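Istio EnvoyFilter Lua HttpCall doesn't work with HTTPS?

I need to decrypt the body of a request in an external API. However, when I try to do this with an EnvoyFilter using Lua, it doesn't work properly. If I try the same code posted here without HTTPS, it works. But with HTTPS it returns 503.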

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: eva-decrypt-filter
  namespace: istio-system
spec:
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: ANY
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.lua
          typed_config:
            "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
            inlineCode: |
              function envoy_on_request(request_handle)
               local buffered = request_handle:body()
               local bodyString = tostring(buffered:getBytes(0, buffered:length()))
               print("bodyString ->")
               print(bodyString)
               if string.match(bodyString, "valcirtest") then
                print("iniciando http_Call")
                local responseHeaders, responseBody = request_handle:httpCall(
                  "thirdparty",
                  {
                   [":method"] = "POST",
                   [":path"] = "/decrypt",
                   [":authority"] = "keycloack-dev-admin.eva.bot",
                   [":scheme"] = "https",
                   ["content-type"] = "application/json",
                   ["content-length"] = bodyString:len(),
                  },
                  bodyString,
                  3000)
                print("acabou a requisicao")
                print("responseHeaders -> ")
                print(responseHeaders)
                print(responseHeaders[":status"])
                print("responseBody -> ")
                print(responseBody)
                local content_length = request_handle:body():setBytes(responseBody)
                request_handle:headers():replace("content-length", content_length)
               else
                print("nao entrou")
               end
              end
    - applyTo: CLUSTER
      match:
        context: SIDECAR_OUTBOUND
      patch:
        operation: ADD
        value: # cluster specification
          name: thirdparty
          connect_timeout: 1.0s
          type: STRICT_DNS
          dns_lookup_family: V4_ONLY
          lb_policy: ROUND_ROBIN
          load_assignment:
            cluster_name: thirdparty
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          protocol: TCP
                          address: keycloack-dev-admin.eva.bot
                          port_value: 443

The response error is:

503
responseBody ->
upstream connect error or disconnect/reset before headers. reset reason: connection termination

I am using Istio v.1.11.4.

Original link: https://stackoverflow.com/questions/70594554

Stack Overflow user 19444183

This should be configured on your "thirdparty" cluster, by adding the following to the cluster configuration:

transport_socket:
  name: envoy.transport_sockets.tls
2022-06-29 13:37:52
Stack Overflow user 309830

To add to @koffi-kodjo's answer, you also need to specify the typed_config attribute. The transport_socket node should be placed at the same level as the name: thirdparty node.

        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext

Reference:

2022-09-06 11:51:28