Envoy configuration

Envoy Configuration

In order to enable Callout Enforcer, the following changes to Envoy configuration are required:

adjust http_filters section
adjust clusters section

http_filters section

1 http_filters:
2 - name: envoy.filters.http.ext_proc
3   typed_config:
4     "@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
5     grpc_service:
6       envoy_grpc:
7         cluster_name: px_callout_cluster
8       timeout: 3s
9     failure_mode_allow: false
10     allow_mode_override: true
11     message_timeout: 3s
12     processing_mode:
13       request_header_mode: "SEND"
14       response_header_mode: "SEND"
15       request_body_mode: "NONE"
16       response_body_mode: "NONE"
17       request_trailer_mode: "SKIP"
18       response_trailer_mode: "SKIP"

Parameters description (Envoy documentation):

grpcservice -> envoygrpc -> cluster_name: the name of “callout” cluster in clusters section
grpcservice -> envoygrpc -> timeout: (recommended 1-5 seconds) The timeout for the gRPC request
failure_mode_allow: By default, if the gRPC stream cannot be established, or if it is closed prematurely with an error, the filter will fail. Specifically, if the response headers have not yet been delivered, then it will return a 500 error downstream
allow_mode_override: (required True) If allow_mode_override is set to true, the filter config processing_mode can be overridden by the response message from the external processing server mode_override.
message_timeout: (recommended 1-5 seconds) Specifies the timeout for each individual message sent on the stream

Processing mode:

request_header_mode: (required SEND) Control how request headers are handled
response_header_mode: (required SEND) Control how response headers are handled
request_body_mode: (required NONE) Control how the request body is handled
response_body_mode: (required NONE) Control how the response body is handled
request_trailer_mode: (required SKIP) Control how request trailers are handled
response_trailer_mode: (required SKIP) Control how response trailers are handled

clusters section

1 clusters:
2 - name: px_callout_cluster
3   type: STRICT_DNS
4   lb_policy: ROUND_ROBIN
5   connect_timeout: 1s
6   http2_protocol_options: {}
7   load_assignment:
8     cluster_name: px_callout_cluster
9     endpoints:
10     - lb_endpoints:
11       - endpoint:
12           address:
13             socket_address:
14               address: 10.0.0.2
15               port_value: 50051
16   health_checks:
17     - timeout: 10s
18       interval: 10s
19       unhealthy_threshold: 1
20       healthy_threshold: 1
21       reuse_connection: true
22       tls_options:
23         alpn_protocols: ["h2"]
24       grpc_health_check:
25         service_name: health_check
26   transport_socket:
27     name: envoy.transport_sockets.tls
28     typed_config:
29       "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext

Parameters description (Envoy documentation):

endpoints -> lb_endpoints -> endpoint -> address -> socket_address: (required) replace with the Callout Enforcer address
health_checks: an optional section, can be ignored (see below “Health Check” paragraph)

Envoy Configuration

In order to enable Callout Enforcer, the following changes to Envoy configuration are required:

adjust http_filters section
adjust clusters section

http_filters section

1 http_filters:
2 - name: envoy.filters.http.ext_proc
3   typed_config:
4     "@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
5     grpc_service:
6       envoy_grpc:
7         cluster_name: px_callout_cluster
8       timeout: 3s
9     failure_mode_allow: false
10     allow_mode_override: true
11     message_timeout: 3s
12     processing_mode:
13       request_header_mode: "SEND"
14       response_header_mode: "SEND"
15       request_body_mode: "NONE"
16       response_body_mode: "NONE"
17       request_trailer_mode: "SKIP"
18       response_trailer_mode: "SKIP"

Parameters description (Envoy documentation):

grpcservice -> envoygrpc -> cluster_name: the name of “callout” cluster in clusters section
grpcservice -> envoygrpc -> timeout: (recommended 1-5 seconds) The timeout for the gRPC request
failure_mode_allow: By default, if the gRPC stream cannot be established, or if it is closed prematurely with an error, the filter will fail. Specifically, if the response headers have not yet been delivered, then it will return a 500 error downstream
allow_mode_override: (required True) If allow_mode_override is set to true, the filter config processing_mode can be overridden by the response message from the external processing server mode_override.
message_timeout: (recommended 1-5 seconds) Specifies the timeout for each individual message sent on the stream

Processing mode:

request_header_mode: (required SEND) Control how request headers are handled
response_header_mode: (required SEND) Control how response headers are handled
request_body_mode: (required NONE) Control how the request body is handled
response_body_mode: (required NONE) Control how the response body is handled
request_trailer_mode: (required SKIP) Control how request trailers are handled
response_trailer_mode: (required SKIP) Control how response trailers are handled

clusters section

1 clusters:
2 - name: px_callout_cluster
3   type: STRICT_DNS
4   lb_policy: ROUND_ROBIN
5   connect_timeout: 1s
6   http2_protocol_options: {}
7   load_assignment:
8     cluster_name: px_callout_cluster
9     endpoints:
10     - lb_endpoints:
11       - endpoint:
12           address:
13             socket_address:
14               address: 10.0.0.2
15               port_value: 50051
16   health_checks:
17     - timeout: 10s
18       interval: 10s
19       unhealthy_threshold: 1
20       healthy_threshold: 1
21       reuse_connection: true
22       tls_options:
23         alpn_protocols: ["h2"]
24       grpc_health_check:
25         service_name: health_check
26   transport_socket:
27     name: envoy.transport_sockets.tls
28     typed_config:
29       "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext

Parameters description (Envoy documentation):

endpoints -> lb_endpoints -> endpoint -> address -> socket_address: (required) replace with the Callout Enforcer address
health_checks: an optional section, can be ignored (see below “Health Check” paragraph)

1	http_filters:
2	- name: envoy.filters.http.ext_proc
3	typed_config:
4	"@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
5	grpc_service:
6	envoy_grpc:
7	cluster_name: px_callout_cluster
8	timeout: 3s
9	failure_mode_allow: false
10	allow_mode_override: true
11	message_timeout: 3s
12	processing_mode:
13	request_header_mode: "SEND"
14	response_header_mode: "SEND"
15	request_body_mode: "NONE"
16	response_body_mode: "NONE"
17	request_trailer_mode: "SKIP"
18	response_trailer_mode: "SKIP"

1	clusters:
2	- name: px_callout_cluster
3	type: STRICT_DNS
4	lb_policy: ROUND_ROBIN
5	connect_timeout: 1s
6	http2_protocol_options: {}
7	load_assignment:
8	cluster_name: px_callout_cluster
9	endpoints:
10	- lb_endpoints:
11	- endpoint:
12	address:
13	socket_address:
14	address: 10.0.0.2
15	port_value: 50051
16	health_checks:
17	- timeout: 10s
18	interval: 10s
19	unhealthy_threshold: 1
20	healthy_threshold: 1
21	reuse_connection: true
22	tls_options:
23	alpn_protocols: ["h2"]
24	grpc_health_check:
25	service_name: health_check
26	transport_socket:
27	name: envoy.transport_sockets.tls
28	typed_config:
29	"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext