Equivalents of Nginx Ingress Annonations on IstIO Ingress Gateway

I think I found how to set nginx.ingress.kubernetes.io/proxy-body-size in Istio.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: reviews-lua
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews
  configPatches:
    # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
       name: envoy.lua
       config:
         inlineCode: |
           function envoy_on_request(request_handle)
             request_handle:headers():add("request_body_size", request_handle:body():length())
           end

And also the TLS ciphers:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-tls-ingress
spec:
  selector:
    app: my-tls-ingress-gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem
      cipherSuites: "<tls-ciphers>"

If you receiving the 413 Entity Too Large as a response the main issue of this situation is that one of the Envoy filters within the chain has a buffering.

The discussion about that you will find here: https://github.com/envoyproxy/envoy/issues/2919

The initial values for that buffering on Envoy are set by the properties:

  http2_protocol_options:
    initial_stream_window_size: 65536 # 64 KiB
    initial_connection_window_size: 1048576 # 1 MiB

Source: https://www.bookstack.cn/read/envoyproxy-1.13/9a624d80e56eceef.md

You can override that buffer for the given workload (or globally) but you have to remember if you will increase too much there is a risk of the out of memory attacks.

Example filter which reconfigure it:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: my-service
spec:
  workloadSelector:
    labels:
      app: my-service
  configPatches:
    - applyTo: NETWORK_FILTER
      match:
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
      patch:
        operation: MERGE
        value:
          typed_config:
            "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
            http2_protocol_options:
              initial_stream_window_size: 65536
              initial_connection_window_size: 10485760 # 10 MB

You will find more about Envoy Filers on the Istio documentation: https://istio.io/latest/docs/reference/config/networking/envoy-filter/

Additional samples: https://github.com/istio/istio/wiki/EnvoyFilter-Samples

Nginx ingress annotations equivalents can be implemented in Istio with Envoy Filter.

More specifically by using HTTP Lua filter.

Example of envoy filter that has HTTP Lua filter:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: reviews-lua
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews
  configPatches:
    # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
       name: envoy.lua
       config:
         inlineCode: |
           function envoy_on_request(request_handle)
             -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
             local headers, body = request_handle:httpCall(
              "lua_cluster",
              {
               [":method"] = "POST",
               [":path"] = "/acl",
               [":authority"] = "internal.org.net"
              },
             "authorize call",
             5000)
           end
  # The second patch adds the cluster that is referenced by the lua code
  # cds match is omitted as a new cluster is being added
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value: # cluster specification
        name: "lua_cluster"
        type: STRICT_DNS
        connect_timeout: 0.5s
        lb_policy: ROUND_ROBIN
        hosts:
        - socket_address:
            protocol: TCP
            address: "internal.org.net"
            port_value: 8888

For example:

nginx.ingress.kubernetes.io/proxy-body-size could be achieved by size = buffer:length().

nginx.ingress.kubernetes.io/proxy-read-timeout or nginx.ingress.kubernetes.io/proxy-send-timeout are custom timeouts which could be achieved by httpCall(5000).

Full list of methods can be found here.

Hope this helps.

Update:

After rereading nginx annotations getBytes() looks better for nginx.ingress.kubernetes.io/proxy-buffer-size than buffer:lenght().

getBytes()

buffer:getBytes(index, length)

Get bytes from the buffer. By default Envoy will not copy all buffer bytes to Lua. This will cause a buffer segment to be copied. index is an integer and supplies the buffer start index to copy. length is an integer and supplies the buffer length to copy. index + length must be less than the buffer length.

So buffer:getBytes(0, 8000) should load 8k of bytes from buffer similar to nginx.ingress.kubernetes.io/proxy-buffer-size: "8k".