是否产生x-request-id 头
  "preserve_external_request_id": "...",是否保留外部x-request-id
  "always_set_request_id_in_response": "...",是否总是将 x-request-id 放到响应头里
  "forward_client_cert_details": "...",forward x-forwarded-client-cert 头
  "set_current_client_cert_details": "{...}",设置forward_client_cert_details 
  "proxy_100_continue": "...",代理Expect: 100-continue头
  "upgrade_configs": [],http升级配置
  "normalize_path": "{...}",path是否正规化处理
  "merge_slashes": "...",合并斜线
  "path_with_escaped_slashes_action": "...",有escaped斜杠的处理方法
  "request_id_extension": "{...}",request id扩展配置
  "local_reply_config": "{...}",本地响应配置
  "strip_matching_host_port": "...",是否移除匹配的host/authority中的端口
  "strip_any_host_port": "...",是否移除任何host/authority中的端口
  "stream_error_on_invalid_http_message": "{...}",接到错误请求处理
  "strip_trailing_host_dot": "..."是否移除host的最后一个点
}

rds:

{
  "config_source": "{...}",配置来源
  "route_config_name": "..."路由名称
}

config_source:

{
  "path": "...",路径
  "api_config_source": "{...}",api来源配置
  "ads": "{...}",ads配置
  "initial_fetch_timeout": "{...}",初始抓取超时时间
  "resource_api_version": "..."api版本
}

api_config_source:

{
  "api_type": "...",api类型
  "transport_api_version": "...",api版本
  "cluster_names": [],集群名称
  "grpc_services": [],grpc服务
  "refresh_delay": "{...}",刷新延迟
  "request_timeout": "{...}",请求超时时间
  "rate_limit_settings": "{...}",限速设置
  "set_node_on_first_message_only": "..."只在第一个消息设置node
}

route_config:

{
  "name": "...",路由名称
  "virtual_hosts": [],虚拟主机配置
  "vhds": "{...}",虚拟主机发现服务配置
  "internal_only_headers": [],只在mesh内部使用的头
  "response_headers_to_add": [],添加响应头
  "response_headers_to_remove": [],删除响应头
  "request_headers_to_add": [],添加请求头
  "request_headers_to_remove": [],删除请求头
  "most_specific_header_mutations_wins": "...",最具体的头优先
  "validate_clusters": "{...}",是否校验clusters
  "max_direct_response_body_size_bytes": "{...}"直接响应最大body大小,默认4096字节
}

virtual_hosts:

{
  "name": "...",虚拟主机名称
  "domains": [],域名
  "routes": [],路由规则
  "require_tls": "...",tls是否必须
  "virtual_clusters": [],虚拟clusters
  "rate_limits": [],限速配置
  "request_headers_to_add": [],添加request头
  "request_headers_to_remove": [],删除request头
  "response_headers_to_add": [],添加response头
  "response_headers_to_remove": [],删除response头
  "cors": "{...}",跨站资源共享配置
  "typed_per_filter_config": "{...}",虚拟主机级别的过滤器配置
  "include_request_attempt_count": "...",x-envoy-attempt-count头是否放到上游请求中
  "include_attempt_count_in_response": "...",x-envoy-attempt-count头是否放到下游响应中
  "retry_policy": "{...}",重试策略
  "hedge_policy": "{...}",对冲策略
  "per_request_buffer_limit_bytes": "{...}"没个请求缓存限值
}

routes:

{
  "name": "...",路由名称
  "match": "{...}",匹配条件
  "route": "{...}",路由
  "redirect": "{...}",重定向
  "direct_response": "{...}",直接响应
  "metadata": "{...}",元数据
  "decorator": "{...}",装饰
  "typed_per_filter_config": "{...}",路由级别的filter配置
  "request_headers_to_add": [],添加请求头
  "request_headers_to_remove": [],删除请求头
  "response_headers_to_add": [],添加响应头
  "response_headers_to_remove": [],删除响应头
  "tracing": "{...}",覆盖连接管理器级别的tracing
  "per_request_buffer_limit_bytes": "{...}"每个请求缓存大小限值
}

match:

{
  "prefix": "...",前缀匹配
  "path": "...",精确路径匹配
  "safe_regex": "{...}",正则匹配
  "connect_matcher": "{...}",匹配CONNECT requests
  "case_sensitive": "{...}",大小写是否敏感
  "runtime_fraction": "{...}",运行时百分比
  "headers": [],匹配头
  "query_parameters": [],匹配参数
  "grpc": "{...}",匹配grpc连接
  "tls_context": "{...}",匹配tls
  "dynamic_metadata": []匹配动态元数据
}

route:

{
  "cluster": "...",集群名称
  "cluster_header": "...",透过请求头,获取要路由的集群
  "weighted_clusters": "{...}",加权的cluster
  "cluster_not_found_response_code": "...",集群没找到响应码
  "metadata_match": "{...}",subset负载均衡匹配的元数据
  "prefix_rewrite": "...",路径前缀重写
  "regex_rewrite": "{...}",路径正则重写
  "host_rewrite_literal": "...",host重写
  "auto_host_rewrite": "{...}",自动host重写为上游服务host
  "host_rewrite_header": "...",用请求头重写host
  "host_rewrite_path_regex": "{...}",用路径正则重写host
  "timeout": "{...}",上游超时时间
  "idle_timeout": "{...}",路由空闲超时时间
  "retry_policy": "{...}",重试策略
  "request_mirror_policies": [],请求镜像策略
  "priority": "...",路由优先级
  "rate_limits": [],限速配置
  "include_vh_rate_limits": "{...}",是否包含虚拟主机级别的限速
  "hash_policy": [],基于hash的路由的hash策略
  "cors": "{...}",跨站资源共享配置
  "max_grpc_timeout": "{...}",废弃
  "grpc_timeout_offset": "{...}",废弃
  "upgrade_configs": [],连接升级配置
  "internal_redirect_policy": "{...}",上游重定向策略
  "internal_redirect_action": "...",上游重定向动作
  "max_internal_redirects": "{...}",最大内部重定向次数
  "hedge_policy": "{...}",对冲策略
  "max_stream_duration": "{...}"流最大时间
}

weighted_clusters:

{
  "clusters": [],集群配置
  "total_weight": "{...}",总权重大小
  "runtime_key_prefix": "..."运行时key前缀
}

hash_policy:

{
  "header": "{...}",请求头hash策略
  "cookie": "{...}",cookie hash策略
  "connection_properties": "{...}",连接属性hash策略
  "query_parameter": "{...}",请求参数hash策略
  "filter_state": "{...}",过滤器状态hash策略
  "terminal": "..."最终hash策略
}

clusters:

{
  "name": "...",集群名称
  "cluster_header": "...",从请求头中获取集群名称
  "weight": "{...}",权重
  "metadata_match": "{...}",元数据匹配
  "request_headers_to_add": [],添加请求头
  "request_headers_to_remove": [],删除请求头
  "response_headers_to_add": [],添加响应头
  "response_headers_to_remove": [],删除响应头
  "typed_per_filter_config": "{...}",cluster级别的filter配置
  "host_rewrite_literal": "..."host重写
}

redirect:

{
  "https_redirect": "...",schema替换成https
  "scheme_redirect": "...",删除标准pod
  "host_redirect": "...",host替换
  "port_redirect": "...",端口替换
  "path_redirect": "...",路径替换
  "prefix_rewrite": "...",prefix或path替换
  "regex_rewrite": "{...}",path正则重写
  "response_code": "...",响应码,默认301
  "strip_query": "..."删除query部分
}

direct_response:

{
  "status": "...",状态码
  "body": "{...}"响应体
}

virtual_clusters:

{
  "headers": [],匹配头
  "name": "..."虚拟集群名称
}

rate_limits:

{
  "stage": "{...}",stage号码
  "disable_key": "...",禁用限速的key
  "actions": [],动作
  "limit": "{...}"追加到descriptor的限速参数配置
}

actions:

{
  "source_cluster": "{...}",来源cluster
  "destination_cluster": "{...}",目标cluster
  "request_headers": "{...}",请求头匹配
  "remote_address": "{...}",远程地址匹配
  "generic_key": "{...}",通用key匹配
  "header_value_match": "{...}",请求头匹配值
  "dynamic_metadata": "{...}",动态元数据匹配
  "metadata": "{...}",元数据匹配
  "extension": "{...}"descriptor 扩展匹配
}

cors:

{
  "allow_origin_string_match": [],允许的源
  "allow_methods": "...",允许的方法
  "allow_headers": "...",允许的头
  "expose_headers": "...",暴露的头
  "max_age": "...",有效时间
  "allow_credentials": "{...}",允许的cookie
  "filter_enabled": "{...}",生效百分比
  "shadow_enabled": "{...}"不生效但是记录百分比
}

retry_policy:

