Skip to content

HTTPProxy weighted services - healthchecks #7358

New issue
New issue
Open
Open
HTTPProxy weighted services - healthchecks#7358
Labels
kind/questionCategorizes an issue as a user question.lifecycle/needs-triageIndicates that an issue needs to be triaged by a project contributor.
@akardaspg

Description

@akardaspg
akardaspg
opened on Dec 22, 2025

Hello,

I have config for HTTPProxy with weighted services like below:

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: example-proxy
spec:
  virtualhost:
    fqdn: some.host.test
  routes:
  - conditions:
    - prefix: /
    healthCheckPolicy:
        path: /chealth                          
        intervalSeconds: 5                        
        timeoutSeconds: 2                         
        unhealthyThresholdCount: 3                
        healthyThresholdCount: 2                  
        host: other.host.test         
    services:
    - name: service-1
      port: 443
      protocol: tls
      weight: 70
      requestHeadersPolicy:
        set:
        - name: Host
          value: other.host.test
    - name: service-2
      port: 443
      weight: 30
      protocol: tls
      requestHeadersPolicy:
        set:
        - name: Host
          value: other.host.test

When one of the service is not available (the health-check does not succeeded), the traffic is still forwarded to unhealthy service, even the envoy marked the service as unhealthy:

example-proxy/service-1/443/ddc01a37e7::X.X.X.X:443::health_flags::/failed_active_hc
example-proxy/service-2/443/ddc01a37e7::Y.Y.Y.Y:443::health_flags::healthy

I assume because the services are mapped to weighted_cluster in envoy config:

"virtual_hosts": [
              {
                "name": "some.host.test",
                "domains": [
                  "some.host.test"
                ],
                "routes": [
                  {
                    "match": {
                      "prefix": "/"
                    },
                    "route": {
                      "weighted_clusters": {
                        "clusters": [
                          {
                            "name": "example-proxy/service-1/443/ddc01a37e7:",
                            "weight": 70,
                            "host_rewrite_literal": "other.host.test"
                          },
                          {
                            "name": "example-proxy/service-2/443/ddc01a37e7",
                            "weight": 30,
                            "host_rewrite_literal": "other.host.test"
                          }
                        ]
                      }
                    },

And tests are performed by Envoy not on weighted_clusters level to check health of them and deactivate it from route, but tests are performed on cluster level to filter out unhealthy Endpoin/EndpointSlices.

So the loadbalacing decision is pure made on weight and does not account the health status.

The question is then, is there any solution for contour to overcome this one, to automatically filter out service from traffic forward if not healthy ?

I think this kind of behaviour could be solved by implementing it on top of Aggregated cluster functionality on Envoy side with locality_weighted_lb_config, are there maybe plan to implement this on contour side ?

Environment:

  • Contour version: 1.33.0
  • Kubernetes version: (use kubectl version): 1.34
  • Cloud provider or hardware configuration: kind/local

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/questionCategorizes an issue as a user question.lifecycle/needs-triageIndicates that an issue needs to be triaged by a project contributor.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions