Correct config for EnvoyFilter ext.authz

Hello,
I’m a newbie Istio user and I’m trying to update my current Lua and ext_authz EnvoyFilter specs to use the structure suggested in the docs, replacing the filters section with the configPatches section, which I’m using to authenticate each request coming into my cluster. I’m using Istio 1.5.1 and I couldn’t make it work; could you help me understand what I’m doing wrong? Also, I wanted to understand: will the filters section be deprecated?

Here is my “old” spec, which I had been using since Istio 1.2:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authserver-security-by-default
  namespace: istio-system
spec:
  filters:
    - listenerMatch:
        listenerType: GATEWAY
        listenerProtocol: HTTP
      filterName: envoy.lua
      insertPosition:
        index: FIRST
      filterType: HTTP
      filterConfig:
        inlineCode: |
          function envoy_on_response(response_handle)
            if not response_handle:headers():get("Strict-Transport-Security") then
              response_handle:headers():add("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
            end
          end
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authserver
  namespace: istio-system
spec:
  filters:
  - listenerMatch:
      listenerType: GATEWAY
      listenerProtocol: HTTP
    filterName: envoy.ext_authz
    insertPosition:
      index: AFTER
      relativeTo: authserver-security-by-default
    filterType: HTTP
    filterConfig:
      http_service:
        server_uri:
          uri: "http://authserver.auth-server.svc.cluster.local:80"
          cluster: "outbound|80||authserver.auth-server.svc.cluster.local"
          timeout: "1s"
        authorization_response:
          allowed_upstream_headers:
            patterns:
              - exact: Client-Id
              - exact: User-Id
        authorization_request:
          allowed_headers:
            patterns:
              - exact: Authorization

And this is my failed attempt at a “new” spec with Istio 1.5.1:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authserver-security-by-default
  namespace: istio-system
spec:
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.lua
          # name: envoy.filters.http.lua
          typed_config:
            "@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
            inlineCode: |
              function envoy_on_response(response_handle)
                if not response_handle:headers():get("Strict-Transport-Security") then
                  response_handle:headers():add("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
                end
              end
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authserver
  namespace: istio-system
spec:
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
          # name: envoy.filters.http.ext_authz
          name: envoy.ext_authz
          typed_config:
            "@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
            http_service:
              server_uri:
                uri: "http://authserver.auth-server.svc.cluster.local:80"
                cluster: "outbound|80||authserver.auth-server.svc.cluster.local"
                timeout: "1s"
              authorization_response:
                allowed_upstream_headers:
                  patterns:
                    - exact: Client-Id
                    - exact: User-Id
              authorization_request:
                allowed_headers:
                  patterns:
                    - exact: Authorization

Besides, I realized that if I use SIDECAR_INBOUND, the EnvoyFilter is broken; it can’t start. Another question is about the filter chain: is it well configured? Where can I read about the order in that chain? My last question is about the name value for the filter, because the Envoy docs recommend using the ones that I left commented; could that be it?
Thank you so much!


I have a similar issue. I used to have an EnvoyFilter looking like this using Istio 1.16:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
spec:
  workloadLabels:
    istio: ingressgateway
  filters:
  - filterConfig:
      httpService:
        serverUri:
          uri: http://authservice.air.svc.cluster.local
          cluster: outbound|8080||authservice.air.svc.cluster.local
          failureModeAllow: false
          timeout: 10s
        authorizationRequest:
          allowedHeaders:
            patterns:
            - exact: "cookie"
            - exact: "X-Auth-Token"
        authorizationResponse:
          allowedUpstreamHeaders:
            patterns:
            - exact: "kubeflow-userid"
      statusOnError:
        code: GatewayTimeout
    filterName: envoy.ext_authz
    filterType: HTTP
    insertPosition:
      index: FIRST
    listenerMatch:
      portNumber: 443
      listenerType: GATEWAY

but I can’t figure out the right way to do it with Istio 1.5.1. This is what I came up with so far:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 443
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_FIRST
      value:
        name: envoy.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
          http_service:
            server_uri:
              uri: http://authservice.air.svc.cluster.local
              cluster: outbound|8080||authservice.air.svc.cluster.local
              timeout: 10s
            authorization_request:
              allowed_headers:
                patterns:
                - exact: "cookie"
                - exact: "X-Auth-Token"
            authorization_response:
              allowed_upstream_headers:
                patterns:
                - exact: "kubeflow-userid"
          failure_mode_allow: false
          status_on_error:
            code: GatewayTimeout

Thanks for the help!

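A structural check for the ext_authz configPatches shape that both posts above are trying to get right, as an added example (not code from the thread, nor from Istio or Envoy). It takes the EnvoyFilter as the dict that yaml.safe_load() would produce, so the sample below is constructed inline from the first post's spec, and it flags the three things that silently weaken the setup: a patch that is not guaranteed to land before envoy.router (the router filter is terminal, so a later ext_authz never runs), an explicit failure_mode_allow: true (fail open), and a failure-mode key nested under http_service as in the second post's old spec, where it is not read.

```python
# Constructed sample: the gateway ext_authz configPatch from this thread,
# written as the dict that yaml.safe_load() would produce (PyYAML not required).
ENVOY_FILTER = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "EnvoyFilter",
    "spec": {"configPatches": [{
        "applyTo": "HTTP_FILTER",
        "match": {"context": "GATEWAY", "listener": {"filterChain": {"filter": {
            "name": "envoy.http_connection_manager",
            "subFilter": {"name": "envoy.router"}}}}},
        "patch": {"operation": "INSERT_BEFORE", "value": {
            "name": "envoy.ext_authz",
            "typed_config": {
                "@type": "type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz",
                "http_service": {"server_uri": {
                    "uri": "http://authserver.auth-server.svc.cluster.local:80",
                    "cluster": "outbound|80||authserver.auth-server.svc.cluster.local",
                    "timeout": "1s"}}}}}}]}}

EXT_AUTHZ_NAMES = ("envoy.ext_authz", "envoy.filters.http.ext_authz")


def lint_ext_authz(ef):
    """Return a list of findings for every ext_authz patch; empty means it looks sound."""
    findings = []
    for i, cp in enumerate(ef.get("spec", {}).get("configPatches", [])):
        value = cp.get("patch", {}).get("value", {})
        if value.get("name") not in EXT_AUTHZ_NAMES:
            continue  # other patches (e.g. the Lua filter) are not checked here
        tag = f"configPatches[{i}]"
        if cp.get("applyTo") != "HTTP_FILTER":
            findings.append(f"{tag}: ext_authz must be applied as HTTP_FILTER")
        op = cp.get("patch", {}).get("operation")
        sub = (cp.get("match", {}).get("listener", {}).get("filterChain", {})
               .get("filter", {}).get("subFilter", {}).get("name"))
        # envoy.router is terminal: an ext_authz filter placed after it never runs.
        if not (op == "INSERT_FIRST" or (op == "INSERT_BEFORE" and sub == "envoy.router")):
            findings.append(f"{tag}: ext_authz is not guaranteed to run before envoy.router")
        tc = value.get("typed_config", {})
        if not str(tc.get("@type", "")).endswith(".ExtAuthz"):
            findings.append(f"{tag}: typed_config lacks the ExtAuthz @type")
        if tc.get("failure_mode_allow") is True:
            findings.append(f"{tag}: failure_mode_allow=true fails open when the auth server is down")
        su = tc.get("http_service", {}).get("server_uri", {})
        for key in ("uri", "cluster", "timeout"):
            if key not in su:
                findings.append(f"{tag}: http_service.server_uri is missing '{key}'")
        if any(k in su for k in ("failure_mode_allow", "failureModeAllow")):
            findings.append(f"{tag}: failure mode key nested under http_service; move it to typed_config")
    return findings
```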

Did you find a solution for this?
