I am using Istio 1.0.3 as GKE managed. I am adding an envoy filter to do external authorization as per documentation mentioned in https://istio.io/docs/reference/config/networking/v1alpha3/envoy-filter/ and https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/http/ext_authz/v2/ext_authz.proto#external-authorization
Based on logs, I see that the filter is being applied and the HTTP call is happening to the external authorization service I created. But, it’s not passing the headers I mentioned in the envoyfilter. Maybe I am setting it right? Can someone look into it and help by correcting the envoyfilter syntax?
Here’s my filter config:
kind: EnvoyFilter
metadata:
  name: test-auth-service-filter
spec:
  workloadLabels:
    app: test-service
  filters:
  - insertPosition:
      index: FIRST
    listenerMatch:
      listenerType: ANY
      listenerProtocol: ALL
    filterType: HTTP
    filterName: "envoy.ext_authz"
    filterConfig:
      http_service:
        server_uri:
          uri: http://test-auth-service.default.svc.cluster.local:80
          cluster: outbound|80||test-auth-service.default.svc.cluster.local
          timeout: 5s
        path_prefix: /api/testAuthService/jwt/authenticate
        authorization_request:
          allowed_headers: [ x-goog-authenticated-user-email X-TST-AUTH-TOKEN set-cookie cookie ]
      failure_mode_allow: false