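I am currently upgrading our Envoyproxy instance from 1.11 to the latest version that supports the V2-api; as for the V3-api, some of our microservices would need code changes.
This RDS-config works on 1.11 but not on 1.12.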
node:
id: id_1
cluster: test
admin:
access_log_path: "/tmp/admin_access.log"
address:
socket_address: { address: 0.0.0.0, port_value: 9901 }
dynamic_resources:
cds_config:
api_config_source:
api_type: GRPC
grpc_services:
envoy_grpc:
cluster_name: ESD_cluster
static_resources:
secrets:
- name: server_wildcard_cert
tls_certificate:
certificate_chain: { filename: "/etc/envoy/star_2019.crt" }
private_key: { filename: "/etc/envoy/star_2019.key" }
- name: validation_context
validation_context:
trusted_ca: { filename: "/etc/envoy/cacert.pem" }
- name: listener_https_internal
address:
socket_address: { address: 0.0.0.0, port_value: 9443 }
filter_chains:
- filters:
- name: envoy.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
access_log:
- name: envoy.file_access_log
config:
format: "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURAT$
path: "/dev/stdout"
codec_type: auto
stat_prefix: ingress_http
route_config:
name: esds_route
virtual_hosts:
- name: backend
domains:
- "*"
routes:
- match:
prefix: "/"
route:
cluster: ESD_cluster
timeout: 120s
http_filters:
- name: envoy.router
# static TLS certificate info
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext
common_tls_context:
tls_certificate_sds_secret_configs:
- name: server_wildcard_cert
validation_context_sds_secret_config:
name: validation_context
alpn_protocols: "h2"
- name: listener_https
address:
socket_address: { address: 0.0.0.0, port_value: 8443 }
filter_chains:
- filters:
typed_config:
"@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
access_log:
- name: envoy.file_access_log
config:
format: "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURAT$
path: "/dev/stdout"
codec_type: auto
stat_prefix: ingress_http
rds:
route_config_name: ESG_route_configuration
config_source:
api_config_source:
api_type: GRPC
grpc_services:
envoy_grpc:
cluster_name: ESD_cluster
cors:
allow_origin_string_match:
- prefix: "*"
allow_methods: GET, PUT, DELETE, POST, OPTIONS
allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response$
max_age: "1728000"
expose_headers: custom-header-1,grpc-status,grpc-message
http_filters:
- name: envoy.grpc_web
- name: envoy.cors
- name: envoy.router
config: {}
# static TLS certificate info
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext
common_tls_context:
tls_certificate_sds_secret_configs:
- name: server_wildcard_cert
validation_context_sds_secret_config:
name: validation_context
alpn_protocols: "h2"
clusters:
- name: ESD_cluster
connect_timeout: 0.25s
type: STATIC
lb_policy: ROUND_ROBIN
http2_protocol_options: {}
# tls_context: {}
upstream_connection_options:
tcp_keepalive: {}
load_assignment:
cluster_name: ESD_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address: { address: 10.80.1.83, port_value: 5028 }
- endpoint:
address:
socket_address: { address: 10.80.1.84, port_value: 5028 }
The error message is as follows:
[warning][config] [source/common/protobuf/message_validator_impl.cc:28] Unknown field: type envoy.config.bootstrap.v2.Bootstrap reason INVALID_ARGUMENT:(rds.config_source) cors: Cannot find field.
I have been trying to find examples of RDS and CORS on the internet, but there are none.
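Posted on 2020-07-23 22:26:22
So, as far as I can tell, this is something that was never supported; v11 was just silently dropping the field, whereas v12 is actually notifying you that the field is not supported. So the real answer to your question is: this never worked, it was just silently not telling you with v1.11, but it is informing you with v1.12.
Neither of the API docs has the field rds.config_source.cors.
After modifying the above config a bit (there were some errors, so I had to add fields/indent in a few places), I can confirm that envoy v11 runs fine but v12 fails, at least with the few issues I fixed.
However, even when running v11, the cors field does not set anything. Using the admin endpoint, you can inspect the configuration that was actually set. For your config, hit localhost:9901/config_dump and you will see that there is basically nothing on the listener: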
{
  "listener": {
    "name": "listener_https",
    "address": {
      "socket_address": {
        "address": "0.0.0.0",
        "port_value": 8443
      }
    },
    "filter_chains": [
      {}
    ]
  },
This looks to be because your listener_https has some additional errors in the config. The only filter you named is envoy.file_access_log, but you are trying to give it the config for HttpConnectionManager, albeit also in the wrong scope.
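I think at this point you need to fix the issues in your config and make sure that what you are trying to bootstrap actually gets set in config_dump, even on v1.11.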
https://stackoverflow.com/questions/62992992
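
An added example, not part of the original question or answer: one way to automate the config_dump check the answer describes, flagging listeners whose filter chains loaded without network filters or TLS settings. The `configs`/`static_listeners` wrapper, the function name and the sample data are assumptions constructed for illustration; real input would be the JSON saved from localhost:9901/config_dump.

```python
import json

HCM = "envoy.http_connection_manager"  # filter name used in the page's config

# Constructed sample shaped like the page's config_dump excerpt.
# Assumed wrapper: "configs" -> "static_listeners" -> "listener".
SAMPLE_DUMP = json.dumps({"configs": [{
    "static_listeners": [
        {"listener": {
            "name": "listener_https_internal",
            "filter_chains": [{
                "filters": [{"name": HCM}],
                "transport_socket": {"name": "envoy.transport_sockets.tls"},
            }]}},
        # Same shape as the excerpt in the answer: one empty filter chain.
        {"listener": {"name": "listener_https", "filter_chains": [{}]}},
    ]}]})


def audit_listeners(dump_text):
    """Return {listener_name: [findings]} for static listeners in a config_dump."""
    findings = {}
    for section in json.loads(dump_text).get("configs", []):
        for entry in section.get("static_listeners", []):
            listener = entry.get("listener", {})
            issues = []
            chains = listener.get("filter_chains", [])
            if not chains:
                issues.append("no filter chains")
            for i, chain in enumerate(chains):
                names = [f.get("name") for f in chain.get("filters", [])]
                if not names:
                    issues.append(f"chain {i}: no network filters loaded")
                elif HCM not in names:
                    issues.append(f"chain {i}: no HTTP connection manager")
                # v2 carries TLS in transport_socket or the older tls_context.
                if "transport_socket" not in chain and "tls_context" not in chain:
                    issues.append(f"chain {i}: no TLS settings loaded")
            findings[listener.get("name", "<unnamed>")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_listeners(SAMPLE_DUMP).items():
        print(name, "->", issues or "ok")
```

Running such a check against the dump before and after an upgrade shows whether a listener's filters, CORS policy or TLS settings were silently dropped rather than applied.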