Hi There,
I am trying to configure the amount of detail that is pushed through the XFCC header. Currently it is in the form:
Hash=957be02cd031c04355c94706d071f80c52f45fcc754342b9bbd210f463e1c6b9;Cert="-----BEGIN%20CERTIFICATE-----…-----END%20CERTIFICATE-----%0A";Subject="CN=test,OU=test,O=test,L=test,ST=CA,C=US";URI=
I want to remove the Cert field from the header, but I have not managed to do it yet. I tried using an EnvoyFilter:
# EnvoyFilter that patches the gateway's HTTP connection manager so that the
# forwarded client certificate (XFCC) header carries the subject and URI SAN
# only, and not the full PEM certificate, chain or DNS SANs.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: xffc-details
  namespace: {{ .Release.Namespace }}
spec:
  # Applies to the gateway pods only; the labels are rendered from the chart
  # values at six spaces so they land under `labels:`.
  workloadSelector:
    labels:
{{ .Values.iicsgateway.labels | toYaml | indent 6 }}
  configPatches:
    - applyTo: NETWORK_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
      patch:
        # MERGE is a proto merge into the generated HCM config. The proxy-config
        # dump shows the gateway already emits set_current_client_cert_details
        # with subject/cert/dns/uri all true; NOTE(review): in proto3, `false`
        # is the default value for a bool, and a merge may not carry a
        # default-valued scalar over an existing `true` — confirm this is why
        # the cert/chain/dns fields below still appear unchanged in the dump.
        operation: MERGE
        value:
          typed_config:
            "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
            set_current_client_cert_details:
              subject: true
              cert: false
              chain: false
              dns: false
              uri: true
I double-checked that the workload selector is correct, but I couldn't figure out why it doesn't work.
Here is the proxy config:
istioctl proxy-config listener iicsgateway-75d578fcbf-vg6h9.masked -o json
[
{
"name": "0.0.0.0_10002",
"address": {
"socketAddress": {
"address": "0.0.0.0",
"portValue": 10002
}
},
"filterChains": [
{
"tlsContext": {
"commonTlsContext": {
"tlsCertificates": [
{
"certificateChain": {
"filename": "/etc/istio/ingressgateway-certs/tls.crt"
},
"privateKey": {
"filename": "/etc/istio/ingressgateway-certs/tls.key"
}
}
],
"validationContext": {
"trustedCa": {
"filename": "/etc/istio/ingressgateway-ca-certs/ca-chain.cert.pem"
}
},
"alpnProtocols": [
"h2",
"http/1.1"
]
},
"requireClientCertificate": true
},
"filters": [
{
"name": "envoy.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
"statPrefix": "outbound_0.0.0.0_10002",
"rds": {
"configSource": {
"ads": {}
},
"routeConfigName": "https.10002.https.iics-masked.masked"
},
"httpFilters": [
{
"name": "mixer",
"typedConfig": {
"@type": "type.googleapis.com/istio.mixer.v1.config.client.HttpClientConfig",
"transport": {
"networkFailPolicy": {
"policy": "FAIL_CLOSE",
"baseRetryWait": "0.080s",
"maxRetryWait": "1s"
},
"checkCluster": "outbound|15004||istio-policy.istio-system.svc.cluster.local",
"reportCluster": "outbound|15004||istio-telemetry.istio-system.svc.cluster.local",
"reportBatchMaxEntries": 100,
"reportBatchMaxTime": "1s"
},
"serviceConfigs": {
"default": {
"disableCheckCalls": true
}
},
"defaultDestinationService": "default",
"mixerAttributes": {
"attributes": {
"context.proxy_version": {
"stringValue": "1.4.5"
},
"context.reporter.kind": {
"stringValue": "outbound"
},
"context.reporter.uid": {
"stringValue": "kubernetes://iicsgateway-75d578fcbf-vg6h9.masked"
},
"source.namespace": {
"stringValue": "masked"
},
"source.uid": {
"stringValue": "kubernetes://iicsgateway-75d578fcbf-vg6h9.masked"
}
}
},
"forwardAttributes": {
"attributes": {
"source.uid": {
"stringValue": "kubernetes://iicsgateway-75d578fcbf-vg6h9.masked"
}
}
},
"ignoreForwardedAttributes": true
}
},
{
"name": "envoy.cors"
},
{
"name": "envoy.fault"
},
{
"name": "envoy.lua",
"config": {
"inlineCode": "..masked.."
}
},
{
"name": "envoy.router"
}
],
"tracing": {
"operationName": "EGRESS",
"clientSampling": {
"value": 100
},
"randomSampling": {
"value": 1
},
"overallSampling": {
"value": 100
}
},
"httpProtocolOptions": {},
"serverName": "istio-envoy",
"streamIdleTimeout": "0s",
"accessLog": [
{
"name": "envoy.file_access_log",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog",
"path": "/dev/stdout",
"format": "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% \"%DYNAMIC_METADATA(istio.mixer:status)%\" \"%UPSTREAM_TRANSPORT_FAILURE_REASON%\" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%\n"
}
}
],
"useRemoteAddress": true,
"generateRequestId": true,
"forwardClientCertDetails": "SANITIZE_SET",
"setCurrentClientCertDetails": {
"subject": true,
"cert": true,
"dns": true,
"uri": true
},
"upgradeConfigs": [
{
"upgradeType": "websocket"
}
],
"normalizePath": true
}
}
]
}
],
"listenerFilters": [
{
"name": "envoy.listener.tls_inspector"
}
],
"trafficDirection": "OUTBOUND"
},
{
"address": {
"socketAddress": {
"address": "0.0.0.0",
"portValue": 15090
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.http_connection_manager",
"config": {
"codec_type": "AUTO",
"http_filters": {
"name": "envoy.router"
},
"route_config": {
"virtual_hosts": [
{
"domains": [
"*"
],
"name": "backend",
"routes": [
{
"match": {
"prefix": "/stats/prometheus"
},
"route": {
"cluster": "prometheus_stats"
}
}
]
}
]
},
"stat_prefix": "stats"
}
}
]
}
]
}
]
I see that the gateway sets the Cert value to true by default: https://github.com/istio/istio/blob/17976bc32159e96d6ba5793a33e512e7539f9237/pilot/pkg/networking/core/v1alpha3/gateway.go#L379
Could it be a boolean value merge problem (in proto3, `false` is the default for a bool, so a MERGE may never carry it over the gateway's existing `true`)?
Any other ideas on how to remove it?