I need to know the client IP from a pod that is running on Istio on-premises.
Is there something wrong with my configuration?
The ingressgateway is not a LoadBalancer but a NodePort service.
When I configure TPROXY in the application deployment, it always shows the IP of the ingressgateway pod.
When I don't configure TPROXY in the application deployment, it always shows 127.0.0.6.
I don't know why the pod doesn't get the client IP from the proxy protocol.
Do you know how to configure this?
I configured the proxy protocol as follows.
Traffic flow : Haproxy -> Ingressgateway(NodePort) -> Gateway -> Service -> POD
1. Haproxy
Comment: I configure the haproxy for proxy protocol
LoadBalancer: L4
Proxy protocol Port: 7559
1.1 haproxy.cfg
```
listen nginx-in-istio
    bind *:7559
    mode tcp
    option tcplog
    server backend01 172.16.6.202:30740 check send-proxy-v2
```
2. Ingressgateway
Comment: I configure ingressgateway for only proxy protocol
Service: NodePort
Ingressgateway Pod Label: ingressgateway-cwmp
Envoy Filter:
2.1 Envoy Filter for proxy protocol
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: proxy-protocol-cwmp
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway-cwmp
  configPatches:
  - applyTo: LISTENER
    match:
      listener:
        name: "0.0.0.0_7559"
        portNumber: 7559
    patch:
      operation: MERGE
      value:
        listener_filters:
        - name: envoy.listener.proxy_protocol
        - name: envoy.listener.tls_inspector
```
2.2 Envoy Filter for X-Forwarded-For
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ingressgateway-settings-x-forwarede-for-cwmp
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway-cwmp
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          skip_xff_append: false
          use_remote_address: true
          xff_num_trusted_hops: 2
```
2.3 Ingress gateway POD YAML for proxy protocol
```yaml
template:
  metadata:
    annotations:
      proxy.istio.io/config: '{"gatewayTopology" : { "numTrustedProxies": 2 } }'
```
3. Application deployment YAML
```yaml
template:
  metadata:
    labels:
      app: nginx
    annotations:
      sidecar.istio.io/interceptionMode: TPROXY
```
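
To check what `send-proxy-v2` places on the wire ahead of the HTTP request on port 7559, the following added example (not part of the original post) builds and parses a PROXY protocol v2 header. The function names are hypothetical and the client address 203.0.113.7:51234 is a constructed sample; the destination is the backend from the haproxy.cfg above.

```python
import ipaddress
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 signature
ADDR_LEN = {0x1: 4, 0x2: 16}           # address-family nibble -> bytes per address


def build_v2(src, dst, sport, dport):
    """Build the TCP PROXY v2 header that a sender prepends to the stream."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fam = 0x1 if s.version == 4 else 0x2
    body = s.packed + d.packed + struct.pack("!HH", sport, dport)
    # 0x21 = version 2, command PROXY; low nibble 0x1 = STREAM (TCP)
    return SIGNATURE + struct.pack("!BBH", 0x21, (fam << 4) | 0x1, len(body)) + body


def parse_v2(data):
    """Return (client, payload); client is None when no address is carried."""
    if len(data) < 16 or not data.startswith(SIGNATURE):
        raise ValueError("no PROXY v2 header at start of stream")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY v2 header")
    body, payload = data[16:16 + length], data[16 + length:]
    alen = ADDR_LEN.get(fam_proto >> 4)
    # Command LOCAL or an unspecified family carries no client address.
    if ver_cmd & 0x0F == 0 or alen is None:
        return None, payload
    if length < 2 * alen + 4:
        raise ValueError("address block shorter than the family requires")
    src = ipaddress.ip_address(body[:alen])
    sport, _dport = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    return (str(src), sport), payload  # TLVs after the addresses are skipped


if __name__ == "__main__":
    # Constructed sample: client 203.0.113.7:51234 relayed to the NodePort backend.
    stream = build_v2("203.0.113.7", "172.16.6.202", 51234, 30740) + b"GET / HTTP/1.1\r\n"
    print(parse_v2(stream))
```

A listener that expects this header rejects a stream that starts directly with HTTP, and a listener that does not expect it sees the 12-byte signature as garbage, so both ends of the hop must agree.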