How to make ext_auth render path before rewrite uri in the virtual service?

Need some help in configuring rewrite with ext_auth and upstream service.

  1. Have a backend service called crs and auth
  2. I configured ext_auth with Istio to auth service.
  3. Every call to /crs will go to auth service and if it is succeed then the call will be redirect to crs service.
  4. I have following Virtual Service configuration where i have rewrite_uri to / So that crs service will get path after anything that user enter ex: crs/config?param=123 → config?param=123
  5. But before the call going to crs the call goes to auth service and the path is config?param=123 which auth service can’t understand as it is expecting crs/ in the path to do some validation.
  6. If I change rewrite: uri to /crs/ Then auth service will work as it gets crs/config?param=123 but after auth succeed and the call goes to crs service, it won’t understand prefix crs and fails with error (path not found)

This was never an issue when I used envoy (prefix_rewrite) as a gateway proxy (before trying istio) as by default envoy passes the path to the Auth service (since you configure ext_auth globally) before evaluating the rewrite rules.

Is there a way to have similar behavior where ext_auth gets the path before evaluating the rewrite?

kind: VirtualService
  name: crs
  - gw-istio
  - crs.uri
  - match:
    - uri:
        prefix: /crs/
    - uri:
        prefix: /crs
    name: crs-generic
      attempts: 3
      perTryTimeout: 2s
      uri: "/"
    - destination:
        host: crs
          number: 8080