{
  "retry_on": "...",重试条件
  "num_retries": "{...}",重试次数
  "per_try_timeout": "{...}",每次重试超时时间
  "per_try_idle_timeout": "{...}",每次重试空闲超时时间
  "retry_priority": "{...}",决定负载的重试优先级
  "retry_host_predicate": [],重试host断言
  "retry_options_predicates": [],重试选项断言
  "host_selection_retry_max_attempts": "...",选择host重试最大次数
  "retriable_status_codes": [],除了重试条件以外的重试状态码
  "retry_back_off": "{...}",指数级重试的参数
  "rate_limited_retry_back_off": "{...}",限流条件下的重试等待策略
  "retriable_headers": [],响应头重试触发配置
  "retriable_request_headers": []请求头重试触发配置
}

hedge_policy:

{
  "hedge_on_per_try_timeout": "..."
}

vhds:

{
  "config_source": "{...}"配置源
}

scoped_routes:

{
  "name": "...",路由名称
  "scope_key_builder": "{...}",产生scope key的算法
  "rds_config_source": "{...}",rds配置源
  "scoped_route_configurations_list": "{...}",scoped路由列表
  "scoped_rds": "{...}"scoped路由
}

http_filters:

{
  "name": "...",过滤器名称
  "typed_config": "{...}",过滤器配置
  "config_discovery": "{...}",配置发现
  "is_optional": "..."是否可选
}

tracing:

{
  "client_sampling": "{...}",客户端tracing采样率
  "random_sampling": "{...}",随机采样率
  "overall_sampling": "{...}",采样率限值
  "verbose": "...",标记span更多信息
  "max_path_tag_length": "{...}",最长路径长度默认256
  "custom_tags": [],自定义标签
  "provider": "{...}"对接外部服务
}

custom_tags:

{
  "tag": "...",tag名称
  "literal": "{...}",字面类型的tag
  "environment": "{...}",environment类型tag
  "request_header": "{...}",请求头类型的tag
  "metadata": "{...}"元数据类型的tag
}

common_http_protocol_options:

{
  "idle_timeout": "{...}",空闲超时时间
  "max_connection_duration": "{...}",最大连接时间
  "max_headers_count": "{...}",最大头数量
  "max_stream_duration": "{...}",最大流时间
  "headers_with_underscores_action": "...",带有下划线的请求头的处理动作
  "max_requests_per_connection": "{...}"每个连接的最大请求数量
}

http_protocol_options:

{
  "allow_absolute_url": "{...}",是否允许完全url
  "accept_http_10": "...",是否接受http1.0,0.9请求
  "default_host_for_http_10": "...",http1.0请求的默认host
  "header_key_format": "{...}",响应头的key格式
  "enable_trailers": "...",启用trailers 
  "allow_chunked_length": "...",允许带有Content-Length and Transfer-Encoding头的请求
  "override_stream_error_on_invalid_http_message": "{...}"允许无效的http消息
}

http2_protocol_options:

{
  "hpack_table_size": "{...}",hpack表大小,默认4096
  "max_concurrent_streams": "{...}",最大并发流
  "initial_stream_window_size": "{...}",初始流窗口大小
  "initial_connection_window_size": "{...}",初始连接窗口大小
  "allow_connect": "...",是否允许Websocket 代理
  "max_outbound_frames": "{...}",最大出口帧
  "max_outbound_control_frames": "{...}",最大出口控制帧
  "max_consecutive_inbound_frames_with_empty_payload": "{...}",空内容的最大连续入口帧
  "max_inbound_priority_frames_per_stream": "{...}",每个流的最大入口优先帧
  "max_inbound_window_update_frames_per_data_frame_sent": "{...}",每个数据帧发送的最大入口窗口更新帧
  "stream_error_on_invalid_http_messaging": "...",在错误的htt消息时流错误
  "override_stream_error_on_invalid_http_message": "{...}",当http消息错误时覆盖流错误
  "connection_keepalive": "{...}"连接保持参数
}

access_log:

{
  "name": "...",日志类型名称
  "filter": "{...}",过滤日志配置
  "typed_config": "{...}"具体配置
}

upgrade_configs:

{
  "upgrade_type": "...",升级类型
  "filters": [],http过滤器
  "enabled": "{...}"是否启用
}

local_reply_config:

{
  "mappers": [],映射配置
  "body_format": "{...}"内容格式
}

mappers:

{
  "filter": "{...}",日志过滤器配置
  "status_code": "{...}",状态码
  "body": "{...}",内容
  "body_format_override": "{...}",映射级别的body格式
  "headers_to_add": []添加头
}

filter:

{
  "status_code_filter": "{...}",状态码过滤器
  "duration_filter": "{...}",时间过滤器
  "not_health_check_filter": "{...}",非健康检查过滤器
  "traceable_filter": "{...}",是否可跟踪过滤器
  "runtime_filter": "{...}",运行时过滤器
  "and_filter": "{...}",与过滤器
  "or_filter": "{...}",或过滤器
  "header_filter": "{...}",头过滤器
  "response_flag_filter": "{...}",响应标记过滤器
  "grpc_status_filter": "{...}",grpc状态过滤器
  "extension_filter": "{...}",扩展过滤器
  "metadata_filter": "{...}"元数据过滤器
}

实战

默认配置

envoyfilter/httpconnectionmanager/ef-productpage-general.yaml

kubectl apply -f ef-productpage-general.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: REPLACE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                accessLog:
                - name: envoy.access_loggers.file
                  typedConfig:
                    '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                    logFormat:
                      textFormat: |
                        [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %CONNECTION_TERMINATION_DETAILS% "%UPSTREAM_TRANSPORT_FAILURE_REASON%" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%
                    path: /dev/stdout
                delayedCloseTimeout: 1s
                forwardClientCertDetails: SANITIZE_SET
                httpFilters:
                - name: istio.metadata_exchange
                  typedConfig:
                    '@type': type.googleapis.com/udpa.type.v1.TypedStruct
                    typeUrl: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
                    value:
                      config:
                        configuration:
                          '@type': type.googleapis.com/google.protobuf.StringValue
                          value: |
                            {}
                        vm_config:
                          code:
                            local:
                              inline_string: envoy.wasm.metadata_exchange
                          runtime: envoy.wasm.runtime.null
                - name: envoy.filters.http.jwt_authn
                  typedConfig:
                    '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
                    providers:
                      origins-0:
                        forward: true
                        issuer: testing@secure.istio.io
                        localJwks:
                          inlineString: "{ \"keys\":\n   [ \n     {\n       \"e\":\"AQAB\",\n
                            \      \"kid\":\"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ\",\n
                            \      \"kty\":\"RSA\",\n       \"n\":\"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ\"\n
                            \    }\n   ]\n}\n"
                        payloadInMetadata: testing@secure.istio.io
                    rules:
                    - match:
                        prefix: /
                      requires:
                        requiresAny:
                          requirements:
                          - providerName: origins-0
                          - allowMissing: {}
                - name: istio_authn
                  typedConfig:
                    '@type': type.googleapis.com/istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig
                    policy:
                      originIsOptional: true
                      origins:
                      - jwt:
                          issuer: testing@secure.istio.io
                      principalBinding: USE_ORIGIN
                    skipValidateTrustDomain: true
                - name: envoy.filters.http.cors
                  typedConfig:
                    '@type': type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
                - name: envoy.filters.http.fault
                  typedConfig:
                    '@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
                - name: istio.stats
                  typedConfig:
                    '@type': type.googleapis.com/udpa.type.v1.TypedStruct
                    typeUrl: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
                    value:
                      config:
                        configuration:
                          '@type': type.googleapis.com/google.protobuf.StringValue
                          value: |
                            {
                              "debug": "false",
                              "stat_prefix": "istio",
                              "disable_host_header_fallback": true
                            }
                        root_id: stats_outbound
                        vm_config:
                          code:
                            local:
                              inline_string: envoy.wasm.stats
                          runtime: envoy.wasm.runtime.null
                          vm_id: stats_outbound
                - name: envoy.filters.http.router
                  typedConfig:
                    '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                httpProtocolOptions: {}
                normalizePath: true
                pathWithEscapedSlashesAction: KEEP_UNCHANGED
                rds:
                  configSource:
                    ads: {}
                    initialFetchTimeout: 0s
                    resourceApiVersion: V3
                  routeConfigName: http.8080
                serverName: istio-envoy
                setCurrentClientCertDetails:
                  cert: true
                  dns: true
                  subject: true
                  uri: true
                statPrefix: outbound_0.0.0.0_8080
                streamIdleTimeout: 0s
                tracing:
                  clientSampling:
                    value: 100
                  customTags:
                  - metadata:
                      kind:
                        request: {}
                      metadataKey:
                        key: envoy.filters.http.rbac
                        path:
                        - key: istio_dry_run_allow_shadow_effective_policy_id
                    tag: istio.authorization.dry_run.allow_policy.name
                  - metadata:
                      kind:
                        request: {}
                      metadataKey:
                        key: envoy.filters.http.rbac
                        path:
                        - key: istio_dry_run_allow_shadow_engine_result
                    tag: istio.authorization.dry_run.allow_policy.result
                  - metadata:
                      kind:
                        request: {}
                      metadataKey:
                        key: envoy.filters.http.rbac
                        path:
                        - key: istio_dry_run_deny_shadow_effective_policy_id
                    tag: istio.authorization.dry_run.deny_policy.name
                  - metadata:
                      kind:
                        request: {}
                      metadataKey:
                        key: envoy.filters.http.rbac
                        path:
                        - key: istio_dry_run_deny_shadow_engine_result
                    tag: istio.authorization.dry_run.deny_policy.result
                  - literal:
                      value: latest
                    tag: istio.canonical_revision
                  - literal:
                      value: istio-ingressgateway
                    tag: istio.canonical_service
                  - literal:
                      value: mesh1
                    tag: istio.mesh_id
                  - literal:
                      value: istio-system
                    tag: istio.namespace
                  overallSampling:
                    value: 100
                  randomSampling:
                    value: 1
                upgradeConfigs:
                - upgradeType: websocket
                useRemoteAddress: true

