With at least one TLS cluster enabled, Envoy produces invalid output on the `/stats?format=prometheus` endpoint, such as this one:

```
# TYPE envoy_cluster_ssl_ciphers_ECDHE-RSA-AES128-GCM-SHA256 counter
envoy_cluster_ssl_ciphers_ECDHE-RSA-AES128-GCM-SHA256{envoy_cluster_name="local_service"} 8
```

Dashes are not allowed. The cipher suite should be put in a label instead, e.g.

```
# TYPE envoy_cluster_ssl_ciphers_used_total counter
envoy_cluster_ssl_ciphers_used_total{envoy_cluster_name="local_service", cipher_suite="ECDHE-RSA-AES128-GCM-SHA256"} 8
```

Repro steps:

- launch Envoy with config below
- send at least one request to the L1 listener:

  ```
  curl -I localhost:8080
  ```

- request /stats?format=prometheus on the admin listener:

  ```
  curl -s 'localhost:5000/stats?format=prometheus' | grep ciphers
  ```

Config:

```yaml
admin:
  access_log_path: /dev/null
  address:
    socket_address: { address: 0.0.0.0, port_value: 5000 }
static_resources:
  listeners:
  - name: L1
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          stat_prefix: egress_http
          codec_type: AUTO
          http_filters:
          - name: envoy.router
          route_config:
            virtual_hosts:
            - name: google
              domains: ['*']
              routes: [{ match: { prefix: / }, route: { cluster: "google" } }]
  clusters:
  - name: google
    connect_timeout: 1s
    type: STRICT_DNS
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    tls_context: {}
    hosts:
    - socket_address: { address: www.google.com, port_value: 443 }
```
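
The following is an added example, not part of the original report or of Envoy's code: a Python check that flags sample lines whose metric name violates the Prometheus name grammar and rewrites per-cipher counters into the labelled form proposed above. The function names and `SAMPLE_OUTPUT` are constructed for illustration; the `_used_total` suffix and `cipher_suite` label follow the proposal in this report.

```python
import re

# Prometheus text format: metric names must match this pattern (no dashes).
METRIC_NAME = re.compile(r"[a-zA-Z_:][a-zA-Z0-9_:]*")
# One sample line: name, optional {labels}, value.
SAMPLE = re.compile(r"^([^\s{]+)(?:\{(.*)\})?\s+(\S+)$")
# Per-cipher counters as shown in the report: <prefix>_ssl_ciphers_<suite>.
CIPHER_STAT = re.compile(r"^(.*_ssl_ciphers)_(.+)$")

# Constructed sample: the two lines from the report plus one valid counter.
SAMPLE_OUTPUT = """\
# TYPE envoy_cluster_ssl_ciphers_ECDHE-RSA-AES128-GCM-SHA256 counter
envoy_cluster_ssl_ciphers_ECDHE-RSA-AES128-GCM-SHA256{envoy_cluster_name="local_service"} 8
envoy_cluster_upstream_cx_total{envoy_cluster_name="local_service"} 8
"""


def invalid_metric_names(exposition):
    """Return names of sample lines that violate the metric name grammar."""
    bad = []
    for line in exposition.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments, HELP and TYPE lines are not samples
        m = SAMPLE.match(line)
        name = m.group(1) if m else line
        if not METRIC_NAME.fullmatch(name):
            bad.append(name)
    return bad


def cipher_to_label(line):
    """Move the cipher suite from the metric name into a cipher_suite label."""
    m = SAMPLE.match(line.strip())
    if not m:
        return line
    name, labels, value = m.groups()
    c = CIPHER_STAT.match(name)
    if not c or c.group(2) == "used_total":
        return line  # not a per-cipher counter, or already in labelled form
    prefix, suite = c.groups()
    # Escape characters that are special inside a label value.
    suite = suite.replace("\\", "\\\\").replace('"', '\\"')
    parts = [p for p in (labels, f'cipher_suite="{suite}"') if p]
    return f'{prefix}_used_total{{{", ".join(parts)}}} {value}'
```
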