Fault Injection (proto)

This extension has the qualified name envoy.filters.http.fault

Note

This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

Tip

This extension extends and can be used with the following extension category:

This extension must be configured with one of the following type URLs:

Fault Injection configuration overview.

extensions.filters.http.fault.v3.FaultAbort

[extensions.filters.http.fault.v3.FaultAbort proto]

{
  "http_status": ...,
  "grpc_status": ...,
  "header_abort": {...},
  "percentage": {...}
}

http_status

(uint32) HTTP status code to use to abort the HTTP request.

Precisely one of http_status, grpc_status, header_abort must be set.

grpc_status

(uint32) gRPC status code to use to abort the gRPC request.

Precisely one of http_status, grpc_status, header_abort must be set.

header_abort

(extensions.filters.http.fault.v3.FaultAbort.HeaderAbort) Fault aborts are controlled via an HTTP header (if applicable).

Precisely one of http_status, grpc_status, header_abort must be set.

percentage

(type.v3.FractionalPercent) The percentage of requests/operations/connections that will be aborted with the error code provided.

extensions.filters.http.fault.v3.FaultAbort.HeaderAbort

[extensions.filters.http.fault.v3.FaultAbort.HeaderAbort proto]

Fault aborts are controlled via an HTTP header (if applicable). See the HTTP fault filter documentation for more information.

extensions.filters.http.fault.v3.HTTPFault

[extensions.filters.http.fault.v3.HTTPFault proto]

{
  "delay": {...},
  "abort": {...},
  "upstream_cluster": ...,
  "headers": [],
  "downstream_nodes": [],
  "max_active_faults": {...},
  "response_rate_limit": {...},
  "delay_percent_runtime": ...,
  "abort_percent_runtime": ...,
  "delay_duration_runtime": ...,
  "abort_http_status_runtime": ...,
  "max_active_faults_runtime": ...,
  "response_rate_limit_percent_runtime": ...,
  "abort_grpc_status_runtime": ...,
  "disable_downstream_cluster_stats": ...,
  "filter_metadata": {...}
}

delay

(extensions.filters.common.fault.v3.FaultDelay) If specified, the filter will inject delays based on the values in the object.

abort

(extensions.filters.http.fault.v3.FaultAbort) If specified, the filter will abort requests based on the values in the object. At least one of abort or delay must be specified.

upstream_cluster

(string) Specifies the name of the (destination) upstream cluster that the filter should match on. Fault injection will be restricted to requests bound to the specific upstream cluster.

headers

(repeated config.route.v3.HeaderMatcher) Specifies a set of headers that the filter should match on. The fault injection filter can be applied selectively to requests that match a set of headers specified in the fault filter config. The chances of actual fault injection further depend on the value of the percentage field. The filter will check the request’s headers against all the specified headers in the filter config. A match will happen if all the headers in the config are present in the request with the same values (or based on presence if the value field is not in the config).

downstream_nodes

(repeated string) Faults are injected for the specified list of downstream hosts. If this setting is not set, faults are injected for all downstream nodes. The downstream node name is taken from the HTTP x-envoy-downstream-service-node header and compared against the downstream_nodes list.

max_active_faults

(UInt32Value) The maximum number of faults that can be active at a single time via the configured fault filter. Note that because this setting can be overridden at the route level, it’s possible for the number of active faults to be greater than this value (if injected via a different route). If not specified, defaults to unlimited. This setting can be overridden via runtime, and any faults that are not injected due to overflow will be indicated via the faults_overflow stat.

Attention

Like other circuit breakers in Envoy, this is a fuzzy limit. It’s possible for the number of active faults to rise slightly above the configured amount due to the implementation details.

response_rate_limit

(extensions.filters.common.fault.v3.FaultRateLimit) The response rate limit to be applied to the response body of the stream. When configured, the percentage can be overridden by the fault.http.rate_limit.response_percent runtime key.

Attention

This is a per-stream limit versus a connection level limit. This means that concurrent streams will each get an independent limit.

delay_percent_runtime

(string) The runtime key to override the default runtime. The default is: fault.http.delay.fixed_delay_percent

abort_percent_runtime

(string) The runtime key to override the default runtime. The default is: fault.http.abort.abort_percent

delay_duration_runtime

(string) The runtime key to override the default runtime. The default is: fault.http.delay.fixed_duration_ms

abort_http_status_runtime

(string) The runtime key to override the default runtime. The default is: fault.http.abort.http_status

max_active_faults_runtime

(string) The runtime key to override the default runtime. The default is: fault.http.max_active_faults

response_rate_limit_percent_runtime

(string) The runtime key to override the default runtime. The default is: fault.http.rate_limit.response_percent

abort_grpc_status_runtime

(string) The runtime key to override the default runtime. The default is: fault.http.abort.grpc_status

disable_downstream_cluster_stats

(bool) Controls whether stats storage is allocated dynamically for each downstream server. If set to true, the “x-envoy-downstream-service-cluster” header will be ignored by this filter. If set to false, dynamic stats storage will be allocated for the downstream cluster name. Default value is false.

filter_metadata

(Struct) When an abort or delay fault is executed, the metadata struct provided here will be added to the request’s dynamic metadata under the namespace corresponding to the name of the fault filter. This data can be logged as part of Access Logs using the command operator %DYNAMIC_METADATA(NAMESPACE)%, where NAMESPACE is the name of the fault filter.
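
The field constraints stated above for FaultAbort and HTTPFault can be checked before a config is deployed. The following linter is an added example, not code from the Envoy project; the function name, the sample configs, the x-chaos-test header name and the scoping rule for header_abort are assumptions made for illustration.

```python
# Added example (not Envoy code): lint one HTTPFault config, given as a dict
# parsed from JSON or YAML, against the constraints stated in this reference.
ABORT_ONEOF = ("http_status", "grpc_status", "header_abort")


def lint_http_fault(cfg):
    """Return a list of (severity, message) findings for one HTTPFault config."""
    findings = []
    abort, delay = cfg.get("abort"), cfg.get("delay")

    # Reference: at least one of abort or delay must be specified.
    if abort is None and delay is None:
        findings.append(("error", "neither abort nor delay is set"))

    if abort is not None:
        # Reference: precisely one of http_status, grpc_status, header_abort.
        chosen = [f for f in ABORT_ONEOF if f in abort]
        if len(chosen) != 1:
            findings.append(("error", f"abort sets {len(chosen)} of {ABORT_ONEOF}; need exactly 1"))
        # Assumed local policy: header_abort lets a request header drive the
        # abort, so require a headers or downstream_nodes selector next to it.
        elif chosen == ["header_abort"] and not (cfg.get("headers") or cfg.get("downstream_nodes")):
            findings.append(("warn", "header_abort has no headers/downstream_nodes selector"))

    # Reference: max_active_faults defaults to unlimited when not specified.
    if "max_active_faults" not in cfg:
        findings.append(("warn", "max_active_faults unset; active faults are unlimited"))
    return findings


# Constructed sample configs; the x-chaos-test header name is hypothetical.
CONFLICTING = {"abort": {"http_status": 503, "grpc_status": 14}}
HEADER_DRIVEN = {"abort": {"header_abort": {}}}
SCOPED = {
    "abort": {"http_status": 503, "percentage": {"numerator": 5, "denominator": "HUNDRED"}},
    "headers": [{"name": "x-chaos-test"}],
    "max_active_faults": 50,
}

if __name__ == "__main__":
    for name, cfg in (("CONFLICTING", CONFLICTING), ("HEADER_DRIVEN", HEADER_DRIVEN), ("SCOPED", SCOPED)):
        print(name, lint_http_fault(cfg) or "ok")
```
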