codec_type

AUTO

默认是auto,自动匹配

ef-codec_type-AUTO.yaml

kubectl apply -f ef-codec_type-AUTO.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                codec_type: AUTO

HTTP1

ef-codec_type-HTTP1.yaml

kubectl apply -f ef-codec_type-HTTP1.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                codec_type: HTTP1

HTTP2

ef-codec_type-HTTP2.yaml

kubectl apply -f ef-codec_type-HTTP2.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                codec_type: HTTP2

不能访问,因为我们用的是http1.1协议

rds

ef-rds.yaml

kubectl apply -f ef-rds.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                rds:
                  configSource:
                    ads: {}
                    initialFetchTimeout: 10s
                    resourceApiVersion: V3
                  routeConfigName: http.8080

route_config

general

ef-route_config-general.yaml

kubectl apply -f ef-route_config-general.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "test"
                  internal_only_headers:
                  - test5
                  response_headers_to_add:
                  - header:
                      key: test1
                      value: test1 
                    append: true
                  response_headers_to_remove:
                  - test3
                  request_headers_to_add:
                  - header:
                      key: test2
                      value: test2 
                    append: true
                  request_headers_to_remove:
                  - test3
                  most_specific_header_mutations_wins: true
                  validate_clusters: true
                  max_direct_response_body_size_bytes: 1024

virtual_hosts

routes
match
prefix

ef-route_config-virtual_hosts-routes-match-prefix.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-prefix.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"

path

ef-route_config-virtual_hosts-routes-match-path.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-path.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /test
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "path"

safe_regex

ef-route_config-virtual_hosts-routes-match-safe_regex.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-safe_regex.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        safe_regex:
                          google_re2: {}
                          regex: ".*regex.*"
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "regex"

connect_matcher

ef-route_config-virtual_hosts-routes-match-connect_matcher.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-connect_matcher.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        connect_matcher: {}
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "regex"

case_sensitive

ef-route_config-virtual_hosts-routes-match-case_sensitive.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-case_sensitive.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "case_sensitive"

runtime_fraction

ef-route_config-virtual_hosts-routes-match-runtime_fraction.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-runtime_fraction.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        runtime_fraction:
                          default_value:
                            numerator: 10
                            denominator: HUNDRED
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"

headers

{
  "name": "...",头名称
  "exact_match": "...",精确匹配
  "safe_regex_match": "{...}",正则匹配
  "range_match": "{...}",范围匹配
  "present_match": "...",存在匹配
  "prefix_match": "...",前缀匹配
  "suffix_match": "...",后缀匹配
  "contains_match": "...",包含匹配
  "string_match": "{...}",字符串匹配
  "invert_match": "..."反向匹配
}
exact_match:

ef-route_config-virtual_hosts-routes-match-headers-exact_match.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-headers-exact_match.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        headers:
                        - name: "host"
                          exact_match: test.test:32688
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"
safe_regex_match:

ef-route_config-virtual_hosts-routes-match-headers-safe_regex_match.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-headers-safe_regex_match.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        headers:
                        - name: "host"
                          safe_regex_match:
                            google_re2: {}
                            regex: ".*test.*"
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"
range_match

ef-route_config-virtual_hosts-routes-match-headers-range_match.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-headers-range_match.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        headers:
                        - name: "test"
                          range_match:
                            start: 1
                            end: 10
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"
present_match

ef-route_config-virtual_hosts-routes-match-headers-present_match.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-headers-present_match.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        headers:
                        - name: "host"
                          present_match: true
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"
prefix_match

ef-route_config-virtual_hosts-routes-match-headers-prefix_match.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-headers-prefix_match.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        headers:
                        - name: "host"
                          prefix_match: test
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"
suffix_match

ef-route_config-virtual_hosts-routes-match-headers-suffix_match.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-headers-suffix_match.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        headers:
                        - name: "host"
                          suffix_match: "32688"
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"
contains_match

ef-route_config-virtual_hosts-routes-match-headers-contains_match.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-headers-contains_match.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        headers:
                        - name: "host"
                          contains_match: test
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"
string_match
{
  "exact": "...",精确匹配
  "prefix": "...",前缀
  "suffix": "...",后缀
  "safe_regex": "{...}",正则
  "contains": "...",包含
  "ignore_case": "..."忽略大小写
}
exact

报错,istio还没实现

ef-route_config-virtual_hosts-routes-match-headers-string_match-exact.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-headers-string_match-exact.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        headers:
                        - name: "host"
                          string_match:
                            exact: "test.test:32688"
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"
invert_match

ef-route_config-virtual_hosts-routes-match-headers-invert_match.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-headers-invert_match.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        headers:
                        - name: "host"
                          contains_match: test2
                          invert_match: true
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"

query_parameters

{
  "name": "...",参数名称
  "string_match": "{...}",string匹配
  "present_match": "..."存在匹配
}

string_match:

{
  "exact": "...",
  "prefix": "...",
  "suffix": "...",
  "safe_regex": "{...}",
  "contains": "...",
  "ignore_case": "..."
}

1、string_match

1.1exact

ef-route_config-virtual_hosts-routes-match-query_parameters-string_match-exact.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-query_parameters-string_match-exact.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        query_parameters:
                        - name: test
                          string_match: 
                            exact: test
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"

访问 test.test:32688/test?test=test

1.2prefix

ef-route_config-virtual_hosts-routes-match-query_parameters-string_match-prefix.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-query_parameters-string_match-prefix.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        query_parameters:
                        - name: test
                          string_match: 
                            prefix: te
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"

1.3suffix

ef-route_config-virtual_hosts-routes-match-query_parameters-string_match-suffix.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-query_parameters-string_match-suffix.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        query_parameters:
                        - name: test
                          string_match: 
                            suffix: "t"
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"

1.4safe_regex

ef-route_config-virtual_hosts-routes-match-query_parameters-string_match-safe_regex.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-query_parameters-string_match-safe_regex.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        query_parameters:
                        - name: test
                          string_match: 
                            safe_regex: 
                              google_re2: {}
                              regex: ".*test.*"
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"

1.5contains

ef-route_config-virtual_hosts-routes-match-query_parameters-string_match-contains.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-query_parameters-string_match-contains.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        query_parameters:
                        - name: test
                          string_match: 
                            contains: est
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"

1.6ignore_case

ef-route_config-virtual_hosts-routes-match-query_parameters-string_match-ignore_case.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-query_parameters-string_match-ignore_case.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        query_parameters:
                        - name: test
                          string_match: 
                            contains: EST
                            ignore_case: true
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"

2present_match

ef-route_config-virtual_hosts-routes-match-query_parameters-present_match.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-query_parameters-present_match.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        query_parameters:
                        - name: test
                          present_match: true
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"
grpc

ef-route_config-virtual_hosts-routes-match-grpc.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-grpc.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        grpc: {}
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"

访问 http://test.test:32688/test?test=test

因为不是grpc连接所以报错

tls_context

ef-route_config-virtual_hosts-routes-match-tls_context.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-tls_context.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        tls_context:
                          presented: true
                          validated: true
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"
dynamic_metadata

