Envoy lua handler network issues

1

Hi all,

I’m using istio 1.5.1 on minikube.
minikube version: v1.9.0
commit: 48fefd43444d2f8852f527c78f0141b377b1e42a`
Kubernetes version is 1.18.0

I need to validate jwt tokens using custom service providing public key as a field of json payload. To do it I added an EnvoyFilter as following

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: reviews-lua
  namespace: default
spec:
  workloadLabels:
    app: reviews
  filters:
  - listenerMatch:
      portNumber: 9080
      listenerType: SIDECAR_INBOUND
      listenerProtocol: HTTP
    filterName: envoy.lua
    filterType: HTTP
    filterConfig:
      inlineCode: |
        function envoy_on_request(request_handle)
          request_handle:logWarn("Start")
          local sso_request = {
            [":method"] = "GET",
            [":path"] = "/PATHTOENDPOINT",
            [":authority"] = "MYHOSTNAME",
            ["Authorization"] = "Basic AUTHORIZATIONKEY"
          }
          request_handle:logWarn("Request created")
          local response_headers, response_body = request_handle:httpCall(
                "outbound|443||MYHOSTNAME",
                sso_request,
                "",                            
                5000
          )
        end

I used an istio example and deployed as following

kubectl apply -f istio-1.5.1/samples/bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f istio-1.5.1/samples/bookinfo/networking/bookinfo-gateway.yaml
kubectl apply -f istio-1.5.1/samples/bookinfo/networking/destination-rule-all.yaml
kubectl apply -f istio-1.5.1/samples/bookinfo/networking/virtual-service-all-v1.yaml

To test my filter I open a web page via port 9080 and click on “Normal user” link.
When I view istio-proxy logs I see log messages “Start” and “Request created” which means that code is executed. After that I see error

script log: upstream connect error or disconnect/reset before headers. reset reason: connection termination

I tried ssh to “istio-proxy” and “reviews” containers of “reviews-v1” pod and do
curl MYHOSTNAME/PATHTOENDPOINT -H “Authorization: Basic AUTHORIZATIONKEY”
and it worked just fine in both cases.

I have added a service entry as following (Not sure there was a need to do it)

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: sso-2k
spec:
  hosts:
  - MYHOSTNAME
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS

Could you please explain me what I’m missing? Why is my call from lua failing all the time?