Closed gdhagger closed 5 years ago
@gdhagger For the particular case of using a Google HTTPS balancer over GKE, we've been able to make it work with a bunch of workarounds:
type: NodePort
and externalTrafficPolicy: Local
, port 15020 (healthcheck) is also exposed to (an arbitrary) nodePort
31320 (similar to the default 31380 for HTTP and 31390 for HTTPS)/healthz/ready
(The drawback here is that if a node pool is recreated then the ports should be mapped again for the new instance group, but we have the whole sequence scripted in Terraform so it helps a bit.)
With this configuration a common Gateway resource with httpsRedirect for port 80 and TLS mode: SIMPLE
termination on port 443 is working as expected.
Hope it helps.
@sangwa These workarounds shouldn't be necessary, and even with them I don't believe it actually solves the problem.
Also, from the testing I've done, even with externalTrafficPolicy: Local
I don't believe the correct IP will be used by envoy as the 'real' IP of the client unless we are able to tune the use_remote_address
parameter. (Also, for the record I'm using Network Endpoint Groups rather than Instance Groups to hit my pods)
For now I've solved the redirect portion by putting AWS CloudFront in front of my LB for any subdomains that need to be redirected from HTTP->HTTPS.
Two loadbalancers = two IPs
Not necessarily, we have both balancers on the same global IP, just different ports (80 vs 443).
My apologies, you're absolutely right! For some reason I was completely convinced I could only attach a global IP to one LB at a time.
On Tue, Mar 26, 2019 at 2:35 AM Yaroslav Zhavoronkov < notifications@github.com> wrote:
Two loadbalancers = two IPs
Not necessarily, we have both balancers on the same global IP, just different ports (80 vs 443).
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/istio/istio/issues/12549#issuecomment-476494010, or mute the thread https://github.com/notifications/unsubscribe-auth/AAbeH-sZTG76IEagLGFLJHJJgWLTgAA2ks5vab-ygaJpZM4b4HhW .
Note for anyone who comes across this issue:
When trying to create an ingress assigned to a global IP already attached to another loadbalancer NOT managed by GKE ingress, I received the following error:
Error during sync: Error running load balancer syncing routine: googleapi: Error 400: Invalid value for field 'resource.IPAddress': 'IP.RED.ACT.ED'. Specified IP address is in-use and would result in a conflict., invalid
However, using another IP address I was able to create two GKE ingresses using the same global IP.
I have the exact same problem... I think Istio should trust headers comming from known upper LB and avoidi to strip them. I understand the security issues related to these headers, but this is a blocking point for us to adopt Istio.
Same issue here.
Can someone that works on Istio help triage this?
Maybe @rshriram? I've seen some comments of yours on some related PRs / issues, such as #13157.
@howardjohn - are there any updates on this? cc: @PiotrSikora, who was also active in the conversation over on #7679, which is related.
Yes. Someone added this and we found later it broke existing users so we set it behind a feature flag. For now it can be enabled with --set pilot.env.PILOT_SIDECAR_USE_REMOTE_ADDRESS=true
. I think someone is working on adding a proper api for this
Also, with the newer EnvoyFilter API, you can tweak a whole lot of envoy settings like this without clumsy workarounds like env vars. https://github.com/istio/api/blob/master/networking/v1alpha3/envoy_filter.proto
@rshriram - that api looks like exactly what we want. Nice. Is going to be in 1.3.x, or later?
@howardjohn - thanks! I'll check that out in the meantime.
1.3.x .. its almost done
This seems completed by both Envoyfilter and the short term solution of environment variable. Is there any other work to be done here?
Yes. Someone added this and we found later it broke existing users so we set it behind a feature flag. For now it can be enabled with
--set pilot.env.PILOT_SIDECAR_USE_REMOTE_ADDRESS=true
. I think someone is working on adding a proper api for this
I might be missing something but I don't see how this is applied to the ingress-gateway ? this seems hardcoded here : https://github.com/istio/istio/blob/f772ceea87ae58896e1eabe2cf83ebfd8c54bf6d/pilot/pkg/networking/core/v1alpha3/gateway.go#L358
@howardjohn I think we should re-open this issue :
The issues specifically is about setting use_remote_address
to false
on the ingress-gateway.
