diff --git a/install/kubernetes/helm/istio/templates/configmap.yaml b/install/kubernetes/helm/istio/templates/configmap.yaml
index 4526c16740dd..f444a5dfa375 100644
--- a/install/kubernetes/helm/istio/templates/configmap.yaml
+++ b/install/kubernetes/helm/istio/templates/configmap.yaml
@@ -96,6 +96,17 @@ data:
 # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS
 connectTimeout: 10s
+
+ # Automatic protocol detection uses a set of heuristics to
+ # determine whether the connection is using TLS or not (on the
+ # server side), as well as the application protocol being used
+ # (e.g., http vs tcp). These heuristics rely on the client sending
+ # the first bits of data. For server first protocols like MySQL,
+ # MongoDB, etc., Envoy will timeout on the protocol detection after
+ # the specified period, defaulting to non mTLS plain TCP
+ # traffic. Set this field to tweak the period that Envoy will wait
+ # for the client to send the first bits of data. (MUST BE >=1ms)
+ protocolDetectionTimeout: {{ .Values.global.proxy.protocolDetectionTimeout }}
 # DNS refresh rate for Envoy clusters of type STRICT_DNS
 dnsRefreshRate: {{ .Values.global.proxy.dnsRefreshRate }}
diff --git a/install/kubernetes/helm/istio/values.yaml b/install/kubernetes/helm/istio/values.yaml
index 3bf96dfe63ec..158bd22ae1c7 100644
--- a/install/kubernetes/helm/istio/values.yaml
+++ b/install/kubernetes/helm/istio/values.yaml
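Review bot: `protocolDetectionTimeout: {{ .Values.global.proxy.protocolDetectionTimeout }}` renders whatever the chart user supplies, while the comment directly above says the value MUST be >=1ms; nothing in the template enforces that, so an empty or zero value reaches the mesh config unchallenged and only misbehaves later in Pilot/Envoy. At minimum fail the render on a missing value: `protocolDetectionTimeout: {{ required "global.proxy.protocolDetectionTimeout must be set (>=1ms)" .Values.global.proxy.protocolDetectionTimeout }}`. The comment should also state the security consequence it only hints at with "defaulting to non mTLS plain TCP traffic": this knob bounds how long a peer may stay silent before the sidecar handles it as a non-mTLS client, e.g. `# Security note: a peer that sends nothing within this window is handled as plaintext TCP (no mTLS); keep it short and confirm STRICT-mTLS listeners still reject such connections.` Whether STRICT mode actually rejects a timed-out connection depends on the inbound filter chains, which this change does not touch.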
@@ -205,6 +205,17 @@ global:
 # This must be given it terms of seconds. For example, 300s is valid but 5m is invalid.
 dnsRefreshRate: 300s
+ # Automatic protocol detection uses a set of heuristics to
+ # determine whether the connection is using TLS or not (on the
+ # server side), as well as the application protocol being used
+ # (e.g., http vs tcp). These heuristics rely on the client sending
+ # the first bits of data. For server first protocols like MySQL,
+ # MongoDB, etc., Envoy will timeout on the protocol detection after
+ # the specified period, defaulting to non mTLS plain TCP
+ # traffic. Set this field to tweak the period that Envoy will wait
+ # for the client to send the first bits of data. (MUST BE >=1ms)
+ protocolDetectionTimeout: 10ms
+
 #If set to true, istio-proxy container will have privileged securityContext
 privileged: false
@@ -518,4 +529,4 @@ global:
 # Specifies whether helm test is enabled or not.
 # This field is set to false by default, so 'helm template ...'
 # will ignore the helm test yaml files when generating the template
- enableHelmTest: false
+ enableHelmTest: false
\ No newline at end of file
diff --git a/pilot/pkg/networking/core/v1alpha3/listener.go b/pilot/pkg/networking/core/v1alpha3/listener.go
index f483ae534cfa..d69cb20acdd8 100644
--- a/pilot/pkg/networking/core/v1alpha3/listener.go
+++ b/pilot/pkg/networking/core/v1alpha3/listener.go
@@ -1602,6 +1602,8 @@ func buildSidecarInboundMgmtListeners(node *model.Proxy, env *model.Environment,
 }},
 // No user filters for the management unless we introduce new listener matches
 skipUserFilters: true,
+ proxy: node,
+ env: env,
 }
 l := buildListener(listenerOpts)
 l.TrafficDirection = core.TrafficDirection_INBOUND
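Review bot: The nine-line comment on `protocolDetectionTimeout` is a verbatim copy of the one added to templates/configmap.yaml in the same change, and two copies of an explanation that carries a hard constraint ("MUST BE >=1ms") will drift. Keep the full text here, since values.yaml is the file operators read, and reduce the template copy to a pointer such as `# See global.proxy.protocolDetectionTimeout in values.yaml.` The `10ms` default also duplicates the new `DefaultMeshConfig` value in pkg/config/mesh/mesh.go with nothing tying them together; a cross-reference comment here, `# Keep in sync with DefaultMeshConfig in pkg/config/mesh/mesh.go.`, makes the coupling visible to the next person who changes one of them.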
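Review bot: `proxy` and `env` are now effectively mandatory fields of `buildListenerOpts`, because `buildListener` reads `opts.env.Mesh.ProtocolDetectionTimeout` for any proxy that `util.IsIstioVersionGE13` accepts, yet nothing in this hunk marks them as required. Every other `buildListenerOpts{...}` literal in listener.go is outside the hunk, and any one that still omits `env` would nil-dereference during listener generation. A comment on the two new fields would make the contract visible: `// proxy and env are required: buildListener reads env.Mesh.ProtocolDetectionTimeout for 1.3+ proxies.` The `listenerOpts` literal begins before this hunk.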
@@ -1883,7 +1885,8 @@ func buildListener(opts buildListenerOpts) *xdsapi.Listener {
 BindToPort: proto.BoolFalse,
 }
 }
- return &xdsapi.Listener{
+
+ listener := &xdsapi.Listener{
 // TODO: need to sanitize the opts.bind if its a UDS socket, as it could have colons, that envoy
 // doesn't like
 Name: fmt.Sprintf("%s_%d", opts.bind, opts.port),
@@ -1892,6 +1895,15 @@ func buildListener(opts buildListenerOpts) *xdsapi.Listener {
 FilterChains: filterChains,
 DeprecatedV1: deprecatedV1,
 }
+
+ if util.IsIstioVersionGE13(opts.proxy) {
+ listener.ListenerFiltersTimeout = util.GogoDurationToDuration(opts.env.Mesh.ProtocolDetectionTimeout)
+ if listener.ListenerFiltersTimeout != nil {
+ listener.ContinueOnListenerFiltersTimeout = true
+ }
+ }
+
+ return listener
 }
 // appendListenerFallthroughRoute adds a filter that will match all traffic and direct to the
diff --git a/pkg/config/mesh/mesh.go b/pkg/config/mesh/mesh.go
index 2b7a2aa55b28..a171f7c73bf3 100644
--- a/pkg/config/mesh/mesh.go
+++ b/pkg/config/mesh/mesh.go
@@ -82,6 +82,7 @@ func DefaultMeshConfig() meshconfig.MeshConfig {
 DefaultDestinationRuleExportTo: []string{"*"},
 OutboundTrafficPolicy: &meshconfig.MeshConfig_OutboundTrafficPolicy{Mode: meshconfig.MeshConfig_OutboundTrafficPolicy_ALLOW_ANY},
 DnsRefreshRate: types.DurationProto(5 * time.Second), // 5 seconds is the default refresh rate used in Envoy
+ ProtocolDetectionTimeout: types.DurationProto(10 * time.Millisecond),
 }
 }
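Review bot: The new block dereferences `opts.env.Mesh` unguarded right after the version check, so a `buildListenerOpts` built without `env` (a field this change only just started populating on the management-listener path) would panic inside Pilot's config generation rather than produce a listener — a control-plane crash triggered by a single 1.3+ proxy. Put the nil check first: `if opts.env != nil && util.IsIstioVersionGE13(opts.proxy) {` (and `opts.env.Mesh != nil` as well if `Mesh` is a pointer in this codebase). The `ContinueOnListenerFiltersTimeout = true` line is the security-relevant half of the change: once the timeout fires the listener proceeds with no TLS or protocol detected, i.e. filter-chain matching sees a plaintext TCP connection, which is the intended PERMISSIVE fallback but should be confirmed against the STRICT-mTLS inbound filter chains (outside this hunk) so a silent peer cannot be accepted as a non-mTLS client there. A one-line comment above the block stating that consequence, e.g. `// On timeout Envoy continues without TLS/protocol info, so the connection is matched as plain TCP (no mTLS).`, would keep the next reader from treating this as a pure timing knob. `buildListener` begins outside this hunk.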
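Review bot: The new `ProtocolDetectionTimeout` default lacks the why-comment its neighbour `DnsRefreshRate` carries, and the 10ms figure duplicates the helm default in values.yaml with nothing tying the two together. Suggest `ProtocolDetectionTimeout: types.DurationProto(10 * time.Millisecond), // keep in sync with global.proxy.protocolDetectionTimeout in the helm values; server-first protocols are treated as plain TCP after this window`, or the same text on the line above if it runs long for gofmt. The helm comment also states the value must be >=1ms; if that constraint is real it belongs next to this default too, since this is the value used when the mesh config omits the field.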