Envoy configuration
In order to enable Callout Enforcer, the following changes to Envoy configuration are required:
- adjust the http_filters section
- adjust the clusters section
http_filters section
```yaml
http_filters:
  - name: envoy.filters.http.ext_proc
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
      grpc_service:
        envoy_grpc:
          cluster_name: px_callout_cluster
        timeout: 3s
      failure_mode_allow: false
      allow_mode_override: true
      message_timeout: 3s
      processing_mode:
        request_header_mode: "SEND"
        response_header_mode: "SEND"
        request_body_mode: "NONE"
        response_body_mode: "NONE"
        request_trailer_mode: "SKIP"
        response_trailer_mode: "SKIP"
```
Parameters description (Envoy documentation):
- grpc_service -> envoy_grpc -> cluster_name: the name of the "callout" cluster in the clusters section
- grpc_service -> timeout: (recommended 1-5 seconds) The timeout for the gRPC request
- failure_mode_allow: By default, if the gRPC stream cannot be established, or if it is closed prematurely with an error, the filter will fail. Specifically, if the response headers have not yet been delivered, then it will return a 500 error downstream.
- allow_mode_override: (required True) If allow_mode_override is set to true, the processing_mode in the filter config can be overridden by the mode_override in the response message from the external processing server.
- message_timeout: (recommended 1-5 seconds) Specifies the timeout for each individual message sent on the stream
Processing mode:
- request_header_mode: (required SEND) Control how request headers are handled
- response_header_mode: (required SEND) Control how response headers are handled
- request_body_mode: (required NONE) Control how the request body is handled
- response_body_mode: (required NONE) Control how the response body is handled
- request_trailer_mode: (required SKIP) Control how request trailers are handled
- response_trailer_mode: (required SKIP) Control how response trailers are handled
clusters section
```yaml
clusters:
  - name: px_callout_cluster
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    connect_timeout: 1s
    http2_protocol_options: {}
    load_assignment:
      cluster_name: px_callout_cluster
      endpoints:
        - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: 10.0.0.2
                    port_value: 50051
    health_checks:
      - timeout: 10s
        interval: 10s
        unhealthy_threshold: 1
        healthy_threshold: 1
        reuse_connection: true
        tls_options:
          alpn_protocols: ["h2"]
        grpc_health_check:
          service_name: health_check
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
```
Parameters description (Envoy documentation):
- endpoints -> lb_endpoints -> endpoint -> address -> socket_address: (required) replace with the Callout Enforcer address
- health_checks: an optional section that can be omitted (see the "Health Check" paragraph below)
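The linter below is an added example, not code from this page or from the Callout Enforcer project. It checks an Envoy configuration, already loaded into Python dicts, against the required and recommended values listed in the two sections above, and confirms that the callout cluster the filter references exists and uses a TLS transport socket. Reporting `failure_mode_allow: true` as a finding is this example's assumption (the page shows `false` without marking it required); `lint`, `seconds` and the `GOOD_*` samples are hypothetical names.

```python
import re

# Values the page marks as required for Callout Enforcer.
REQUIRED_MODES = {"request_header_mode": "SEND", "response_header_mode": "SEND",
                  "request_body_mode": "NONE", "response_body_mode": "NONE",
                  "request_trailer_mode": "SKIP", "response_trailer_mode": "SKIP"}
EXT_PROC = "envoy.filters.http.ext_proc"

def seconds(duration):
    """Parse a duration string such as '3s' or '0.5s'; None if absent or malformed."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)s", str(duration))
    return float(m.group(1)) if m else None

def lint(http_filters, clusters):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    flt = next((f for f in http_filters if f.get("name") == EXT_PROC), None)
    if flt is None:
        return ["ext_proc filter is missing from http_filters"]
    cfg = flt.get("typed_config", {})
    grpc = cfg.get("grpc_service", {})
    if cfg.get("allow_mode_override") is not True:
        findings.append("allow_mode_override must be true")
    # Assumption of this example: fail-open is reported; the page only shows false.
    if cfg.get("failure_mode_allow", False):
        findings.append("failure_mode_allow is true: requests pass unchecked if the callout fails")
    for key, want in REQUIRED_MODES.items():
        got = cfg.get("processing_mode", {}).get(key)
        if got != want:
            findings.append(f"processing_mode.{key} is {got!r}, required {want!r}")
    for label, value in (("grpc_service.timeout", grpc.get("timeout")),
                         ("message_timeout", cfg.get("message_timeout"))):
        secs = seconds(value)
        if secs is None or not 1 <= secs <= 5:
            findings.append(f"{label} is {value!r}, recommended 1-5 seconds")
    name = grpc.get("envoy_grpc", {}).get("cluster_name")
    cluster = next((c for c in clusters if c.get("name") == name), None)
    if cluster is None:
        findings.append(f"cluster_name {name!r} is not defined in clusters")
    elif cluster.get("transport_socket", {}).get("name") != "envoy.transport_sockets.tls":
        findings.append(f"cluster {name!r} has no TLS transport_socket")
    return findings

# Constructed sample mirroring the values shown on this page.
GOOD_FILTERS = [{"name": EXT_PROC, "typed_config": {
    "grpc_service": {"envoy_grpc": {"cluster_name": "px_callout_cluster"}, "timeout": "3s"},
    "failure_mode_allow": False, "allow_mode_override": True, "message_timeout": "3s",
    "processing_mode": dict(REQUIRED_MODES)}}]
GOOD_CLUSTERS = [{"name": "px_callout_cluster", "transport_socket": {"name": "envoy.transport_sockets.tls"}}]
```

Call `lint(http_filters, clusters)` with the two lists taken from a parsed Envoy configuration; each returned string names one setting that deviates from this page.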