不会用,放弃

ef-route_config-virtual_hosts-routes-match-dynamic_metadata.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-match-dynamic_metadata.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /tEst
                        case_sensitive: false
                        dynamic_metadata:
                          filter:
                          path:
                          - key:
                          value:
                          invert:
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "runtime_fraction"

route

cluster

ef-route_config-virtual_hosts-routes-route-cluster.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-cluster.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /productpage
                        case_sensitive: false
                      route:
                        cluster: outbound|9080||productpage.istio.svc.cluster.local
cluster_header

ef-route_config-virtual_hosts-routes-route-cluster_header.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-cluster_header.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /productpage
                        case_sensitive: false
                      route:
                        cluster_header: upstream_cluster

file

weighted_clusters

weighted_clusters:

{
  "clusters": [],
  "total_weight": "{...}",
  "runtime_key_prefix": "..."
}

clusters:

{
  "name": "...",
  "cluster_header": "...",
  "weight": "{...}",
  "metadata_match": "{...}",
  "request_headers_to_add": [],
  "request_headers_to_remove": [],
  "response_headers_to_add": [],
  "response_headers_to_remove": [],
  "typed_per_filter_config": "{...}",
  "host_rewrite_literal": "..."
}

1general

ef-route_config-virtual_hosts-routes-route-weighted_clusters-general.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-weighted_clusters-general.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /productpage
                        case_sensitive: false
                      route:
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                            request_headers_to_add:
                            - header:
                                key: test
                                value: test
                              append: true
                            request_headers_to_remove:
                            - test2
                            response_headers_to_add:
                            - header:
                                key: test3
                                value: test3
                              append: true
                            response_headers_to_remove:
                            - test4
                            host_rewrite_literal: mytest
                          total_weight: 100
                          runtime_key_prefix: test

2cluster_header

报错,istio还没实现

ef-route_config-virtual_hosts-routes-route-weighted_clusters-cluster_header.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-weighted_clusters-cluster_header.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /productpage
                        case_sensitive: false
                      route:
                        weighted_clusters:
                          clusters:
                          - cluster_header: upstream_cluster
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test

3typed_per_filter_config

ef-route_config-virtual_hosts-routes-route-weighted_clusters-typed_per_filter_config.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-weighted_clusters-typed_per_filter_config.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /productpage
                        case_sensitive: false
                      route:
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                            typed_per_filter_config:
                              envoy.filters.http.bandwidth_limit:
                                "@type": type.googleapis.com/envoy.extensions.filters.http.bandwidth_limit.v3alpha.BandwidthLimit
                                stat_prefix: bandwidth_limiter_custom_route
                                enable_mode: REQUEST_AND_RESPONSE
                                limit_kbps: 500
                                fill_interval: 0.1s
                          total_weight: 100
                          runtime_key_prefix: test
prefix_rewrite

ef-route_config-virtual_hosts-routes-route-prefix_rewrite.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-prefix_rewrite.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        path: /product
                      route:
                        prefix_rewrite: /productpage
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
regex_rewrite

ef-route_config-virtual_hosts-routes-route-regex_rewrite.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-regex_rewrite.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /service
                      route:
                        regex_rewrite:
                          pattern:
                            google_re2: {}
                            regex: "/service/([^/]+)/(.*)$"
                          substitution: /\2\1
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test

访问http://test.test:32688/service/page/product

host_rewrite_literal

ef-route_config-virtual_hosts-routes-route-host_rewrite_literal.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-host_rewrite_literal.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        host_rewrite_literal: testhost
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
auto_host_rewrite

strict_dns or logical_dns 类型的cluster才会生效

ef-route_config-virtual_hosts-routes-route-auto_host_rewrite.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-auto_host_rewrite.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        auto_host_rewrite: true
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
host_rewrite_header

ef-route_config-virtual_hosts-routes-route-host_rewrite_header.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-host_rewrite_header.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "test.test:8080"
                    - "test.test:32688"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        host_rewrite_header: host_header
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
host_rewrite_path_regex

ef-route_config-virtual_hosts-routes-route-host_rewrite_path_regex.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-host_rewrite_path_regex.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "test.test:8080"
                    - "test.test:32688"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        host_rewrite_path_regex:
                          pattern:
                            google_re2: {}
                            regex: "^/(.+)/.+$"
                          substitution: \1
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
retry_policy
{
  "retry_on": "...",
  "num_retries": "{...}",
  "per_try_timeout": "{...}",
  "per_try_idle_timeout": "{...}",
  "retry_priority": "{...}",
  "retry_host_predicate": [],
  "retry_options_predicates": [],
  "host_selection_retry_max_attempts": "...",
  "retriable_status_codes": [],
  "retry_back_off": "{...}",
  "rate_limited_retry_back_off": "{...}",
  "retriable_headers": [],
  "retriable_request_headers": []
}

1general

x-envoy-retry-on

5xx , gateway-error , reset , connect-failure , envoy-ratelimited , retriable-4xx , refused-stream , retriable-status-codes , retriable-headers

ef-route_config-virtual_hosts-routes-route-retry_policy-general.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-retry_policy-general.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "test.test:8080"
                    - "test.test:32688"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        retry_policy:
                          retry_on: 5xx,gateway-error,reset,connect-failure
                          num_retries: 3
                          per_try_timeout: 10s
                          #per_try_idle_timeout: 10s
                          retry_priority:
                            name: envoy.retry_priorities.previous_priorities
                            typed_config:
                              "@type": type.googleapis.com/envoy.extensions.retry.priority.previous_priorities.v3.PreviousPrioritiesConfig
                              update_frequency: 2
                          retry_host_predicate:
                          - name: envoy.retry_host_predicates.previous_hosts  
                          host_selection_retry_max_attempts: 3
                          retriable_status_codes: 
                          - 503 
                          retry_back_off:
                            base_interval: 10ms
                            max_interval: 50ms
                          rate_limited_retry_back_off:
                            reset_headers:
                            - name: Retry-After
                              format: SECONDS
                            - name: X-RateLimit-Reset
                              format: UNIX_TIMESTAMP
                            max_interval: "300s"
                          retriable_headers:
                          - name: test
                            exact_match: test
                          retriable_request_headers:
                          - name: test
                            exact_match: test
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
request_mirror_policies
{
  "cluster": "...",
  "runtime_fraction": "{...}",
  "trace_sampled": "{...}"
}

ef-route_config-virtual_hosts-routes-route-request_mirror_policies.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-request_mirror_policies.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        request_mirror_policies:
                        - cluster: outbound|9080||productpage-2.istio.svc.cluster.local
                          runtime_fraction:
                            default_value:
                              numerator: 100
                              denominator: HUNDRED
                          trace_sampled: true
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
rate_limits
{
  "stage": "{...}",
  "disable_key": "...",
  "actions": [],
  "limit": "{...}"
}

actions:

{
  "source_cluster": "{...}",
  "destination_cluster": "{...}",
  "request_headers": "{...}",
  "remote_address": "{...}",
  "generic_key": "{...}",
  "header_value_match": "{...}",
  "dynamic_metadata": "{...}",
  "metadata": "{...}",
  "extension": "{...}"
}

limit:

{
  "dynamic_metadata": "{...}"
}

1source_cluster

ef-route_config-virtual_hosts-routes-route-rate_limits-source_cluster.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-rate_limits-source_cluster.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        rate_limits:
                        - stage: 0
                          disable_key: test
                          actions:
                          - source_cluster: {}
                          limit:
                            dynamic_metadata:
                              metadata_key:
                                key: envoy.xxx
                                path:
                                - key: prop
                                - key: foo
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test

2destination_cluster

ef-route_config-virtual_hosts-routes-route-rate_limits-destination_cluster.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-rate_limits-destination_cluster.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        rate_limits:
                        - stage: 0
                          disable_key: test
                          actions:
                          - destination_cluster: {}
                          limit:
                            dynamic_metadata:
                              metadata_key:
                                key: envoy.xxx
                                path:
                                - key: prop
                                - key: foo
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test

3request_headers

ef-route_config-virtual_hosts-routes-route-rate_limits-request_headers.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-rate_limits-request_headers.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        rate_limits:
                        - stage: 0
                          disable_key: test
                          actions:
                          - request_headers:
                              header_name: ":path"
                              descriptor_key: "PATH"
                              skip_if_absent: true
                          limit:
                            dynamic_metadata:
                              metadata_key:
                                key: envoy.xxx
                                path:
                                - key: prop
                                - key: foo
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test

4remote_address

ef-route_config-virtual_hosts-routes-route-rate_limits-remote_address.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-rate_limits-remote_address.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        rate_limits:
                        - stage: 0
                          disable_key: test
                          actions:
                          - remote_address: {}
                          limit:
                            dynamic_metadata:
                              metadata_key:
                                key: envoy.xxx
                                path:
                                - key: prop
                                - key: foo
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test

