Envoy.ext_authz filter config for Istio 1.1.3


I used 1.0.2 previously, without mutual auth. I was using the following envoy.ext_authz configuration in the sidecars:

      stat_prefix: ext_authz
      target_uri: simple-auth-svc:8080
    timeout: 10s
filterName: envoy.ext_authz
filterType: HTTP
  index: FIRST
  listenerProtocol: HTTP
  listenerType: SIDECAR_INBOUND

However this does not seem to work with Istio 1.1.3 and its failing silently. If I remove the filter, it works as expected.
Has anyone tried the same with Istio 1.1.3? If so, please do share the envoy.ext_authz filter configuration.


Istio just passes the config directly to Envoy, so I wouldn’t expect Pilot to generate any kind of error around this. However, the version of Envoy got bumped with the update to Istio 1.1, so it’s possible the filter config is being rejected. Have you checked the logs of the Istio Proxy?

One other thing to note is that the gRPC service name that Envoy uses for External Auth got rev’d in the new version. It was called envoy.service.auth.v2alpha and is now called envoy.service.auth.v2 — worth checking what your auth service is expecting.

1 Like

Thanks @spikecurtis.

I checked the logs of the istio proxy, and could note there is one critical log [1]. Not sure if its related though. Not sure if this is relevant.

However regarding the gRPC service name, the auth service is using envoy.service.auth.v2alpha, hence that could be a problem. Will update it to envoy.service.auth.v2 and re-check.

[1]. [2019-04-23 08:59:41.867][54][critical][main] [external/envoy/source/server/server.cc:90] error initializing configuration ‘/etc/istio/proxy/envoy.yaml’: Invalid path: /etc/certs/cert-chain.pem
Invalid path: /etc/certs/cert-chain.pem