Lesson 8 · Traffic, the edge & resilience
EnvoyFilter — the escape hatch
When the high-level CRDs can't express it — patch Envoy directly. This repo uses it for real.
Your win: explain what an EnvoyFilter is, when to reach for it (and when not to), and read this repo's Lua EnvoyFilter that rewrites auth headers inside the sidecar.
The last resort — by design
VirtualService, DestinationRule, and Gateway are abstractions over Envoy — clean, portable, and covering the common cases. An EnvoyFilter drops below them: it lets you patch the raw Envoy configuration directly — add an HTTP filter, manipulate headers, run custom Lua/Wasm, tweak a listener.1 It's the escape hatch for things the high-level CRDs simply can't express.
An EnvoyFilter targets a point in the proxy
Every EnvoyFilter says where to patch and what to do:
- context —
SIDECAR_INBOUND/SIDECAR_OUTBOUND/GATEWAY(which direction of which proxy). - match — the listener/filter/route to attach to.
- patch — the operation (
INSERT_BEFORE,MERGE, …) and the config to splice in.
util.http.envoyfilter.salesforce — a kind: EnvoyFilter
(:5), context: SIDECAR_INBOUND
(:16), inserting an envoy.lua HTTP filter
(:26-29). Its inline Lua reads the X-Salesforce-Domain
header (:33), calls the auth service's
/auth/api/v1/exchange_named_credential_jwt, and swaps the
Authorization header before the request reaches your app — a token
exchange done in the sidecar, transparently. It's wired into every service via
util.app (_app.tpl:24). There's a sibling
util.hasura.envoyfilter that injects a Lua activity-log filter on the Hasura
sidecar.
Istio docs — EnvoyFilter (reference)
context / match / patch, the operations, and the strong warnings about version coupling.
Check yourself (from memory)
Q1. You reach for an EnvoyFilter when…
Q2. The main risk of EnvoyFilter is that it…
Q3. This repo's Salesforce EnvoyFilter uses Lua to…
X-Salesforce-Domain,
calls auth, and rewrites Authorization before your app sees it.
context (SIDECAR_INBOUND/OUTBOUND/GATEWAY),
match (listener/filter/route), patch (INSERT_BEFORE/MERGE + config).
RISK: tightly COUPLED to the Envoy/Istio VERSION (an upgrade can silently break it), bypasses
validation — use SPARINGLY, pin the version. REPO (real use):
util.http.envoyfilter.salesforce (_app_envoyfilter_salesforce.tpl)
— SIDECAR_INBOUND Lua that reads X-Salesforce-Domain, calls auth's
token-exchange, and SWAPS the Authorization header before the app sees it (wired
via _app.tpl:24); plus a Hasura activity-log Lua filter. Legit use: bespoke
per-request logic a CRD can't do.