How to enable inserting of Authentication headers for outgoing requests using Envoy

We’re currently in the process of trying to replace a homegrown authentication proxy sidecar with Envoy for our services in Kubernetes. The reason why we needed to create such a sidecar in the first place is that we use custom JWT tokens along with another header to authenticate. This authentication proxy has 2 main functionalities:

  1. Authenticating incoming requests
    - I’ve been able to replicate this functionality using the ext_authz filter in Envoy
  2. Inject authentication headers into outgoing requests

My question is about the 2nd use case: is there a way to use Envoy as an outgoing proxy and perhaps call another sidecar/service to obtain JWT tokens, then insert them as headers into the outgoing request?

The config I have right now:

static_resources:
  listeners:
    -
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 9000
      # filter_chains is a list, so each chain starts with a dash
      filter_chains:
        -
          filters:
            -
              name: envoy.http_connection_manager
              config:
                stat_prefix: ingress_http
                http_filters:
                  -
                    name: envoy.ext_authz
                    config:
                      http_service:
                        server_uri:
                          uri: http://0.0.0.0:9002
                          cluster: ext-authz
                          timeout: 1s
                        authorization_request:
                          allowed_headers:
                            # patterns is a list of string matchers
                            patterns:
                              - prefix: "wd-"
                      # failure_mode_allow belongs to the filter, not to server_uri
                      failure_mode_allow: false
                  -
                    name: envoy.router
                    config: {}
                route_config:
                  name: local_route
                  virtual_hosts:
                    -
                      name: backend
                      domains: ['*']
                      routes:
                        -
                          route:
                            cluster: some-service
                          match:
                            prefix: /
  clusters:
    -
      name: some-service
      type: STRICT_DNS
      connect_timeout: 1s
      hosts:
        -
          socket_address:
            address: 0.0.0.0
            port_value: 19000
    -
      name: ext-authz
      type: STRICT_DNS
      connect_timeout: 1s
      hosts:
        -
          socket_address:
            address: 0.0.0.0
            port_value: 9002

Hello @Sameer_Kapoor, did you have any updates on this topic? I am looking for something similar.

I think you can use the ext_authz filter to fetch the extra JWT token; you can do it either in your current ext_authz filter or add it as a separate one.

I ended up using a Lua filter to call the sidecar to generate a JWT token and then passed this on to the forwarded request.

    http_filters:
    - name: envoy.lua
      typed_config:
        "@type": type.googleapis.com/envoy.config.filter.http.lua.v2.Lua
        inline_code: |
          function envoy_on_request(request_handle)
            -- Synchronous HTTP call to the "ext-authz" cluster; blocks the
            -- request until the sidecar answers or the 5000 ms timeout fires.
            local headers, body = request_handle:httpCall(
              "ext-authz",
              {
                [":method"] = "GET",
                [":path"] = "/generateJwt",
                [":authority"] = "ext-authz",
              },
              "blah",
              5000
            )
            -- Add information from the HTTP call into the headers that are about to be sent to the next
            -- filter in the filter chain.
            request_handle:headers():add("authorization", headers["authorization"])
          end

ext-authz is defined as a cluster:

  clusters:
    -
      name: sameer-test-envoy
      type: STRICT_DNS
      connect_timeout: 1s
      hosts:
        -
          socket_address:
            address: 0.0.0.0
            port_value: 19000
    -
      name: ext-authz
      type: STRICT_DNS
      connect_timeout: 1s
      hosts:
        -
          socket_address:
            address: 0.0.0.0
            port_value: 9002
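A complete, fail-closed version of the Lua approach above, added here as an example and not taken from the thread or from the Envoy project. Beyond the posted snippet it checks the sidecar's response status and handles the case where no token comes back: with the snippet as posted, a sidecar outage or an empty response leaves `headers["authorization"]` as nil, and `headers():add` with a nil value raises a Lua script error, so the request fails with a generic error instead of being rejected deliberately. The example also strips any caller-supplied Authorization header before the call so the sidecar is the only credential source on this path. The listener port, cluster names, the `/generateJwt` path, and the assumption that the sidecar returns the token in its `authorization` response header are taken from the thread; the loopback addresses are placeholders.

```yaml
# Added example (not from the thread). Assumes the token sidecar listens on
# 127.0.0.1:9002 and answers GET /generateJwt with the JWT in its
# "authorization" response header, and the upstream is on 127.0.0.1:19000.
static_resources:
  listeners:
    - address:
        socket_address:
          address: 0.0.0.0
          port_value: 9000
      filter_chains:
        - filters:
            - name: envoy.http_connection_manager
              config:
                stat_prefix: egress_http
                http_filters:
                  - name: envoy.lua
                    typed_config:
                      "@type": type.googleapis.com/envoy.config.filter.http.lua.v2.Lua
                      inline_code: |
                        function envoy_on_request(request_handle)
                          -- Drop any credential the caller sent; only the sidecar's
                          -- token may leave on this path.
                          request_handle:headers():remove("authorization")

                          -- Synchronous call to the token sidecar (GET, empty body,
                          -- 5000 ms timeout). On cluster or timeout failure Envoy
                          -- still returns a headers table with a non-200 ":status".
                          local headers, body = request_handle:httpCall(
                            "ext-authz",
                            {
                              [":method"] = "GET",
                              [":path"] = "/generateJwt",
                              [":authority"] = "ext-authz",
                            },
                            "",
                            5000
                          )

                          -- Fail closed: no token means no upstream request.
                          local status = headers and headers[":status"]
                          local token = headers and headers["authorization"]
                          if status ~= "200" or token == nil or token == "" then
                            request_handle:logErr(
                              "token sidecar call failed, status=" .. tostring(status))
                            request_handle:respond(
                              { [":status"] = "503", ["content-type"] = "text/plain" },
                              "could not obtain service credentials")
                            return
                          end

                          request_handle:headers():add("authorization", token)
                        end
                  - name: envoy.router
                    config: {}
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: backend
                      domains: ['*']
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: some-service
  clusters:
    - name: some-service
      type: STRICT_DNS
      connect_timeout: 1s
      hosts:
        - socket_address:
            address: 127.0.0.1
            port_value: 19000
    - name: ext-authz
      type: STRICT_DNS
      connect_timeout: 1s
      hosts:
        - socket_address:
            address: 127.0.0.1
            port_value: 9002
```

Two design points worth noting when deploying this: `httpCall` without the trailing `asynchronous` argument blocks the request until the sidecar answers, so the 5000 ms timeout bounds how long a sidecar outage can stall outgoing traffic, and the explicit 503 on failure makes those outages visible in the listener's Lua and response-code stats rather than showing up as opaque script errors.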