Envoy.ext_authz filter config for Istio 1.1.3

I used 1.0.2 previously, without mutual auth. I was using the following envoy.ext_authz configuration in the sidecars:

filterConfig:
  grpc_service:
    google_grpc:
      stat_prefix: ext_authz
      target_uri: simple-auth-svc:8080
    timeout: 10s
filterName: envoy.ext_authz
filterType: HTTP
insertPosition:
  index: FIRST
listenerMatch:
  listenerProtocol: HTTP
  listenerType: SIDECAR_INBOUND

However, this does not seem to work with Istio 1.1.3, and it's failing silently. If I remove the filter, it works as expected.
Has anyone tried the same with Istio 1.1.3? If so, please do share the envoy.ext_authz filter configuration.

Istio just passes the config directly to Envoy, so I wouldn’t expect Pilot to generate any kind of error around this. However, the version of Envoy got bumped with the update to Istio 1.1, so it’s possible the filter config is being rejected. Have you checked the logs of the Istio Proxy?

One other thing to note is that the gRPC service name that Envoy uses for External Auth got rev’d in the new version. It was called envoy.service.auth.v2alpha and is now called envoy.service.auth.v2 — worth checking what your auth service is expecting.

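A concrete way to act on the "check the proxy" advice above, as an added example that is not part of the thread: the script below reads an Envoy admin config_dump (what `curl -s localhost:15000/config_dump` returns inside the istio-proxy container) and reports, per HTTP listener, whether the ext_authz filter was actually loaded, which gRPC target and timeout it carries, whether it runs before the router filter, and whether it fails open. The JSON document embedded here is a constructed, trimmed excerpt in the shape of an Envoy 1.9-era dump (filter `config` structs; newer dumps use `typed_config`, which the walker also accepts), and the listener and service names are made up.

```python
"""Audit an Envoy config_dump for the ext_authz HTTP filter.

Added example, not code from the thread. Assumes the JSON served by
Envoy's admin endpoint (GET /config_dump). Only the standard library is
used; the sample dump below is constructed and trimmed to the fields
this check reads.
"""
import json

EXT_AUTHZ = "envoy.ext_authz"
HCM = "envoy.http_connection_manager"

# Constructed, abbreviated config_dump: the listener on :8080 carries the
# filter, the listener on :9090 does not (hypothetical addresses).
SAMPLE_CONFIG_DUMP = json.dumps({
    "configs": [{
        "@type": "type.googleapis.com/envoy.admin.v2alpha.ListenersConfigDump",
        "dynamic_active_listeners": [
            {"listener": {
                "name": "10.0.0.5_8080",
                "filter_chains": [{"filters": [{
                    "name": HCM,
                    "config": {"http_filters": [
                        {"name": EXT_AUTHZ, "config": {
                            "grpc_service": {
                                "google_grpc": {"target_uri": "simple-auth-svc:8080",
                                                "stat_prefix": "ext_authz"},
                                "timeout": "10s"}}},
                        {"name": "envoy.router"}]}}]}]}},
            {"listener": {
                "name": "10.0.0.5_9090",
                "filter_chains": [{"filters": [{
                    "name": HCM,
                    "config": {"http_filters": [{"name": "envoy.router"}]}}]}]}},
        ],
    }]
})


def _filter_config(f):
    # Envoy 1.9-era dumps use "config"; newer ones use "typed_config".
    return f.get("config") or f.get("typed_config") or {}


def audit_ext_authz(config_dump_json: str) -> dict:
    """Return {listener_name: finding} for every HTTP listener in the dump.

    A finding is None when the filter is absent, otherwise a dict with the
    gRPC target, the timeout, whether it runs before envoy.router, and
    failure_mode_allow (True means requests pass when the auth service
    cannot be reached).
    """
    dump = json.loads(config_dump_json)
    results = {}
    for section in dump.get("configs", []):
        if not section.get("@type", "").endswith("ListenersConfigDump"):
            continue
        entries = (section.get("dynamic_active_listeners", [])
                   + section.get("static_listeners", []))
        for entry in entries:
            listener = entry.get("listener", {})
            for chain in listener.get("filter_chains", []):
                for net_filter in chain.get("filters", []):
                    if net_filter.get("name") != HCM:
                        continue
                    http_filters = _filter_config(net_filter).get("http_filters", [])
                    names = [hf.get("name") for hf in http_filters]
                    results[listener["name"]] = None
                    if EXT_AUTHZ not in names:
                        continue
                    cfg = _filter_config(http_filters[names.index(EXT_AUTHZ)])
                    grpc = cfg.get("grpc_service", {})
                    results[listener["name"]] = {
                        "target_uri": (grpc.get("google_grpc", {}).get("target_uri")
                                       or grpc.get("envoy_grpc", {}).get("cluster_name")),
                        "timeout": grpc.get("timeout"),
                        "before_router": ("envoy.router" not in names
                                          or names.index(EXT_AUTHZ) < names.index("envoy.router")),
                        "failure_mode_allow": bool(cfg.get("failure_mode_allow", False)),
                    }
    return results


def unprotected_listeners(config_dump_json: str) -> list:
    """Names of HTTP listeners where ext_authz is missing or fails open."""
    return sorted(name for name, f in audit_ext_authz(config_dump_json).items()
                  if f is None or f["failure_mode_allow"])


if __name__ == "__main__":
    for name, finding in audit_ext_authz(SAMPLE_CONFIG_DUMP).items():
        print(name, "->", finding or "NO ext_authz filter")
```

Run it against a real dump by replacing `SAMPLE_CONFIG_DUMP` with the file contents; an inbound listener that shows up as `None` is one where the filter never made it into Envoy, which is exactly the "fails silently" situation, since requests to that listener are then served without an authorization check.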

Thanks @spikecurtis.

I checked the logs of the istio proxy, and could note there is one critical log [1]. Not sure if it's related though. Not sure if this is relevant.

However regarding the gRPC service name, the auth service is using envoy.service.auth.v2alpha, hence that could be a problem. Will update it to envoy.service.auth.v2 and re-check.

[1]. [2019-04-23 08:59:41.867][54][critical][main] [external/envoy/source/server/server.cc:90] error initializing configuration '/etc/istio/proxy/envoy.yaml': Invalid path: /etc/certs/cert-chain.pem
Invalid path: /etc/certs/cert-chain.pem

Facing the same issue with version 1.0.5.
The filter is not getting called / not forwarding calls to the given URI.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz
  namespace: istio-system
spec:
  workloadLabels:
    app: dep-security-dev02
  filters:
    - insertPosition:
        index: FIRST
      listenerMatch:
        portNumber: 443
        listenerType: SIDECAR_INBOUND
        listenerProtocol: HTTP
      filterType: HTTP
      filterName: "envoy.ext_authz"
      filterConfig:
        grpc_service:
          google_grpc:
            target_uri: 127.0.0.1:9191
            stat_prefix: "ext_authz"
    - insertPosition:
        index: FIRST
      listenerMatch:
        portNumber: 443
        listenerType: SIDECAR_INBOUND
        listenerProtocol: TCP
      filterType: NETWORK
      filterName: "envoy.ext_authz"
      filterConfig:
        grpc_service:
          google_grpc:
            target_uri: 127.0.0.1:9191
            stat_prefix: "ext_authz"

I just ran across this topic. I'm not sure if the poster ever resolved their issue, but for anyone else looking, the EnvoyFilter format changed in Istio 1.1.3.

Here is a working example:

---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz-grpc
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          portNumber: 443
      patch:
        operation: INSERT_BEFORE
        value:
          name: "envoy.ext_authz"
          config:
            grpc_service:
              google_grpc:
                target_uri: "<your_uri_here>"
                stat_prefix: "ext_authz"
              timeout: 5.000s
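Since both EnvoyFilter layouts in this thread (the `spec.filters[]` form with `filterName`/`filterConfig`/`listenerMatch`, and the `spec.configPatches[]` form in the working example above) nest the same `grpc_service` block, a small linter can catch the mistakes that make the filter fail silently before the manifest is applied. The following is an added example, not code from the thread or from Istio. It takes the EnvoyFilter as an already-parsed dict (what `yaml.safe_load` returns) so it needs only the standard library; the two sample filters are constructed, and the service address in them is hypothetical.

```python
"""Lint an Istio EnvoyFilter for common envoy.ext_authz mistakes.

Added example, not code from the thread. Understands the 1.0-era
spec.filters[] layout and the spec.configPatches[] layout. Input is the
parsed manifest (a dict); only the standard library is used.
"""


def _ext_authz_configs(envoy_filter: dict):
    """Yield (location, ext_authz config dict) for each ext_authz entry."""
    spec = envoy_filter.get("spec", {})
    for i, f in enumerate(spec.get("filters", [])):            # 1.0-style
        if f.get("filterName") == "envoy.ext_authz":
            yield f"spec.filters[{i}]", f.get("filterConfig") or {}
    for i, p in enumerate(spec.get("configPatches", [])):      # configPatches style
        value = p.get("patch", {}).get("value", {})
        if value.get("name") == "envoy.ext_authz":
            yield (f"spec.configPatches[{i}]",
                   value.get("config") or value.get("typed_config") or {})


def lint_ext_authz(envoy_filter: dict) -> list:
    """Return human-readable problems; an empty list means nothing was found."""
    problems = []
    entries = list(_ext_authz_configs(envoy_filter))
    if not entries:
        problems.append("no envoy.ext_authz filter in spec.filters or spec.configPatches")
    for where, cfg in entries:
        grpc = cfg.get("grpc_service")
        if not isinstance(grpc, dict):
            problems.append(f"{where}: grpc_service is missing; Envoy has nothing to call")
            continue
        google = grpc.get("google_grpc", {})
        envoy_grpc = grpc.get("envoy_grpc", {})
        target = google.get("target_uri") or envoy_grpc.get("cluster_name")
        if not target:
            problems.append(f"{where}: neither google_grpc.target_uri nor envoy_grpc.cluster_name is set")
        elif str(target).startswith("<") and str(target).endswith(">"):
            problems.append(f"{where}: target_uri is still the placeholder {target}")
        if "timeout" in google:
            problems.append(f"{where}: timeout is not a google_grpc field; move it under grpc_service")
        if "timeout" not in grpc:
            problems.append(f"{where}: no grpc_service.timeout; a slow auth backend will stall requests")
        if cfg.get("failure_mode_allow"):
            problems.append(f"{where}: failure_mode_allow is true; requests pass when the auth service is down")
    return problems


# Constructed samples: one mirroring the working configPatches layout,
# one in the 1.0 layout with the timeout misplaced and the target unfilled.
GOOD_FILTER = {
    "apiVersion": "networking.istio.io/v1alpha3", "kind": "EnvoyFilter",
    "metadata": {"name": "ext-authz-grpc"},
    "spec": {
        "workloadSelector": {"labels": {"app": "istio-ingressgateway"}},
        "configPatches": [{
            "applyTo": "HTTP_FILTER",
            "match": {"context": "GATEWAY", "listener": {"portNumber": 443}},
            "patch": {"operation": "INSERT_BEFORE", "value": {
                "name": "envoy.ext_authz",
                "config": {"grpc_service": {
                    "google_grpc": {"target_uri": "auth.example.svc:9191",   # hypothetical
                                    "stat_prefix": "ext_authz"},
                    "timeout": "5.000s"}}}}}]}}

BAD_FILTER = {
    "apiVersion": "networking.istio.io/v1alpha3", "kind": "EnvoyFilter",
    "metadata": {"name": "ext-authz"},
    "spec": {
        "workloadLabels": {"app": "dep-security-dev02"},
        "filters": [{
            "insertPosition": {"index": "FIRST"},
            "listenerMatch": {"portNumber": 443, "listenerType": "SIDECAR_INBOUND",
                              "listenerProtocol": "HTTP"},
            "filterType": "HTTP",
            "filterName": "envoy.ext_authz",
            "filterConfig": {"grpc_service": {
                "google_grpc": {"target_uri": "<your_uri_here>",
                                "stat_prefix": "ext_authz",
                                "timeout": "10s"}}}}]}}

if __name__ == "__main__":
    for label, manifest in (("good", GOOD_FILTER), ("bad", BAD_FILTER)):
        print(label, lint_ext_authz(manifest) or "OK")
```

To lint a manifest from disk, load it with `yaml.safe_load(open(path))` and pass the result to `lint_ext_authz`; the checks deliberately stop at the fields every ext_authz variant shares, so a clean result means the manifest is well-formed for this filter, not that the surrounding listener match is right for your workload.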