The service mesh leaks x-envoy* headers outside of the mesh. To prevent this I’m trying to apply this filter:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: egress-filter
namespace: istio-system
spec:
workloadSelector:
labels:
app: istio-egressgateway
configPatches:
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: MERGE
value:
name: "envoy.router"
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.http.router.v2.Router"
suppress_envoy_headers: true
This doesn’t seem to work though as proxy-config reports the same filter chain configuration before and after applying the filter. However, if I change the workloadSelector so that the label is app: istio-ingressgateway, I do see a change in the configuration for the ingress gateway so I have no reason to believe there is a problem with the filter specification as such.
Does anyone know what might be happening here?