Hello,
I’m a newbie Istio user and I’m trying to update my current Lua and ext_authz EnvoyFilter specs to use the structure suggested in the docs, replacing the filters section with the configPatches section, which I’m using to authenticate each request coming into my cluster. I’m using Istio 1.5.1 and I couldn’t make it work; could you help me understand what I’m doing wrong? Also, I wanted to understand… will the filters section be deprecated?
Here is my “old” spec, which I have been using since Istio 1.2:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authserver-security-by-default
  namespace: istio-system
spec:
  filters:
  - listenerMatch:
      listenerType: GATEWAY
      listenerProtocol: HTTP
    filterName: envoy.lua
    insertPosition:
      index: FIRST
    filterType: HTTP
    filterConfig:
      inlineCode: |
        function envoy_on_response(response_handle)
          if not response_handle:headers():get("Strict-Transport-Security") then
            response_handle:headers():add("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
          end
        end
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authserver
  namespace: istio-system
spec:
  filters:
  - listenerMatch:
      listenerType: GATEWAY
      listenerProtocol: HTTP
    filterName: envoy.ext_authz
    insertPosition:
      index: AFTER
      relativeTo: authserver-security-by-default
    filterType: HTTP
    filterConfig:
      http_service:
        server_uri:
          uri: "http://authserver.auth-server.svc.cluster.local:80"
          cluster: "outbound|80||authserver.auth-server.svc.cluster.local"
          timeout: "1s"
        authorization_response:
          allowed_upstream_headers:
            patterns:
            - exact: Client-Id
            - exact: User-Id
        authorization_request:
          allowed_headers:
            patterns:
            - exact: Authorization
And this is my failed attempt at a “new” spec with Istio 1.5.1:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authserver-security-by-default
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.lua
        # name: envoy.filters.http.lua
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
          inlineCode: |
            function envoy_on_response(response_handle)
              if not response_handle:headers():get("Strict-Transport-Security") then
                response_handle:headers():add("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
              end
            end
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authserver
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        # name: envoy.filters.http.ext_authz
        name: envoy.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
          http_service:
            server_uri:
              uri: "http://authserver.auth-server.svc.cluster.local:80"
              cluster: "outbound|80||authserver.auth-server.svc.cluster.local"
              timeout: "1s"
            authorization_response:
              allowed_upstream_headers:
                patterns:
                - exact: Client-Id
                - exact: User-Id
            authorization_request:
              allowed_headers:
                patterns:
                - exact: Authorization
Besides, I realized that if I use SIDECAR_INBOUND, the EnvoyFilter is broken; it can’t start. Another question is about the filter chain: is it well configured? Where can I read about the order in that chain? My last question is about the name value for the filter, because the Envoy docs recommend using the ones that I left commented; could it be that?
Thank you so much!
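Added example, not from the original post: since the question above is whether the patched HTTP filter chain ends up in the intended order (Lua, then ext_authz, then envoy.router), this script reads the listener JSON that `istioctl proxy-config listener <gateway-pod> -o json` prints and reports the HTTP filter order per listener. The listener JSON embedded here is a constructed, trimmed sample, not a capture from a real cluster; the field names assume istioctl's camelCase protojson output, with snake_case accepted as a fallback.

```python
import json

# Constructed sample, trimmed to the fields this check reads. Not a real
# capture: it mimics `istioctl proxy-config listener <pod> -o json` output.
SAMPLE_LISTENERS = json.dumps([
    {
        "name": "0.0.0.0_80",
        "filterChains": [{
            "filters": [{
                "name": "envoy.http_connection_manager",
                "typedConfig": {
                    "httpFilters": [
                        {"name": "envoy.lua"},
                        {"name": "envoy.ext_authz"},
                        {"name": "envoy.router"},
                    ]
                },
            }]
        }],
    }
])

# Both the legacy and the canonical HTTP connection manager filter names.
HCM_NAMES = {"envoy.http_connection_manager",
             "envoy.filters.network.http_connection_manager"}


def _get(obj, camel, snake):
    """Read a protojson field whether it is camelCase or snake_case."""
    return obj.get(camel, obj.get(snake, []))


def http_filter_chains(listeners_json):
    """Map each listener name to the ordered HTTP filter names in its HCM."""
    result = {}
    for lst in json.loads(listeners_json):
        for chain in _get(lst, "filterChains", "filter_chains"):
            for f in chain.get("filters", []):
                if f.get("name") not in HCM_NAMES:
                    continue
                cfg = f.get("typedConfig") or f.get("typed_config") or {}
                names = [hf["name"] for hf in _get(cfg, "httpFilters", "http_filters")]
                result[lst["name"]] = names
    return result


def check_order(filters, expected):
    """True only if every name in `expected` is present, in that relative order.
    Missing ext_authz, or ext_authz after envoy.router, means requests are
    not being authorized, so this is the condition worth alerting on."""
    try:
        positions = [filters.index(name) for name in expected]
    except ValueError:
        return False
    return positions == sorted(positions)
```

Pipe the real istioctl output into `http_filter_chains` and run `check_order` with `["envoy.lua", "envoy.ext_authz", "envoy.router"]` after each EnvoyFilter change.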