Envoy filter - per_filter_config

Hi,

I am trying, with Istio version 1.3.3, to reach a situation where my service, let's say XYZ, is ignored by the external authorization service (ExtAuthz), which is also configured via an EnvoyFilter. I saw that the API for Envoy filters has changed and that I should be able to add this property for a route (ExtAuthzPerRoute), but I probably did something wrong, because it doesn't work as I expect. In the Envoy documentation they present a way to add this in the Envoy config (Per-Route Configuration). I prepared the following YAML to configure this property for my app, but I get an error like `json: cannot unmarshal string into Go value of type map[string]json.RawMessage`. My YAML looks like this:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: bypass-auth
  namespace: default
spec:
  configPatches:
  - applyTo: ROUTE_CONFIGURATION # http connection manager is a filter in Envoy
    match:
      context: ANY
      routeConfiguration:
        portNumber: 8080
        name: xyz-app
        vhost:
          name: xyz-svc:8080
          route: "/"
    patch:
      operation: MERGE
      value:
        per_filter_config:
          envoy.ext_authz:
            disabled: true
```

What's more, I'm not sure which applyTo type is correct to use here, ROUTE_CONFIGURATION or VIRTUAL_HOST.

Looks like applying this YAML file fails due to this error: `json: cannot unmarshal string into Go value of type map[string]json.RawMessage`.
Since this is using networking API, @lambdai could you take a look or help to triage this issue?
@mgwizdz please feel free to post the question in networking category.

@mgwizdz YAML is indent sensitive. Could you format your config patch? Otherwise it's hard to tell if there is a problem in your config.

What's more, you are adding per-route config, so I believe you should apply to HTTP_ROUTE instead of ROUTE_CONFIGURATION or VIRTUAL_HOST.

Hey, sorry for the mess, but I created a few versions, so here you go:

ver 1:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-bypass
  namespace: default
spec:
  configPatches:
  - applyTo: ROUTE_CONFIGURATION # http connection manager is a filter in Envoy
    match:
      context: ANY
      routeConfiguration:
        vhost:
          name: login-svc:8080
          route: "/"
    patch:
      operation: MERGE
      value:
        per_filter_config:
          envoy.ext_authz:
            disabled: true
```

ver 2:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: bypass-filter
  namespace: default
spec:
  configPatches:
    # This patch merges a per_filter_config entry into the matched virtual host
  - applyTo: VIRTUAL_HOST
    match:
      routeConfiguration:
        vhost:
          name: smb-login-svc:8080
          route: "/"
    patch:
      operation: MERGE
      value:
        per_filter_config:
          envoy.ext_authz:
            disabled: true
```

Having issues with excluding per-route validation by ext authz, the question is: is it possible to have `kind: EnvoyFilter` without `filters`, described only for patching? When I'm trying to apply the examples above I get an error pointing to the fact that the "filters" should be there.

I will be interested in the solution addressing the original problem reported.

Hi,

I modified my YAML a little bit and it looks like it deploys correctly, but still this filter property is not added into the Envoy configuration. Do you have any ideas about what I should change there?

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: by-pass
spec:
  configPatches:
  - applyTo: HTTP_ROUTE
    match:
      context: GATEWAY
      routeConfiguration:
        portNumber: 443
        vhost:
          name: "*:443"
    patch:
      operation: MERGE
      value:
        per_filter_config:
          envoy.ext_authz:
            disabled: true
```

lambdai, have you tried your configuration? For me it is not being applied correctly on Istio version 1.4.6.

This is my configuration, it is working for me.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        # context: SIDECAR_INBOUND
        listener:
          filterChain:
            sni: api.httpbin.com
            filter:
              name: "envoy.http_connection_manager"
              # subFilter:
              #   name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.ext_authz # FILTER NAME
          config:
            status_on_error:
              code: 503
            failure_mode_allow: false
            http_service:
              path_prefix: /decisions
              server_uri:
                uri: https://oathkeeper.com
                cluster: outbound|443||oathkeeper.com
                timeout: 10s
              authorizationRequest:
                allowedHeaders:
                  patterns:
                  - exact: "authorization"
                  - exact: "cookie"
                  - exact: "content-type"
                  - exact: "access-control-allow-origin"
                  - exact: "origin"
                  - exact: "x-envoy-external-address"
                  - exact: "x-forwarded-for"
                  - exact: "proxy-authorization"
                  - exact: "user-agent"
                  - exact: "x-forwarded-host"
                  - exact: "x-forwarded-proto"
                  - exact: "x-requested-with"
              authorizationResponse:
                allowed_upstream_headers:
                  patterns:
                  - exact: "authorization"
                  - exact: "cookie"
                  - exact: "x-forwarded-for"
                  - exact: "user-agent"
                  - exact: "vary"
                  - exact: "origin"
                  - exact: "content-type"
                  - exact: "access-control-allow-credentials"
                  - exact: "access-control-allow-origin"
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: bypass-ext-authz
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
    - applyTo: HTTP_ROUTE
      match:
        routeConfiguration:
          vhost:
            name: api.httpbin.com:443
            route:
              name: rewrite-api-http-route # from the VirtualService http route name
      patch:
        operation: MERGE
        value:
          typed_per_filter_config:
            envoy.filters.http.ext_authz:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
              disabled: true
```
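As an added example (not from anyone in this thread), a small Python linter that checks an EnvoyFilter document for the three pitfalls discussed above and lists every route on which ext_authz ends up disabled, so the scope of an auth bypass is visible at review time. It takes the dict that `yaml.safe_load()` returns; the two embedded inputs are constructed from the "ver 1" patch and the final working patch.

```python
# Lints Istio EnvoyFilter patches that disable envoy.ext_authz per route (pitfalls from this thread):
#  1. per-route config must use applyTo: HTTP_ROUTE (not ROUTE_CONFIGURATION / VIRTUAL_HOST)
#  2. match.routeConfiguration.vhost.route is a message ({name: ...}), never a bare string
#  3. per_filter_config is the deprecated untyped form; typed_per_filter_config entries need "@type"
# It also lists every route on which ext_authz is disabled, so the bypass scope is visible at review.
# Input is the dict that yaml.safe_load() returns for one EnvoyFilter document.
EXT_AUTHZ_KEYS = ("envoy.ext_authz", "envoy.filters.http.ext_authz")
PER_ROUTE_TYPE = "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute"


def lint_envoyfilter(doc):
    """Return "LEVEL: message" strings (ERROR/WARN/INFO) for each configPatch."""
    findings = []
    for i, p in enumerate(doc.get("spec", {}).get("configPatches", [])):
        where = f"configPatches[{i}]"
        value = p.get("patch", {}).get("value") or {}
        untyped = value.get("per_filter_config")
        typed = value.get("typed_per_filter_config")
        if untyped is None and typed is None:
            continue  # not a per-route patch, nothing to check
        if p.get("applyTo") != "HTTP_ROUTE":
            findings.append(f"ERROR: {where}: per-route config needs applyTo: HTTP_ROUTE, got {p.get('applyTo')}")
        vhost = p.get("match", {}).get("routeConfiguration", {}).get("vhost") or {}
        route = vhost.get("route")
        if route is not None and not isinstance(route, dict):
            findings.append(f"ERROR: {where}: vhost.route must be a map like {{name: <route name>}}, not {route!r} "
                            "(Istio rejects it with 'cannot unmarshal string into ... map')")
        if untyped is not None:
            findings.append(f"WARN: {where}: per_filter_config is deprecated, use typed_per_filter_config with @type")
        for key, cfg in (typed or {}).items():
            if cfg.get("@type") != PER_ROUTE_TYPE:
                findings.append(f"ERROR: {where}: {key} entry needs @type {PER_ROUTE_TYPE}")
        for key, cfg in {**(untyped or {}), **(typed or {})}.items():
            if key in EXT_AUTHZ_KEYS and cfg.get("disabled") is True:
                rname = route.get("name", "<any route>") if isinstance(route, dict) else route
                findings.append(f"INFO: {where}: ext_authz DISABLED for route {rname!r} in vhost {vhost.get('name', '<any>')!r}")
    return findings


# Constructed inputs mirroring the thread's "ver 1" patch and the final working patch.
VER1 = {"spec": {"configPatches": [{"applyTo": "ROUTE_CONFIGURATION",
    "match": {"routeConfiguration": {"vhost": {"name": "login-svc:8080", "route": "/"}}},
    "patch": {"operation": "MERGE", "value": {"per_filter_config": {"envoy.ext_authz": {"disabled": True}}}}}]}}
WORKING = {"spec": {"configPatches": [{"applyTo": "HTTP_ROUTE",
    "match": {"routeConfiguration": {"vhost": {"name": "api.httpbin.com:443", "route": {"name": "rewrite-api-http-route"}}}},
    "patch": {"operation": "MERGE", "value": {"typed_per_filter_config":
        {"envoy.filters.http.ext_authz": {"@type": PER_ROUTE_TYPE, "disabled": True}}}}}]}}

if __name__ == "__main__":
    for name, doc in (("ver 1", VER1), ("working", WORKING)):
        print(name, *lint_envoyfilter(doc), sep="\n  ")
```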