debuggingistioenvoyproxy

How to debug an EnvoyFilter in Istio?


I have the filter below.

I am checking the logs for the gateway and it does not look like the filter is applied.

  1. How do I debug an EnvoyFilter?
  2. Where can I see which filters are applied on each request?
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: proper-filter-name-here
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
    - applyTo: NETWORK_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.lua
          typed_config:
            "@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
            inlineCode: |
              function envoy_on_request(request_handle)
                 request_handle:logDebug("Hello World!")
              end

Solution

  • This topic is very well described in the documentation:

    The simplest kind of Istio logging is Envoy’s access logging. Envoy proxies print access information to their standard output. The standard output of Envoy’s containers can then be printed by the kubectl logs command.

    You have asked:

    Where can I see what filters are applied each request?

    Based on this issue on github:

    There is no generic mechanism.

    It follows that if you wanted to see what filter was applied to each request, you would have to create your custom solution.

    However, without any problem, you can get logs about each request based on this fragment in the documentation:

    If you used an IstioOperator CR to install Istio, add the following field to your configuration:

    spec:
      meshConfig:
        accessLogFile: /dev/stdout
    

    Otherwise, add the equivalent setting to your original istioctl install command, for example:

    istioctl  install  <flags-you-used-to-install-Istio> --set meshConfig.accessLogFile=/dev/stdout
    

    You can also choose between JSON and text by setting accessLogEncoding to JSON or TEXT. You may also want to customize the format of the access log by editing accessLogFormat.

    Refer to global mesh options for more information on all three of these settings:

    You can also change access log format and test the access log from linked instructions.

    See also (EDIT):

    • EnvoyFilters will manifest where you tell Istio to put them. Typically a bad EnvoyFilter will manifest as Envoy rejecting the configuration (i.e. not being in the SYNCED state above) and you need to check Istiod (Pilot) logs for the errors from Envoy rejecting the configuration.
    • If configuration didn’t appear in Envoy at all– Envoy did not ACK it, or it’s an EnvoyFilter configuration– it’s likely that the configuration is invalid (Istio cannot syntactically validate the configuration inside of an EnvoyFilter) or is located in the wrong spot in Envoy’s configuration.