5generic_key

ef-route_config-virtual_hosts-routes-route-rate_limits-generic_key.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-rate_limits-generic_key.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        rate_limits:
                        - stage: 0
                          disable_key: test
                          actions:
                          - generic_key: 
                              descriptor_key: test
                              descriptor_value: test
                          limit:
                            dynamic_metadata:
                              metadata_key:
                                key: envoy.xxx
                                path:
                                - key: prop
                                - key: foo
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test

6header_value_match

ef-route_config-virtual_hosts-routes-route-rate_limits-header_value_match.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-rate_limits-header_value_match.yaml -n istio-system

headers:

{
  "name": "...",
  "exact_match": "...",
  "safe_regex_match": "{...}",
  "range_match": "{...}",
  "present_match": "...",
  "prefix_match": "...",
  "suffix_match": "...",
  "contains_match": "...",
  "string_match": "{...}",
  "invert_match": "..."
}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        rate_limits:
                        - stage: 0
                          disable_key: test
                          actions:
                          - header_value_match:
                              descriptor_value: test
                              expect_match: true
                              headers:
                              - name: test
                                exact_match: test
                          limit:
                            dynamic_metadata:
                              metadata_key:
                                key: envoy.xxx
                                path:
                                - key: prop
                                - key: foo
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test

7dynamic_metadata

ef-route_config-virtual_hosts-routes-route-rate_limits-dynamic_metadata.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-rate_limits-dynamic_metadata.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        rate_limits:
                        - stage: 0
                          disable_key: test
                          actions:
                          - dynamic_metadata: 
                              descriptor_key: test
                              default_value: test
                              metadata_key:
                                key: envoy.xxx
                                path:
                                - key: prop
                                - key: foo
                          limit:
                            dynamic_metadata:
                              metadata_key:
                                key: envoy.xxx
                                path:
                                - key: prop
                                - key: foo
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test

8metadata

source:

ROUTE_ENTRY , DYNAMIC

ef-route_config-virtual_hosts-routes-route-rate_limits-metadata.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-rate_limits-metadata.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        rate_limits:
                        - stage: 0
                          disable_key: test
                          actions:
                          - metadata: 
                              descriptor_key: test
                              default_value: test
                              metadata_key:
                                key: envoy.xxx
                                path:
                                - key: prop
                                - key: foo
                              source: DYNAMIC
                          limit:
                            dynamic_metadata:
                              metadata_key:
                                key: envoy.xxx
                                path:
                                - key: prop
                                - key: foo
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test

9extension

ef-route_config-virtual_hosts-routes-route-rate_limits-extension.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-rate_limits-extension.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        rate_limits:
                        - stage: 0
                          disable_key: test
                          actions:
                          - extension: 
                              name: envoy.rate_limit_descriptors.expr
                              typed_config:
                                "@type": type.googleapis.com/envoy.extensions.rate_limit_descriptors.expr.v3.Descriptor
                                descriptor_key: test
                                skip_if_error: true
                                text: connection.requested_server_name
                          limit:
                            dynamic_metadata:
                              metadata_key:
                                key: envoy.xxx
                                path:
                                - key: prop
                                - key: foo
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
hash_policy
{
  "header": "{...}",
  "cookie": "{...}",
  "connection_properties": "{...}",
  "query_parameter": "{...}",
  "filter_state": "{...}",
  "terminal": "..."
}

1header

ef-route_config-virtual_hosts-routes-route-hash_policy-header.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-hash_policy-header.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        hash_policy:
                        - header:
                            header_name: test
                            regex_rewrite:
                              pattern:
                                google_re2: {}
                                regex: "/([^/]+)/(.*)$"
                              substitution: /\2\1  
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test

2cookie

当cookie的path设置了值不为null的时候,以设置的值为准。当cookie的path为null时候,获取请求的URI的path值 当URI的path值是以“/”结尾的时候,直接设置为cookie的path值 当URI的path值不是以“/”结尾的时候,查看path里面是否有“/” 如果有“/”的话,直接截取到最后一个“/”,然后设置为cookie的path值。如果没有“/”的话,将cookie的path设置为”/”。

ef-route_config-virtual_hosts-routes-route-hash_policy-cookie.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-hash_policy-cookie.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        hash_policy:
                        - cookie:
                            name: test
                            ttl: 10h
                            path: "/productpage"
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test

3connection_properties

ef-route_config-virtual_hosts-routes-route-hash_policy-connection_properties.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-hash_policy-connection_properties.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        hash_policy:
                        - connection_properties:
                            source_ip: true
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test

4query_parameter

ef-route_config-virtual_hosts-routes-route-hash_policy-query_parameter.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-hash_policy-query_parameter.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        hash_policy:
                        - query_parameter:
                            name: test_param
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test

5filter_state

ef-route_config-virtual_hosts-routes-route-hash_policy-filter_state.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-hash_policy-filter_state.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        hash_policy:
                        - filter_state:
                            key: test
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test

6terminal

ef-route_config-virtual_hosts-routes-route-hash_policy-terminal.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-hash_policy-terminal.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        hash_policy:
                        - filter_state:
                            key: test
                        - query_parameter:
                            name: test_param
                        - terminal: true
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
cors
{
  "allow_origin_string_match": [],
  "allow_methods": "...",
  "allow_headers": "...",
  "expose_headers": "...",
  "max_age": "...",
  "allow_credentials": "{...}",
  "filter_enabled": "{...}",
  "shadow_enabled": "{...}"
}

ef-route_config-virtual_hosts-routes-route-cors.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-cors.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        cors:
                          allow_origin_string_match:
                          - safe_regex:
                              google_re2: {}
                              regex: ".*test.*"
                          allow_methods: POST,GET,OPTION
                          allow_headers: test
                          expose_headers: test2
                          max_age: 1h
                          allow_credentials: true
                          filter_enabled:
                            default_value:
                              numerator: 100
                              denominator:  HUNDRED
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
upgrade_configs
{
  "upgrade_type": "...",
  "enabled": "{...}",
  "connect_config": "{...}"
}

connect_config:

{
  "proxy_protocol_config": "{...}",
  "allow_post": "..."
}

proxy_protocol_config:

{
  "version": "..."
}

version:

V1

(DEFAULT) ⁣PROXY protocol version 1. Human readable format.

V2

⁣PROXY protocol version 2. Binary format.

ef-route_config-virtual_hosts-routes-route-upgrade_configs.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-upgrade_configs.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        upgrade_configs:
                        - upgrade_type: websocket
                          enabled: true
                          connect_config:
                            allow_post: true
                            proxy_protocol_config:
                              version: V1
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
internal_redirect_policy

不知道@type

{
  "max_internal_redirects": "{...}",
  "redirect_response_codes": [],
  "predicates": [],
  "allow_cross_scheme_redirect": "..."
}

redirect_response_codes:

301, 302, 303, 307 and 308

predicates :

envoy.internal_redirect_predicates.allow_listed_routes
envoy.internal_redirect_predicates.previous_routes
envoy.internal_redirect_predicates.safe_cross_scheme

ef-route_config-virtual_hosts-routes-route-internal_redirect_policy.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-internal_redirect_policy.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        internal_redirect_policy:
                          max_internal_redirects: 10
                          redirect_response_codes:
                          - 301
                          - 302
                          predicates:
                          - name: envoy.internal_redirect_predicates.allow_listed_routes
                            typed_config:
                              '@type':
                              allowed_route_names:
                              - testroute
                          allow_cross_scheme_redirect: true
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
internal_redirect_action

