Closed
Description
So basically we have an Envoy + Istio setup running in a VM outside Kubernetes, and we want to start rate limiting based on domains, but no config is working for us.
```yaml
kind: EnvoyFilter
metadata:
  name: listener-http
  namespace: envoy
  labels:
    app: envoy
    env: stage
spec:
  workloadSelector:
    labels:
      app: envoy
  configPatches:
  - applyTo: LISTENER
    match:
      context: GATEWAY
    patch:
      operation: ADD
      value:
        name: "http_listener"
        address:
          socket_address:
            address: "0.0.0.0"
            port_value: 80
        filter_chains:
        - filters:
          - name: "envoy.filters.network.http_connection_manager"
            typed_config:
              "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
              codec_type: AUTO
              stat_prefix: ingress
              use_remote_address: true
              normalize_path: true
              merge_slashes: true
              path_with_escaped_slashes_action: UNESCAPE_AND_REDIRECT
              http2_protocol_options:
                max_concurrent_streams: 100
                initial_stream_window_size: 65536
                initial_connection_window_size: 1048576
              stream_idle_timeout: 1s
              request_timeout: 2s
              delayed_close_timeout: 1s
              generate_request_id: false
              access_log:
              - name: envoy.access_loggers.file
                filter:
                  status_code_filter:
                    comparison:
                      op: LE
                      value:
                        default_value: 300
                        runtime_key: access_log.access_error.status
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                  path: "/var/log/istio/envoy-http-2xx.log"
              - name: envoy.access_loggers.file
                filter:
                  status_code_filter:
                    comparison:
                      op: GE
                      value:
                        default_value: 300
                        runtime_key: access_log.access_error.status
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                  path: "/var/log/istio/envoy-http-non-2xx.log"
                  log_format:
                    json_format:
                      timestamp: "%START_TIME%"
                      request_method: "%REQ(:METHOD)%"
                      request_path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
                      protocol: "%PROTOCOL%"
                      response_code: "%RESPONSE_CODE%"
                      response_flags: "%RESPONSE_FLAGS%"
                      connection_termination: "%CONNECTION_TERMINATION_DETAILS%"
                      upstream_failure_reason: "%UPSTREAM_TRANSPORT_FAILURE_REASON%"
                      bytes_received: "%BYTES_RECEIVED%"
                      bytes_sent: "%BYTES_SENT%"
                      duration: "%DURATION%"
                      rq_tx_duration: "%REQUEST_TX_DURATION%"
                      upstream_service_time: "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
                      x_forwarded_for: "%REQ(X-FORWARDED-FOR)%"
                      user_agent: "%REQ(USER-AGENT)%"
                      request_id: "%REQ(X-REQUEST-ID)%"
                      authority: "%REQ(:AUTHORITY)%"
                      upstream_host: "%UPSTREAM_HOST%"
                      upstream_addr: "%UPSTREAM_LOCAL_ADDRESS%"
                      rq_server_name: "%REQUESTED_SERVER_NAME%"
                      route_name: "%ROUTE_NAME%"
                      content_type: "%REQ(CONTENT-TYPE)%"
                      content_length: "%REQ(CONTENT-LENGTH)%"
                      content_encoding: "%REQ(CONTENT-ENCODING)%"
                      downstream_tcp_failure: "%DOWNSTREAM_TRANSPORT_FAILURE_REASON%"
                      downstream_handshake_duration: "%DOWNSTREAM_HANDSHAKE_DURATION%"
                      rtt_duration: "%ROUNDTRIP_DURATION%"
              route_config:
                name: cluster_route
                request_headers_to_add:
                - header:
                    key: X-Client-IP
                    value: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
                - header:
                    key: X-Proxy
                    value: "%HOSTNAME%"
                - header:
                    key: X-Request-Start
                    value: "%START_TIME(%s.%3f)%"
                  append_action: ADD_IF_ABSENT
                virtual_hosts:
                - name: "client_hosts"
                  domains:
                  - test.abc.com
                  routes:
                  - match:
                      prefix: "/"
                    route:
                      weighted_clusters:
                        clusters:
                        - name: "outbound|7017|service|service.test.svc.cluster.local"
                          weight: 100
                        total_weight: 100
                      rate_limits:
                      - stage: 0
                        actions:
                        - request_headers:
                            header_name: ":authority"
                            descriptor_key: "host"
                      max_stream_duration:
                        max_stream_duration: 5s
              http_filters:
              - name: envoy.filters.http.ratelimit
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
                  domain: global-rate-limit
                  stage: 0
                  rate_limited_as_resource_exhausted: true
                  failure_mode_deny: false
                  enable_x_ratelimit_headers: DRAFT_VERSION_03
                  rate_limit_service:
                    grpc_service:
                      envoy_grpc:
                        cluster_name: rate_limit_service
                    transport_api_version: V3
              - name: "envoy.filters.http.router"
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
              local_reply_config:
                mappers:
                - filter:
                    status_code_filter:
                      comparison:
                        op: GE
                        value:
                          default_value: 500
                          runtime_key: "non_2xx_status_code"
                  status_code: 204
```
This is the config, and the problem is that Envoy is not even trying to call the rate limiting service:
2025-03-13T07:35:05.037220Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:182 [Tags: "ConnectionId":"15916"] creating stream thread=1030541
2025-03-13T07:35:05.037249Z debug envoy router external/envoy/source/common/router/upstream_request.cc:563 [Tags: "ConnectionId":"17105","StreamId":"3984706284249986929"] pool ready thread=1030541
2025-03-13T07:35:05.037236Z debug envoy pool external/envoy/source/common/http/conn_pool_base.cc:78 queueing stream due to no available connections (ready=0 busy=0 connecting=0)thread=1030512
2025-03-13T07:35:05.037269Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:291 trying to create new connection thread=1030512
2025-03-13T07:35:05.037271Z debug envoy client external/envoy/source/common/http/codec_client.cc:141 [Tags: "ConnectionId":"15916"] encode complete thread=1030541
2025-03-13T07:35:05.037274Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:145 creating a new connection (connecting=0) thread=1030512
2025-03-13T07:35:05.037292Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:484 [Tags: "ConnectionId":"17222"] client disconnected, failure reason: thread=1030541
2025-03-13T07:35:05.037316Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:454 invoking idle callbacks - is_draining_for_deletion_=false thread=1030541
2025-03-13T07:35:05.037330Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:215 [Tags: "ConnectionId":"17222"] destroying stream: 0 remaining thread=1030541
2025-03-13T07:35:05.037331Z debug envoy connection external/envoy/source/common/network/connection_impl.h:98 [Tags: "ConnectionId":"17224"] current connecting state: true thread=1030512
2025-03-13T07:35:05.037359Z debug envoy client external/envoy/source/common/http/codec_client.cc:57 [Tags: "ConnectionId":"17224"] connecting thread=1030512
2025-03-13T07:35:05.037365Z debug envoy connection external/envoy/source/common/network/connection_impl.cc:1009 [Tags: "ConnectionId":"17224"] connecting to 10.44.59.70:7017 thread=1030512
2025-03-13T07:35:05.037393Z debug envoy connection external/envoy/source/common/network/connection_impl.cc:1028 [Tags: "ConnectionId":"17224"] connection in progress thread=1030512
2025-03-13T07:35:05.037410Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:484 [Tags: "ConnectionId":"17223"] client disconnected, failure reason: thread=1030512
2025-03-13T07:35:05.037417Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:454 invoking idle callbacks - is_draining_for_deletion_=false thread=1030512
2025-03-13T07:35:05.037441Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:215 [Tags: "ConnectionId":"17223"] destroying stream: 0 remaining thread=1030512
2025-03-13T07:35:05.037612Z debug envoy connection external/envoy/source/common/network/connection_impl.cc:746 [Tags: "ConnectionId":"17224"] connected thread=1030512
2025-03-13T07:35:05.037624Z debug envoy client external/envoy/source/common/http/codec_client.cc:88 [Tags: "ConnectionId":"17224"] connected thread=1030512
2025-03-13T07:35:05.037631Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:328 [Tags: "ConnectionId":"17224"] attaching to next stream thread=1030512
2025-03-13T07:35:05.037646Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:182 [Tags: "ConnectionId":"17224"] creating stream thread=1030512
2025-03-13T07:35:05.037654Z debug envoy router external/envoy/source/common/router/upstream_request.cc:563 [Tags: "ConnectionId":"17093","StreamId":"7946817319171554321"] pool ready thread=1030512
2025-03-13T07:35:05.037671Z debug envoy client external/envoy/source/common/http/codec_client.cc:141 [Tags: "ConnectionId":"17224"] encode complete thread=1030512
2025-03-13T07:35:05.037720Z debug envoy client external/envoy/source/common/http/codec_client.cc:128 [Tags: "ConnectionId":"15916"] response complete thread=1030541
2025-03-13T07:35:05.037738Z debug envoy router external/envoy/source/common/router/router.cc:1479 [Tags: "ConnectionId":"17105","StreamId":"3984706284249986929"] upstream headers complete: end_stream=true thread=1030541
2025-03-13T07:35:05.037762Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:1863 [Tags: "ConnectionId":"17105","StreamId":"3984706284249986929"] encoding headers via codec (end_stream=true):
As visible in these debug logs, can someone please help with what's wrong?
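A static consistency check for the rate-limit wiring of a config like the one posted above, as an added example that is not part of the original issue and is not Envoy or Istio code. `HCM` is a constructed copy of only the rate-limit fields from the post; `check_ratelimit_wiring` and `known_clusters` (the cluster names the operator knows the proxy has loaded) are hypothetical names.

```python
# Added example: static wiring checks for the ratelimit parts of an HttpConnectionManager.
# HCM is a constructed dict mirroring only the rate-limit fields of the posted config.
RL = "envoy.filters.http.ratelimit"
ROUTER = "envoy.filters.http.router"

HCM = {
    "http_filters": [
        {"name": RL, "typed_config": {
            "domain": "global-rate-limit", "stage": 0, "failure_mode_deny": False,
            "rate_limit_service": {"grpc_service": {"envoy_grpc": {"cluster_name": "rate_limit_service"}}}}},
        {"name": ROUTER},
    ],
    "route_config": {"virtual_hosts": [{
        "name": "client_hosts",
        "routes": [{"match": {"prefix": "/"}, "route": {
            "rate_limits": [{"stage": 0, "actions": [
                {"request_headers": {"header_name": ":authority", "descriptor_key": "host"}}]}]}}],
    }]},
}

def check_ratelimit_wiring(hcm, known_clusters):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    names = [f["name"] for f in hcm.get("http_filters", [])]
    if RL not in names:
        return ["no ratelimit filter in http_filters"]
    if ROUTER in names and names.index(RL) > names.index(ROUTER):
        findings.append("ratelimit filter is listed after the router filter")
    cfg = hcm["http_filters"][names.index(RL)].get("typed_config", {})
    stage = cfg.get("stage", 0)
    cluster = (cfg.get("rate_limit_service", {}).get("grpc_service", {})
                  .get("envoy_grpc", {}).get("cluster_name"))
    if cluster not in known_clusters:
        findings.append(f"cluster {cluster!r} is not among the known clusters")
    if not cfg.get("failure_mode_deny", False):
        findings.append("failure_mode_deny is false: requests pass if the service is unreachable")
    stages = set()  # stages used by rate_limits on virtual hosts and on their routes
    for vh in hcm.get("route_config", {}).get("virtual_hosts", []):
        for holder in [vh] + [r.get("route", {}) for r in vh.get("routes", [])]:
            for rl in holder.get("rate_limits", []):
                stages.add(rl.get("stage", 0))
                if not rl.get("actions"):
                    findings.append(f"rate_limits entry in {vh['name']} has no actions")
    if stage not in stages:
        findings.append(f"no rate_limits entry uses the filter's stage {stage}")
    return findings
```

The posted EnvoyFilter does not show a definition for the `rate_limit_service` cluster, so `known_clusters` has to come from elsewhere, for example the cluster list on the proxy's admin interface.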