ALS Service for Istio Ingress Gateway Access Logs

Rancher
1

I am trying to setup a ALS GRPC cluster to stream the http and tcp access logs from listeners in Ingress gateways.

I am using the Racher Istio Operator to configure the ALS service target as below

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: my-istio-operator
  namespace: istio-system
spec:
  meshConfig:
   ingressClass: my-istio
   ingressService: my-gslb-ingress
   ingressSelector: my-gslb-ingress
   enableEnvoyAccessLogService: true
   defaultConfig:
    envoyAccessLogService:
      address: "my-als.default.svc.cluster.local:9002"

I see the listeners are added with access_log block referencing the als grpc cluster named “envoy_accesslog_service” but there is no cluster created

access_log": [
    {
        "name": "envoy.access_loggers.http_grpc",
        "typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig",
            "common_config": {
                "log_name": "http_envoy_accesslog",
                "grpc_service": {
                    "envoy_grpc": {
                        "cluster_name": "envoy_accesslog_service"
                    }
                },
                "filter_state_objects_to_log": [
                    "wasm.upstream_peer",
                    "wasm.upstream_peer_id",
                    "wasm.downstream_peer",
                    "wasm.downstream_peer_id"
                ],
                "transport_api_version": "V3"
            }
        }
    }
]

During the startup of envoy i see the below error and envoy doesn’t reach ready state.

warning envoy config gRPC config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) 0.0.0.0_8443: Unknown gRPC client cluster 'envoy_accesslog_service'
0.0.0.0_8080: Unknown gRPC client cluster 'envoy_accesslog_service'

warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 1 successful, 0 rejected; lds updates: 0 successful, 1 rejected

I tried to create a cluster named “envoy_accesslog_service” as below

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: gslb-gateway-access-log
  namespace: routing
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
      istio: my-gslb-ingress
  configPatches:
  - applyTo: CLUSTER
    patch:
      operation: ADD
      value:
        name: "envoy_accesslog_service"
        type: LOGICAL_DNS
        connect_timeout: 0.5s
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: envoy_accesslog_service
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: "my-als.default.svc.cluster.local:9002"
                    port_value: 9002

This time envoy startup gives the below errror

warning envoy config    gRPC config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) 0.0.0.0_8443: gRPC client cluster 'envoy_accesslog_service' is not static
0.0.0.0_8080: gRPC client cluster 'envoy_accesslog_service' is not static

Am I missing any configuration ?

Any help is appreciated.