Envoy filter - per_filter_config

Hi,

I am trying, with Istio version 1.3.3, to reach a situation where my service, let's say XYZ, is ignored by the external authorization service, which is also configured by an Envoy filter (ExtAuthz). I saw that the API for Envoy filters has changed and I should be able to add this property for a route (ExtAuthzPerRoute), but I probably did something wrong and it doesn't work as I expect. The Envoy documentation presents a way to add this in the Envoy config (Per-Route Configuration). I prepared the following YAML to configure this property for my app, but I get an error like `json: cannot unmarshal string into Go value of type map[string]json.RawMessage`. My YAML looks like this:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: bypass-auth
namespace: default
spec:
configPatches:

  - applyTo: ROUTE_CONFIGURATION # http connection manager is a filter in Envoy
    match:
    context: ANY
    routeConfiguration:
    portNumber: 8080
    name: xyz-app
    vhost:
    name: xyz-svc:8080
    route: "/"
    patch:
    operation: MERGE
    value:
    per_filter_config:
    envoy.ext_authz:
    disabled: true
```

What's more, I'm not sure which is correct to use as the applyTo type: ROUTE_CONFIGURATION or VIRTUAL_HOST.

Looks like applying this YAML file fails due to this error: `json: cannot unmarshal string into Go value of type map[string]json.RawMessage`
Since this is using networking API, @lambdai could you take a look or help to triage this issue?
@mgwizdz please feel free to post the question in networking category.

@mgwizdz YAML is indentation-sensitive. Could you format your config patch? Otherwise it's hard to tell if there is a problem in your config.

What’s more, you are adding per route config so I believe you should apply to HTTP_ROUTE instead of ROUTE_CONFIGURATION and VIRTUAL_HOST

Hey, sorry for the mess, but I created a few versions, so here you go:

ver 1:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-bypass
  namespace: default
spec:
  configPatches:
  - applyTo: ROUTE_CONFIGURATION # http connection manager is a filter in Envoy
    match:
      context: ANY
      routeConfiguration:
        vhost:
          name: login-svc:8080
          route: "/"
    patch:
      operation: MERGE
      value:
        per_filter_config:
          envoy.ext_authz:
            disabled: true
```

ver 2:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: bypass-filter
  namespace: default
spec:
  configPatches:
    # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: VIRTUAL_HOST
    match:
      routeConfiguration:
        vhost:
          name: smb-login-svc:8080
          route: "/"
    patch:
      operation: MERGE
      value:
        per_filter_config:
          envoy.ext_authz:
            disabled: true
```

I'm having issues with excluding per-route validation by ext authz. The question is: is it possible to have `kind: EnvoyFilter` without filters, described only for patching? When I try to apply the examples above, I get an error pointing to the fact that the "filters" should be there.

I would be interested in a solution addressing the original problem reported.
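
A possible shape for the patch discussed in this thread, as an added example that is not from any participant or from the Istio project: it applies to HTTP_ROUTE as suggested above and writes `route` as an object rather than a string, since a bare string where a message is expected is consistent with the unmarshal error quoted in the first post. The `action: ANY` route match and the reuse of the `xyz-svc:8080` vhost name are assumptions.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: bypass-auth
  namespace: default
spec:
  configPatches:
  - applyTo: HTTP_ROUTE            # per-route setting, so patch the route object itself
    match:
      context: ANY                 # as in the thread; narrow this if only one proxy type needs it
      routeConfiguration:
        vhost:
          name: xyz-svc:8080       # vhost name taken from the first post
          route:                   # a RouteMatch object (name / action), not a path string
            action: ANY            # assumption: match every route in this vhost
    patch:
      operation: MERGE
      value:
        per_filter_config:
          envoy.ext_authz:
            disabled: true         # ExtAuthzPerRoute: skip the ext_authz filter on matched routes
```

Every route that matches this patch skips the external authorization check, so keep the vhost and route match as narrow as the service allows and confirm the result with `istioctl proxy-config routes <pod> -o json`.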