HTTP request from envoy filter to K8s API

Hello,

I am trying to add an additional header to incoming requests to my microservices using an Envoy Filter. To get the value of this new header I want to make an upstream HTTP call to the K8s API of the same K8s Cluster as I want to read a ConfigMap and set the header according to values in it.

I am using this example from the documentation as a reference (from Istio / Envoy Filter):

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: reviews-lua
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews
  configPatches:
    # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
       name: envoy.lua
       typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            function envoy_on_request(request_handle)
              -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
              local headers, body = request_handle:httpCall(
               "lua_cluster",
               {
                [":method"] = "POST",
                [":path"] = "/acl",
                [":authority"] = "internal.org.net"
               },
              "authorize call",
              5000)
            end
  # The second patch adds the cluster that is referenced by the lua code
  # cds match is omitted as a new cluster is being added
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value: # cluster specification
        name: "lua_cluster"
        type: STRICT_DNS
        connect_timeout: 0.5s
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: lua_cluster
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    protocol: TCP
                    address: "internal.org.net"
                    port_value: 8888

I am replacing the cluster address and [:authority] header and I tried to set them to:-

  1. kubernetes.default.svc:- If I do this, I get the following response body from httpCall():- “Client sent an HTTP request to an HTTPS server.”
  2. kubernetes API Hostname that the kubeconfig contains. Using this I get the following response body from httpCall():- “upstream connect error or disconnect/reset before headers. reset reason: connection termination”

I am passing the correct Authorization token as well as a header in the httpCall().

I have also been setting up destination rules for the above addresses.

Can anyone please help me out with letting me know what I am doing wrong or even if this is the correct way to call the k8s api of the cluster that the envoy sidecar is part of? Any help would be greatly appreciated.

Thank you and kind regards.
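
The first response quoted in the post is what an HTTPS listener returns when it receives plaintext HTTP, and the `lua_cluster` in the documentation example has no `transport_socket`. The following is an added example (not part of the original post or the Istio documentation) of a cluster patch that originates TLS to the API server and verifies its certificate; the resource and cluster names, port 443, the CA bundle being mounted in the sidecar container, and the certificate SAN are assumptions.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: k8s-api-cluster          # hypothetical name
  namespace: bookinfo            # same namespace as the example in the post
spec:
  workloadSelector:
    labels:
      app: reviews
  configPatches:
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value:
        name: "k8s_api_cluster"  # hypothetical; must equal the first argument of httpCall()
        type: STRICT_DNS
        connect_timeout: 0.5s
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: k8s_api_cluster
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    protocol: TCP
                    address: "kubernetes.default.svc"
                    port_value: 443   # assumed: default port of the kubernetes Service
        # Without a transport_socket (as in the post's lua_cluster), Envoy sends
        # plaintext HTTP to this endpoint.
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext"
            sni: "kubernetes.default.svc"
            common_tls_context:
              validation_context:
                # Assumed: the service account CA bundle is mounted in the sidecar container.
                trusted_ca:
                  filename: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
                # A trusted CA alone checks the chain, not the name; pin the expected SAN too.
                # Assumed: the API server certificate lists this DNS name.
                match_typed_subject_alt_names:
                - san_type: DNS
                  matcher:
                    exact: "kubernetes.default.svc"
```

The token sent in the `Authorization` header should belong to a ServiceAccount whose RBAC Role allows only `get` on the one ConfigMap being read, since every sidecar matched by the `workloadSelector` will hold it.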