Istio filters are completely ignored on Istio 1.9 on EKS cluster

Question

I'm trying to set a simple HTTP filter through Envoy Filter. I'm using a brand new EKS cluster made with Terraform, and Istio installed with Helm to its latest version and default values.

I'm trying to reach a simple python script which receive an http request and print the header.

Below, the resources I'm using..

The python script:

    from flask import Flask, redirect, url_for, request, Response
    import logging
    app = Flask(__name__)
    
    @app.route('/status', methods=['GET', 'POST'])
    def parse_request():
        data = request.data  # data is empty
        # need posted data here
        headers = request.headers
        print(headers)
        app.logger.info(headers)
        status_code = Response(status=200)
        return status_code
    
    if __name__ == '__main__':
        app.run(app.run(debug=True, port=5000, host='0.0.0.0'))

The K8s manifests:

1. Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http
  labels:
    app: http
spec:
  replicas: 1
  selector:
    matchLabels:
      app: http
  template:
    metadata:
      labels:
        app: http
        run: http_pod
    spec:
      containers:
      - image: flask_http_test:latest
        imagePullPolicy: Always
        name: http
        ports:
        - containerPort: 5000
      restartPolicy: Always
      imagePullSecrets:
      - name: regcred

2. Gateway & VirtualService

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
  labels:
    app: http
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
--- 
kind: VirtualService
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: http-service-vs
  namespace: http
  labels:
    app: http
spec:
  hosts:
    - "*"   # host name of api
  gateways:
  - mygateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: http-service-svc  # k8s service name
        port:
            number: 5000     # pod port
EOF

3. Envoy Filter

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: http-service-svc-header-filter
  namespace: http
spec:
  workloadLabels:
    app: http-service-svc
    namespace: http
  filters:
  - listenerMatch:
      portNumber: 5000
      listenerType: SIDECAR_INBOUND 
      listenerProtocol: HTTP
    filterName: envoy.lua
    filterType: HTTP
    filterConfig:
      inlineCode: |
          function envoy_on_request(request_handle)
                request_handle:headers():add("newheader", "it works!")
            end

I can reach my service through the Istio Ingress Gateway but the problem is that the filter completely ignored. I've also tried to define the add the filter in the istio-system namespace, without a workloadSelector, but its still ignored.

Does anybody have any idea on where could be the problem?

Answer 1

The problem is that you are applying an old EnvoyFilter api version that is not supported with istio 1.9.

See EnvoyFilter docs for reference

This should work:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: http-service-svc-header-filter
  namespace: http
spec:
  workloadSelector:
    labels:
      app: http
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 5000
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.router"
    patch:
      operation: INSERT_BEFORE
      value: 
       name: envoy.lua
       typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            function envoy_on_request(request_handle)
              request_handle:headers():add("newheader", "it works!")
            end