Traffic tapping
Copy contents of HTTP requests and responses to an external tap server.
About traffic tapping
A tap server is a simple device that connects directly to your infrastructure and receives copies of actual traffic from your network so that this traffic can be further monitored, analyzed, or tested with.
Traffic tapping support in Gloo Gateway is introduced as an alpha feature. Alpha features are likely to change, are not fully tested, and are not supported for production.
This feature is an Enterprise-only feature that requires a Gloo Gateway Enterprise license.
Considerations
Traffic tapping can be applied to a gateway listener by using an HTTPListenerOption resource. As such, traffic tapping is applied to all routes that the gateway listener serves. Tapping traffic for a specific route is not currently supported.
You must write your own tap servers. You can find the tap server definitions in the
tap-extension-examplesrepository. To receive tap traces, the tap server must implement the tap service protobuf definitions and be configured to receive data over the gRPC or HTTP protocol.Thetap-extension-examplesrepository is provided as an implementation reference. The repository is not intended to be used in production.In the current implementation, the data plane buffers all trace data in memory before sending it to the tap server.
You cannot tap traffic to a local file.
Data that is tapped from the data plane might contain sensitive information, including credentials or Personal Identifiable Information (PII). Before using traffic tapping in your environment, make sure that all data is encrypted during transit and that sensitive data is masked or removed by the tap server before it is written to permanent storage or forwarded to another service. Note that you cannot use the Data Loss Prevention (DLP) plug-in to prevent sensitive data from being leaked via the tap filter.
Before you begin
Follow the Get started guide to install Gloo Gateway, set up a gateway resource, and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
Deploy a tap server
Create the deployment, service, and upstream for the tap server in your cluster.
kubectl apply -f- <<EOF apiVersion: apps/v1 kind: Deployment metadata: labels: app: sample-tap-server-http name: sample-tap-server-http namespace: gloo-system spec: selector: matchLabels: app: sample-tap-server-http replicas: 1 template: metadata: labels: app: sample-tap-server-http spec: containers: - image: gcr.io/solo-test-236622/sample-tap-server-http:0.0.2 name: sample-tap-server-http # args: ["-text='Hello World!'"] ports: - containerPort: 8080 name: grpc --- apiVersion: v1 kind: Service metadata: name: sample-tap-server-http namespace: gloo-system labels: service: sample-tap-server-http spec: ports: - port: 8080 protocol: TCP selector: app: sample-tap-server-http --- apiVersion: gloo.solo.io/v1 kind: Upstream metadata: name: sample-tap-server-http namespace: gloo-system spec: # useHttp2: true static: hosts: - addr: sample-tap-server-http port: 8080 EOFVerify that the tap server is up and running.
kubectl get pods -n gloo-system | grep tap
Set up traffic tapping
Create an HTTPListenerOption resource to configure traffic tapping for the HTTP listener on the gateway. In the following example, you instruct Gloo Gateway to tap all incoming traffic on the gateway and to send it to the tap server that you previously configured by using the HTTP protocol.
kubectl apply -f- <<EOF apiVersion: gateway.solo.io/v1 kind: HttpListenerOption metadata: name: tapping namespace: gloo-system spec: targetRefs: - group: gateway.networking.k8s.io kind: Gateway name: http options: tap: sinks: - httpService: tapServer: name: sample-tap-server-http namespace: gloo-system timeout: '20s' EOFIn a terminal window, tail the logs of the tap server.
kubectl -n gloo-system logs deployments/sample-tap-server-http -fIn another terminal window, send a request to the httpbin app.
Go back to the logs of the tap server and verify that you can see the request to the httpbin app.
Example output:
2024/06/25 03:12:44 got a request on / 2024/06/25 03:12:45 Message contents were: { "trace_data": { "Trace": { "HttpBufferedTrace": { "request": { "headers": [ { "key": ":authority", "value": "www.example.com:8080" }, { "key": ":path", "value": "/status/200" }, { "key": ":method", "value": "GET" }, { "key": ":scheme", "value": "http" }, { "key": "user-agent", "value": "curl/7.77.0" }, { "key": "accept", "value": "*/*" }, { "key": "x-forwarded-proto", "value": "http" }, { "key": "x-request-id", "value": "87409d69-7c6d-4ce0-9d5a-a9050f960a60" }, { "key": "x-envoy-expected-rq-timeout-ms", "value": "15000" } ] }, "response": { "headers": [ { "key": ":status", "value": "200" }, { "key": "access-control-allow-credentials", "value": "true" }, { "key": "access-control-allow-origin", "value": "*" }, { "key": "date", "value": "Tue, 25 Jun 2024 03:12:44 GMT" }, { "key": "content-length", "value": "0" }, { "key": "x-envoy-upstream-service-time", "value": "2" }, { "key": "server", "value": "envoy" }, { "key": "x-envoy-decorator-operation", "value": "httpbin.httpbin.svc.cluster.local:8000/*" } ] }
Clean up
You can optionally remove the resources that you created as part of this guide.
kubectl delete deployment sample-tap-server-http -n gloo-system
kubectl delete service sample-tap-server-http -n gloo-system
kubectl delete httplisteneroption tapping -n gloo-system