We have been using the envoy.ext_authz EnvoyFilter along with oauth2_proxy on our Istio configurations for quite a while. This was, however, on version 1.4.5. We upgraded Istio to 1.5.1 and have not been able to get the EnvoyFilter to work. Ideally, the filter redirects all incoming requests to oauth2_proxy, which then handles authentication and forwards it to the required VirtualService. However, after the upgrade the redirect does not happen at all, and no incoming request is redirected to oauth2_proxy.

This is my EnvoyFilter:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 443
    patch:
      operation: INSERT_BEFORE
      value:
        name: "envoy.ext_authz"
        config:
          http_service:
            server_uri:
              uri: http://oauthproxy-service.oauth2-proxy.svc.cluster.local
              cluster: outbound|4180||oauthproxy-service.oauth2-proxy.svc.cluster.local
              timeout: 1.5s
            authorizationRequest:
              allowedHeaders:
                patterns:
                - exact: "cookie"
                - exact: "x-forwarded-access-token"
                - exact: "x-forwarded-user"
                - exact: "x-forwarded-email"
                - exact: "authorization"
                - exact: "x-forwarded-proto"
                - exact: "proxy-authorization"
                - exact: "user-agent"
                - exact: "x-forwarded-host"
                - exact: "from"
                - exact: "x-forwarded-for"
                - exact: "accept"
                - prefix: "x-forwarded"
                - prefix: "x-auth-request"
            authorizationResponse:
              allowedClientHeaders:
                patterns:
                - exact: "location"
                - exact: "proxy-authenticate"
                - exact: "set-cookie"
                - exact: "authorization"
                - exact: "www-authenticate"
                - prefix: "x-forwarded"
                - prefix: "x-auth-request"
              allowedUpstreamHeaders:
                patterns:
                - exact: "location"
                - exact: "proxy-authenticate"
                - exact: "set-cookie"
                - exact: "authorization"
                - exact: "www-authenticate"
                - prefix: "x-forwarded"
                - prefix: "x-auth-request"

What could I be doing wrong, and how should I go about debugging this?
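
One way to check whether the patch actually reached the gateway's listener, as an added example that is not part of the original question: the function below inspects a JSON listener dump (for instance the gateway Envoy's admin `/config_dump`) and reports, for each HTTP filter chain on a given port, whether `envoy.ext_authz` is present and ahead of the router. The dump embedded here is constructed, and the helper names are hypothetical.

```python
import json
# Constructed sample, snake_case as in Envoy's /config_dump; camelCase keys are accepted too.
SAMPLE_DUMP = json.loads("""
{"configs": [{"dynamic_listeners": [
 {"active_state": {"listener": {
   "address": {"socket_address": {"port_value": 443}},
   "filter_chains": [{"filters": [{"name": "envoy.http_connection_manager",
     "typed_config": {"http_filters": [
       {"name": "envoy.cors"}, {"name": "envoy.router"}]}}]}]}}},
 {"active_state": {"listener": {
   "address": {"socket_address": {"port_value": 80}},
   "filter_chains": [{"filters": [{"name": "envoy.http_connection_manager",
     "typed_config": {"http_filters": [
       {"name": "envoy.ext_authz"}, {"name": "envoy.router"}]}}]}]}}}
]}]}
""")

def _get(d, *keys):
    # First key present wins, so snake_case and camelCase both resolve.
    return next((d[k] for k in keys if k in d), None)

def _walk(node):
    # Yield every dict nested anywhere in the parsed JSON.
    if isinstance(node, dict):
        yield node
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from _walk(child)

def audit_ext_authz(dump, port, name="envoy.ext_authz"):
    """Per HTTP filter chain on `port`: is `name` present and before the router?"""
    results = []
    for lis in _walk(dump):
        if _get(lis, "filter_chains", "filterChains") is None:
            continue  # not a listener object
        sock = _get(lis.get("address") or {}, "socket_address", "socketAddress") or {}
        if _get(sock, "port_value", "portValue") != port:
            continue
        for d in _walk(lis):
            filters = _get(d, "http_filters", "httpFilters")
            if filters is None:
                continue
            names = [f.get("name", "") for f in filters]
            idx = names.index(name) if name in names else -1
            router = next((i for i, n in enumerate(names) if n.endswith("router")), len(names))
            results.append({"filters": names, "present": idx >= 0, "before_router": 0 <= idx < router})
    return results
```

An empty result means the dump contains no listener on that port, so a patch matching that `portNumber` has nothing to attach to; `present: False` means the listener exists but the filter was never inserted into its HTTP filter chain.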