Using internal listeners requires effective source/destination IPs to be set instead of the internal envoy addresses. This is needed to de-tunnel the inner traffic and apply traffic policies without refactoring policies in terms of the internal addresses.
The original_dst listener filter seems like the perfect fit for this use case. The feature is to add support for programming the source/destination address via this filter on the internal listeners.
…9655)
Adds support for recovery of the local and the remote addresses in the internal connections using the original_dst listener filter. This supports two use cases:
- cluster endpoint tunneling: endpoint host metadata is passed through to the internal listener to set the IP destination. Example:

    name: internal_outbound
    load_assignment:
      cluster_name: internal_outbound
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              envoy_internal_address:
                server_listener_name: internal_outbound
          metadata:
            filter_metadata:
              envoy.filters.listener.original_dst:
                local: 127.0.0.1:8080 # Actual network destination
    transport_socket:
      name: envoy.transport_sockets.internal_upstream
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.internal_upstream.v3.InternalUpstreamTransport
        passthrough_metadata:
        - name: envoy.filters.listener.original_dst
          kind: { host: {}}
        transport_socket:
          name: envoy.transport_sockets.raw_buffer
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer

- de-tunneling: a CONNECT stream saves the host as the destination address, which is then passed through to the internal listener upstream. This requires a custom filter that sets a filter state object and marks it as shared with the upstream connection. Example implementation: https://github.com/istio/proxy/blob/master/source/extensions/filters/http/connect_authority/filter.cc
Risk Level: low, new feature
Testing: added
Docs Changes: yes
Release Notes: yes
Issue: #29652
issue: #29681
Signed-off-by: Kuat Yessenov <kuat@google.com>
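
A pre-deployment check for the cluster endpoint tunneling case above, as an added example that is not part of the commit or of Envoy: it reports internal-address endpoints whose `local` metadata is missing or malformed, or whose transport socket does not pass the host metadata through, since in either case the internal listener has no real destination on which to apply policy. It assumes the cluster is already loaded as a Python dict and that `local` must be a literal IP:port as in the commit's example; `lint_cluster`, `valid_ip_port` and `GOOD` are hypothetical names.

```python
import ipaddress

KEY = "envoy.filters.listener.original_dst"  # metadata namespace from the page
INTERNAL_UPSTREAM = "envoy.transport_sockets.internal_upstream"

def valid_ip_port(value):
    """True for 'IPv4:port' or '[IPv6]:port' with a port in 1..65535."""
    host, sep, port = str(value).rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def lint_cluster(cluster):
    """Return findings; an empty list means the tunnel metadata is wired up."""
    findings, internal = [], False
    for group in cluster.get("load_assignment", {}).get("endpoints", []):
        for i, lb in enumerate(group.get("lb_endpoints", [])):
            addr = lb.get("endpoint", {}).get("address", {})
            if "envoy_internal_address" not in addr:
                continue  # ordinary endpoint, nothing to recover
            internal = True
            meta = lb.get("metadata", {}).get("filter_metadata", {}).get(KEY, {})
            if "local" not in meta:
                findings.append(f"endpoint {i}: no 'local' under {KEY}")
            elif not valid_ip_port(meta["local"]):
                findings.append(f"endpoint {i}: 'local' is not IP:port: {meta['local']!r}")
    if internal:
        ts = cluster.get("transport_socket", {})
        passed = ts.get("typed_config", {}).get("passthrough_metadata", [])
        if ts.get("name") != INTERNAL_UPSTREAM:
            findings.append("transport_socket is not internal_upstream")
        elif not any(p.get("name") == KEY and "host" in p.get("kind", {}) for p in passed):
            findings.append(f"passthrough_metadata does not forward host {KEY}")
    return findings

# Constructed sample mirroring the cluster in the commit message above.
GOOD = {
    "name": "internal_outbound",
    "load_assignment": {"endpoints": [{"lb_endpoints": [{
        "endpoint": {"address": {"envoy_internal_address": {"server_listener_name": "internal_outbound"}}},
        "metadata": {"filter_metadata": {KEY: {"local": "127.0.0.1:8080"}}},
    }]}]},
    "transport_socket": {"name": INTERNAL_UPSTREAM, "typed_config": {
        "passthrough_metadata": [{"name": KEY, "kind": {"host": {}}}]}},
}
```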