From 032e43088faad5be7f8a61aba077b1beb899be90 Mon Sep 17 00:00:00 2001
From: Shinnosuke Sawada-Dazai <shin@warashi.dev>
Date: Mon, 9 Sep 2024 10:52:14 +0900
Subject: [PATCH] Set the envoy retry policy for external-authz filter (#5194)

* Add timeout for envoy ext_authz

Signed-off-by: Shinnosuke Sawada-Dazai <shin@warashi.dev>

* Upgrade envoy

Signed-off-by: Shinnosuke Sawada-Dazai <shin@warashi.dev>

* Set retry_policy for ext_authz service

Signed-off-by: Shinnosuke Sawada-Dazai <shin@warashi.dev>

---------

Signed-off-by: Shinnosuke Sawada-Dazai <shin@warashi.dev>
---
 manifests/pipecd/templates/deployment.yaml      |  2 +-
 manifests/pipecd/templates/envoy-configmap.yaml | 13 +++++++++++++
 manifests/pipecd/values.yaml                    |  2 +-
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/manifests/pipecd/templates/deployment.yaml b/manifests/pipecd/templates/deployment.yaml
index 67a1e414d1..cc3b2900fc 100644
--- a/manifests/pipecd/templates/deployment.yaml
+++ b/manifests/pipecd/templates/deployment.yaml
@@ -25,7 +25,7 @@ spec:
       {{- end }}
       containers:
         - name: envoy
-          image: envoyproxy/envoy-alpine:{{ .Values.gateway.imageTag }}
+          image: envoyproxy/envoy:{{ .Values.gateway.imageTag }}
           imagePullPolicy: IfNotPresent
           command:
           - envoy
diff --git a/manifests/pipecd/templates/envoy-configmap.yaml b/manifests/pipecd/templates/envoy-configmap.yaml
index b7390c8db4..710ac93b9d 100644
--- a/manifests/pipecd/templates/envoy-configmap.yaml
+++ b/manifests/pipecd/templates/envoy-configmap.yaml
@@ -38,11 +38,22 @@ data:
                   grpc_service:
                     envoy_grpc:
                       cluster_name: grpc-envoy-ext-authz
+                      retry_policy:
+                        num_retries: 3
+                        retry_back_off:
+                          base_interval: 0.25s
+                          max_interval: 1s
+                        retry_on: 5xx
+                    timeout: 3s
                   transport_api_version: V3
                   include_peer_certificate: false
               - name: envoy.filters.http.grpc_web
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
 {{- if .Values.cors.enabled }}
               - name: envoy.filters.http.cors
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
 {{- end }}
               - name: envoy.filters.http.grpc_stats
                 typed_config:
@@ -50,6 +61,8 @@ data:
                   stats_for_all_methods: true
                   enable_upstream_stats: true
               - name: envoy.filters.http.router
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
               route_config:
                 name: local_route
                 virtual_hosts:
diff --git a/manifests/pipecd/values.yaml b/manifests/pipecd/values.yaml
index f9dee57481..231922b7ef 100644
--- a/manifests/pipecd/values.yaml
+++ b/manifests/pipecd/values.yaml
@@ -22,7 +22,7 @@ serviceAccount:
 # Workloads.
 gateway:
   replicasCount: 1
-  imageTag: v1.18.3
+  imageTag: v1.31.0
   resources: {}
   internalTLS:
     enabled: false