Currently I have not been able to do that, except by forking pilot.
the flag you mention does allow setting use_remote_address
to true
for sidecars (defaults to false) but it doesn't change anything on the ingress-gateway. On my ingress-gateway the use_remote_address
is true
which is the default on 1.3.x as far as I can make from the code.
Using the EnvoyFilter below I'm able to modify the http_connection_manager but my value for use_remote_address
is over-ridden during the MERGE
.
I know my envoy filter is applied because the xffNumTrustedHops
is set to 2
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ingressgateway-settings
namespace: istio-system
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: envoy.http_connection_manager
patch:
operation: MERGE
value:
typed_config:
'@type': type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
use_remote_address: false
xff_num_trusted_hops: 2
workloadSelector:
labels:
istio: ingressgateway
[
{
"name": "0.0.0.0_80",
"address": {
"socketAddress": {
"address": "0.0.0.0",
"portValue": 80
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
"statPrefix": "0.0.0.0_80",
"rds": {
...
},
"httpFilters": [
...
],
"useRemoteAddress": true,
"xffNumTrustedHops": 2,
...
}
]
Maybe related use_remote_address
is not a bool type. it is a struct
type BoolValue struct {
// The bool value.
Value bool `protobuf:"varint,1,opt,name=value,proto3" json:"value,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
}
You can preserve the external request id with the following EnvoyFilter. I'm running Istio 1.3.0.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ingressgateway-settings
namespace: istio-system
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: envoy.http_connection_manager
patch:
operation: MERGE
value:
typed_config:
'@type': type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
preserve_external_request_id: true
Maybe related
use_remote_address
is not a bool type. it is a structtype BoolValue struct { // The bool value. Value bool `protobuf:"varint,1,opt,name=value,proto3" json:"value,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
Maybe you're onto something @hzxuzhonghu use_remote_address
is BoolType
whereas preserve_external_request_id
is indeed bool
.
However my understanding is that the representation in json is a bool in both case : https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue
@fcantournet have you got a solution for your issue for 1.3.x version, i have created a EnvoyFilter
similar to yours, and confirmed that it works on 1.4.0, but there're intermittent 503 issues. Changing it to 1.3.5 doesn't seem to work
@jh-sz I am facing the same issue on 1.3.5, setting xff_num_trusted_hops works on 1.4.0 but not in 1.3.5, did you managed to make it work ?
@bbenlazreg don't think it works for 1.3.5
don't think it's solved in 1.10. I can not set use_remote_address: false
via EnvoyFilter
This is still true as of Istio 1.17.2. I've tried using this EnvoyFilter:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ingressgateway-settings
namespace: istio-ingressgateway
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: envoy.filters.network.http_connection_manager
patch:
operation: MERGE
value:
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
use_remote_address: false
xff_num_trusted_hops: 2
workloadSelector:
labels:
istio: ingressgateway-ns
And saw the same thing:
use_remote_address: true,
...
xff_num_trusted_hops: 2,
This is a duplicate of https://github.com/istio/istio/issues/18169
Describe the feature request Need to be able to tell an ingressgateway that it's not the absolute edge proxy. Currently the value for it's envoy http connection filter 'use_remote_address' configuration is hardcoded to true. This causes it to ignore values set for x-forwarded-for, x-forwarded-proto etc. In turn, this breaks the behavior of the httpsRedirect flag in a gateway configuration when TLS is terminated prior to the ingressgateway.
Describe alternatives you've considered I've experimented with using Lua EnvoyFilters to inspect headers and provide a workaround http->https redirect, however the filter sees the headers after they've already been mangled. Potentially I could run yet another proxy between the loadbalancer and the ingressgateway, but this is something I really want to avoid. As far as I can tell it's not possible to patch an automatically generated envoy filter.
Additional context My exact scenario is this:
Related to: