ext_proc/ext_authz / async client: Better observability
#32,250 opened on Feb 7, 2024
Repository metrics
- Stars
- (27,997 stars)
- PR merge metrics
- (Avg merge 8d) (378 merged PRs in 30d)
Description
When connection to the external server fails, all we see in ext_proc or ext_authz is grpc unavailable or something simple like this. It is not sufficient to give the end user any hint on what actually went wrong. Our users often fail to setup TLS on the grpc server side. When the extension calls fail, the grpc unavailable status is insufficient to tell them where to go look. Its often a guess work.
Similarly, if a connection could not be established due to firewall rules, all we see is unavailable.
It would be good to have some error string straight from boring SSL that informs the user that this was a SSL error (we do not have to process that string. Just expose it as it is). In the same vein, for firewall issues, if the user sees "connection refused" [which is what the kernel gives us], it is a sufficient hint for them to go look at their server to debug the issue.
Given that both ext_proc and ext_authz use the grpc async client, it would be good to expose this info so that it can be extracted and logged into the filter_metadata in ext_proc/ext_authz and thus dumped into access logs in Envoy.
cc @tyxia @htuch @jbohanon @wbpcode etc.