Help needed creating Envoy-Filter

Hello,

I need some help creating an envoy-filter.

What I would like to achieve is that envoy-proxy accepts untrusted certs (actually only at the ingress, with mTLS coming from outside the mesh).
If I understand the envoy documentation correctly, this can be achieved by setting TlsContextMatchOptions validated = false.

I am struggling to achieve this with istio’s envoy-filter mechanism.

Is there someone who could provide detailed information about how to do this? I don’t find any good how-to/tutorial and it seems that more people are struggling with it.

I’d be happy to write a tutorial on how to use envoy-filters properly as soon as I understand it in-depth.
These tutorials could be placed on the istio website.

This is what I got, but I suggest that this is horribly wrong:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: allow-untrusted-certs
  namespace: istio-system
spec:
  configpatches:
    - applyTo: Cluster
      patch:
        operation: MERGE
        value:
          name: "envoy.route.RouteMatch.TlsContextMatchOptions"
          typed_config:
            "@type": "type.googleapis.com/envoy.api.v2.route.RouteMatch.TlsContextMatchOptions"
            validated: false

@mhite you seem to understand writing envoy filters. Do you mind helping me? :slight_smile:

I wish! I haven’t gotten one working yet. I’m still struggling and I’m not sure what resources are available for learning how all this works.

It’s the unfortunate convergence between a very good working knowledge of Envoy outside the context of Istio, and then using Istio API to overlay the changes into the Envoy configuration API.

Dark art basically.