PASS_THROUGH_INTERNAL_REDIRECT , HANDLE_INTERNAL_REDIRECT

ef-route_config-virtual_hosts-routes-route-internal_redirect_action.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-internal_redirect_action.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        internal_redirect_policy:
                          max_internal_redirects: 10
                          redirect_response_codes:
                          - 301
                          - 302
                          allow_cross_scheme_redirect: true
                        internal_redirect_action: HANDLE_INTERNAL_REDIRECT
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
hedge_policy

ef-route_config-virtual_hosts-routes-route-hedge_policy.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-hedge_policy.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        hedge_policy:
                          hedge_on_per_try_timeout: true
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
genral

priority: HIGH, DEFAULT

ef-route_config-virtual_hosts-routes-route-genral.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-route-genral.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        cluster_not_found_response_code: 404
                        metadata_match:
                          filter_metadata:
                            "envoy.lb": 
                              canary: true
                        timeout: 10s
                        idle_timeout: 5s
                        priority: HIGH
                        max_stream_duration: 
                          max_stream_duration: 10s
                          grpc_timeout_header_max: 5s
                          grpc_timeout_header_offset: 3s
                        cluster: outbound|9080||productpage.istio.svc.cluster.local

redirect

https_redirect

ef-route_config-virtual_hosts-routes-redirect-https_redirect.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-redirect-https_redirect.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      redirect:
                        https_redirect: true
scheme_redirect

ef-route_config-virtual_hosts-routes-redirect-scheme_redirect.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-redirect-scheme_redirect.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      redirect:
                        scheme_redirect: http
host_redirect

ef-route_config-virtual_hosts-routes-redirect-host_redirect.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-redirect-host_redirect.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      redirect:
                        host_redirect: 192.168.229.134
port_redirect

ef-route_config-virtual_hosts-routes-redirect-port_redirect.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-redirect-port_redirect.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      redirect:
                        host_redirect: 192.168.229.134
                        port_redirect: 32688
path_redirect

ef-route_config-virtual_hosts-routes-redirect-path_redirect.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-redirect-path_redirect.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      redirect:
                        host_redirect: 192.168.229.134
                        port_redirect: 32688
                        path_redirect: /productpage
prefix_rewrite

ef-route_config-virtual_hosts-routes-redirect-prefix_rewrite.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-redirect-prefix_rewrite.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /test
                      redirect:
                        host_redirect: 192.168.229.134
                        port_redirect: 32688
                        prefix_rewrite: /productpage
regex_rewrite

ef-route_config-virtual_hosts-routes-redirect-regex_rewrite.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-redirect-regex_rewrite.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /test
                      redirect:
                        host_redirect: 192.168.229.134
                        port_redirect: 32688
                        regex_rewrite:
                          pattern:
                            google_re2: {}
                            regex: "/service/([^/]+)/(.*)$"
                          substitution: /\2\1
response_code

MOVED_PERMANENTLY

(DEFAULT) ⁣Moved Permanently HTTP Status Code – 301.

FOUND

⁣Found HTTP Status Code – 302.

SEE_OTHER

⁣See Other HTTP Status Code – 303.

TEMPORARY_REDIRECT

⁣Temporary Redirect HTTP Status Code – 307.

PERMANENT_REDIRECT

⁣Permanent Redirect HTTP Status Code – 308.

ef-route_config-virtual_hosts-routes-redirect-response_code.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-redirect-response_code.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /test
                      redirect:
                        host_redirect: 192.168.229.134
                        port_redirect: 32688
                        regex_rewrite:
                          pattern:
                            google_re2: {}
                            regex: "/service/([^/]+)/(.*)$"
                          substitution: /\2\1
                        response_code: MOVED_PERMANENTLY
strip_query

ef-route_config-virtual_hosts-routes-redirect-strip_query.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-redirect-strip_query.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /test
                      redirect:
                        host_redirect: 192.168.229.134
                        port_redirect: 32688
                        regex_rewrite:
                          pattern:
                            google_re2: {}
                            regex: "/service/([^/]+)/(.*)$"
                          substitution: /\2\1
                        response_code: MOVED_PERMANENTLY
                        strip_query: true

direct_response

{
  "status": "...",
  "body": "{...}"
}

body:

{
  "filename": "...",
  "inline_bytes": "...",
  "inline_string": "..."
}

ef-route_config-virtual_hosts-routes-direct_response.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-direct_response.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"

tracing

{
  "client_sampling": "{...}",
  "random_sampling": "{...}",
  "overall_sampling": "{...}",
  "custom_tags": []
}

ef-route_config-virtual_hosts-routes-tracing.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-tracing.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"
                      tracing:
                          customTags:
                          - metadata:
                              kind:
                                request: {}
                              metadataKey:
                                key: envoy.filters.http.rbac
                                path:
                                - key: istio_dry_run_allow_shadow_effective_policy_id
                            tag: istio.authorization.dry_run.allow_policy.name
                          - metadata:
                              kind:
                                request: {}
                              metadataKey:
                                key: envoy.filters.http.rbac
                                path:
                                - key: istio_dry_run_allow_shadow_engine_result
                            tag: istio.authorization.dry_run.allow_policy.result
                          - metadata:
                              kind:
                                request: {}
                              metadataKey:
                                key: envoy.filters.http.rbac
                                path:
                                - key: istio_dry_run_deny_shadow_effective_policy_id
                            tag: istio.authorization.dry_run.deny_policy.name
                          - metadata:
                              kind:
                                request: {}
                              metadataKey:
                                key: envoy.filters.http.rbac
                                path:
                                - key: istio_dry_run_deny_shadow_engine_result
                            tag: istio.authorization.dry_run.deny_policy.result
                          - literal:
                              value: latest
                            tag: istio.canonical_revision
                          - literal:
                              value: istio-ingressgateway
                            tag: istio.canonical_service
                          - literal:
                              value: mesh1
                            tag: istio.mesh_id
                          - literal:
                              value: istio-system
                            tag: istio.namespace
                          overallSampling:
                            numerator: 100
                            denominator: HUNDRED
                          randomSampling:
                            numerator: 1
                            denominator: HUNDRED
                          clientSampling:
                            numerator: 100
                            denominator: HUNDRED

general

decorator:

{
  "operation": "...",
  "propagate": "{...}"
}

ef-route_config-virtual_hosts-routes-general.yaml

kubectl apply -f ef-route_config-virtual_hosts-routes-general.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      metadata:
                        filter_metadata:
                          "envoy.lb": 
                            canary: true
                      decorator:
                        operation: test
                        propagate: true
                      typed_per_filter_config:
                        envoy.filters.http.bandwidth_limit:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.bandwidth_limit.v3alpha.BandwidthLimit
                          stat_prefix: bandwidth_limiter_custom_route
                          enable_mode: REQUEST_AND_RESPONSE
                          limit_kbps: 500
                          fill_interval: 0.1s
                      request_headers_to_add:
                      - header:
                          key: test1
                          value: test1
                        append: true
                      request_headers_to_remove:
                      - test2
                      response_headers_to_add:
                      - header:
                          key: test3
                          value: test3
                        append: true
                      response_headers_to_remove:
                      - test3
                      per_request_buffer_limit_bytes: 1024
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"

require_tls

NONE

ef-route_config-virtual_hosts-require_tls.yaml

kubectl apply -f ef-route_config-virtual_hosts-require_tls.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    require_tls: NONE 
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"

EXTERNAL_ONLY

ef-route_config-virtual_hosts-require_tls-EXTERNAL_ONLY.yaml

kubectl apply -f ef-route_config-virtual_hosts-require_tls-EXTERNAL_ONLY.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    require_tls: EXTERNAL_ONLY 
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"

ALL

ef-route_config-virtual_hosts-require_tls-ALL.yaml

kubectl apply -f ef-route_config-virtual_hosts-require_tls-ALL.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    require_tls: ALL 
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"

virtual_clusters

{
  "headers": [],
  "name": "..."
}

headers:

{
  "name": "...",
  "exact_match": "...",
  "safe_regex_match": "{...}",
  "range_match": "{...}",
  "present_match": "...",
  "prefix_match": "...",
  "suffix_match": "...",
  "contains_match": "...",
  "string_match": "{...}",
  "invert_match": "..."
}

ef-route_config-virtual_hosts-virtual_clusters.yaml

kubectl apply -f ef-route_config-virtual_hosts-virtual_clusters.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    virtual_clusters:
                    - headers:
                      - name: test
                        exact_match: test
                      name: test
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"

rate_limits

{
  "stage": "{...}",
  "disable_key": "...",
  "actions": [],
  "limit": "{...}"
}

actions:

