EnvoyFilter in ingressgateway does not seem to work

Security
1

Hello,

I am trying to implement authentication and authorization at the Istio ingressgateway.

Our infrastructure only passes jwt token on http-only cookies. For that reason, I am trying to add an EnvoyFilter that adds the jwt cookie value to the Authorization header.

However, that does not seem to be working.

Here is my EnvoyFilter config:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: my-auth-token
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 8443
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
       name: envoy.lua
       typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
          inlineCode: |
            function stringSplit(inputstr, sep)
              if sep == nil then
                sep = "%s"
              end
              local t={}
              for str in string.gmatch(inputstr, "([^"..sep.."]+)") do
                table.insert(t, str)
              end
              return t
            end

            function envoy_on_request(handle) 
              headers = handle:headers()

              path = headers:get(":path")
              if path == "/health" or path == "/metrics" then
                return
              end

              cookieString = headers:get("cookie")
              if cookieString ~= nil then
                splitCookieString = stringSplit(cookieString, ";")
                
                jwt = nil
                for i, cookieItem in ipairs(splitCookieString) do
                  if string.find(cookieItem, "access_token") ~= nil then
                    jwt = string.gsub(cookieItem, "access_token=", "")
                  end
                end

                if jwt ~= nil then
                  token = string.gsub(jwt, "^ ", "")
                  headers:replace("Authorization", "Bearer: "..token)
                  print("[my-auth-token] cookie transformed to header")
                end
              end
            end

The reason I believe its not working is because I don’t see any logs coming out of this filter in istio-ingressgateway pods.

Any help would bye much appreciated. Thanks!

2

I believe you want this to applyTo: GATEWAY instead of SIDECAR_INBOUND

If you run istioctl proxy-config routes <ingress pod name> -n istio-system -o json you should see the lua filter being injected somewhere in there.

3

Thanks @nick_tetrate !

I tried replacing context: SIDECAR_INBOUND with context: GATEWAY
Still does not seem to be working.

istioctl proxy-config routes istio-ingressgateway-b755f965d-v6v4t -n istio-system -o json

The json out returned by the command does not indicate that the newly added filter is associated with the ingress gateway.

4

what version of istio?

5

in istio 1.7+ you need to use envoy v3 config
i found an example on github
https://github.com/e-conomic/vml-istio/blob/1c32c7d4ad1f19fa94a164c7f47de52ce07b6c32/manifests/istio-https-redirect-lua.yaml

6

Thanks @nick_tetrate ! This is very helpful. I was able to resolve it with your help :slight_smile: