EnvoyFilter - ext_authz for istio 1.3

Security
1

Hi,

I struggle with converting istio filter from istio version 1.2 to the new api for envoy filters from istio 1.3. However, I have some problems with that, maybe someone will be willing to help me and figure out what I did wrong. Everything applied correctly but traffic isn’t redirected to auth-service (with filter config from version 1.2 it works). Maybe I don’t need to convert this because there isn’t any info that the previous config will stop working soon?

config from istio 1.2

kind: EnvoyFilter
metadata:
  name: edge-lua-filter
spec:
  workloadLabels:
    app: istio-ingressgateway
  filters:
- listenerMatch:
      listenerType: ANY
    filterName: envoy.ext_authz
    filterType: HTTP
    filterConfig:
      http_service:
        server_uri:
          uri: http://authorization-svc.default.svc.cluster.local:8080
          cluster: outbound|8080||authorization-svc.default.svc.cluster.local
          timeout: 5s
        path_prefix: /authorization/validate
        authorizationRequest:
          allowedHeaders:
            patterns:
            - exact: "cookie"
        authorizationResponse:
          allowed_upstream_headers:
            patterns:
            - exact: "User-Id"

istio version 1.3

kind: EnvoyFilter
metadata:
  name: ext-auth
  namespace: default
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.ext_authz"
    patch:
      operation: INSERT_BEFORE
      value:
        config:
          http_service:
            server_uri:
              uri: http://authorization-svc.default.svc.cluster.local:8080
              cluster: outbound|8080||authorization-svc.default.svc.cluster.local
              timeout: 5s
            path_prefix: /authorization/validate
            authorizationRequest:
            allowedHeaders:
              patterns:
              - exact: "cookie"
            authorizationResponse:
              allowed_upstream_headers:
              patterns:
              - exact: "User-Id"
2

Hello,

you probably forget to add filter name in patch.value section, my working configuration is:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz
spec:
  workloadSelector:
    labels:
      app: authdebug-server
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
#          portNumber: 15090
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.ext_authz #FILTER NAME
          config:
             http_service:
               failure_mode_allow: false
               path_prefix: /decisions
               server_uri:
                 uri: http://oathkeeper-api.default.svc.cluster.local:4456
                 cluster: outbound|4456||oathkeeper-api.default.svc.cluster.local
                 timeout: 5s