{
  "source_cluster": "{...}",
  "destination_cluster": "{...}",
  "request_headers": "{...}",
  "remote_address": "{...}",
  "generic_key": "{...}",
  "header_value_match": "{...}",
  "dynamic_metadata": "{...}",
  "metadata": "{...}",
  "extension": "{...}"
}

ef-route_config-virtual_hosts-rate_limits.yaml

kubectl apply -f ef-route_config-virtual_hosts-rate_limits.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    rate_limits:
                    - stage: 0
                      disable_key: test
                      actions:
                      - source_cluster: {}
                      limit:
                        dynamic_metadata:
                          metadata_key:
                            key: envoy.xxx
                            path:
                            - key: prop
                            - key: foo
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"

headers

ef-route_config-virtual_hosts-headers.yaml

kubectl apply -f ef-route_config-virtual_hosts-headers.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    request_headers_to_add:
                    - header:
                        key: test1
                        value: test1
                      append: true
                    request_headers_to_remove:
                    - test2
                    response_headers_to_add:
                    - header:
                        key: test3
                        value: test3
                      append: true
                    response_headers_to_remove:
                    - test4
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"

cors

{
  "allow_origin_string_match": [],
  "allow_methods": "...",
  "allow_headers": "...",
  "expose_headers": "...",
  "max_age": "...",
  "allow_credentials": "{...}",
  "filter_enabled": "{...}",
  "shadow_enabled": "{...}"
}

ef-route_config-virtual_hosts-cors.yaml

kubectl apply -f ef-route_config-virtual_hosts-cors.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    cors:
                      allow_origin_string_match:
                      - safe_regex:
                          google_re2: {}
                          regex: ".*test.*"
                      allow_methods: POST,GET,OPTION
                      allow_headers: test
                      expose_headers: test2
                      max_age: 1h
                      allow_credentials: true
                      filter_enabled:
                        default_value:
                           numerator: 100
                           denominator: HUNDRED
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"

typed_per_filter_config

ef-route_config-virtual_hosts-typed_per_filter_config.yaml

kubectl apply -f ef-route_config-virtual_hosts-typed_per_filter_config.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    typed_per_filter_config:
                      envoy.filters.http.bandwidth_limit:
                        "@type": type.googleapis.com/envoy.extensions.filters.http.bandwidth_limit.v3alpha.BandwidthLimit
                        stat_prefix: bandwidth_limiter_custom_route
                        enable_mode: REQUEST_AND_RESPONSE
                        limit_kbps: 500
                        fill_interval: 0.1s
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"

retry_policy

{
  "retry_on": "...",
  "num_retries": "{...}",
  "per_try_timeout": "{...}",
  "per_try_idle_timeout": "{...}",
  "retry_priority": "{...}",
  "retry_host_predicate": [],
  "retry_options_predicates": [],
  "host_selection_retry_max_attempts": "...",
  "retriable_status_codes": [],
  "retry_back_off": "{...}",
  "rate_limited_retry_back_off": "{...}",
  "retriable_headers": [],
  "retriable_request_headers": []
}

ef-route_config-virtual_hosts-retry_policy.yaml

kubectl apply -f ef-route_config-virtual_hosts-retry_policy.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    retry_policy:
                      retry_on: 5xx,gateway-error,reset,connect-failure
                      num_retries: 3
                      per_try_timeout: 10s
                      #per_try_idle_timeout: 10s
                      retry_priority:
                        name: envoy.retry_priorities.previous_priorities
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.retry.priority.previous_priorities.v3.PreviousPrioritiesConfig
                          update_frequency: 2
                      retry_host_predicate:
                      - name: envoy.retry_host_predicates.previous_hosts  
                      host_selection_retry_max_attempts: 3
                      retriable_status_codes: 
                      - 503 
                      retry_back_off:
                        base_interval: 10ms
                        max_interval: 50ms
                      rate_limited_retry_back_off:
                        reset_headers:
                        - name: Retry-After
                          format: SECONDS
                        - name: X-RateLimit-Reset
                          format: UNIX_TIMESTAMP
                        max_interval: "300s"
                      retriable_headers:
                      - name: test
                        exact_match: test
                      retriable_request_headers:
                      - name: test
                        exact_match: test
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"

general

ef-route_config-virtual_hosts-general.yaml

kubectl apply -f ef-route_config-virtual_hosts-general.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    include_request_attempt_count: true
                    include_attempt_count_in_response: true
                    hedge_policy:
                      hedge_on_per_try_timeout: true
                    per_request_buffer_limit_bytes: 1024
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"

scoped_routes

{
  "name": "...",
  "scope_key_builder": "{...}",
  "rds_config_source": "{...}",
  "scoped_route_configurations_list": "{...}",
  "scoped_rds": "{...}"
}

1scoped_route_configurations_list
header_value_extractor:

{
  "name": "...",
  "element_separator": "...",
  "index": "...",
  "element": "{...}"
}

rds_config_source:

{
  "path": "...",
  "api_config_source": "{...}",
  "ads": "{...}",
  "initial_fetch_timeout": "{...}",
  "resource_api_version": "..."
}

scoped_route_configurations:

{
  "on_demand": "...",
  "name": "...",
  "route_configuration_name": "...",
  "key": "{...}"
}

ef-scoped_routes-scoped_route_configurations_list.yaml

kubectl apply -f ef-scoped_routes-scoped_route_configurations_list.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                scoped_routes:
                  name: test
                  scope_key_builder:
                    fragments:
                    - header_value_extractor:
                        name: X-Header
                        element_separator: ";"
                        index: 0
                        element:
                          separator: "="
                          key: test
                  rds_config_source:
                    ads: {}
                    initialFetchTimeout: 10s
                    resourceApiVersion: V3
                  scoped_route_configurations_list:
                    scoped_route_configurations:
                    - on_demand: true
                      name: test
                      route_configuration_name: http.8080
                      key:
                        fragments:
                        - string_key: test

2scoped_rds
ef-scoped_routes-scoped_rds.yaml

kubectl apply -f ef-scoped_routes-scoped_rds.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                scoped_routes:
                  name: test
                  scope_key_builder:
                    fragments:
                    - header_value_extractor:
                        name: X-Header
                        element_separator: ";"
                        index: 0
                        element:
                          separator: "="
                          key: test
                  rds_config_source:
                    ads: {}
                    initialFetchTimeout: 10s
                    resourceApiVersion: V3
                  scoped_rds:
                    scoped_rds_config_source:
                      ads: {}
                      initialFetchTimeout: 10s
                      resourceApiVersion: V3

http_filters

tracing

{
  "client_sampling": "{...}",
  "random_sampling": "{...}",
  "overall_sampling": "{...}",
  "verbose": "...",
  "max_path_tag_length": "{...}",
  "custom_tags": [],
  "provider": "{...}"
}

provider:

envoy.tracers.datadog
envoy.tracers.dynamic_ot
envoy.tracers.lightstep
envoy.tracers.opencensus
envoy.tracers.skywalking
envoy.tracers.xray
envoy.tracers.zipkin

ef-tracing.yaml

kubectl apply -f ef-tracing.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"
                tracing:
                  overallSampling:
                    value: 99
                  randomSampling:
                    value: 1
                  clientSampling:
                    value: 99
                  verbose: true
                  max_path_tag_length: 256
                 # provider:
                 #   name: envoy.tracers.zipkin

common_http_protocol_options

{
  "idle_timeout": "{...}",
  "max_connection_duration": "{...}",
  "max_headers_count": "{...}",
  "max_stream_duration": "{...}",
  "headers_with_underscores_action": "...",
  "max_requests_per_connection": "{...}"
}

headers_with_underscores_action:

ALLOW

(DEFAULT) ⁣Allow headers with underscores. This is the default behavior.

REJECT_REQUEST

⁣Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests end with the stream reset. The “httpN.requests_rejected_with_underscores_in_headers” counter is incremented for each rejected request.

DROP_HEADER

⁣Drop the header with name containing underscores. The header is dropped before the filter chain is invoked and as such filters will not see dropped headers. The “httpN.dropped_headers_with_underscores” is incremented for each dropped header.

ef-common_http_protocol_options.yaml

kubectl apply -f ef-common_http_protocol_options.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"
                common_http_protocol_options:
                  idle_timeout: 10s
                  max_connection_duration: 10s
                  max_headers_count: 1
                  max_stream_duration: 10s
                  headers_with_underscores_action: ALLOW 
                  #max_requests_per_connection: 1 

http_protocol_options

{
  "allow_absolute_url": "{...}",
  "accept_http_10": "...",
  "default_host_for_http_10": "...",
  "header_key_format": "{...}",
  "enable_trailers": "...",
  "allow_chunked_length": "...",
  "override_stream_error_on_invalid_http_message": "{...}"
}

header_key_format:

{
  "proper_case_words": "{...}",
  "stateful_formatter": "{...}"
}

ef-http_protocol_options.yaml

kubectl apply -f ef-http_protocol_options.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"
                http_protocol_options:
                  allow_absolute_url: true
                  accept_http_10: true
                  default_host_for_http_10: test
                  header_key_format:
                    proper_case_words: {}
                  enable_trailers: true
                  allow_chunked_length: true
                  override_stream_error_on_invalid_http_message: true

http2_protocol_options

{
  "hpack_table_size": "{...}",
  "max_concurrent_streams": "{...}",
  "initial_stream_window_size": "{...}",
  "initial_connection_window_size": "{...}",
  "allow_connect": "...",
  "max_outbound_frames": "{...}",
  "max_outbound_control_frames": "{...}",
  "max_consecutive_inbound_frames_with_empty_payload": "{...}",
  "max_inbound_priority_frames_per_stream": "{...}",
  "max_inbound_window_update_frames_per_data_frame_sent": "{...}",
  "stream_error_on_invalid_http_messaging": "...",
  "override_stream_error_on_invalid_http_message": "{...}",
  "connection_keepalive": "{...}"
}

