feat(api): support per-route gRPC initial metadata for ExtProc via ExtProcPerRoute#8463
Open
surenraju-careem wants to merge 4 commits intoenvoyproxy:mainfrom
Open
Conversation
…tProcPerRoute Add `grpcInitialMetadata` field to the `ExtProc` API in EnvoyExtensionPolicy, enabling users to specify per-route key-value pairs that Envoy sends as gRPC stream initial metadata to the external processing server via ExtProcPerRoute.overrides.grpc_initial_metadata. This allows ext_proc servers to identify which HTTPRoute rule is being processed and apply route-specific handler logic without relying on unstable index-based xDS route names (e.g. rule/0/match/0). Changes: - api/v1alpha1: add GRPCInitialMetadata []ExtProcGRPCInitialMetadataEntry to ExtProc struct with kubebuilder MaxItems=16 validation - internal/ir: add GRPCInitialMetadata field and ExtProcGRPCInitialMetadata type to ExtProc IR struct - internal/gatewayapi: map GRPCInitialMetadata from API to IR in buildExtProc - internal/xds/translator: patchRoute now emits a typed ExtProcPerRoute with overrides.grpc_initial_metadata when entries are configured, falling back to the existing empty FilterConfig when none are set - CRD manifests regenerated via make manifests - API docs regenerated via make generate - release-notes/current.yaml: add entry for new feature - examples/grpc-ext-proc: read gRPC stream initial metadata and reflect values in response headers to enable e2e verification Fixes envoyproxy#8459 Signed-off-by: Suren Raju <suren.raju@careem.com>
✅ Deploy Preview for cerulean-figolla-1f9435 canceled.
|
Codecov Report❌ Patch coverage is
❌ Your patch check has failed because the patch coverage (17.24%) is below the target coverage (60.00%). You can increase the patch coverage or adjust the target coverage. Additional details and impacted files@@ Coverage Diff @@
## main #8463 +/- ##
==========================================
- Coverage 74.13% 74.09% -0.05%
==========================================
Files 242 242
Lines 37579 37604 +25
==========================================
+ Hits 27859 27862 +3
- Misses 7778 7798 +20
- Partials 1942 1944 +2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
- Pass extProc by pointer in buildExtProc to fix gocritic hugeParam lint (egv1a1.ExtProc is 96 bytes, passing by value flagged by linter) - Update generated helm CRD test outputs (all.out.yaml, e2e.out.yaml, envoy-gateway-crds.out.yaml) to match latest manifests - Fix case-insensitive grep in image.mk for Docker API version check Signed-off-by: Suren Raju <suren.raju@careem.com>
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
zhaohuabing
requested changes
Mar 12, 2026
zhaohuabing
reviewed
Mar 12, 2026
| // per-route metadata without duplicating the full gRPC service configuration. | ||
| // | ||
| // +optional | ||
| GRPCInitialMetadata []ExtProcGRPCInitialMetadataEntry `json:"grpcInitialMetadata,omitempty"` |
Member
There was a problem hiding this comment.
Is it possible that we may need to support HTTP ext proc in the future? If so, a GRPCService wrapper might be more furture-proof. cc @guydc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
feat(api)
What this PR does / why we need it:
Adds a
grpcInitialMetadatafield to theExtProcAPI inEnvoyExtensionPolicy, allowing users to specify per-route key-value pairs sent as gRPC stream initial metadata to the external processing server viaExtProcPerRoute.overrides.grpc_initial_metadata.Today,
patchRoute()in the xDS translator always emits an emptyFilterConfig{Config: &anypb.Any{}}for every ext_proc-enabled route — regardless of whichEnvoyExtensionPolicy(withsectionNamescoping) is attached. This means the ext_proc server has no stable, per-route signal to determine which HTTPRoute rule is being processed.The only current option is
Attributes["xds.route_name"], but that value is index-based (httproute/ns/name/rule/0/match/0/...) and breaks whenever rules are reordered.With this change, operators can inject stable, semantic metadata:
Envoy then delivers these as gRPC stream initial metadata to the ext_proc server on every request matching that rule, enabling the server to apply rule-specific logic without any unstable xDS route name parsing.
This maps directly to
ExtProcOverrides.grpc_initial_metadata(field 7), which is fully implemented in Envoy since envoy#31544.Which issue(s) this PR fixes:
Fixes #8459
Changes:
api/v1alpha1: addGRPCInitialMetadata []ExtProcGRPCInitialMetadataEntrytoExtProcstructinternal/ir: addGRPCInitialMetadatafield andExtProcGRPCInitialMetadatatypeinternal/gatewayapi: map API field to IR inbuildExtProc()internal/xds/translator:patchRoute()emits a typedExtProcPerRoutewithoverrides.grpc_initial_metadatawhen entries are present; falls back to emptyFilterConfigotherwisemake manifests)make generate)examples/grpc-ext-proc: updated to read and reflect gRPC stream initial metadata in response headers for e2e observabilityRelease Notes: Yes