Last week at work, we hit a very interesting problem — is it possible to run an Envoy plugin inside of an Istio sidecar? The plugin I was specifically interested in was Moesif, a really nice API request observability tool we use.
Now, the sidecar proxies in Istio are Envoy, so it seems like a reasonable enough request.
The problem of customizing Envoy configuration directly in Istio is solved by Istio's EnvoyFilter resource. You can see examples here.
Now, the Moesif plugin wants to run some Lua on outgoing requests. The
EnvoyFilter documentation has a clear way to do that; it's a somewhat typical use case.
However, there's a problem — the Lua it wants to run depends on the Moesif library. This use case is closer to embedded Lua than a full-fledged application with a package manager. Even if we were setting up a VM we could download the library in the user data script. We need a way to get the Moesif library into the sidecar.
Istio does have a way to edit the sidecar configuration (the
Sidecar resource), but it's more focused on the traffic going in and out than on filesystem of the sidecar. After some searching, I did come across an annotation that was exactly what I needed:
With the omitted values looking like this:
userVolume JSON, we're referencing the library as a
ConfigMap. That's the best way I could come up with going from a folder of Lua code to files in the sidecar.
folder of Lua code -> ConfigMap -> user volume in sidecar
Going from the folder of Lua code to a
ConfigMap was a simpler problem. I did the following, in Pulumi:
- Recursively search the folder and build an array of all Lua files in the folder
- Build a ConfigMap where a file like
moesif/core/helpers.luawould have a key of
moesif-core-helpers.luaand a value of the minified contents of the file. (Note that
/is not a valid character in keys of ConfigMaps).
Once I verified that the library was present in the sidecar then things worked pretty smoothly.
$ kubectl exec -it nginx --container=istio-proxy -- ls /usr/local/share/lua/5.1 moesif
Let's go over the pros and cons of this approach.
- You can easily turn the
EnvoyFilteron/off with labels
- It works (we've tried about 3 other outbound traffic monitoring setups with Moesif, just getting one working is not a given. These tools are usually meant to monitor inbound traffic, not outbound.)
- This approach doesn't have as many TLS issues as others, since it's the first thing that catches the traffic as it leaves the original container, and in our setup, we have Istio originate TLS later in the Envoy listener's filter chain. The closer to the edge of your network you put a tool like this, the more likely you are to have TLS issues. There's a tradeoff there.
- You have to specify that
sidecar.istio.io/userVolumeannotation on every Deployment. If you have some good abstraction over Kubernetes resources then this is less of a problem. For us, it's a problem.
- If you have any retries implemented in Istio, because that comes later in the filter chain, it's not visible to Moesif. Moesif just sees one request with the status code of the final call, and an increased latency. So 500's that we want to catch can be covered up.
- It's not simple.
If you've had similar issues, please let me know what approach you took!