HPACK(HTTP2 头部压缩算法)

connection_keepalive:

{
  "interval": "{...}",
  "timeout": "{...}",
  "interval_jitter": "{...}",
  "connection_idle_interval": "{...}"
}

ef-http2_protocol_options.yaml

kubectl apply -f ef-http2_protocol_options.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /
                      direct_response:
                        status: 200
                        body: 
                          inline_string: "prefix"
                http2_protocol_options:
                  hpack_table_size: 4096
                  max_concurrent_streams: 10
                  initial_stream_window_size: 268435456 
                  initial_connection_window_size: 268435456
                  allow_connect: true
                  max_outbound_frames: 10000
                  max_outbound_control_frames: 1000
                  max_consecutive_inbound_frames_with_empty_payload: 1
                  max_inbound_priority_frames_per_stream: 100
                  max_inbound_window_update_frames_per_data_frame_sent: 10
                  #stream_error_on_invalid_http_messaging: true
                  override_stream_error_on_invalid_http_message: true
                  connection_keepalive:
                    interval: 100ms
                    timeout: 10ms
                    interval_jitter:
                      value: 10
                    connection_idle_interval: 10s

3.11access_log

upgrade_configs

{
  "upgrade_type": "...",
  "filters": [],
  "enabled": "{...}"
}

filters:

{
  "name": "...",
  "typed_config": "{...}",
  "config_discovery": "{...}",
  "is_optional": "..."
}

ef-3.12upgrade_configs.yaml

kubectl apply -f ef-3.12upgrade_configs.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
                upgrade_configs:
                - upgrade_type: websocket
                  enabled: true
                  #filters:

general

server_header_transformation:

OVERWRITE

(DEFAULT) ⁣Overwrite any Server header with the contents of server_name.

APPEND_IF_ABSENT

⁣If no Server header is present, append Server server_name If a Server header is present, pass it through.

PASS_THROUGH

⁣Pass through the value of the server header, and do not append a header if none is present.

original_ip_detection_extensions:

envoy.http.original_ip_detection.custom_header
envoy.http.original_ip_detection.xff
envoy.http.original_ip_detection.custom_header

{
  "header_name": "...",
  "allow_extension_to_set_address_as_trusted": "...",
  "reject_with_status": "{...}"
}

forward_client_cert_details:

How to handle the x-forwarded-client-cert (XFCC) HTTP header.

SANITIZE

(DEFAULT) ⁣Do not send the XFCC header to the next hop. This is the default value.

FORWARD_ONLY

⁣When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request.

APPEND_FORWARD

⁣When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it.

SANITIZE_SET

⁣When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop.

ALWAYS_FORWARD_ONLY

⁣Always forward the XFCC header in the request, regardless of whether the client connection is mTLS.

set_current_client_cert_details:

{
  "subject": "{...}",
  "cert": "...",
  "chain": "...",
  "dns": "...",
  "uri": "..."
}

path_with_escaped_slashes_action:

Determines the action for request that contain %2F, %2f, %5C or %5c sequences in the URI path. This operation occurs before URL normalization and the merge slashes transformations if they were enabled.

IMPLEMENTATION_SPECIFIC_DEFAULT

(DEFAULT) ⁣Default behavior specific to implementation (i.e. Envoy) of this configuration option. Envoy, by default, takes the KEEP_UNCHANGED action. NOTE: the implementation may change the default behavior at-will.

KEEP_UNCHANGED

⁣Keep escaped slashes.

REJECT_REQUEST

⁣Reject client request with the 400 status. gRPC requests will be rejected with the INTERNAL (13) error code. The “httpN.downstream_rq_failed_path_normalization” counter is incremented for each rejected request.

UNESCAPE_AND_REDIRECT

⁣Unescape %2F and %5C sequences and redirect request to the new path if these sequences were present. Redirect occurs after path normalization and merge slashes transformations if they were configured. NOTE: gRPC requests will be rejected with the INTERNAL (13) error code. This option minimizes possibility of path confusion exploits by forcing request with unescaped slashes to traverse all parties: downstream client, intermediate proxies, Envoy and upstream server. The “httpN.downstream_rq_redirected_with_normalized_path” counter is incremented for each redirected request.

UNESCAPE_AND_FORWARD

⁣Unescape %2F and %5C sequences. Note: this option should not be enabled if intermediaries perform path based access control as it may lead to path confusion vulnerabilities.

request_id_extension:

{
  "pack_trace_reason": "{...}",
  "use_request_id_for_trace_sampling": "{...}"
}

ef-general.yaml

kubectl apply -f ef-general.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
                add_user_agent: true
                server_name: envoy
                server_header_transformation: OVERWRITE
                scheme_header_transformation:
                  scheme_to_overwrite: http
                max_request_headers_kb: 60
                stream_idle_timeout: 5m
                request_timeout: 1m
                request_headers_timeout: 30s
                drain_timeout: 10s
                delayed_close_timeout: 1000ms
                use_remote_address: true
                xff_num_trusted_hops: 3
                original_ip_detection_extensions: 
                - name: envoy.http.original_ip_detection.custom_header
                  typed_config:
                    '@type': type.googleapis.com/envoy.extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig
                    header_name: test
                    allow_extension_to_set_address_as_trusted: true
                    reject_with_status:
                      code: Forbidden
                internal_address_config:
                  unix_sockets: true
                skip_xff_append: false
                via: via
                generate_request_id: true
                preserve_external_request_id: true
                always_set_request_id_in_response: true
                forward_client_cert_details: SANITIZE_SET
                set_current_client_cert_details:
                  subject: true
                  cert: true
                  chain: true
                  dns: true
                  uri: true
                proxy_100_continue: true
                normalize_path: true
                merge_slashes: true
                request_id_extension:
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.request_id.uuid.v3.UuidRequestIdConfig
                    pack_trace_reason: false
                    use_request_id_for_trace_sampling: true
                path_with_escaped_slashes_action: IMPLEMENTATION_SPECIFIC_DEFAULT
                strip_matching_host_port: true
                #strip_any_host_port: true
                stream_error_on_invalid_http_message: true
                strip_trailing_host_dot: true

local_reply_config

{
  "mappers": [],
  "body_format": "{...}"
}

mappers:

{
  "filter": "{...}",
  "status_code": "{...}",
  "body": "{...}",
  "body_format_override": "{...}",
  "headers_to_add": []
}

filter:

{
  "status_code_filter": "{...}",
  "duration_filter": "{...}",
  "not_health_check_filter": "{...}",
  "traceable_filter": "{...}",
  "runtime_filter": "{...}",
  "and_filter": "{...}",
  "or_filter": "{...}",
  "header_filter": "{...}",
  "response_flag_filter": "{...}",
  "grpc_status_filter": "{...}",
  "extension_filter": "{...}",
  "metadata_filter": "{...}"
}

body_format:

{
  "text_format": "...",
  "json_format": "{...}",
  "text_format_source": "{...}",
  "omit_empty_values": "...",
  "content_type": "...",
  "formatters": []
}

ef-local_reply_config.yaml

kubectl apply -f ef-local_reply_config.yaml -n istio-system
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
              name: envoy.filters.network.http_connection_manager
              typedConfig:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: test
                  virtual_hosts:
                  - name: test
                    domains:
                    - "*"
                    routes:
                    - name: testroute
                      match: 
                        prefix: /product
                      route:
                        weighted_clusters:
                          clusters:
                          - name: outbound|9080||productpage.istio.svc.cluster.local
                            weight: 100
                          total_weight: 100
                          runtime_key_prefix: test
                local_reply_config:
                  mappers:
                  - status_code: 200
                    filter:
                      header_filter:
                        header:
                          name: test
                          exact_match: test
                    body: 
                      inline_string: "test"
                    body_format_override:
                      text_format: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n" 
                    headers_to_add:
                    - header:
                        key: test
                        value: test
                      append: true
                  body_format:
                    text_format: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n"      
赞(0) 打赏
未经允许不得转载:竹影清风阁 » network filter-HttpConnectionManager
分享到

大佬们的评论 抢沙发

全新“一站式”建站,高质量、高售后的一条龙服务

微信 抖音 支付宝 百度 头条 快手全平台打通信息流

橙子建站.极速智能建站8折购买虚拟主机

觉得文章有用就打赏一下文章作者

非常感谢你的打赏,我们将继续给力更多优质内容,让我们一起创建更加美好的网络世界!

支付宝扫一扫

微信扫一扫

登录

找回密码

注册