In the diagram below I'd like to configure an EnvoyFilter on traffic passing through Gateway1.
I'm able to define a filter for the entire IngressGateway, and further I can modify that filter to track specific hostnames. It would be less fragile and more convenient if I could attach it to the Gateway where the httpsRedirect and secret are configured.
An example use-case is a gateway handling ports 80/443, with httpsRedirect: true on port 80. For port 443 I'd like a filter that adds HSTS and other security headers to all responses.
Using a VirtualService, I'm able to configure response headers, but these security headers belong at the Gateway / ingress and should apply equally to all traffic through it.
```
                       ┌────────────────┐    ┌────────────────┐
                    ┌─▶│    Gateway1    │───▶│VirtualService1 │
                    │  └────────────────┘    └────────────────┘
┌────────────────┐  │
│ IngressGateway │──┤
└────────────────┘  │
                    │  ┌────────────────┐    ┌────────────────┐
                    └─▶│    Gateway2    │───▶│VirtualService2 │
                       └────────────────┘    └────────────────┘
```
This is an example filter that applies to the entire ingress, but if I could apply it only to Gateway1 then I would be happy.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: secure-headers
  namespace: ${namespace}
spec:
  # Matches every pod with this label, i.e. the whole IngressGateway deployment,
  # so the filter sees traffic for Gateway1 and Gateway2 alike.
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: envoy.http_connection_manager
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.lua
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            -- Per-stream state has to go through dynamic metadata: a chunk-level
            -- local is shared by every request handled on the same worker thread,
            -- so concurrent streams would read each other's value.
            local META_NS = "envoy.filters.http.lua"

            function envoy_on_request(handle)
              local proto = handle:headers():get("x-forwarded-proto")
              if proto ~= nil then
                handle:streamInfo():dynamicMetadata():set(META_NS, "proto", proto)
              end
            end

            function envoy_on_response(handle)
              local meta = handle:streamInfo():dynamicMetadata():get(META_NS)
              local proto = meta and meta["proto"]
              -- Only add HSTS on responses that actually went out over TLS, and
              -- never overwrite a value the upstream already set.
              if proto == "https" and handle:headers():get("Strict-Transport-Security") == nil then
                handle:headers():add("Strict-Transport-Security", "max-age=31536000")
              end
            end
```
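For comparison, this is the VirtualService-level workaround mentioned above, written out as an added example (it is not part of the original post or Istio's own docs). The Gateway carries the 80/443 split with httpsRedirect on port 80, and the VirtualService bound to it adds the security headers on every routed response. The names secure-gw, app-vs, app.example.com, app-svc, port 8080 and the credential app-cert are assumed.

```yaml
# Added example: Gateway with HTTP->HTTPS redirect plus a VirtualService that
# sets security headers. All resource names and hosts below are assumptions.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: secure-gw
  namespace: ${namespace}
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - app.example.com
    tls:
      httpsRedirect: true        # 301 to https:// for every plaintext request
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - app.example.com
    tls:
      mode: SIMPLE
      credentialName: app-cert   # Kubernetes TLS secret in the gateway namespace
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: app-vs
  namespace: ${namespace}
spec:
  hosts:
  - app.example.com
  gateways:
  - secure-gw
  http:
  - headers:
      response:
        # "add" appends; use "set" instead if an upstream value must be overridden.
        add:
          Strict-Transport-Security: max-age=31536000; includeSubDomains
          X-Content-Type-Options: nosniff
          X-Frame-Options: DENY
    route:
    - destination:
        host: app-svc
        port:
          number: 8080
```

Two caveats worth knowing: the port-80 redirect is generated by Envoy at the Gateway and never reaches the VirtualService, so the headers only appear on HTTPS responses, which is the same condition the Lua filter checks via x-forwarded-proto; and the headers are attached to this VirtualService's routes only, so every other VirtualService bound to the same Gateway needs the same block, which is exactly the duplication a Gateway-scoped filter would avoid.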