envoyproxy/envoy

TCP traffic tapping doesn't support any matching other than "any"

Open

#13.803 aberto em 28 de out. de 2020

Ver no GitHub
 (1 comment) (0 reactions) (0 assignees)C++ (5.373 forks)batch import
area/taphelp wanted

Métricas do repositório

Stars
 (27.997 stars)
Métricas de merge de PR
 (Mesclagem média 8d) (378 fundiu PRs em 30d)

Description

I've been experimenting with TCP traffic tapping of an upstream cluster. E.g.,:

"transport_socket": {
    "name": "envoy.transport_sockets.tap",
    "typed_config": {
      "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tap.v3.Tap",
      "common_config": {
        "admin_config": {
          "config_id": "mtu.hserver-multi-tenant-upstream.cerberus"
        }
      },
      "transport_socket": {
        "name": "envoy.transport_sockets.tls"
      }
    }
  },

This example uses the admin_config, but that's not important. My question concerns the static_config alternative as well. Continuing with the admin config example, however, if I post this document to the /tap endpoint, it captures traffic:

config_id: mtu.hserver-multi-tenant-upstream.cerberus
tap_config:
    match:
        any_match: true
    output_config:
        streaming: true
        sinks:
            - streaming_admin: {}

But if I post this document, with different match criteria, it never captures traffic, even when the header exists:

config_id: mtu.hserver-multi-tenant-upstream.cerberus
tap_config:
    match:
        http_request_headers_match:
            headers:
                - name: x-capture
                  present_match: true
    output_config:
        streaming: true
        sinks:
            - streaming_admin: {}

Possibly this is intentional. After all, I'm tapping at the TCP level, not the HTTP level. But the documentation doesn't say anything about matching (except for "any") not working when tapping at the TCP level. So I don't know if this is a bug or a documentation deficiency.

I tested with Envoy version

40de14954b29b4c1c87793482b90b27da3370f0f/1.17.0-dev/Clean/RELEASE/BoringSSL

Guia do colaborador