EnvoyFilter envoy.ext_authz not working with 1.5.1

Kuro · April 29, 2020, 9:28pm

We have been using the envoy.ext_authz EnvoyFilter along with oauth2_proxy on our Istio configurations for quite a while. This was however on version 1.4.5. We upgraded Istio to 1.5.1 and have not been able to get the EnvoyFilter to work. Ideally the filter redirects all incoming requests to oauth2_proxy which then handle authentication and forwards it to the required VirtualService. However, after the upgrade the redirect does not happen at all, and no incoming request is redirected to oauth2_proxy.

This is my EnvoyFilter

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          portNumber: 443
      patch:
        operation: INSERT_BEFORE
        value:
          name: "envoy.ext_authz"
          config:
            http_service:
              server_uri:
                uri: http://oauthproxy-service.oauth2-proxy.svc.cluster.local
                cluster: outbound|4180||oauthproxy-service.oauth2-proxy.svc.cluster.local
                timeout: 1.5s
              authorizationRequest:
                allowedHeaders:
                  patterns:
                  - exact: "cookie"
                  - exact: "x-forwarded-access-token"
                  - exact: "x-forwarded-user"
                  - exact: "x-forwarded-email"
                  - exact: "authorization"
                  - exact: "x-forwarded-proto"
                  - exact: "proxy-authorization"
                  - exact: "user-agent"
                  - exact: "x-forwarded-host"
                  - exact: "from"
                  - exact: "x-forwarded-for"
                  - exact: "accept"
                  - prefix: "x-forwarded"
                  - prefix: "x-auth-request"
              authorizationResponse:
                allowedClientHeaders:
                  patterns:
                  - exact: "location"
                  - exact: "proxy-authenticate"
                  - exact: "set-cookie"
                  - exact: "authorization"
                  - exact: "www-authenticate"
                  - prefix: "x-forwarded"
                  - prefix: "x-auth-request"
                allowedUpstreamHeaders:
                  patterns:
                  - exact: "location"
                  - exact: "proxy-authenticate"
                  - exact: "set-cookie"
                  - exact: "authorization"
                  - exact: "www-authenticate"
                  - prefix: "x-forwarded"
                  - prefix: "x-auth-request"

What could I be doing wrong, and how should I go about debugging this?

Reza · June 10, 2020, 4:56am

did you manage this find a solution for this?

Scott_Robertson · June 10, 2020, 4:48pm

I’ve had better luck when being explicit on the filter under the listener that I want to INSERT_BEFORE or INSERT_AFTER.

ning · July 14, 2020, 4:45am

Anyone can share the solution? I have the same issue on 1.5.6

Reza · July 15, 2020, 10:57am

This works for me on 1.6:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
  namespace: istio-test
spec:
  workloadSelector:
    labels:
      app: httpbin
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      #context: GATEWAY
      listener:
        portNumber: 80
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
          http_service:
            server_uri:
              uri: http://oauth2-proxy.istio-extensions.svc.cluster.local
              cluster: outbound|80||oauth2-proxy.istio-extensions.svc.cluster.local
              timeout: 3s
              #TODO below headers are probably more than needed. please trim down.
            authorization_request:
              #TODO below is a workaround to redirect back to the orignal url after authentication. this shound not be needed.
              headers_to_add:
              - key: x-auth-request-redirect
                value: "https://httpbin.dev.kube....com.au"
              allowed_headers:
                patterns:
                 - exact: "authorization"
                 - exact: "x-forwarded-proto"
                 - exact: "proxy-authorization"
                 - exact: "user-agent"
                 - exact: "x-forwarded-host"
                 - exact: "x-forwarded-proto"
                 - exact: "from"
                 - exact: "accept"
                 - prefix: "x-forwarded"
                 - prefix: "x-auth-request"
                 - prefix: "_oauth2_proxy"
                 - exact: "cookie"
                 - exact: "referer"                
                 - exact: "location"
                 - exact: "set-cookie"
            authorization_response:
              allowed_upstream_headers:
                patterns:
                  - exact: "authorization"
                  - exact: "Cookie"
                  - exact: "cookie"
                  - prefix: "_oauth2_proxy"
                  - exact: "location"
                  - exact: "proxy-authenticate"
                  - exact: "set-cookie"
                  - exact: "www-authenticate"
                  - prefix: "x-forwarded"
                  - prefix: "x-auth-request"
                  - exact: "referer"                
              allowed_client_headers:
                patterns:
                  - exact: "location"
                  - exact: "proxy-authenticate"
                  - exact: "set-cookie"
                  - exact: "authorization"
                  - exact: "www-authenticate"
                  - prefix: "x-forwarded"
                  - prefix: "x-auth-request"                
                  - exact: "referer"

flickerfly · January 15, 2021, 1:41am

Been digging through documentation trying to figure the same thing out on Istio 1.4.2 / Envoy 1.12.0 myself. Can’t upgrade due to old k8s.

I can’t figure out a typed_config: type that doesn’t result in Pilot’s webhook rejecting the EnvoyFilter. It does get imported if I use a config: instead of typed_config:. Documentation from Envoy suggests it should work. I see typed_config used in other filters when I list out the listener.

Even a workaround that doesn’t use an EnvoyFilter would be cool at this point.

Topic		Replies	Views
EnvoyFilter - ext_authz for istio 1.3 Security	1	2227	November 19, 2019
Cannot get EnvoyFilter ext_authz to work Networking	11	4008	April 25, 2022
Istio Envoy (EnvoyFilter) skipping ext_authz filter (Istio 1.5.5) Networking	8	2553	October 23, 2020
Envoy filter not working on specific gateway	1	1619	March 5, 2023
Correct config for EnvoyFilter ext.authz	2	2716	June 12, 2020

EnvoyFilter envoy.ext_authz not working with 1.5.1

Related topics