
Equivalents of Nginx Ingress Annotations on Istio Ingress Gateway

I'm currently migrating an IT environment from Nginx Ingress Gateway to Istio Ingress Gateway on Kubernetes.

I need to migrate the following Nginx annotations:

nginx.ingress.kubernetes.io/proxy-buffer-size
nginx.ingress.kubernetes.io/proxy-read-timeout
nginx.ingress.kubernetes.io/proxy-send-timeout
nginx.ingress.kubernetes.io/proxy-body-size
nginx.ingress.kubernetes.io/upstream-vhost

For Nginx, the annotations are documented here: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/

I didn't find a way to use the Nginx annotations with the Istio Ingress Gateway in the Istio documentation.

Does anyone know how to implement the above-mentioned annotations in the Istio Ingress Gateway?

Ronny Forberger asked Oct 27 '25 05:10


2 Answers

I think I found how to set nginx.ingress.kubernetes.io/proxy-body-size in Istio.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: reviews-lua
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews
  configPatches:
    # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
        name: envoy.lua
        config:
          inlineCode: |
            function envoy_on_request(request_handle)
              request_handle:headers():add("request_body_size", request_handle:body():length())
            end

And also the TLS ciphers:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-tls-ingress
spec:
  selector:
    app: my-tls-ingress-gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem
      cipherSuites: # the field takes a list of cipher suite names
      - "<tls-ciphers>"
Ronny Forberger answered Oct 29 '25 01:10


If you are receiving 413 Entity Too Large as a response, the main issue in this situation is that one of the Envoy filters within the chain has buffering.

You will find the discussion about that here: https://github.com/envoyproxy/envoy/issues/2919

The initial values for that buffering on Envoy are set by the properties:

  http2_protocol_options:
    initial_stream_window_size: 65536 # 64 KiB
    initial_connection_window_size: 1048576 # 1 MiB

Source: https://www.bookstack.cn/read/envoyproxy-1.13/9a624d80e56eceef.md

You can override that buffer for the given workload (or globally), but you have to remember that if you increase it too much, there is a risk of out-of-memory attacks.

Example filter which reconfigures it:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: my-service
spec:
  workloadSelector:
    labels:
      app: my-service
  configPatches:
    - applyTo: NETWORK_FILTER
      match:
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
      patch:
        operation: MERGE
        value:
          typed_config:
            "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
            http2_protocol_options:
              initial_stream_window_size: 65536
              initial_connection_window_size: 10485760 # 10 MiB

You will find more about Envoy Filters in the Istio documentation: https://istio.io/latest/docs/reference/config/networking/envoy-filter/

Additional samples: https://github.com/istio/istio/wiki/EnvoyFilter-Samples

Przemek Nowak answered Oct 29 '25 01:10
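A rough way to size the out-of-memory risk mentioned in the answer above before raising the HTTP/2 windows, as an added example that is not part of the original answers. It assumes the default window values quoted in that answer; `max_connections`, `max_streams` and `memory_budget` are hypothetical operator-supplied limits, and the result is only an upper bound on flow-controlled request data.

```python
# Added example: bound the HTTP/2 buffer memory that an EnvoyFilter permits.
DEFAULT_STREAM_WINDOW = 65536   # 64 KiB, value quoted in the answer
DEFAULT_CONN_WINDOW = 1048576   # 1 MiB, value quoted in the answer


def http2_windows(envoy_filter):
    """Return (stream_window, connection_window) after applying MERGE patches."""
    stream, conn = DEFAULT_STREAM_WINDOW, DEFAULT_CONN_WINDOW
    for patch in envoy_filter.get("spec", {}).get("configPatches", []):
        body = patch.get("patch", {})
        if body.get("operation") != "MERGE":
            continue
        opts = (body.get("value", {})
                    .get("typed_config", {})
                    .get("http2_protocol_options", {}))
        stream = opts.get("initial_stream_window_size", stream)
        conn = opts.get("initial_connection_window_size", conn)
    return stream, conn


def worst_case_bytes(envoy_filter, max_connections, max_streams):
    """Upper bound on unconsumed DATA bytes held across all connections.

    Flow control caps each connection at the connection window, or at
    max_streams * stream window when that product is smaller.
    """
    stream, conn = http2_windows(envoy_filter)
    return min(conn, max_streams * stream) * max_connections


def audit(envoy_filter, max_connections, max_streams, memory_budget):
    """Return (ok, bound); ok is False when the bound exceeds the budget."""
    bound = worst_case_bytes(envoy_filter, max_connections, max_streams)
    return bound <= memory_budget, bound


# Constructed input: the answer's EnvoyFilter reduced to the fields used here.
ANSWER_FILTER = {"spec": {"configPatches": [{
    "applyTo": "NETWORK_FILTER",
    "patch": {"operation": "MERGE", "value": {"typed_config": {
        "http2_protocol_options": {
            "initial_stream_window_size": 65536,
            "initial_connection_window_size": 10485760,
        }}}},
}]}}

if __name__ == "__main__":
    # 1000 connections, 200 streams each, 2 GiB budget (all hypothetical).
    print(audit({}, 1000, 200, 2 * 1024**3))
    print(audit(ANSWER_FILTER, 1000, 200, 2 * 1024**3))
```

With these sample limits the default windows stay within the budget, while the 10 MiB connection window exceeds it roughly fivefold.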
