Envoy filter not allowing headers in Istio?

#1

I am using Istio 1.0.3 as GKE managed. I am adding an envoy filter to do external authorization as per documentation mentioned in https://istio.io/docs/reference/config/networking/v1alpha3/envoy-filter/
and https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/http/ext_authz/v2/ext_authz.proto#external-authorization

Based on logs, I see that the filter is being applied and the HTTP call is happening to the external authorization service I created. But, it’s not passing the headers I mentioned in the envoyfilter. Maybe I am setting it right? Can someone look into it and help by correcting the envoyfilter syntax?

Here’s my filter config:

kind: EnvoyFilter
metadata:
  name: test-auth-service-filter
spec:
  workloadLabels:
    app: test-service
  filters:
  - insertPosition:
      index: FIRST
    listenerMatch:
      listenerType: ANY
      listenerProtocol: ALL
    filterType: HTTP
    filterName: "envoy.ext_authz"
    filterConfig:
      http_service:
        server_uri:
          uri: http://test-auth-service.default.svc.cluster.local:80
          cluster: outbound|80||test-auth-service.default.svc.cluster.local
          timeout: 5s
        path_prefix: /api/testAuthService/jwt/authenticate
        authorization_request:
          allowed_headers: [ x-goog-authenticated-user-email X-TST-AUTH-TOKEN set-cookie cookie ]
      failure_mode_allow: false