Envoy filter - per_filter_config

Hi,

I try to reach via istio version 1.3.3 a situation when my service let’s say XYZ will be ignored by external authorization service configured by envoy filter too (ExtAuthz). I saw API for envoy filters has changed and I should be able to add this property for route (ExtAuthzPerRoute) but probably I did something wrong and it doesn’t work as I expect. In envoy documentation, they present a way how to add this in envoy config Per-Route Configuration. I prepared following yaml to configure this property for my app but I get an error like json: cannot unmarshal string into Go value of type map[string]json.RawMessage. My yaml looks like this:

`apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: bypass-auth
namespace: default
spec:
configPatches:

  • applyTo: ROUTE_CONFIGURATION # http connection manager is a filter in Envoy
    match:
    context: ANY
    routeConfiguration:
    portNumber: 8080
    name: xyz-app
    vhost:
    name: xyz-svc:8080
    route: “/”
    patch:
    operation: MERGE
    value:
    per_filter_config:
    envoy.ext_authz:
    disabled: true`

What’s more I/m not sure what is correct to use as a type ROUTE_CONFIGURATION or VIRTUAL_HOST as an applyTo type.

Looks like applying this yaml file fails due to this error json: cannot unmarshal string into Go value of type map[string]json.RawMessage
Since this is using networking API, @lambdai could you take a look or help to triage this issue?
@mgwizdz please feel free to post the question in networking category.

@mgwizdz yaml is indent sensitive. Could you format your config patch? Otherwise it’s hard to tell if there is problem in your config.

What’s more, you are adding per route config so I believe you should apply to HTTP_ROUTE instead of ROUTE_CONFIGURATION and VIRTUAL_HOST

Hey, sorry for mess but generally I created few version so here you go:

ver 1:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-bypass
  namespace: default
spec:
  configPatches:
  - applyTo: ROUTE_CONFIGURATION # http connection manager is a filter in Envoy
    match:
      context: ANY
      routeConfiguration:
        vhost:
          name: login-svc:8080
          route: "/"
    patch:
      operation: MERGE
      value:
        per_filter_config:
          envoy.ext_authz:
            disabled: true

ver 2:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: bypass-filter
  namespace: default
spec:
  configPatches:
    # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: VIRTUAL_HOST
    match:
      routeConfiguration:
        vhost:
          name: smb-login-svc:8080
          route: "/"
  patch:
      operation: MERGE
      value:
        per_filter_config:
          envoy.ext_authz:
            disabled: true

Having issues with excluding per route validation by ext authz, the question is - is it possible to have
kind: EnvoyFilter

Without filters describe only for patching? When i’m trying to apply examples above i got an error pointing on the fact that the “filters” should be there.

Will be interested in the solution addressing for the original problem reported

Hi,

I modified a little bit my yaml and it looks like it deploys correctly but still, this filter property is not added into envoy configuration. Do you have any ideas about what I should change there?

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: by-pass
spec:
  configPatches:
  - applyTo: HTTP_ROUTE
    match:
      context: GATEWAY
      routeConfiguration:
        portNumber: 443
        vhost:
          name: "*:443"
    patch:
      operation: MERGE
      value:
          per_filter_config:
            envoy.ext_authz:
              disabled: true

lambdai, have you tried your configuration? for me it is not being applied correctly on istio version 1.4.6

This is my configuration, it is working for me.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        # context: SIDECAR_INBOUND
        listener: 
          filterChain:
            sni: api.httpbin.com
            filter:
              name: "envoy.http_connection_manager"
              # subFilter:
              #   name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.ext_authz #FILTER NAME
          config:
            status_on_error:
              code: 503
            failure_mode_allow: false
            http_service:
              path_prefix: /decisions
              server_uri:
                uri: https://oathkeeper.com
                cluster: outbound|443||oathkeeper.com
                timeout: 10s
              authorizationRequest:
                allowedHeaders:
                  patterns:
                  - exact: "authorization"
                  - exact: "cookie"
                  - exact: "content-type"
                  - exact: "access-control-allow-origin"
                  - exact: "origin"
                  - exact: "x-envoy-external-address"
                  - exact: "x-forwarded-for"
                  - exact: "proxy-authorization"
                  - exact: "user-agent"
                  - exact: "x-forwarded-host"
                  - exact: "x-forwarded-proto"
                  - exact: "x-requested-with"
              authorizationResponse:
                allowed_upstream_headers:
                  patterns:
                  - exact: "authorization"
                  - exact: "cookie"
                  - exact: "x-forwarded-for"
                  - exact: "user-agent"
                  - exact: "vary"
                  - exact: "origin"
                  - exact: "content-type"
                  - exact: "access-control-allow-credentials"
                  - exact: "access-control-allow-origin"
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: bypass-ext-authz
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
    - applyTo: HTTP_ROUTE
      match:
        routeConfiguration:
          vhost:
            name: api.httpbin.com:443
            route:
              name: rewrite-api-http-route #from virtual service http route name
      patch:
        operation: MERGE
        value:
          typed_per_filter_config:
            envoy.filters.http.ext_authz:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
              disabled: true
1 Like