Open howardjohn opened 7 months ago
I recall Istio only printed the listener access log on a 404 in the past?
This isn't about listener access logs, but for HBONE the destination endpoint is an internal listener instead of an IP.
You can either change the hardcoded log format or just remove it (this option may make debugging difficult).
I think we want to log the real source and dest IP. This may just be changing the format to access some other info, but we might need to make changes in Envoy/istio-proxy to expose that info if it's not available (not sure what info we have).
There are two parts here:
"envoy://connect_originate/10.244.0.10:80". This seems easier, since the original IP is known to be in EDS metadata and access logs can access it. However, we would want to do something like metadata.ip OR upstream_addr for the non HBONE cases; I don't see how to do that in envoy. %CEL(...) seemed promising but has a lot of bugs.
envoy://connect_originate/10.244.0.10:80 is from %UPSTREAM_HOST%, which is related to https://github.com/envoyproxy/envoy/blob/main/source/common/network/address_impl.cc#L470.
envoy://internal_client_address/ is from %UPSTREAM_LOCAL_ADDRESS%, which is related to https://github.com/envoyproxy/envoy/blob/main/source/extensions/bootstrap/internal_listener/client_connection_factory.cc#L30
Not stale
When we use HBONE in envoy, we get access logs showing unexpected info
Without hbone:
With hbone:
Probably we can tweak these to avoid exposing internals
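Added example (not part of the issue thread, and not Istio or Envoy code): a log-consumer-side normalizer for the two address forms quoted above, so that tooling keyed on destination IP can still handle HBONE entries. It assumes the text after `envoy://<listener>/` is the original `ip:port`, as in the `connect_originate` example in the thread; the function and type names are hypothetical, and the non-`envoy://` sample values are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

INTERNAL_SCHEME = "envoy://"  # prefix of the internal-listener addresses quoted in the thread


class UpstreamAddr(NamedTuple):
    kind: str                # "ip", "internal_listener" or "unparsed"
    listener: Optional[str]  # internal listener name, e.g. "connect_originate"
    ip: Optional[str]        # real address when one can be recovered
    port: Optional[int]


def split_host_port(text):
    """Split 'ip:port' or '[ipv6]:port'; return (ip, port) or None if invalid."""
    host, sep, port = text.rpartition(":")
    if not sep or not (port.isascii() and port.isdigit()) or int(port) > 65535:
        return None
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    try:
        return str(ipaddress.ip_address(host)), int(port)
    except ValueError:
        return None


def normalize_upstream(field):
    """Normalize one upstream-address field taken from an access log line."""
    field = field.strip().strip('"')
    if field.startswith(INTERNAL_SCHEME):
        listener, _, endpoint = field[len(INTERNAL_SCHEME):].partition("/")
        parsed = split_host_port(endpoint)
        if parsed:
            # Assumption: the endpoint id carries the original destination ip:port.
            return UpstreamAddr("internal_listener", listener, *parsed)
        # e.g. envoy://internal_client_address/ carries no address at all.
        return UpstreamAddr("internal_listener", listener, None, None)
    parsed = split_host_port(field)
    if parsed:
        return UpstreamAddr("ip", None, *parsed)
    return UpstreamAddr("unparsed", None, None, None)


if __name__ == "__main__":
    # First two values are quoted in the thread; the rest are constructed samples.
    for sample in ['"envoy://connect_originate/10.244.0.10:80"',
                   "envoy://internal_client_address/",
                   "10.244.0.10:80", "[fd00::a]:8080", "-"]:
        print(sample, "->", normalize_upstream(sample))
```

Entries that come back as `internal_listener` with no `ip` are the ones that cannot be attributed to a real peer from the log line alone.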