Istio: The ability to configure the upstream version of envoy in istio/proxy

Created on 7 Nov 2019 · 3Comments · Source: istio/istio

Describe the feature request

The ability to configure the upstream version of envoy in the istio/proxy WORKSPACE dynamically (e.g. configurable from a CI/CD system). Ideally, attributes such as url (i.e.repo) and sha could be specified via environment variables or another, related bazel-specific means. Additionally, if the http archive source is private, then auth configuration (e.g. .netrc) should be configurable as well.

As a reference implementation, I took a stab at this https://github.com/istio/proxy/pull/2496 but my effort was subsequently reverted due to limitations in the approach; one major limitation being the absence of a means to authenticate.

Describe alternatives you've considered

Continue to hard-code the value and handle auth ad hoc.
Configure and build from a local source path.
Use --override_repository (xref: https://github.com/istio/proxy/pull/2496#issuecomment-548842080) but not sure how this will work regarding auth with private repos/archives.

arenetworkinenvoy kinenhancement

Source

clarketm

👍2

All 3 comments

@lizan - Do you have any bandwidth to help with this. Is there any way to take what you do locally to build proxy w/envoy from a private repo/url and make it configurable from an external environment or user (e.g. CI)?

For example, how do you use --override_repository with a .netrc file in your local development to pull from a private source location?

clarketm on 8 Nov 2019

👍1

@clarketm --override_repository allows you to point envoy (or any other repository in bazel terms) to a specific local directory, without patching WORKSPACE. Regarding auth with private repos/archives, it should be done prior to invoke bazel, for example: git clone https://github.com/private/envoy /tmp/envoy && bazel build --override_repository=envoy=/tmp/envoy //src/envoy will work, and you are able to configure git to do authenticate (by default git https uses .netrc, you can also use ssh too).

lizan on 11 Nov 2019

👍1

@lizan

@clarketm --override_repository allows you to point envoy (or an...

Okay I see. So the idea is to clone the private repository/source locally on the filesystem upfront, then use --override_repository to direct bazel to the local path where the source was downloaded. I can give that a try and send out a PR shortly, Thanks!

clarketm on 12 Nov 2019

👍1

Was this page helpful?

0 / 5 - 0 ratings

Related issues

istioctl experimental remove-from-mesh deployment istio-egressgateway -n istio-system * failed to update deployment "istio-egressgateway.istio-system" for service "istio-egressgateway.istio-system" due to Deployment.apps "istio-egressgateway" is invalid: spec.template.spec.containers: Required value

tanjunchen · 3Comments

EnvoyFilter not being applied to the workload sidecar "virtual" listener

nitishm · 3Comments

gRPC routing via Gateway and VirtualService going astray

karlmutch · 3Comments

Automatic Sidecar Injection failing on release-1.0 branch

douglas-reid · 3Comments

Istio helm chart is failing to install

iroller · 3Comments